Developing a Comprehensive Risk Assessment
Charles S. Thomas
Managing Director, CACH International Ltd Co
Terminology
Threat
Vulnerability
Risk
Consequences
Accident
The goal is not to be understood. It is to not be misunderstood.
Threat – Hazard – Danger
A condition that is a prerequisite to a mishap, accident, or emergency.
May be INTERNAL or EXTERNAL.
Threat Classification
Natural Hazards
Anthropogenic (man-caused) Threats
Technological or Accidental Threats
From Avoiding Disaster, ©2002, John Laye, FBCI
Publisher: John Wiley & Sons, Hoboken, NJ, USA
Natural
Avalanche
Cyclone – regionally, also: Hurricane, Typhoon, Tornado, Twister, etc.
Crop Failure
Drought (Agricultural, Urban)
Earthquake
Epidemic – Pandemic
Firestorm
Floods: Flash flooding, Riverine floods, Urban flooding
Hailstorm
Lahar – Mudslide
Landslide
Solar storm
Tropical storm
Tsunami
Urban-Wildland Intermix Fires
Volcanic eruption (ash, pyroclastic flow)
Wildland fire
Wildland-urban intermix fire
Windstorm – Chinook, Foehn wind, Sandstorm, Sirocco, Williwaw
Winter storm
Anthropogenic (Human-Caused)
Arson
Bomb Incident: Bomb Threat; Detonation, explosion; Device found
Civil disorder – riot
Collateral damage
Cyber Attacks – may also be terrorism related
Explosion
Extortion attempt
Funds missing
Kidnapping
Protests
Radioactive contamination
Subsidence – may also be natural or accidental
Terrorism: Epidemic; Cyber attack; HazMat Releases; Transportation disruptions
Technological (Unintentional)
Building collapse
Cyber outages
Dam failure
Hazardous materials incidents: Stationary source; Transportation related
Infrastructure failures: Communications, Gas, Sewer, Water, Transportation
Information systems crashes
Lifeline failures – Infrastructure
Major fire
Nuclear facility incident
Power failure
Subsidence – may also be natural or anthropogenic
Supply chain failure
Transportation accident – Air, Highway, Pipeline, Rail, Water
Threat – Fear/Terrorism
Perpetrators must have: INTENT + CAPABILITY
Measurable?
Uncertainty – Fear – Risk (Real or Perceived)
Vulnerability
A characteristic of a system that allows a threat event to materialize.
Always INTERNAL, and always in RELATION to a threat.
Accident - Emergency
A function of vulnerability
Relates to Cause
1st significant deviation from the norm
Reactive Risk Assessment
Anatomy of an Incident (diagram; labels in the order they appear on the slide):
Hazard
Event
Controlled Conditions
Deviation
Impact
Parameter Excursion
Initiating Action
Mishap
Consequence
Uncontrolled Condition
Adapted from Department of Energy Handbook, 1100-96
Complex Systems
Failure in one part (by any threat) may coincide with, or induce, failure in an entirely different part, an unforeseeable combination resulting in cascading failures.
Cascading failures can accelerate out of control.
Potentially limitless combinations in complex systems.
Accidents are inevitable (“normal”).
Risk
Future effect
Combination of Severity and Likelihood
Undesirable (Insurance Co. view)
RA Subsets
Qualitative vs. Quantitative
Consequences
Matrix
Qualitative
Uncertainties
Risk Avoidance
Bayesian
Subjective…Uncertainties
Induction
“Reasoning about the future from the past”
Includes generalizations, predictions, analogy, inference
Uncertainty
Inference
The act or process of drawing a conclusion solely on what one already knows.
Common sense?
Uncertainty
Personal Probability
Interpretation
Frequency: repeatable experiments
Logical: single-case event with highly specific prior knowledge
Personal: epistemic uncertainty
Bayesian
Uses probability, but in the context of degrees of belief.
“There can never be certainty, but as evidence accumulates, the degree of belief in a hypothesis changes” for better or worse.
“What if” discussions
Subjective - Objective
Subjective – one who judges according to personal feelings or intuitions.
Objective – one who judges according to observation, reasoning, and judgment.
Is a “gut feel” necessarily wrong?
Subjective Scales
MEDICINE
Stable
Guarded
Serious
Critical
FOOD
Well done
Medium
Rare
MUSIC
Lento
Adagio
Moderato
Allegro
Presto
DON’T OVERDO SCALES IN MATRIX
Subjective Scales
At some point, everything in the RA will need to be reduced to numbers.
Become the expert in developing a risk assessment based on methodology.
Develop the local expertise needed for the subjective and objective data.
Quantitative
Probability: P = f ÷ n
Frequency: f = x events/timeframe
Cost: $=$
Remember: sum of errors
Threat Assessment
Probability – How likely
Frequency – How often
Severity – “No mitigation” effect
Individual Threat Impact Assessment
KISS: 3 x 3 = 9 cells; 4 x 6 = 24 cells; 7 x 12 = 84 cells!
RISK CATEGORY: 1 – High; 2 – Medium; 3 – Low
Severity categories: Catastrophic, Critical, Marginal, Negligible
Likelihood categories: Impossible, Improbable, Remote, Occasional, Probable, Frequent
Matrix
Consequence Categories
Impact ‘Measurements’
Rankings: “un-mitigated” and mitigated
RISK ASSESSMENT (worksheet template)
Columns: Threat/Hazard | Pr | Fr | S | Threat Rating | P1 | P2 | I | R | Impact | Fx ROI | RISK
(Pr, Fr and S are the probability, frequency and severity of the Threat Assessment slide above.)
Rows (template values shown as 0 0 0 on the slide):
Accident/Injury: 0 0 0
Aircraft Accident: 0 0 0
Armed Intruder(s): 0 0 0
Bomb Threat: 0 0 0
Bus (& Stop) Violence: 0 0 0
Bus Accident: 0 0 0
Variable Matrices
Threat Factors
THREAT Risk #1 = Probability X (Onset Speed + Forewarning + Duration + Intensity) X Impact = Relative Weight (template value: 0)
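The 4 x 6 matrix and the Variable Matrix formula above, worked through in Python. This is an added illustration, not code from the slides or from CACH International: which matrix cells count as High, Medium or Low, the 1-to-5 scoring scale for each factor, and the sample threat scores are all constructed assumptions for demonstration; only the category names, the threat names and the formula itself come from the slides.

```python
"""Risk matrix lookup and 'Variable Matrix' threat weighting.

Added worked example; not from the original slides. Assumptions (constructed):
  * which cells of the 4 x 6 matrix are High / Medium / Low,
  * every factor is scored on an integer 1..5 scale,
  * the sample threat scores in SAMPLE_THREATS.
"""

# Consequence (severity) categories and likelihood categories from the slides.
SEVERITY = ["Negligible", "Marginal", "Critical", "Catastrophic"]
LIKELIHOOD = ["Impossible", "Improbable", "Remote", "Occasional", "Probable", "Frequent"]
RISK_CATEGORY = {1: "High", 2: "Medium", 3: "Low"}

# Constructed cell assignment: rows follow SEVERITY, columns follow LIKELIHOOD.
# Each value is a risk category number (1 = High, 2 = Medium, 3 = Low).
MATRIX = [
    # Impossible Improbable Remote Occasional Probable Frequent
    [3, 3, 3, 3, 3, 2],  # Negligible
    [3, 3, 3, 2, 2, 2],  # Marginal
    [3, 3, 2, 2, 1, 1],  # Critical
    [3, 2, 1, 1, 1, 1],  # Catastrophic
]


def matrix_cell_count():
    """Number of cells the analyst must populate (the slides' KISS point)."""
    return sum(len(row) for row in MATRIX)


def risk_category(severity, likelihood):
    """Return (category number, label) for one severity/likelihood pair."""
    try:
        row = SEVERITY.index(severity)
        col = LIKELIHOOD.index(likelihood)
    except ValueError:
        raise ValueError(f"unknown category: {severity!r}/{likelihood!r}") from None
    number = MATRIX[row][col]
    return number, RISK_CATEGORY[number]


def _score(name, value):
    """Validate one 1..5 score (the scale is an assumption of this example)."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer 1..5, got {value!r}")
    return value


def relative_weight(probability, onset_speed, forewarning, duration, intensity, impact):
    """Slide formula: Probability x (Onset Speed + Forewarning + Duration + Intensity) x Impact."""
    factors = (
        _score("onset_speed", onset_speed)
        + _score("forewarning", forewarning)
        + _score("duration", duration)
        + _score("intensity", intensity)
    )
    return _score("probability", probability) * factors * _score("impact", impact)


# Constructed sample worksheet rows (threat names from the slide; scores invented).
SAMPLE_THREATS = {
    "Aircraft Accident": dict(probability=1, onset_speed=5, forewarning=1, duration=2, intensity=5, impact=5),
    "Bomb Threat": dict(probability=2, onset_speed=3, forewarning=3, duration=2, intensity=2, impact=3),
    "Bus Accident": dict(probability=3, onset_speed=4, forewarning=1, duration=1, intensity=3, impact=2),
}


def rank_threats(threats=SAMPLE_THREATS):
    """Return [(name, relative weight)] sorted from highest to lowest weight."""
    weighted = [(name, relative_weight(**scores)) for name, scores in threats.items()]
    return sorted(weighted, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print(f"{matrix_cell_count()} cells in the {len(SEVERITY)}x{len(LIKELIHOOD)} matrix")
    print("Catastrophic/Remote ->", risk_category("Catastrophic", "Remote"))
    for name, weight in rank_threats():
        print(f"{name:<18} relative weight {weight}")
```

The validation in `_score` is the practical point of the example: because the relative weight is a product of sums, a single out-of-scale entry (a 10 on a 1-to-5 scale, or a missing factor left at 0) silently distorts the whole ranking, so a worksheet built on this formula should reject such entries rather than total them.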
Purpose
People
Processes
Infrastructure
Reputation
People
IRPA – Individual Risk per Annum
LTIF – Lost Time Injury
PLL – Potential Loss of Life
FAR – Fatal Accident Rate
IR – Individual Risk Index
Typically driven by regulatory imperatives
Processes
Continuity
Resiliency
Supply Chain Emergency Management
Recovery
Awareness – integrated into the business
Infrastructure
Equipment, machinery, tools, etc.
Building, grounds, geography
Transportation, motor pool, etc.
Reputation
Competition
Customer Sensitivity
Marketing & Opportunity
Risk Assessment
Methodology
Understand the Organization
Identify Threats & Vulnerabilities
Establish Probability & Frequency
Determine Consequences/Impact
Develop Mitigation Options
Examine Feasibility
Evaluate Cost/Benefit
Adapted from ASIS International Guideline, 2003
Technologies
Industry Specific
Threat/Hazard Specific
Business Model Specific
Checklists
Surveys (qualitative, quantitative)
Focus Groups
HLS-CAM
Threat Assessment
Criticality Assessment
M/D SHARPP Matrix
Community Priority Assessment Plan
Vulnerability Assessment
CARVER Vulnerability System
Criticality
Accessibility
Recuperability
Vulnerability
Effect
Recognizability
Shock
ARA Threat/Vulnerability Assessments & RA
Identify Assets and Mission
Determine Credible Threats
Determine Risk Level for Each Threat
Determine Acceptability of Risk
Re-Evaluate Threats based on Mitigation Efforts
Identify Additional Upgrades for Unreduced Threats
Proceed with Upgrades
SANDIA RAM-C
Assess Threats
Prioritize Targets
Identify Consequences
Evaluate Completeness and Effectiveness of Physical Security Systems
Help to Effectively use Resources to Address Vulnerabilities
Critical Risk Identification System
Identify Assets
Identify and Characterize Threats
Identify and Characterize Vulnerabilities
Analyze and Assess Risk
Recommend Countermeasures w/ROI
More…
DHS evaluating Automated HLS-CAM
NFPA 1600 (Guidelines)
DOT HazMat
DOT Travel at Special Events
ASIS Guidelines
Etc.
Utilization
Emergency Response Planning
Business Continuity - COOP/COG
IT System (Disaster Recovery)
All Industry and Service Sectors
Personal Risk Decisions
Copyright 2003-2005, CACH International Ltd Co
Emergency Response & Crisis Management Planning Flowchart (diagram; box labels recovered in reading order)
Pre-Plan & Define Project Scope
Identify and get partnering commitment from all necessary agencies and officials
Information Collection
Project Initiation (Team Membership, Assignments, Checklists, Historical Documentation, etc.)
Evaluate Current Status of Awareness, Mitigation, Preparedness, Response, and Recovery (Gap Analysis)
VULNERABILITY ASSESSMENT: Identify, Analyze, Measure, Mitigate
Capability Assessment & Needs Analysis
Notification
Strategic Plan
ER&CM Response
Interim Information & Plan Updates
Plan
Plan Implementation
TT&E: Tabletop, Drills, and Exercises
Event Management
Recovery
Restoration
AAR
Plan Maintenance
Risk Assessment
THREAT ASSESSMENT
John Lubbock: “What we see depends mainly on what we look for.”