A business security risk assessment is a structured process for identifying what you're protecting, what threatens it, and how likely each threat is to cause real harm. Complete one before you spend a dollar on guards, cameras, or access control systems. It's the only way to know whether you're spending on the right things.
The short answer: Walk your property, list your assets and people, map realistic threats against known vulnerabilities, score each risk by likelihood x impact, then address the highest-scoring risks first.
The sections below give you a practical, step-by-step framework you can finish in a single day, no security consultant required.
What a security risk assessment is (and why it matters)
A physical security risk assessment is a documented analysis of the threats facing your people, property, and operations. It answers three questions:
- •What do we need to protect?
- •What could go wrong, and how likely is it?
- •Are our current safeguards sufficient?
Why businesses do them
Insurance requirements. Many commercial property and general liability carriers require a documented security assessment before issuing or renewing a policy. A completed assessment can also lower your premium by showing proactive risk management.
Liability protection. If a crime occurs on your property and you cannot show you evaluated the risk and took reasonable precautions, you may face negligence claims. Documentation matters.
Right-sizing your spend. The most common mistake businesses make is buying controls before understanding threats. A retail shop in a low-crime suburban area does not need the same security posture as a cash-heavy nightclub in a dense urban corridor. An assessment tells you where your actual exposure is.
Compliance. Certain industries (healthcare, financial services, cannabis, pharmaceuticals) face regulatory requirements around physical access controls and documentation. An assessment is the foundation for any compliance program.
Step 1: Identify what you are protecting
Start by cataloguing your assets, both physical and human.
People:
- •Employees and contractors on site
- •Customers or clients on premises
- •Vendors and delivery personnel
Physical assets:
- •Cash, safes, and high-value inventory
- •Equipment, vehicles, and tools
- •Servers and IT hardware
Operational assets:
- •Proprietary processes or client data stored on-site
- •Controlled substances or regulated materials
- •Critical infrastructure (power, communications)
Reputational assets:
- •The customer experience. A publicized incident damages your brand even if the financial loss is modest.
Write these down. Prioritize by replacement cost and business impact if lost, stolen, damaged, or accessed by an unauthorized party.
Step 2: Identify threats and review your incident history
Threats fall into three broad buckets:
External threats: theft, vandalism, trespassing, unauthorized entry, robbery, workplace violence from non-employees
Internal threats: employee theft, improper access to restricted areas, unauthorized sharing of entry codes or badges
Environmental hazards: fire, flooding, power failure, severe weather that can take down physical security systems
Where to look for data
- •Your own incident log. Review police reports, insurance claims, and any internal incident documentation from the past two to three years. Repeat patterns are your highest-priority threats.
- •Local crime data. Most U.S. cities publish neighborhood-level crime statistics. Check your local police department's online crime map or request a report for your address.
- •Industry benchmarks. Retail averages roughly 1.4% annual shrinkage from theft. Warehouses and distribution centers lose an estimated $15-30 billion annually in cargo theft. Healthcare facilities face high rates of pharmaceutical diversion. Knowing where your industry sits helps calibrate your threat model.
Step 3: Walk the property and find vulnerabilities
This is the physical inspection step. Move room by room and perimeter point by perimeter point, looking for gaps between your current controls and the threats you identified in Step 2.
Do this walkthrough twice: once during normal business hours and once after dark. Night reveals a different set of problems (lighting gaps, blind spots cameras miss, cover for concealment near entrances).
Perimeter:
- •Is fencing intact, with no gaps or low sections?
- •Are all vehicle entry and exit points gated or monitored?
- •Does landscaping create concealment near doors or windows?
- •Are dumpsters or equipment positioned to aid climbing over fences or walls?
Lighting:
- •Are all exterior entry points, parking areas, and loading zones adequately lit?
- •Are there blind spots where someone could approach undetected?
- •Do interior public areas have enough light to deter loitering?
Entry and exit points:
- •Are all doors, windows, and roof hatches accounted for and secured?
- •Do emergency exits have audible alarms on the push bar?
- •Is there a controlled visitor check-in process, or can anyone walk in unannounced?
Access control:
- •Are restricted areas (server rooms, cash offices, stock rooms) locked with key card, PIN, or lock?
- •Are master keys or entry codes shared widely enough to create exposure?
- •Is there a process for revoking access when an employee leaves?
Surveillance:
- •Do cameras cover all entry points, cash-handling areas, and high-value storage zones?
- •Are there blind spots that a camera repositioning or addition could eliminate?
- •Is footage retained for at least 30 days, stored off-site or in a tamper-resistant location?
Operational procedures:
- •Do employees know how to report a suspicious person or incident?
- •Is there a written emergency response plan and is it posted?
- •Are vendor and contractor visits logged?
Document every gap you find. Each gap is a potential vulnerability.
Step 4: Assess likelihood x impact
Not every vulnerability deserves the same attention. Use a risk matrix to score each finding by two dimensions:
- •Likelihood. How probable is this threat, given your location, industry, and incident history?
- •Impact. If this threat materializes, how severe is the consequence (financial loss, injury, operational disruption, reputational damage)?
Risk matrix
| Low impact | Medium impact | High impact | |
|---|---|---|---|
| High likelihood | Medium | High | Critical |
| Medium likelihood | Low | Medium | High |
| Low likelihood | Low | Low | Medium |
Score each vulnerability and sort your list. Critical risks require immediate action. High risks should be addressed within 30 days. Medium risks belong in your next planning cycle. Low risks are worth monitoring but don't require urgent spend.
Step 5: Prioritize and choose controls
Controls fall into four categories.
Deterrence controls make the target less attractive or signal that detection is likely. Signage, lighting, and a visible security guard presence are the strongest deterrents for opportunistic crimes.
Detection controls identify a threat when it occurs. Surveillance cameras, alarm systems, motion sensors, and access-control audit logs are detection tools.
Delay controls slow down an intruder to give response time. Reinforced doors, deadbolts, fencing, and security film on windows are delay controls.
Response controls take action once a threat is detected. A security guard, an alarm monitoring center with police dispatch, or a trained emergency response plan are response controls.
Matching controls to your top risks
| Risk | Best-fit controls |
|---|---|
| Opportunistic shoplifting or theft | Visible guard presence, improved lighting, camera coverage at entry/exit |
| After-hours break-in | Alarm system, exterior lighting, perimeter patrol |
| Internal theft | Access control logs, inventory audits, randomized guard patrols |
| Unauthorized access to restricted areas | Key card access with audit trail, sign-in procedures |
| Parking lot safety incidents | Lighting, guard patrol, emergency call station |
| Workplace violence | Controlled entry, de-escalation training, visible guard presence |
Step 6: Document your assessment and schedule a review
A completed assessment is only useful if it's written down and revisited.
Your documentation should include:
- •A dated record of the walkthrough and who conducted it
- •The full list of assets and threats identified
- •Vulnerability findings with risk scores
- •Chosen controls with implementation status and owner
- •A scheduled review date (annually at minimum; sooner if you move locations, experience an incident, or your business changes significantly)
Store a copy with your insurance documents. If a claim or lawsuit arises, a documented assessment showing you identified and addressed foreseeable risks is a material defense.
DIY security assessment checklist
Use this checklist during your property walkthrough.
Perimeter
- • Fencing intact, no gaps or low sections
- • All vehicle gates functional and lockable
- • Landscaping trimmed, no concealment near doors, windows, or HVAC
- • Dumpsters and equipment not usable as climbing aids
Lighting
- • All exterior entry points lit
- • Parking lot fully illuminated at night
- • Loading or delivery areas lit
- • No dark approaches to main entrances
Entry and exits
- • All entry doors self-closing with functioning latches
- • Emergency exits alarmed
- • Roof and secondary access points secured
- • Visitor check-in process in place
Access control
- • Restricted areas (cash office, server room, stockroom) require separate credentials
- • Former employee access revoked within 24 hours of departure
- • Master codes and keys limited to essential personnel
Surveillance
- • Cameras cover all exterior entry points
- • Cameras cover cash-handling and high-value storage areas
- • No large blind spots at key locations
- • Footage retained for at least 30 days
Operational procedures
- • Employees know how to report suspicious activity
- • Emergency response plan is written, posted, and current
- • Vendor and contractor visits are logged
- • Incident log is maintained and reviewed periodically
When to deploy a security guard vs. other controls
Cameras and alarms detect. Guards detect and respond.
Consider deploying a guard when:
- •Your highest-priority risks require a real-time human response. Cameras document theft; a guard stops it mid-act.
- •You have high foot traffic or cash handling. Bars, retail, dispensaries, and event venues benefit from visible deterrence at entry points.
- •You're operating during high-risk hours. Overnight shifts, weekend closings, and opening/closing procedures are when most crimes occur.
- •You have a specific, time-limited threat. A disgruntled former employee, a recent incident, or a high-profile event warrants temporary augmented coverage.
- •Your incident history shows repeat problems that cameras and alarms haven't solved.
Cameras and alarms are the right primary control when threats are low-frequency, response time from law enforcement is adequate, and your main goal is documentation for insurance purposes.
For most businesses, the right answer is layered: cameras for documentation, alarms for after-hours detection, lighting for deterrence, and a guard for response. Deploy based on your risk score, not a gut feeling.
After completing your assessment, you can deploy right-sized coverage on demand through Calvis at around $29.60/hr with no contract required. Learn more about whether your business needs a guard, review the full security guard cost guide, or hire security guards directly for your highest-priority shifts. Not sure what guards actually do on a shift? See what a security guard does.