Security Risk & Investment Readiness Diagnostic
A practitioner-led assessment that surfaces where security programmes drift out of alignment — and what that means for the investment case you need to build.
Your sector calibrates the peer benchmark. A premium hotel and a budget property share a sector classification but carry fundamentally different risk profiles — be specific.
What sector does this organisation operate in?
Hospitality — hotels, resorts, events, food and beverage
High public access · brand-sensitive · VIP exposure
Commercial real estate — offices, business parks, mixed-use
Mixed access · information assets · executive exposure
Public access · distributed accountability · perception vs preparedness gap
If this site were disrupted for 48 hours, what would the business impact be?
This anchors the financial framing in the output — not the risk score.
Minimal — operations can be paused or relocated without material impact
Noticeable — measurable revenue or operational cost impact
Significant — losses in the hundreds of thousands; operational and contractual exposure
Severe — millions at risk; reputational, regulatory and financial consequences combined
How visible is this organisation externally?
Low profile — limited public or media presence
Regional brand — known within its geography or sector
National brand or listed entity — broad public recognition
High visibility — media scrutiny, hosts VIPs, or politically sensitive environment
Section 2 of 5 — Threat environment
What does the threat landscape look like?
The most damaging incidents are rarely caused by the threats organisations spend the most time discussing. Insider failures, contractor gaps and unexercised response plans consistently cause more harm than perimeter breaches.
Which threats are you genuinely concerned about at this site?
Select all that apply. Do not include threats you are confident have been fully addressed.
Theft, burglary or asset loss
Unauthorised access — outsiders or unescorted contractors
Insider threat — staff misconduct, data theft or sabotage
Consistently the most underacknowledged risk across every sector we work in
Workplace violence or aggression — by staff, customers or visitors
Terrorism, extremism or targeted hostile attack
Includes soft-target vulnerability and VIP-adjacent exposure
Civil disorder, protest or reputational attack
Cyber-physical convergence — digital attacks affecting physical operations
Supply chain or contractor-borne risk
How would you characterise the crime environment around this site?
Elevated — known area of concern or recent deterioration
High — persistent threat environment; staff incidents have been reported
How many recordable security incidents in the past 24 months?
Include theft, access violations, aggression, near-misses and formal complaints. Absence of records is not the same as absence of incidents.
None recorded
1–5 minor incidents
6–20 incidents of varying severity
More than 20, or at least one serious incident requiring escalation
Section 3 of 5 — Current security posture
How mature is your current security programme?
Maturity is not the same as presence. A CCTV system that is not actively monitored is not a surveillance programme. Answer for how controls actually operate — not how they appear in policy documents.
Governance — how is security managed at leadership level?
Governance maturity is the single strongest predictor of long-term programme effectiveness.
Security is not formally represented at leadership level
Reactive decisions; no dedicated budget owner; no structured programme
Someone is responsible — but it is not their primary role
Typically Facilities, HR or Operations carrying security as an additional duty
A dedicated security function exists with its own budget and reporting line
Regular reviews occur; policies exist; application is inconsistent
Security is embedded at board or executive level with a formal programme
Risk reviews, KPIs, audit cycles and improvement plans operating consistently
Technology — how would you characterise your security technology programme?
Little to no technology deployed
Basic systems — CCTV, some access control — not integrated or actively managed
Technology deployed and monitored — not necessarily optimised or current
Integrated, maintained and regularly reviewed — aligned with current threat picture
Guard force — how would you characterise your security personnel?
No security personnel deployed
Guards present — primarily for access and deterrence; minimal training and documentation
Guards trained, follow documented SOPs and are actively supervised
Professional security team — vetted, trained, exercised and performance-reviewed
Incident response — what happens when something goes wrong?
The gap between detection and response is where organisations pay the highest price.
No documented response procedures — incidents handled ad hoc
Basic procedures exist but not widely understood or regularly tested
Plans regularly exercised, reviewed after incidents and updated accordingly
Section 4 of 5 — Security culture
How embedded is security across the organisation?
The failures that stay with us longest are rarely about missing cameras. They are about the manager who tolerated the exception that became standard practice, and the culture in which security quietly became someone else's problem.
How would you describe security awareness and ownership across the organisation?
Security is rarely discussed and is viewed as the responsibility of the security team
Most staff have limited awareness of their own security role
Security awareness exists in some areas but is not consistently demonstrated
Pockets of good practice; the culture overall is uneven
Security expectations are generally understood; staff participate in training and reporting
Developing — most people know what is expected, not all consistently act on it
Security is embedded in daily behaviours, management decisions and operational practices
Ownership is shared; the culture is proactive and visible at all levels
Section 5 of 5 — Business drivers
Why are you looking at this now?
The investment driver shapes how the case must be framed — and what language it must speak. Your answers here determine the board framing and CFO narrative in the report.
What is the primary reason you are considering security investment at this time?
A specific incident or near-miss has raised internal concern
The most powerful driver available — use it; do not minimise it
Board or senior leadership directive
Priority is structured response, measurable progress and governance improvement
Compliance, audit finding or regulatory obligation
Compliance is a floor, not a ceiling — frame it as risk management
Business growth, new site or operational expansion
The moment to build the right foundation — retrofitting is always more expensive
Insurance premium, coverage condition or renewal requirement
Client, partner or customer security requirement
Proactive review — security governance as part of good management practice
Who is the primary audience for the investment case?
Board, CEO or owners — financial consequence and reputational framing
CFO or Finance — loss avoidance, cost-benefit and risk quantification
Operations or Facilities leadership — practical, implementable framing
I am the decision-maker — I need to stress-test my own thinking