
Guidance For Organisations

Organisations have an obligation to identify, assess and manage risks to their people, particularly those who are considered high-risk individuals

Last Updated 15 April 2024

Introduction

When an organisation engages in activity that increases the likelihood of harm to its people, the employer has an obligation to identify, assess and manage such risks. This includes malicious threats to staff that arise because of their employment or their association with the organisation.

Everyone is subject to some risks to their personal safety and security. This guidance is primarily aimed at organisations who have staff that are at heightened risk. See Personal Safety and Security for High-Risk Individuals for more detail on the threats these individuals may be exposed to.

There are many reasons why employers should manage these types of security risks to their staff, including:

  • Staff safety and wellbeing.
  • To preserve the organisation’s mission – staff and/or departments who feel threatened or vulnerable may withdraw or not deliver organisational needs. 
  • To attract and retain staff.
  • To protect against a loss of productivity through, for example, sickness, stress or staff turnover.
  • To minimise wider security risks to the organisation, for example staff may be coerced into doing something that is harmful to the organisation.
  • To comply with UK laws.
  • To help defend against civil claims brought by, for example, employees who have suffered harm or loss.
  • Prioritising the safety and security of high-risk employees demonstrates a commitment to ethical business practices and earns the trust and respect of stakeholders and staff.

To assist with managing these risks, it is recommended that employers do the following:

Understand the problem

Many hostile actors operate covertly, making it hard to discover their intentions and capabilities. Information about security threats is often incomplete and uncertain. Therefore, judgements about the nature and scale of protective security should be based on risk rather than threat alone. Where reliable threat information is available, it should be heeded.

When assessing the security risk to staff, it is essential to develop a clear picture of:

  • What is the threat and to which staff members? What are the circumstances when the threat is more likely to occur? 

Threat indicators to consider


  • The individual’s work role is contentious or likely to attract hostility.

  • Security agencies or police have intelligence of a threat to the individual or to people in a similar role.

  • The individual (or their employer) has received a credible direct threat (e.g. through social media or in person).

  • The individual has previously been subject to an attack or an attempted attack.

  • A state-backed organisation has taken action against specific individuals, such as intimidating friends/family, applying sanctions, issuing an international warning notice, or prosecuting individual(s).

  • The individual has knowledge or physical assets that are likely to be highly attractive to threat actors (e.g. organised criminals or state-backed organisations).

  • What is the vulnerability and exposure of the individual(s) to those threats?

Vulnerability indicators to consider

  • The individual is a known "face" of your organisation.

  • The individual's work role requires them to be accessible (e.g. meeting members of the public in person).

  • The individual's home and/or place of work have little or no protective security.

  • The individual's home address and work address are widely known or easily discoverable.

  • The individual regularly travels on public transport or on a predictable route. 

  • The individual travels to areas/environments where the threat actors have a more permissive environment to operate in or have more resources/capabilities at their disposal.

  • What is the harm and wider consequences of the threat, to both the individuals and the organisation itself?
  • The organisation should consider what impact this threat might have on others within the organisation who are not being directly targeted but could become at risk due to their association with the organisation or high-risk individual.
  • As part of the organisation’s security culture, all staff should understand safety and security policies and procedures, and their role in protecting the organisation and others.

Effective governance

Effective governance will include, for example:

  • Having a senior responsible owner 
  • Having risk management processes in place
  • Having policies and procedures embedded, and their effectiveness regularly evaluated.

For more information, see NPSA guidance on Leadership and Governance for effective security strategies, Passport to Good Security for senior executives and Protective Security Risk Management (PSRM).

Corporate obligations

For example, if a member of staff has received several specific credible death threats, consider what support you will provide outside of the workplace. If a member of staff has been sanctioned by a state-backed organisation, consider what your position will be regarding work and personal travel.

Unlike many other areas of security risk, some security measures you consider may intrude on the personal lives of those affected. These may or may not be welcomed.

Engage with staff

Personal security will primarily focus on informing and shaping your staff’s behaviours, so it is essential they:

  • Understand the threat. Staff will have their own perceptions of the threat and you should be prepared for these not necessarily aligning to those of the organisation. It is important to listen and understand these and address any issues that could harm their safety and security.
  • Recognise the importance of their role in their own security. Staff are often most vulnerable when they are away from their normal place of work, so their own behaviours and levels of preparedness are critical. This may be uncomfortable for some staff, but it’s very important they understand this. Listen to their views and ideas regarding security measures and training – they need to buy into these and feel they are appropriate. It is important to be clear about "red lines": measures that are so important they must be undertaken.
  • Recognise that complacency is an issue. Staff can suffer from “threat fatigue” when they are regularly exposed to a threat that has not, to date, materialised into physical harm. In effect, it can become “normalised” and staff can become complacent. It is important that engagement with staff addresses this issue because it is often the case that the threat has remained the same, but it is the individual's perceptions that have changed, and this can be dangerous.
  • Feel confident in undertaking their role, in their training and in the security measures designed to minimise the risk to them.

Develop mitigations

Where necessary, this should be supported by training. Identifying and deciding what mitigations are appropriate is complex and it may be helpful to divide them into the following categories:

  • Those that relate to organisational practices, such as:
    • Do individuals use their own personal devices on corporate IT systems? 
    • Are they mixing corporate and private lives through social media?  
    • How are threats communicated to staff?
  • Those that relate to work locations, such as permanent, temporary, remote working, and public engagements.
  • Work related travel. Are there any additional threat or vulnerability considerations? How will you know where your high-risk staff are and what support is needed?
  • Staff behaviours and organisational culture. Are staff aware of the threat? Have they been trained to be vigilant and develop situational awareness skills? Do they know what to look for and what to do in the event of a security concern?
  • Those related to staff private lives such as personal travel, security at their home, home IT, personal devices, use of social media etc. See plan ahead guidance for more information.

Develop reporting mechanisms

These should be assessed at a “case” level and across cases, to help spot trends. Hostile actors are often covert and use a variety of means to target individuals online and in-person. It is important that all relevant departments in your organisation are engaged in the process, including Human Resources, Physical Security and Information Technology and Cyber Security.

Employers should also share guidance with staff that can help them to understand what they need to do if an incident arises and reinforce the message that if it is an emergency, if they are in imminent danger or a crime is being committed, they should phone 999.

Provide reporting mechanisms

Consider whether your employee assistance programmes are appropriate to support staff at heightened risk. Ensure procedures are in place to help those who are impacted by the threat, either directly or indirectly. Staff will benefit from advice, information and support on the issues they face, as well as provisions such as psychological first aid and compassionate leave in some circumstances.

Having welfare support in place is important for staff who may be feeling the stresses of a potential threat to them and their families, as well as in the aftermath of an incident.

Regular review

Reviews should be conducted on a regular basis or when required, such as after a change in threat or a change to the operational environment, or to assess the suitability of new measures implemented. For more information on key steps to take when considering the wider process of protective security risk management, see NPSA’s PSRM pages.
