Risk assessments give you an overview of what your vulnerabilities are, but if you're dealing with a lone wolf as they call the perpetrator in Seattle, it's much more difficult to gain intelligence and prevent that attack through prior warning. So what you have in place has to protect you - as opposed to an organized attack where you have better probability of picking up intelligence and being able to raise your threat level and heighten your security to counteract that.
I definitely believe in risk assessments, and included in that assessment process is the question of what do you do if an incident does occur. The after-action is something that the Secret Service has always emphasized. What protocols do you have in place to deal with an emergency? For example, one of the lessons learned from this situation is to have a good, solid Secure-in-Place protocol. In other words, if you don't have a chance to evacuate before the incident occurs, then what is the appropriate thing to do after it begins to cut down your odds that you'll be negatively impacted by that situation?