Risk Assessment About Building And Risk
Prepared by Faheem
Risk Assessments: How Much Risk are you willing to accept?
• “Risk”
• Conducting a Risk Assessment
• Concept of a Risk Assessment
• Critical Assets
• Threats
• Vulnerabilities, Frequency, Impact
• Risk levels
• Developing Mitigating Options
• Conclusion
Risk Assessments
“Risk”
In simple terms “Risk” can be defined as:
Risk = Impact x (Threat x Vulnerability)
[Diagram: Assets, Vulnerabilities and Threats overlapping to form Risk]
Threat x Vulnerability = Probability
Impact = Expected Impact (Asset Value)
Conducting a Risk Assessment
In today’s security environment there are numerous sources of information explaining and providing guidelines on how to perform a Risk Assessment:
- ASIS Risk Assessment Guidelines
- Homeland Security Guidelines
- Websites
- College text
- Independent Consultants
But which is the best source, who has the right answers, why are there so many different ways to perform a risk assessment?
The Concept of a Risk Assessment
Answer: No one has the absolute correct answer! Each source has a general idea of what needs to be, or should be, in an assessment. However, they all agree on the following:
1. There is a General Assessment Process
2. Assessments are not and cannot be performed in a vacuum
3. Clients make the final decision concerning how much “Risk” is acceptable!!
General Assessment Process
1. Assess Assets
2. Assess Threats
3. Assess Vulnerabilities
4. Assess Risk
   (between steps 4 and 5: Cost Analysis, Benefit Analysis, Client Makes Decision)
5. Determine Mitigating Options
6. Client Makes Final Decision
Assessments cannot be performed in a vacuum
• Coordinate with local authorities to determine threats
• Local Law Enforcement: criminal statistics
• Federal/Military Officials: possible terrorist information
• Federal/State Officials: natural threat information
• Information Technology (IT) specialist: vulnerabilities to IT systems
• Structural Engineers: vulnerabilities to structure
• Water/Gas/Electrical Engineers: Vulnerabilities to infrastructure
You are expected to be the expert, know who to ask for the right answers!
Assess/Determine Your Critical Assets
• Interview, Interview, Interview
• Inquire: Who to talk to and Why
• Talk to those who know
• CEOs, Presidents, and Owners
• Get management buy-in
• Gather as much information as possible
• What will stop production, distribution, services?
• What needs to be protected?
• Why?
What are your Critical Assets?
1. People (factory/General employees and/or Executive employees)
2. The Facility (the building, property, and all production machinery)
3. Raw Material
Assets at Risk | Threat | Vulnerability Level | Frequency | Impact | Risk Level | ok? | Mitigating Measure | New Risk Level
People (General) | | | | | | | |
People (Executives) | | | | | | | |
Facility | | | | | | | |
Raw Material | | | | | | | |
Know the Threat
• Identify threat categories and adversaries
Insider | Outsider, Criminal | Environmental | Other
Disgruntled employee | Professional Burglars | Fire/lightning | Terrorist
Former employee | | Weather |
• Assess intent and motivation of known/suspected adversaries
• Assess the capabilities of an adversary or threat
• Frequency of threat-related incidents based on historical data
• Estimate degree of threat relative to each critical asset
More Potential Threats
Dam Safety, Earthquakes, Extreme Heat, Fires, Hazardous Material, Criminal Activity, Hurricanes, Landslides, Nuclear, Multi-Hazard, Thunderstorms, Tornadoes, Terrorism, Floods, Volcanoes, Wildfires, Information Security, Winter Storms
Knowing what the critical assets are will aid in determining the Threats
Assets at Risk | Threat | Vulnerability Level | Frequency | Impact | Risk Level | ok? | Mitigating Measure | New Risk Level
People (General) | Aggravated Assaults | | | | | | |
People (Executives) | Aggravated Assaults | | | | | | |
People (Executives) | Travel to Foreign Country | | | | | | |
People (Executives) | Kidnapping | | | | | | |
Facility | Heat | | | | | | |
Facility | Tornadoes | | | | | | |
Facility | Unauthorized Entry | | | | | | |
Facility | Terrorism | | | | | | |
Raw Material | Outsider Theft | | | | | | |
Raw Material | Insider Theft | | | | | | |
Vulnerability Level
Vulnerabilities are generally assessed by looking at an asset, examining the threat, and determining how the asset can be affected by the threat.
Example
Asset = Executive Vice President of Production, Major Oil Producer
Threat = Kidnapping (Ransom)
Examination of the two shows the EVP, every single morning without variation, leaves the house at the same time, drives the same vehicle, takes the same route to work, parks in the same space, departs at the end of the day at exactly the same time, and again takes the same route home.
The Vulnerability Level for this EVP is Extremely High. At almost any point in this EVP’s day he/she can be affected by the threat of kidnapping.
In many cases, Vulnerability assessments should be conducted in conjunction with a Risk Assessment.
Assets at Risk | Threat | Vulnerability Level | Frequency | Impact | Risk Level | ok? | Mitigating Measure | New Risk Level
People (General) | Aggravated Assaults | Medium | | | | | |
People (Executives) | Aggravated Assaults | Low | | | | | |
People (Executives) | Travel to Foreign Country | Medium | | | | | |
People (Executives) | Kidnapping | High | | | | | |
Facility | Heat | High | | | | | |
Facility | Tornadoes | Medium | | | | | |
Facility | Unauthorized Entry | High | | | | | |
Facility | Terrorism | Low | | | | | |
Raw Material | Outsider Theft | Low | | | | | |
Raw Material | Insider Theft | Medium | | | | | |
Frequency & Impact (Effect)
Most Risk Assessment Experts tend to disagree at this point of the process. Different professionals will use different formulas to determine how Threats affect Vulnerabilities, how to score Probability, and finally how to determine Frequency.
How it Works
The following uses historical records and subjective estimates to determine the Probability of a hazard occurring, and the effect (Impact) it would have.
Levels of Probability:
7 = An event happens once per year or more
6 = An event happens once every 1-3 years
5 = An event happens once every 3-5 years
4 = An event happens once every 5-10 years
3 = An event happens once every 10-50 years
2 = An event happens once every 100 years
1 = The event has never occurred
Levels of Effects (Impact):
7 = Critical: the threat would affect 100,000 or more people
6 = The threat would affect 50,000 to 99,999 people
5 = The threat would affect 10,000 to 49,999 people
4 = The threat would affect 5,000 to 9,999 people
3 = The threat would affect 1,000 to 4,999 people
2 = The threat would affect 500 to 999 people
1 = The threat would affect 1 to 499 people
[Figure: risk matrix of Probability against Impact (Effect), graded Low, Med Low, Medium, Med High, High]
The product of the Probability times the Effects of the Hazard equals the Risk Index for the hazard:
Probability x Effects = Risk Index
Using our previous example: Asset = Executive Vice President of Production, Major Oil Producer
After performing our research and evaluating all the interviews conducted, we discovered that kidnappings of corporate-level executives occur about once every three years and generally affect 50,000 to 99,999 people (depending on the size of the company and the number of people this executive has regular contact with). Using the calculations previously given:
Probability 6 (High) x Effect (Impact) 6 (High) = Risk Index 36 (High)
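The scoring above, together with the later “ok?” check against the level the client will accept, as an added Python example that is not from the deck: it encodes the two 1-7 scales, computes Probability x Effects = Risk Index, and lists the rows the client has not accepted. The Low/Medium/High cut-offs on the index are an assumption, since the deck only states that an index of 36 is High.

```python
# Added example, not from the deck: scores "Probability x Effects = Risk Index"
# with the slide's two 1-7 scales. The Low/Medium/High cut-offs are an
# assumption; the deck only states that an index of 36 is High.

PROBABILITY_SCALE = [(1, 7), (3, 6), (5, 5), (10, 4), (50, 3)]  # (max years between events, level)
IMPACT_SCALE = [(100_000, 7), (50_000, 6), (10_000, 5), (5_000, 4), (1_000, 3), (500, 2)]  # (min people, level)
BAND_ORDER = ["Low", "Medium", "High"]

def probability_level(years_between_events):
    """Recurrence interval in years -> level 1-7; None means the event never occurred."""
    if years_between_events is None:
        return 1
    for max_years, level in PROBABILITY_SCALE:
        if years_between_events <= max_years:
            return level
    return 2  # about once every 100 years or rarer

def impact_level(people_affected):
    """Number of people affected -> effect (impact) level 1-7."""
    for min_people, level in IMPACT_SCALE:
        if people_affected >= min_people:
            return level
    return 1

def risk_index(probability, impact):
    """Probability x Effects = Risk Index (range 1..49)."""
    return probability * impact

def risk_band(index):
    """Assumed cut-offs on the 1..49 index: >= 25 High, >= 9 Medium, else Low."""
    return "High" if index >= 25 else "Medium" if index >= 9 else "Low"

def score(asset, threat, years_between_events, people_affected):
    """One row of the deck's table as (asset, threat, index, band)."""
    idx = risk_index(probability_level(years_between_events), impact_level(people_affected))
    return asset, threat, idx, risk_band(idx)

def unacceptable(rows, accept_up_to="Medium"):
    """Rows whose band exceeds the level the client said they will accept."""
    limit = BAND_ORDER.index(accept_up_to)
    return [row for row in rows if BAND_ORDER.index(row[3]) > limit]

# Constructed sample: the deck's EVP kidnapping case (about once every three
# years, 50,000 to 99,999 people) plus two made-up rows for contrast.
SAMPLE_ROWS = [
    score("People (Executives)", "Kidnapping", 3, 60_000),
    score("Raw Material", "Outsider Theft", 20, 300),
    score("Facility", "Heat", 1, 2_000),
]
```

Changing `accept_up_to` is the client's decision from the process diagram: `unacceptable(SAMPLE_ROWS, "Low")` also flags the Medium row.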
Frequency & Impact (Effect)
Assets at Risk | Hazard | Vulnerability Level | Frequency | Impact | Risk Level | ok? | Mitigating Measure | New Risk Level
People (General) | Aggravated Assaults | Medium | Low | Medium | | | |
People (Executives) | Aggravated Assaults | Low | Low | High | | | |
People (Executives) | Travel to Foreign Country | Medium | Low | High | | | |
People (Executives) | Kidnapping | High | High | High | | | |
Facility | Heat | High | Medium | Medium | | | |
Facility | Tornadoes | Medium | Low | Medium | | | |
Facility | Unauthorized Entry | High | Low | High | | | |
Facility | Terrorism | Low | Low | High | | | |
Raw Material | Outsider Theft | Low | Low | Low | | | |
Raw Material | Insider Theft | Medium | Low | Low | | | |
Risk Level Results
Obviously, as we can see, the Asset we have been watching has a Risk Level of High, but so do other Assets. Will our Client accept this? Or are these areas of concern also?
Assets at Risk | Hazard | Vulnerability Level | Frequency | Impact | Risk Level | ok? | Mitigating Measure | New Risk Level
People (General) | Aggravated Assaults | Medium | Low | Medium | Medium | | |
People (Executives) | Aggravated Assaults | Low | Low | High | Medium | | |
People (Executives) | Travel to Foreign Country | Medium | Low | High | Medium | | |
People (Executives) | Kidnapping | High | High | High | High | | |
Facility | Heat | High | Medium | Medium | High | | |
Facility | Tornadoes | Medium | Low | Medium | Medium | | |
Facility | Unauthorized Entry | High | Low | High | High | | |
Facility | Terrorism | Low | Low | High | Low | | |
Raw Material | Outsider Theft | Low | Low | Low | Low | | |
Raw Material | Insider Theft | Medium | Low | Low | Low | | |
Impact of Events - Risk Levels – Acceptable?
Assets at Risk | Hazard | Vulnerability Level | Frequency | Impact | Risk Level | ok? | Mitigating Measure | New Risk Level
People (General) | Aggravated Assaults | Medium | Low | Medium | Medium | Yes | |
People (Executives) | Aggravated Assaults | Low | Low | High | Medium | Yes | |
People (Executives) | Travel to Foreign Country | Medium | Low | High | Medium | Yes | |
People (Executives) | Kidnapping | High | High | High | High | No | |
Facility | Heat | High | Medium | Medium | High | No | |
Facility | Tornadoes | Medium | Low | Medium | Medium | Yes | |
Facility | Unauthorized Entry | High | Low | High | High | No | |
Facility | Terrorism | Low | Low | High | Low | Yes | |
Raw Material | Outsider Theft | Low | Low | Low | Low | Yes | |
Raw Material | Insider Theft | Medium | Low | Low | Low | Yes | |
Client Participation
As discussed from the very beginning, the Client must be involved in this process.
The Client has said “No” to the Risk Level concerning the Executive Officers of the Company
What’s Next?
General Assessment Process
1. Assess Assets
2. Assess Threats
3. Assess Vulnerabilities
4. Assess Risk
   (between steps 4 and 5: Cost Analysis, Benefit Analysis, Client Makes Decision)
5. Determine Mitigating Options
6. Client Makes Final Decision
Development of Mitigating Options
• Client will not accept any Risk level of High or above.
• Some may not accept anything over Medium
• Others Medium-High
• Things to remember before presenting Mitigating Options
• Consistency
• Accuracy
• Speed
• But, most of all, they want to understand.
If a client does not understand why they must do something (Acceptable Risk), then they will not understand why they must spend money to fix it (Cost/Benefit Analysis).
• Finally, explain the benefits for suggesting mitigating options
• Cost: Annual Security Awareness Briefings to the Executive officers ($1,000 per person, per year)
• Benefit: Possible prevention of a kidnapping (company savings: Life Insurance, Hiring of Security Personnel, Ransom; all of which could cost in the millions)
Development of Mitigating Options
Assets at Risk | Hazard | Frequency | Vulnerability Level | Impact | Risk Level | ok? | Mitigating Measure
People (General) | Aggravated Assaults | Low | Medium | Medium | Medium | Yes | N/A
People (Executives) | Aggravated Assaults | Low | Low | High | Medium | Yes | N/A
People (Executives) | Travel to Foreign Country | Low | Medium | High | Medium | Yes | N/A
People (Executives) | Kidnapping | High | High | High | High | No | 1. Awareness Briefs 2. Def. Driving Crse
Possible Mitigating Options to our current scenario:
1. Annual Security Awareness Briefing
2. Defensive Driving Course
3. Personal Security Advisor
4. Newly installed security equipment for work and home
The head of our company has chosen Options 1 & 2 after hearing the cost and benefits
New, Acceptable Risk Levels
Assets at Risk | Hazard | Frequency | Vulnerability Level | Impact | Risk Level | ok? | Mitigating Measure | New Risk Level
People (General) | Aggravated Assaults | Low | Medium | Medium | Medium | Yes | N/A |
People (Executives) | Aggravated Assaults | Low | Low | High | Medium | Yes | N/A |
People (Executives) | Travel to Foreign Country | Low | Medium | High | Medium | Yes | N/A |
People (Executives) | Kidnapping | High | High | High | High | No | 1. Awareness Briefs 2. Def. Driving Crse | Medium
New Risk Levels are discussed based on the Mitigating Options chosen for each Asset, Threat, Impact, and Risk Level
Is this now an acceptable Risk Level for our Client?
How Much Risk are you willing to accept?
Questions?
Sources of Information: Risk Assessments
1. Risk Management for Security Professionals
2. Risk Assessment Guidelines: ASIS International
3. National Strategy for Homeland Security Jul 2008
4. Contemporary Security Management
5. Principles of Emergency Planning Management
6. Readings in Security Management: Principles and Practices