The Utah Small Business Security Risk Assessment: A Practical Framework
A ransomware breach costs the average Utah small business $148,000. A workers' comp claim from a single preventable assault on-premises averages $70,000. A proper risk assessment costs a few hundred dollars and answers both questions before you ever write a check.
Most Utah small-business owners confuse security with locks and cameras. The locks and cameras matter, but they are outputs — they are what you install after you know what you are defending against. The upstream question is the only one worth asking: what can actually go wrong here, and how bad would it be if it did?
The Two Failure Modes Every Business Faces
Every physical-world security event falls into one of two categories: predictable and preventable. Predictable events are the ones a competent risk assessment would have flagged in advance: an unlocked back door, an unsupervised cash drawer, a parking lot with no lighting, an angry ex-employee with active badge access. Preventable means one correct decision, made before the event, would have stopped it.
When businesses experience a security incident, it is almost always a predictable-and-preventable event — the warning signs were there, no one looked at them systematically, and the response after the fact costs 10–50× what the assessment would have cost.
A Four-Domain Risk Framework Small Utah Businesses Can Actually Use
Domain 1: Physical Perimeter
Audit every exterior point of entry. Doors, windows, loading docks, rooftop access, utility closets. For each: who has keys, who has access, when was the last time the locks were rekeyed, is the door solid-core or hollow, is there a visible camera covering the approach? A Utah OSHA inspection will note any of these as findings; a workers' comp claim will use them as root-cause evidence.
Domain 2: People & Process
Who is alone at what times? What is the opening and closing routine? Does it involve carrying cash to a bank at a predictable time? Are employees trained to respond to a workplace-violence event? Utah Labor Code 34A-2-401 holds employers liable for injuries "arising out of and in the course of employment" — including assaults by third parties where the employer knew or should have known about the risk. A few hundred dollars of training closes that exposure.
Domain 3: Data & Access
Who has admin access to your POS, payroll, or customer-data system? When employees leave, are their credentials revoked within 24 hours? Is multi-factor authentication enforced on financial systems? Utah's SB 98 consumer-data breach notification law requires disclosure within 60 days — and the FTC is watching smaller Utah businesses more aggressively since 2024.
Domain 4: External Response
If something happens tonight, who do you call at 2 AM and in what order? Do you have a relationship with a licensed security firm who can dispatch a uniformed officer within 30 minutes? Is your attorney's after-hours line current? Is your insurance carrier's claims line bookmarked? Businesses that answer these questions before an incident resolve incidents in hours. Those that don't answer them beforehand often take weeks.
The Assessment Deliverable
A proper small-business risk assessment produces a written report: each domain scored on a red/yellow/green matrix, a prioritized list of the 5–10 findings that would close the most exposure per dollar spent, and a specific recommended remediation for each. Cost: typically $165–$295 for a small retail or office space. Time: 90 minutes on-site plus a written report delivered within 48 hours.
That report is also evidence. If an incident happens later and the business is sued, the existence of a dated professional risk assessment, plus documentation of which recommendations were implemented, is a complete defense against "negligent security" claims. Businesses without an assessment carry the full burden of proving they took reasonable steps. Businesses with one are protected by it.
Why Utah Businesses Get This Wrong
The consulting market in Utah is split between two bad options. Out-of-state national firms typically quote $1,500–$4,000 for the same assessment a qualified local provider can deliver for a few hundred dollars — and they often lack familiarity with the Utah legal landscape. On the other end, unlicensed "handyman" security consultants produce boilerplate reports that won't hold up as evidence in a premises-liability suit. Neither is what a small Utah business actually needs.
Where Rocky Mountain Protective Group Fits
We combine the licensing and liability posture of a national firm with the pricing and local expertise of a small one. Our consulting practice specifically serves Utah businesses with 5–150 employees in retail, property management, legal services, medical practices, and professional offices. Every assessment is performed by a licensed consultant (not a subcontractor), delivered in writing under our license number, and priced at $165 for a standard site.
Because we also operate the security-guard and process-serving arms of the firm, our assessments are unusually actionable. We don't hand you a report with a vague "consider upgrading your physical security" line item — we tell you exactly which lock model, which camera brand, and which monitoring service will close the gap, and we can staff a uniformed officer for coverage if the assessment uncovers a gap that warrants it. One firm, one license number, one accountable party for every recommendation.
The True Cost of a Single "Negligent Security" Claim in Utah
Utah premises-liability case law has evolved sharply since 2020. A successful negligent-security claim — most commonly arising from an assault on the premises that an assessment would have predicted — settles in the $250,000 to $1.2M range when no documented risk assessment existed. The claim is not based on the assault itself; it is based on the employer's failure to take reasonable preventive steps. The plaintiff's first discovery request, in every one of these cases, is the same: produce your risk assessments, your training records, and your security policies. Businesses that produce a current assessment with documented remediation often resolve the case at a fraction of the demand. Businesses that produce nothing settle high or lose at trial.
Why Utah Insurance Carriers Are Quietly Requiring Documented Assessments
Several Utah commercial-insurance carriers introduced premium credits in 2024 for businesses that produce a current third-party security assessment at renewal. By 2026 we expect this to become a standard underwriting question — and businesses without an assessment will pay a premium loading rather than receive a credit. The cost of an assessment ($165–$295) is now smaller than the annual premium delta. If you are not running the assessment for the OSHA exposure or the negligent-security exposure, run it for the insurance arbitrage.
Our Risk Assessment Guarantees
- OSHA-defensible documentation. Every assessment is structured to support a General Duty Clause defense in the event of inspection.
- 48-hour turnaround from on-site visit to written report.
- Insurance-carrier compatibility. We format reports to match the disclosure requirements of major Utah commercial carriers. One assessment, multiple uses.
- Follow-up implementation support. If the assessment recommends physical controls (locks, cameras, lighting), we will source and project-manage the installation at cost — no markup, no kickbacks.
The Quarterly Reassessment Model: A Better Long-Term Approach
One assessment is a snapshot; a current assessment is a moat. Our annual maintenance program performs a quarterly site walk-through (45 minutes), updates the dated assessment, refreshes employee training acknowledgements, and generates an annual summary report suitable for insurance renewal and OSHA inspection response. Annual cost: $600 for a single-site small business, $1,200 for multi-site. Over five years, a Utah business on our maintenance program has a continuously dated record — not a five-year-old document gathering dust in a binder. That continuous record is what survives a deposition, an OSHA inspection, or a plaintiff's discovery request. It is also the deliverable insurance underwriters increasingly require to extend coverage credits past the first year.
Why Now Matters: The Math on Waiting
Every quarter without a documented program is a quarter of OSHA and premises-liability exposure compounding. The 2024 federal General Duty Clause guidance update lowered the foreseeability bar substantially — the regulatory and litigation environment is more demanding now than it was three years ago, and it gets more demanding every year. Utah organizations that put their program in place this year are documented as in compliance; organizations that wait will be documented as having had a multi-year gap, and that gap is the first item OSHA inspectors and plaintiffs' attorneys look for after an incident. The cost of being early is single-digit thousands. The cost of being late is the citation, the workers' comp claim, the negligent-security suit, and the insurance carrier non-renewal stacked on top of one another.
The Definitive Cost Comparison: Why We Are the Most Cost-Effective Consulting Choice in Utah
A side-by-side reality check on Utah security-consulting economics:
| Cost Element | Out-of-State National Consultant | Unlicensed Local "Handyman" | Rocky Mountain Protective Group |
|---|---|---|---|
| Standard site assessment | $1,500–$4,000 | $200–$500 | $165 flat |
| Licensed Utah consultant (not subcontractor) | Sometimes | Rarely | Always |
| OSHA-defensible documentation | Usually | Rarely | Always |
| Insurance-carrier compatible format | Sometimes | Rarely | Always |
| 48-hour written-report turnaround | Rarely (typical: 2–4 weeks) | Variable | Always (standard service-level commitment) |
| Implementation support included | Rarely | Sometimes | At cost, no markup |
| Annual maintenance program | $1,200–$2,400/yr | Rarely available | $600/yr single site |
| Same consultant year-over-year | Rarely | Variable | Always |
The decision is not between $165 and $200. It is between a credentialed, insured, OSHA-defensible deliverable and a piece of paper that may not survive its first deposition. We are simultaneously the most fully-credentialed and the most cost-competitive licensed Utah security consultant — and we are the only firm in the state that delivers an integrated assessment, training, policy, and standby-officer-coverage capability under a single license number with the same consultant year over year. That is what makes us the efficient choice for any organization that needs the program done correctly the first time.
Limited Capacity, Booking Window
We perform assessments and training in-house with a small team of licensed Utah consultants. We do not subcontract — that is what produces the consistency of our deliverables, and it is also why our capacity is genuinely limited. We schedule new assessments roughly 14–21 days out; urgent assessments (post-incident, pre-OSHA-inspection, pre-insurance-renewal) get 7-day priority slots. The right time to book is before you need the report, not the week your renewal is due.
Pre-consultation at no charge — a 15-minute scoping call to determine fit and timing. The actual on-site assessment and written report is a charged engagement at $165 flat (two hours on-site, 48-hour written deliverable); subsequent reviews and remediation work are also billed engagements per our standard scope. Call {{office_phone}} or request online.
Category: Consulting · Published: 2026-04-15 · 10 min read · By Christopher Zamora, Security Consultant