As a corporate security professional, you know organizations across all industries face various workplace violence risks. And the evolving threat landscape can make prevention feel overwhelming, but it doesn’t have to be. By following a workplace violence threat management roadmap, you can effectively prevent incidents and sabotage, ensuring both the safety of your people and the strength of your organization.

The purpose of the threat management process is to evaluate threatening or alarming behavior, determine whether there is any actual threat or risk, and, if so, determine how to mitigate it.

The workplace violence threat management process

The process is comprised of the following six steps:

What’s in a name?

In addition to documenting and understanding the threat management process, it’s essential to decide what to call the person you are assessing. Teams vary in which term they use. If your organization already has a database to capture security events or incidents, you may already have a term that you can use to refer to the person you are assessing. If not — or if you want to choose a different term — here are some options to choose from:

• Entity
• Person of Interest (POI)
• Person in Question (PIQ)
• Subject of Concern (SOC)
• Person of Concern (SOC)
• Person Being Assessed (PBA)
• Threatening Person or Situation (TBS)
• Threat Actor (TA)
• Potentially Dangerous Person (PDP)
• Threatening Person (TP)

The specific term that your organization chooses is not critical. What is more important is using the same term throughout the process (whatever term you choose) so that the threat management process is easy to follow and easy to apply to any particular case. Many of the organizations I’ve worked with use either “Person of Interest” or “Entity.” For consistency throughout the remainder of  this article, I’ll refer to the subject of a threat assessment investigation as “Person of Interest” or “POI.” 

Threat management process case study

Let’s walk through an example to illustrate the threat management process from beginning to end.

In one organization I worked with, a CEO got a threatening email and alerted his executive protection detail. The detail leader created an incident report about the threatening email and forwarded the report to the organization’s threat management team. The threat management team followed the threat management process as detailed below: 

Incident intake

The threat management team reviewed the threatening email sent to the CEO from Derek Davidson. In Davidson’s email, he threatened to kill him and any other employees he could find at their headquarters if he was not given a new job with the organization; he gave the CEO 10 days to respond with a job offer. In the email, he also detailed various locations at the headquarters building and in the surrounding area where he felt he could lay in wait and get a good shot at the CEO and other employees as they walked from the parking area to the building.  

We also ran a search on Davidson’s name and identifiers in the organization’s security database. We found a prior incident report about Davidson when he was still an employee after he sent a series of emails to the organization’s board members criticizing how the organization treated veterans and making recommendations for improvement. That prior incident report had been referred to human resources to address the behavior; no further investigation had been conducted by the security department. The team answered screening questions about  Davidson’s threatening email and determined that they needed to use the threat management process to investigate, assess, and mitigate the threat.  

The team proceeded to the next step in the threat management process: Investigate the incident, the POI, their behavior, and information about their situation or circumstances. 

Investigation

The threat management team gathered information from multiple sources, including the departments within the organization — including HR, Davidson’s personnel file, Davidson’s former supervisor, and the Employee Assistance Program. We discovered that Davidson had left his job at the organization six years prior (to move to a different city with his fiancée) and was eligible for re-hire. He had applied for a new position within the organization but did not get the position. He applied for another position but was turned down for that job as well. It was after he was turned down a second time that Davidson emailed his death threat to the CEO.

We also gathered information from external sources, including running a criminal background check and social media check. We discussed possibly talking with Davidson and decided we would do so if we could identify someone in the organization who still had a positive relationship with Davidson, which we found by reviewing his recent job applications (Davidson listed a current employee at the organization among his references).  

After the investigation, the team moved to the next step in the threat management process: Analysis of the information in the investigation. 

Analysis and assessment

The threat management team analyzed the information it had obtained in order to “connect the dots” — looking for any indications that Davidson was on a pathway to violence, identifying what problems or circumstances might be driving him to see violence as a solution, and, identifying any missing information, to see if further information gathering efforts are necessary.

After the analysis, the team moved to the next step in the threat management process: Make an assessment to determine if the POI poses a threat of violence, suicide, or sabotage — or is on a pathway to violence, suicide, or sabotage.  

Based on their analysis of the information gathered in the case, the threat management team answered the assessment questions and determined that Davidson was on a pathway to violence — with a plan and possibly at the preparation stage for engaging in violence.  Because of this, the team proceeded to the remaining steps in the threat management process.

Threat intervention and protection 

To intervene and protect, the team focused on the problems and circumstances that we thought were driving Davidson to resort to violence or to see violence as a desirable way to solve his problems. 

In Davidson’s case, we kept a close eye on how the interventions were working. We developed a backup plan in case Davidson’s behavior deteriorated, which would have involved bringing Davidson for an emergency psychiatric evaluation to contain an imminent threat. Once Davidson had been connected with mental health resources for several weeks and had a colleague who was checking in with him on a regular basis, we updated the assessment by answering the assessment questions again. We felt at that time that Davidson no longer posed a threat of violence to the CEO or other employees. The team put mechanisms in place to continue to monitor Davidson for several months beyond that.  

Monitor, update, and close

After several months of monitoring and multiple updated assessments that showed that Davidson no longer posed a threat of violence, we closed Davidson’s threat management case. We documented the investigation and intervention in our system of record, so we had a clear history of what worked to reduce Davidson’s risk, in the event he became a concern again. 

What’s next?

In the next article of this series, I’ll get into details of the first step in the threat management process: Intake of incident reports and screening them to determine if you need to use the threat management process.