A workplace threat assessment team (TAT) is a small, cross-functional group inside an organization - typically built from Human Resources, Legal or Employee Relations, Security, and one senior operations leader - chartered to identify individuals whose behavior raises concern about potential violence, evaluate the level of risk, and coordinate a response that protects employees while respecting due process. The team is not a disciplinary body and is not a substitute for law enforcement. It is the mechanism that lets an employer move from “we got an alarming complaint” to a documented, defensible plan of action before the situation escalates. After three decades of protective-services work at MPS Security & Protection, we have seen this single capability - a trained, standing TAT - separate organizations that manage risk effectively from those that learn the hard way.

Why a threat assessment team is different from an HR investigation

HR investigations exist to determine whether a policy was violated and what discipline applies. A threat assessment team exists to ask a different question: is this person on a path toward violence, and if so, how do we move them off that path safely? The two work in parallel. A misconduct investigation may conclude that termination is warranted; a threat assessment process determines how to execute that termination without precipitating the very outcome you are trying to prevent.

The U.S. Secret Service’s National Threat Assessment Center, which has analyzed more than 30 years of targeted-violence cases, found that attackers almost never “just snap” - most engage in observable, concerning behavior in the weeks and months before an attack, and many leak their intent to people around them (U.S. Secret Service NTAC, 2024). That window of observable concerning behavior is precisely what a threat assessment team is designed to act on.

Who should be on the team

A defensible TAT is small enough to move quickly and broad enough to see the situation from every angle a court or regulator will later ask about. A typical composition:

•           Human Resources - owns employee history, policies, and the disciplinary record; usually the case lead.

•           Legal or Employee Relations - provides privilege, documentation standards, and a defensible record.

•           Security / Corporate Investigations - assesses behavioral indicators, prior incidents, and physical-security implications.

•           One Senior Operations Leader - has authority to authorize protective measures (access changes, schedule changes, temporary relocations).

•           External advisors on retainer - a licensed behavioral threat assessment professional, outside counsel, and a protective-services firm such as MPS. The team calls them in when the case demands it.

Mental-health clinicians are sometimes added but are usually engaged as external consultants rather than standing members, to keep clinical opinions separate from employment decisions.

The case for executive sponsorship

A TAT cannot function without authority. The most common failure mode we see is a well-meaning HR-only group that lacks budget, lacks the standing to direct facility changes, and lacks an executive sponsor. That brings us to the case for board-level attention to executive safety: when targeted violence becomes a board-reportable risk - and the SEC and most major D&O carriers now treat it that way - the threat assessment program belongs in the same governance conversation as cybersecurity and crisis management, sponsored at the C-suite level with documented escalation paths.

What the team actually does, step by step

A workable program follows a documented case lifecycle. At MPS, we recommend organizations adopt a five-stage workflow:

1.         Intake. A reporting channel - phone line, web form, or named ombudsman - captures the concern. The intake is screened within hours, not days.

2.         Initial assessment. The team meets within 24 to 48 hours to triage. Most cases are resolved at this stage as low-concern (interpersonal conflict, isolated comment, performance issue).

3.         Behavioral evaluation. Cases that show pathway-to-violence indicators are evaluated by a trained behavioral specialist using a structured tool such as the WAVR-21 or the FBI’s MOSAIC framework.

4.         Risk management. Based on the evaluation, the team selects from a menu of interventions - separation, schedule and access changes, mandatory referral to an EAP, removal of a firearm at work, protective surveillance during a transition, or in the highest cases, coordination with law enforcement.

5.         Monitoring and closure. Cases are not closed when an action is taken; they are monitored for 30 to 180 days afterward and formally closed only when the team agrees the elevated risk has resolved. This monitoring discipline is the foundational risk-mitigation philosophy our firm operates from, applied to an internal personnel context rather than an external protective detail.

Common warning signs and pathway indicators

The behaviors that warrant escalation to the TAT are well documented. They include direct or veiled threats, fixation or obsession with a particular grievance or person, escalating volatility after a personal or professional loss, expressed identification with prior attackers, attempts to acquire or display weapons inappropriate to the role, and inappropriate surveillance of coworkers or facilities. The Cybersecurity and Infrastructure Security Agency (CISA) maintains a federal pathway-to-violence reference that aligns with these indicators and is widely used by corporate programs (CISA, 2024).

A single indicator is not a verdict. A cluster of indicators, particularly when the subject is also experiencing acute personal stressors, is the pattern that should pull a case from initial assessment into formal evaluation.

High-risk termination protocols

The highest-risk moment in a workplace-violence case is often the moment of separation. The TAT’s job is to design that termination with the same care a security advance is designed for a public appearance: time of day, location, who is present, what protective measures are visible, what monitoring happens for the 30 days afterward. Done well, the moment passes without incident. Done poorly - surprise termination at the start of a shift, with no advance, no access controls, and no behavioral evaluation - it is the single highest-risk decision an employer can make.

Frequently asked questions

What is a workplace threat assessment team?

A workplace threat assessment team is a standing, cross-functional group inside an employer - typically HR, Legal, Security, and a senior operations leader - chartered to receive reports of concerning behavior, evaluate whether a person is on a pathway toward violence, and coordinate a managed response that protects employees while respecting due process.

How is a threat assessment team different from HR?

HR investigates whether policies were violated and what discipline applies. A threat assessment team evaluates whether a person poses a risk of targeted violence and designs the protective response. The two run in parallel on the same case - an investigation can lead to discipline, while a parallel assessment shapes how that discipline is delivered safely.

What size organization should have a threat assessment team?

Any employer with more than roughly 100 employees should have at least a small standing team, and any organization with multiple sites, contractors, or public-facing operations should have a formal TAT with documented procedures. Smaller organizations should at minimum have a designated case lead and a relationship with an outside threat assessment professional.

Who runs the meetings?

Typically the HR member runs the meeting as case lead, with Legal documenting and Security advising on behavioral and physical-security indicators. The senior operations sponsor attends when a case requires resource decisions or facility changes.

How does MPS Security & Protection support corporate threat assessment programs?

MPS provides on-retainer behavioral threat assessment consultation, high-risk termination protective details, protective surveillance during transition windows, and post-termination monitoring. We work alongside in-house HR, Legal, and Security teams as the external protective-services capability the program calls when a case escalates.

Is this a substitute for calling law enforcement?

No. Threat assessment teams work alongside law enforcement and, in serious cases, refer directly to them. The TAT is the corporate mechanism that decides when a case crosses the threshold to law enforcement notification and ensures the company’s documented record supports that decision.

Build the program before you need it

The organizations that handle a high-risk situation well are the ones that built the team, ran the tabletops, and designated the resources before the first case landed. Contact MPS Security & Protection to discuss how an external advisor can help your HR, Legal, and Security leaders stand up - or upgrade - a defensible workplace threat assessment program.

About the Author

Michael D. Julian is the founder of MPS Security & Protection and brings 30+ years of executive protection, corporate security, and protective-services leadership to the field. He served as President of the California Association of Licensed Investigators (CALI) from 2005 to 2015 and has built protection programs for Fortune 500 leaders, family offices, and public-company executives across the United States and abroad. Connect with Michael on LinkedIn.