Optimising intelligence operations for international law enforcement: harnessing THRIVE for national intelligence model advancement

ABSTRACT

THRIVE (Threat, Harm, Risk, Investigation, Vulnerability, and Engagement) represents a decision-making framework introduced by the United Kingdom’s (UK) National Police Chiefs’ Council in 2017, with a particular focus on vulnerability. Alongside THRIVE other intelligence-led policing models such as the National Intelligence Model (NIM), have become integral to policing practices. While THRIVE is widely adopted as a primary analysis and decision-making framework in UK police services, its examination remains limited, including its impact on the NIM and its use by intelligence personnel. Interviews with 15 police personnel from operation intelligence units within a specific English service were conducted to ascertain its level of adoption. A series of Freedom of Information (FOI) requests to all 43 UK police services in England and Wales were then initiated, to understand if the THRIVE model is adopted and, if so, where within their respective units. The findings indicate widespread acceptance and integration of THRIVE among intelligence practitioners, without immediate adverse effects on the application of the NIM. The use of heuristic naturalistic decision-making processes in THRIVE assessments, suggests a need for further research. Though, there is a risk of reduced decision-making capacity among frontline intelligence workers using THRIVE within the constraints of the NIM.

KEYWORDS:

• THRIVE
• intelligence
• national intelligence model
• decision-making
• vulnerability

Introduction

In 2017 the UKs National Police Chiefs’ Council (NPCC) created a guidance publication entitled ‘Better Understanding Demand – Policing the Future’ (NPCC, 2017). The guidance offered a range of insights into police demand including measures to identify, predict and prevent it. Chapter 7 introduced the concept of ‘THRIVE’ (Threat, Harm, Risk, Investigation, Vulnerability and Engagement) as a method of demand management (NPCC, 2017, pp. 42–47). Originally developed by West Midlands Police, THRIVE presented a framework for the police to assess calls received through 999 with the aim of rapidly identifying issues that presented threat, harm, risk and vulnerability. It was also used to help identify opportunities for investigation, community engagement and crime prevention. The applicability of THRIVE as a methodology to help police services prioritise activity based on a victim or community’s vulnerability has been the driver of its wide-scale adoption by UK police, who have now embedded the model outside of control rooms and into all areas of policing, making it one of UK policing’s most contemporary underpinning sets of principles (Walley & Adams, 2019).

The earliest decision-making model in the UK was the Discretionary Decision-Making Model (DDMM), which attempted to structure police discretion but lacked clear values. This shed light on the challenges in the structure, flexibility and ethics. In turn, the DDMM evolved into the NDM, providing a holistic approach to police decisions, used for various situations and processes. The College of Policing (CoP) has long recognised the importance of effective decision making and previously implemented the national decision model (NDM) in 2013 (College of Policing, 2013). The model includes six elements, ethics, information gathering, risk assessment, legal and policy considerations, option evaluation, action planning and outcome review (College of Policing, 2021). The NDM provides those responsible for decision making within the police with a structured process to underpin assessments (Halford, 2023). The intention is to help those making such decisions reduce the risk of mistakes. Using the NDM decision makers are advised to gather sufficient information and intelligence regarding the threat or risk. Once obtained, they then make their assessment of the risk and threat of harm and develop a suitable intervention by considering all available legal powers and policies regarding the options available to them. Finally, the decision maker then acts before reviewing the response, and if required, adapts it accordingly.

This study identifies that the area of intelligence working is one where THRIVE has been introduced. This is an important development as police intelligence forms the bedrock of decision making, particularly as it helps drive the framework of the National Intelligence Model (NIM), where key decisions are made on the tasking and coordination of police resources. Therefore, if the introduction of THRIVE has caused significant problems in the application of the NIM, or if staff do not fully embrace the principles it is based upon, then the foundation upon which the NIM is built may be negatively affected. This potentially increases the risk of harm to individuals and communities as the police may fail to intervene in areas of heightened risk or vulnerability.

To understand these issues this study seeks to explore how, and to what degree the principles of THRIVE have been embedded within intelligence work within a single police intelligence structure and ascertain if this has affected the application of the NIM. To achieve this aim, we conducted semi-structured interviews with intelligence practitioners to gather their views and experiences of this development. We then discuss the findings in the context of the uptake of the THRIVE philosophy, its impact on the NIM and what the changes mean for intelligence practitioners, particularly analysts.

Background

Introducing thrive

Despite its rapid uptake within police service in England and Wales, a search using Google Scholar and Web of Science identified only a single piece of non-peer reviewed empirical research on the application of the THRIVE model (Walley & Adams, 2019). In contrast, a web search using ‘THRIVE Police UK’ identified a long list of police services who outline on their websites that they have adopted the framework.

The College of Policing have extended the principles of the original ‘THRIVE’ (Threat, Harm, Risk, Investigation, Vulnerability and Engagement) concept. The decision to do so appears rooted in the belief that conventional checklists and risk assessment tools may no longer be sufficient for police decision-making. This rationale is grounded in findings of a review that highlighted the lack of empirical evidence regarding the effectiveness of many traditional checklists and tools designed to aid police decision making such as the domestic abuse risk assessment (DASH) and the present missing persons tool (Sidebottom, Tilley, & Eck, 2012). In the place of such aids, THRIVE emphasises the fact that both incidents and individuals often exhibit multiple vulnerabilities, making it unlikely for a single tool to adequately assess such complex issues. This, however, does not imply that checklists and tools are entirely without merit. Instead, the THRIVE model is seen as a valuable alternative, one that can guide users’ professional judgement through comprehending the nature and source of risks, while also facilitating consideration of the necessary support and protection required to prevent exploitation of vulnerable groups and individuals. Furthermore, THRIVE acts as a checklist of key considerations that the assessing officer can consider. In turn, this will then enable the gathering of sufficient information to better assess the incident and identify what level and nature of responses. Similarly, analysts, investigators and decision-makers use the tool in the same way. To illustrate, analysts use it to help make better assessments of risk. Leaders, however, will use it to inform resource capacity and capability decisions.

In their guidance on the subject the CoP outlined a four-step response that police services must take to embed THRIVE in police organisations. First, they must be able to identify an incident, group or individual’s vulnerability or vulnerabilities; second, they must understand how these interact with the situation to create harm or risk of harm; third, they must assess the level of harm or risk of harm; fourth, they must take appropriate and proportionate action if required to mitigate (College of Policing, 2021).

To support this study, we use the framework provided by THRIVE, ‘Threat, Harm, Risk, Investigation, Vulnerability and Engagement’ (NPCC, 2017). Threat is defined as ‘a person or thing likely to cause danger or damage’ (NPCC, 2017, p. 102). In respect of harm, the NPCC has stated that this means ‘if the threat is carried out, or the circumstance of the incident deteriorates, what is the likely level of harm caused’ (NPCC, 2017, p. 102). The CoP key definitions authorised professional practice (APP) guidance (College of Policing, 2014) goes further and uses a definition from the Children’s Act of 1989, section 31(9) and (10) (as amended), which defines harm as ‘ill-treatment or the impairment of health or development including, for example, impairment suffered from seeing or hearing the ill-treatment of another’. Furthermore, the APP defines ‘development’ as being ‘physical, intellectual, emotional, social or behavioral’, and ‘health’ as being ‘physical or mental health’, and ‘ill-treatment’ as ‘including sexual abuse and forms of ill-treatment which are not physical’ (College of Policing, 2014).

There is presently no formal definition of risk provided by the CoP. However, the NPCC have outlined it as ‘the possibility of something occurring … the likelihood that the threat or harm will occur’ (NPCC, 2017, p. 102). Investigation is simply the ‘Need for an investigation, and if so, in what form’ (NPCC, 2017, p. 102). Vulnerability is defined by the CoP who state that ‘a person is vulnerable if, as a result of their situation or circumstances, they are unable to take care of or protect themselves or others from harm or exploitation’ (College of Policing, 2021). Finally, engagement is defined by the NPCC who describe it as the ‘decision on how the incident is graded’ (NPCC, 2017, p. 102).

Existing decision analysis models

The principle of analysing information in a structured process is not innovative. The intelligence -led policing (ILP) model (Ratcliffe, 2003) has been widely adopted for several decades. The ILP model involves several similar stages to those described by the CoP within THRIVE. First, intelligence is obtained by the police and then is examined by analysts to interpret what is occurring within the criminal environment (Ratcliffe, 2003). Next, the products generated are used to drive decision-making regarding available interventions. Finally, police leaders use the products as aids to underpin the tasking and coordination of resources and their respective specialist skills (Ratcliffe, 2003). In the UK, this process of ILP is now commonly known as the 3i approach (interpret, influence, and impact) (Ratcliffe, 2008).

Such models aim to produce a mental map that can be used to aid the processing of intelligence and information, and ultimately decision making (Gill, 2010). THRIVE appears no different in this regard and serves to underpin decision making that drives interventions.

Prioritisation tools

Despite the implementation of these models and decision-making aides into policing and intelligence analysis particularly, the prioritisation of threat, harm and risk is often inconsistent. Specifically, it has been suggested that decision-making aides like THRIVE retain inherent flaws. For example, one interviewee in a 2019 study highlighted ‘There are various issues with THRIVE, it is very subjective, I would think that if you were to test it that the subjectivity would result in inconsistency. You would also probably find that it isn’t uniformly applied internally and externally … ’ (Walley & Adams, 2019, p. 25). Such views led to further tools being created to help support intelligence analysis, such as the ‘Management of Risk in Law Enforcement’ (MoRiLE) (Home Office, 2018) and the ‘Organized Crime Group Mapping’ (OCGM) framework. Both being developed to try and improve consistency in the analysis of intelligence. MoRiLE has been described as a harm-focused methodology that uses thematic descriptors, such as crime type, to classify the threat and risk posed by an issue or group (Mulholland & Cole, 2021). The OCGM is an attribute-focused method which incorporates factors concerned with an entity (i.e. an organised crime group), such as their intentions and capability (Mulholland & Cole, 2021). Despite their differences in methodology, both produce ‘a moderate level of agreement … in terms of their assessment of risk, harm and threat’ (Mulholland & Cole, 2021, p. 17).

Application of decision analysis tools

The distinctions between these analysis and decision models (ILP, NDM, THRIVE) are subtle and evolutionary, as is the link to tools such as MoRiLE and OCGM. This relationship can be best described as symbiotic, and linear. For example, ILP, NDM, and THRIVE policing tools, provide heuristic frameworks to assess the nature of the threat posed, levels of harm if realised, and the risk of such realisation, considering the vulnerability present. They then provide a thought process for assessing capacity and capabilities required to conduct an intervention. Tools such as MoRiLE and OCGM are a means of organising, and specifically prioritising these processes to identify those that require immediate attention and seek to mitigate against inconsistency where possible. In principle, assessment of the same information using these methods should be replicable and achieve the same results. Such assessment processes may occur in real time, or at a slower pace. They may be subjected to individual decision making, or organisational governance and oversight. Both are dependent on the nature, urgency, and timeliness of response. In theory, all issues except the most pressing or easily remedied, should be managed through a structured governance response that has not changed dramatically since its introduction, and is provided by the NIM.

The national intelligence model

The NIM emerged in the 1990s, followed by formal guidance in 2005 (National Centre for Policing Excellence, 2005). The NIM draws heavily on the principles of ILP and advocates the gathering, analysis and use of information and intelligence (National Centre for Policing Excellence, 2005). The NIM specifies that this should be conducted at 3 distinct operating levels. Level 1 should be focused on local events, level 2 regional and level 3 national and international (National Centre for Policing Excellence, 2005). In doing so, the NIM encourages police forces to use information and intelligence to set priorities at strategic and tactical levels, producing products such as reports on crime hot spots and prolific offenders, and generating plans to address these through proactive means (National Centre for Policing Excellence, 2005). Delivery of the NIM is through a set of governance and oversight meetings that occur at various frequencies, ranging from daily or weekly tasking and coordinating meetings, to monthly and quarterly reviews of strategic threats.

Research on the implementation of analysis models and tools

Since the emergence of the analysis and decision-making models after the introduction of Intelligence-led Policing and following the integration into the National Intelligence Model, there has been a variety of studies on their usefulness and applicability, especially surrounding problem-solving approaches within policing. Kirby and McPherson (2004) highlighted that the ILP model ‘defines a process for setting priorities and a framework in which problem solving can be applied’ (p. 36). The credibility of ILP has been repeatedly demonstrated in areas that relate to THRIVE, such as risk analysis (Katz, Webb, & Schaefer, 2000; Maguire & John, 2006; Sanders, Weston, & Schott, 2015), its usefulness as a method of prioritsation (Sanders et al., 2015), resource allocation (Ratcliffe & Guidetti, 2008; Sanders et al., 2015; Sheptycki, 2017; Walsh, 2007) and decision making. It has also demonstrated considerable value in supporting criminal investigations and crime prevention and reduction strategies (Carter & Fox, 2019; Cope, 2004; Maguire & John, 2006; Ratcliffe, 2003; Sheptycki, 2004).

The effectiveness of the NIM has also been highlighted by scholars (John & Maguire, 2003; Maguire & John, 2006) and analysts working within the intelligence sphere (see Kirby & McPherson, 2004), where the NIM has been used effectively to facilitate similar changes in policing philosophy, such as the move to problem orientated policing where it gained prominence in the late 1990s (Kirby & McPherson, 2004). In particular, the analysis of information gathered using the SARA model (Scanning, Analysis, Research and Assessment) has been effectively applied to underpin functions of the NIM, such as the Tactical and Strategic Assessments, and governance forums such as the Tasking and Coordinating Group (TCG) (Kirby & McPherson, 2004).

Despite evidence of successful amalgamation of new philosophies such as ILP and the SARA model into the NIM, such implementation was not without complications. For instance, John and Maguire (2003, p. 39) reported that amongst practitioners there was early misunderstanding regarding how the models were to be integrated (John & Maguire, 2003, p. 39). This led others to indicate that there was ‘considerable confusion as to how problem-oriented approaches (such as SARA) integrated with the national intelligence model’ (Kirby & McPherson, 2004, p. 1). More recent publications have pointed to problems in integration of ILP into the NIM (James, 2012, 2017). Specifically, James has pointed out that it is the people doing the work that was the key factor as to whether integration was achieved (James, 2017, p. 14), outlining that ‘failure depended not on the ILP technologies, organizational structures, or processes that routinely receive so much attention, but on people. In this context, the people assigned to collect the intelligence and to carry out intelligence-directed tasks’ (James, 2017, p. 14). This is because beyond control rooms, intelligence departments are often amongst the first to encounter information or intelligence in its written form, so how they analyse and interpret it is vital.

In the UK, the practice for considering, implementing, and evaluating new policies, practices and ways of working is inconsistent. Individual services have considerable autonomy to adapt and implement policy and practice changes, provided they remain aligned with national best practice and guidance supplied by the CoP, NPCC and central government. However, such best practice and guidance is rarely evaluated comprehensively, and as a result, the impact or effectiveness of new changes introduced is rarely understood in detail. The implementation of THRIVE is one such example. Despite the significant changes outlined regarding how the police interpret, influence, and generate impact based on information and intelligence, over the past decade there has been little research that has sought to understand how this may have affected the functioning of police intelligence work. As such, this study aims to refresh this area by examining how police practitioners within intelligence departments are using THRIVE to aid their present practice within the context of the NIM. Particularly focusing on how intelligence practitioners facilitate intelligence analysis and how judgements are made, and if this has affected application of the NIM framework.

This area of study is important as THRIVE has been employed by police services in England and Wales, and wider policing, as the principles upon which many assessments and police decisions are made. As a result, the tasking and co-ordination of police resources to tackle identified problems may be driven by THRIVE-based assessments, which are predominately underpinned by the analysis and interpretation of police intelligence. If this is not done correctly or does not fully embrace the principles it is based upon, then the foundation upon which this new system is based may be negatively impacted, creating a knock-on effect to the effectiveness of the NIM. To illustrate, the risk of harm to individuals and communities as the police may fail to identify the areas of heightened risk or vulnerability, failing to provide the correct interventions which in turn, will increase the chances of harm occurring.

Aims of the study

The primary aim of this study is therefore to ascertain how THRIVE, a model that considers the vulnerability, is in fact being used to facilitate intelligence. Furthermore, and to what degree the principles of the THRIVE decision-making model are embedded within intelligence work within the police, and if this has affected the application of the NIM.

To achieve this aim, we pursued several research methods which included a series of semi-structured interviews of intelligence practitioners, and data analysis of the findings. Freedom of Information Requests were also disseminated to UK police services to ascertain the breadth of the use of THRIVE within policing and specifically, intelligence.

Research framework

To help us understand if the introduction of THRIVE has altered the practice followed by the participants in their daily activity we use the NIM as our framework for comparison, and in particular we consider the intelligence products generated and the tasking and co-ordination groups for which they provide support.

Using THRIVE and the NIM as our framework for this study enables us to do two things. Firstly, it provides accepted language to assess knowledge and awareness. Secondly, it allows us to interpret how THRIVE may have influenced the work conducted by intelligence practitioners. Comparison with the NIM helps us retain consistency by enabling us to compare how THRIVE may have affected the way in which business is conducted as it relates to key components of the NIM, whilst also allowing us to assess the context of our findings against previous studies on this matter.

Method and data

Qualitative interviews

Despite the use and application of THRIVE being the most prominent in the Contact Management/ Control Room setting, that has been heavily examine previously (NPCC, 2017, pp. 42–47; Walley & Adams, 2019), we felt the study would provide greater value by exploring the application of THRIVE, in a previously unresearched area of policing specifically focusing on the operation of intelligence.

To facilitate this, we first obtained ethics approval and once approved, we liaised with one UK police service. In total we completed 15 interviews. Access to staff for the interviews was coordinated through a single ‘gate keeper’ who identified participants based upon our criteria – that they worked within operational intelligence and routinely assessed incoming intelligence and information. Once identified we provided each with a briefing document that outlined the nature and purpose of the study, including a voluntary declaration outlining their right to withdraw from the research at any time.

Study participants were drawn from various roles and ranks that ensured a broad base of strategic, operational, and tactical practitioners. A list of these can be seen in Table 1. All participants were working within the force intelligence structure, which includes the headquarters-based intelligence hub, divisional intelligence offices, or the dedicated source unit (DSU), which is the department that identifies, recruits, manages and gathers intelligence from covert human intelligence sources (CHIS). At the time of the study, we were advised that the service had approximately 110 officers and staff working in such roles. At the time the study was conducted the volume of participants was restricted due to the coronavirus pandemic, however, 15 interviews are roughly a 16.5% representation of interviews conducted, which is a notable number given that police research papers often have quite a small number of participants.

Table 1. Summary of interviewee profiles.

Operating Level	Rank	Interview Identifier
Strategic	Assistant Chief Constable	003-M-ACC
	Superintendent	015-M-SO
	Superintendent	013-M-SO
	Chief Inspector	011-M-SO-PM
Operational	Inspector	002-M-DI-SO-FIB
	Sergeant	006-M-DS-IO
	Sergeant	009-M-DS-IO
	Sergeant	012-F-PS-IO
	Constable	014-F-PC-IO
	Constable	008-M-PC-IO
Tactical	Analyst	001-M-PA
	Analyst	004-F-A
	Analyst	005-M-A
	Analyst	007-M-A
	Analyst	010-F-A

Interviews were then conducted on police premises and lasted an average of 45 min. All were recorded using a recorder which enabled easy, subsequent verbatim transcription. The analysis of interviews adhered to a six-phase framework for conducting thematic analysis as outlined by Braun and Clarke (2006). Initially, step 1 included becoming familiar with the data, step 2 was the generation of initial codes being completed manually, aligning content with predefined themes surrounding the area of study ad that was substantive to answering the research questions. Nvivo qualitative data analysis software was used in Step 3 to search for and identify additional emerging themes. The results were then exported to Microsoft Excel, where each theme was listed vertically, with 15 columns horizontally allocated for each participant. Relevant qualitative data was inputted into these columns to facilitate steps 4 and 5, involving the review and definition of themes. A manual review of each transcript was further conducted to ensure no themes were overlooked. In case new themes did surface, additional columns were added to the data sheet. For the final step, step 6, in the write-up phase, content from each row was transferred into a draft report for further editing.

Freedom of information requests

To help direct our efforts into the appropriate area of policing following the findings elicited from the interviews, we began the study by utilising Freedom of Information (FOI)¹ requests to identify areas where THRIVE is utilised. Despite historical neglect as a source of data for use in social science, FOI requests have become a commonly tapped resource for researchers (see Walby & Luscombe, 2018). Walby and Luscombe (2018) outline the extensive body of research that has harnessed this approach, with a significant presence in policing and security studies. Walby and Lasen (2011) contend that the method of using FOI requests proves especially useful when scrutinising government bodies, such as law enforcement agencies, in the context of ongoing, contemporary, or action-oriented matters (Walby & Larsen, 2011). Several benefits can be attributed to the adoption of this methodology.

FOI requests can play a role in democratising access to data, particularly that which remains unpublished in policing, as evidenced by Savage and Hyde (2014). Second, FOI requests can prove to be an effective method for initiating the analysis and assembly of data that might not be achieved through conventional means (see Savage & Hyde, 2014). This is beneficial to researchers, as the sheer volume, format and data refinement processes might be beyond the capacity of individual requestors. Consequently, the FOI process empowers single researchers or small research groups to obtain data that would have previously required prolonged consultation and a sizable research team for compilation and analysis. Furthermore, FOI requests also enable the presentation of specific questions, rather than waiting for routine and often summarised data releases from public bodies, as demonstrated by Savage and Hyde (2014). This proves advantageous to researchers as it allows them to access the fundamental data that supports public data releases.

One of the limitations of FOI methodology, however, lies in the scope and availability of data, which may at times offer insufficient information for meaningful analysis (Tracy 2010). Furthermore, the assembly and analysis process, if too time-consuming or resource-intensive, could lead to rejection by the relevant public body (see Savage and Hyde, 2014). Additionally, there are exemptions that public bodies can invoke, particularly when the request might potentially undermine legal proceedings, such as a court case, or raise concerns related to national security (Savage & Hyde, 2014). Consequently, striking a delicate balance becomes essential when formulating research questions using the FOI methodology. In applying this particular methodology, it has been suggested that researchers should assess the worth of the obtained data in terms of its rigor, credibility, relevance to the topic, and its contribution to the field, following Tracys’ insights from 2010. In a broader context, it is imperative for researchers to ensure that the collected data is valid, credible, and reliable, in turn, we believe that all these prerequisites have been met in our study, and the subsequent section will delineate how we have achieved this.

Regarding the FOI methodology for this study, we reached out to every police service in England and Wales to solicit data. To acquire the necessary information, we sent email inquiries to all police services in England and Wales, asking them to furnish responses to queries concerning the application of the THRIVE model. A copy of this is included in the appendix. Table 2 outlines the responses. Out of a total of the 43 police services contacted, 33 (77%) responded. However, only a limited number of these services provided all the requested data, with the majority supplying only partial responses. In certain cases, information was withheld due to the high cost or time required to fulfil the FOI request. The percentile reporting in Table 2 illustrates the use of the THRIVE model and demonstrates its application in more than one department, which was reported by multiple police services.

Table 2. Descriptive statistics of FOI responses.

Departments Using THRIVE	Number (%)
Contact Management / Control Room	19 (57%)
Intelligence Units	9 (27%)
Operational Departments	7 (21%)
999 Responders	5 (15%)
Resolutions Teams	3 (9%)
Training Units	3 (9%)
Public Protection	1 (3%)

Analysis of the findings from the FOI responses identified the specific departments where the THRIVE model was being implemented, with the Contact Management/Control Rooms, Intelligence Units and operational policing departments being the most cited.

We also identified that some police services have added additional components to the THRIVE model. Specifically, one service appended the acronym with an ‘A’ resulting in the new term THRIVEA. This addition, which stands for ‘Agency’, prompts the question whether the police service is the most appropriate agency to deal with the incoming call or contact for service. The inclusion of ‘A’ is designed to spark a critical query as to whether the police represent the most suitable agency to handle the given call or service contact. This aspect of the THRIVE model assumes significant as, akin to the NDM and various other intelligence-led policing (ILP) tools, it encourages introspection within the service itself.

Results

Our analysis of FOIs identified that THRIVE has been implemented as a key component in police services, particularly in order to analyse and assess incoming information and intelligence. Much like other intelligence-led policing approaches, THRIVE offers a structured framework for law enforcement personnel to conduct in-depth analyses of available information, pinpointing risks, threats, harm and vulnerabilities, and the overall data collected from our interviews supports the conclusion that THRIVE is deeply intertwined with ILP and the NIM framework of intelligence operations.

Threat analysis

In respect of threat analysis under the THRIVE tool, we identified that intelligence analysts collate information that is later used to identify threats in several ways that are consistent with methodologies outlined within ILP and the NIM:

So, I would start with a bit of scope- so that’s more like a strict sort of, along the lines of strategic assessment really, gathering data intelligence from various sources and to identify our threats at that stage. (010-F-ANALYST)

I have just started doing like a comparative case analysis, just looking for some sort of common themes to pick out with the key threats and identify longer term issues that are there and that we could focus our resources on. (010-F-ANALYST)

We identified that the assessment and prioritisation of intelligence using the THRIVE principles was conducted within a range of weekly, or bi-weekly governance and oversight meetings that was broadly in line with the NIM:

We have a series of meetings that have a governance structure and in theory, there is a flow of information between those meetings- you have a performance structure and a threat structure. (011-M-CHIEF INSPECTOR)

We have a bi-weekly tactical process to try and understand what our threats are and from an international perspective as to what is happening globally. (015-M-SUPERINTENDENT)

DCI (Detective Chief Inspector) will head up a document, then the CC or ACC will then chair the meeting. They will then decide what we are going to focus on. (009-M-DETECTIVE SERGEANT)

Each local police scenario has a commander, and they work with the DI to look at the crime, the public’s expectations or needs in that area and that’s fed back into a weekly threat meeting. (002-M-DETECTIVE INSPECTOR)

The tactical threat and coordination group is chaired by the ACC; analysts can be tasked to that process. (002-M-DETECTIVE INSPECTOR)

The ACC chairs the meetings, he will decide based on the information that we have provided, what areas are what we are going to be called threats. He will assign resources to those areas. (010-F-ANALYST)

Fortnightly assessment clearly identifies what the highest threats are in the covert arena. (015-M-SUPERINTENDENT)

One intelligence manager indicated that the focus of the meetings was to provide managers with a decision-making forum:

Make a lot of decisions, particularly the force level when it comes to identifying threats because that insight is required to make those decisions, which are completely driven by research and analysis of what’s currently going on. (002-M-DTECTIVE INSPECTOR)

In addition, it was outlined how the meetings provided them with an awareness of the criminal environment to support the tasking and coordination of additional assets, such as resource capacity, or specialist capabilities:

Truer understanding of what’s actually going on and what threats are posed and exist for our communities. Really, it tells the cops which way to drive when they leave the station. (002-M-DETECTIVE INSPECTOR)

It steers our patrol activity and our overt responses to mitigate such threats. (002-M-DETECTIVE INSPECTOR)

We use it (governance meetings) to manage investigations with covert tactics into drug dealers or SOC. (006-M-DETECTIVE SERGEANT)

With a greater picture we can understand the threat and therefore can put the right tactics to that threat to get the best outcome to reduce the threat. (003-M-ASSISTANT CHIEF CONSTABLE)

People end up with a more holistic assessment around the broader threat and risk around what resources, what's going to be prioritized then make their decision. (003-M-ASSISTANT CHIEF CONSTBALE)

For us we will look at the intelligence and make assessments in terms of where to best put the resources. (006-M-DETECTIVE SERGEANT)

One senior officer described how the tasking and coordination was not focused solely within the police service, but also included statutory partner agencies:

So, I try and pull partners, internal and external, and to try and meet the objectives of that plan and then deal with threat assessments, and putting together disruption against serious organized crime, whether it be OCGs or other identified serious organized crime trends. (002-M-DETECTIVE INSPECTOR)

Despite the evidently well-coordinated structure for assessing threats using the NIM framework within the intelligence arena, many participants interviewed outlined issues that they encountered. The first and most significant one related to the coverage they can attain with the given resources. As this is finite, participants outlined that this hindered their ability to have a full overview of existing threats within the criminal environment for which they had responsibility:

If you have not got coverage of your threat areas then you are effectively not going to understand the threats that exist. (002-M-DETECTIVE INSPECTOR)

We are always having to make decisions with 80% of 65% of the information we know. But we are having to take action because there is a threat or risk. (003-M-ASSISTANT CHIEF CONSTABLE)

From feedback from officers, observations by senior officers in meetings, threat meetings that take place, there is a bit of a disconnect at the local level and that’s why we’ve introduced local intelligence officers that are responsible for plugging that gap and providing that (intelligence) stream. (002-M-DETECTIVE INSPECTOR)

An additional issue was the frequency of the governance and oversight meetings that facilitated the assessment and prioritisation of threats. Concern was expressed that new threats emerged rapidly, but in contrast, governance was often only provided at set intervals:

We have the two-week tasking process where I set what the priorities are for the force over the next two weeks- this can change on a daily basis if there is intelligence that tells us there is greater threat. (003-M-ASSISTANT CHIEF CONSTABLE)

One specific example of periodic oversight that was highlighted by an intelligence manager was the conduct of national weeks of action (NPCC, 2019). Such periods of intensified action include heightened volumes of warrants, increased pro-active policing efforts, and often campaigns to arrest wanted offenders. Such national weeks of action are often driven and coordinated by the National Crime Agency (NCA), but it was suggested that the idea of periods of focused attention on a threat issue, such as exploitation, is not effective, given the rapidity and repetition of threats emerging:

We deal with the threat risk and harm based on the intelligence strategies on a daily basis, rather than having two weeks a year where the national (NCA) say we have to undertake activity. (015-M-SUPERINTENDENT)

This officer elaborated further and suggested that the national weeks of action may even drive some unwanted performance behaviours:

I know some forces do that because they don’t want to be seen at the bottom of the table, but it undermines the daily response to threat risk and harm intelligence strategies. (015-M-SUPERINTENDENT)

Ensuring a proportionate response to identified threats was also hi-lighted, especially those that originate from a single source of intelligence.

Making sure we are proportionate in terms of what we action, and making sure that we are not just acting on a single source of intelligence. (003-M-ASSISTANT CHIEF CONSTABLE)

Another key issue of note outlined was the methods of threat management and the differences between geographic areas, including across police services.

There are different mechanisms between services for understanding and identifying intelligence that is run on a threat matrix. (015-M-SUPERINTENDENT)

As we outlined in our review section, as police services use a variety of methods to assess threats, they sometimes emerge with distinct views on the assessment of those threats, or ownership of their management and mitigation, with some going as far as to suggest that bureaucracy sometimes hinders whether action is taken or not:

Where we have become aware of intelligence, we have got the intelligence coverage and that force refuses to accept any of that threat despite all of the subjects for that intelligence residing in that force area. (002-M-DETECTIVE INSPECTOR)

For me, I think we are all striving for the same thing. I think we’ve forgotten we are the good guys and we put bureaucracy policy, national agendas, international agendas, in the way of trying to harm the bad guys by taking their money or power. (015-M-SUPERINTENDENT)

Understanding harm and risk

In our literature review we also outlined the distinctions between the concepts of threat, harm, and risk. In doing so, we established that not all threats present a legitimate risk of harm, and as such, may not require mitigation or intervention. When we explored how intelligence practitioners make this judgement we identified that like the understanding of threat, it was difficult for participants to articulate their interpretation of risk and harm:

Whilst doing these searches I am trying to identify if we have a series or any patterns, or a specific crime group that is causing us some harm, and whether we need to put some resources around that and/or maybe develop intelligence or we might have an intel case about something. (010-F-ANALYST)

My daily functions are to review any of these reports and what the threat is, or have they got links to organized crime, anything to do with vulnerability. (009-M-DESTIVE SERGEANT)

Beyond identifying serial crime, identifiable crime groups, or vulnerability, how risk and harm are assessed was very unclear. One senior officer offered a rationale for this:

There is still a subjective element around how you assess the risk and the other elements. (003-M-ASSISTANT CHIEF CONSTABLE)

What participants did make clear is that the process involved complex heuristic decision making, balancing the multiple components of threat, risk, and harm:

We have to balance the risks of them and exposing them but also the safeguarding of potential victims in the future. (008-M-POLCIE CONSTABLE)

We always have to make a risk-based decision. (003-M-ASSISTANT CHIEF CONSTABLE)

Another reason why participants may have struggled to articulate this aspect of the THRIVE tool appeared to be because they in part, accepted that they would never be fully informed on the level of risk, and that due to the nature of policing, it was often inappropriate for them to delay action whilst this was resolved:

You are always going to make decisions without the full picture. (003-M-ASSISTANT CHIEF CONSTABLE)

In policing, you need to react to intelligence much quicker than you might react and develop intelligence in other environments, such as the military, or in the intelligence agencies, the ability to hold risk in local policing is much more limited to that nationally. (013-M-SUPERINTENDENT)

It was further suggested that being able to reach a decision on the assessment of risk and harm required a broad understanding of strategic threats for the police service, and the communities they serve, suggesting this may form a key component of their judgements:

This requires community engagement and strong understanding of the forces risks, threats and what's going on in the community. (002-M-DETECTIVE INSPECTOR)

The assessment and defining of risk at a strategic level was outlined as a key factor that often created further tension in the management, mitigation, and transfer of identified issues between police services and agencies:

In terms of the grading risk assessments of intelligence, we have had conflicts in the past with dissemination intelligence over forces. (002-M-DETECTIVE INSPECTOR)

Different agencies have different appetite for different risks. (003-M-ASSISTANT CHIEF CONSTABLE)

We have to sit down with senior officers, probably at the ROCU (regional organized crime unit), or maybe higher, to discuss what that looks like and at what point should risk ownership transfer. (002-M-DETECTIVE INSPECTOR)

Investigative contribution

A key part of THRIVE is also the conduct of interventions, particularly investigative. As such, as part of this study, we also wanted to understand how intelligence practitioners continued their contribution to investigations once a threat or risk had been identified. Many of those interviewed indicated that their involvement continued beyond the simple identification of the issues in hand:

I would keep police officer colleagues, investigating officers and investigation teams updated on all aspects and posted of any changes. (005-M-ANALYST)

We have an investigation team within the intelligence bureau which is called serious organized crime pursue team. So, I give them access to the intelligence we have. (008-M-POLICE CONSTABLE)

In addition to a one-way function of updating investigators, many intelligence practitioners described how their role involved the continued development of further intelligence that would enable investigators to progress their lines of enquiry, or address the issues in hand:

Between us we will develop that job and have regular meetings and I will take on what is required from the intelligence side but guided from the investigation as to what they need evidentially.(008-M-POLICE CONSTABLE)

I am often asking them to consider adding intelligence to be investigated. Often I am requesting this through the tasking process. (012-F-POLICE SERGEANT)

Part of the investigation is to see it from the intelligence perspective, can I develop it, is that new, where does that fit. (012-F-POLICE SERGEANT)

Updating and developing intelligence streams to support investigations is not the only role of intelligence practitioners when it comes to identifying threats and risks. Intelligence managers outlined how they used the identification of threats and risks to set their operational investigative objectives, their strategic capacity and capability considerations, directing resources throughout, and even supporting the development of entirely new teams and units:

For the investigation I will have several objectives I want to achieve. But my end game is the Crown Court proving that offence and getting in front of a jury. (006-M-DETECTIVE SERGEANT)

It’s key to most investigations, putting us in the right place, at the right time. (003-M-ASSISTANT CHIEF CONSTABLE)

Two years ago, I set up a new team called ‘xxxx’ that deals with proactive investigations using covert tactics as a result of intelligence, live crime, and action. (006-M-DETECTIVE SERGEANT)

Despite many positives being identified in how intelligence practitioners use their knowledge of threats and risk, investigative challenges remain. The most frequently cited issue was the problem related to sharing intelligence.

We have investigation teams that deal with our complex crimes like murders and serious offences, and there are times where we have sensitive information about that event that cannot be shared with the investigation team officially. […] we do have protocols in place where we can get it agreed where we can discuss it with this senior investigating officer. (008-M-POLICE CONSTABLE)

We have to find ways of where we can circumvent the intelligence to be able to break it out in probably less of sensitive format to assist the investigating officers. (008-M-POLICE CONSTABLE)

To conclude, our interviews identified that an overarching issue could be one of cultural acceptance, with one intelligence operations officer articulating moderate indifference to the model when asked if it was at the forefront of their minds during the decision-making stages:

I've probably got more pressing priorities. There are other models and stuff that I will use as an investigator. (006-M-DETECTIVE SERGEANT)

This indicates that although many intelligence workers use THRIVE and its principles as tools to underpin their work, it is either unconsciously or deliberately not considered their primary model. One operative indicated that it was the national decision model (NDM) that was at the forefront of their thought processing, potentially highlighting both the conflict, and interoperability of the two models:

When we consider, what do we need to do, we will work our way around the NDM and come to some conclusion. (009-M-DETECTIVE SERGEANT)

Discussion

Assessing threat, harm and risk and vulnerability

It was clear throughout the interviews that all participants demonstrated awareness of THRIVE. All showcased an ability to use the language of THRIVE openly and naturally, indicating that the philosophy appears to have been embedded into the psyche of those in the intelligence arena.

Despite its embeddedness, the nature of how the application of THRIVE was taking place was not consistent. Earlier we outlined how there are presently two main ways that intelligence is prioritised based upon its threat, harm, and risk (MoRiLE and the OCGM). These have been referred to as harm, and attribute focused methods (Mulholland & Cole, 2021). We identified that practitioners were assessing threat, harm and risk using a combination of both methods throughout the various THRIVE stages. For example, some described basing their assessment of threat upon crime type, particularly those that presented a ‘threat to life’, which is a harm focused approach. Others indicated that when assessing harm and risk, they used attributes of offenders, such as their alignment to organised crime groups. Only a select few provided further details regarding the indicators that they used to make their judgements, which was predominately a simple designation of a party or community as ‘vulnerable’, as defined by the CoP. Based on our overall assessment of how the THRIVE philosophy has embedded into the psyche of those in the intelligence arena it would be too critical to indicate this lack of descriptive detail is due to low awareness. Instead, we suggest this is more likely to demonstrate the complex heuristic balancing act that many referred to.

Klein outlines heuristic decision making as ‘intuition based on large numbers of patterns gained through experience, resulting in different forms of tacit knowledge’ (Klein, 2015, p. 1). There is a number of studies on such heuristic pattern-matching processes used by police officers when assessing anything from where they choose to patrol (Mitchell, 1972), the risk of burglary at certain premises (Garcia-Retamero & Dhami, 2009), the likely home of serial offenders (Bennell, Snook, Taylor, Corey, & Keyton, 2007), the occurrence of police shootings (Kleider-Offutt, Clevinger, & Bond, 2016) and the wider use of deadly force (Taylor, 2020). As such, it is quite plausible that police intelligence workers are using experiential heuristics to identify a threat, harm and risk or when assessing vulnerability.

In respect of problems encountered, the ongoing issue of a lack of intelligence persists. Multiple intelligence practitioners outlined how a lack of coverage in terms of incoming information from local police officers and intelligence from the public meant that they were frequently concerned they did not have a full intelligence picture of the threats, harm, and risk in their area. This is not a new issue within intelligence work, and we do not believe this is because of the emergence of THRIVE, or its integration into intelligence working, but is likely to have an impact on the overall effectiveness of the application of the NIM.

Impact of THRIVE on the national intelligence model

A clear finding from our study is that the main structure and delivery of components of the NIM appear unaffected by the move towards THRIVE. It was clear that interviewees were aware of, and actively participate as contributors, participants, or leaders of a range of tactical, operational, and strategic coordination groups set out in the NIM. Frontline intelligence analysts all referenced how their products, produced by considering THRIVE, continue to drive strategic assessments that are used by the service. In addition to its general acceptance, it was evidently clear that the analysis and products presented using THRIVE were actively used within these forums for their intended purpose, which both THRIVE and the NIM advocate is decision making regarding the ‘Need for an investigation, and if so, in what form’ (National Police Chiefs’ Council, 2017, p. 102).

These findings contrast with previous philosophies such as ILP and SARA, which both experienced reported implementation problems (James, 2012, 2017; John & Maguire, 2003; Kirby & McPherson, 2004). We suggest the integration of THRIVE appears to have been less problematic because it does not present a new way of working, as ILP or SARA did. Instead, it is evolutionary, and builds upon them, complimenting the existing and well-known NDM by providing a simple pneumonic to aid analysis and decision making. In addition, apart from vulnerability, each element of THRIVE represents key considerations for police officers that have not changed for several decades and does this in readily accepted and well-known terminology. We suggest therefore, that THRIVE may have aided in advancing the intelligence sphere and can effectively serve as an ILP strategy to help facilitate improved intelligence analysis.

Impact of THRIVE on the role of analysts

One possible problematic area we did identify was that because of the emergence and use of THRIVE, front line intelligence workers, such as police analysts, perceive that they are no longer required to make detailed assessments or recommendations. For instance, there were numerous statements provided by the analysts interviewed that indicate their role had become one of information retrieval and presentation, as opposed to true analysis. Previous research on this subject (Keay & Kirby, 2018) highlighted similar concerns were raised after the introduction of the NIM, suggesting the role of analysts would be undermined by the model. Some studies even highlighted the shift away from traditional intelligence analysis traits, such as the use of critical thinking and knowledge of criminal behaviour and crime indicators (International Association of Law Enforcement Intelligence Analysts, 2012; International Associate of Crime Analysts, 2018; Westell, 2010), to ones focused on computer literacy and managing databases provided by ‘off the shelf’ software (Evans & Kebbell, 2012; O’Shea & Nicholls, 2003). This led to some to suggest that ‘law enforcement analysts no longer need to fulfil the function of technical experts’ (Evans & Kebbell, 2012). In place of these traditional skills, new ones, such as interpersonal skills, particularly the ability to communicate and present information orally and provide briefings and presentations, have become dominant (Weston, Bennett-Moses, & Sanders, 2020).

Our findings support this, and we suggest that THRIVE, alongside prioritisation tools such as MoRiLE and OCGM, has reduced some analyst roles to one of collation, data entry, dissemination, and presentation. This is the result of a reduced need to interpret information to identify threats, which the harm, vulnerability, and attribute focus of THRIVE and associated prioritisation methods largely now automates. This results in only a few dominant scenarios existing within which analysts operate to support the NIM process.

First is the immediate threat to life cases, or incidents so serious to be easily identifiable as outliers in respect of their threat, harm, and risk, such as kidnapping, homicide or terrorism for example. In these scenarios the threat, harm and risk are self-evident and as such, the analysts role becomes one of disseminating intelligence within an investigation, or passively responding to requests for information from more senior officers. This is predominately the supply of attribute-based information (Mulholland & Cole, 2021). Second, is the collation and presentation of information based on a limited view of threat, harm, and risk, informed predominately by crime type, presence of serial offending or alignment to organised crime. This function is primarily a harm focused methodology (Mulholland & Cole, 2021) that is used to supply the many decision-making forums identified by the participants.

This effect appears to result in a greater distinction in the hierarchy of decision-making responsibility emerging within the intelligence departments we examined. As one senior officer outlined ‘all they do is present to the decision maker what their findings are’ (003-M-ACC). As the police is a hierarchical organisation with a clear rank structure, this may be expected, especially given the layered governance structure that the NIM advocates. Although this may be the ‘nature of the beast’, it potentially reduces critical thinking opportunities available to frontline intelligence practitioners, especially analysts, who have a long history of using their skills and experience to help devise investigative recommendations and evidence-based crime prevention intervention solutions for decision makers, thereby potentially failing to maximise the potential of such a significant asset.

Limitations and further research

This study has several limitations. First, it has only been conducted within a single police service in the UK. Although we conducted FOIs to confirm the use of THRIVE within intelligence, and interviewed a reasonable number of respondents, we cannot say the findings represent all police intelligence workers. To achieve this, further research would be required that interviewed more participants, and across several agencies and partners that use the THRIVE methodology. In addition, we focused our study on views, perspectives, and experiences of intelligence staff only. It is important to acknowledge these are a single group of employees who use the THRIVE framework who work in intelligence units. Interviews of staff working in wider policing who use THRIVE and operate within the NIM may provide additional insights. Furthermore, it was not discovered nor was it clear whether the process that the services take is because the THRIVE model drives them in that direction, or whether they would do it anyway, either out of learned behaviour or heuristic experiential judgement.

In respect of theoretical limitations and research, we did not explore the suggestion that heuristic decision making may be being used to assess police intelligence information using THRIVE. We believe this is worthy of further study as it represents a new and interesting area within policing that can contribute to the wider literature on naturalistic decision making.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Notes

1 Freedom of Information is a request to a police service for information to anyone around the world. Upon receiving the request, written acknowledgment is provided to the applicant and a response may be expected within 20 days.

Appendix

FOI Questions to all 43 UK Police Services

Q1. Does this police service use the THRIVE model?

Q2. What thematic areas/ departments use the THRIVE model within the service?

Q3. Does this service have any frameworks for underpinning the assessments that are used for the THRIVE model?

Q4. Does this police service use the assessments to support any national functions e.g. strategic/ tactical intelligence meetings?