physical security risk assessment

Physical Security Risk Assessment: A Practical Guide for London Premises

A physical security risk assessment is a structured review of a site — its people, property, layout and daily routines — that identifies where it is vulnerable, judges how likely and how damaging each threat would be, and sets out proportionate measures to reduce the risk. It is the groundwork that should sit beneath every security decision, from where a camera points to whether a premises needs an officer on the door at all.

Without one, security spending tends to follow habit or guesswork: a guard because there has always been a guard, CCTV because a neighbouring unit installed it. An assessment replaces guesswork with evidence, which is why insurers, landlords and corporate clients increasingly expect to see one.

What the assessment actually looks at

A thorough review considers three things together, because none of them means much in isolation.

Threats are the events that could cause harm: theft, burglary, vandalism, unauthorised access, antisocial behaviour, workplace violence, arson, or disruption during an event. The realistic threat picture varies enormously between a quiet office in a managed building and a late-opening retail unit on a busy high street.

Vulnerabilities are the weaknesses that would let a threat succeed: an unmonitored rear entrance, a shared loading bay, poor lighting along a boundary, out-of-date key records, blind spots in camera coverage, or simply a reception desk that is regularly left unattended.

Impact is what a successful incident would actually cost — not only stolen goods or damaged property, but interrupted trading, staff who no longer feel safe, contractual penalties, reputational harm and, on construction sites, programme delays that dwarf the value of anything taken.

Risk is the product of all three. A vulnerability that faces no realistic threat may need nothing; a modest weakness that sits in the path of a frequent, high-impact threat should be near the top of the action list. Getting that ordering right is the entire point of the exercise.

Why it matters more than most buyers realise

It directs money to the right places. Security budgets are finite. An assessment frequently shows that a site’s most cost-effective improvements are unglamorous — repairing a fence line, changing a locking routine, moving a camera — before any question of additional staffing arises. Equally, it can demonstrate that a manned presence genuinely is justified, and at which hours, rather than defaulting to round-the-clock cover.

It supports your duty of care. Employers and premises operators in the UK carry legal responsibilities for the safety of staff, visitors and the public. A documented, regularly reviewed assessment is practical evidence that risks were considered and addressed — something that matters after an incident, when questions are asked about what was foreseeable.

It strengthens insurance and contractual positions. Insurers may ask what security measures are in place and why. Landlords, event licensing authorities and principal contractors often require documented security arrangements. An assessment provides the reasoning behind those arrangements rather than a bare list of equipment.

In London, context changes street by street. High footfall, a dense night-time economy, mixed-use buildings where offices sit above retail, shared service corridors, and construction activity in almost every borough all shape a site’s exposure. Two premises a few hundred metres apart can face quite different risk profiles, which is why a walked survey of the specific site beats any generic checklist.

How the physical security risk assessment process works

The sequence below reflects standard practice; a competent assessor adapts the depth of each stage to the size and complexity of the site.

1. Scoping and information gathering

The assessor agrees what the review covers — a single unit, a whole building, an outdoor event footprint — and gathers background: incident history, existing procedures, opening patterns, staffing levels, previous surveys and any concerns raised by staff. Local context is checked too, because what happens in the surrounding area is part of the threat picture.

2. The site survey

A physical walk-through, ideally at more than one time of day. Boundaries, entrances and exits, lighting, sightlines, CCTV positions and coverage, alarm points, access control, key management, delivery routes, waste areas and roof or basement access are all examined. On a construction site the survey extends to plant storage, fuel, scaffolding access and hoarding integrity; at an event it covers ingress and egress routes, crowd pinch points and the perimeter.

Just as important is watching how the site actually operates. Doors that are propped open for convenience, visitor sign-in that is skipped when reception is busy, or contractors given unsupervised access tell an assessor more than any floor plan.

3. Threat and vulnerability analysis

Findings from the survey are set against the realistic threats to that site and sector. This is where experience earns its keep: recognising, for example, that a retail unit’s greatest exposure may be organised shoplifting during trading hours rather than overnight burglary, or that a hotel’s risk sits mainly around unescorted access to guest floors.

4. Risk evaluation and prioritisation

Each risk is rated — typically by likelihood and impact — and ranked. The output should make clear which handful of issues deserve attention first. An assessment that presents forty findings of apparently equal weight has failed at its main job.

5. Recommendations and mitigation

Proportionate measures are proposed for the priority risks. These usually mix physical improvements (locks, lighting, barriers, camera repositioning), procedural changes (access control routines, key audits, incident reporting, opening and closing procedures) and, where justified, people — static guarding, patrols, door supervision or event stewarding. Good recommendations state what each measure is expected to achieve, so its effect can later be judged.

6. Reporting and review

Findings, ratings and recommendations are recorded in a written report with clear ownership: who acts on each item, and by when. The assessment is then treated as a living document. It should be revisited on a set cycle and immediately after any trigger event — an incident or near miss, a change of layout or use, new tenants, altered opening hours, or a shift in local crime patterns.

The same process, different priorities by site type

One reason template-driven assessments disappoint is that risk genuinely differs by environment.

Offices centre on access control: reception discipline, tailgating at entry points, visitor management and out-of-hours arrangements, particularly in multi-tenant buildings with shared cores.

Retail premises balance an open, welcoming frontage against theft during trading hours, stockroom access and cash or high-value display handling, with closing-time procedures a recurring weak point.

Hotels must protect guests without making them feel monitored — lift and stairwell access to guest floors, luggage areas, function rooms and the late-night lobby all feature.

Construction sites change weekly. Perimeter integrity, plant and material storage, subcontractor access and out-of-hours exposure dominate, and the assessment must keep pace with each project phase.

Events compress every risk into a short window: crowd movement, entry searches, perimeter control, emergency egress and coordination with venue staff and, where relevant, the police.

The full sequence — from risk assessment through to event-day deployment and debrief — is set out in our guide to event security planning.

A useful assessment reads as if it were written for your site, because it was.

What a good report gives you — and a poor one doesn’t

Three features distinguish an assessment worth paying for. First, prioritisation: a short, ranked action list rather than an undifferentiated catalogue of observations. Second, ownership and timescales: every recommendation assigned to someone, with a date. Third, a review trigger: a stated schedule and the events that should prompt an earlier revisit.

It is also worth understanding what credentials do and do not tell you. An SIA licence is the legal entry requirement for licensable security roles in the UK — it is not, by itself, evidence that a provider assesses risk well. Indicators of quality sit elsewhere: relevant health-and-safety competence in the management team (such as IOSH-qualified staff), independent auditing, adherence to recognised British Standards for security services, and reports that demonstrate site-specific thinking rather than recycled text.

Accolade Security has operated in London since 2004 and holds SIA Approved Contractor status for Door Supervision, Security Guarding, Key Holding and Public Space CCTV. Its IOSH-qualified management team conducts site risk assessments and security audits as part of its security consultancy services, working to British Standards BS7499 and BS7858 under ISO 9001-certified processes — the same assessment-led approach that underpins its guarding, CCTV and construction site security work across London and nationwide.

When to commission or refresh an assessment

Treat any of the following as a prompt: you are opening, fitting out or relocating a premises; an incident or near miss has occurred; the building’s use, layout or tenancy has changed; opening hours have extended; an event is being planned; an insurer, landlord or client has asked for documented arrangements; or the last review is simply more than a year old. On fast-moving sites — construction above all — the interval should be shorter still.

Final thoughts

A physical security risk assessment is not paperwork for its own sake. Done properly, it is the difference between security measures chosen because they address your site’s actual weaknesses and measures chosen because they are what everyone else buys. Start with the assessment, and every subsequent decision — equipment, procedures, staffing — becomes easier to justify and easier to get right.

If you would like a professional view of your premises, Accolade Security offers a site security survey assessment for properties and events in London and nationwide. Email info@accoladesecurity.com or call 020 7709 3056 to arrange a visit.

Frequently asked questions

An assessment identifies and prioritises risks to decide what protection a site needs. An audit checks whether existing measures and procedures are working as intended. Sites benefit from both: the assessment sets the plan, the audit tests it.

It depends on the size and complexity of the site. A single retail unit or small office can often be surveyed in part of a day, while a large mixed-use building, live construction site or major event may need multiple visits at different times, plus document review.

At least annually, and sooner after any significant change: an incident, altered layout or use, new occupants, extended hours, or a planned event. Construction sites should review as the project moves through phases.

Someone with relevant, demonstrable competence — experience of your sector, health-and-safety qualifications such as IOSH within the assessing team, and the ability to show site-specific reasoning in the final report. Internal staff can contribute valuable operational knowledge, but an external assessor brings fresh eyes and comparative experience.

UK employers and premises operators have general legal duties to protect staff, visitors and the public, and workplace risk assessment is a core part of meeting them. Whether a dedicated security assessment is formally required depends on the context — licensing conditions, contracts and insurance often demand one in practice. This article is general guidance, not legal advice.