11. Risk Assessments: Conducting a Risk Assessment

In today's security environment there are numerous sources of information explaining and providing guidelines on how to perform a Risk Assessment:
- ASIS Risk Assessment Guidelines
- Homeland Security Guidelines
- Websites
- College texts
- Independent Consultants

But which is the best source, who has the right answers, and why are there so many different ways to perform a risk assessment?
12. Risk Assessments: The Concept of a Risk Assessment

[Diagram: General Assessment Process, steps 1-6: Assess Assets; Assess Threats; Assess Vulnerabilities; Assess Risk; Client Makes Decision (between steps 4 and 5); Determine Mitigating Options (Cost Analysis / Benefit Analysis); Client Makes Final Decision]

Answer: No one has the absolute correct answer! Each source has a general idea of what needs to be, or should be, in an assessment. However, they all agree on the following:
- There is a General Assessment Process
- Assessments are not and cannot be performed in a vacuum
- Clients make the final decision concerning how much "Risk" is acceptable!!
34. Risk Assessments: Vulnerability Level

Vulnerabilities are generally assessed by looking at an asset, examining the threat, and determining how the asset can be affected by the threat.

Example:
Asset = Executive Vice President of Production, Major Oil Producer
Threat = Kidnapping (Ransom)

Examination of the two shows the EVP, every single morning without variation, leaves the house at the same time, drives the same vehicle, takes the same route to work, parks in the same space, departs at the end of the day at exactly the same time, and again takes the same route home.

The Vulnerability Level for this EVP is Extremely High. At almost any point in this EVP's day he/she can be affected by the threat of kidnapping.
35. Risk Assessments

In many cases, Vulnerability Assessments should be conducted in conjunction with a Risk Assessment.
36. Risk Assessments: Frequency & Impact (Effect)

[Diagram: risk matrix of Frequency against Impact (Effect), with cells labelled High, Med High, Medium, Med Low, and Low]

Most Risk Assessment experts tend to disagree at this point of the process. Different professionals will use different formulas to determine how Threats affect Vulnerabilities, how to score Probability, and finally how to determine Frequency.

How it Works: The following uses historical records and subjective estimates to determine the Probability of a hazard occurring, and the effect (Impact) it would have.

Levels of Probability:
7 = An event happens once per year or more
6 = An event happens once every 1-3 years
5 = An event happens once every 3-5 years
4 = An event happens once every 5-10 years
3 = An event happens once every 10-50 years
2 = An event happens once every 100 years
1 = An event has never occurred

Levels of Effects (Impact):
7 (Critical) = Threat would affect 100,000 or more people
6 = Threat would affect 50,000 to 99,999 people
5 = Threat would affect 10,000 to 49,999 people
4 = Threat would affect 5,000 to 9,999 people
3 = Threat would affect 1,000 to 4,999 people
2 = Threat would affect 500 to 999 people
1 = Threat would affect 1 to 499 people
37. Risk Assessments: Impact (Effect)

The product of the Probability times the Effects of the Hazard equals the Risk Index for the hazard:

Probability x Effects = Risk Index

Using our previous example:
Asset = Executive Vice President of Production, Major Oil Producer

After performing our research and evaluating all the interviews conducted, we discovered that kidnappings of corporate-level executives occur about once every three years, and generally affect 50,000 to 99,999 people (depending on the size of the company and the number of people this executive has regular contact with).

Using the calculations previously given:
Probability 6 (High) x Effect (Impact) 6 (High) = Risk Index 36 (High)
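As an added example that is not part of the original slides, the scoring model of slides 36 and 37 written out in Python so that several asset/threat pairs are scored the same way and ranked for the client's decision. The EVP row reproduces the deck's worked example; the other rows are constructed, and scoring recurrence intervals longer than 50 years as level 2 is an assumption, since the deck has no 50-100 year band.

```python
from typing import Iterable, Optional

# Probability scale from slide 36: (upper bound on years between events, level).
_PROBABILITY = [(1, 7), (3, 6), (5, 5), (10, 4), (50, 3)]
# Effect scale from slide 36: (minimum number of people affected, level).
_EFFECT = [(100_000, 7), (50_000, 6), (10_000, 5), (5_000, 4), (1_000, 3), (500, 2)]


def probability_level(years_between_events: Optional[float]) -> int:
    """Map historical recurrence to the 1-7 probability scale; None = never occurred."""
    if years_between_events is None:
        return 1  # has never occurred
    if years_between_events < 0:
        raise ValueError("recurrence interval must be non-negative")
    for upper, level in _PROBABILITY:
        if years_between_events <= upper:
            return level
    # Slide 36 gives level 2 as "once every 100 years" with no 50-100 year band;
    # assumption: anything rarer than once in 50 years scores 2.
    return 2


def effect_level(people_affected: int) -> int:
    """Map the number of people a threat would affect to the 1-7 effect scale."""
    if people_affected < 1:
        raise ValueError("an effect must involve at least one person")
    for floor, level in _EFFECT:
        if people_affected >= floor:
            return level
    return 1  # 1 to 499 people


def risk_index(years_between_events: Optional[float], people_affected: int) -> int:
    """Risk Index = Probability x Effects, as on slide 37."""
    return probability_level(years_between_events) * effect_level(people_affected)


def rank_assets(assessments: Iterable[tuple]) -> list:
    """Score (asset, threat, years_between_events, people_affected) rows and return
    (asset, threat, risk_index) sorted highest first, for the client's decision."""
    scored = [(asset, threat, risk_index(years, people))
              for asset, threat, years, people in assessments]
    return sorted(scored, key=lambda row: row[2], reverse=True)


# Constructed sample register; only the EVP row is the deck's own worked example.
SAMPLE_ASSESSMENTS = [
    ("EVP of Production", "Kidnapping (ransom)", 3, 75_000),
    ("Refinery control room", "Fire", 8, 800),
    ("Payroll server", "Flooding", None, 2_000),
]
```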
39. Risk Assessments: Risk Level Results

Obviously, as we can see, the Asset we have been watching has a Risk Level of High, but so do other Assets. Will our Client accept this? Or are these other Assets areas of concern also?
41. Risk Assessments: Client Participation

[Diagram: General Assessment Process, as on slide 12: Assess Assets; Assess Threats; Assess Vulnerabilities; Assess Risk; Client Makes Decision; Determine Mitigating Options (Cost Analysis / Benefit Analysis); Client Makes Final Decision]

As discussed from the very beginning, the Client must be involved in this process. The Client has said "No" to the Risk Level concerning the Executive Officers of the Company. What's Next?
50. Cost: Annual Security Awareness Briefings to the Executive officers ($1,000 per person, per year)
52. Risk Assessments: New, Acceptable Risk Levels

New Risk Levels are discussed based on the Mitigating Options chosen for each Asset, Threat, Impact, and Risk Level. Is this now an acceptable Risk Level for our Client?
54. Risk Assessments: Sources of Information

- Risk Assessments
- Risk Management for Security Professionals
- Risk Assessment Guidelines: ASIS International
- National Strategy for Homeland Security, Jul 2008
- Contemporary Security Management
- Principles of Emergency Planning Management
- Readings in Security Management: Principles and Practices