Developing A Comprehensive Risk Assessment
Charles S. Thomas, Managing Director, CACH International Ltd Co

Terminology
Threat, Vulnerability, Accident, Risk, Consequences
"The goal is not to be understood. It is to not be misunderstood."

Threat – Hazard – Danger
A condition that is a prerequisite to a mishap, accident, or emergency.
May be INTERNAL or EXTERNAL.

Threat Classification
Natural Hazards
Anthropogenic (man-caused) Threats
Technological or Accidental Threats
From Avoiding Disaster, ©2002, John Laye, FBCI. Publisher: John Wiley & Sons, Hoboken, NJ, USA.

Natural
Avalanche
Cyclone (regionally also: Hurricane, Typhoon, Tornado, Twister, etc.)
Crop Failure
Drought (Agricultural, Urban)
Earthquake
Epidemic – Pandemic
Firestorm
Floods (Flash flooding, Riverine floods, Urban flooding)
Hailstorm
Lahar – Mudslide
Landslide
Solar storm
Tropical storm
Tsunami
Urban-Wildland Intermix Fires
Volcanic eruption (ash, pyroclastic flow)
Wildland fire
Wildland-urban intermix fire
Windstorm (Chinook, Foehn wind, Sandstorm, Sirocco, Williwaw)
Winter storm

Anthropogenic (Human-Caused)
Arson
Bomb Incident (Bomb Threat; Detonation, explosion; Device found)
Civil disorder – riot
Collateral damage
Cyber Attacks (may also be terrorism related)
Explosion
Extortion attempt
Funds missing
Kidnapping
Protests
Radioactive contamination
Subsidence (may also be natural or accidental)
Terrorism
Epidemic
Cyber attack
HazMat Releases
Transportation disruptions

Technological (Unintentional)
Building collapse
Cyber outages
Dam failure
Hazardous materials incidents (Stationary source; Transportation related)
Infrastructure failures (Communications, Gas, Sewer, Water, Transportation)
Information systems crashes
Lifeline failures – Infrastructure
Major fire
Nuclear facility incident
Power failure
Subsidence (may also be natural or anthropogenic)
Supply chain failure
Transportation accident (Air, Highway, Pipeline, Rail, Water)

Threat – Fear/Terrorism
Perpetrators must have: INTENT + CAPABILITY
Measurable? Uncertainty, Fear, Risk (Real or Perceived)

Vulnerability
A characteristic of a system that allows a threat event to materialize.
Always INTERNAL, and always in RELATION to a threat.

Accident – Emergency
A function of vulnerability.
Relates to cause: the first significant deviation from the norm.
Reactive Risk Assessment.

Anatomy of an Incident
Adapted from Department of Energy Handbook, 1100-96
Hazard (Controlled Conditions) → Event (Initiating Action) → Deviation (Parameter Excursion) → Mishap (Uncontrolled Condition) → Impact (Consequence)

Complex Systems
Failure in one part (from any threat) may coincide with, or induce, failure in an entirely different part: an unforeseeable combination resulting in cascading failures.
Cascading failures can accelerate out of control.
Potentially limitless combinations exist in complex systems.
Accidents are inevitable: "normal".

Risk
A future effect.
A combination of Severity and Likelihood.
Undesirable (the insurance company's view).

RA Subsets
Qualitative vs. Quantitative
Consequences
Matrix

Qualitative
Uncertainties, Risk Avoidance, Bayesian
Subjective… Uncertainties

Induction
"Reasoning about the future from the past"
Includes generalizations, predictions, analogy, inference.
Uncertainty.

Inference
The act or process of drawing a conclusion solely from what one already knows.
Common sense?
Uncertainty.

Personal Probability Interpretation
Frequency: repeatable experiments
Logical: single-case event with highly specific prior knowledge
Personal: epistemic uncertainty

Bayesian
Uses probability, but in the context of degrees of belief.
"There can never be certainty, but as evidence accumulates, the degree of belief in a hypothesis changes", for better or worse.
"What if" discussions.

Subjective – Objective
Subjective: one who judges according to personal feelings or intuitions.
Objective: one who judges according to observation, reasoning, and judgment.
Is a "gut feel" necessarily wrong?

Subjective Scales
MEDICINE: Stable, Guarded, Serious, Critical
FOOD: Well done, Medium, Rare
MUSIC: Lento, Adagio, Moderato, Allegro, Presto
DON'T OVERDO SCALES IN MATRIX

Subjective Scales (continued)
At some point, everything in the RA will need to be reduced to numbers.
Become the expert in developing a risk assessment based on methodology.
Develop the local expertise needed for the subjective and objective data.

Quantitative
Probability: P = f ÷ n
Frequency: f = x events / timeframe
Cost: $ = $
Remember: the sum of errors.

Threat Assessment
Probability – how likely
Frequency – how often
Severity – the "no mitigation" effect

Individual Threat Impact Assessment
RISK rating: 1 – High, 2 – Medium, 3 – Low
Likelihood categories (matrix columns): Impossible, Improbable, Remote, Occasional, Probable, Frequent
Severity categories (matrix rows): Catastrophic, Critical, Marginal, Negligible
Increasing Risk (toward the Catastrophic/Frequent corner)
KISS: 3 x 3 = 9 cells; 4 x 6 = 24 cells; 7 x 12 = 84 cells!

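To show how a severity x likelihood matrix of the sizes just compared turns into a repeatable rating, here is an added Python example; it is not code from the presentation or from CACH International. The axis labels and the 1/2/3 rating codes are the slide's; the assignment of High/Medium/Low to each of the 24 cells and the "increasing risk" consistency check are constructed assumptions.

```python
"""Severity x likelihood risk matrix (4 x 6 = 24 cells) with a consistency check.

Added example; the cell values below are a constructed assignment, not the
presentation's own. Rating codes follow the slide: 1 = High, 2 = Medium, 3 = Low.
"""
from enum import IntEnum

HIGH, MEDIUM, LOW = 1, 2, 3


class Severity(IntEnum):
    """Consequence categories, worst first (rows of the matrix)."""
    CATASTROPHIC = 0
    CRITICAL = 1
    MARGINAL = 2
    NEGLIGIBLE = 3


class Likelihood(IntEnum):
    """Probability categories, least likely first (columns of the matrix)."""
    IMPOSSIBLE = 0
    IMPROBABLE = 1
    REMOTE = 2
    OCCASIONAL = 3
    PROBABLE = 4
    FREQUENT = 5


# Constructed cell assignment: rows in Severity order, columns in Likelihood order.
MATRIX = [
    [LOW, MEDIUM, HIGH,   HIGH,   HIGH,   HIGH],    # Catastrophic
    [LOW, LOW,    MEDIUM, HIGH,   HIGH,   HIGH],    # Critical
    [LOW, LOW,    LOW,    MEDIUM, MEDIUM, HIGH],    # Marginal
    [LOW, LOW,    LOW,    LOW,    MEDIUM, MEDIUM],  # Negligible
]


def cell_count(severity_levels: int, likelihood_levels: int) -> int:
    """Number of cells an analyst has to justify: the KISS argument in numbers."""
    return severity_levels * likelihood_levels


def is_monotone(matrix) -> bool:
    """Check the 'increasing risk' property: the rating code (1 = High) must never
    get worse when moving toward higher likelihood or higher severity.
    A matrix that fails this ranks a less likely, less severe threat above a more
    likely, more severe one, which is the usual sign of an over-tuned scale."""
    rows, cols = len(matrix), len(matrix[0])
    for r in range(rows):
        for c in range(cols):
            if c + 1 < cols and matrix[r][c + 1] > matrix[r][c]:
                return False  # risk must not drop as likelihood rises
            if r + 1 < rows and matrix[r + 1][c] < matrix[r][c]:
                return False  # risk must not rise as severity falls
    return True


def rate(severity: Severity, likelihood: Likelihood, matrix=MATRIX) -> int:
    """Look up a single threat's rating; refuses an inconsistent matrix."""
    if not is_monotone(matrix):
        raise ValueError("risk matrix violates the increasing-risk ordering")
    return matrix[severity][likelihood]


if __name__ == "__main__":
    names = {HIGH: "High", MEDIUM: "Medium", LOW: "Low"}
    for sev, lik in [(Severity.CATASTROPHIC, Likelihood.REMOTE),
                     (Severity.NEGLIGIBLE, Likelihood.FREQUENT)]:
        print(sev.name, lik.name, "->", names[rate(sev, lik)])
    for s, l in [(3, 3), (4, 6), (7, 12)]:
        print(f"{s} x {l} = {cell_count(s, l)} cells")
```

The monotonicity check is the part worth keeping: every cell assignment is a judgment call, but a matrix that lets risk fall as likelihood or severity rises is wrong regardless of the judgments, and the check catches that before the matrix is used to rank threats.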
Matrix
RISK ASSESSMENT worksheet
Columns: Threat/Hazard | Pr | Fr | S | Threat Rating | P1 | P2 | I | R | Impact | Fx | ROI | RISK
Accident/Injury 0 0 0
Aircraft Accident 0 0 0
Armed Intruder(s) 0 0 0
Bomb Threat 0 0 0
Bus (& Stop) Violence 0 0 0
Bus Accident 0 0 0
Callouts on the slide: Consequence Categories; Impact "Measurements"; Rankings ("un-mitigated" vs. mitigated).

Variable Matrices
Threat factors: Onset Speed, Forewarning, Duration, Intensity; each factor carries a Relative Weight and a Probability.
Risk = (Onset Speed × + Forewarning + Duration + Intensity) × Impact
Example row: Risk #1 = 0

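The variable matrix above scores several threat factors, weights them, and multiplies by impact. The following added Python example (not the presentation's own worksheet) implements one reading of that formula: each factor is scored on a short 1..5 scale, multiplied by its relative weight, summed, and the sum is multiplied by the threat's probability and impact. The weights, the scale bounds, the placement of probability as a multiplier, and the sample threat rows are constructed assumptions; the threat names are taken from the slide's worksheet.

```python
"""Weighted threat-factor risk score for a 'variable matrix'.

Added example, not the presentation's own worksheet. Each threat factor
(Onset Speed, Forewarning, Duration, Intensity) is scored 1..5 and multiplied
by a relative weight; the weighted sum is multiplied by probability and impact.
Weights, scales and sample rows are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FACTORS = ("onset_speed", "forewarning", "duration", "intensity")
SCALE_MIN, SCALE_MAX = 1, 5  # keep scales short (the slide's "don't overdo scales")

# Constructed relative weights: how much each factor moves the score.
DEFAULT_WEIGHTS: Dict[str, float] = {
    "onset_speed": 2.0,
    "forewarning": 1.0,
    "duration": 1.5,
    "intensity": 2.5,
}


@dataclass
class Threat:
    name: str
    factors: Dict[str, int]
    probability: float  # 0..1, the "how likely" judgment
    impact: int         # 1..5, the unmitigated consequence


def validate(threat: Threat) -> None:
    """Reject incomplete rows or out-of-scale scores before they distort the ranking."""
    missing = set(FACTORS) - set(threat.factors)
    if missing:
        raise ValueError(f"{threat.name}: missing factor(s) {sorted(missing)}")
    for name, score in threat.factors.items():
        if name not in FACTORS or not SCALE_MIN <= score <= SCALE_MAX:
            raise ValueError(f"{threat.name}: bad score {name}={score}")
    if not 0.0 <= threat.probability <= 1.0:
        raise ValueError(f"{threat.name}: probability must be in [0, 1]")
    if not SCALE_MIN <= threat.impact <= SCALE_MAX:
        raise ValueError(f"{threat.name}: impact out of scale")


def threat_score(threat: Threat, weights: Dict[str, float] = DEFAULT_WEIGHTS) -> float:
    """Weighted sum of the threat factors (the bracketed part of the slide's formula)."""
    validate(threat)
    return sum(threat.factors[f] * weights[f] for f in FACTORS)


def risk(threat: Threat, weights: Dict[str, float] = DEFAULT_WEIGHTS) -> float:
    """Risk = (weighted threat factors) x Probability x Impact."""
    return threat_score(threat, weights) * threat.probability * threat.impact


def rank(threats: List[Threat], weights: Dict[str, float] = DEFAULT_WEIGHTS) -> List[Tuple[str, float]]:
    """Return (name, risk) pairs, highest risk first."""
    scored = [(t.name, risk(t, weights)) for t in threats]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample rows; names come from the slide's worksheet, scores do not.
SAMPLE = [
    Threat("Bus Accident",
           {"onset_speed": 5, "forewarning": 1, "duration": 2, "intensity": 3}, 0.30, 3),
    Threat("Bomb Threat",
           {"onset_speed": 4, "forewarning": 2, "duration": 3, "intensity": 5}, 0.05, 5),
    Threat("Armed Intruder(s)",
           {"onset_speed": 5, "forewarning": 1, "duration": 1, "intensity": 5}, 0.02, 5),
]

if __name__ == "__main__":
    for name, value in rank(SAMPLE):
        print(f"{name:20s} risk = {value:6.2f}")
```

Because every input is a judgment, the validation step matters more than the arithmetic: a single factor scored outside the agreed scale, or a probability entered as a percentage instead of a fraction, silently dominates the ranking, which is the "sum of errors" the Quantitative slide warns about.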
Purpose
People, Processes, Infrastructure, Reputation

People
IRPA – Individual Risk per Annum
LTIF – Lost Time Injury
PLL – Potential Loss of Life
FAR – Fatal Accident Rate
IR – Individual Risk Index
Typically driven by regulatory imperatives.

Processes
Continuity, Resiliency, Supply Chain, Emergency Management, Recovery
Awareness – integrated into the business

Infrastructure
Equipment, machinery, tools, etc.
Building, grounds, geography
Transportation, motor pool, etc.

Reputation
Competition
Customer Sensitivity
Marketing & Opportunity

Risk Assessment
(The RISK ASSESSMENT worksheet from the Matrix slide, repeated.)

Methodology
1. Understand the Organization
2. Identify Threats & Vulnerabilities
3. Establish Probability & Frequency
4. Determine Consequences/Impact
5. Develop Mitigation Options
6. Examine Feasibility
7. Evaluate Cost/Benefit
Adapted from ASIS International Guideline, 2003

Technologies
Industry Specific; Threat/Hazard Specific; Business Model Specific
Checklists, Surveys (qualitative, quantitative), Focus Groups

HLS-CAM
Threat Assessment, Criticality Assessment, M/D SHARPP Matrix, Community Priority Assessment Plan, Vulnerability Assessment

CARVER Vulnerability System
Criticality, Accessibility, Recuperability, Vulnerability, Effect, Recognizability, Shock

ARA Threat/Vulnerability Assessments & RA
1. Identify Assets and Mission
2. Determine Credible Threats
3. Determine Risk Level for Each Threat
4. Determine Acceptability of Risk
5. Re-Evaluate Threats based on Mitigation Efforts
6. Identify Additional Upgrades for Unreduced Threats
7. Proceed with Upgrades

SANDIA RAM-C
Assess Threats; Prioritize Targets; Identify Consequences; Evaluate Completeness and Effectiveness of Physical Security Systems
Helps to effectively use resources to address vulnerabilities.

Critical Risk Identification System
Identify Assets; Identify and Characterize Threats; Identify and Characterize Vulnerabilities; Analyze and Assess Risk; Recommend Countermeasures w/ROI

More…
DHS evaluating Automated HLS-CAM
NFPA 1600 (Guidelines), DOT HazMat, DOT Travel at Special Events, ASIS Guidelines, etc.

Utilization
Emergency Response Planning; Business Continuity – COOP/COG; IT System (Disaster Recovery); All Industry and Service Sectors; Personal Risk Decisions

Emergency Response & Crisis Management Planning Flowchart (figure; the boxes recoverable from the slide are listed below)
Pre-Plan & Define Project Scope
Project Initiation (Team Membership, Assignments, Checklists, Historical Documentation, etc.)
Identify and get partnering commitment from all necessary agencies and officials
Information Collection
Capability Assessment & Needs Analysis
Evaluate Current Status of Awareness, Mitigation, Preparedness, Response, and Recovery (Gap Analysis)
Threat Assessment and Vulnerability Assessment, each with Identify/Measure, Analyze, Mitigate steps
Risk Assessment
Strategic Plan
ER & CM Plan
Plan Implementation
TT&E: Tabletop, Drills, and Exercises
Plan Maintenance
Interim Information & Plan Updates
Notification
Response
Event Management
Recovery
Restoration
AAR
Copyright 2003-2005, CACH International Ltd Co

"What we see depends mainly on what we look for." – John Lubbock