Developing A Comprehensive Risk Assessment
Charles S. Thomas, Managing Director, CACH International Ltd Co

Page 1: Title

Developing A Comprehensive Risk Assessment
Charles S. Thomas, Managing Director, CACH International Ltd Co

Page 2: Terminology

Threat, Vulnerability, Accident, Risk, Consequences

"The goal is not to be understood. It is to not be misunderstood."

Page 3: Threat – Hazard – Danger

A condition that is a prerequisite to a mishap, accident, or emergency.

May be INTERNAL or EXTERNAL.

Page 4: Threat Classification

Natural Hazards
Anthropogenic (man-caused) Threats
Technological or Accidental Threats

From Avoiding Disaster, ©2002, John Laye, FBCI. Publisher: John Wiley & Sons, Hoboken, NJ, USA.

Page 5: Natural

Avalanche
Cyclone – regionally, also: Hurricane, Typhoon, Tornado, Twister, etc.
Crop Failure
Drought – Agricultural, Urban
Earthquake
Epidemic – Pandemic
Firestorm
Floods – Flash flooding, Riverine floods, Urban flooding
Hailstorm
Lahar – Mudslide
Landslide
Solar storm
Tropical storm
Tsunami
Urban-Wildland Intermix Fires
Volcanic eruption (ash, pyroclastic flow)
Wildland fire
Wildland-urban intermix fire
Windstorm – Chinook, Foehn wind, Sandstorm, Sirocco, Williwaw
Winter storm

Page 6: Anthropogenic (Human-Caused)

Arson
Bomb Incident – Bomb Threat; Detonation, explosion; Device found
Civil disorder – riot
Collateral damage
Cyber Attacks – may also be terrorism related
Explosion
Extortion attempt
Funds missing
Kidnapping
Protests
Radioactive contamination
Subsidence – may also be natural or accidental
Terrorism
Epidemic
Cyber attack
HazMat Releases
Transportation disruptions

Page 7: Technological (Unintentional)

Building collapse
Cyber outages
Dam failure
Hazardous materials incidents – Stationary source; Transportation related
Infrastructure failures – Communications, Gas, Sewer, Water, Transportation
Information systems crashes
Lifeline failures – Infrastructure
Major fire
Nuclear facility incident
Power failure
Subsidence – may also be natural or anthropogenic
Supply chain failure
Transportation accident – Air, Highway, Pipeline, Rail, Water

Page 8: Threat – Fear/Terrorism

Perpetrators must have: INTENT + CAPABILITY

Measurable? Uncertainty, Fear, Risk (Real or Perceived)

Page 9: Vulnerability

A characteristic of a system that allows a threat event to materialize.

Always INTERNAL, and always in RELATION to a threat.

Page 10: Accident – Emergency

A function of vulnerability
Relates to Cause
1st significant deviation from the norm
Reactive Risk Assessment

Page 11: Anatomy of an Incident

Adapted from Department of Energy Handbook 1100-96

Figure: incident sequence, shown as two aligned rows on the slide.

Hazard               → Event              → Deviation           → Mishap                → Impact
Controlled Conditions → Initiating Action → Parameter Excursion → Uncontrolled Condition → Consequence

Page 12: Complex Systems

Failure in one part (from any threat) may coincide with, or induce, failure in an entirely different part: an unforeseeable combination that results in cascading failures.

Cascading failures can accelerate out of control.

There are potentially limitless combinations in complex systems.

Accidents are inevitable, "normal".

Page 13: Risk

Future Effect

Combination of Severity and Likelihood

Undesirable (Insurance Co. view)

Page 14: RA Subsets

Qualitative vs. Quantitative

Consequences

Matrix

Page 15: Qualitative

Uncertainties
Risk Avoidance
Bayesian
Subjective… Uncertainties

Page 16: Induction

“Reasoning about the future from the past”

Includes generalizations, predictions, analogy, inference

Uncertainty

Page 17: Inference

The act or process of drawing a conclusion solely on what one already knows.

Common sense?

Uncertainty

Page 18: Personal Probability Interpretation

Frequency: repeatable experiments

Logical: single-case event with highly specific prior knowledge

Personal: epistemic uncertainty

Page 19: Bayesian

Uses probability but in the context of degrees of belief

“There can never be certainty, but as evidence accumulates, the degree of belief in a hypothesis changes” for better or worse.

“What if” discussions

Page 20: Subjective – Objective

Subjective – one who judges according to personal feelings or intuitions.

Objective – one who judges according to observation, reasoning, and judgment.

Is a “gut feel” necessarily wrong?

Page 21: Subjective Scales

MEDICINE: Stable, Guarded, Serious, Critical
FOOD: Well done, Medium, Rare
MUSIC: Lento, Adagio, Moderato, Allegro, Presto

DON'T OVERDO SCALES IN MATRIX

Page 22: Subjective Scales

At some point, everything in the RA will need to be reduced to numbers.

Become the expert in developing a risk assessment based on methodology.

Develop the local expertise needed for the subjective and objective data.

Page 23: Quantitative

Probability: P = f ÷ n
Frequency: f = x events / timeframe
Cost: $ = $

Remember: sum of errors

Page 24: Threat Assessment

Probability – How likely
Frequency – How often
Severity – "No mitigation" effect

Page 25: Individual Threat Impact Assessment

RISK: 1 – High, 2 – Medium, 3 – Low

CATEGORY        Impossible   Improbable   Remote   Occasional   Probable   Frequent
Catastrophic
Critical
Marginal
Negligible

(The slide leaves the cell ratings blank and marks the matrix with an "Increasing Risk" arrow.)

KISS: 3 x 3 = 9 cells; 4 x 6 = 24 cells; 7 x 12 = 84 cells!

Page 26: Matrix

RISK ASSESSMENT

Threat/Hazard           Pr  Fr  S   Threat Rating   P1  P2  I   R   Impact   Fx  ROI   RISK
Accident/Injury                     0                               0                  0
Aircraft Accident                   0                               0                  0
Armed Intruder(s)                   0                               0                  0
Bomb Threat                         0                               0                  0
Bus (& Stop) Violence               0                               0                  0
Bus Accident                        0                               0                  0

Slide callouts on the matrix: "un-mitigated", "Consequence Categories", "Impact 'Measurements'", "mitigated", "Rankings".

Page 27: Variable Matrices

THREAT

Threat Factors (each with a Relative Weight): Onset Speed, For-warning, Duration, Intensity

Risk #1 = Probability x (Onset Speed + For-warning + Duration + Intensity) x Impact = 0
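The weighted threat-factor formula on this slide, combined with the KISS three-band rating from the Individual Threat Impact Assessment slide, worked through as an added example that is not from the presentation; the relative weights, the 1–5 scoring scales, the band thresholds and the per-threat scores are all constructed assumptions.

```python
"""Weighted threat-factor risk scoring, following the slide's formula
Risk = Probability x (Onset Speed + For-warning + Duration + Intensity) x Impact,
then banded High/Medium/Low. Weights, scales, thresholds and scores are constructed."""
from dataclasses import dataclass

# Relative weight of each threat factor (constructed; they sum to 1).
FACTOR_WEIGHTS = {"onset_speed": 0.3, "forewarning": 0.2,
                  "duration": 0.2, "intensity": 0.3}

@dataclass
class Threat:
    name: str
    probability: int        # 1 (Improbable) .. 5 (Frequent), constructed scale
    factors: dict           # each factor scored 1 (benign) .. 5 (severe)
    impact: int             # 1 (Negligible) .. 4 (Catastrophic)

def threat_factor_score(factors, weights=FACTOR_WEIGHTS):
    """Weighted sum of the threat factors; a missing or unknown factor is an error."""
    if set(factors) != set(weights):
        raise ValueError(f"expected exactly the factors {sorted(weights)}")
    return sum(weights[k] * factors[k] for k in weights)

def risk_score(t):
    """Probability x (weighted threat factors) x Impact, rounded for display."""
    return round(t.probability * threat_factor_score(t.factors) * t.impact, 2)

def risk_band(score, high=30.0, medium=15.0):
    """KISS: a three-band rating (High/Medium/Low); the thresholds are constructed."""
    if score >= high: return "High"
    if score >= medium: return "Medium"
    return "Low"

def rank_threats(threats):
    """(name, score, band) tuples, highest risk first: the matrix's 'Rankings'."""
    rows = [(t.name, risk_score(t), risk_band(risk_score(t))) for t in threats]
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed scores for three threats named in the slide's RISK ASSESSMENT matrix.
SAMPLE_THREATS = [
    Threat("Bus Accident", 4, {"onset_speed": 5, "forewarning": 5, "duration": 1, "intensity": 3}, 2),
    Threat("Armed Intruder(s)", 2, {"onset_speed": 5, "forewarning": 4, "duration": 2, "intensity": 5}, 4),
    Threat("Bomb Threat", 3, {"onset_speed": 3, "forewarning": 2, "duration": 2, "intensity": 1}, 1),
]

if __name__ == "__main__":
    for name, score, band in rank_threats(SAMPLE_THREATS):
        print(f"{name:20s} {score:6.2f}  {band}")
```

Changing a single weight re-orders the ranking, which is the point of the slide's "Relative Weight" column: the weights are a judgement that has to be agreed and documented before the matrix is filled in.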

Page 28: Purpose

People
Processes
Infrastructure
Reputation

Page 29: People

IRPA – Individual Risk per Annum
LTIF – Lost Time Injury
PLL – Potential Loss of Life
FAR – Fatal Accident Rate
IR – Individual Risk Index

Typically driven by regulatory imperatives.

Page 30: Processes

Continuity
Resiliency
Supply Chain
Emergency Management
Recovery
Awareness – integrated into the business

Page 31: Infrastructure

Equipment, machinery, tools, etc.

Building, grounds, geography

Transportation, motor pool, etc.

Page 32: Reputation

Competition

Customer Sensitivity

Marketing & Opportunity

Page 33: Risk Assessment

RISK ASSESSMENT

Threat/Hazard           Pr  Fr  S   Threat Rating   P1  P2  I   R   Impact   Fx  ROI   RISK
Accident/Injury                     0                               0                  0
Aircraft Accident                   0                               0                  0
Armed Intruder(s)                   0                               0                  0
Bomb Threat                         0                               0                  0
Bus (& Stop) Violence               0                               0                  0
Bus Accident                        0                               0                  0

Page 34: Methodology

Understand the Organization
Identify Threats & Vulnerabilities
Establish Probability & Frequency
Determine Consequences/Impact
Develop Mitigation Options
Examine Feasibility
Evaluate Cost/Benefit

Adapted from ASIS International Guideline, 2003

Page 35: Technologies

Industry Specific
Threat/Hazard Specific
Business Model Specific
Checklists
Surveys (qualitative, quantitative)
Focus Groups

Page 36: HLS-CAM

Threat Assessment
Criticality Assessment
M/D SHARPP Matrix
Community Priority Assessment Plan
Vulnerability Assessment

Page 37: CARVER Vulnerability System

Criticality
Accessibility
Recuperability
Vulnerability
Effect
Recognizability
Shock

Page 38: ARA Threat/Vulnerability Assessments & RA

Identify Assets and Mission
Determine Credible Threats
Determine Risk Level for Each Threat
Determine Acceptability of Risk
Re-Evaluate Threats based on Mitigation Efforts
Identify Additional Upgrades for Unreduced Threats
Proceed with Upgrades

Page 39: SANDIA RAM-C

Assess Threats
Prioritize Targets
Identify Consequences
Evaluate Completeness and Effectiveness of Physical Security Systems
Help to Effectively use Resources to Address Vulnerabilities

Page 40: Critical Risk Identification System

Identify Assets
Identify and Characterize Threats
Identify and Characterize Vulnerabilities
Analyze and Assess Risk
Recommend Countermeasures w/ROI

Page 41: More…

DHS evaluating Automated HLS-CAM
NFPA 1600 (Guidelines)
DOT HazMat
DOT Travel at Special Events
ASIS Guidelines
Etc.

Page 42: Utilization

Emergency Response Planning
Business Continuity – COOP/COG
IT System (Disaster Recovery)
All Industry and Service Sectors
Personal Risk Decisions

Page 43: Emergency Response & Crisis Management Planning Flowchart

Figure: flowchart (Copyright 2003-2005, CACH International Ltd Co). The boxes recoverable from the slide, in the order they appear:

Pre-Plan & Define Project Scope
Project Initiation (Team Membership, Assignments, Checklists, Historical Documentation, etc.)
Identify and get partnering commitment from all necessary agencies and officials
Information Collection
Threat Assessment
Vulnerability Assessment
Capability Assessment & Needs Analysis
Evaluate Current Status of Awareness, Mitigation, Preparedness, Response, and Recovery (Gap Analysis)
Risk Assessment – Identify, Analyze, Mitigate, Measure
Strategic Plan
ER & CM Plan
Plan Implementation
TT&E – Tabletop, Drills, and Exercises
Plan Maintenance
Interim Information & Plan Updates
Event Management – Notification, Response, Recovery, Restoration, AAR

Page 44: John Lubbock

"What we see depends mainly on what we look for."