When an executive protection program fails, the post-incident analysis almost always focuses on the wrong things. The agent's positioning. The route selection. The advance work. The response time. These are operational variables, and they matter, but they are rarely the origin of the failure. The origin is almost always structural, and it is almost always present long before any threat materializes.
Most corporate EP programs are built wrong from the first conversation. The buying process is driven by procurement, legal, or HR, not security professionals. The vendor is selected based on price, insurance certificates, and reference calls with other procurement departments. The program is scoped around a budget number, not a threat assessment. Agents are deployed before anyone has asked what, specifically, they are there to protect against.
This is not a criticism of the people involved. It is a criticism of the process, and the process is broken at an industry level.
The Four Structural Failures
Across program audits and advisory engagements, the same failures appear repeatedly. They are not random. They are predictable consequences of how corporate EP programs are typically initiated and managed.
1. The program is designed around the vendor's capabilities, not the principal's threat profile
When an organization engages an EP vendor before conducting a threat assessment, the program is inevitably shaped by what the vendor offers rather than what the principal actually needs. A vendor with a large armed agent roster will propose armed coverage. A vendor with residential security capabilities will recommend residential coverage. A vendor with a technical surveillance countermeasures (TSCM) division will find surveillance vulnerabilities that justify its TSCM services.
This is not necessarily dishonest; vendors genuinely believe in their capabilities. But it produces programs that are vendor-centric rather than threat-centric. The principal's actual exposure profile, which may call for a completely different configuration, gets filtered through the vendor's service menu.
The fix is sequencing. Threat assessment comes first, always. The program design follows from the threat assessment. The vendor is selected and scoped based on the program design, not the other way around.
2. The Individual Security Study is missing, templated, or prepared by the wrong party
The IRS requires a formal Individual Security Study to qualify EP expenditures as working condition fringe benefits under Section 132(d). Beyond the tax implications, the ISS serves a more fundamental purpose: it forces a rigorous, documented analysis of what specific threats the principal faces and why the protection program is the appropriate response.
Most organizations either skip the ISS entirely, use a templated document that could apply to any executive, or, most problematically, have the ISS prepared by the EP vendor providing the services. Each of these creates a different kind of failure. The first creates tax exposure. The second fails to actually identify the specific threats. The third is a structural conflict of interest that the IRS has specifically challenged in audit proceedings.
A properly prepared ISS is principal-specific, prepared by an independent qualified security professional, and connects the identified threats directly to the principal's business role. It is the evidentiary foundation of the entire program. Without it, every other component of the program rests on an unverified assumption about what the threat actually is.
3. The program has no internal accountability structure
In most corporate EP arrangements, the vendor manages the program and reports to someone in HR, legal, or administration who has no security expertise. There is no internal program director. There is no independent oversight of the vendor's performance. There is no mechanism to evaluate whether the agents deployed meet the criteria stated in the contract.
This creates a principal-agent problem at the worst possible level. The organization is entirely dependent on the vendor's self-reporting about the quality of its own service. Deficiencies go unreported because there is no one on the organization's side to detect them. Agents who should be removed stay on assignment because no one with authority is watching.
The program may operate for years in this condition, technically active and practically unaccountable, until something goes wrong. At that point, the post-incident review reveals that the program was deficient in ways that were detectable and correctable, but no one was positioned to detect or correct them.
4. The threat assessment is static when the threat environment is dynamic
Threat environments change. Principals change roles, increase their public profile, become involved in high-visibility litigation, make statements that generate adversarial attention, or travel to elevated-risk jurisdictions. The threat landscape they face in year three of a program is materially different from the landscape in year one.
Most EP programs have no mechanism to reflect this. The initial threat assessment, if one was conducted at all, sits in a file and ages. Agents operate on protocols designed for a threat environment that no longer exists. The program provides the coverage it was designed to provide without asking whether that coverage still matches the current threat.
The IRS compounds this problem: a static ISS that is not updated as conditions change loses its qualification status. But even setting aside the tax implications, a program that does not evolve with the threat environment is not protecting the principal. It is performing protection.
What a Properly Architected Program Looks Like
The structural failures above have structural solutions. None of them require a larger budget. Most of them require a different sequence and a different accountability model.
A properly architected program begins with an independent threat assessment, conducted before any vendor is engaged, that produces a specific, documented analysis of what threats the principal faces, why they exist, and what level of protection is warranted. The ISS is prepared by the independent assessor, not the vendor. The program is designed to address the identified threats, not to consume the available budget.
A qualified program director, internal or engaged through an independent advisory relationship, provides ongoing oversight of vendor performance, reviews agent assignments against documented criteria, and ensures that the program evolves as the threat environment changes. The vendor delivers services. The program director holds the vendor accountable for the quality of those services.
The threat assessment is revisited at defined intervals and whenever the principal's exposure profile changes materially. The ISS is updated to reflect current conditions. The program director's relationship with the principal is direct, not mediated through the vendor.
The Cost of Getting It Wrong
The financial cost of a poorly structured EP program is significant and frequently underestimated. IRS reclassification of non-qualifying EP expenditures as taxable compensation can produce retroactive tax liability that dwarfs the cost of proper program design. Vendor contract disputes arising from poorly defined performance standards are expensive to resolve. The reputational and legal consequences of a security failure that was attributable to program deficiencies, rather than an unforeseeable event, are existential.
The non-financial cost is harder to quantify but more important. A program that fails to protect the principal it was built to protect has failed at its only purpose. The structural failures described above do not make that outcome inevitable, but they make it more likely than it needs to be.
Getting the architecture right is not complicated. It requires sequencing, independence, and accountability. The organizations that build programs this way do not make headlines. That is exactly the point.
HCI provides independent EP program audits, ISS documentation, and strategic advisory. Engagements begin with a confidential no-commitment briefing.