Modern corporate building lobby with glass doors, discreet access control, and navy reception desk in natural daylight
workplace violence preventionthreat assessmentcorporate security

Workplace Violence Prevention: What a Real Program Looks Like Beyond the Compliance Checklist

Protection Architects ·

A federal audit of the U.S. Postal Service found that 79% of workplace violence incidents were never entered into the agency’s tracking system — despite a documented workplace violence prevention program being in place for years. That gap between paperwork and operational prevention is not unique to USPS. It is the default outcome when compliance substitutes for a real program.

The numbers back this up: 57,610 nonfatal workplace violence cases required time away from work in the 2021-22 period, 458 workplace homicides occurred in 2023, and nonfatal assaults climbed 62% per 10,000 workers over the past decade. Companies in the $50M-$2B revenue range sit in a dangerous middle — big enough to face real risk, not big enough to staff a full security department.

The seven steps that follow are the actual sequence we use to build these programs. They start where most guides skip: with operational reality, not regulatory checklists. Prevention costs 25 times less than recovery — $183,770 versus $4.7 million for a 10,000-employee organization. And 59% of affected employees leave within a year of an incident. The real cost is not the event itself. It is the organizational damage that follows.

Step 1: Start With a Hazard Assessment, Not a Policy Template

A workplace violence prevention plan written without a hazard assessment is a compliance document, not a prevention program. You cannot protect against risks you have not identified. The ASIS WVPI AA-2020 standard — the current ANSI benchmark for workplace violence and active assailant prevention — puts hazard assessment at the foundation of the program lifecycle.

Incident History Review

Pull HR records, workers’ compensation claims, security incident reports, and EAP utilization data for the past three to five years. Look for patterns, not just headline events. A single physical altercation gets attention. Three years of escalating verbal threats in the same department tells you something more important.

Environmental Scan

Walk every facility. Identify:

  • Access control gaps and uncontrolled entry points
  • Blind spots where confrontations could escalate unseen
  • Isolated work areas with limited escape routes
  • Reception vulnerabilities and visitor management weaknesses
  • After-hours exposure for late-shift or weekend employees

Industry and Location Risk Factors

Healthcare, retail, social services, and late-night operations carry elevated Type II (customer/client) risk under the OSHA/NIOSH typology. Urban locations may have higher Type I (criminal intent) exposure. Your industry and geography shape the program — a hospital emergency department and a financial services office face different threat profiles.

Workforce Risk Indicators

High turnover departments, recent layoffs, active labor disputes, and known interpersonal conflicts are dynamic risk factors. These change quarter to quarter, which means the assessment is not a one-time exercise.

Scoping for Mid-Market

  • Single-site, under 500 employees: Internal assessment led by facilities manager and HR, validated by an external consultant. Budget approximately $15,000 or more for a comprehensive assessment.
  • Multi-site: Prioritize highest-risk locations first. Physical security consultant cost benchmark: $0.25-$1.25 per square foot, or $80-$300 per hour.

The assessment report becomes the foundation document for every subsequent step. It ranks threats by likelihood and impact, identifies gaps in current controls, and establishes a baseline for measuring program effectiveness.

Tip: If your company has had any workplace violence incident, threat, or near-miss in the past five years, OSHA considers you “on notice” under the General Duty Clause. Your assessment is not optional — it is a legal obligation.

Step 2: Build a Threat Assessment Team With the People You Already Have

Mid-market companies assume threat assessment requires a dedicated security team. It does not. The multidisciplinary threat assessment team model endorsed by the FBI, DHS, and the Association of Threat Assessment Professionals draws from existing organizational roles. As the FBI’s Law Enforcement Bulletin states: “An organization does not need to be a government entity or a large company to incorporate threat assessment practices.”

Your TAT Roster From Existing Staff

RoleWhy They Are on the Team
HR business partnerEmployee behavior expertise, access to performance and conduct records
Legal counsel (in-house or outside)Employment law guidance, restraining order process, privacy and confidentiality boundaries
Facilities or operations managerPhysical security knowledge, building access controls, workspace modification capability
EAP provider or contracted mental health professionalBehavioral assessment, fitness-for-duty evaluation referrals
Law enforcement liaisonNamed contact at local PD, or a former law enforcement consultant

The Critical Addition: An External Consultant

Retain a threat assessment professional on a defined-scope retainer for high-risk cases. Your internal team handles 80% of concerns. The consultant handles the 20% where experience matters most.

  • Retainer cost range: $1,600-$20,000 per month depending on scope
  • Right model for most mid-market companies: A light retainer ($2,000-$5,000 per month) with per-case escalation pricing

When vetting consultants, look for ATAP membership, the Certified Threat Manager (CTM) designation, WAVR-21 proficiency, and ASIS WVPI AA-2020 fluency. Ask for corporate client references at comparable company size.

Making It Operational

  • Charter: Write a formal document defining team authority, confidentiality protocols, decision rights, and escalation thresholds. Without a charter, the team stalls on its first ambiguous case.
  • Coordinator: Designate one person — usually HR or the most senior operations leader — to receive all reports and convene the team.
  • Training: All TAT members complete the free DHS Behavioral Threat Assessment and Management (BTAM) introductory training. The team lead should pursue ATAP certification.
  • Case tracking: Log every concern, assessment action, and outcome. Even a structured spreadsheet works initially.
  • Cadence: Review open cases monthly at minimum. Do not wait for escalation to convene.

Corporate conference room with whiteboard framework diagrams, folders at each seat, and glass walls overlooking an office corridor A functional threat assessment team does not require a security operations center. It requires a table, a charter, and the right people in the room.

Step 3: Map the Escalation Pathway From Concern to Action

Every workplace violence prevention article lists behavioral red flags. None explain what to do next. A warning sign without an escalation pathway is a source of anxiety, not a tool for prevention. CISA’s Pathway to Violence framework identifies observable pre-attack behaviors: grievance formation, ideation, research and planning, preparation, probing, and attack. Intervention must happen in the early stages.

Six-Level Escalation Pathway

Level 1 — Early warning observed. Any employee notices a behavioral change, threatening statement, or concerning pattern. Document what was observed (behavior, date, context) and report through established channels. Do not confront the subject.

Level 2 — Report received. Supervisor or HR evaluates the report. Immediate threat: call 911. Pattern of concern: open a TAT case and notify the coordinator within 24 hours.

Level 3 — TAT case opened. The coordinator convenes relevant team members for a preliminary behavioral assessment. Determine whether a structured assessment using the WAVR-21 or similar validated instrument is warranted.

Level 4 — Intervention designed. The team develops a case management plan addressing the subject’s specific risk factors: supervisor conversation, EAP referral, leave of absence, workspace modification, or facility security measures. Assign a case manager and set a review timeline.

Level 5 — Active monitoring. The TAT monitors for behavioral change and reassesses dynamic risk factors at each review point. If risk escalates: emergency TAT session, law enforcement notification, workplace restraining order, or termination with a security protocol.

Level 6 — Case closure or escalation. Close resolved cases with documented rationale. Escalate to law enforcement referral, emergency protective order, or immediate removal when imminent risk indicators are present.

The Principles Behind This Framework

The FBI’s four principles of threat assessment drive the entire pathway: violence is a process, not just an act. Violent acts often culminate from long-term, identifiable problems. Assessment focuses on dangerousness, not prediction. Teams analyze contextual behaviors, not profiles.

One behavior worth particular attention: “leakage” — communicating intent to a third party — is one of the most consistent pre-attack indicators identified by CISA. Your reporting system must capture it.

Tip: Print the escalation pathway as a one-page reference card for every manager. If they have to look it up in a binder, they will not use it in the moment.

Step 4: Fix the Reporting Problem Before It Kills Your Program

Without reports flowing in, your threat assessment team has nothing to assess. The USPS audit found 79% of incidents went unreported. Research shows fear of retaliation is the primary barrier. Normalization of verbal aggression is second — threats become “just how they talk.”

Organizational hierarchy compounds the problem. Studies show that 57% of reporting barriers trace to deference to authority and perceived managerial indifference.

Seven Steps to Build Reporting Culture

  1. Make leadership visible. The COO or CEO personally endorses the program. Token HR rollouts signal that leadership does not take the threat seriously.

  2. Reframe reporting as professional responsibility. “Reporting a concern protects your colleague” lands better than “report suspicious behavior.”

  3. Establish multiple anonymous channels. Dedicated hotline, secure web portal, and mobile app. Employees should never have to report to the person they are concerned about.

  4. Close the loop. After a concern is resolved, communicate — without disclosing confidential details — that the report was acted on. One buried report destroys credibility for years.

  5. Enforce zero retaliation. Investigate every retaliation allegation. Take visible disciplinary action when confirmed.

  6. Train managers separately. Supervisors are the first to hear concerns and the first barrier to escalation. Give them specific training on receiving disclosures without dismissing them.

  7. Normalize near-miss reporting. Acknowledge prevention wins publicly without naming reporters. When the organization sees the system works, more people use it.

Reporting culture is infrastructure, not a poster on the breakroom wall.

Warning: If your anonymous reporting channel routes through a manager’s inbox, it is not anonymous. Route directly to HR and the TAT coordinator.

Step 5: Address the Violence Nobody Talks About: Domestic Violence Spillover

41% of mass attackers studied by the U.S. Secret Service NTAC had a documented history of at least one domestic violence incident. In April 2025, NTAC released new research reinforcing the connection between domestic violence and mass attacks. OSHA Type IV violence — personal relationship violence spilling into the workplace — is the scenario most likely to arrive at your front desk without warning.

What Employers Must Do

  1. Write a DV/personal safety policy as part of the WVPP. Explicitly cover Type IV violence and name the employer’s obligations and available resources.

  2. Train managers to recognize signs: unexplained injuries, repeated absences, distress calls at work, a partner appearing at the workplace uninvited.

  3. Create a confidential disclosure pathway. Employees must be able to report DV situations without fear of job consequences. In New York, domestic violence victim status is a protected class under the Human Rights Law.

  4. Build individualized workplace safety plans for at-risk employees:

    • Restrict building access for the abusive partner
    • Alert reception and security
    • Modify shifts or worksite if possible
    • Provide escort to vehicle
    • Update emergency contacts

  5. Coordinate proactively with law enforcement if specific threats to attend the workplace have been made. Contacting police before an incident is always preferable to calling 911 during one.

  6. Document everything as TAT case records — the same case management system used for any other threat.

Why This Is a Program Responsibility

An abuser who enters the workplace endangers everyone, not just the targeted employee. Women account for 72.5% of all nonfatal workplace violence cases. Ignoring Type IV violence means ignoring the risk factor most relevant to the majority of your affected workforce. Your workplace violence prevention program is incomplete without a Type IV response protocol.

Note: Approach DV disclosure conversations with empathy and confidentiality. The employee is sharing information that may put them at greater risk if mishandled. Route through your EAP and TAT — not through general HR channels.

This is the kind of problem we solve. Start a conversation.

Step 6: Write a Prevention Plan That Goes Beyond the Compliance Binder

Compliance is the floor, not the program. California’s SB 553, enforceable since July 2024, requires a written plan, a violent incident log, employee training, and recordkeeping. A real workplace violence prevention program adds behavioral threat assessment capability, reporting culture infrastructure, Type IV response protocol, and post-incident recovery. Use the ASIS WVPI AA-2020 standard as your benchmark.

What the Plan Document Should Include

  • Scope and applicability (all locations, all employees, contractors, visitors)
  • WVPP administrator by name and title with actual authority and budget
  • Four-type violence definitions (OSHA/NIOSH typology) with industry-relevant examples
  • Hazard assessment findings and control measures (from Step 1)
  • Reporting procedures: supervisor, HR, anonymous, and emergency channels
  • TAT charter and escalation pathway (from Steps 2-3)
  • Training requirements: initial, annual refresh, manager-specific, and TAT-specific
  • Violent incident log procedures and review cadence
  • Post-incident response protocol (Step 7)
  • Annual review and update commitment

Budget Context for the CFO

Line ItemCost Range
Online WVP training~$10/employee per year
Physical security assessment$0.25-$1.25/sq ft, or $80-$300/hr
Comprehensive risk assessmentStarting at $15,000
Threat assessment consultant retainer$1,600-$20,000/month

For a 1,000-employee company, a $50,000-$100,000 annual program investment protects against multi-million-dollar incident exposure. Over 60% of CFOs report each dollar invested in injury prevention returns two dollars or more. Lead with the 25:1 prevention-to-recovery cost ratio when presenting to leadership. Fear of fines motivates compliance; fear of organizational damage motivates real programs.

Navy-bound prevention plan document open on a desk beside a laptop showing data dashboards, with a notepad and pen in natural light The plan document is the starting point, not the finish line. What matters is whether anyone opens it after the first week.

The Regulatory Trend

California SB 553 is not an outlier. New York’s Retail Worker Safety Act took effect June 2025, with panic button requirements for large employers by January 2027. Building a real program now positions your organization ahead of the mandate curve.

Step 7: Plan for the Worst Day: Post-Incident Response That Preserves Your Organization

Most workplace violence prevention plans end at the emergency response section. What happens in the hours, days, and weeks after an incident determines whether your organization recovers or fractures.

The Post-Incident Sequence

  1. Immediate safety. Secure the premises, ensure medical attention for everyone involved, and confirm law enforcement is on scene.

  2. Evidence preservation. Secure CCTV footage, access logs, communications, and physical evidence before the scene is cleaned or altered. This step is time-sensitive and irreversible.

  3. Employee communication (within hours). Issue a clear, factual statement to all employees explaining what happened, what is being done, and what resources are available. Silence in the first 24 hours creates rumors and erosion of trust.

  4. Psychological first aid (within 24 hours). Deploy EAP counselors or trained psychological first aid staff to provide immediate support to all affected employees — direct victims and witnesses.

  5. Structured debriefing (within 72 hours). A facilitated group session using a trained professional. This is a support intervention, not a legal deposition.

  6. Incident investigation (parallel track). Document the timeline, contributing factors, and whether existing WVP controls performed as designed. Run this separately from the employee debriefing.

  7. After-action review (within 30 days). Formal review examining what the program detected, what it missed, and what must change. Update the WVPP based on findings.

  8. Long-term monitoring. Track affected employees for PTSD symptoms, absenteeism, and performance changes for months afterward.

The Hidden Cost: Witness Trauma

Psychological trauma claims from witnesses — not just direct victims — are an emerging cost driver in workers’ compensation. An average serious incident costs $36,500 before litigation. Add witness trauma claims, turnover, and reputational damage, and the real cost multiplies well beyond that figure.

Warning: Do not combine the structured employee debriefing with the incident investigation. Mixing support with fact-finding compromises both. Run them as parallel tracks with different facilitators.

Ready to turn ad hoc security into a real program? Let’s talk about where you are.

Frequently Asked Questions

Does my company need a workplace violence prevention program if we are not in healthcare or California?

Yes. OSHA’s General Duty Clause requires all employers to provide a workplace free from recognized hazards. If you have experienced any incident, threat, or near-miss, you are legally on notice. Multiple states are passing sector-specific mandates, and the trend is toward universal requirements.

What is the difference between SB 553 compliance and a real workplace violence prevention program?

SB 553 requires a written plan, incident log, training, and recordkeeping — a documentation floor. A real program adds behavioral threat assessment, a multidisciplinary team, anonymous reporting infrastructure, and cross-functional integration. Compliance satisfies regulators; a real program creates intervention capability before violence occurs.

What is the minimum team needed for workplace threat assessment at a mid-market company?

An HR business partner, legal counsel, a facilities or operations manager, EAP access, and a law enforcement liaison — all drawn from existing roles. Add an external threat assessment consultant on retainer for high-risk cases.

How much does a workplace violence prevention program cost?

Online training runs approximately $10 per employee. Physical security assessments cost $0.25-$1.25 per square foot. Consultant retainers range from $1,600-$20,000 per month. A mid-market company investing $50,000-$100,000 annually protects against multi-million-dollar incident exposure.

Is workplace violence a real risk for office-based companies?

Yes. The Secret Service found that most mass attackers had a prior relationship with the target location — including current and former employees. Worker-on-worker violence and grievance-motivated attacks are not limited to manufacturing or healthcare. The average cost per serious incident is $36,500 before litigation.