I don't have a copy but I'd set it out like any other risk assessment or even a bit like HACCP? I.e. I'd be systematic about it. Look for all the potential ingress points on your site for people for a starting point. Think about the likelihood / severity if someone accessed at that point. Also think about any intake points for materials. How are these secured and if someone accessed them, what would that do?
In my last employer, I also helped a team develop an internal threat assessment as well. So not just for external activist / terrorist attacks but assuming that someone who worked for the company wanted to contaminate. I don't still have a copy unfortunately but some of the things we considered were:
- How we recruited people (e.g. taking up references)
- Employee engagement
- How we parted ways with employees or managed disciplinary (e.g. suspension during investigation for serious issues to reduce risk)
- Where in the process someone with a grudge could have access to the line, including quieter areas and areas where the material (if contaminated) went into multiple batches
- The chances of detection, e.g. with CCTV, testing and the preventive impact
Where we found that the severity and likelihood multiplied together came out with a moderate or high score, whether that was for external risks or internal risks, we looked to put in controls. So for example, there was one area where it was lone working but had high risk if contaminated, so we put in card access only which logged who accessed it with CCTV (and communicated that's what we'd done). We put a lock on an intake pipe which was external to the building but inside the barrier fence to make it more secure. The key then being held in the team leader's office (bonus that they then had to be present and check the filtration on the delivery as well which had often been an issue.)
Then as a yearly activity (minimum) we audited it as a cross functional team, looking for risks. We'd always find some sadly. Once we found a dustbin just outside the perimeter fence, could be used to climb over. We once found a card operated external door had been forced and no longer worked. Etc etc.
Hope that's helpful.
