Thought Leadership
July 13, 2026
12 min read

What Is an Insider Risk Program Assessment?

Most organizations do not struggle because they have done nothing. They struggle because they have done many things without a clear way to determine whether those efforts function as a coherent enterprise program.

Most organizations do not struggle because they have done nothing about insider risk. They struggle because they have done many things, often across different teams, without a clear way to determine whether those efforts function as a coherent program.

Security may be monitoring user activity. Human Resources may be managing workforce concerns. Legal and Privacy may be establishing boundaries around monitoring and investigations. Information Technology may be enforcing access controls. Investigations may be responding to individual cases.

All of that activity matters. But activity is not the same as an effective program.

An insider risk program assessment helps an organization determine whether its policies, people, processes, technology, governance, and decision-making structures work together effectively to identify, manage, and reduce insider risk.

It is not simply a review of tools. It is not a compliance checklist. It is not a count of alerts, cases, policies, or meetings. A meaningful insider risk program assessment evaluates whether the organization has built a sustainable, defensible, and measurable enterprise program.

At ITMG, the Program Assessment is informed by the Insider Risk Capability Framework™ (IRCF™), a public, practitioner-informed reference model for understanding the capabilities required to build, manage, and mature an insider risk program.

The IRCF™ provides the common language. The Program Assessment determines whether those capabilities function together as an effective operating model.

What Is an Insider Risk Program Assessment?

An insider risk program assessment is an evidence-based review of how an organization governs, coordinates, operates, measures, and improves its insider risk or insider threat program.

The assessment examines whether the program has the authority, stakeholder alignment, workflows, safeguards, resources, metrics, and operational discipline required to manage insider risk across the enterprise.

A strong assessment should answer several basic questions:

  • Does the organization have a clearly defined insider risk operating model?
  • Are responsibilities understood across Security, Human Resources, Legal, Privacy, Information Technology, Compliance, and Investigations?
  • Do stakeholders know how and when to coordinate?
  • Are risks being identified before they become incidents?
  • Are monitoring and response activities legally and ethically defensible?
  • Can leadership see where the organization is exposed?
  • Are program investments tied to measurable improvement?
  • Can the organization show that identified weaknesses are actually being addressed?

In my experience, many organizations can answer some of these questions. Far fewer can answer all of them with evidence. That is the real purpose of the assessment.

What Does a Program Assessment Evaluate?

A Program Assessment evaluates whether the insider risk function works as a coherent, governed, and defensible enterprise program. It focuses on the "connective tissue" of the program.

That includes:

Program authority
Executive sponsorship
Governance
Stakeholder alignment
Roles & decision rights
Operating procedures
Cross-functional workflows
Escalation paths
Legal & privacy safeguards
Metrics & reporting
Accountability
Improvement planning

The assessment should determine whether the individual parts of the program function together.

This distinction is important because an organization may have strong technical tools, experienced investigators, mature policies, or committed stakeholders and still have a weak operating model.

I have reviewed organizations where the individual parts were relatively strong, but the program still struggled because responsibilities were unclear, decisions were inconsistent, or no one had a complete view of the organization's exposure. A Program Assessment is designed to identify those weaknesses.

Why Organizations Need an Insider Risk Program Assessment

Insider risk programs often develop gradually. A monitoring tool is introduced. A working group is formed. Human Resources and Security establish a referral process. Legal approves certain monitoring activities. Investigations develops procedures. Leadership begins asking for metrics.

Over time, the organization accumulates activity, controls, documentation, and technology. What it may not accumulate is clarity.

The organization may not know whether responsibilities overlap, whether critical gaps remain, whether stakeholders are applying the same standards, or whether program activities are actually reducing risk.

That uncertainty becomes especially visible during a serious incident. When something happens, the questions come quickly:

Who owns the response? What information can be shared? What legal approvals are required? Which team makes the decision? What is the escalation threshold? Was the risk previously identified? Were controls operating as intended? Can the organization explain why it acted, or why it did not?

A Program Assessment should identify these weaknesses before an incident forces the organization to discover them under pressure.

How the IRCF Informs a Program Assessment

The Insider Risk Capability Framework™ defines the broad capabilities organizations need to understand, assess, and improve across the insider risk lifecycle.

The IRCF™ includes 10 interconnected components:

  1. Governance
  2. Monitoring
  3. Analysis
  4. Investigation
  5. Identity and Access Management
  6. Data Protection
  7. Personnel Assurance
  8. Oversight and Compliance
  9. Training
  10. Risk Management and Reporting

During a Program Assessment, ITMG uses the IRCF™ as a reference lens to determine whether the organization's operating model accounts for these necessary capability areas and whether they work together effectively.

The purpose is not to conduct a detailed maturity evaluation of every IRCF™ capability. That deeper, component-level review is performed through ITMG's Insider Risk Capability Assessment.

In the Program Assessment, the IRCF™ helps identify whether weaknesses in one or more capability areas are affecting:

  • Governance and stakeholder coordination
  • Program execution and escalation
  • Decision-making and executive visibility
  • Legal defensibility and accountability
  • Sustained program improvement

The Program Assessment is therefore IRCF-informed. The Capability Assessment is IRCF-based.

How the Program Assessment Views the IRCF Components

The Program Assessment considers each IRCF™ component through an enterprise operating-model lens.

IRCF™ Component Program Assessment Perspective
Governance Are authority, ownership, sponsorship, and decision rights clear?
Monitoring Is monitoring aligned to defined risks and governed use cases?
Analysis Can information be translated into consistent and defensible decisions?
Investigation Are concerns triaged, escalated, investigated, and resolved consistently?
Identity & Access Management Are access risks integrated into program processes and governance?
Data Protection Are critical data risks understood, prioritized, and governed?
Personnel Assurance Are workforce events integrated into insider risk processes?
Oversight & Compliance Are legal, privacy, compliance, and audit safeguards embedded?
Training Are stakeholders prepared to perform their assigned roles?
Risk Management & Reporting Can leadership understand exposure, priorities, ownership, and progress?

This approach helps determine whether the organization has built a functioning enterprise program. It does not replace the deeper capability-level analysis performed through a Capability Assessment.

Program Assessment vs. Capability Assessment

A Program Assessment and a Capability Assessment are related, but they answer different questions.

A Program Assessment evaluates whether the overall insider risk program operates as a coherent, governed, and defensible enterprise function. It focuses on program structure, governance, stakeholder coordination, authority, decision-making, workflows, reporting, and accountability.

A Capability Assessment performs a deeper IRCF-based evaluation of the organization's individual insider risk capabilities. It focuses on which capabilities exist or are missing, how mature each capability is, what evidence supports the rating, and what component-level improvements are required.

The Program Assessment asks whether the program works. The Capability Assessment asks how strong each underlying capability is.

An organization may need one or both assessments depending on its objectives. A leadership team seeking to understand why the program is fragmented may begin with a Program Assessment. A team seeking a detailed evaluation across the IRCF™ components may need a Capability Assessment.

Insider Risk Program Assessment vs. Insider Threat Assessment

The terms insider risk assessment, insider threat assessment, and insider risk program assessment are often used interchangeably. They should not always mean the same thing.

An insider threat assessment may focus on specific threat actors, scenarios, employees, contractors, indicators, or concerning activity.

An insider risk assessment may examine broader organizational exposure involving access, data, workforce conditions, technology, critical assets, and control weaknesses.

An insider risk program assessment evaluates the enterprise function responsible for managing that exposure. It asks whether the organization has the governance, coordination, workflows, safeguards, and accountability needed to manage insider risk consistently.

This distinction matters because an organization can have advanced monitoring technology and still have a weak program. It can have mature policies and still struggle to make timely decisions. It can have experienced investigators and still lack a consistent escalation process.

What Areas Should a Program Assessment Review?

A comprehensive Program Assessment should examine the full operating environment, not just one team, tool, or process.

Governance and Executive Oversight

The assessment should determine whether the program has clear authority, executive sponsorship, decision rights, and accountability. It should also examine whether governance forums are active and useful.

Many organizations have an insider risk committee or working group on paper. The more important question is whether that group makes decisions, resolves conflicts, prioritizes investments, and holds owners accountable. A meeting calendar is not evidence of effective governance.

Roles and Stakeholder Coordination

Insider risk is inherently cross-functional. No single team can manage it alone. The assessment should evaluate how Security, Human Resources, Legal, Privacy, Information Technology, Compliance, Physical Security, and Investigations work together. It should identify unclear ownership, duplicated responsibilities, inconsistent practices, and handoff failures.

Policies, Standards, and Procedures

Policies should define the program's purpose, authority, scope, safeguards, escalation requirements, and expected behavior. Procedures should translate those policies into repeatable action. The assessment should determine whether written documentation reflects actual practice. This matters because many programs look more mature in documents than they do in operation.

Risk Identification and Prioritization

The organization should have a repeatable way to identify and prioritize insider risk. That includes understanding critical assets, high-risk access, workforce populations, business processes, threat scenarios, and control weaknesses.

The program should not rely only on detected activity. By the time an alert is generated, the organization is already responding to something that has occurred. A mature program also examines where exposure may emerge and where existing controls may be insufficient.

Monitoring Governance

The assessment should examine whether monitoring activities are aligned with defined program risks and use cases. It should also determine whether monitoring is properly governed, legally reviewed, technically validated, and regularly evaluated.

The presence of a user activity monitoring, data loss prevention, or behavioral analytics platform does not by itself demonstrate program maturity. The organization should be able to explain: why a monitoring use case exists, what risk it addresses, who authorized it, what data it uses, who reviews the output, how privacy safeguards are applied, and whether it is producing useful results. Without that discipline, monitoring can create more activity without creating better decisions.

Investigations and Case Management

The assessment should evaluate how concerns are received, triaged, assigned, investigated, documented, escalated, and closed. It should also examine whether similar concerns receive similar treatment. A mature program should not depend entirely on who receives the issue first or which individual is available.

Workforce and Personnel Processes

Insider risk is closely connected to workforce events. Role changes, disciplinary actions, performance concerns, layoffs, resignations, mergers, reorganizations, and contractor transitions can alter risk. The assessment should determine whether relevant workforce events are integrated into program processes. The objective is to recognize when access, circumstances, and organizational change create conditions that require additional safeguards.

Access and Data Protection Coordination

The assessment should determine whether access risks and data protection risks are integrated into the program. This includes privileged access, excessive permissions, dormant accounts, third-party access, critical data, SaaS platforms, cloud environments, and AI-enabled tools.

Legal, Privacy, and Compliance Safeguards

An insider risk program must be effective, but it must also be defensible. The assessment should determine whether legal, privacy, compliance, and employee-relations considerations are embedded into program processes. This includes monitoring approval, data handling, information sharing, retention, documentation, and cross-border considerations.

Metrics and Executive Reporting

A program should be able to show more than the number of alerts reviewed or cases opened. Those are activity measures. Leadership needs to understand exposure, control weaknesses, unresolved risks, remediation progress, and the impact of program investments.

What Evidence Should Be Reviewed?

A credible insider risk program assessment should be evidence based. It should not rely only on interviews or self-reported maturity scores.

Relevant evidence may include:

  • Program charters and policies
  • Governance records and meeting minutes
  • Procedures, playbooks, and escalation criteria
  • Risk assessments and Risk Register entries
  • Monitoring use cases and approvals
  • Legal and privacy review documentation
  • Training and awareness materials
  • Case management workflows and procedures
  • Access review processes and logs
  • Operational metrics and dashboards
  • Prior assessments and audit findings
  • Remediation and roadmap records
  • Executive reports and briefings

The objective is not to create a burdensome document collection exercise. The objective is to validate how the program actually operates. A program may have a strong policy and weak execution. Another may have effective informal practices that have never been documented, governed, or institutionalized. Both conditions create risk.

Who Should Participate in the Assessment?

An insider risk program assessment should not be limited to the security team. Participation will often include representatives from:

Insider Risk / Threat
Cybersecurity
Human Resources
Legal & Privacy
Compliance & Audit
Information Technology
Identity & Access
Investigations

The exact stakeholders depend on the organization. What matters is that the assessment reflects the real operating environment. Insider risk rarely fails entirely within one team. It usually fails between teams.

What Should the Organization Receive?

A useful Program Assessment should produce more than a maturity score and presentation. The organization should receive a clear view of:

  • Program strengths and operating-model weaknesses
  • Governance gaps and stakeholder coordination issues
  • Material exposure implications and executive decision points
  • Priority recommendations with estimated effort and required evidence
  • Accountable owners and dependencies mapped into a living roadmap

The output should help the organization decide what to do next. This is where many traditional assessments fall short. They identify weaknesses, assign ratings, deliver a report, and stop. That is not enough. A meaningful assessment should create a practical path from finding to action.

Why a Program Score Is Not Enough

A score can be useful. It provides a baseline and helps summarize complex information. But a score alone can create false confidence.

Two organizations may receive similar scores while facing very different problems. One may have weak governance. Another may have inconsistent investigations. A third may have strong technical tools but poor stakeholder coordination. A fourth may have mature processes that are not adapted for AI, SaaS, contractors, or a distributed workforce.

The score does not tell leadership what to address first. It also does not show: why the issue matters, who should own it, what level of effort is required, what dependencies exist, how progress will be demonstrated, or whether exposure is actually decreasing. The objective is not to achieve a perfect score. The objective is to improve how the program manages risk.

Self-Assessment vs. Independent Assessment

Self-assessments can be valuable. They help establish awareness, identify obvious gaps, and prepare stakeholders for a more detailed review. They also have limitations. Internal teams may normalize longstanding practices, overestimate consistency, or assess documentation rather than actual execution.

An independent assessment brings an outside perspective, comparative experience, and the ability to challenge assumptions.

The best approach may involve both. An organization can use a self-assessment to gather baseline information, then engage an experienced practitioner to validate evidence, test operating effectiveness, identify hidden weaknesses, and prioritize action.

How RiskTKO® Supports Program Improvement

The IRCF™ provides a public reference model for understanding insider risk capabilities. The Program Assessment uses that framework to identify whether capability weaknesses are affecting the overall operating model.

RiskTKO® helps operationalize what happens next. Instead of leaving findings in a static report, RiskTKO® helps connect them to:

Recommendations
Priorities and Tasks
Owners & Milestones
Risk Register Items

This allows the organization to manage the assessment as a living improvement process. The assessment establishes the baseline. RiskTKO® helps maintain it.

From Static Assessment to Living Program Improvement

A traditional assessment produces a point-in-time view. That view may be accurate on the day it is delivered. The problem is that insider risk changes.

People change roles. Access expands. Contractors join and leave. Technology changes. AI use grows. Business priorities shift. Risks are accepted, mitigated, transferred, or ignored. A static report cannot reflect that movement.

A living model connects findings to actions, owners, costs, timelines, risks, and evidence. As work is completed, the program baseline should change. Leadership should be able to see whether the program is improving, whether exposure is increasing or decreasing, and whether investments are producing measurable value. The assessment should not end with a report. It should become an operating baseline for sustained improvement.

How AI Changes the Program Assessment

Artificial intelligence introduces new insider risk considerations across the enterprise. Employees may use AI tools to process sensitive information, generate unauthorized summaries, move data more efficiently, bypass established workflows, or expose information to unapproved platforms.

At the same time, insider risk teams may use AI-enabled tools to support triage, analysis, prioritization, reporting, and administration. A Program Assessment should determine whether these changes are being addressed across the operating model. That includes reviewing AI governance, approved and unapproved AI use, roles and accountability, data handling, monitoring authority, human review, privacy safeguards, escalation, investigation procedures, reporting, and training.

AI should not be treated as a separate issue disconnected from the program. It should be integrated into governance, workflows, safeguards, and accountability.

How Often Should an Insider Risk Program Be Assessed?

There is no single cadence that applies to every organization. Many organizations benefit from a formal Program Assessment annually, with more frequent reviews of high-risk areas.

An assessment should also be considered when there is significant change, including:

  • A merger or acquisition or major workforce reduction
  • A serious insider incident
  • A new monitoring platform or cloud/SaaS adoption
  • Significant expansion into new countries or increased contractor use
  • New artificial intelligence capabilities or a change in executive leadership

The program should not remain static while the organization changes around it.

What I Have Learned From Assessing Insider Risk Programs

Over more than 25 years working across insider threat, insider risk, investigations, national security, and enterprise environments, I have seen the same lesson repeat itself. Most program weaknesses are not caused by a complete absence of effort. They are caused by fragmentation.

The organization has policies, but no shared operating model. It has monitoring, but no clear connection to prioritized risk. It has a working group, but limited authority. It has case procedures, but inconsistent escalation. It has metrics, but they measure activity instead of exposure. It has recommendations, but no durable mechanism for implementation. It has capable people, but no common framework for aligning their work.

These are not theoretical problems. They are the types of weaknesses that become visible during real incidents, audits, investigations, workforce transitions, and executive reviews. The purpose of a Program Assessment is to make those weaknesses visible sooner.

When Should You Consider an Insider Risk Program Assessment?

An assessment may be appropriate when:

  • Leadership cannot clearly explain how the program operates
  • Stakeholders disagree about roles or authority
  • The program lacks a defined operating model
  • Monitoring tools produce activity but limited actionable value
  • The program relies heavily on informal relationships
  • Findings from earlier reviews remain unresolved
  • Metrics focus on volume rather than exposure reduction
  • The organization is preparing for audit or regulatory scrutiny
  • Executives want a defensible investment roadmap
  • AI or SaaS adoption is changing data exposure
  • The organization needs to move from reactive threat response to proactive risk management

The most important signal is uncertainty. When leadership cannot confidently explain how the program works, where it is weak, which issues matter most, and what is being done about them, a Program Assessment can provide the needed clarity.

Frequently Asked Questions

What is the purpose of an insider risk program assessment?

The purpose is to evaluate whether the organization has the governance, operating model, stakeholder alignment, workflows, safeguards, evidence, and accountability required to manage insider risk effectively.

How does the IRCF support a Program Assessment?

The IRCF provides a common reference model for the capabilities an insider risk program should address. During a Program Assessment, ITMG uses the IRCF to identify whether weaknesses in those capability areas are affecting program governance, coordination, execution, reporting, or accountability.

Is the Program Assessment a full IRCF capability maturity assessment?

No. The Program Assessment is IRCF-informed, but it does not perform a detailed maturity review of every IRCF capability. That deeper evaluation is conducted through ITMG's Insider Risk Capability Assessment.

What is the difference between a Program Assessment and a Capability Assessment?

A Program Assessment evaluates whether the insider risk function operates as a coherent, governed, and defensible enterprise program. It focuses on the operating model, stakeholder alignment, authority, workflows, reporting, and accountability. A Capability Assessment performs a deeper IRCF-based evaluation of the organization's individual capabilities.

Is an insider risk program assessment the same as a cybersecurity assessment?

No. Cybersecurity is an important part of insider risk, but a Program Assessment also evaluates Human Resources, Legal, Privacy, Investigations, governance, workforce processes, training, reporting, and cross-functional decision-making.

Does the assessment evaluate technology?

Yes, but technology is only one part of the review. The assessment determines whether technology supports clearly defined risks, use cases, workflows, safeguards, and decisions.

Final Thought

An insider risk program assessment should not be designed merely to tell an organization that it has problems. Most leaders already know gaps exist.

The value is in determining whether the program functions as a coherent enterprise capability, where the operating model is breaking down, why those weaknesses matter, and what should happen next.

The IRCF™ provides a common language for understanding the capabilities that support an effective insider risk program. The Program Assessment uses that language to determine whether those capabilities work together.

The strongest programs are not the ones with the most tools, policies, committees, or alerts. They are the ones that can coordinate effectively, make informed decisions, act consistently, and prove that their efforts are reducing exposure. That is what a meaningful insider risk program assessment should make possible.

ST

About the Author

Shawn M. Thompson, Esq.

Shawn M. Thompson, Esq. is the founder and CEO of ITMG, founder of RiskTKO, and creator of the Insider Risk Capability Framework and Insider Risk Body of Knowledge. A former FBI Assistant General Counsel, federal prosecutor, NSA Insider Threat Program Manager and Senior Special Agent, and Google Global Insider Risk Practice Lead, he has supported more than 300 insider risk engagements for over 100 Fortune 500 organizations.

Evaluate Your Enterprise Operating Model

Partner with Shawn Thompson and the ITMG team to conduct an expert-led, IRCF-informed Insider Risk Program Assessment and turn findings into an actionable roadmap.