When somebody like me walks into a sanctuary and starts talking about parking-lot lighting, trespass policies, and insurance exclusions, I know how it lands. You did not go into ministry to study premises liability. You were called to feed a flock, preach the Word, and love people. So let me say this at the outset, the way I would if I were sitting in your office: nothing in what follows is meant as criticism. I have family in churches just like yours. I worship every Sunday. When I walk onto a campus to assess it, I am walking in as someone who knows what is at stake , for the people in those pews, for the children in the classrooms, and for the pastor up front carrying the weight of it all.
Everything in this article, I want you to hear that way. Not as fear. As stewardship, the same stewardship you already give to your finances, your buildings, and your teaching. Safety belongs in that same sentence.
The conversation has changed
Fifteen years ago, a church board could say, “That won’t happen here,” and most insurance carriers and most courts would let it go. After November 5, 2017, when 26 people were killed at First Baptist Church in Sutherland Springs, Texas, and after December 29, 2019, when a gunman opened fire at West Freeway Church of Christ in White Settlement, Texas, before being stopped within seconds by a trained volunteer — that posture stopped working. Insurance companies adjusted their expectations. Courts adjusted theirs. The standard moved.
And I want pastors to hear this from the right place. Faith and preparation are not opposites. When the wall was being rebuilt and threats came, Nehemiah “prayed to our God and posted a guard day and night to meet this threat” (Nehemiah 4:9, NIV). Two verbs. One verse. That is the model. Wise people see danger coming and prepare; the unwise do not look. Scripture and the law come down in the same place.
Risk is not an event. It is a condition.
The biggest misunderstanding I encounter in church leadership is the idea that risk is something that happens, a Sunday, an incident, a phone call. It is not. Risk is a condition. It is the temperature of the room. It is there every time the doors are unlocked, even when nothing goes wrong. The churches that handle this well — the ones I never end up talking about in a deposition — treat risk as something they manage every day. They build simple systems. They write things down. They give somebody ownership.
In a courtroom, the case is built before the incident, in the records you keep, or fail to keep. The jury is not asked whether yours is a good church. They are asked whether a reasonable organization, knowing what your church knew or should have known, would have done something differently. That question gets answered by looking backward, at emails, at board minutes, at the assessment that was recommended in 2022 and never scheduled. Empty file cabinets are loud in a courtroom.
Security is the lock on the gate. Risk management is the whole shepherd’s job.
When most churches say “security,” they picture a camera in the parking lot, a volunteer with a radio in the back of the sanctuary, and a lock on the office door. That is good. That is the foundation. But it is not the whole job.
Risk management is the watching. And it is not only watching for the person at the door with bad intent, though that matters too. It is the child handed off to the wrong parent in children’s ministry. The volunteer in counseling who was never background-checked. The bus driver on the youth trip whose license lapsed last month. The ransomware on the giving platform. The staff member with a wrongful-termination claim. Not one of those is somebody walking in with bad intent. And every single one of them has resulted in claims against churches.
A church that only does security can still lose on a claim, because the lawsuit comes from the area it never looked at.
Where security and risk management overlap is one word: foreseeability. A real assessment tells you what is reasonably foreseeable at this campus, for this population, given this history. Once you know that, you can build security against it. Without the assessment, every dollar you spend on cameras, fencing, and guards is a shopping list with no defensible reason behind it. With the assessment, every dollar has a written rationale, and that written rationale is what holds up under cross-examination.
In Texas, the foreseeability question has a specific test. In Timberwalk Apartments, Partners, Inc. v. Cain, 972 S.W.2d 749 (Tex. 1998), the Texas Supreme Court laid out five factors a court will weigh when deciding whether prior crime made future crime foreseeable to a property owner: proximity, recency, frequency, similarity, and publicity. Other states have their own variations. The principle is the same everywhere. If you knew or had reason to know, the duty applies.
A misconception worth correcting
I hear pastors invoke the “ministerial exception” the way they would invoke a force field, as if any claim against a church gets dismissed because the church is a religious organization. That is not what the doctrine does.
The Supreme Court recognized the ministerial exception unanimously in Hosanna-Tabor Evangelical Lutheran Church and School v. EEOC, 565 U.S. 171 (2012), and broadened it in Our Lady of Guadalupe School v. Morrissey-Berru, 591 U.S. 732 (2020). Both decisions bar certain employment-discrimination claims brought by ministerial employees against their religious employers. Neither one shields a church from negligent security, negligent hiring, negligent supervision, or premises liability. When a visitor is injured on your campus because a foreseeable risk was ignored, the First Amendment is not a defense. The duty applies.
The blind spots I see most often
After years of vulnerability assessments, the same patterns surface again and again:
- Children’s ministry check-in and release. The highest-consequence area in most churches, often run by volunteers with no written procedure and no plan for reuniting families if something goes sideways.
- Parking lots, sidewalks, and the curb. According to the Faith Based Security Network’s deadly-force incident tracking — work begun in 1999 by Carl Chinn, who survived two such incidents himself — a substantial share of violent events at faith-based facilities begin outside the building, before anyone walks into the sanctuary.
- Counseling and pastoral care. One-on-one meetings, late hours, no visibility. A blind spot on the safety side and on the false-accusation defense side.
- Keys, codes, and access. Former staff, former volunteers, former contractors, former spouses of staff. Half of them still have access to your building because nobody tracks it.
- Outside renters and co-tenants. Daycares, schools, support groups, and counseling programs operating in your building bring their own risk profiles under your roof — and your liability.
- The gap between policy and operational readiness. A binder on a shelf is not a plan. A plan is something staff have walked through, in the building, more than once.
What the data actually says
Two pieces of research belong on every board’s reading list.
The first is the FBI’s 2018 study, A Study of the Pre-Attack Behaviors of Active Shooters in the United States Between 2000 and 2013 (Silver, Simons, & Craun). The researchers found that each active shooter, on average, displayed four to five concerning behaviors observable to people in close contact before the attack. Seventy-seven percent spent a week or longer planning. The average attacker carried 3.6 significant life stressors in the year prior. The signals were there. The question every time is whether anybody was looking.
The second is the Faith Based Security Network’s ongoing deadly-force incident tracking. Bias-motivated incidents are a small share of total events but the most common driver of mass-murder attacks at houses of worship. Domestic-violence spillover is the second most common attack trigger overall. These are not abstractions. They touch every kind of church, in every kind of community.
Leadership, budget, and the mission statement
When I tell a board their work is to govern risk, the most common pushback I hear is, “Jeff, we don’t have a budget for safety.” That is not true. Every church has a budget. It is just allocated somewhere else right now.
Here is the honest question. What does your mission statement say? Most church mission statements include some version of “a place where people can come and worship safely.” If safety is in the mission, the budget has to follow the mission. An unfunded safety mandate is not just bad governance. In a courtroom, it is an exhibit, proof that leadership knew, and did not act.
And here is the part most church leaders do not realize: federal money is on the table. The Department of Homeland Security’s Nonprofit Security Grant Program (NSGP) made $274.5 million available in fiscal year 2025, split evenly between the Urban Area and State allocations ($137.25 million each). A 501(c)(3) house of worship is eligible to apply. A nonprofit may submit up to three project applications, each capped at $200,000, for a maximum of $600,000 per organization, per state, per funding stream. Most churches I assess have never applied.
A scenario worth testing yourself against
Picture a church with open access, a friendly culture, deep community relationships, no formal vulnerability assessment, no incident log, and no documented decisions about security. Leadership believes the culture is enough.
Let me say this carefully: culture is real. It protects people. I am not dismissing it. But culture is what the regulars do on a good day. A real plan works the same way on a Sunday when the senior pastor is there and on a Wednesday night when he is not. It works when the regulars are in the building, and when a stranger walks in for the first time. A friendly culture is not a safety plan. Only a written, practiced plan is something you can count on.
If that church is sued, the missing assessment alone can decide the case. The plaintiff’s lawyer does not have to prove the church made the wrong call. They only have to prove the church never looked.
Three steps, in this order
If a pastor is reading this on a Tuesday morning, here is what I would ask them to do, and to do in this order.
First, commission a written vulnerability assessment from a qualified independent professional. Built to a real standard: ANSI/ASIS RA.1, ISO 31000, or FEMA’s THIRA methodology. Not a walk-through by a member. Not a checklist downloaded from the internet. The real thing.
Second, stand up a safety and security team with written roles, written authority, and documented training. Distinguish safety volunteers; medical, fire, weather, evacuation, behavioral disturbance, from security volunteers, who handle threat response. Decide in advance which roles, if any, are armed, under what policy, with what selection criteria, and with what documentation. Write all of that down. Then notify your insurance carrier. The standard armed-security exclusion is not theoretical. Churches stand up an armed team, never tell the carrier, and find out at claim time the policy does not cover what they were doing.
Third, put risk on the board’s standing agenda, fund it, and document the decisions, including the decision not to act. A documented “no” is defensible. An undocumented “no” is not. And while you are at it, apply for a Nonprofit Security Grant. Most churches never ask for that money.
A closing word, plainly said
People do not rise to the occasion. They default to their level of training. The mark of a mature program is that the question of whether the church is prepared never has to be asked. The answer is already in the files.
A few weeks ago, on April 25, an armed man sprinted past a security checkpoint outside the White House Correspondents’ Dinner at the Washington Hilton, one of the most heavily protected events of the year. If complacency can find that perimeter, it can find a soft-target church that thinks it is too small, too friendly, or too remote to draw trouble.
You can be fully welcoming and fully prepared at the same time. One is the posture; the other is the duty. Hospitality is the posture. Stewardship is the duty. Watchfulness is an act of love.
For the board on Monday: preparedness is not a departure from the mission. It is part of how the mission gets to keep going.
About the author
Jeffrey C. Kearnan is the Principal of Kearnan Consulting Group, LLC, based in the Dallas–Fort Worth area, and operates Church Security Solutions, a dedicated practice serving houses of worship. A 30-year law enforcement veteran, he provides vulnerability assessments, policy development, emergency operations planning, federal and state grant writing, and serves as a premises-liability and excessive-force expert witness.
Sources & Verified Citations
- FBI — Silver, J., Simons, A., & Craun, S. (2018). A Study of the Pre-Attack Behaviors of Active Shooters in the United States Between 2000 and 2013. U.S. Department of Justice, Federal Bureau of Investigation.
- Timberwalk Apartments, Partners, Inc. v. Cain, 972 S.W.2d 749 (Tex. 1998). Five-factor foreseeability test for premises liability against criminal acts of third parties.
- Hosanna-Tabor Evangelical Lutheran Church and School v. EEOC, 565 U.S. 171 (2012). Unanimous recognition of the ministerial exception. Does not bar negligent-security or premises-liability claims.
- Our Lady of Guadalupe School v. Morrissey-Berru, 591 U.S. 732 (2020). Expanded application of the ministerial exception. Same caveat — it does not shield premises liability.
- DHS / FEMA — Nonprofit Security Grant Program (NSGP), Fiscal Year 2025 Notice of Funding Opportunity. $274.5M total ($137.25M Urban Area / $137.25M State); $200,000 cap per project; up to three projects per organization, per state, per funding stream.
- Faith Based Security Network — Carl Chinn, Deadly Force Incident Study (1999–present).
- ANSI/ASIS RA.1 (Risk Assessment); ISO 31000 (Risk Management Guidelines); FEMA THIRA (Threat and Hazard Identification and Risk Assessment).
- Nehemiah 4:9, New International Version.
