How to Document Student Threat Assessments and Behavioral Risk Evaluations in Schools

How to Document Student Threat Assessments and Behavioral Risk Evaluations in Schools

A practical guide for school psychologists, counselors, administrators, and threat assessment team members on documenting student threat assessments and behavioral risk evaluations. Covers CSTAG documentation requirements, transient vs substantive threats, factual vs speculative writing, FERPA considerations, safety plans, law enforcement coordination, and common documentation mistakes.

When a student makes a threatening statement or engages in concerning behavior, the school's response depends not just on what happens in the hallway or the principal's office, but on what gets written down afterward. Documentation is the record of how the threat assessment team identified the level of risk, what information informed that judgment, and what steps were taken to protect everyone involved.

Poor documentation creates serious problems: it cannot defend the team's decisions in a legal challenge, it fails to capture the behavioral specifics that predict escalation, and it may inadvertently speculate about a student's mental state in ways that cause harm. Good documentation is factual, behavioral, and decision-anchored. This guide explains what that looks like in practice.

Why Threat Assessment Documentation Is Different from Other School Records

Student threat assessment sits at the intersection of school discipline, mental health, law enforcement, and education law. The documentation that comes out of a threat assessment process is not a counseling note, not a disciplinary incident report, and not a mental health evaluation. It is its own category, with its own standards and its own legal sensitivities.

Several features distinguish threat assessment documentation from other school records:

Multi-source information. A well-executed threat assessment draws on student interviews, parent interviews, teacher and peer reports, social media review, prior disciplinary records, and sometimes law enforcement intelligence. Every source needs to be documented separately, attributed clearly, and treated with appropriate skepticism until corroborated.

Decision-trail requirements. The team makes a sequence of consequential decisions: Is this threat transient or substantive? Does it involve an identified target? Is there access to means? What level of intervention is warranted? Each decision point needs to be documented, along with the reasoning, not just the outcome.

Legal exposure. Threat assessment records may be reviewed in the context of civil liability, law enforcement investigations, juvenile court proceedings, or administrative hearings. What is written becomes evidence. Vague, conclusory, or speculative documentation creates exposure; specific, behavioral, decision-anchored documentation provides protection.

FERPA complexity. Threat assessment records involve multiple students and multiple types of information, which creates layered FERPA considerations. Understanding where these records live and who can access them is not just a compliance question. It has real consequences for students.

Threat Assessment vs. Risk Assessment: Understanding the Distinction

These terms are often used interchangeably in schools, but they describe different processes.

A threat assessment is triggered by a specific threatening communication or behavior: a student makes a statement ("I'm going to hurt someone"), writes threatening content, or engages in threatening conduct. The threat assessment process evaluates whether the threat is credible and what response is warranted. It is event-driven.

A behavioral risk evaluation (sometimes called a behavioral threat assessment and management process) is broader. It may be triggered by a pattern of concerning behavior that has not yet resulted in an explicit threat: a student who is socially isolated, is fixated on a particular peer or teacher, is writing increasingly violent content, or is showing warning signs associated with targeted violence. It is pattern-driven rather than event-driven.

Both processes require documentation. But the documentation for a behavioral risk evaluation is typically more longitudinal, tracking warning signs over time, while threat assessment documentation is more concentrated around the specific incident and the team's response to it.

In practice, many schools use CSTAG (the Comprehensive School Threat Assessment Guidelines, developed by Dewey Cornell and colleagues at the University of Virginia) as the governing framework. CSTAG provides a structured decision tree that distinguishes transient from substantive threats, with documentation guidance built into the model.

What to Document During Initial Threat Reports

When a threat is first reported, the team member who receives the report needs to capture specific details immediately. Waiting until after a series of follow-up conversations to write down the initial report introduces reconstruction bias and loses information.

The initial report documentation should capture:

Who reported the threat. The name and role of the person making the report, the time and method of the report (in-person, phone, written referral), and whether the reporter was a direct witness or reporting secondhand.

The exact words or behavior. Quote the threatening language verbatim if possible. Do not paraphrase or soften. If the threat was written, preserve or attach a copy. If it was verbal, capture the words as accurately as possible, with quotation marks to indicate this is a direct quote.

Context of the statement or behavior. Where did it occur? Who was present? What was happening immediately before the threatening statement? What happened immediately after?

Identified target, if any. If the student named or gestured toward a specific person, document that exactly. "Student pointed at peer J.R. and said..." is more useful than "student made a threatening gesture."

Reporter's emotional state and demeanor at time of report. This helps the team assess the reliability of the information.

Example of an initial report note done poorly:

"Teacher reported that a student made a threatening comment in class and seemed upset. The student may have been targeting another student."

Example of the same report done well:

"At 10:14 a.m. on Tuesday, Ms. Chen (8th-grade English teacher) came directly to the counseling office and reported the following incident from her 9:30 a.m. first-period class. She stated that during independent reading time, student T.M. (Grade 8, age 14) said audibly, 'I know where Jordan lives. I could make him disappear.' Ms. Chen reported that peer Jordan R. was seated two rows away and appeared to hear the statement. According to Ms. Chen, no other student was present in the immediate area. T.M. made no other statements and returned to reading. Ms. Chen was visibly shaken when reporting and stated she had not spoken to T.M. or Jordan R. before coming to the office."

The difference is not the seriousness of the situation. It is the specificity and behavioral grounding of the documentation.

Documenting Student and Parent Interviews

The student interview is the core of most threat assessment processes. How it is documented matters enormously.

Document questions and responses separately. Do not write a summary narrative that blends the interviewer's interpretations with the student's words. Write what was asked and what the student said, in their own words where possible.

Capture behavioral observations during the interview. Note the student's affect, posture, eye contact, and any notable changes during specific questions. These observations are behavioral, not diagnostic. "Student became tearful when asked about the target" is a behavioral observation. "Student appeared depressed" is an inference. Use the former.

Document context the student provides. Students frequently provide information that helps classify the threat: "I was just joking," "I was angry and I didn't mean it," or "I've been thinking about this for a long time." This context is central to the transient-versus-substantive determination. Capture it verbatim.

Document parent communication and responses. When parents are contacted, note the time of contact, the method (phone, in-person), who was present, what was shared, and what the parent's response was. If the parent confirms concerning information (e.g., access to weapons at home), document the exact language they used.

Example: "At 11:40 a.m., Dr. Alvarez (school psychologist) called T.M.'s father, Mr. M., to inform him of the incident. Mr. M. stated, 'He probably didn't mean anything by it. He's been really stressed out lately with everything going on at home.' When asked whether there were firearms or other weapons accessible in the home, Mr. M. paused and said, 'We have a shotgun. It's locked up. He doesn't have the combination.' Dr. Alvarez documented that she informed Mr. M. that the school would be following up and that additional steps might be recommended."

Transient vs. Substantive Threats: How to Document the Classification

The CSTAG model's most consequential decision point is whether a threat is transient or substantive. This determination shapes everything that follows: whether the student returns to class the same day, whether parents are required to attend a meeting, whether law enforcement is notified, and what support services are offered.

A transient threat is one that the student did not intend as a serious expression of intent to harm. It is typically made in anger, frustration, or as an attempt at humor, and the student can readily explain and retract it. Documentation of a transient threat classification should include:

  • The specific language or behavior that triggered the assessment
  • The factors the team weighed in classifying it as transient (student's explanation, context, absence of planning or access to means)
  • What corrective action was taken (conversation with student, parent notification, apology if appropriate)
  • Any brief monitoring plan, if applicable

A substantive threat is one that the team determines involves a genuine intent to harm. Documentation needs to be more extensive: the factors that distinguish the threat from a transient expression, evidence of planning or means, any identified targets, and the team's step-by-step decision process.

Do not write: "Team determined this was a substantive threat."

Write: "Following review of the student interview, parent interview, teacher report, and the student's prior disciplinary record, the threat assessment team determined this threat is substantive rather than transient based on the following factors: (1) the student was unable to provide an explanation indicating this was made in jest or frustration; (2) the student had researched the identified target's home address using social media, as confirmed by the student's own statement; (3) the student had access to a firearm in the home, as reported by the parent. The team therefore proceeded under the substantive threat protocol."

The reasoning chain matters. A future reviewer, whether a parent attorney, a judge, or a licensing board, needs to be able to follow how the team reached its conclusion.

FERPA Considerations for Threat Assessment Records

Threat assessment records present complex FERPA questions because they typically involve multiple students: the student who made the threat and any identified targets. Under FERPA, each student's personally identifiable information is protected with respect to that student's records. That means:

  • Records about the student who made the threat are part of that student's education record and subject to parental access rights (and the student's own access rights at age 18).
  • Information in those records about identified targets or other students must be handled carefully. A parent of the threatening student cannot use FERPA to access information about a target student that reveals that student's identity or personal information.
  • Threat assessment records are generally treated as education records and subject to FERPA, not as sole-possession notes, because they are typically created by and shared among a team.

One practical implication: when documenting target information, consider whether the redaction of the target student's identifying information would be necessary if the record were disclosed to the threatening student's parents. Some school legal counsel recommend using initials or role-based identifiers ("the identified peer") rather than full names in threat assessment records for this reason. Check your district's policy.

The law enforcement exception under FERPA is also relevant here. Schools may disclose education records to law enforcement without parental consent in situations involving health or safety emergencies. If law enforcement is involved in a threat assessment, document the basis for any disclosures made under this exception: the nature of the emergency, what information was shared, with whom, and at what time.

Documenting Safety Plans, Monitoring Plans, and Re-Entry Plans

After a substantive threat assessment, the team typically develops a safety plan that specifies what protective steps will be taken while the assessment is ongoing. A monitoring plan establishes how the student's behavior and adjustment will be tracked over time. A re-entry plan addresses the conditions under which a student who has been suspended or removed from school can return.

Each of these deserves a separate, structured document. Vague safety plans are not useful. Compare:

Poor: "Student will be monitored by school staff."

Better: "Monitoring plan for T.M. (effective [date]): (1) Daily check-in with school counselor Ms. Garcia at 8:15 a.m., Monday through Friday; (2) Ms. Garcia will document each check-in using the district's threat monitoring form; (3) T.M.'s first-period teacher will communicate any notable behavioral changes to Ms. Garcia via email by 10:00 a.m. daily; (4) Team will reconvene in 10 school days to review monitoring notes and assess current risk level."

A re-entry plan should document: what conditions the student must meet before returning, what support services will be in place upon return, what modifications to the student's schedule or environment will be made (for example, separating the student from an identified target), and how the plan will be monitored and reviewed.

Coordinating with Law Enforcement: Documentation Considerations

When law enforcement is involved in a school threat assessment, the documentation landscape becomes more complex. Law enforcement agencies maintain their own records, and those records follow different rules than school education records. Schools cannot control what law enforcement documents, but schools can and should document their own role in the process carefully.

Document:

  • The name and agency of any law enforcement officers involved in the assessment
  • The specific information shared with law enforcement and the basis for that disclosure (for example, the FERPA health and safety exception)
  • The date and time of any joint interviews or consultations
  • Whether law enforcement conducted an independent interview of the student, and whether school personnel were present
  • Any recommendations law enforcement made to the school, and whether the school followed those recommendations

If law enforcement determines that no criminal charges are warranted, document that outcome and who communicated it. The school's own threat assessment does not stop when law enforcement declines to press charges. Document that the school's independent assessment process continued based on school safety considerations, separate from the criminal law standard.

Common Documentation Mistakes

Editorializing Instead of Observing

One of the most common documentation errors in threat assessment is mixing interpretive language into factual reporting. Threat assessment documentation should describe what happened, what was said, and what was observed. It should not characterize the student's mental state, diagnose, or editorialize about motives.

Avoid: "The student is clearly disturbed and has a vendetta against his classmates."

Write: "Student stated during the interview, 'Nobody in this school cares about me. They all deserve what's coming.' Student's affect was flat throughout the interview. Student declined to make eye contact when asked about the identified target."

Missing the Behavioral Specifics

Documentation that describes the situation in general terms without capturing the behavioral specifics that drove the team's decision-making is nearly useless. "The team reviewed the situation and found it concerning" explains nothing. What did the team review? What specific behaviors or statements were concerning? What pattern did they observe?

Not Documenting the Decision Rationale

Each consequential decision made by the threat assessment team needs its reasoning documented. The team classified the threat as substantive: document why. The team recommended a five-day suspension: document what factors informed that recommendation. The team decided not to notify law enforcement: document the reasoning and who made that call. Without documented rationale, the team's decisions look arbitrary, even when they were thoughtful and justified.

Mixing Records from Multiple Students

When a threat assessment involves multiple students (the student making the threat, identified targets, witnesses), keeping their records cleanly separated is both a FERPA requirement and a practical necessity. Do not include a target student's identifying information in the threatening student's file beyond what is strictly necessary. Label records clearly by student.

Filing in the Wrong Place

Some schools file threat assessment records in the general student cumulative file, alongside academic records and routine discipline notes. Others maintain a separate confidential threat assessment file. Which approach applies depends on district policy and, sometimes, state law. Know where your district requires these records to be filed, and follow that policy consistently.

A Note on Factual, Behavioral Documentation

The standard for good threat assessment documentation runs through every section of this guide: write what you observed, what was said, and what the team decided, not what you inferred or felt. That standard protects students by ensuring the documentation reflects the actual assessment, not a post-hoc rationalization. It protects the team by creating a defensible record. And it improves outcomes by making the documentation useful to anyone who reviews it later, whether that is a judge, a new team member, or a clinician providing follow-up services.

If your team documents threat assessments using structured templates with built-in fields for behavioral observations, interview summaries, classification rationale, and plan components, the quality of documentation improves consistently regardless of who is filling it out. Tools like NotuDocs let teams build those templates once and apply them reliably across every assessment, so nothing is missing because someone was rushed or working from memory. For complex multi-student documentation workflows, that kind of structural consistency matters.

Documentation Checklist

Initial Threat Report

  • Name and role of the person who made the report
  • Time, date, and method of report (in-person, phone, written)
  • Whether reporter was a direct witness or reporting secondhand
  • Verbatim quote or close paraphrase of threatening language, in quotation marks
  • Location, time, and witnesses present during the incident
  • Identified target, if any, with specific detail about how the target was identified
  • Reporter's demeanor and emotional state at time of report

Student Interview Documentation

  • Interview date, time, location, and persons present
  • Questions asked and student responses documented separately (not blended into a narrative)
  • Verbatim quotes from the student where possible
  • Behavioral observations during the interview (affect, posture, eye contact)
  • Any context the student provided about the threat (joking, venting, intent)
  • Student's response to being informed of consequences and next steps

Parent/Guardian Communication

  • Date and time of contact, method, and who was reached
  • What information was shared and by whom
  • Parent's response, including any verbatim statements
  • Any information parent provided about access to weapons, stressors at home, or prior incidents
  • Parent's agreement or refusal to cooperate with next steps

Transient vs. Substantive Classification

  • Clear statement of the classification (transient or substantive)
  • Numbered factors the team weighed in reaching the classification
  • Specific information from student interview, parent interview, and collateral sources that supported the classification
  • Team members present at the time of classification decision
  • Date and time of classification decision

Safety Plan and Monitoring Plan

  • Named responsible parties for each monitoring action
  • Specific frequency and method of check-ins
  • Communication protocol between monitoring team members
  • Scheduled review date for the monitoring plan
  • Criteria for escalating or de-escalating the level of response

Law Enforcement Coordination

  • Name and agency of law enforcement officers involved
  • Information disclosed to law enforcement and the FERPA basis for disclosure
  • Date and time of any joint consultations or interviews
  • Law enforcement's findings or recommendations, and school's response
  • Documentation of whether the school's independent assessment continued after law enforcement involvement

Re-Entry Planning

  • Conditions the student must meet before returning
  • Support services in place upon return
  • Environmental modifications (schedule changes, separation from identified target)
  • Re-entry monitoring plan and review timeline
  • Persons responsible for implementing and overseeing the re-entry plan

Record-Keeping and FERPA Compliance

  • Records filed according to district policy (cumulative file, confidential threat file, etc.)
  • Target student's identifying information handled consistently with FERPA obligations
  • Law enforcement disclosures documented with FERPA basis noted
  • Multi-student records kept cleanly separated

Related reading: How to Document School-Based Counseling and Mental Health Services | How to Document Crisis Intervention and Suicide Risk Assessments | How to Document Wraparound Services and Multidisciplinary Team Meetings

Gerelateerde artikelen

Behavior Intervention Plan (BIP) Template

Behavior Intervention Plan (BIP) Template

Free behavior intervention plan template for educators. Includes target behaviors, replacement behaviors, prevention strategies, and progress monitoring.

IEP (Individualized Education Program) Template

IEP (Individualized Education Program) Template

Free IEP template for special education teachers. Includes present levels, annual goals, accommodations, services, and transition planning sections.

Lesson Plan Documentation Template

Lesson Plan Documentation Template

Free lesson plan documentation template for teachers. Includes objectives, standards alignment, differentiation, assessment, and reflection sections.

Stop met notities schrijven vanaf nul

NotuDocs zet uw ruwe sessienotities automatisch om in gestructureerde, professionele documenten. Kies een sjabloon, neem uw sessie op en exporteer in seconden.

Probeer NotuDocs gratis

Geen creditcard vereist