Lesson 5 Print Version
Lesson: 5 - Risk Assessment and Management
Risk Assessment and Risk Management Overview

This lesson will:

  • Provide a definition of risk and the various components to determine a risk rating
  • Review various approaches to determine risk
  • Review a rating scale
  • Demonstrate how to use the scale to determine a risk rating
Lesson Objectives

At the completion of this lesson, students will be able to:

  1. State what constitutes risk
  2. Provide a numerical rating for risk and justify the basis for the rating
  3. Evaluate risk using the Risk (Threat-Vulnerability) Matrix to capture assessment information
  4. Identify top risks for asset-threat/hazard pairs of interest that should receive measures to mitigate vulnerabilities and reduce risk
Risk Management

Risk management is the deliberate process of understanding "risk" — the likelihood that a threat will harm an asset with some severity of consequences — and deciding on and implementing actions to reduce it. In addition, risk management incorporates an understanding of the vulnerability of assets to the consequences of threats and hazards.

The objective is to reduce the vulnerability of assets through mitigation actions. Reducing vulnerabilities is the most straightforward approach to reducing risk.

However, realize that risk reduction has two other components, albeit not applicable to building design:

  • Reduce consequence (devalue the asset)
  • Reduce threat (intelligence and law enforcement team to arrest terrorists before an attack can be carried out)
Assessment Flow Chart
Reviewing the Assessment Flow Chart, the determination of quantitative risk values is the next step in the risk assessment process.
Definition of Risk

Risk is a combination of:

  • The probability that an event will occur
  • The consequences of its occurrence

In other words, risk can be defined as the potential for a loss or damage to an asset. It takes into account consequences of the degradation or loss of an asset, the threats or hazards that potentially impact the asset, and the vulnerability of the asset to the threat or hazard.

Values can be assigned to these three components of risk to provide a risk rating.

 

Risk Factors Total = Threat Rating x Consequence Rating x Vulnerability Rating

Risk Factors Total | Risk Level
-------------------|------------
1-60               | Low Risk
61-175             | Medium Risk
>176               | High Risk

Multiplying the values assigned to each of the three factors — threat, consequence, and vulnerability — provides quantification of total risk.

This quantification helps prioritize which protective measures should be adopted, given limited resources, to achieve a desired level of protection.

Quantifying Risk

The risk assessment process involves the following:

  • Determine threat rating
  • Determine consequence rating
  • Determine vulnerability rating
  • Determine relative risk for each threat against each asset

Select mitigation measures that have the greatest benefit while minimizing the cost of reducing risk.

An Approach to Quantifying Risk

The risk assessment analyzes the threat, consequence, and vulnerability to ascertain the level of risk for each critical asset against each applicable threat.

An understanding of risk levels enables the owner of assets to prioritize and implement appropriate mitigation measures, paying particular attention to high consequence threats, to achieve the desired level of protection.

A simplified approach to quantifying risk is shown here. Ratings can be assigned to the threat or hazard, consequence, and vulnerability of the asset to the threats, and numerical scores can be determined that depict relative risk of these assets to man-made hazards. (FEMA 426 Chapter 1, FEMA 452 Steps 1, 2, 3, and 4.)

Rating      | Score
------------|------
Very High   | 10
High        | 8-9
Medium High | 7
Medium      | 5-6
Medium Low  | 4
Low         | 2-3
Very Low    | 1

An Approach to Quantifying Risk

Risk Factors Total | Risk Level
-------------------|------------
1-60               | Low Risk
61-175             | Medium Risk
>176               | High Risk

FEMA 426, Table 1-19: Total Risk Color Code, p. 1-38
Critical Functions Matrix

This analysis completes the Critical Functions and the Critical Infrastructure Matrices that we saw in Lessons 2, 3, and 4.

The risk formula is applied and the numeric values color-coded as discussed on the previous screen. The color code helps visualize the functions and infrastructure that are vulnerable and the scale helps to identify those areas for in-depth mitigation measures analysis.

The risk ratings under the Administration and Engineering Functions are highlighted. The numeric ratings result in Medium and High risk ratings for the Functions asset-threat/hazard pairs.

Function       | Rating               | Cyber Attack | Armed Attack (single gunman) | Vehicle Bomb | CBR Attack
---------------|----------------------|--------------|------------------------------|--------------|-----------
Administration | Risk Factors Total   | 280          | 140                          | 135          | 90
               | Threat Rating        | 8            | 4                            | 3            | 2
               | Consequence Rating   | 5            | 5                            | 5            | 5
               | Vulnerability Rating | 7            | 7                            | 9            | 9
Engineering    | Risk Factors Total   | 128          | 160                          | 384          | 144
               | Threat Rating        | 8            | 5                            | 6            | 2
               | Consequence Rating   | 8            | 8                            | 8            | 8
               | Vulnerability Rating | 2            | 4                            | 8            | 9

Critical Infrastructure Matrix

Function       | Rating               | Cyber Attack | Armed Attack (single gunman) | Vehicle Bomb | CBR Attack
---------------|----------------------|--------------|------------------------------|--------------|-----------
Site           | Risk Factors Total   | 48           | 80                           | 108          | 72
               | Threat Rating        | 4            | 4                            | 4            | 4
               | Consequence Rating   | 4            | 4                            | 3            | 2
               | Vulnerability Rating | 3            | 5                            | 9            | 9
Engineering    | Risk Factors Total   | 48           | 128                          | 192          | 144
               | Threat Rating        | 3            | 4                            | 3            | 2
               | Consequence Rating   | 8            | 8                            | 8            | 8
               | Vulnerability Rating | 2            | 4                            | 8            | 9

Risk Assessment Results

The process is continued for all the asset-threat/hazard pairs of interest. This is a nominal example of a completed risk table.

The risk assessment result is a prioritized list of risks (i.e., asset - threat/hazard/consequence/vulnerability combinations) that can be used to select safeguards to reduce vulnerabilities (and risk) and to achieve a certain level of protection.

Function       | Rating               | Cyber Attack | Armed Attack (single gunman) | Vehicle Bomb | CBR Attack
---------------|----------------------|--------------|------------------------------|--------------|-----------
Administration | Risk Factors Total   | 280          | 140                          | 135          | 90
               | Threat Rating        | 8            | 4                            | 3            | 2
               | Consequence Rating   | 5            | 5                            | 5            | 5
               | Vulnerability Rating | 7            | 7                            | 9            | 9
Engineering    | Risk Factors Total   | 128          | 128                          | 192          | 144
               | Threat Rating        | 8            | 4                            | 3            | 2
               | Consequence Rating   | 8            | 8                            | 8            | 8
               | Vulnerability Rating | 2            | 4                            | 8            | 9
Warehousing    | Risk Factors Total   | 96           | 36                           | 81           | 54
               | Threat Rating        | 8            | 4                            | 3            | 2
               | Consequence Rating   | 8            | 4                            | 3            | 2
               | Vulnerability Rating | 3            | 3                            | 3            | 3
Data Center    | Risk Factors Total   | 360          | 128                          | 216          | 144
               | Threat Rating        | 9            | 4                            | 3            | 2
               | Consequence Rating   | 8            | 8                            | 8            | 8
               | Vulnerability Rating | 5            | 4                            | 9            | 9
Food Service   | Risk Factors Total   | 2            | 32                           | 48           | 36
               | Threat Rating        | 1            | 4                            | 3            | 2
               | Consequence Rating   | 2            | 2                            | 2            | 2
               | Vulnerability Rating | 1            | 4                            | 8            | 9
Security       | Risk Factors Total   | 280          | 140                          | 168          | 126
               | Threat Rating        | 8            | 4                            | 3            | 2
               | Consequence Rating   | 7            | 7                            | 7            | 7
               | Vulnerability Rating | 5            | 5                            | 8            | 9
Housekeeping   | Risk Factors Total   | 16           | 64                           | 48           | 36
               | Threat Rating        | 8            | 4                            | 3            | 2
               | Consequence Rating   | 2            | 2                            | 2            | 2
               | Vulnerability Rating | 1            | 8                            | 8            | 9
Day Care       | Risk Factors Total   | 54           | 324                          | 243          | 162
               | Threat Rating        | 3            | 4                            | 3            | 2
               | Consequence Rating   | 9            | 9                            | 9            | 9
               | Vulnerability Rating | 2            | 9                            | 9            | 9

FEMA 426, Adaptation of Table 1-20: Site Functional Pre-Assessment Screening Matrix, p. 1-38
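As an added worked example (not part of the lesson or of FEMA's materials), the following Python applies the Threat x Consequence x Vulnerability formula and the Table 1-19 color code to four rows of the results table above, builds the prioritized list this section describes, and re-scores one asset-threat pair after a mitigation measure lowers its vulnerability rating. The function names and the treatment of a score of exactly 176 (which the printed bands skip) are assumptions.

```python
THREATS = ("Cyber Attack", "Armed Attack (single gunman)", "Vehicle Bomb", "CBR Attack")

# Constructed from four rows of the lesson's Risk Assessment Results table:
# (threat, consequence, vulnerability) on the 1-10 scale, one tuple per THREATS column.
RATINGS = {
    "Administration": [(8, 5, 7), (4, 5, 7), (3, 5, 9), (2, 5, 9)],
    "Data Center":    [(9, 8, 5), (4, 8, 4), (3, 8, 9), (2, 8, 9)],
    "Food Service":   [(1, 2, 1), (4, 2, 4), (3, 2, 8), (2, 2, 9)],
    "Day Care":       [(3, 9, 2), (4, 9, 9), (3, 9, 9), (2, 9, 9)],
}

def risk_score(threat, consequence, vulnerability):
    """Total risk factor for one asset-threat pair; each rating must be on the 1-10 scale."""
    for rating in (threat, consequence, vulnerability):
        if not 1 <= rating <= 10:
            raise ValueError(f"rating {rating} is outside the 1-10 scale")
    return threat * consequence * vulnerability

def risk_band(score):
    """Color code: Low 1-60, Medium 61-175, High >176. The printed bands skip 176;
    it is treated as High here (an assumption, not stated in the lesson)."""
    if score <= 60:
        return "Low"
    if score <= 175:
        return "Medium"
    return "High"

def risk_matrix(ratings=RATINGS):
    """{(function, threat): (score, band)} for every asset-threat pair."""
    matrix = {}
    for function, row in ratings.items():
        for threat, tcv in zip(THREATS, row):
            score = risk_score(*tcv)
            matrix[(function, threat)] = (score, risk_band(score))
    return matrix

def prioritized(ratings=RATINGS):
    """Pairs ranked highest risk first: the list from which safeguards are selected."""
    return sorted(risk_matrix(ratings).items(), key=lambda item: item[1][0], reverse=True)

def with_mitigation(function, threat, new_vulnerability, ratings=RATINGS):
    """Re-score one pair after a measure lowers its vulnerability rating; threat and
    consequence stay as assessed, since building design does not reduce either."""
    threat_rating, consequence, _ = ratings[function][THREATS.index(threat)]
    score = risk_score(threat_rating, consequence, new_vulnerability)
    return score, risk_band(score)

if __name__ == "__main__":
    for (function, threat), (score, band) in prioritized():
        print(f"{score:>4}  {band:<6}  {function} / {threat}")
```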

Risk Assessment Results (continued)

As stated previously, this subjective process is best applied to small organizations with few decision makers/decision levels. It will probably not produce hard numbers that can be compared across different assessment teams, but the relative ranking of the asset-threat/hazard pairs by each team will correlate closely if the teams share a consistent perspective. Thus, the highest and lowest identified risks may not receive the same rating numbers, but the asset-threat/hazard pairs the two teams identify will be close to identical. Divergence will occur if one team concentrates on terrorism and the other on continuity of business operations.


Risk Assessment Results (continued)

Large organizations require a more objective approach in which the results of different assessment teams working independently can be compared by decision makers at many levels. These risk ratings will then be comparable across teams as to their numeric value, which is needed in a large organization.

In either case, the goal is to find where the application of limited resources will have the greatest benefit to reducing risk at the least cost.


Selecting Mitigation Measures

In every design and renovation project, the owner ultimately has three choices when addressing the risk posed by terrorism. He or she can:

  1. Do nothing and accept the risk (no cost)
  2. Perform a risk assessment and manage the risk by installing reasonable mitigation measures (some cost)
  3. Harden the building against all threats to achieve the least amount of risk (but at greatest cost)

 

Mitigation Measures

A mitigation measure is an action, device, or system used to reduce risk by affecting a consequence, threat, or vulnerability.

Mitigation efforts can be conducted via:

  • Regulatory measures
  • Rehabilitation of existing structures
  • Protective and control structures
Mitigation Measures - Considerations

Higher risk hazards require mitigation measures to reduce risk. Mitigation measures are conceived by the design professional and are best incorporated into the building architecture, building systems, and operational parameters, with consideration for life-cycle costs.

There are many factors that impact what mitigation measures can be implemented at low, medium, and high levels of difficulty.

In some cases, mitigation measures to enhance security may be in conflict with other design intentions, building codes, planning board master plans, etc.

Mitigation measures can be evaluated against these parameters:

  • Political Support
  • Technical Capacity
  • Community Acceptance
  • Maintenance and Operations
  • Cost and Benefit
  • Ease and Speed of Implementation
  • Financial Resources
  • Timeframe and Urgency
  • Adversely Affected Population
  • Short-Term and Long-Term Solutions
  • Adverse Effects on the Built Environment
  • Estimated Cost
  • Environmental Impact
Achieving Building Security

The assessment process provides concepts for integrating land use planning, landscape architecture, site planning, and other strategies to mitigate the Design Basis Threats as identified in the risk assessment.

Integrating security measures into the design and/or maintenance of buildings presents the asset owner with multiple opportunities to achieve a balance among many objectives such as reducing risk, facilitating proper building function, giving attention to aesthetics and matching architecture, hardening physical structures beyond required building codes and standards, and maximizing use of non-structural systems.

The last point illustrates that a balanced approach to building security does not put everything into hardening the structure to deny the consequences of the terrorist's tactics. Non-structural systems, especially in renovation projects, may provide a level of risk reduction comparable to structural hardening but can be implemented at a much lower cost or at a more convenient time.

Cost-Benefit Analysis

Cost-benefit analysis involves comparing costs of a given protection solution to its perceived benefits. In many cases the cost is the initial cost of installation, although life-cycle costs or life-cycle analysis may be necessary in some situations. Some pertinent situations include:

  • If the benefits of all protection measures are similar, then the best solution is the least costly solution.
  • If the costs of all protection measures are similar, then the best solution is the one that provides the most benefits.
  • When costs and benefits vary, a more in-depth cost-benefit comparison needs to be done; in some situations a more comprehensive life-cycle analysis is needed.
Life-Cycle Costs (LCC)

LCC requires cost analysis over the estimated life span of the protection solution. The main challenge is the accurate computation of the different costs, especially hidden or unexpected costs, over the life span of the asset. There are two limitations to LCC. It:

  • Considers only costs, and does not include benefit computations
  • Ignores the possibility that the life spans of the protection solutions can be different, although more rigorous LCC techniques can accommodate this difference
Process Review
  • Calculate the relative risk for each threat against each asset
  • Identify the high risk areas
  • Identify Mitigation Options to reduce the risk

To get the maximum benefit from limited resources, realize that certain mitigation measures can reduce risk for multiple, high-risk asset-threat/hazard pairs.

Summary

Now that you have completed this lesson, you should be able to:

  1. State what constitutes risk
  2. Provide a numerical rating for risk and justify the basis for the rating
  3. Evaluate risk using the Risk (Threat-Vulnerability) Matrix to capture assessment information
  4. Identify top risks for asset-threat/hazard pairs of interest that should receive measures to mitigate vulnerabilities and reduce risk