The Missing Link in Every Workplace Violence Prevention Program

A written workplace violence prevention program satisfies regulators. It does almost nothing to stop an attack. The gap between the two is behavioral threat assessment: the discipline of noticing, reporting, and acting on the concerning behaviors that precede nearly every act of targeted workplace violence, months before the policy binder is ever opened.

What Is a Workplace Violence Prevention Program, and Why Isn’t Compliance Enough?

A workplace violence prevention program is a written plan, required by law in California and recommended everywhere else, that defines how an employer identifies, reports, investigates, and responds to violence risk. Under California’s SB 553, every covered employer must maintain one, complete with a violent incident log, hazard evaluation procedures, and documented training. California’s Occupational Safety and Health Standards Board is required to formally adopt its general industry standard no later than December 31, 2026, with enforcement expected to follow closely behind, according to the California Department of Industrial Relations.

That deadline is why most companies currently building a program are focused on the document. Names and titles of responsible parties. Reporting procedures. A training log. All of it defensible in an audit, none of it aimed at the actual mechanism of violence.

The federal data on where violence in the workplace originates is unambiguous about the mismatch. Over the 2023–2024 period, private industry recorded 78,340 nonfatal violent-act cases resulting in days away from work, restriction, or job transfer, an annualized rate of 3.7 per 10,000 full-time workers with a median of 11 days lost per incident, according to the Bureau of Labor Statistics. Those numbers describe outcomes. A compliance plan describes paperwork. Neither one, on its own, describes the person of concern six weeks before the incident, which is where prevention actually happens.

What Warning Signs Does Behavioral Threat Assessment Actually Catch?

Behavioral threat assessment catches the pattern of observable behavior that precedes violence: not a single red flag, but a cluster of them building over time. The FBI’s Behavioral Analysis Unit, studying active shooter incidents between 2000 and 2013, found that attackers displayed an average of four to five concerning behaviors observable to others before they acted, most frequently tied to deteriorating mental health, breakdowns in interpersonal relationships, and “leakage” (the intentional or unintentional disclosure of violent intent).

None of those signals show up on an OSHA log. A previously engaged employee who abruptly withdraws from colleagues. A grievance that calcifies into fixation rather than fading. A divorce or custody dispute that HR already knows about but never flags to security. Individually, each looks like an HR matter, a performance issue, or none of the company’s business. Assessed together by a team trained to connect them, they form a recognizable pathway. The FBI’s follow-on report on threat management found that people of concern are roughly 16 times more likely to escalate toward violence when they display these behaviors to bystanders who never intervene, according to the FBI Behavioral Analysis Unit’s findings as reported by ASIS International’s Security Management magazine. The absence of intervention, not the absence of warning, is usually the failure point.

Why Do HR and Security Operate in Separate Silos, and What Does That Cost?

HR and security operate in separate silos because their systems were never built to talk to each other, and that separation is precisely what lets warning signs go unconnected. HR holds the personnel history: the disciplinary record, the leave-of-absence pattern, the exit interview nobody escalated. Security holds the incident data: the access anomaly, the parking lot altercation, the visitor who won’t leave. A functioning threat assessment program needs both data sets in the same room, evaluated by the same team, on a recurring cadence, not reconstructed after the fact during an incident review.

In the assessments we run for mid-market clients rebuilding their workplace violence program from scratch, the finding that surprises HR leaders most isn’t a missing policy. It’s that three or four people across the organization each held one piece of a pattern that, assembled, would have qualified for intervention months earlier. No process existed to assemble it.

This is also where a compliance-driven build tends to stall. A workplace violence prevention program gets written to satisfy the statute, then filed. What’s actually needed is a standing, cross-functional team with defined intake, evaluation, and escalation authority, the kind of structure ASIS International’s forthcoming Workplace Violence Prevention and Intervention Standard, open for public comment through July 2026, is attempting to formalize industry-wide.

What Does the SB 553 Deadline Mean for Employers Outside California?

The SB 553 deadline is a California-specific mandate, but it functions as a national preview: it is the clearest signal yet that regulators expect behavioral threat management, not just a policy document, to sit underneath workplace violence compliance. California Labor Code section 6401.9 took effect July 1, 2024, and the Occupational Safety and Health Standards Board must adopt a corresponding general industry standard by the end of this year.

No other state currently mandates a program with this level of specificity. That will not last. Multi-site employers with any California footprint are already building their programs to the SB 553 standard rather than maintaining two versions, and a handful of other states have workplace violence legislation moving through committee. Waiting for a home-state mandate to force the issue is a bet against the direction every serious regulatory and insurance body is currently heading.

Who Should Own Your Workplace Violence Prevention Program?

Ownership belongs with a named, credentialed individual who has both the security judgment to assess threat severity and the standing to pull HR, legal, and facilities into a room on short notice — not a shared responsibility scattered across departments that each assume someone else is watching. Most mid-sized organizations don’t have a full-time chief security officer role to give that person, and building one for this purpose alone rarely pencils out.

A fractional chief security officer engagement solves that gap directly: an experienced security executive who builds the threat assessment structure, trains the intake team, and stays accountable for the program’s effectiveness, not just its paperwork, without the cost of a full-time hire. Pairing that leadership with structured workplace threat and vulnerability assessment work and formal workplace violence prevention plan development and training turns a compliance document into an operating program. For the behavioral indicators HR teams are best positioned to catch first, see our related analysis on behavioral early-warning indicators in workplace violence prevention.

Executive Takeaway

In the next 30 days, name one accountable individual for your workplace violence prevention program and give that person explicit authority to convene HR, security, and legal on short notice. Audit whether your current program exists only as a document or functions as a standing behavioral threat assessment process — most fall into the first category. If you cannot say who reviewed a concerning-behavior report in the last 90 days, you don’t have a program. You have a policy.

Frequently Asked Questions

What should be included in a workplace violence prevention program? An effective program includes a written policy, a named responsible party, reporting and investigation procedures, a violent incident log, and recurring training. Beyond the required elements, it needs a standing cross-functional team empowered to evaluate reported concerns and intervene before behavior escalates — the piece most compliance-only plans omit entirely.

Is a workplace violence prevention plan legally required? Yes, in California, where SB 553 requires nearly all employers to maintain a written plan as of July 1, 2024. No federal mandate currently exists, though OSHA’s general duty clause obligates every U.S. employer to maintain a workplace free of recognized hazards, which increasingly includes violence risk.

What’s the difference between a workplace violence policy and a behavioral threat assessment program? A policy is a document describing procedures and responsibilities. A behavioral threat assessment program is the operational practice of identifying, evaluating, and intervening on specific individuals showing concerning behavior. Employers frequently have the first without the second, which limits the policy’s practical effect.

Who should be responsible for workplace violence prevention at a company? A named, credentialed security leader with cross-departmental authority should own the program, supported by a threat assessment team spanning HR, legal, and facilities. Diffusing ownership across departments without a single accountable leader is one of the most common reasons programs fail during an actual incident.

How do you identify warning signs of workplace violence before an incident occurs? Warning signs cluster rather than appear in isolation: withdrawal from colleagues, fixation on a grievance, deteriorating mental health, and leakage of violent intent. FBI research found active shooters displayed an average of four to five such behaviors beforehand, which is why cross-functional reporting matters more than any single indicator.

Does workplace violence prevention training actually reduce risk? Training reduces risk when it teaches employees to recognize and report specific behavioral patterns, not just policy awareness. Programs that stop at “know your emergency exits” leave the behavioral detection gap wide open; programs that train managers and HR to recognize and escalate concerning behavior close it.

Building or auditing a workplace violence prevention program that goes beyond the compliance document requires the kind of judgment a checklist can’t provide. Read Outsourced. Exposed. Out of Time. for a fuller look at where security programs are structurally exposed, and what closing that gap requires.


Sources

Sign up!

For industry-leading guides and analysis sign up for our blog below.

  • This field is for validation purposes and should be left unchanged.

Latest News

Account Protection with Password Manager
Account Protection with a Password Manager What good is a password if anyone can read it? From Chesley Brown International Risk Management [dpArticleShare] Password managers are not a universal remedy... but can ...
Read More
Chesley Brown Announces Addition to Senior Team
Dell Spry Joins Chesley Brown Team To support the ongoing growth and demand Chesley Brown is pleased to announce Marvin O. “Dell” Spry has joined the Senior team as a Managing Director. ...
Read More
Happy kids with rucksacks walking leaving school
Federal Commission on School Safety Releases Comprehensive Report
  Federal Commission on School Safety Comprehensive Report Released From Chesley Brown International Risk Management [dpArticleShare] President’s Federal Commission on School Safety Releases Comprehensive Report After 9 months of research, visiting successful ...
Read More
Fighting Terrorism with Strong Private Sector Relationships
Fighting Terrorism with Strong Private Sector Relationships From Chesley Brown International Risk Management [dpArticleShare] "Threat mitigation is a team effort; it’s this relationship and collaboration which is critical to the counterterrorism fight." ...
Read More
face recognition, automatic face recognition biometric identification; biometric authentication; identity verification
Facial Recognition: the First Catch
Facial Recognition Makes its Grand Entry The new technology, deployed in airports across the country, makes its first catch. From Chesley Brown International Risk Management [dpArticleShare] On its third day of testing, ...
Read More
hands on a keyboard as if hacking into something
Are Employees an Unintentional Security Risk for Cyber Attacks?
Are Your Employees an Unintentional Security Risk for Cyber Attacks? In these times when malware is prevalent and easily disguised as email attachments or seemingly innocent software updates, one of the questions ...
Read More
DHS and Canada Team up for First Responders
DHS and Canada Team Up to Develop Resources for First Responders From Chesley Brown International Risk Management [dpArticleShare] Artificial Intelligence Meets Boots on the Ground to Improve Patient Outcomes The United States ...
Read More
preventing economic espionage, trade secret theft and intellectual property theft
Supreme Court Decision Regarding the Privacy of Digital Data
Supreme Court Decision Personal Rights and the Expectation of Privacy in the Digital Age From Chesley Brown International Risk Management [dpArticleShare] In Major Privacy Case, Court Rules Law Enforcement Must Obtain Warrant ...
Read More
The Evolution of School Security
Special E-Brief June 2018 In the current climate of school shootings, we have anguished over the potentials that may follow the ongoing rise in active shooter and other critical events in schools ...
Read More
Threats Our Kids Face Online
Protecting Our Children Against Online Threats Teaching our kids to be wary onlineChesley Brown E-Brief May 2018 From Chesley Brown International Risk Management [dpArticleShare] Cyber bullying and cyber-predators are real online threats ...
Read More
Outsourced. Exposed. Out of Time.