Risk assessment presentation

Risk Analysis

Completing the Risk Analysis PuzzleA Presentation by Michelle Magario

For BSDP 583 Spring 2012

Table of Contents

• Part 1:

• Risk Analysis• Limitations• Interdependency

• Part 3

• In Practice

• Part 2:

• Interventions• Recommendations• Budgetary considerations

Purpose Statement

Purpose:• Characterize• Define• Mitigate• Eliminate

Protect Defend

Vulnerabilities

Threats

Risks

Assets

Risk Management

© Copyright 2004 Risk Mitigation Associates -- All rights reserved.

Risk Analysis

• Phase 1– Analyze RisksAssetsThreatsVulnerabilitiesRisks

• Phase 2– CountermeasuresMitigation OpportunitiesPlan DevelopmentPolicy Institution

Phase 1

Risk Assessment: Phase 1

• Asset Characterization• Criticality Analysis• Threat Identification• Consequence Analysis• Vulnerability Analysis• Probability Assessment• Risk Assessment• Risk Prioritization• Risk Management

Assets

ThreatsVulnerabilities

Risks


Assets

PeoplePropertyProprietary InformationReputation


• Criticality Analysis

-which assets are criticalUnderstand• Mission related

-describe the assetDescribe• Location• Type

-assign a valueRank• Numeric• Relative


Hazard• Natural• Manmade• Unintentional• Safety• Security• Disasters• Political/Military• Environmental or Behavioral

Threat• Manmade• Intentional• With Malice• Terrorists• Petty or Economic Criminals• Subversives


• Consequence Analysis– Losses• Human life• Property• Proprietary information• Reputation

– Impact• Environmental• Economical


• Vulnerability Analysis

– 3 distinct steps• Define• Evaluate• Identify Vulnerability

Define

EvaluateIdentify


• Probability Assessment– View point dependent– Based on attractiveness– Historic Data– Statistics


Risk = Probability x Vulnerability x Consequence


• Risk:

– Assessment– Prioritization– Management

Assess

Prioritize

Manage

Phase 2


Countermeasures• Mitigation opportunities– Safety– Security– Policy Development

• Enforcement• Costs

Mitigation

Security

SafetyPolicy


Safety: In Place• Identify• Evaluate• Enforce

Safety: In Need Of • Identify• Evaluate• Implement• Assess• Enforce


Security: In Place• Identify• Evaluate• Enforce

Security: In Need Of• Identify• Evaluate• Implement• Assess• Enforce


• Policy Development and Implementation:

Trigger

Review

Impact

Expert Review

Approval

Monitor

Phase 3


• In Practice:– Small facility– 5 employees– Widgets


Asset Risk Consequence Vulnerability Probability

Employees 12 2 3 2

Facility 16 4 2 2

Equipment 20 5 2 2

Proprietary info 100 5 5 4

Reputation 125 5 5 5

Risk Assessment: 3


Employee 12 2 3 2

Risk Assessment: 3


Facility 16 4 2 2

Risk Assessment: 3


Equipment 20 5 2 2

Risk Assessment: 3


Proprietary info 100 5 5 4

Risk Assessment: 3


Reputation 125 5 5 5


• Prioritization

Asset Risk

Reputation 125

Proprietary Information 100

Equipment 20

Facility 16

Employees 12


• Countermeasures

– QA/QC support– Sabotage protection– Computer back-up and security– Visitor management


• Policy Development and Implementation

References

Booz-Allen and Hamilton, Inc. (2000). Analytical risk management: A course guide for

security risk management.

Norman, T. L. (2010). Risk Analysis and Security Countermeasure Selection. Boca Raton,

FL: Taylor & Francis Group.

Business

Risk assessment presentation