Unit Objectives Explainwhat constitutes risk. Evaluaterisk using the Threat-Vulnerability Matrix to capture assessment information. Providea numerical rating for risk and justify the basis for the rating. Identifytop risks for asset-threat/hazard pairs that should receive measures to mitigate vulnerabilities and reduce risk. Risk Management Risk management is the deliberate process of understanding “risk”–the likelihood that a threat will harm an asset with some severity of consequences –and deciding on and implementing actions to reduce it. GAO/NSIAD-98-74: Combating Terrorism –Threat and Risk Assessments Can Help Prioritize and Target Program Investments, April 1998 Assessment Flow Chart AssetValueAssessment(Section 1.1) VulnerabilityAssessment(Section 1.3) Risk Assessment(Section 1.4) IdentifyMitigation Options(Chapters 2 and 3) Threat/HazardAssessment(Section 1.2) Cost AnalysisDecision(Risk Management) (Section 1.5) Analyze how mitigationoptions affect asset criticalityand ultimately riskAnalyze how mitigationoptions change vulnerabilityand ultimately risk Text Box: FEMA 426, Figure 1-3: The Assessment Process Model, p. 1-5 Definition of Risk Risk is a combination of: ..The probability that an event will occur, and ..The consequences of its occurrence FEMA 426, Table 1-19: Total Risk Color Code, p. 1-38 Quantifying Risk Risk Assessment Determine Asset Value Determine Threat Rating Value Determine Vulnerability Rating Value Determine relative risk for each threat against each asset Select mitigation measures that have the greatest benefit/cost for reducing risk FEMA 426, p. 1-38 An Approach to Quantifying Risk Risk =Risk =Asset Value x Threat Rating x Vulnerability Rating Critical Functions 9842Vulnerability Rating2658Threat Rating8888Asset Value144384160128Engineering9977Vulnerability Rating2348Threat Rating5555Asset Value90135140280AdministrationCBR attackVehicle bombArmed attack (single gunman)Cyber attackFunctionFEMA 426, Adaptation of Table 1-20: Site Functional Pre-Assessment Screening Matrix, p. 1-38 Critical Infrastructure 9842Vulnerability Rating2343Threat Rating8888Asset Value14419212848Structural Systems9953Vulnerability Rating2344Threat Rating4444Asset Value721088048SiteCBR attackVehicle bombArmed attack (single gunman)Cyber attackInfrastructureFEMA 426, Adaptation of Table 1-21: Site Infrastructure Systems Pre- Assessment Screening Matrix, p. 1-39 Risk Assessment Results FEMA 426, Table 1-20: Site Functional Pre-Assessment Screening Matrix, p. 1-38 Selecting Mitigation Measures FEMA 426, Figure 1-13: Risk Management Choices, p. 1-44 Three Options: Do nothing and accept the risk. Perform a risk assessment and manage the risk by installing reasonable mitigation measures. Harden the building against all threats to achieve the least amount of risk. Mitigation Measures A mitigation measure is an action, device, or system used to reduce risk by affecting an asset, threat, or vulnerability. Text Box: Regulatory measures Rehabilitation of existing structures Protective and control structures Mitigation Measures Text Box: Political Support Community Acceptance Cost and Benefit Financial Resources Legal Authority Adversely Affected Population Adversely Effects on the Built Env. Environmental Impact Technical Capacity Maintenance and Operations Ease and Speed of Im Achieving Building Security: Planning Factors Building security integrates multiple concepts and practices. Objective is to achieve a balanced approach that combines aesthetics, enhanced security, and use of non-structural measures. Process Review Calculatethe relative risk for each threat against each asset Identifythe high risk areas IdentifyMitigation Options to reduce the risk Summary Risk Definition Critical Function and Critical Infrastructure Matrices Numerical and color-coded risk scale Identify Mitigation Options Unit V Case Study Activity Risk Rating Background Formula for determining a numeric value risk for each asset- threat/hazard pair: Risk = Asset Value x Threat Rating x Vulnerability Rating Requirements: Vulnerability Rating Approach Use worksheet tables to summarize Case Study asset, threat, and vulnerability ratings conducted in the previous activities Use the risk formula to determine the risk rating for each asset- threat/hazard pair for: ..Critical Functions ..Critical Infrastructure