Risk Assessment About Building And Risk

Prepared by Faheem. Risk Assessments: How Much Risk are you willing to accept?

Uploaded by faheem-ul-hasan, posted 16-May-2015. 24 pages.

TRANSCRIPT

Page 1: Risk Assessment About Building And Risk

Prepared by Faheem

Risk Assessments: How Much Risk are you willing to accept?

Page 2: Risk Assessment About Building And Risk

• “Risk”

• Conducting a Risk Assessments

• Concept of a Risk Assessment

• Critical Assets

• Threats

• Vulnerabilities, Frequency, Impact

• Risk levels

• Developing Mitigating Options

• Conclusion

Risk Assessments

Page 3: Risk Assessment About Building And Risk

“Risk”

In simple terms “Risk” can be defined as:

Risk = Impact x (Threat x Vulnerability)

[Diagram: overlapping Assets, Vulnerabilities and Threats, with Risk where the three meet]

Threat x Vulnerability = Probability

Impact = Expected Impact (Asset Value)

Page 4: Risk Assessment About Building And Risk

Conducting a Risk Assessment

In today’s security environment there are numerous sources of information explaining and providing guidelines on how to perform a Risk Assessment:

- ASIS Risk Assessment Guidelines

- Homeland Security Guidelines

- Websites

- College text

- Independent Consultants

But which is the best source? Who has the right answers? Why are there so many different ways to perform a risk assessment?

Page 5: Risk Assessment About Building And Risk

The Concept of a Risk Assessment

Answer: No one has the absolute correct answer! Each source has a general idea of what needs to be, or should be, in an assessment. However, they all agree on the following:

1. There is a General Assessment Process

2. Assessments are not and cannot be performed in a vacuum

3. Clients make the final decision concerning how much “Risk” is acceptable!!

General Assessment Process

1. Assess Assets

2. Assess Threats

3. Assess Vulnerabilities

4. Assess Risk

(Between steps 4 and 5: Cost Analysis, Benefit Analysis, Client Makes Decision)

5. Determine Mitigating Options

6. Client Makes Final Decision

Page 6: Risk Assessment About Building And Risk

Assessments cannot be performed in a vacuum

• Coordinate with local authorities to determine threats

• Local Law Enforcement: criminal statistics

• Federal/Military Officials: possible terrorist information

• Federal/State Officials: natural threat information

• Information Technology (IT) specialist: vulnerabilities to IT systems

• Structural Engineers: vulnerabilities to structure

• Water/Gas/Electrical Engineers: Vulnerabilities to infrastructure

You are expected to be the expert, know who to ask for the right answers!


Page 7: Risk Assessment About Building And Risk

Assess/Determine Your Critical Assets

• Interview, Interview, Interview

• Inquire: Who to talk to and Why

• Talk to those who know

• CEOs, Presidents, and Owners

• Get management buy-in

• Gather as much information as possible

• What will stop production, distribution, services?

• What needs to be protected?

• Why?


Page 8: Risk Assessment About Building And Risk

What are your Critical Assets?

1. People (factory/general employees and/or executive employees)

2. The Facility (the building, property, and all production machinery)

3. Raw Material

| Assets at Risk | Threat | Vulnerability Level | Frequency | Impact | Risk Level | ok? | Mitigating Measure | New Risk Level |
| People (General) | | | | | | | | |
| People (Executives) | | | | | | | | |
| Facility | | | | | | | | |
| Raw Material | | | | | | | | |

Page 9: Risk Assessment About Building And Risk

Know the Threat

• Identify threat categories and adversaries

| Insider | Outsider, Criminal | Environmental | Other |
| Disgruntled employee | Professional burglars | Fire/lightning | Terrorist |
| Former employee | | Weather | |

• Assess intent and motivation of known/suspected adversaries

• Assess the capabilities of an adversary or threat

• Frequency of threat-related incidents based on historical data

• Estimate degree of threat relative to each critical asset

Page 10: Risk Assessment About Building And Risk

More Potential Threats

Dam Safety, Earthquakes, Extreme Heat, Fires, Hazardous Material, Criminal Activity, Hurricanes, Landslides, Nuclear, Multi-Hazard, Thunderstorms, Tornadoes, Terrorism, Floods, Volcanoes, Wildfires, Information Security, Winter Storms

Page 11: Risk Assessment About Building And Risk

Knowing what the critical assets are will aid in determining the Threats

| Assets at Risk | Threats | Vulnerability Level | Frequency | Impact | Risk Level | ok? | Mitigating Measure | New Risk Level |
| People (General) | Aggravated Assaults | | | | | | | |
| | Aggravated Assaults | | | | | | | |
| | Travel to Foreign Country | | | | | | | |
| | Kidnapping | | | | | | | |
| | Heat | | | | | | | |
| | Tornados | | | | | | | |
| | Unauthorized Entry | | | | | | | |
| | Terrorism | | | | | | | |
| | Outsider Theft | | | | | | | |
| | Insider Theft | | | | | | | |
| People (Executives) | | | | | | | | |
| Facility | | | | | | | | |
| Raw Material | | | | | | | | |

Page 12: Risk Assessment About Building And Risk

Vulnerability Level

Vulnerabilities are generally assessed by looking at an asset, examining the threat and determining how the asset can be affected by the threat.

Example

Asset = Executive Vice President of Production, Major Oil Producer
Threat = Kidnapping (Ransom)

Examination of the two shows the EVP, every single morning without variation, leaves the house at the same time, drives the same vehicle, takes the same route to work, parks in the same space, departs at the end of the day at exactly the same time, and again takes the same route home.

The Vulnerability Level for this EVP is Extremely High. At almost any point in this EVP’s day he/she can be affected by the threat of kidnapping.

Page 13: Risk Assessment About Building And Risk

In many cases, Vulnerability assessments should be conducted in conjunction with a Risk Assessment

| Assets at Risk | Threats | Vulnerability Level | Frequency | Impact | Risk Level | ok? | Mitigating Measure | New Risk Level |
| People (General) | Aggravated Assaults | Medium | | | | | | |
| | Aggravated Assaults | Low | | | | | | |
| | Travel to Foreign Country | Medium | | | | | | |
| | Kidnapping | High | | | | | | |
| | Heat | High | | | | | | |
| | Tornados | Medium | | | | | | |
| | Unauthorized Entry | High | | | | | | |
| | Terrorism | Low | | | | | | |
| | Outsider Theft | Low | | | | | | |
| | Insider Theft | Medium | | | | | | |
| People (Executives) | | | | | | | | |
| Facility | | | | | | | | |
| Raw Material | | | | | | | | |

Page 14: Risk Assessment About Building And Risk

Frequency & Impact (Effect)

Most Risk Assessment experts tend to disagree at this point of the process. Different professionals will use different formulas to determine how Threats affect Vulnerabilities, how to score Probability, and finally how to determine Frequency.

How it Works

The following uses historical records and subjective estimates to determine the Probability of a hazard occurring, and the effect (Impact) it would have.

Levels of Probability

7 = An event happens once per year or more

6 = An event happens once every 1-3 years

5 = An event happens once every 3-5 years

4 = An event happens once every 5-10 years

3 = An event happens once every 10-50 years

2 = An event happens once every 100 years

1 = Has never occurred

Levels of Effects (Impact)

7 = Critical: threat would affect 100,000 or more people

6 = Threat would affect 50,000 to 99,999 people

5 = Threat would affect 10,000 to 49,999 people

4 = Threat would affect 5,000 to 9,999 people

3 = Threat would affect 1,000 to 4,999 people

2 = Threat would affect 500 to 999 people

1 = Threat would affect 1 to 499 people

[Risk matrix legend: Low, Med Low, Medium, Med High, High]

Page 15: Risk Assessment About Building And Risk

Impact (Effect)

The product of the Probability times the Effects of the Hazard equals the Risk Index for the hazard:

Probability x Effects = Risk Index

Using our previous example: Asset = Executive Vice President of Production, Major Oil Producer

After performing our research and evaluating all the interviews conducted, we discovered that kidnappings of corporate-level executives occur about once every three years, and generally affect 50,000 to 99,999 people (depending on the size of the company and the number of people this executive has regular contact with). Using the calculations previously given:

Probability 6 (High) x Effect (Impact) 6 (High) = Risk Index 36 (High)
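The scoring described on Pages 14 and 15 (and the Risk = Impact x (Threat x Vulnerability) definition on Page 3) carried through in Python, as an added example that is not part of the original slides. The two 7-point scales are the slides' own; the cut-offs that map a numeric index back to the legend's five levels, the handling of intervals between 50 and 100 years, and the 75,000-person figure used for the kidnapping example are assumptions and are marked as such in the code.

```python
"""Worked example of the slides' "Probability x Effects = Risk Index" scoring.

The two 7-point scales are the ones on Page 14.  Mapping an index back to a
qualitative level is an ASSUMPTION: the slides only show that 6 x 6 = 36 is
"High", so adjust LEVEL_THRESHOLDS to the client's own matrix.
"""
from dataclasses import dataclass
from typing import List, Optional

# ASSUMED cut-offs turning a 1-49 index into the slides' five legend levels.
LEVEL_THRESHOLDS = [(36, "High"), (25, "Med High"), (16, "Medium"),
                    (9, "Med Low"), (1, "Low")]


def probability_level(years_between_events: Optional[float]) -> int:
    """Levels of Probability (Page 14), scored from historical frequency.

    None means the event has never occurred (level 1).  The slide jumps from
    "10-50 years" to "once every 100 years"; scoring anything rarer than
    50 years as level 2 is an ASSUMED reading of that gap.
    """
    if years_between_events is None:
        return 1                      # has never occurred
    if years_between_events <= 0:
        raise ValueError("interval between events must be positive")
    if years_between_events <= 1:
        return 7                      # once per year or more
    if years_between_events <= 3:
        return 6                      # once every 1-3 years
    if years_between_events <= 5:
        return 5                      # once every 3-5 years
    if years_between_events <= 10:
        return 4                      # once every 5-10 years
    if years_between_events <= 50:
        return 3                      # once every 10-50 years
    return 2                          # once every 100 years (or rarer)


def effect_level(people_affected: int) -> int:
    """Levels of Effects / Impact (Page 14), scored from people affected."""
    if people_affected < 1:
        raise ValueError("an effect must touch at least one person")
    for level, lower_bound in ((7, 100_000), (6, 50_000), (5, 10_000),
                               (4, 5_000), (3, 1_000), (2, 500)):
        if people_affected >= lower_bound:
            return level
    return 1                          # 1 to 499 people


def risk_index(probability: int, effect: int) -> int:
    """Probability x Effects = Risk Index (Page 15)."""
    for score in (probability, effect):
        if not 1 <= score <= 7:
            raise ValueError("scores are on a 1-7 scale")
    return probability * effect


def level_for_index(index: int) -> str:
    """Qualitative level for an index, using the ASSUMED thresholds above."""
    for cutoff, name in LEVEL_THRESHOLDS:
        if index >= cutoff:
            return name
    raise ValueError("index must be at least 1")


@dataclass(frozen=True)
class HazardScore:
    asset: str
    hazard: str
    probability: int
    effect: int
    index: int
    level: str


def assess_hazard(asset: str, hazard: str, years_between_events: Optional[float],
                  people_affected: int) -> HazardScore:
    """Run one asset/hazard pair through the whole Page 14-15 calculation."""
    p = probability_level(years_between_events)
    e = effect_level(people_affected)
    idx = risk_index(p, e)
    return HazardScore(asset, hazard, p, e, idx, level_for_index(idx))


def risk_matrix() -> List[List[str]]:
    """7x7 grid of levels indexed [probability-1][effect-1]: the same
    Low .. High legend the slide's coloured matrix carries."""
    return [[level_for_index(risk_index(p, e)) for e in range(1, 8)]
            for p in range(1, 8)]


if __name__ == "__main__":
    # The slides' worked example: executive kidnappings roughly once every
    # three years, affecting 50,000-99,999 people.  75,000 is a constructed
    # value inside that band.
    evp = assess_hazard("EVP of Production, major oil producer", "Kidnapping",
                        years_between_events=3, people_affected=75_000)
    print(f"{evp.hazard}: P{evp.probability} x E{evp.effect} = "
          f"{evp.index} ({evp.level})")
    for row in risk_matrix():
        print(" ".join(f"{cell:>8}" for cell in row))
```

Running the block prints the kidnapping row as `P6 x E6 = 36 (High)` and then the full matrix, which makes the client conversation on the next slides concrete: every cell at or above the client's threshold is a row they will have to either accept or fund a mitigation for.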

Page 16: Risk Assessment About Building And Risk

Frequency & Impact (Effect)

| Assets at Risk | Hazard | Vulnerability Level | Frequency | Impact | Risk Level | ok? | Mitigating Measure | New Risk Level |
| People (General) | Aggravated Assaults | Medium | Low | Medium | | | | |
| | Aggravated Assaults | Low | Low | High | | | | |
| | Travel to Foreign Country | Medium | Low | High | | | | |
| | Kidnapping | High | High | High | | | | |
| | Heat | High | Medium | Medium | | | | |
| | Tornados | Medium | Low | Medium | | | | |
| | Unauthorized Entry | High | Low | High | | | | |
| | Terrorism | Low | Low | High | | | | |
| | Outsider Theft | Low | Low | Low | | | | |
| | Insider Theft | Medium | Low | Low | | | | |
| People (Executives) | | | | | | | | |
| Facility | | | | | | | | |
| Raw Material | | | | | | | | |

Page 17: Risk Assessment About Building And Risk

Risk Level Results

Obviously, as we can see, the Asset we have been watching has a Risk Level of High, but so do other Assets. Will our Client accept this? Or are these areas of concern also?

| Assets at Risk | Hazard | Vulnerability Level | Frequency | Impact | Risk Level | ok? | Mitigating Measure | New Risk Level |
| People (General) | Aggravated Assaults | Medium | Low | Medium | Medium | | | |
| | Aggravated Assaults | Low | Low | High | Medium | | | |
| | Travel to Foreign Country | Medium | Low | High | Medium | | | |
| | Kidnapping | High | High | High | High | | | |
| | Heat | High | Medium | Medium | High | | | |
| | Tornados | Medium | Low | Medium | Medium | | | |
| | Unauthorized Entry | High | Low | High | High | | | |
| | Terrorism | Low | Low | High | Low | | | |
| | Outsider Theft | Low | Low | Low | Low | | | |
| | Insider Theft | Medium | Low | Low | Low | | | |
| People (Executives) | | | | | | | | |
| Facility | | | | | | | | |
| Raw Material | | | | | | | | |

Page 18: Risk Assessment About Building And Risk

Impact of Events - Risk Levels – Acceptable?

| Assets at Risk | Hazard | Vulnerability Level | Frequency | Impact | Risk Level | ok? | Mitigating Measure | New Risk Level |
| People (General) | Aggravated Assaults | Medium | Low | Medium | Medium | Yes | | |
| | Aggravated Assaults | Low | Low | High | Medium | Yes | | |
| | Travel to Foreign Country | Medium | Low | High | Medium | Yes | | |
| | Kidnapping | High | High | High | High | No | | |
| | Heat | High | Medium | Medium | High | No | | |
| | Tornados | Medium | Low | Medium | Medium | Yes | | |
| | Unauthorized Entry | High | Low | High | High | No | | |
| | Terrorism | Low | Low | High | Low | Yes | | |
| | Outsider Theft | Low | Low | Low | Low | Yes | | |
| | Insider Theft | Medium | Low | Low | Low | Yes | | |
| People (Executives) | | | | | | | | |
| Facility | | | | | | | | |
| Raw Material | | | | | | | | |

Page 19: Risk Assessment About Building And Risk

Client Participation

As discussed from the very beginning, the Client must be involved in this process.

The Client has said “No” to the Risk Level concerning the Executive Officers of the Company

What’s Next?

General Assessment Process

1. Assess Assets

2. Assess Threats

3. Assess Vulnerabilities

4. Assess Risk

(Between steps 4 and 5: Cost Analysis, Benefit Analysis, Client Makes Decision)

5. Determine Mitigating Options

6. Client Makes Final Decision

Page 20: Risk Assessment About Building And Risk

Development of Mitigating Options

• Client will not accept any Risk Level of High or above.

• Some may not accept anything over Medium

• Others Medium-High

• Things to remember before presenting Mitigating Options:

• Consistency

• Accuracy

• Speed

• But, most of all, they want to understand.

If a client does not understand why they must do something (Acceptable Risk), then they will not understand why they must spend money to fix it (Cost/Benefit Analysis).

• Finally, explain the benefits of the suggested mitigating options

• Cost: Annual Security Awareness Briefings to the Executive Officers ($1,000 per person, per year)

• Benefit: Possible prevention of a kidnapping (company savings: Life Insurance, Hiring of Security Personnel, Ransom; all of which could cost in the millions)

Page 21: Risk Assessment About Building And Risk

Development of Mitigating Options

| Assets at Risk | Hazard | Frequency | Vulnerability Level | Impact | Risk Level | ok? | Mitigating Measure |
| People (General) | Aggravated Assaults | Low | Medium | Medium | Medium | Yes | N/A |
| | Aggravated Assaults | Low | Low | High | Medium | Yes | N/A |
| | Travel to Foreign Country | Low | Medium | High | Medium | Yes | N/A |
| | Kidnapping | High | High | High | High | No | 1. Awareness Briefs 2. Def. Driving Crse |
| People (Executives) | | | | | | | |

Possible Mitigating Options for our current scenario:

1. Annual Security Awareness Briefing

2. Defensive Driving Course

3. Personal Security Advisor

4. Newly installed security equipment for work and home

The head of our company has chosen Options 1 & 2 after hearing the costs and benefits.

Page 22: Risk Assessment About Building And Risk

New, Acceptable Risk Levels

| Assets at Risk | Hazard | Frequency | Vulnerability Level | Impact | Risk Level | ok? | Mitigating Measure | New Risk Level |
| People (General) | Aggravated Assaults | Low | Medium | Medium | Medium | Yes | N/A | |
| | Aggravated Assaults | Low | Low | High | Medium | Yes | N/A | |
| | Travel to Foreign Country | Low | Medium | High | Medium | Yes | N/A | |
| | Kidnapping | High | High | High | High | No | 1. Awareness Briefs 2. Def. Driving Crse | Medium |
| People (Executives) | | | | | | | | |

New Risk Levels are discussed based on the Mitigating Options chosen for each Asset, Threat, Impact, and Risk Level.

Is this now an acceptable Risk Level for our Client?
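The assessment table of Pages 16 to 22, kept as a small risk register with the Page 20 acceptance rule and the Page 21-22 mitigation step applied to it, as an added example that is not part of the original slides. Risk Level stays an assessor's judgement entered by hand, as in the slides (they note that experts disagree on the combining formula, and the table itself rates two Low/Low/High rows differently), so no formula for it is invented here. The ordering of the qualitative levels, the asset attached to each hazard row, and the threshold value "High" are assumptions drawn from the slide text and marked in the code.

```python
"""Added example: the slides' assessment table as a risk register, with the
client's rule "will not accept any Risk Level of High or above" applied.

ASSUMPTIONS: the Low..High ordering of the Page 14 legend, the asset each
hazard row belongs to (read from the table's row order), and CLIENT_THRESHOLD.
Risk Level is the assessor's judgement, never derived from the other columns.
"""
from dataclasses import dataclass, field
from typing import List, Optional

LEVELS = ["Low", "Med Low", "Medium", "Med High", "High"]   # ASSUMED ordering
CLIENT_THRESHOLD = "High"        # Page 20: High or above is not accepted


def level_rank(level: str) -> int:
    if level not in LEVELS:
        raise ValueError(f"unknown risk level {level!r}")
    return LEVELS.index(level)


@dataclass
class RegisterRow:
    asset: str
    hazard: str
    vulnerability: str
    frequency: str
    impact: str
    risk_level: str                          # assessor's judgement
    mitigating_measures: List[str] = field(default_factory=list)
    new_risk_level: Optional[str] = None     # residual risk once mitigated


def acceptable(level: str, threshold: str) -> bool:
    """A level at or above the client's threshold is not acceptable."""
    return level_rank(level) < level_rank(threshold)


def effective_level(row: RegisterRow) -> str:
    """Residual level once mitigation is recorded, else the original."""
    return row.new_risk_level or row.risk_level


def ok_column(register: List[RegisterRow], threshold: str) -> List[str]:
    """The slides' 'ok?' column, judged against the client's threshold."""
    return ["Yes" if acceptable(r.risk_level, threshold) else "No"
            for r in register]


def pending_decisions(register: List[RegisterRow],
                      threshold: str) -> List[RegisterRow]:
    """Rows whose current (possibly residual) level the client has not accepted."""
    return [r for r in register if not acceptable(effective_level(r), threshold)]


def apply_mitigation(row: RegisterRow, measures: List[str],
                     new_level: str) -> RegisterRow:
    """Record the chosen options and the re-assessed (residual) level.

    A residual rated above the original would mean the 'mitigation' made
    things worse; refuse it so the inconsistency is caught in review.
    """
    if level_rank(new_level) > level_rank(row.risk_level):
        raise ValueError("residual risk cannot exceed the original risk level")
    row.mitigating_measures = list(measures)
    row.new_risk_level = new_level
    return row


def build_register() -> List[RegisterRow]:
    """The Page 18 table (Vulnerability, Frequency, Impact, Risk Level);
    the asset attached to each hazard is ASSUMED from the row order."""
    rows = [
        ("People (General)", "Aggravated Assaults", "Medium", "Low", "Medium", "Medium"),
        ("People (Executives)", "Aggravated Assaults", "Low", "Low", "High", "Medium"),
        ("People (Executives)", "Travel to Foreign Country", "Medium", "Low", "High", "Medium"),
        ("People (Executives)", "Kidnapping", "High", "High", "High", "High"),
        ("Facility", "Heat", "High", "Medium", "Medium", "High"),
        ("Facility", "Tornados", "Medium", "Low", "Medium", "Medium"),
        ("Facility", "Unauthorized Entry", "High", "Low", "High", "High"),
        ("Facility", "Terrorism", "Low", "Low", "High", "Low"),
        ("Raw Material", "Outsider Theft", "Low", "Low", "Low", "Low"),
        ("Raw Material", "Insider Theft", "Medium", "Low", "Low", "Low"),
    ]
    return [RegisterRow(*r) for r in rows]


def run_scenario(register: List[RegisterRow]) -> List[RegisterRow]:
    """Pages 19-22: the client rejects the High rows; the two options chosen
    for Kidnapping bring it to Medium; return what still awaits a decision."""
    for row in pending_decisions(register, CLIENT_THRESHOLD):
        if row.hazard == "Kidnapping":
            apply_mitigation(row, ["Annual Security Awareness Briefing",
                                   "Defensive Driving Course"], "Medium")
    return pending_decisions(register, CLIENT_THRESHOLD)


if __name__ == "__main__":
    reg = build_register()
    for row, ok in zip(reg, ok_column(reg, CLIENT_THRESHOLD)):
        print(f"{row.asset:20} {row.hazard:26} {row.risk_level:7} ok? {ok}")
    for row in run_scenario(reg):
        print("still needs a client decision:", row.hazard, effective_level(row))
```

Keeping the threshold as data rather than hard-coding "High" lets the same register answer the other two clients the slides mention ("anything over Medium" is a threshold of Med High; "Medium-High" is Med High as well) without touching the rows, and the residual-risk check stops a mitigation from being recorded that leaves the row worse than before. After the scenario runs, Heat and Unauthorized Entry are still pending, which is exactly the "are these areas of concern also?" question on Page 17.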

Page 23: Risk Assessment About Building And Risk

How Much Risk are you willing to accept?

Questions?

Page 24: Risk Assessment About Building And Risk


Sources of Information: Risk Assessments

1. Risk Management for Security Professionals

2. Risk Assessment Guidelines: ASIS International

3. National Strategy for Homeland Security Jul 2008

4. Contemporary Security Management

5. Principles of Emergency Planning Management

6. Readings in Security Management: Principles and Practices