Home Book Why Most People Misunderstand Threat & Risk — and Pay for It LaterBack to all articles
Book

Why Most People Misunderstand Threat & Risk — and Pay for It Later

Philip Grindell
Written by Philip Grindell
Sophie Rudge Sky News

Before you can reduce a threat, you need to understand what it’s actually made of.

In the mid-1980s, during recruit training at the Guards Depot, I wasn’t allowed anywhere near a weapon with live ammunition until I could strip it down completely, put it back together again, and handle it safely.

Every component. Every part. What it did. How it fitted together.

Only then — once I understood the mechanism — was I trusted to fire it.

Before you can reduce a threat, you have to understand what it is made of.

Most people — and most organisations — skip that step. They respond to the surface without understanding the structure. That’s where things go wrong.

Threat, vulnerability and risk are not the same thing

These three words are used interchangeably. They shouldn’t be.

Threat is the starting point. It has two components: intent and capability. Both must be present for a threat to be viable. Remove either one, and the threat collapses.

Vulnerability is how exposed a target actually is — the gaps in their defences, the weaknesses a threat actor would seek to exploit.

Risk is the combination of likelihood and impact. How probable is an attack, and how serious would the consequences be? It is the product of threat and vulnerability combined.

These three elements form what I call the Risk Chain. Understand the chain, and you can start to break it.

Threat: intent and capability — the two things you’re always looking for

Intent is the motivation — the grievance, the ideology, the anger that drives someone towards harm. Targeted threats almost always have a grievance at their root. Find it, address it proportionately, and the intent often dissipates.

But intent without capability rarely produces a serious threat.

In serious threat assessment, two questions are always kept separate: what does this person want to do, and can they actually do it? Conflating them — or answering one in place of the other — produces a risk picture that is incomplete at best and dangerously misleading at worst.

When a threat comes across my desk, the first question isn’t “how serious does this sound?” It’s “Is this credible?” Most of what I see is noise — frustration, bluster, someone sounding off with no intention or ability to act. The job is to separate that from the genuine threat, as quickly and accurately as possible.

A case that illustrates this came while I was leading the threat assessment team at UK Parliament following the assassination of Jo Cox MP in 2016. Hundreds of concerning communications came to our attention. Most was noise. But one wasn’t.

A message came through describing a threat to Rosie Cooper MP. The person behind it was Jack Renshaw — a neo-Nazi white supremacist, member of the proscribed terrorist group National Action, and under investigation for child sexual abuse offences. He had disclosed his intention to kill the MP and a police officer — a clear case of leakage, revealing genuine planning rather than empty bragging.

Several pre-attack indicators were present. I contacted the head of the Domestic Counter Terrorism Unit, shared my assessment and the indicators that supported it, and an investigation was launched.

Jack Renshaw was convicted of plotting to kill Rosie Cooper MP and a police officer. He received a life sentence.

The point isn’t that the threat was dramatic. Many dramatic threats go nowhere. The point is that the assessment process — working through intent and capability, identifying the indicators that separate noise from danger, and articulating clearly why this one warranted escalation — is what made the difference.

When intent and capability get confused: a live example

This week, Sky News journalist Sophie Rudge asked the UK Defence Secretary, John Healey, a direct question.

“Does Iran have the capability to strike London?”

She asked it twice. She never got an answer.

What she got, on both occasions, was: “We have no assessment that Iran has any plans to attack.”

Plans are intent. She asked about capability.

Healey consistently answered the wrong component without acknowledging it. Sophie Rudge spotted it immediately. “I don’t really understand the language,” she said. She wasn’t confused. She had identified that the language was avoiding her question.

He did not say Iran cannot strike London. He said there are no plans to do so. Those are not the same statement. A proper threat assessment would never treat them as if they were.

An incomplete risk picture is not reassuring. It is a different kind of vulnerability.

Vulnerability: where most security thinking focuses — and often gets it wrong

If we can’t reduce the threat directly, we look at vulnerability.

The question is never whether vulnerabilities exist — everyone has them. It’s which ones matter, given the specific threat being assessed.

One of the most consistently underestimated vulnerabilities for prominent individuals is digital exposure — what is already publicly available about them, their family, their routines, and their connections, often without their knowledge. A motivated threat actor conducts hostile reconnaissance before they act. Understanding what they would find — and where the real gaps are — is the starting point for any proportionate response. That is what the Digital Exposure Assessment is designed to do.

When I was responsible for the safety of politicians, we couldn’t tell MPs to stop meeting the public, stop sharing contact details, or stop saying things people disagreed with. That would have meant stopping them doing their jobs.

The response has to be proportionate. The job isn’t to eliminate all risk. It’s to identify which vulnerabilities are most likely to be exploited and address those first.

Risk: where it all comes together — and where most professionals get it wrong

Risk is the combination of likelihood and impact. What is the probability of something negative happening, and what would the consequences be? Both must be assessed. Neither alone tells you anything useful.

Consider a client under threat of blackmail. Unless they do X, Y will be exposed. Their instinct is to calculate the likelihood and impact of that exposure. But the moment they decide to expose Y themselves — to take control of the disclosure — the entire calculation collapses. The likelihood disappears. The impact disappears with it. The blackmailer has nothing left.

That is how risk is reduced. Not always by addressing the threat. Sometimes, by removing the impact that the threat depends on.

This is where too many professionals go wrong. When asked for a threat assessment, they assess the threat. When asked for a risk assessment, they provide a more detailed description of the threat. They miss the likelihood calculation entirely, or treat impact as self-evident.

A threat assessment answers: Is this threat real, and can the threat actor act on it?

A risk assessment answers: given the threat and the vulnerability, what is the likelihood of harm, and what would the impact be?

They are different documents. They answer different questions. Confusing them is not a minor error — it is the kind of error that leaves people exposed.

How it fits together

Work through it in order.

  1. Identify the threat — who is it, what do they want, and can they act on it?
  2. Look at the vulnerability — what are the gaps in the target’s defences, and which is the threat actor most likely to exploit?
  3. Consider the impact — what happens if an attack succeeds, and what are the longer-term consequences?
  4. Having assessed the likelihood, what can be done to mitigate it, and are the costs proportionate to the impact if nothing is?

Risk is not a fixed condition. It’s a chain. And chains can be broken.

When something doesn’t feel right — about a person, a situation, or the reassurances you’re being given — which part of the chain are you actually looking at?

 

Go deeper

The Risk Chain, pre-attack indicators, and the behavioural framework that underpins everything described in this article are covered in full in Personal Threat Management: The Practitioner’s Guide to Keeping Clients Safer.

Written for security professionals, advisers, and anyone responsible for the safety of prominent individuals, it sets out the complete methodology — from identifying credible threats to managing risk proportionately over time.

If this article has raised questions about your own situation or that of a client, get in touch for a confidential conversation.

Philip Grindell is the founder and CEO of Defuse Global, a specialist threat investigation and crisis management consultancy working with UHNW individuals, family offices, and their advisers. His book, Personal Threat Management: The Practitioner’s Guide to Keeping Clients Safer, sets out this framework in full.

You may also like...

🧠 When Wealth Becomes a Target
Book
Family relaxing on terrace together
🧠 When Wealth Becomes a Target Why the Misinformation Around Tax Is Making the Wealthy Genuinely Unsafe By Philip Grindell MSc CSyP, Founder & CEO, Defuse Global 🚨 A Growing Pattern of Attacks January 2025: French ... Continue reading
🔒 Your Home’s Secrets Are Already Public
General
Home Security
🔒 Your Home’s Secrets Are Already Public Here’s What Others Know About You Most people think home security means buying an alarm and hoping for the best. But here’s the uncomfortable truth: while worrying about locks and ... Continue reading
Call us today +44 (0)207 293 0932 Have us call you back

Consent(Required)
This website uses cookies. By continuing to use the site, you are acknowledging the terms of our Privacy Policy.