
What is a TVRA?

A TVRA is a threat, vulnerability and risk assessment: a structured method that models the relationship between assets, threats, vulnerabilities, and consequences to score security risk and prioritize countermeasures. A plain-English guide to the model, the scoring, the steps, how a TVRA compares to other assessments, and what a TVRA report contains.

The short version

A TVRA, in one paragraph

A TVRA, short for threat, vulnerability and risk assessment, is a structured method that models the relationship between four things: the assets you are protecting, the threats that could harm them, the vulnerabilities a threat could exploit, and the consequence if it did. From that model it produces a risk score for each scenario, ranks the results, and drives a prioritized set of countermeasures. A TVRA is the analytical core inside a physical security assessment, and it is a security-specific instance of the broader risk-assessment discipline described by ISO 31000 and NIST SP 800-30.

Last reviewed . Part of the RiskWatch physical security knowledge base.

The asset-threat-vulnerability-consequence model

Every TVRA rests on four components. On their own, each is just a list. The power of a TVRA is that it connects them: it asks which threats could act against which assets, which vulnerabilities those threats could exploit, and what the consequence would be, then scores the whole chain as risk. Miss any one component and the score is meaningless: a vulnerability with no threat behind it is academic, and a threat against an asset with no vulnerability has nowhere to land.

Asset
What you are protecting and how much it matters. People come first, then critical operations, then high-value or sensitive property. Each asset is ranked by criticality so the assessment stays proportionate to what is at stake.
Threat
Who or what could cause harm, and how capable and motivated they are. Threats range from intrusion, theft, vandalism, and workplace violence to insider misuse and vehicle attack. A threat only matters where it can act against a specific asset.
Vulnerability
The gap that would let a threat succeed: a weak perimeter, an unmonitored camera, a door that does not lock, a badge that still works after someone leaves, a response plan no one has rehearsed. Vulnerabilities are concrete and observable.
Consequence
How bad the outcome would be if the threat exploited the vulnerability. Harm to people weighs heaviest, then operational disruption, then financial and reputational loss. Consequence is what scales a likely-but-trivial risk down and an unlikely-but-catastrophic one up.

How a TVRA scores risk

A TVRA turns the four components into a single, comparable number. Conceptually, risk rises with the likelihood that a threat exploits a vulnerability and with the consequence if it does. Many practitioners write this as risk being a function of threat, vulnerability, and consequence: often the product T × V × C with each factor rated on a small ordinal scale (1 to 5 is common), or a likelihood-by-consequence matrix in which the likelihood rating combines the threat and vulnerability ratings. The arithmetic matters less than two disciplines: defining each scale clearly, and applying the same scale to every asset and every site. Ordinal ratings are labels, not measurements, so multiplying them ranks scenarios against each other; it does not measure expected loss.

Consistency is what lets a TVRA do its real job, which is triage. A ranked list tells leadership which risks demand action now, which can be scheduled, and which can be accepted and monitored. It also lets very different sites be compared on one yardstick and rolled up into a portfolio view. A falsely precise number that no one can defend is worse than a well-reasoned qualitative rating that everyone understands.

How to conduct a TVRA, step by step

A TVRA runs through six steps. The first four build the model, the fifth scores it, and the sixth turns the score into action. For the full operational workflow that wraps a TVRA, including the site walk and the report, see the guide on how to conduct a physical security assessment.

  1. Identify and value the assets

     List what you are protecting at the site and rank each asset by criticality. People, critical operations, and sensitive or high-value property head the list. The ranking sets the weight every later step inherits.

  2. Characterize the threats

     For each asset, identify the credible threats and judge each one's capability and intent. Use local context, sector incident history, and the site's own event log, without asserting specific rates you cannot source.

  3. Assess the vulnerabilities

     For each asset-threat pair, find the gaps that would let the threat succeed, organized by security domain: perimeter, access control, surveillance, lighting, barriers, intrusion detection, personnel, and policies.

  4. Determine the consequence

     Estimate the impact if the threat exploited the vulnerability, weighing harm to people first, then operational, financial, and reputational loss. Keep the scale consistent so results compare across assets and sites.

  5. Score the risk

     Combine threat likelihood, vulnerability, and consequence into a single risk score for each scenario, commonly on a matrix, then rank them. The score is a triage tool: it says what to fix now, what to schedule, and what to monitor.

  6. Recommend countermeasures and treat

     For each priority risk, recommend countermeasures that deter, detect, delay, respond to, or recover from the threat, then track them to closure and re-score to confirm the risk actually fell. Then set the date for the next TVRA.
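The six steps above, and the scoring described under "How a TVRA scores risk", carried through as a small TVRA register in Python. This is an added example, not code from this page or from RiskWatch. The 1-to-5 scales, the likelihood-by-consequence matrix, the triage thresholds, and the four sample scenarios are all constructed assumptions for illustration; a real program would define its own scales and document them in the methodology section of the report.

```python
"""Minimal TVRA register: model asset-threat-vulnerability-consequence
scenarios, score them on one consistent scale, rank them, treat one, and
re-score. Constructed example; scales, matrix and bands are assumptions."""

from dataclasses import dataclass, replace

# Every rating uses the same 1..5 ordinal scale. Applying one scale to every
# asset and site is what makes the scores comparable across a portfolio.
SCALE_MIN, SCALE_MAX = 1, 5

# Likelihood (rows) by consequence (columns) matrix, constructed for this
# example. It is deliberately not a plain product: a catastrophic consequence
# (column 5) scores 8 even at the lowest likelihood, so an unlikely-but-
# catastrophic scenario never drops into the "accept" band.
RISK_MATRIX = [
    # C=1  C=2  C=3  C=4  C=5
    [1,    2,   3,   5,   8],   # L=1
    [2,    4,   6,   9,  12],   # L=2
    [3,    6,   9,  13,  16],   # L=3
    [5,    9,  13,  17,  20],   # L=4
    [8,   12,  16,  20,  25],   # L=5
]


def band(score: int) -> str:
    """Triage band for a matrix score (thresholds are assumed, not universal)."""
    if score >= 15:
        return "act now"
    if score >= 8:
        return "schedule"
    return "accept and monitor"


@dataclass(frozen=True)
class Scenario:
    asset: str
    criticality: int            # step 1: asset value, 1..5
    threat: str
    threat_rating: int          # step 2: capability and intent, 1..5
    vulnerability: str
    vulnerability_rating: int   # step 3: how easily the gap is exploited, 1..5
    consequence: int            # step 4: impact if exploited, 1..5
    domain: str                 # security domain the vulnerability sits in

    def __post_init__(self):
        # Reject any rating that is off the shared scale; a register with
        # mixed scales cannot be ranked or rolled up.
        for name in ("criticality", "threat_rating",
                     "vulnerability_rating", "consequence"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name}={value} is off the "
                                 f"{SCALE_MIN}..{SCALE_MAX} scale")


def likelihood(scenario: Scenario) -> int:
    """Fold threat and vulnerability into one 1..5 likelihood rating.

    The two are multiplied, not averaged: a capable threat with nothing to
    exploit, or a wide-open gap nobody is motivated to use, both stay low.
    """
    product = scenario.threat_rating * scenario.vulnerability_rating  # 1..25
    return (product + 4) // 5                                          # 1..5


def risk_score(scenario: Scenario) -> int:
    """Step 5: look the scenario up on the likelihood-by-consequence matrix."""
    return RISK_MATRIX[likelihood(scenario) - 1][scenario.consequence - 1]


def rank(register: list) -> list:
    """Rank highest risk first; asset criticality breaks ties."""
    rows = [(risk_score(s), band(risk_score(s)), s) for s in register]
    return sorted(rows, key=lambda r: (r[0], r[2].criticality), reverse=True)


def treat(scenario: Scenario, *, vulnerability_rating=None, consequence=None):
    """Step 6: a countermeasure lowers the rating it actually changes.

    Deter/detect/delay controls lower the vulnerability rating; respond and
    recover controls lower the consequence. Re-scoring the treated scenario
    gives the residual risk the report should state.
    """
    changes = {}
    if vulnerability_rating is not None:
        changes["vulnerability_rating"] = vulnerability_rating
    if consequence is not None:
        changes["consequence"] = consequence
    return replace(scenario, **changes)


# Constructed register for one site (sample data, not from the page).
REGISTER = [
    Scenario("Control room staff", 5, "Workplace violence by a former employee",
             3, "Badges stay active after termination", 4, 5, "access control"),
    Scenario("Backup generator", 4, "Vandalism",
             3, "Unlit rear yard with no camera coverage", 4, 3, "lighting"),
    Scenario("Visitor lobby", 2, "Vehicle attack",
             1, "No standoff barriers at the drop-off lane", 5, 5, "barriers"),
    Scenario("Archived paper records", 1, "Theft",
             2, "Storeroom door does not latch", 3, 1, "access control"),
]


def residual_after_badge_deprovisioning() -> tuple:
    """Re-score the top scenario after same-day badge revocation (V 4 -> 1)."""
    before = REGISTER[0]
    after = treat(before, vulnerability_rating=1)
    return risk_score(before), risk_score(after)


if __name__ == "__main__":
    for score, tier, s in rank(REGISTER):
        print(f"{score:2d} {tier:18s} {s.asset} / {s.threat} / {s.vulnerability}")
    print("residual after treatment:", residual_after_badge_deprovisioning())
```

Two things the output makes visible that the prose only states. The lobby vehicle-attack scenario has the lowest likelihood rating in the register yet lands in the "schedule" band, because the matrix lets consequence scale an unlikely-but-catastrophic case up. And the badge-deprovisioning treatment drops the top risk from 16 to 8 without reaching "accept": the vulnerability is closed, but the consequence of violence against staff is unchanged, so residual risk stays on the register to be monitored rather than silently disappearing.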

Put a TVRA into practice

The free physical security checklist bundles a TVRA register and walks the assets, threats, vulnerabilities, and scoring on this page, so you can run a first assessment by hand.

TVRA vs. other assessments

The terms in this space overlap, and they are often used loosely. The distinctions below are what separate a TVRA from the assessments it is most often confused with.

TVRA vs. a physical security assessment
A TVRA is the analytical core: the asset-threat-vulnerability-consequence model that produces a risk score. A physical security assessment wraps that core in the full operational workflow (the site walk, the report, the countermeasures, and the remediation) and applies it to a facility. Most physical security assessments contain a TVRA.
TVRA vs. a vulnerability assessment
A vulnerability assessment catalogues weaknesses. It stops at finding gaps. A TVRA goes further: it pairs each vulnerability with the threats that could exploit it and the consequences if they did, then scores the combination as risk. A vulnerability assessment is one input to a TVRA, not a substitute for it.
TVRA vs. a threat assessment
A threat assessment focuses on adversaries: who they are, what they can do, and what they intend. It does not weigh your own weaknesses or what an attack would cost you. A TVRA folds the threat picture into the wider model so the output is risk to a specific asset, not a threat in the abstract.
TVRA vs. a risk assessment (general)
A general risk assessment, aligned to ISO 31000 or NIST SP 800-30, follows the same logic across any risk domain. A TVRA is that logic applied to physical and security threats against assets and facilities, with threat and vulnerability characterized explicitly. It is a security-specific instance of the broader discipline.

Where the built environment is the source of a vulnerability, a TVRA pairs well with a CPTED (crime prevention through environmental design) overlay, which designs risk out of a space rather than bolting controls on top.

What a TVRA report contains

The deliverable of a TVRA is a report that a decision-maker can act on and an auditor can follow. A strong report leads with the headline risks and recommendations, then documents the analysis behind them. The sections below are the backbone of most TVRA reports.

Executive summary
The headline risks and the recommended actions, written for a decision-maker who will not read the appendix. Lead with what matters and what it will take to fix it.
Scope and methodology
What the TVRA covered, what it did not, and the scoring method used. This is what makes the conclusions repeatable and defensible to leadership, insurers, and regulators.
Asset inventory
The protected assets, ranked by criticality, so a reader can see what the analysis was weighted around.
Threat and vulnerability analysis
The credible threats, the vulnerabilities they could exploit, and the pairing between them, organized by asset and by security domain.
Risk scoring and ranking
Each scenario scored on a consistent scale and ranked, usually with a matrix, so priorities are visible at a glance.
Findings and recommendations
Prioritized countermeasures tied to the risks they reduce, with owners and timelines, plus the residual risk expected after treatment.

From one TVRA to a program at scale

A single TVRA describes one site at one moment. The harder problem is running the same method consistently across many sites, keeping the scoring comparable, tracking remediation to closure, and refreshing the assessment as threats and controls change. Done on spreadsheets, that work fragments fast: every site ends up with its own scale, and rolling results into a portfolio view becomes guesswork.

This is where a TVRA goes from a document to a program. The RiskWatch physical security assessment platform standardizes the asset-threat-vulnerability-consequence model, scores every scenario on one scale, tracks countermeasures to closure, and rolls results up across every location in a single view. For regulated utilities, the same engine drives the free CIP-014 risk assessment toolkit, whose threat and vulnerability evaluation is a TVRA in all but name.
