Developing a Comprehensive Risk Assessment

Charles S. Thomas
Managing Director, CACH International Ltd Co
Terminology
- Threat
- Vulnerability
- Risk
- Consequences
- Accident
The goal is not to be understood. It is to not be misunderstood.
Threat – Hazard - Danger
A condition that is a prerequisite to a mishap, accident, or emergency.
May be INTERNAL or EXTERNAL.
Threat Classification
- Natural Hazards
- Anthropogenic (man-caused) Threats
- Technological or Accidental Threats
From Avoiding Disaster, ©2002, John Laye, FBCI. Publisher: John Wiley & Sons, Hoboken, NJ, USA
Natural
- Avalanche
- Cyclone (regionally, also: Hurricane, Typhoon, Tornado, Twister, etc.)
- Crop Failure
- Drought: Agricultural, Urban
- Earthquake
- Epidemic – Pandemic
- Firestorm
- Floods: Flash flooding, Riverine floods, Urban flooding
- Hailstorm
- Lahar – Mudslide
- Landslide
- Solar storm
- Tropical storm
- Tsunami
- Urban-Wildland Intermix Fires
- Volcanic eruption (ash, pyroclastic flow)
- Wildland fire
- Wildland-urban intermix fire
- Windstorm (Chinook, Foehn wind, Sandstorm, Sirocco, Williwaw)
- Winter storm

Anthropogenic (Human-Caused)
- Arson
- Bomb Incident: Bomb Threat; Detonation, explosion; Device found
- Civil disorder – riot
- Collateral damage
- Cyber Attacks (may also be terrorism related)
- Explosion
- Extortion attempt
- Funds missing
- Kidnapping
- Protests
- Radioactive contamination
- Subsidence (may also be natural or accidental)
- Terrorism: Epidemic, Cyber attack, HazMat Releases, Transportation disruptions

Technological (Unintentional)
- Building collapse
- Cyber outages
- Dam failure
- Hazardous materials incidents: Stationary source, Transportation related
- Infrastructure failures: Communications, Gas, Sewer, Water, Transportation
- Information systems crashes
- Lifeline failures – Infrastructure
- Major fire
- Nuclear facility incident
- Power failure
- Subsidence (may also be natural or anthropogenic)
- Supply chain failure
- Transportation accident: Air, Highway, Pipeline, Rail, Water
Threat – Fear/Terrorism
Perpetrators must have: INTENT + CAPABILITY
Measurable?
Uncertainty → Fear → Risk (Real or Perceived)
Vulnerability
A characteristic of a system that allows a threat event to materialize.
Always INTERNAL, and always in RELATION to a threat.
Accident - Emergency
A function of vulnerability
- Relates to Cause
- 1st significant deviation from the norm
- Reactive Risk Assessment

Anatomy of an Incident
[Diagram; labels as extracted: Hazard, Event, Controlled Conditions, Deviation, Impact, Parameter Excursion, Initiating Action, Mishap, Consequence, Uncontrolled Condition]
Adapted from Department of Energy Handbook, 1100-96
Complex Systems
- Failure in one part (by any threat) may coincide with or induce failure in an entirely different part → an unforeseeable combination resulting in cascading failures.
- Cascading failures can accelerate out of control.
- Potentially limitless combinations in complex systems.
- Accidents are inevitable → “normal”
Risk
- Future Effect
- Combination of Severity and Likelihood
- Undesirable (Insurance Co. view)
RA Subsets
- Qualitative vs. Quantitative
- Consequences
- Matrix
Qualitative
- Uncertainties
- Risk Avoidance
- Bayesian
- Subjective…Uncertainties
Induction
- “Reasoning about the future from the past”
- Includes generalizations, predictions, analogy, inference
- Uncertainty
Inference
- The act or process of drawing a conclusion solely on what one already knows.
- Common sense?
- Uncertainty
Personal Probability Interpretation
- Frequency: repeatable experiments
- Logical: single-case event with highly specific prior knowledge
- Personal: epistemic uncertainty
Bayesian
- Uses probability, but in the context of degrees of belief
- “There can never be certainty, but as evidence accumulates, the degree of belief in a hypothesis changes” for better or worse.
- “What if” discussions
Subjective - Objective
- Subjective: one who judges according to personal feelings or intuitions.
- Objective: one who judges according to observation, reasoning, and judgment.
- Is a “gut feel” necessarily wrong?
Subjective Scales
MEDICINE: Stable, Guarded, Serious, Critical
FOOD: Well done, Medium, Rare
MUSIC: Lento, Adagio, Moderato, Allegro, Presto
DON’T OVERDO SCALES IN MATRIX
Subjective Scales
- At some point, everything in the RA will need to be reduced to numbers.
- Become the expert in developing a risk assessment based on methodology.
- Develop the local expertise needed for the subjective and objective data.
Quantitative
- Probability: P = f ÷ n
- Frequency: f = x events/timeframe
- Cost: $=$
- Remember: sum of errors

Threat Assessment
- Probability – How likely
- Frequency – How often
- Severity – “No mitigation” effect
Individual Threat Impact Assessment
KISS: 3 x 3 = 9 cells; 4 x 6 = 24 cells; 7 x 12 = 84 cells!
Matrix
RISK CATEGORY: 1 - High, 2 - Medium, 3 - Low
Matrix axes: Catastrophic, Critical, Marginal, Negligible (severity) × Impossible, Improbable, Remote, Occasional, Probable, Frequent (likelihood)


Consequence Categories
- Impact ‘Measurements’: “un-mitigated”
- Rankings: mitigated
RISK ASSESSMENT (worksheet)
Columns: Threat/Hazard | Pr | Fr | S | Threat Rating | P1 | P2 | I | R | Impact | Fx ROI | RISK
Rows (blank template; each row shows three 0 values):
- Accident/Injury: 0, 0, 0
- Aircraft Accident: 0, 0, 0
- Armed Intruder(s): 0, 0, 0
- Bomb Threat: 0, 0, 0
- Bus (& Stop) Violence: 0, 0, 0
- Bus Accident: 0, 0, 0
Variable Matrices
Threat Factors, for THREAT Risk #1:
Probability × (Onset Speed + Forewarning + Duration + Intensity) × Impact = Relative Weight (shown as 0 in the blank template)
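An added example, not part of the slides or of CACH International's material: a small Python scorer that applies the 4x6 severity × likelihood matrix from the Individual Threat Impact Assessment slide and the Relative Weight formula above to a handful of threats named on the worksheet. The ordinal values, the High/Medium/Low thresholds, the 1..5 factor scale and all sample scores are assumptions constructed for the example.

```python
from dataclasses import dataclass
# Axis labels are from the slide; ordinal values and the High/Medium/Low
# thresholds are an assumption made for this example, not from the slide.
SEVERITY = ["Negligible", "Marginal", "Critical", "Catastrophic"]
LIKELIHOOD = ["Impossible", "Improbable", "Remote", "Occasional", "Probable", "Frequent"]

def matrix_category(severity: str, likelihood: str) -> int:
    """One cell of the 4x6 matrix -> 1 High, 2 Medium, 3 Low.
    Impossible scores 0, so it is always Low whatever the severity."""
    score = (SEVERITY.index(severity) + 1) * LIKELIHOOD.index(likelihood)  # 0..20
    if score >= 10:
        return 1
    if score >= 4:
        return 2
    return 3

def probability(f: float, n: float) -> float:
    """P = f / n (Quantitative slide): f events over n opportunities."""
    if n <= 0:
        raise ValueError("n must be positive")
    return f / n

@dataclass
class Threat:
    """One row of the variable matrix; factor scores use an assumed 1..5 scale."""
    name: str
    probability: float
    onset_speed: int
    forewarning: int
    duration: int
    intensity: int
    impact: int

    def relative_weight(self) -> float:
        # Probability x (Onset Speed + Forewarning + Duration + Intensity) x Impact
        factors = self.onset_speed + self.forewarning + self.duration + self.intensity
        return self.probability * factors * self.impact

def rank_threats(threats: list) -> list:
    """Threat names ordered by relative weight, highest first."""
    return [t.name for t in sorted(threats, key=lambda t: t.relative_weight(), reverse=True)]

# Constructed sample scores for four threats named on the worksheet slide.
SAMPLE = [
    Threat("Aircraft Accident", probability(1, 100), 5, 1, 2, 5, 5),
    Threat("Armed Intruder(s)", probability(2, 100), 5, 1, 2, 5, 5),
    Threat("Bomb Threat", probability(5, 100), 3, 2, 2, 1, 2),
    Threat("Bus Accident", probability(20, 100), 4, 1, 1, 2, 2),
]
```

With these constructed scores, `rank_threats(SAMPLE)` puts Bus Accident first because its higher probability outweighs the larger factor and impact scores of the rarer threats, which is exactly the trade-off the weighted matrix is meant to expose.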
Purpose
- People
- Processes
- Infrastructure
- Reputation
People
- IRPA – Individual Risk per Annum
- LTIF – Lost Time Injury
- PLL – Potential Loss of Life
- FAR – Fatal Accident Rate
- IR – Individual Risk Index
Typically driven by regulatory imperatives
Processes
- Continuity
- Resiliency
- Supply Chain Emergency Management
- Recovery
- Awareness – integrated into the business
Infrastructure
- Equipment, machinery, tools, etc.
- Building, grounds, geography
- Transportation, motor pool, etc.
Reputation
- Competition
- Customer Sensitivity
- Marketing & Opportunity
Risk Assessment
(the RISK ASSESSMENT worksheet above, repeated)
Methodology
- Understand the Organization
- Identify Threats & Vulnerabilities
- Establish Probability & Frequency
- Determine Consequences/Impact
- Develop Mitigation Options
- Examine Feasibility
- Evaluate Cost/Benefit
Adapted from ASIS International Guideline, 2003
Technologies
- Industry Specific
- Threat/Hazard Specific
- Business Model Specific
- Checklists
- Surveys (qualitative → quantitative)
- Focus Groups
HLS-CAM
- Threat Assessment
- Criticality Assessment
- M/D SHARPP Matrix
- Community Priority Assessment Plan
- Vulnerability Assessment
CARVER Vulnerability System
- Criticality
- Accessibility
- Recuperability
- Vulnerability
- Effect
- Recognizability
- Shock
ARA Threat/Vulnerability Assessments & RA
- Identify Assets and Mission
- Determine Credible Threats
- Determine Risk Level for Each Threat
- Determine Acceptability of Risk
- Re-Evaluate Threats based on Mitigation Efforts
- Identify Additional Upgrades for Unreduced Threats
- Proceed with Upgrades
SANDIA RAM-C
- Assess Threats
- Prioritize Targets
- Identify Consequences
- Evaluate Completeness and Effectiveness of Physical Security Systems
- Help to Effectively use Resources to Address Vulnerabilities
Critical Risk Identification System
- Identify Assets
- Identify and Characterize Threats
- Identify and Characterize Vulnerabilities
- Analyze and Assess Risk
- Recommend Countermeasures w/ROI
More…
- DHS evaluating Automated HLS-CAM
- NFPA 1600 (Guidelines)
- DOT HazMat
- DOT Travel at Special Events
- ASIS Guidelines
- Etc.
Utilization
- Emergency Response Planning
- Business Continuity - COOP/COG
- IT System (Disaster Recovery)
- All Industry and Service Sectors
- Personal Risk Decisions
Copyright 2003-2005, CACH International Ltd Co
Emergency Response & Crisis Management Planning Flowchart
[Flowchart; node labels as extracted: Pre-Plan & Define Project Scope; Identify and get partnering commitment from all necessary agencies and officials; Information Collection; Project Initiation (Team Membership, Assignments, Checklists, Historical Documentation, etc.); Evaluate Current Status of Awareness, Mitigation, Preparedness, Response, and Recovery (Gap Analysis); VULNERABILITY ASSESSMENT; Mitigate; Identify; Capability Assessment & Needs Analysis; Analyze; Measure; Notification; Strategic Plan; ER&CM Response; Interim Information & Plan Updates; Plan Implementation; TT&E; Recovery; Restoration; Event Management; AAR; Tabletop, Drills, and Exercises; Plan Maintenance]
Risk Assessment
THREAT ASSESSMENT
John Lubbock: “What we see depends mainly on what we look for.”