Completing a University Threat and Risk Assessment

Michael Herrera

The process of performing a Threat and Risk Assessment (TRA) for an educational university is a complex endeavor if you have not performed one in the recent past.  The purpose of the TRA is identify the most relevant threats to the organization but also assess the current level of mitigation that is inherent within the organization.  Remember, hazard mitigation is sustained action taken to reduce or eliminate long-term risk to people and their property from hazards and their effects.  The greater the mitigation, the greater the reduction in long-term risk.  Performing a comprehensive TRA will take at least 160 hours to complete from beginning to end.  Below are the high level steps to complete an assessment:


In preparation for the assessment, gather the following information:

  1. Maps of the Campus (e.g., GIS maps with layering is best)
  2. Recent History of Events (e..g, Within last 5 years)
  3. High Value Assets (e.g., data centers, student buildings, dorms, research labs, stadiums,  etc.)
  4. Key Infrastructure Locations (e.g., power, water, data/voice network, etc.)
  5. Relevant Threat List Based on Location and Past History  (e.g., man-made, natural, technology)
  6. FEMA Weather Based History (e.g/, hurricanes, floods, earthquakes, etc.)
  7. Use of the Campus for High Profile Events (e.g., presidential visits, other high profile events, controversial issues, etc.)
  8. Maximum Population of the University at Peak Time


  1. Schedule interviews of key personnel to include the Police Department, Campus Emergency Management, Environmental Health/Safety, Information Technology, Senior Faculty, Local Emergency Management,  etc.)
  2. Interview personnel to determine level of mitigation in place for their key areas of responsibility to include emergency plans, backup power, network resiliency, business continuity, disaster recovery, stakeholder communications, evacuation planning, active shooter preparation,hazardous material spills, community readiness, ability of community to respond to a university event, etc.)
  3. Interview senior faculty to address their understanding of risk/threats,  level of mitigation currently in place and most relevant concerns.  Use this information to compare to  the results of the study.
  4. Tour the high value assets of the university and assess level of mitigation and hardening.
  5. Tour key infrastructure areas (e..g, power, water, network) and assess level of mitigation and hardening.
  6. Determine what high value assets need to have the most hardening.


  1. Assess level of mitigation based on results of the interviews.
  2. Document critical exposures and opportunities for improvement.
  3. Prioritize exposures and opportunities for improvement.
  4. Determine most relevant threats to the university (e.g. focus on Top 5).
  5. Document management report and mitigation plan over the next 18 to 24 months.
  6. Review report and mitigation plan with university management.

In closing, the TRA study should identify the most relevant threats and outline how we can best mitigate against them.  It is important to note that senior faculty may choose to accept the risk and not implement mitigation steps that are too costly, too time consuming, etc.  What is important is that you have identified what to be most concerned with and how to minimize its effect.  Your TRA should be updated annually.

About MHA: MHA Consulting, with its decade-long track record, is a proven leader in business continuity planning, disaster recovery planning, IT best practices and data center moves and relocations. Every day, MHA helps protect trillions of dollars of global-market assets and top companies around the world rely on MHA services for the continuity of their business. For more information on MHA, contact Michael Herrera at herrera at mha-it dot com or visit

Michael Herrera is the Chief Executive Officer (CEO) of MHA. In his role, Michael provides global leadership to the entire set of industry practices and horizontal capabilities within MHA. Under his leadership, MHA has become a leading provider of Business Continuity and Disaster Recovery services to organizations on a global level. He is also the founder of BCMMETRICS, a leading cloud based tool designed to assess business continuity compliance and residual risk. Michael is a well-known and sought after speaker on Business Continuity issues at local and national contingency planner chapter meetings and conferences. Prior to founding MHA, he was a Regional VP for Bank of America, where he was responsible for Business Continuity across the southwest region.
Disaster Recovery Trends