
How to Conduct a Threat, Risk & Vulnerability Assessment (TRVA) for Critical Sites

2026   •   8 min read   •   Risk

You cannot protect what you have not assessed. The Threat, Risk & Vulnerability Assessment (TRVA) is the foundation of every credible critical infrastructure security plan. It transforms a vague sense of "we need more security" into a prioritised, defensible programme of measures. Here's how a structured TRVA works in practice.

Step 1: Site Risk Profiling

Begin by characterising the site: its function, criticality, location, surrounding environment and the consequences of disruption. A power station, a water-treatment works and a telecommunications hub each carry different risk profiles. Profiling establishes what you are protecting and why it matters.

Step 2: Map Dependencies and Interdependencies

Critical infrastructure rarely stands alone. A single site may depend on external power, water, fuel, connectivity and personnel access. Mapping these dependencies — and the interdependencies between systems — reveals cascade risks where one failure triggers others.

Step 3: Identify Threat Vectors

Assess the realistic threats facing the site:

  • Sabotage — deliberate damage to disrupt operations.
  • Terrorism — attacks intended to cause harm or fear.
  • Insider risk — staff or contractors who abuse legitimate access.
  • Organised crime — theft of high-value assets such as cable, fuel or metals.

Threats must be assessed against intent and capability — not just imagined worst cases. A realistic threat picture keeps mitigation proportionate.

Step 4: Assess Vulnerabilities

Vulnerabilities are the gaps a threat could exploit: weak perimeters, blind spots in CCTV coverage, poorly controlled access points, untrained personnel or unmonitored contractor activity. Each vulnerability is rated by how easily it could be exploited and the impact if it were.

Step 5: Calculate and Prioritise Risk

Risk is the product of threat likelihood, vulnerability and consequence. Scoring each scenario lets you rank risks and focus resources where they reduce the most exposure — rather than spreading budget thinly across low-value measures.

Step 6: Recommend Resilience Measures

Translate findings into layered measures: deterrence, detection, delay and response. Effective resilience combines physical protection systems, trained personnel, clear procedures and tested response plans. The aim is not a single impenetrable barrier but defence in depth.

Step 7: Continuous Improvement

A TRVA is a living document. Threats evolve, sites change and incidents reveal new gaps. Schedule regular reviews and update the assessment after any significant incident, change of use or regulatory change under CIPA.
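
The following worked example is added here and is not part of the original article. It shows how the dependency map from Step 2 feeds the scoring in Step 5, so that a low-value asset can rank high once its downstream failures are counted. The 1 to 5 scales, the rule that a scenario takes the worst consequence among all affected assets, and all asset and scenario data are constructed assumptions.

```python
# Constructed data (Step 2). Assumption: losing any one dependency stops the asset.
DEPENDS_ON = {
    "control_room": {"generator", "fibre_link"},
    "pump_station": {"control_room", "grid_feed"},
    "generator": {"fuel_store"},
}

# Constructed consequence ratings per asset, 1 (minor) to 5 (severe).
CONSEQUENCE = {
    "control_room": 4, "pump_station": 5, "generator": 3,
    "fibre_link": 2, "grid_feed": 3, "fuel_store": 2,
}

# Constructed scenarios: (name, asset hit, threat likelihood 1-5, vulnerability 1-5).
SCENARIOS = [
    ("Cable theft on fibre route", "fibre_link", 4, 3),
    ("Insider tampering in control room", "control_room", 2, 4),
    ("Fuel theft from store", "fuel_store", 3, 4),
    ("Sabotage of pump station", "pump_station", 1, 2),
]


def cascade(asset, depends_on=DEPENDS_ON):
    """Return the asset plus everything that fails downstream of it."""
    failed, todo = {asset}, [asset]
    while todo:
        current = todo.pop()
        for name, deps in depends_on.items():
            if current in deps and name not in failed:
                failed.add(name)
                todo.append(name)
    return failed


def rank(scenarios=SCENARIOS):
    """Score likelihood x vulnerability x consequence (Step 5), highest first."""
    rows = []
    for name, asset, likelihood, vulnerability in scenarios:
        affected = cascade(asset)
        # Assumption: consequence is the worst rating among all affected assets.
        consequence = max(CONSEQUENCE[a] for a in affected)
        rows.append((likelihood * vulnerability * consequence, name, sorted(affected)))
    return sorted(rows, key=lambda r: (-r[0], r[1]))


if __name__ == "__main__":
    for score, name, affected in rank():
        print(f"{score:3d}  {name}: {', '.join(affected)}")
```

Scored in isolation, the fuel store and fibre link would each carry a consequence of 2; with their cascades included they tie for the top of the ranking.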

Train Your Team to Run a TRVA

Our risk module builds practical TRVA competency mapped to SAQA unit standards.
