BUILDING DESIGN FOR HOMELAND SECURITY Unit V Risk Assessment/ Risk Management Unit Objectives Explain what constitutes risk. Evaluate risk using the Threat- Vulnerability Matrix to capture assessment information. Provide a numerical rating for risk and justify the basis for the rating. Identify top risks for asset Ð threat/hazard pairs that should receive measures to mitigate vulnerabilities and reduce risk. Risk Management Risk management is the deliberate process of understanding "risk" Ð the likelihood that a threat will harm an asset with some severity of consequences Ð and deciding on and implementing actions to reduce it. GAO/NSIAD-98-74: Combating Terrorism Ð Threat and Risk Assessments Can Help Prioritize and Target Program Investments, April 1998 Assessment Flow Chart Definition of Risk Risk is a combination of: . ¥ The probability that an event will occur, and . ¥ The consequences of its occurrence Table 1-19: Definitio n of Risk, page 1- 38 Quantifying Risk Risk Assessment Determine Asset Value Determine Threat Rating Value Determine Vulnerability Rating Value Determine relative risk for each threat against each asset Select mitigation measures that have the greatest benefit/cos t for reducing risk An Approach to Quantifying Risk Asset Value x Threat Rating x Vulnerability Rating BUILDING DESIGN FOR HOMELAND SECURITY Unit V-7 Critical Functions Function Cyber attack Armed attack (single gunman) Vehicle bomb CBR attack Administration 280 140 135 90 Asset Value 5 5 5 5 Threat Rating 8 4 3 2 Vulnerability Rating 7 7 9 9 Engineering 128 160 384 144 Asset Value 8 8 8 8 Threat Rating 8 5 6 2 Vulnerability Rating 2 4 8 9 Extracted from Table 1-20: Site Functional Pre-Assessment Screening Matrix, page 1-38 BUILDING DESIGN FOR HOMELAND SECURITY Unit V-8 Critical Infrastructure Function Cyber attack Armed attack (single gunman) Vehicle bomb CBR attack Site 48 80 108 72 Asset Value 4 4 4 4 Threat Rating 4 4 3 2 Vulnerability Rating 3 5 9 9 Structural Systems 24 32 240 16 Asset Value 8 8 8 8 Threat Rating 3 4 3 2 Vulnerability Rating 2 4 8 9 Extracted from Table 1-21: Site Infrastructure Systems Pre- Assessment Screening Matrix, page 1-40 BUILDING DESIGN FOR HOMELAND SECURITY Unit V-9 Risk Assessment Results Selecting Mitigation Measures Three Options: D o no thi ng an d ac ce pt th e ris k. Perfo rm a risk asse ssme nt and man age the risk by instal ling reas onab le mitig ation mea sure s. Harden the building against all threats to achieve the least amount of risk. Mitigation Measures A mitigation measure is an action, device, or system used to reduce risk by affecting an asset, threat, or vulnerability. BUILDING DESIGN FOR HOMELAND SECURITY Unit V-12 Measures to Reduce Risk THREATS ASSETS Deter Relocate Detect Reduce assets Deny Plan for Devalue recovery Insure Affect the threat posed by the adversary Reduce the impact on the assets VULNERABILITIES Conceal Reduce Eliminate Affect the degree of vulnerability Achieving Building Security: Planning Factors Building security integrates multiple concepts and practices. Objective is to achieve a balanced approach that combines aesthetics, enhanced security, and use of non- structural measures. Process Review Calculate the relative risk for each threat against each asset Identify the high risk areas Identify Mitigation Options to reduce the risk Summary Risk Definition Critical Function and Critical Infrastructure Matrix Numerical and color coded risk scale Identify Mitigation Options Unit V Case Study Activity Risk Rating Background Formula for determining a numeric value risk for each asset- threat/hazard pair: Risk = Asset Value x Threat Rating x Vulnerability Rating Requirements: Vulnerability Rating Approach Use worksheet tables to summarize HIC asset, threat, and vulnerability assessments conducted in the previous activities Use the risk formula to determine the risk rating for each asset-threat/hazard pair for: ¥ Critical Functions