Skip to Content

Key Personnel Protection (KPP) at the Enterprise Level

David Nicastro | March 1, 2006

On This Page
Three women and two men in suits

Mention personal protection to almost any executive, and they will tell you they neither need it nor want it. Generally, the upper echelon of corporate America doesn't wish to be bothered by security personnel involved in their day-to-day activities.

When most people think of personal protection, they either envision presidential security provided by the Secret Service or burly bodyguards often seen hovering around Hollywood's elite. Typically, executives don't see themselves needing either level of service. After all, the profession often conjures up a poor reputation due to horror stories about overzealous types that create more problems than anything else.

Take the case of Edmund Safra, the billionaire banker reportedly killed by his bodyguard/nurse Ted Maher. Maher, a former Green Beret, had hoped to get a raise or reward by staging a scene in which he would "heroically" save his boss's life in the middle of a seemingly accidental fire. However, things did not work out as planned. Fires are notoriously hard to tame. The bodyguard lost control of the fire at Safra's Monaco residence. The 67-year-old mogul was suffocated by the smoke before the firefighters could reach him. Maher was convicted in 2002 and sentenced to 10 years in prison.

Corporate executives—like most people from money—enjoy the trappings of wealth (private aircraft, mansions, yachts, and luxurious travel to exotic places) but abhor the attention that they perceive associated with personal security. After all, security is generally related with inconvenience and a loss of freedom.

This article is aimed at business managers charged with developing a risk mitigation program for protecting key personnel at the corporate level. There is definitely a time and place for personnel protection in corporate America, and professional and discreet security is readily available.

First and most importantly, the organization needs someone to champion the cause for executive security. Many Fortune 500 firms have a dedicated security professional in this position; others assign responsibility for asset protection to risk management, finance, or legal. You might be asking, what does asset protection have to do with executive security or key personnel protection? Along with protecting facilities and proprietary assets, a company's most important asset is its people. Senior management at the "C" level, as well as employees assigned abroad and those traveling to dangerous countries, should all fall under the key personnel protection (KPP) plan. The umbrella of protection extends from the boardroom to abroad.

The Executive Protection Program

Implementing an executive protection program within a large international organization can be a daunting task. Corporations have the responsibility of providing a reasonable level of safety and security for its employees. Predictably, the most visible and vulnerable of those employees are its most senior executives. In many instances there is a profit motive associated with the security of key employees. If a strong CEO or president of a major corporation were kidnapped and held for an extended length of time or killed, the corporation would undoubtedly suffer semi-paralysis at the decision-making level, costing perhaps millions of dollars. In a publicly traded company, the share price could plummet. Therefore, key personnel are among the corporation's most valuable, and perhaps irreplaceable, assets.

The need for a management protection plan in today's world is based on the following risk factors.

  1. Public prominence of the executive or the corporation represented.
  2. Involvement in a controversial industry or business.
  3. Documented threats, abusive letters, or extortion attempts directed at the executive or the enterprise.
  4. Local conditions associated with a specific geographical location or an event that creates a higher threat level.

As added incentive, the IRS has established rules applicable for protecting executives of organizations that can show a "bona fide business-oriented security concern." If the company does not provide 24-hour security for the executive, the first step is for the organization to have an independent security study conducted. If the employer's security program meets Internal Revenue Service requirements, the value of any additional security protection provided to transport those employees and related services may be excluded from income under section 132(d) of the Internal Revenue Code.

Threat, Vulnerability, and Needs Analysis

A threat, vulnerability, and needs analysis will identify situations that place the protected person at risk. Barring chronic health problems, there are four primary risk factors that apply to executives:

  1. Accidents. The most common fatal accidents are motor vehicle accidents and fire.
  2. Random Acts. These generally occur as a result of being in the wrong place. They include carjacking, armed robbery, mugging, drive-by shooting, and terrorist action.
  3. Direction of Interest Incidents. These threat incidents include stalking, workplace violence, child abduction, identity theft, and crimes committed by interest groups such as groups that oppose abortion.
  4. Conspiracies. Murder for hire, extortion, and kidnapping all involve conspiracy.

Key Personnel Protection Plan

A key personnel protection plan sets forth action steps to be taken in the event of a crisis involving a protected person. The plan should be strategic. It needs to assign responsibilities and establish a response procedure. It should also require training, equipping, and organizing plan responders. Above all else, protected persons should be trained in how to minimize personal risk and what to do if attacked or kidnapped.

Security is predicated on the perceived threat, and protection services are crafted to prevent the threat or mitigate damage caused by it. Good security is all about planning and anticipating problems before they happen. Effective security services require a logical and systematic approach that corresponds realistically to dangers that potentially or actually confront the protected persons.

The plan's main objective is to prevent occurrence of an adverse event, and failing that, to be prepared to deal with the event and minimize the magnitude of consequences. The plan may address the most likely adverse events such as extortion, kidnapping, or workplace violence. Once the plan and its tactics are developed, training, equipping, and organizing can begin. The next steps are practice, evaluation of the practical exercise, and revision of the plan in light of lessons learned.

Following are the components of the plan.

  • A rationale and a mandate that should answer questions such as who owns the process and who is covered by it. The covered persons logically include senior management, expatriates and their families, international travelers, and employees known to be at risk of violence in the workplace.
  • A component that establishes command and control. In other words, the plan outlines who will be in charge.
  • Designation of the place where command and control is to be carried out.
  • Identification of equipment needed to operate the command and control center.
  • Identification of persons responsible for plan execution.
  • Identification of first- and secondary-responders.
  • Notification procedures.
  • Procedures that direct and/or guide the responders.
  • A component that specifically addresses the organization's KPP program.
  • Laws that apply such as the federal law requiring that the FBI be notified when a kidnapping occurs or laws that apply to the possession of firearms by security persons assigned to defend against an attack of a protected person.

The objective of the KPP Program is to create an acceptable, safe, and secure environment for the protected persons. In most cases, these persons will be members of the enterprise's executive team and their dependents. These persons are at greatest risk due to their prominence publicly or within the enterprise.

The belief that people are a company's most valuable asset is the driving force behind the KPP plan. Implementing a KPP program within a large, international organization can be a complex process. By its very nature, personal security will vary from individual to individual because of varying lifestyles and daily routines. However, certain minimum standards and guidelines can be developed to provide sustainable long-term solutions.

Key Personnel Protection Protocol

The chief risk officer's duty is to develop for the enterprise a KPP program that reduces risks to an acceptable level. The protection program consists of the following elements.

  • Gathering and evaluating timely and accurate threat intelligence.
  • Minimizing through careful analysis and planning.
  • Training persons to carry out their protective functions such as teaching executives how to anticipate and respond to danger and how to survive if kidnapped, and ensuring that the executive's driver is skilled at evasive driving tactics, can perform CPR, defibrillation, and first aid, and knows the location of emergency treatment facilities.
  • Utilizing advanced electronic technologies such as CCTV, GPS vehicle tracking, intrusion detection, and duress devices.
  • Planning and coordinating security for the protected person's travel, lodging, and public appearances, especially in unstable regions.
  • Security training in executive protection tactics, evasive-driver techniques, and security procedures.
  • Utilization of high-level electronics such as CCTV, GPS vehicle tracking systems, intrusion detection alarms and the like.
  • Advance security planning and coordination for executive management traveling to dangerous regions of the world.
  • Crisis management planning and practical drills to address events such as kidnapping, egregious threat, or country evacuation.


This article has presented a proactive approach to protecting an enterprise's key personnel. A proactive approach anticipates threats, makes preparations to prevent them or reduce their impact, and has a program in place to respond when a threat event occurs. The person most responsible for developing a KKP is the chief security officer.

This article supports a proactive and strategic approach that management initiates in relation to protecting key management personnel before an incident occurs. The most difficult part is in convincing senior management to create a well-designed program that fits the culture of the enterprise. Frequently, doing so takes someone to "champion" security. Key personnel protection should always be discreet, professional, and commensurate with the threat. Protection is all about planning and training. Using qualified, knowledgeable, and experienced specialists goes without saying.

The organization needs to develop the right processes, procedures, and standards that focus on prevention, deterrence, detection, and response. The KPP framework should be built on sound executive protection principles such as periodic threat assessments, risk avoidance countermeasures, advance planning, and trained/qualified protection personnel and drivers. Additionally, the organization needs to have a well-conceived crisis management and business continuity plans that are routinely exercised and updated.

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.