Security & Operational Risk Assessment Toolkit
Excel register with automatic scoring, live heatmap and dashboard · methodology guide · executive report template.
Editable toolkits, a practitioner-taught masterclass, and free starters — built from 22+ years running security, investigations and crisis response in the field. Structured around ISO 31000 and ISO 22301.
Score twice — inherent and residual. The movement is the argument for your budget. Every toolkit here is built on that method.
Each starter is the working manual version of a full toolkit: five pages, genuinely usable on its own, instant download. Take the one that matches your problem.
The 5-step method · scoring scales · a worked example you can copy.
The 6-step process · one-page incident report · interview checklist.
One-page BIA · MTPD, RTO and RPO explained · crisis-team roles.
Complete working systems — registers, scoring, plans and report templates — with worked examples throughout. Buy once, use across your organisation.
Excel register with automatic scoring, live heatmap and dashboard · methodology guide · executive report template.
The full risk toolkit, plus investigation, interview and incident report templates with a case tracker and evidence & chain-of-custody log.
Automated business impact analysis workbook · continuity strategies · crisis action log · ready-to-complete crisis management plan.
The risk assessment toolkit licensed for your whole team, including use on client engagements.
A growing library of practitioner toolkits across four domains. Items marked Available ship today; the remainder are in active development and release in sequence — each built to the same field-tested standard, not padded to fill a list.
Available now: the Risk Assessment Toolkit, the Business Continuity & Crisis Management Toolkit, and the Risk + Investigation Bundle. New toolkits are released regularly — the fastest way to hear first is a free starter above.
Security & Operational Risk Assessment Masterclass. The complete method behind the toolkit: plan, score and present a risk assessment leadership acts on — taught the way it is done in the field, not the way it is written in textbooks.
The full course and all worksheets.
The course plus the complete Risk Assessment Toolkit — the tool used in every exercise.
Everything in Complete, plus the Investigation and Continuity toolkits and Q&A feedback on one of your assessments.
Inherent and residual. The movement between the two numbers is the evidence your controls earn their cost — and the argument that wins budget.
Every risk is written so it can be scored, owned and fixed. “Theft risk” is a category; a risk statement names the weakness to close.
Nothing counts until a named person has signed for it. Registers die of vagueness; these are built to be answered for.
Practical notes on risk, investigations and continuity — the same thinking behind the toolkits. New pieces publish on LinkedIn first.
Most security risk assessments fail for one reason: they are scored once. A single score tells you a risk is “medium” and nothing else. It hides the one thing leadership needs to see — whether your controls are doing anything.
Score every risk twice. Inherent: the exposure with no controls in place. Residual: what remains with your current controls working. The gap between the two numbers is the entire argument for your budget.
A risk that drops from 20 to 6 proves the spending works. A risk that barely moves tells you where to look next. Score once, and that story is invisible — which is why many managers lose the funding conversation before it starts.
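The two-score method above, as an added Python example (not the page's Excel register): a small risk register that scores each risk inherent and residual, computes the movement between the two, bands both scores for a heatmap, and flags entries with no named owner or whose controls barely move. The 5x5 scale, the band ceilings and the 25% cut-off are assumptions, as is the constructed register at the end.

```python
from dataclasses import dataclass
# Added example, not the page's Excel toolkit. The 5x5 scale (score = likelihood x
# impact, 1-25), the band ceilings and the 25% "barely moves" cut-off are assumptions.
BANDS = ((5, "Low"), (10, "Medium"), (15, "High"), (25, "Extreme"))
BARELY_MOVES = 0.25

def score(likelihood, impact):
    """Likelihood x impact on the assumed 1-5 scales."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must each be 1-5")
    return likelihood * impact

def band(s):
    return next(name for ceiling, name in BANDS if s <= ceiling)

@dataclass
class Risk:
    statement: str   # names the weakness to close, not a category
    owner: str       # the named person who signs for it
    inherent: tuple  # (likelihood, impact) with no controls in place
    residual: tuple  # (likelihood, impact) with current controls working

    def movement(self):
        """Inherent minus residual: the evidence that controls earn their cost."""
        return score(*self.inherent) - score(*self.residual)

    def flags(self):
        """Register-hygiene checks: named owner, direction of movement, dead weight."""
        out = []
        if not self.owner.strip():
            out.append("no named owner")
        if self.movement() < 0:
            out.append("residual exceeds inherent")
        elif self.movement() < BARELY_MOVES * score(*self.inherent):
            out.append("barely moves: look here next")
        return out

def dashboard(register):
    """One row per risk, highest residual first, both scores with their bands."""
    rows = []
    for r in sorted(register, key=lambda r: score(*r.residual), reverse=True):
        inh, res = score(*r.inherent), score(*r.residual)
        rows.append((r.statement, inh, band(inh), res, band(res), r.movement(), r.flags()))
    return rows

# Constructed register: the page's "20 to 6" risk beside one that barely moves.
REGISTER = [
    Risk("Unescorted contractor access to the server room", "A. Owner", (5, 4), (2, 3)),
    Risk("Cash office door left unlocked at shift change", "", (5, 4), (4, 4)),
]
```

Running `dashboard(REGISTER)` puts the unowned, barely-moving risk at the top of the list, which is exactly where the next round of control work belongs.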
When you present risk to leadership, how do you show them your controls are earning their cost?
Continue the discussion on LinkedIn →
An investigation is usually lost in the first hour, not in the final report. The early mistakes are consistent: evidence handled before it is secured, an outcome decided before the facts are in, notes written from memory days later, opinion recorded where fact belonged.
None of these are knowledge problems. They are discipline problems — and discipline is what holds up when a case is challenged months later by people who were not there.
The remedy is a repeatable process: assess and plan, preserve evidence, gather, interview, reach fact-based findings, then report. The same six steps whether the matter is fraud, theft or misconduct.
What is the earliest mistake you have seen compromise an investigation?
Continue on LinkedIn →
“We have a plan” is one of the most dangerous sentences in business continuity. A plan nobody has tested is a document, not a capability.
The most common flaw is quiet but decisive: a recovery target set longer than the disruption the business can survive. Two numbers decide it — the maximum tolerable period of disruption (MTPD) and the recovery time objective (RTO). If the recovery target equals or exceeds the tolerable period, the plan fails on paper before anything goes wrong.
Recovery objectives must sit inside what the business can absorb, with margin. Test them before you need them.
When did you last test your continuity plan, rather than file it?
Continue on LinkedIn →
A security and risk leader with more than 22 years across corporate security, criminal investigations, fraud examination and crisis management — including service as a Senior Fraud & Security Investigator at the U.S. Embassy in Cairo, operations and strategic planning on a United Nations field mission, and leadership of destination-wide security and incident command at a major Red Sea destination.
Every template, checklist and lesson here is the working method from that career — written down, structured around ISO 31000 and ISO 22301 terminology, and stripped of theory that does not survive contact with a real operation.
Physical protection and loss prevention, built in layers.
Reports that hold up — structure, evidence and findings.
Open-source intelligence applied to security decisions.