An ESRM approach to executive protection

Victoria Hanscomb
Michael Gips and Matthew Dumpert, both Kroll, discuss how risk management can be a useful tool when developing executive protection programs.
Executive protection strategies
The gunshots that killed UnitedHealthcare CEO Brian Thompson early in the morning of 4 December 2024 outside the Hilton Midtown in Manhattan continue to echo in corporate board rooms and executive suites.
Alleged shooter Luigi Mangione seems to have been motivated by rage against the US healthcare system, a fury that captures public sentiment.
According to YouGov, only 43% of the US adult population (including only 29% of those aged 18-44) have somewhat unfavorable or very unfavorable views of Mangione.
That tone shift signals the rise of a potential new threat actor: people with grievances against healthcare companies, insurers or businesses in which individuals perceive themselves as victims of a ruthless corporate “system” that prioritizes profit over people.
Executive protection teams have responded with a host of strategies: reviewing and adjusting risk assessment methodologies, reassessing risk, conferring with executive stakeholders, investing in enhanced protective measures and so on.
However, these changes shouldn’t simply be grafted onto an existing corporate security program.
They should be integrated holistically.
On a recent webinar in which the authors discussed the aftermath of the shooting, a guest asked how he could layer an Enterprise Security Risk Management (ESRM) program into existing executive protection and corporate security functions.
This article discusses how.
ESRM basics
According to ASIS’s ESRM Guideline (ASIS ERM-2019), ESRM is “a strategic approach to security management that ties an organization’s security practice to its overall strategy using globally established and accepted risk management principles.”
Its goal is “to identify, evaluate and mitigate the likelihood and/or impact of security risks to the organization with priority given to protective activities that help enable the organization to advance its overall mission.”
The ESRM cycle contains four components:
- Identify and prioritize assets
- Identify and prioritize risks
- Mitigate prioritized risks
- Continuous improvement
Let’s apply this cycle to executive protection.
In fact, a mature security department is likely already performing the actions described in this article, but perhaps not in a systematic, documented and measurable way.
It simply requires reframing what you are already doing.
Identify and prioritize assets
Executives and other key personnel constitute the relevant assets: their physical wellbeing, their ability to generate work and advance the organization’s mission, their value to the share price and their symbolic and brand value.
Who, though, is the asset owner? Is it the individual executive, who of course has the most compelling interest in his or her own life?
Is it the person or department that the executive reports to, such as the Chief Information Officer or Chief Operating Officer?
Or is it the Board, which has a fiduciary duty to serve in the best interests of the organization?
No sane person would relinquish the role of asset owner of their own life and wellbeing.
However, their supervisors have an obvious interest in and obligation to their direct reports, and they should be expected to play a role in the risk equation; as such, they should be considered primary stakeholders in risk decisions for those staff.
Many other potential stakeholders exist as well.
They may include the executiveโs family, the Board, major shareholders, corporate PR, human resources, the travel department, operations and other key executives and departments.
Corporate security and executive protection professionals should work collectively with the executive, their supervisors and any stakeholders to understand the business impact of harm done to the executive.
This can range from reputational damage due to the executive taking a pie to the face in a public area (Bill Gates, 1998; Rupert Murdoch, 2011) to the 1992 abduction of senior Exxon executive Sidney Reso, which at least briefly called into question the oil company’s ability to protect its own people.
Identify and prioritize risks
The core of any executive protection program involves casting a wide net to identify plausible risks to executives, with risks entailing the elements of threat, exposure and impact.
Part of this process is to analyze identified risks and to estimate their level, including operational, financial and reputational impacts.
Finally, the security team prioritizes risk by comparing the risk of each identified event with the company’s (and executive’s) risk tolerance.
When sorting through the universe of risks, what should an executive protection team include?
An obvious starting point is to look at previous attacks or threats against their own corporate executives, as well as any controversial or unpopular actions taken or positions held by the individual or the employer.
They should expand that search to other businesses in their industry or geography, as well as those with a similar ethic or credo.
They should also consider threats from the view of an adversary.
Risks may be a function of opportunity and potential gain rather than something specific to the executive.
In late 2024, for example, South American theft rings targeted the homes of professional athletes such as Patrick Mahomes, Travis Kelce, Joe Burrow and Luka Dončić, raiding their homes for valuables.
Today’s social media environment fans the flames of risk.
When Bud Light associated itself with trans influencer Dylan Mulvaney in 2023, who posted a video on Instagram of a special can with her face on it, conservative groups launched a boycott.
Musician Kid Rock subsequently posted a video of himself opening fire with a rifle on several cases of Bud Light.
That unsubtle threat of violence fueled threats against both Mulvaney and staff at Anheuser-Busch, the brewer of Bud Light.
The UnitedHealthcare murder may have unveiled a virulent strain of resentment against the healthcare and insurance industries, or, even more broadly, represented latent anticorporatism or sentiment for a class war.
In the days after the shooting, wanted posters appeared in Manhattan calling for the death of at least two other healthcare CEOs.
Is the executive an outspoken advocate for any particular cause, or do they identify with a specific community under threat?
For example, given the global protests of the war in Gaza, Israeli or Jewish executives might face greater risks, especially if they publicly support Israel in the conflict.
For two years, Disney and Florida Governor Ron DeSantis waged a feud over the “Don’t Say Gay” law, which put Disney executives in the crosshairs.
Chick-Fil-A, Target and Nike are among corporations that have faced increased threat due to social stances.
Executive protection professionals should discuss specific concerns with the executives themselves, which will uncover risks that security may not have been aware of, such as resentment in a local community where an executive just built a large vacation home or the executive’s friendship with a controversial public figure.
Prioritizing risks should be a collaborative exercise with the relevant executives.
What kind of exposure exists?
What would be the cost to your business in the case of death or injury to the executive? Which risks are within risk tolerance: trips to Dubuque but not to New York?
Security leaders need to ensure that executives understand the risks that they and the organization face.
More than that, security and protectees should maintain an ongoing relationship with clear communication so that risk identification and prioritization is a dynamic process.
Mitigate prioritized risks
Again, security or executive protection must work closely with the principal and stakeholders to manage risk in a way that suits all stakeholders.
It’s an advisory role, not a dictatorial one.
Managing risk could involve accepting it, transferring it, spreading it, mitigating it or removing it.
Security should offer viable options for whichever path the risk owners want to take.
For example, Disney could have reduced the risk it faced from public dismay at its “Don’t Say Gay” stance by endorsing DeSantis’ legislation, but that would have unleashed a backlash from opponents of the legislation, many of whom were on staff.
Security may not often get involved in such public policy disputes, but the example emphasizes the importance of explaining the consequences of risk management decisions.
Continuous improvement
As the ASIS guideline puts it: “The security professional should recognize that the operational environment is constantly changing.
“Monitoring changes in the physical, non-physical and logical environments is crucial toward understanding how and what should be improved in the security program.
“Continuous improvement responds to shifts in the risk landscape and collects data to enable informed decision making and appropriate alignment of security measures to risks.”
The UnitedHealthcare shooting qualifies as a significant shift in the risk landscape, especially as potential copycat incidents have come to light.
In their seminal work, Enterprise Security Risk Management: Concepts and Applications, Brian Allen and Rachelle Loyear discuss three elements of continuous improvement: incident response, root cause analysis and improvement, and ongoing security risk assessment.
As the authors explain, incident response can involve reacting to an actual incident, such as a kidnapping of an executive.
Or it can be a proactive response to, say, the threat of a family memberโs abduction.
In either case, incident response can make security aware of previously unknown risks and residual risks, that is, the risk remaining after a risk measure has been decided on and implemented.
A root cause analysis asks questions to discover how the event happened and how it can be prevented from recurring.
Questions, according to Allen and Loyear, might include: How did it happen? Could it happen again? Has the threat changed? Has the value of the asset changed? What controls failed? Do the same vulnerabilities exist? The analysis should be shared with the appropriate business units, executives or departments.
Finally, an ongoing security risk assessment reiterates the original assessment but adapts it for new information, new developments, new threats and risks, and so on.
While we have presented the basics of overlaying an ESRM approach to executive protection, a mature ESRM program contains many other elements, including working with other risk methodologies used by the organization, creating a governance structure, ensuring buy-in and leadership from the top, and designing and using metrics.
About the authors
Michael Gips, JD, CPP, CSyP, is a Managing Director in the Enterprise Security Risk Management practice at Kroll.
As Chief Global Knowledge and Learning Officer for ASIS International, he was responsible for integrating ESRM into all ASIS content and education.
He was also part of the team that developed the ASIS ESRM guideline published in 2019.
He is a 2006 graduate of R.L. Oatman’s Executive Protection training program.
Matthew Dumpert is a Managing Director at Kroll, where he runs the Enterprise Security Risk Management practice.
Prior to joining Kroll, Matthew was a US Diplomat, Special Agent and Regional Security Officer with the US Department of State’s Diplomatic Security Service, working in locations ranging from Dublin to Al-Hillah, Iraq.
This article was originally published in the April edition of Security Journal Americas.