A written workplace violence prevention program satisfies regulators. It does almost nothing to stop an attack. The gap between the two is behavioral threat assessment: the discipline of noticing, reporting, and acting on the concerning behaviors that precede nearly every act of targeted workplace violence, months before the policy binder is ever opened.
What Is a Workplace Violence Prevention Program, and Why Isn’t Compliance Enough?
A workplace violence prevention program is a written plan, required by law in California and recommended everywhere else, that defines how an employer identifies, reports, investigates, and responds to violence risk. Under California’s SB 553, every covered employer must maintain one, complete with a violent incident log, hazard evaluation procedures, and documented training. California’s Occupational Safety and Health Standards Board is required to formally adopt its general industry standard no later than December 31, 2026, with enforcement expected to follow closely behind, according to the California Department of Industrial Relations.
That deadline is why most companies currently building a program are focused on the document. Names and titles of responsible parties. Reporting procedures. A training log. All of it defensible in an audit, none of it aimed at the actual mechanism of violence.
The federal data on where violence in the workplace originates is unambiguous about the mismatch. Over the 2023–2024 period, private industry recorded 78,340 nonfatal violent-act cases resulting in days away from work, restriction, or job transfer, an annualized rate of 3.7 per 10,000 full-time workers with a median of 11 days lost per incident, according to the Bureau of Labor Statistics. Those numbers describe outcomes. A compliance plan describes paperwork. Neither one, on its own, describes the person of concern six weeks before the incident, which is where prevention actually happens.
What Warning Signs Does Behavioral Threat Assessment Actually Catch?
Behavioral threat assessment catches the pattern of observable behavior that precedes violence: not a single red flag, but a cluster of them building over time. The FBI’s Behavioral Analysis Unit, studying active shooter incidents between 2000 and 2013, found that attackers displayed an average of four to five concerning behaviors observable to others before they acted, most frequently tied to deteriorating mental health, breakdowns in interpersonal relationships, and “leakage” (the intentional or unintentional disclosure of violent intent).
None of those signals show up on an OSHA log. A previously engaged employee who abruptly withdraws from colleagues. A grievance that calcifies into fixation rather than fading. A divorce or custody dispute that HR already knows about but never flags to security. Individually, each looks like an HR matter, a performance issue, or none of the company’s business. Assessed together by a team trained to connect them, they form a recognizable pathway. The FBI’s follow-on report on threat management found that people of concern are roughly 16 times more likely to escalate toward violence when they display these behaviors to bystanders who never intervene, according to the FBI Behavioral Analysis Unit’s findings as reported by ASIS International’s Security Management magazine. The absence of intervention, not the absence of warning, is usually the failure point.
Why Do HR and Security Operate in Separate Silos, and What Does That Cost?
HR and security operate in separate silos because their systems were never built to talk to each other, and that separation is precisely what lets warning signs go unconnected. HR holds the personnel history: the disciplinary record, the leave-of-absence pattern, the exit interview nobody escalated. Security holds the incident data: the access anomaly, the parking lot altercation, the visitor who won’t leave. A functioning threat assessment program needs both data sets in the same room, evaluated by the same team, on a recurring cadence, not reconstructed after the fact during an incident review.
In the assessments we run for mid-market clients rebuilding their workplace violence program from scratch, the finding that surprises HR leaders most isn’t a missing policy. It’s that three or four people across the organization each held one piece of a pattern that, assembled, would have qualified for intervention months earlier. No process existed to assemble it.
This is also where a compliance-driven build tends to stall. A workplace violence prevention program gets written to satisfy the statute, then filed. What’s actually needed is a standing, cross-functional team with defined intake, evaluation, and escalation authority, the kind of structure ASIS International’s forthcoming Workplace Violence Prevention and Intervention Standard, open for public comment through July 2026, is attempting to formalize industry-wide.
What Does the SB 553 Deadline Mean for Employers Outside California?
The SB 553 deadline is a California-specific mandate, but it functions as a national preview: it is the clearest signal yet that regulators expect behavioral threat management, not just a policy document, to sit underneath workplace violence compliance. California Labor Code section 6401.9 took effect July 1, 2024, and the Occupational Safety and Health Standards Board must adopt a corresponding general industry standard by the end of this year.
No other state currently mandates a program with this level of specificity. That will not last. Multi-site employers with any California footprint are already building their programs to the SB 553 standard rather than maintaining two versions, and a handful of other states have workplace violence legislation moving through committee. Waiting for a home-state mandate to force the issue is a bet against the direction every serious regulatory and insurance body is currently heading.
Who Should Own Your Workplace Violence Prevention Program?
Ownership belongs with a named, credentialed individual who has both the security judgment to assess threat severity and the standing to pull HR, legal, and facilities into a room on short notice — not a shared responsibility scattered across departments that each assume someone else is watching. Most mid-sized organizations don’t have a full-time chief security officer role to give that person, and building one for this purpose alone rarely pencils out.
A fractional chief security officer engagement solves that gap directly: an experienced security executive who builds the threat assessment structure, trains the intake team, and stays accountable for the program’s effectiveness, not just its paperwork, without the cost of a full-time hire. Pairing that leadership with structured workplace threat and vulnerability assessment work and formal workplace violence prevention plan development and training turns a compliance document into an operating program. For the behavioral indicators HR teams are best positioned to catch first, see our related analysis on behavioral early-warning indicators in workplace violence prevention.
Executive Takeaway
In the next 30 days, name one accountable individual for your workplace violence prevention program and give that person explicit authority to convene HR, security, and legal on short notice. Audit whether your current program exists only as a document or functions as a standing behavioral threat assessment process — most fall into the first category. If you cannot say who reviewed a concerning-behavior report in the last 90 days, you don’t have a program. You have a policy.
Frequently Asked Questions
What should be included in a workplace violence prevention program? An effective program includes a written policy, a named responsible party, reporting and investigation procedures, a violent incident log, and recurring training. Beyond the required elements, it needs a standing cross-functional team empowered to evaluate reported concerns and intervene before behavior escalates — the piece most compliance-only plans omit entirely.
Is a workplace violence prevention plan legally required? Yes, in California, where SB 553 requires nearly all employers to maintain a written plan as of July 1, 2024. No federal mandate currently exists, though OSHA’s general duty clause obligates every U.S. employer to maintain a workplace free of recognized hazards, which increasingly includes violence risk.
What’s the difference between a workplace violence policy and a behavioral threat assessment program? A policy is a document describing procedures and responsibilities. A behavioral threat assessment program is the operational practice of identifying, evaluating, and intervening on specific individuals showing concerning behavior. Employers frequently have the first without the second, which limits the policy’s practical effect.
Who should be responsible for workplace violence prevention at a company? A named, credentialed security leader with cross-departmental authority should own the program, supported by a threat assessment team spanning HR, legal, and facilities. Diffusing ownership across departments without a single accountable leader is one of the most common reasons programs fail during an actual incident.
How do you identify warning signs of workplace violence before an incident occurs? Warning signs cluster rather than appear in isolation: withdrawal from colleagues, fixation on a grievance, deteriorating mental health, and leakage of violent intent. FBI research found active shooters displayed an average of four to five such behaviors beforehand, which is why cross-functional reporting matters more than any single indicator.
Does workplace violence prevention training actually reduce risk? Training reduces risk when it teaches employees to recognize and report specific behavioral patterns, not just policy awareness. Programs that stop at “know your emergency exits” leave the behavioral detection gap wide open; programs that train managers and HR to recognize and escalate concerning behavior close it.
Building or auditing a workplace violence prevention program that goes beyond the compliance document requires the kind of judgment a checklist can’t provide. Read Outsourced. Exposed. Out of Time. for a fuller look at where security programs are structurally exposed, and what closing that gap requires.
Sources
- Bureau of Labor Statistics — Employer-Reported Workplace Injuries and Illnesses, 2023–2024 (USDL-26-0101)
- California Department of Industrial Relations / Cal/OSHA — Workplace Violence Prevention for General Industry
- California SB 553 (Cortese) — Bill Text, Labor Code Section 6401.9
- FBI — A Study of the Pre-Attack Behaviors of Active Shooters in the United States Between 2000 and 2013
- FBI Behavioral Analysis Unit — Making Prevention a Reality: Identifying, Assessing, and Managing the Threat of Targeted Attacks
- ASIS International / Security Management — Pathway to Violence or Pathway to Hope? Behavioral Threat Assessment and Intervention Are Key
- ASIS International — Draft for Review: Workplace Violence Prevention and Intervention Standard
- U.S. Department of Justice, Bureau of Justice Statistics — Indicators of Workplace Violence, 2019
Sign up!
For industry-leading guides and analysis sign up for our blog below.