As evidenced by the April arson attack against OpenAI’s head office, and the armed gunman who walked into Aetna’s corporate headquarters in Connecticut, the threat against high-profile individuals and corporations remains high. Boards of Directors and executives are asking “What can be done to keep our employees and assets safe given the recent escalation of violence?”
A myriad of options are available from local security integrators and professional security consulting firms to address various risks, but the two most common, and comprehensive, solutions are the Independent Security Study (“ISS”) and the Threat, Vulnerability, and Risk Assessment (“TVRA”). The question then becomes: which is better, an ISS or TVRA?
This question, however, misunderstands the purpose and scope of the two assessments, and this blog is designed to help differentiate between the two.
ISS vs. TVRA Scope: Executive-Centric Protection vs. Enterprise-Wide Risk
The ISS is an assessment designed to meet the specific parameters of 26 CFR § 1.132-5 (Working condition fringes) and is singularly focused on establishing a bona fide threat profile for one individual, such as the CEO. While the ISS considers the physical security of the executive’s office location, its scope is limited to what affects that executive. For example, the ISS would only consider the executive floor of a multi-story office, giving particular attention to the pathways to that space, including the route to the principal’s office, rather than every floor the company occupies.
The TVRA, meanwhile, is much broader and more asset-centric, looking across an organization’s entire portfolio of facilities, infrastructure, systems, and processes to identify threats, assess vulnerabilities, and evaluate the likelihood and impact of potential incidents. It examines the governance and controls already in place, and the risks that remain, across physical, operational, cyber, and environmental areas to understand how well the organization is protected and prepared for adverse events. Its output is a prioritized, layered set of initiatives aimed at strengthening the organization’s overall security posture and resilience across its people, processes, and technology, and sometimes its reputation.
Who the Report Is For: Boards and Tax/Legal (ISS) vs. Security and Risk Teams (TVRA)
Perhaps the biggest differentiator between the two assessments is for whom the resulting reports are created. The ISS, because it is used to establish and justify potential tax benefits for the business and its principal, necessarily involves the tax and legal departments. Often, ISS results are also shared with executive leadership more broadly and with the board of directors. The TVRA product, meanwhile, usually does not rise to this level and is more narrowly distributed among security, operations, and risk management leaders and groups.
Who Should Perform an ISS or TVRA: Internal Teams vs. Independent Third Parties
In-house security teams typically conduct TVRAs on a recurring or annual basis, but the process most often begins with a third-party subject matter expert. Outside consultants bring specialized knowledge and the capacity to deliver a thorough assessment without competing internal priorities or timing constraints. Once the initial engagement is complete, internal teams are well positioned to carry the process forward on their own. External consultants may still be brought back periodically to provide a quality assurance review, particularly as adversary tactics, techniques, and procedures continue to evolve.
Meanwhile, the ISS, by nature of its design as an independent security study, requires outside assistance. This can sometimes cause confusion when in-house security teams have already done some of the work required under Internal Revenue Code Section 132. As I wrote about in an earlier blog, it is difficult to argue that a report jointly prepared by the company and the security consultant provides an objective assessment of all facts and circumstances. Companies and their tax advisors must consider whether such a report is defensible during an IRS audit.
ISS vs. TVRA Outcomes: Security Improvements, Budget Impact, and Potential Tax Advantages
At the end of the day, both TVRA and ISS assessments are valuable in mitigating risk for corporations, but they serve distinct purposes. The ISS, as set forth under Internal Revenue Code Section 132, carries the additional benefit of potential tax advantages for the business on the resulting mitigation expenditures, even when the recommendations from an ISS and a TVRA are the same. For example, a physical security assessment may identify security gaps at the corporate headquarters where the principal and executive leadership team sit, requiring hardware and integration upgrades to cameras, door locks, and access control and intrusion detection systems. When those gaps surface in a TVRA, security teams frequently must request additional capital funds as part of their annual budget, where they compete with other organizational and leadership priorities. If the same gaps surface in an ISS, however, that very same security expenditure may result in a tax write-off for the business. Similarly, deficiencies that an ISS identifies in operational policies for executive protection and CEO travel risk may provide justification to expand security assessments to other facilities and personnel within the company.
Whether your organization is determining the right protection framework for a senior executive or evaluating risk across an entire enterprise, the decision about which assessment to pursue is only half the equation. The other half is who conducts it. Both the ISS and the TVRA deliver their greatest value when led by an independent third party, like Guidepost, with the specialized knowledge to see beyond the obvious gaps, benchmark findings against current threat realities, and produce a result that is defensible to boards, auditors, and adversaries alike. Before your organization commissions its next assessment, it is worth asking whether the team you are considering can truly deliver all three.