A free digital tool for councils and public sector organisations to complete a structured risk assessment, based on the official ProtectUK / NaCTSO 5-stage risk management process. Supports Martyn's Law compliance.
Before undertaking a risk assessment, establish your context, governance structure, risk appetite and the scope of this assessment. This follows the ProtectUK guidance on Setting the Scene.
This tool is based on the official ProtectUK Risk Management Guidance published by NaCTSO. Your answers are stored only in your browser and are permanently destroyed when you close this tab. Nothing is sent to any server unless you choose to email your results to Fyrfly.
Privacy notice: All data you enter is held only in your browser's session memory. It is never transmitted to any server. When you close this tab or browser window, all data is permanently and irreversibly destroyed. If you wish to keep a record, download the PDF before closing.
Using an event-based approach (as recommended by ProtectUK for first-time assessors), identify up to 5 risk scenarios. For each risk, describe the threat, the vulnerability that could be exploited, and the potential consequences.
Risk = Threat × Vulnerability × Impact. A risk only occurs when a threat source is present to exploit a vulnerability. For each scenario, consider: Who might attack? What weakness could they exploit? What would happen? The ProtectUK approach uses event-based scenarios — think at a strategic level first.
For each risk, assess likelihood and impact using the ProtectUK 4-level qualitative scales. Impact is assessed across 7 categories — your highest score determines the overall impact rating. The 4×4 risk matrix will calculate your inherent risk score.
Rate likelihood and impact with your existing controls in place — this is your inherent risk. The ProtectUK 4×4 matrix reflects a minimalist risk appetite: only 3 cells are classified as Low. Very High and High risks are unacceptable and require treatment. Medium risks should be treated where practicable.
For each risk, select a treatment option (Avoid / Share / Modify / Retain), describe the controls and further actions you will implement, then calculate the residual risk — the risk that remains after treatment.
Modify is the most common treatment for risk — implementing physical and active controls to reduce likelihood or impact. Retain may be selected where risk cannot be further reduced, but retained risks must still be monitored. Assign a Risk Owner and Review Date to each risk.
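The assessment steps above (identify up to 5 scenarios, rate likelihood and impact on the 4-level scales, take the highest of the 7 impact categories, look the pair up in the 4×4 matrix, then choose a treatment and rate the residual risk) can be modelled in a few lines. The following Python is an added illustration, not code from the ProtectUK guidance or from the Fyrfly tool. The matrix layout is an assumption: the page states only that the grid is 4×4, that exactly 3 cells are Low, and that High and Very High are unacceptable, so the cell-by-cell assignment here is constructed to satisfy those constraints and must not be read as the official matrix. Impact category names are left to the caller; the code only enforces that all 7 are scored.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional
from enum import IntEnum


class Level(IntEnum):
    """4-level qualitative scale used for both likelihood and impact."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    VERY_HIGH = 4


# ASSUMED layout (not reproduced on the page): rows are likelihood, columns are
# impact Low..Very High. It satisfies the stated constraints only: 4x4 grid,
# exactly three Low cells, bands Low / Medium / High / Very High.
RISK_MATRIX = {
    Level.LOW:       ("Low",    "Low",       "Medium",    "High"),
    Level.MEDIUM:    ("Low",    "Medium",    "High",      "Very High"),
    Level.HIGH:      ("Medium", "High",      "Very High", "Very High"),
    Level.VERY_HIGH: ("High",   "Very High", "Very High", "Very High"),
}
UNACCEPTABLE = {"High", "Very High"}      # must be treated
TREATMENT_OPTIONS = {"Avoid", "Share", "Modify", "Retain"}
MAX_RISKS = 5                             # event-based approach: up to 5 scenarios


def overall_impact(category_scores: Dict[str, Level]) -> Level:
    """Highest of the 7 category scores sets the overall impact rating."""
    if len(category_scores) != 7:
        raise ValueError("all 7 impact categories must be scored")
    return max(category_scores.values())


def risk_band(likelihood: Level, impact: Level) -> str:
    """Look the (likelihood, impact) pair up in the 4x4 matrix."""
    return RISK_MATRIX[likelihood][int(impact) - 1]


@dataclass
class Risk:
    scenario: str
    threat: str                  # who might attack
    vulnerability: str           # what weakness they could exploit
    consequence: str             # what would happen
    likelihood: Level
    impact_scores: Dict[str, Level]
    treatment: Optional[str] = None
    controls: str = ""
    residual_likelihood: Optional[Level] = None
    residual_impact: Optional[Level] = None
    owner: Optional[str] = None
    review_date: Optional[date] = None


def evaluate(risk: Risk) -> dict:
    """Inherent band, residual band and the follow-up actions the page calls for."""
    inherent = risk_band(risk.likelihood, overall_impact(risk.impact_scores))
    issues: List[str] = []
    residual = None
    if risk.treatment not in TREATMENT_OPTIONS:
        issues.append("treatment option (Avoid/Share/Modify/Retain) not selected")
    elif risk.treatment == "Retain":
        residual = inherent      # nothing reduced; retained risk is still monitored
    elif risk.residual_likelihood is None or risk.residual_impact is None:
        issues.append("residual likelihood and impact not rated")
    else:
        residual = risk_band(risk.residual_likelihood, risk.residual_impact)
    if inherent in UNACCEPTABLE and risk.treatment in (None, "Retain"):
        issues.append("High/Very High inherent risk is unacceptable and requires treatment")
    if residual in UNACCEPTABLE:
        issues.append("residual risk still High/Very High; further treatment needed")
    if not risk.owner or risk.review_date is None:
        issues.append("assign a Risk Owner and Review Date")
    return {
        "scenario": risk.scenario,
        "inherent": inherent,
        "residual": residual,
        "treat_where_practicable": inherent == "Medium",
        "monitor_continuously": risk.treatment == "Retain",
        "issues": issues,
    }


def assess(risks: List[Risk]) -> List[dict]:
    """Run the full register, enforcing the 5-scenario limit."""
    if len(risks) > MAX_RISKS:
        raise ValueError(f"event-based approach covers at most {MAX_RISKS} scenarios")
    return [evaluate(r) for r in risks]
```

A Medium likelihood scenario whose worst impact category is High lands in the High band under the assumed matrix, so `evaluate` will refuse to let it sit untreated and will keep flagging it until the residual rating drops out of the unacceptable bands; a Retained risk carries its inherent band forward as its residual and is marked for continuous monitoring.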
This is a living document. Your risk assessment should be reviewed whenever the threat level changes, following a security incident, after significant organisational change, or at the scheduled review dates above. Any retained risks should be monitored continuously.
This tool is based on the ProtectUK Risk Management Guidance published by the National Counter Terrorism Security Office (NaCTSO), Home Office and Counter Terrorism Policing. The 5-stage process, 4×4 risk matrix, likelihood and impact scales, and risk band definitions are taken directly from the official guidance and have not been modified. Source: protectuk.police.uk. Fyrfly Systems is not affiliated with NaCTSO, the Home Office or ProtectUK. This tool does not constitute professional security advice.