a risk analysis standard for natural and man-made hazards to higher education institutions
TRANSCRIPT
i
1828 L Street, N.W.
Suite 906
Washington, D.C. 20036
Tel 202.785.3756
Fax 202.429.9417
www.asme.org 1 2 3
4 5 6 7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
NOT FOR DISTRIBUTION
A Risk Analysis Standard for Natural and Man-Made Hazards to Higher Education Institutions
Draft 3.0
ASME-ITI
February 2010
ii
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37 38 39 40
41 42 43 44 45
46 47 48 49 50 51
Copyright © 2010
ASME Innovative Technologies Institute, LLC 1828 L Street, NW Suite 906 Washington, DC 20036
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise without the prior permission of the copyright owner. RAMCAP Plus® is a registered trademark owned by ASME Innovative Technologies Institute. This trademark is not to be used without the prior express written consent of ASME Innovative Technologies Institute, LLC.
ASME Innovative Technologies Institute, LLC (ASME-ITI) is a not-for-profit Limited Liability Company that is a wholly owned subsidiary of ASME. ASME-ITI provides market-relevant engineering and technology-based products and services to the government, industry, and academic markets. Services provided by ASME-ITI include risk and vulnerability analysis for national and homeland security; program management for government, industry and academic clients; consortia and coalition management.
iii
52
53 54
DISCLAIMER (Placeholder)
iv
55 Table of Contents (Placeholder)
v
56 57 58 59
60 61
62
63 64 65 66 67
68 69 70 71 72 73 74 75 76 77 78
ASME-ITI
A Risk Analysis Standard for Natural and Man-Made Hazards to Higher Education Institutions
(The following is the roster of the Committee at the time of approval of this Standard.)
STANDARD COMMITTEE OFFICERS Michael Abbiatti, Arkansas Research and Education Optical Network, Chair
Michael Mastrangelo, University of Texas System, Vice Chair James W. Jones, ASME-ITI, Secretary
STANDARDS COMMITTEE PERSONNEL Richard Benson, Virginia Tech
Grace Crickette, University of California System John Elwood, U.S. Air Force & National Guard Kim Hunter-Reed, Louisiana Board of Regents
Gary Langsdale, The Pennsylvania State University Mike Megna, University of Texas Medical Branch Galveston
Robert Pangborn, The Pennsylvania State University John Petrie, formerly of The George Washington University
David N. Sattler, Western Washington University John Sener, Sloan Consortium
vi
79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99
100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123
Foreword Resilience of our country’s higher education institutions has become a pressing national priority. A college or university’s ability to respond and recover from a disaster can save lives and help ensure academic continuity. The tragedies of the 2005 Gulf Coast hurricanes and the acts of violence that struck campuses like Virginia Tech, Delaware State University, and Northern Illinois University underscore the need to gain a better understanding of the threats, risks and vulnerabilities of higher education institutions due to disasters, large-scale crimes, and other emergencies. To aid that effort, ASME-Innovative Technologies Institute, LLC, a wholly owned subsidiary of the American Society of Mechanical Engineers (ASME), has convened academics, risk experts, and emergency management personnel to develop this Standard based on the Risk Analysis and Management for Critical Asset Protection (RAMCAP) Plus® process. Following the attacks of September 11, 2001, ASME convened more than 100 industry leaders at the request of the White House to define and prioritize the requirements for protecting our nation’s critical infrastructure. The leaders’ primary recommendation was to create a risk analysis process to support decisions allocating resources to risk-reduction initiatives. As a result, RAMCAP Plus® employs a common terminology, common metrics and consistent methodology – tailored to the technologies, practices and cultures of the respective industries – to permit direct comparisons within and across industry sectors. Such direct comparisons are seen as essential to supporting rational decision-making in allocating limited private and public resources to reducing risk to critical infrastructures. RAMCAP initially focused on terrorist-related events and evolved under ASME-ITI into the all-hazards RAMCAP Plus® methodology it is today. The Standard Committee that created this document has based this Standard on the RAMCAP Plus® approach. In general, approaches to estimating risk share a set of steps that include identifying the asset to be considered; identifying possible threats; estimating the probability that a given threat will affect that asset; estimating the probability that an incident involving that threat will occur; and estimating the risk of each threat identified on each asset. After following these steps, decisions can be made concerning how to reduce the risk for the assets under consideration. Some risk assessment methodologies may use slightly different terminology and may have a different number of steps. Any method that takes the same general approach as the one described above is acceptable under this Standard. A Standard can be defined simply as a set of technical definitions, guidelines, and “how to” instructions for users. This Standard provides a consistent and technically sound methodology to identify, analyze, and communicate hazards on college and university campuses. More specifically, the methodology considers security and safety for individuals as well as the campus infrastructure, including buildings, laboratories, utilities and other resources for key functions. It is flexible and can be implemented by campuses with varied populations and resources. Regardless of how many people work at and attend the institution, this Standard provides a starting point for decision-makers to determine the extent of risk on campus, thus allowing them
vii
124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162
to design a plan and then to act appropriately. Use of the Standard is voluntary and at the discretion of the institution. The Standard acknowledges the importance of academic continuity and provides valuable resources for future reference. The primary role of institutions of higher education is to provide a safe and secure environment for the pursuit of education. An event that interrupts academic continuity can have adverse consequences for both the students and the institution. A student interrupted by the loss of one semester may have increased difficulty graduating due to financial hardship or personal challenges. A university that loses one semester of tuition income may have difficulty recovering from financial discontinuity. Instructors and researchers can lose the continuity of experiments or data accumulated over years. This Standard provides a vehicle for the exchange of safety and security recommendations and helps higher education institutions maintain the ability to continue key functions (e.g., academic and business continuity). This Standard will allow institutions to have access to the best available practices and provide a sound initial framework to help the academic community pre-plan for adverse events. In order to quantify risk (i.e., put a numerical value on the amount of risk associated with a particular event or postulated event), specific values must be used so that risks from different events can be compared. Further, once risk is estimated using specific numerical values, then the change in risk caused by upgraded security or other factors such as increased seismic requirements that reduce risk can be calculated. This ability to calculate risk numerically allows for better risk management. The cost to upgrade security or implement other risk reduction programs can be compared to the change in risk. For example, if it costs $20,000 to reduce risk by $10,000 then it is probably not a good investment. Thus, a numerical methodology for estimating risk is useful for justifying expenditures, calculating insurance rates and determining acceptable levels of risk. For the purpose of calculation, risk is defined as a function of the probability of an incident, the vulnerability to the incident, and the consequences of the incident. With this information, alternative initiatives for reducing risk and enhancing resilience can be evaluated for their ability to reduce the vulnerability to, probability of, and cost of adverse consequences as a result of the hazard. The reductions in risks are the benefits of the initiatives that can be used in estimating the benefit/cost ratios and allocation of resources for specific initiatives. This Standard provides a foundation for both existing and future developments in risk-based methodologies,1 and encourages the acceptance of a broad range of those methodologies through consistency in definitions and application. If any risk-based methodology is to be successful, consistency is a necessity. It is recognized that any such Standard must have wide-ranging support and user consensus. For that reason, the ASME-ITI Standard Committee has sought
1 It is recognized that other risk assessment tools may be implemented to evaluate other types of risk such as investment portfolio risk, insurance risk, financial risk, compliance risk, and strategic risk.
viii
163 164 165 166
feedback from appropriate entities from across the country to help guide this Standard to ensure flexibility and consistency. While this Standard seeks to protect physical assets on campus, the most important reason for its development is the protection of human lives and to ensure all personnel on campus can live, teach, and learn in a safe and secure academic environment.
1
167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185
186 187 188 189 190
191 192 193 194 195 196 197 198 199 200 201 202
203 204 205 206 207
A Risk Analysis Standard for Natural and Man-Made Hazards to Higher Education Institutions 1 SCOPE The voluntary Standard provides consistent and technically sound methodology to identify, analyze, quantify, and communicate asset characteristics, vulnerabilities to natural and man-made hazards, and consequences of these hazards on the campuses of colleges and universities. Human life is the most important asset that a higher education institution has and the analysis includes risks to human life and well-being as well as risks to facilities and infrastructure. This Standard emphasizes operational hazards which could impact an institution. Although there are other categories of risk such as strategic, financial, and compliance risks which are not specifically addressed by this Standard, the institution must also recognize and plan for events arising from these other risk categories. It is an all-hazards approach that focuses not only on potential terrorist attacks, but natural disasters, infrastructure failures, major accidents, and violent crimes. It establishes requirements for the risk and resilience assessment and management process to inform decisions on allocation of resources to reduce risk and enhance resilience through countermeasures and mitigation strategies. The risk assessment process should2 be comprehensive and should take into account all operational hazards that might affect a given asset.
This Standard documents a process for identifying vulnerabilities and provides methods to evaluate the options for reducing these weaknesses. It is designed to be a starting point or even a pre-plan. This Standard is and will be maintained to be consistent as much as practicable with the current Risk Analysis and Management for Critical Asset Protection (RAMCAP) Plus® Standard developed and maintained by ASME Codes and Standards.
The RAMCAP Plus® methodology provides a method of assessing risk for certain types of threats and incidents, but does not address some preparedness and interoperability issues that are discussed in this Standard. The RAMCAP Plus® methodology is not specifically designed to fully address the ability to maintain the core mission of institutes of higher learning such as learning, teaching, research and health care. Rather, the RAMCAP Plus® methodology should be followed when applicable procedures may be necessary as indicated herein. The Standard addresses threats to persons, facilities, and academic operations and is based on the RAMCAP Plus ® approach. The Committee has made efforts to ensure the Standard is flexible and should be used in conjunction with business/academic continuity plans while addressing peripheral issues not directly addressed by RAMCAP Plus®, such as encouraging constant communication with Emergency Operations Centers (EOCs), and dealing with the media in the event of an emergency.
This Standard specifies the steps to be followed in analyzing, quantifying, managing, and communicating the risks from all potential hazards and establishes requirements for the risk assessment and management process. This process informs decisions on allocation of resources to reduce that risk through countermeasures, safety, prevention, preparedness, and mitigation strategies.
2 Use of “should” indicates that a statement is a recommendation, the advisability of which depends on the facts of certain situations.
2
208 209 210 211 212 213 214 215 216
217 218 219 220 221 222 223 224 225 226 227 228 229 230
231 232
233 234 235
236
237 238 239 240 241 242
243 244 245 246 247 248 249 250
Use of this Standard is voluntary at the discretion of the institution and is intended to serve as a guideline to help higher education institutions perform risk assessments. The Standard describes basic elements that should be in a risk assessment and provides latitude in how to implement a risk assessment so that institutions with varying levels of facilities and resources can benefit from the Standard. Voluntary standards serve as a vehicle of communication, define a common language, define quality, and establish safety criteria. A voluntary standard does not have the force of law. A standard is not intended to be a detailed workbook or complete checklist on how to conduct a risk assessment. The Standard provides guidelines, definitions and criteria for the development of more detailed assessment tools. It is, essentially, a blueprint for a plan.
This Standard is developed for use by a wide range of campuses that may be at risk of many different hazards. For some institutions, it may not be necessary to perform a detailed, quantitative risk assessment for all facilities and buildings. Screening tools (as described in Appendix A) should be used to determine the level of assessment necessary to insure safety and security for each campus. For example, a community college campus that serves commuting students (with no residential dormitories), has no ongoing long-term research on campus, no research reactor, minimal amounts of hazardous chemicals, and minimal hazardous biological material may not need to perform a detailed risk assessment for all facilities. However, building security, personal security and events such as a life threatening situation (e.g., active shooter) should be considered. Conversely, a large research university campus which may have radiation hazards, biological hazards and significant amounts of hazardous chemicals should perform a more detailed and extensive risk assessment because of the higher potential consequences from an incident, either man-made or from natural causes. This screening process will be described in more detail in the standard.
1.1 Jurisdiction: This Standard is under the jurisdiction of the ASME Innovative Technologies Institute, LLC.
1.2 Process: This Standard provides requirements for an all-hazards approach to help prepare for, prevent and mitigate threats on the campuses of higher education institutions. This standard provides risk methodologies for:
1.2.1 Threats to Personal Security
Personal security includes all hazards not considered to be natural hazards that can result in harm to the individual. Security inside the buildings will be included in Facility Security. Personal security includes life-threatening or dangerous behavior such as bodily assault, robbery, hate crimes, and intimidation.
1.2.2 Threats to Facility Security
Facility security includes all malevolent events except so-called natural hazards. Facility security considers:
1) Security of the building from damage by events other than natural hazards. This considers how a particular event affects the physical structures and components;
2) Security of the individuals in the facilities. This considers the probability of injury or fatality when an individual is within the facility; and
3) Data security and recovery. This considers the security of data contained in the facility that may include critical research that is difficult to replace or medical and personal data
3
251 252 253 254 255 256 257 258 259 260 261 262 263 264
265 266 267 268 269 270 271 272 273 274
275
276 277 278 279 280 281
282
283
284
285
286
287
288
289
290
291
that could result in the compromise of personal or administrative privacy which could prove embarrassing and damaging to the institution or individuals.
The risk to a building or other aspect of infrastructure is thus a function of location, the type of event being considered, and the changes in building code since the construction of the building or infrastructure element. Therefore, the risk to a building must be based upon the probability that the magnitude of the event will exceed the design basis. The greater the extent to which the event exceeds the design basis, the greater the damage to the structure and, conversely, the lower the probability of the event occurring. Building codes are continually changing and risk for a particular initiating event may be different depending on the code version used for design and construction. This fact must be considered when estimating risk due to events that are governed by building codes.
1.2.3 Threats from Natural Hazards
Natural hazards include earthquakes, hurricanes, tornadoes, tsunamis, floods, wild fires, winter storms and other threats that are often referred to as Acts of God. Natural hazards assessment will include:
• Risks to infrastructure • Risks to individuals
Natural hazards are considered in the design of all infrastructure components that are constructed in accordance with building codes. The philosophy of building codes is to design structures to withstand the effects of natural hazards that have a frequency of occurrence that is considered to be reasonable considering both the initial cost of construction and the cost of replacement.
1.2.4 Threats to Operations
Threats to operations include all malevolent incidents except natural hazards that pose a threat to the continuity of operations. Threats to operations include all that could impair the operation of the institution. These can include threats described in Sections 1.2.1, 1.2.2, and 1.2.3 or additional elements like pandemic illness, cyber attack, loss of utilities, incapacity of governance, rioting or other foreseeable events that can disrupt the mission of the institution of providing education, a safe learning environment, and services to the community.
4
292 293
294 295 296 297
298 299 300 301 302 303 304 305
306 307 308 309 310 311
312 313 314 315
316 317 318 319 320 321 322
323 324 325 326 327 328 329
2 DEFINITIONS3
The following definitions provide common and consistent language for user reference.
2.1 All-Hazards – a natural or man-made incident that compels action to protect life, property, environment, and public health or safety in an effort to minimize disruptions to the functions of the institution. In this Standard, the term “all-hazards” refers to operational risk and does not address strategic, financial, or compliance risks.
2.2 Asset – an item of value or importance that if targeted, exploited, destroyed, or incapacitated could result in large scale injury, death, economic damage to the owner of the asset or to the community it serves, destruction of property, or profound damage to the institution’s operations and/or reputation. Human lives, of course, are the most important asset on a campus and their protection is vital. Other assets may include physical elements (tangible property), cyber elements (information and communication systems), research animals and organisms, and personnel elements (critical knowledge and functions of people).
2.3 Bin – a range of values that can be grouped together. For example, consequences could be termed “low” if the consequences of an event falls between $0-10,000. The term “medium” could be applied to consequences between $10,000-100,000. The term “high” could be used to refer to consequences greater than $100,000. Thus bin 1 (low) could be plotted in green, bin 2 (medium) could be orange, and bin 3 (high) could be plotted in red for easily interpreted display purposes.
2.4 Configuration Control – the process by which the entire risk management process is documented initially and all subsequent changes are documented. Further, all updates to the process are documented by noting in the original. All copies of the document must be tracked and updated when changes are made.
2.5 Consequence – the immediate, short-, and long-term effect of any malevolent event. Effects include losses suffered by the owner of the asset and by the community served by that asset. They include human and property losses, environmental damages and loss of life. Property damage and losses from interruption of operations are expressed in monetary units. Consequences involving loss of life, injury, and environmental damage may be measured in natural units (e.g., fatalities; number of serious injuries; losses in air, land or water quality) or might be converted to economic terms for a combined analysis.
2.6 Consequence Analysis – for any particular incident or malevolent event, the user should assume the “worst reasonable case” for estimating consequences. If the incident is perpetrated by an individual or individuals, assume that the person(s) is intelligent, adaptive, and well-trained. If the incident is a naturally-occurring event, assume the worst reasonable case that could be expected. Consequences are measured in terms of dollars, fatalities and serious injuries. Include the effect of secondary effects such as interdependencies, loss of reputation, etc., whenever possible.
3 These definitions are based on All-Hazards Risk and Resilience: Prioritizing Critical Infrastructure Using the RAMCAP Plus® Approach.
5
330 331 332 333 334 335 336
337 338 339 340 341
342 343
344 345
346 347
348 349 350 351 352
353 354 355 356
357 358 359
360 361
362 363 364
365 366 367
368 369 370
2.7 Consequence Mitigation – the planned and coordinated action or system features that are designed to reduce or minimize the damage caused by attacks (consequences of an attack); support and complement emergency forces (first responders); facilitate field-investigation and crisis management response; and facilitate rapid recovery, reconstitution and resumption of function. Consequence mitigation may also include steps taken to reduce short- and long-term impacts, such as providing alternative sources of supply for critical goods and services.
2.8 Countermeasure – an action taken or a physical capability provided for the principal purpose of reducing or eliminating vulnerabilities or reducing the probability of occurrence of personnel attacks. The term countermeasure is not normally used to refer to changes to structures such as seismic upgrades, wind hardening, etc. Countermeasures may be designed to defend, detect, deter or diminish an attack.
2.8.1 Defend against attack by delaying or preventing an aggressor’s movement toward the asset or use of weapons and explosives;
2.8.2 Detect an aggressor who is planning or committing an attack or the presence of a hazardous device or weapon;
2.8.3 Deter an event from happening (i.e., through warning signs, physical barriers, cameras, and security guards); and
2.8.4 Diminish an attack by making a target less attractive or more costly for the aggressor. For example, it is possible to diminish the target value of a stadium on game day by increasing security. With enough security a potential aggressor may not risk available resources because of the low probability of success (i.e., the value of the target is not worth the risk of losing the resources).
2.9 Emergency Operations Center – the locations at which the coordination of information and resources to support incident management activities take place. Emergency Operations Centers are often organized at Federal, State, and local levels or through emergency response, law enforcement, or medical services.
2.10 Failure Mode – a way that failure can occur, described by the means or underlying physics by which element or component failures must occur to cause loss of the sub-system or system function.
2.11 Frequency – the rate of occurrence that is measured by the number of events per unit time, usually one year in this context unless otherwise specified.
2.12 Hazard – a condition that may result from either an external cause (e.g., earthquake, flood, or human agency) or an internal vulnerability, with the potential to initiate a failure. It is a source of potential harm or a situation with a potential to cause loss.
2.13 Initiating Event – include but are not limited to malevolent personnel attacks (including active shooter), bodily assault, robbery, chemical and biological attacks, cyber attacks, accidents, natural hazards, and chance events.
2.14 Malevolent Event – an event that is harmful. A malevolent event, as defined herein, is any event, man-made or naturally occurring, that could result in harm to personnel, structures, reputation, systems, or any undesirable consequence.
6
371 372 373
374 375 376 377
378 379 380 381 382
383 384 385 386 387 388 389 390
391 392 393 394 395 396 397 398
399 400 401 402 403 404 405 406 407
408 409 410 411
412 413
2.15 Preparedness – the combination of risk analysis and management, response planning, and recovery planning, including continuity of operations, for rapid restoration of function.
2.16 Probability – a measure of likelihood of a specific event occurring in a specific time period, usually one year frequency, expressed as a positive number from zero (no chance of occurring) to one (high likelihood of occurring) (0.0 – 1.0). The terms likelihood and probability are often used interchangeably.
2.17 Reference Threat – a particular malevolent event specified in terms of intensity or magnitude, mode and medium of delivery, to be used in a consistent fashion across numerous assets to facilitate direct comparisons. When calculating risk for comparison purposes, it is necessary to use the same threat and threat magnitude for all cases; otherwise the resulting risks cannot be compared.
2.18 Resilience – the ability of an asset or system to withstand an attack or natural hazard without interruption of the asset or system’s performance or, if the function is interrupted, to restore the function rapidly. For most commercial businesses, resilience should be measured in the ability to avoid lost revenue for the owner of the facility and lost economic activity for the metropolitan region in which the facility operates. However, for higher education institutions, resilience also includes an assessment of the ability to maintain the core mission of teaching, learning, research, service, and health care.
2.19 Risk – as used in the assessment method provided herein is the expected value of the consequences of an initiating event weighted by the probability of the event’s occurrence, the probability that the event will succeed, and the extent of the estimated consequences given that the event occurs. Risk should be based on identified events or event scenarios. Risk is commonly measured as the product of the probability of occurrence of an event and the probability that the event will produce the estimated consequences, given that the event occurs and the outcomes or consequences associated with the event’s occurrence. A more general discussion of risk is provided in the Forward.
2.20 Risk Analysis – the process of estimating the components of risk and combining them into the estimate of risk. Risk analysis provides the processes for identifying threats, hazards or hazard scenarios, event-probability estimation, vulnerability assessment and consequence estimation. The risk analysis process answers three basic questions: (1) What can go wrong and how it can happen?; (2) What is the probability that it will go wrong?; and (3) What are the consequences if it does go wrong? Risk analysis often includes estimating the impact of making any changes to a system to reduce risks by reducing the probability of an event, the vulnerability given that event occurs, and/or the magnitude or duration of consequences given the event.
2.21 Scenario – a combination of events that lead to an outcome of interest. A scenario defines a set of circumstances of interest in a risk analysis. In the context of this Standard, a scenario includes at least one specific incident or threat on a specific asset, with the associated probabilities and consequences (see the definition of “probability”).
2.22 Standard – a set of common guidelines. Standards serve as a vehicle of communication, defining a common language, defining quality and establishing safety criteria. This
7
414 415 416
417 418 419 420
421 422 423 424 425
426 427
428 429 430 431 432 433 434
435 436
437 438 439 440
441 442
443 444 445 446
447
448
449
450
451
452
453
Standard is voluntary and does not have the force of law and is not intended to be a detailed workbook or complete checklist on specifically how to conduct, in this case, a risk assessment.
2.23 System – a group of interacting, interrelated, or interdependent elements, such as people, property, materials, environment, and processes. The elements form a complex whole that can be a physical structure, process, or procedure encompassing some attributes of interest.
2.24 Threat – a malevolent or natural event with the potential to cause harm. In terrorism risk analysis, threat is based on the analysis of the intention and capability of an adversary to undertake actions that would be detrimental to an asset. Threats may also arise from natural hazards, dependencies (interruptions of supply chains), or being in close proximity to dangerous or hazardous neighbors.
2.25 Threat-Asset Pair – a combination of the list of assets with applicable threats. Some threats are not applicable to certain assets.
2.26 Threat Probability – the likelihood that an undesirable event will occur (see definition of “probability”). With natural hazards, the threat probability is the historical frequency of similar events but this may be modified if there is a belief that the future will differ from the past. With terrorist threats, probability is a function of available intelligence, the objectives and capabilities of the terrorist, and the attractiveness, symbolism or fear-inducing value of the asset as a target. Probability of accidents comes from historical data.
2.27 Vulnerability – an inherent state of a system (e.g., physical, technical, organizational, cultural) that can be exploited to cause harm or damage.
2.28 Vulnerability Analysis – a systematic examination of the ability of an asset to withstand a specific threat, including current security and emergency preparedness procedures and controls. A vulnerability analysis often includes countermeasures, mitigation features, and security improvements.
2.29 Vulnerability Estimate – the probability that an incident will cause estimated consequences, given the incident occurs.
2.30 Worst Reasonable Case – an assumption for estimating consequence values that utilizes the most severe but reasonable consequences for a specific threat or incident but does not combine unlikely coincidences, such as a tornado and seismic event happening at the same place and time.
8
454 455 456 457 458 459
460 461
462
463
464 465
466
467
468 469 470 471 472 473 474 475
476
477 478 479 480 481 482 483 484 485 486
3 SEVEN STEP PROCESS FOR RISK IDENTIFICATION
This Standard provides a process which can help identify assets and analyze risk encompassing an all-hazards4 approach for institutions of higher education. While colleges and universities have unique surroundings and circumstances, adhering to a model of identifying assets, quantifying risks, and measuring continuous improvement is recommended. The following steps provide a sound initial framework:5
1. Asset Characterization – identifying the personnel and critical facilities and assets on campus;
2. Threat Characterization – identifying specific threats;
3. Consequence Analysis – estimating the worst reasonable case of each threat to each asset;
4. Vulnerability Analysis – estimating the probability that a particular incident will adversely affect an asset given the existing security measures;
5. Threat Assessment – estimating the probability that the incident will occur;
6. Risk Analysis – estimating the risk of each incident on each asset; and
7. Risk Resolution – evaluating options for reducing risk (usually by considering benefit/cost) and selecting, implementing and managing those that are selected. Risk resolution also includes systematic implementation of the selected options, monitoring and evaluating the options for effectiveness, carrying out corrective actions when needed, and repeating this cycle. Risk resolution in institutes of higher education generally considers a more comprehensive set of variables including business continuity, academic continuity, and maintaining the core missions of the institute. Continual reassessment and improvement of security procedures is recommended.
The following sections describe this process in further detail.
3.1 Asset Characterization: Asset characterization determines the assets which, if damaged by malevolent, man-made, accidental or natural hazards, could result in prolonged campus disruptions to operations, injuries, fatalities, loss of access to campus facilities, detrimental economic impact, or any combination thereof. Ultimately, asset characterization produces a list of critical assets that must be considered in subsequent steps (e.g., threat, consequence and vulnerability analyses, estimation of risks and resilience). The organization may make this a two-phased process, in which the first phase, or “top screening,” is the assessment of the campus as a whole (e.g., residence facilities, lecture halls, stadiums) to select a subset of all facilities of a specific sort to be analyzed more thoroughly. The second phase is the analysis of the component assets of
4 It is recognized that Information Technology (IT) is a very important factor in the successful operation of an institution. This Standard is directed primarily to the human and physical aspects of safety and security. The security of the IT system should be addressed in detail using a more comprehensive IT sector specific methodology. The IT department(s) should have a detailed plan for protecting IT systems from internal and external threats and promptly restoring the system. This plan should be coordinated with the campus security plan.
5 It is not necessary to perform all seven steps of the assessment for all campuses. Screening tools can be used to determine the level of detail necessary for a particular campus. See Appendix A for additional discussion of screening tools.
9
487 488 489 490 491 492
493 494 495
496 497 498
499 500 501 502 503 504 505
506 507
508 509 510 511 512
513 514 515 516 517 518 519 520 521 522 523 524 525 526 527
528 529
the facility to be assessed in detail. The top screen includes a resource-conserving strategy to eliminate facilities with consequences below a threshold level from further analysis. The threshold is based on the nature of the decisions to be made. Alternatively, the organization may prefer to encourage universal application of Risk Analysis (see section 2.20), starting with the consideration of the components. In either case, the same procedure should be followed. Asset characterization uses a six-step procedure:
3.1.1 Identify the critical functions of the campus to determine which assets perform or support the critical functions or missions (e.g., fostering a safe and secure academic environment for students, faculty, and staff).
3.1.2 Identify a list of potentially critical assets that are required to perform the critical functions or missions. These may include people, equipment, systems, materials, and products and/or information, depending upon the type of facility being evaluated.
3.1.3 Identify the critical internal and external infrastructures (e.g., electric power, petroleum fuels, natural gas, telecommunications, transportation, water, emergency services, computer systems, air handling systems, fire control systems, process control systems, business information systems, human resource and student information systems) and all interdependencies that support the critical operations/functions of each asset. Assess the impact of loss of one or more of these critical infrastructures.
3.1.4 Identify and document existing countermeasures and mitigation features, including physical security, cyber security, administrative controls and other safeguards.
3.1.5 Estimate the worst reasonable case resulting from the destruction or loss of – or loss of access to – each asset, without regard to the threat. Consider the potential for fatalities, serious injuries, major economic losses to the facility or the community it serves, and loss of public confidence and/or inhibiting the effective function of institution administration, national defense, or civilian government at any level.
3.1.6 Prioritize the critical assets using the estimated consequences from Step 3.1.5. Identify assets by screening the prioritized list using criteria relevant to the decisions to be made.
3.2 Threat Characterization: This Standard takes an all-hazards approach that considers all
relevant initiating events as previously defined. Threat characterization should be performed to identify general and specific threat scenarios. These threat scenarios characterize the events or combination of events that produce harm or damage such as infrastructure failures. Man-made threats should include various modes of attack and various magnitudes of attack elements. Examples include terrorism, active shooter, assault, and dangerous behavior. For this Standard, natural hazards should include but are not limited to hurricanes, floods, tornadoes, wild fires, winter storms, earthquakes. Dependency hazards include interruptions of utilities, suppliers, employees, faculty, students, etc. Additional threats should include cyber security, pandemic, biological, and food-borne incidents.
3.2.1 Describe, for man-made threats, the capabilities of the individuals involved. Capabilities include weapons types, tactics, numbers, and means of delivery. It is
10
530 531 532 533
534 535 536 537
538 539 540 541 542 543
544 545
546
547 548 549 550 551 552
553 554 555 556 557 558 559
560 561 562 563 564
565 566
567 568 569 570 571
recommended that Threat Assessment Teams be put into place on campus to help identify potential persons of concern and gather and analyze information regarding the potential threat posed by an individual(s). Section 6 provides resources for implementing Threat Assessment Teams on campus.
3.2.2 Describe, for natural hazards, all hurricanes, earthquakes, floods, wild fires, winter storms, tsunamis, volcanic eruptions, and tornadoes that have occurred or could occur in the location of the facility. Define the range of the magnitudes from the smallest that would cause serious harm or damage to the largest reasonable case.
3.2.3 Combine the assets and threats into threat/asset pairs. This process involves considering each asset and each possible threat to determine if the asset is susceptible to the assumed threat. For example, a building would be susceptible to the threat posed by a hurricane or tornado but not susceptible to a pandemic. The resulting logical combinations are termed threat/asset pairs. If all (A) assets are susceptible to all (T) threats, the maximum number of threat/asset pairs is A times T (A x T).
3.2.4 Describe, for dependency hazards, all interruptions of utilities, suppliers, employees, customers and transportation and co-location with dangerous neighboring facilities.
3.2.5 Rank the threat/asset pairs according to the judged magnitude of the consequences.
3.2.6 Select the threat/asset pairs to be included in the rest of the analysis. The pairs selected are judged by the user to give the greatest possible consequences. Threats, however, that require greater investment by an adversary or have a lower probability of occurrence (natural hazards) may result in lower risk than an event with smaller consequences but a higher probability of occurrence. In general, these assets and threats will be the focus of assessment throughout the remainder of the analysis.
3.3 Consequence Analysis: This step identifies the worst reasonable case that can be generated by the threats to the assets identified in Step 3.2. Consequence analysis estimates the predicted outcomes of threat scenarios using common quantitative metrics that include number of fatalities, number of serious injuries, financial loss to the owners of the facility, and economic losses to the community (metropolitan area) in which it operates. The college/university should conduct a consequence analysis using the following procedure:
3.3.1 Apply worst reasonable case assumptions for each incident scenario. For terrorist or other life threatening events or behavior, assume the adversary to be intelligent and adaptive, attempting to optimize or maximize the consequences of a particular incident scenario. For natural hazards, assume all reasonable event magnitudes. Use judgment to define the worst reasonable cases.
3.3.2 Estimate the consequences in terms of loss of life and serious injury to persons on campus, and economic losses to the institution.
3.3.3 Evaluate additional consequences as needed. These may include sociopolitical impacts, lost strategic capability or output, detrimental effects to the university reputation, public confidence, psychological impacts, etc. Harm to reputation is difficult to measure and can be subjective. For example, observing correlations between crime trends and number of applicants could provide a starting point to
11
572 573 574 575 576
577 578 579 580
581 582 583 584 585
586 587 588
589 590 591 592
593 594 595 596 597 598 599
600 601 602 603 604
605 606 607 608 609
610 611
612 613
determine reputational impact. Media exposure is a possible metric as well, such as local coverage versus national coverage, length of time in coverage, etc. It is difficult to quantify reputation but it can be categorized. Because this is highly incident dependent, no attempt will be made in this specification to define metrics for damage to reputation.
3.3.4 Design a plan to respond to the media. Adverse or negative publicity can have unintended and undesired long-term consequences. The media can provide a valuable means to inform the community about the incident and recovery. Prepare a plan to communicate with institution’s constituents and identify a campus spokesperson.
3.3.5 Identify impact of damage to infrastructure and other services upon which the campus community relies. Damage may prevent supplies and resources from being delivered to the institution for an extended period of time (e.g., loss of a bridge). Collaboration and mutual aid agreements with Emergency Operations Centers (EOCs), local officials, and agencies are essential.
3.3.6 Document the method used for performing the consequence analysis, the worst reasonable case assumptions, and the results of the consequence analysis using suitable measures.
3.3.7 Record the consequence values. The consequences are recorded in dollars for cost related damage, deaths and serious injuries. Loss of reputation to the institution is estimated subjectively and as it relates to loss of business or academic continuity, credit rating, academic standing, or mission-critical functions.
3.4 Vulnerability Analysis: This step analyzes the strengths and weaknesses of each critical asset and its protective systems relative to a specified threat. Vulnerability analysis also estimates the conditional probability that a natural disaster or malevolent individual(s) will strike campus. The output from a vulnerability analysis is the probability of a natural hazard or attack scenario on campus and the impact on critical assets. The college/university should conduct a vulnerability analysis using the following four-step procedure:
3.4.1 Review pertinent details of the facility construction, systems, and layout. Include countermeasures and other impediments to threats, such as topographic, design, and equipment features that provide deterrence, detection systems, and buffer zones. Include information on interdependencies, first responders, personnel on site, process flows within the facility and other factors that will mitigate the event.
3.4.2 Analyze the vulnerability of each critical asset or system to estimate the conditional probability that, given the occurrence of a threat, the consequences estimated in Step 3.3 result. The organization may use fault tree analysis, path analysis, computer simulation methods or expert judgment rules-of-thumb consistently across all relevant assets.
3.4.3 Document the method used for performing the vulnerability analysis, the worst reasonable case assumptions, and the results of the vulnerability analysis.
3.4.4 Record the vulnerability estimates on a probability scale or other scales that can be mathematically transformed to probabilities. The probability of attack success may
12
614 615
616 617 618 619 620
621 622 623 624 625 626 627
628 629
630 631 632
633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656
be expressed as a fraction, a probability, or the number of successes among attempts, as either a point estimate or a range.
3.5 Threat Probability Assessment: This provides an estimate of the likelihood of attack or natural hazard event. The threat probability assessment produces the probability expressed as a positive number from 0.0 (no chance of occurring) to 1.0 (high-probability of occurring) that a particular threat-terrorist, life threatening event, or natural event will occur in a given timeframe (usually one year).
3.5.1 Estimates of the probability of natural hazards draw on the historical record for the specific location of the asset. Federal agencies make use of published records by federal and other agencies on hurricanes, earthquakes, tornadoes and floods to determine frequencies and severity of natural hazards. Wild fires, tsunamis and volcanic eruptions are prevalent in some areas and should be included in assessments of natural hazards. Probability may be available from state agencies (e.g., wild fires in the state of California).
3.6 Risk Analysis: This step combines the results from the previous five elements into risk estimates. The institution should:
3.6.1 Calculate risk for each threat/asset pair as the product of the results from Consequence Analysis (see 3.3), Vulnerability Analysis (see 3.4), and Threat Probability Assessment (see 3.5), using the following equation:
Risk = Consequences x (Threat Probability x Vulnerability)
Where: Risk should be expressed in dollars per year, fatalities, or serious injuries or combinations thereof. Threat probability, estimated in 3.5, is a probability of a specific threat occurring to the asset in question. The unit of measurement is the probability or frequency of occurrence over a given time period, generally understood to be one year. Vulnerability, estimated in 3.4, is a conditional probability that the threat to a particular asset results in the consequences estimated in 3.3, given that the threat occurs. Consequences, estimated in 3.3, are expressed for each threat/asset pair in terms of the number of fatalities, number of serious injuries, financial losses to the owner and economic losses to the metropolitan region in which the facility operates. When estimating risk, the number of fatalities, serious injuries, and economic consequences should be calculated separately. Placing a monetary value on life and/or injury has been used to combine fatalities and injuries with economic consequences into a single term for use in benefit-cost analysis. If the option to assign a monetary value to life or serious injuries is selected, the assumed values for life and injury should be clearly recorded. Lives lost, serious injuries and economic consequences should then be combined.
13
657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674
675 676
677 678 679
680 681 682
683 684 685 686 687 688 689 690 691 692
693 694 695 696 697 698 699 700
3.7 Risk Resolution: This step determines what level of risk is acceptable and at what cost. Risk resolution is the process of understanding risk and deciding upon and implementing action (e.g., defining new security countermeasures, consequence mitigation features or characteristics of the asset) to achieve an acceptable level of risk at an acceptable cost. It is recognized that risk management in institutes of higher education generally considers a more comprehensive set of variables including business continuity, academic continuity, and maintaining the core missions of the institute. These additional variables should be considered to the extent practicable. The initial risk analysis is based on the existing conditions of the asset. After this baseline risk level has been established, new methods to reduce risk should be defined and evaluated. The value or benefit of the new methods is estimated by re-visiting Steps 3.2, 3.3 or 3.4 and re-estimating the threat probability, vulnerability or consequences to calculate a new risk with the new method in place. The reduction in risk is the benefit or value of the method, which should be compared to the cost of implementing it and to the benefits of other options. The options are classified as either countermeasures (directed toward reducing threat probability or vulnerability), or consequence-mitigating actions (intended to reduce the economic and public health consequences of an attack and hasten a return to full functionality). Taking no action is always a baseline option against which all others are compared. The institution should:
3.7.1 Define alternative potential countermeasures and consequence-mitigation options. Estimate the investment and operating costs of each option.
3.7.2 Assume the implementation of alternative potential countermeasures and consequence-mitigation options and re-estimate consequences, threat probability and vulnerability, given the option’s implementation.
3.7.3 Calculate the risk, given the consequence mitigation option and subtract it from the risk without the option (the “do nothing” baseline option) to define the benefit of the option.
3.7.4 Calculate the benefit/cost ratio using the results of steps 3.7.1 and 3.7.3. This provides an estimate of the amount of risk reduction per unit of cost. For the economic metrics, the ratio should equal or exceed one (1.0) to be considered viable. For fatalities and serious injuries, the ratio is the reduction in the expected number of cases per dollar, with no obvious threshold level. The number of lives saved and serious injuries avoided is only a measure of the effectiveness of the improvements and does not in any way imply the value of the life saved or the injury avoided. This will often provide insight to a decision maker. For example, reducing the speed limit from 60 mph to 20 mph could drastically reduce fatalities but the cost to the public would be unacceptable in terms of loss of productivity and perceived quality of life.
3.7.5 Select the options that have the highest net benefits to costs. Because the metrics are not necessarily correlated, use judgment to make the needed trade-offs. Allocate the resources – financial, human, and other – needed to implement and operate the selected options. Consideration should also be given to the opportunity cost. Given the use of funds in the reduction of risk, for every dollar spent there will be another project which may be more central to the institution’s mission which may not be funded. Therefore, in addition to the net cost/benefit ratio calculation, judgment can be factored which weighs the cost/benefit of the alternative protection projects with
14
701 702 703 704
705 706 707 708
709 710 711 712 713 714 715
716 717 718 719
720 721 722
723
724
725
726
the value of other uses of the same funds. Among the risk reduction options, there may be one or more which accomplishes many of the stated goals but which leaves funds available for use in other core-mission categories. This result may not reduce a given risk to zero, but will reduce it to a tolerable level.
3.7.6 Manage the implementation and operation of the selected options, evaluate their effectiveness, and reassess and modify routinely for maximum effectiveness. Repeat the risk analysis cycle periodically or as needed given new information and a changing environment.
3.7.7 Communicate with those who may be impacted by the incident. A detailed communication plan, which is in place and familiar to all potentially affected individuals, should be developed and implemented. The communication plan should be updated frequently as communication technology changes rapidly. Standard means of communication should be utilized. Multiple communication methods should be included such as internet, cellular phone, social network sites, and message boards.
3.7.8 Consider evacuation, if necessary, as part of risk resolution. This plan should consider all reasonable types of incidents which could affect evacuation routes, mode of evacuation and timing. The plan should include estimates of the number of able-bodied and handicapped individuals, and the means for evacuating them.
3.7.9 Evaluate the potential human, medical, social, economic and legal impact of a pandemic at the highest levels of the university administration and prepare a pandemic plan as a supplement to the campus disaster preparedness plan.
15
727 728 729 730 731
732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749
750 751 752 753
754 755
756 757 758
759 760
761 762 763 764 765 766 767 768 769
4 CONFIGURATION CONTROL
This section provides configuration control (see section 2.4 for definition) suggestions for the risk analysis and resolution processes. These can help support resource allocation decisions with the intent of reducing the identified risks to critical infrastructure through countermeasures and mitigation strategies.
4.1 Establish a configuration control program. (a) Include a process for monitoring risk analysis and collecting new information such as
additional threats to personnel or facilities that were previously unknown. (b) Include a process that maintains and updates the risk assessment in a manner that is
consistent with protecting critical infrastructure, including pending changes. (c) Include a process that evaluates the advantages and disadvantages of any changes
made to the risk assessment. (d) Include a function that tracks trends and new information for changes in the security
environment for the type and location of assets being assessed. (e) Establish a clear process to become familiar with the state and other agencies’
emergency operations plan. This should include communication, interoperability, identification of contact points and chain of command.
(f) The campus Emergency Management (EM) staff must be familiar with and integrated into the local community EM staff, the regional EM staff, and the state EM organization. Establishing mutual aid agreements with appropriate organizations, institutions, agencies, and jurisdictions is recommended.
(g) Document the program.
5 VERIFICATION This section provides for the review of the risk assessment and management process to support decisions for assessing the risk to critical assets of the malevolent events considered in this Standard.
5.1 Verify risk assessments using independent reviews, peer review processes, or other established practices.
5.2 Evaluate the risk assessment to determine if the process and its implementation meet the requirements of this Standard. Evaluate sufficient aspects of the risk assessment to assure adequacy of the approach and use of results in the decision-making process.
5.3 Demonstrate and document that the review process has appropriately implemented the review requirements.
5.4 Perform exercises and simulations to ensure integration, communication and collaboration between the emergency management staff of the campus and local, regional and state EM partners. Note that nearby events (off campus) can result in having an influx of people taking refuge on the campus. Training exercises should consider the effects of the event and how to respond to off-campus events.
16
770 771 772 773 774 775
6 ADDITIONAL RESOURCES
The following resources may be helpful in conducting a risk assessment.
• ASIS National Standard – Organizational Resilience: Security, Preparedness, and Continuity Management Systems – Requirements with Guidance for Use, March 2009.
• Applied Risk Management – Campus Violence Prevention and Response: Best Practices for Massachusetts Higher Education. http://www.arm-776 security.com/pdf/ARM_MA_Colleges_Campus_Violence_Prevention_And_Response.p777 df 778
779 • British Standard 25999: Business Continuity Management. http://www.thebci.org/standards.htm. 780
781 782 783 784 785 786 787
o Part 1: Code of Practice o Part 2: Specification
• Deisinger, O’Neill, Randazzo, and Savage. 2008. The Handbook for Campus Threat Assessment & Management Teams. Massachusetts: Applied Risk Management, LLC.
• FEMA 452, Risk Management Series, Risk Assessment: A How-To Guide to Mitigate Potential Terrorist Attacks Against Buildings, 2005.
• HAZUS-Multi-Hazard Methodology: http://www.fema.gov/plan/prevent/hazus/hz_overview.shtm 788
• National Incident Management System: http://www.fema.gov/emergency/nims/ 789 790 o Incident Command System:
http://www.fema.gov/emergency/nims/IncidentCommandSystem.shtm 791 792 • NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity
Programs, 2007 Edition. http://www.nfpa.org/assets/files/pdf/nfpa1600.pdf 793 794 795 796 797 798
• Plummer and Randazzo. 2009. Implementing Behavioral Threat Assessment on Campus: A Virginia Tech Demonstration Project. Blacksburg: Virginia Polytechnic Institute and State University.
• Target Capabilities List: A companion to the National Preparedness Guidelines. U.S. Department of Homeland Security, September 2007. https://www.rkb.us/download.cfm?id=1458 799
800 801
• The University of Louisiana Lafayette Disaster Resistant University Hazard Mitigation Plan, July 2009.
o http://www.nimsat.org/Images/Interior/hazard%20mitigation%20plan%20part%2802 01.pdf 803
o http://www.nimsat.org/Images/Interior/hazard%20mitigation%20plan%20part%2804 02.pdf 805
o http://www.nimsat.org/Images/Interior/hazard%20mitigation%20plan%20part%2806 03.pdf 807
o http://www.nimsat.org/Images/Interior/hazard%20mitigation%20plan%20part%2808 04.pdf 809
o http://www.nimsat.org/Images/Interior/hazard%20mitigation%20plan%20part%2810 05.pdf 811
812 813
• The University of New Orleans Hazard Mitigation Plan: The Center for Hazards Assessment, Response and Technology, August 2006. http://chart.uno.edu/publications/docs/Full%20Plan.pdf 814
17
815 • The Virginia Tech Review Panel Report, August 2007. http://www.vtreviewpanel.org/report/index.html 816
817 818
819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859
7 REFERENCES AND BIBLIOGRAPHY
• American Society of Industrial Security – General Security Risk Assessment Standard. • ASME, Risk Analysis and Management for Critical Asset Protection: General Guidance,
Washington, D.C., July 30, 2004. • ASME Innovative Technologies Institute, LLC, Introduction to Risk Analysis and
Management for Critical Asset Protection, Washington, D.C., 2005. • ASME Innovative Technologies Institute, Risk Analysis and Management for Critical
Asset Protection (RAMCAP) Applied to Terrorism and Homeland Security, Washington, D.C., August 30, 2005.
• ASME Innovative Technologies Institute, 2006. RAMCAP: The Framework, Version 2.0, Washington, D.C., May 2006.
• ASME Innovative Technologies Institute, RAMCAP: The Framework, Version 3.0, Washington, D.C.
• ASME Innovative Technologies Institute, All-Hazards Risk and Resilience: Prioritizing Critical Infrastructure Using the RAMCAP Plus® Approach, Washington, DC., 2009.
• DRII, Professional Practices for Business Continuity Practitioners, July of 2008. • National Incident Management System, U.S. Department of Homeland Security,
December 2008. • NFPA 1600; Standard on Disaster/Emergency Management and Business Continuity
Programs. • FEMA 452 - Risk Assessment: A How-To Guide to Mitigate Potential Terrorist Attacks
Against Buildings, 2005. • Report of the Virginia Tech Review Panel, Mass Shootings at Virginia Tech April 16,
2007, August 2007.
18
860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885
APPENDIX A: SCREENING TOOLS Screening tools should be used to provide an initial risk assessment for the purpose of determining if a more detailed analysis is necessary. The criteria for screening are based upon the expected consequences of an event. The seven step process described in Section 3 is shown schematically in Figure A-1. Consistency requires that a risk assessment be performed using a standard set of threats. Larger schools should include more assets and would calculate risk more precisely. Smaller schools may prescreen out all but their most important assets and can assign a high/medium/low coding to identify the highest priority risks. Unless all risk assessments consider the same reference threats, including threat type and magnitude, the results cannot be compared. Figure A-2 provides an example of possible threats. A complete risk assessment is performed when all of the assets identified in Section 3.1 are evaluated for the threats shown in Figure A-2. However, some of the threats are not applicable to certain assets. As an example, the most valuable assets on a campus are the students, instructors and university employees. These assets are clearly vulnerable to an active shooter but theft or diversion6 cannot easily be applied to individuals. Conversely, a pandemic is not an applicable threat to a building or stadium. This illustrates how each asset should be matched against the individual threats to determine if the threat is reasonable or logical. Further, it can also be seen that if the maximum consequence that could be reasonably expected to occur is below a certain threshold, this asset can be excluded from additional risk analysis. By making use of screening tools a smaller institution with limited planning personnel, time and resources could nonetheless conduct a valid risk assessment. Valuable planning time should be devoted to the most likely threats to people, to facilities, and to infrastructure.
6 Diversion of shipped goods, for example, to another location where they can be used for nefarious purposes can have the same result as theft of goods that may be orchestrated by cyber hackers or insiders.
19
886 887 888 889 890 891 892
Figure A-1: Seven Step Process for Asset Identification and Risk Assessment. Note: Level of quantification and detail for each step may vary based on the needs and size of the institution.
Incident Type Examples of Incidents Health Threats
Minor Outbreak Pandemic
Land-based Improvised Explosive Device
Backpack Car Van Mid-size Truck
Active Shooter 1 Assailant 2-4 Assailants
Sabotage
Physical-Insider Physical Outsider Cyber-Insider Cyber-Outsider
Theft or Diversion
Physical-Insider Physical Outsider Cyber-Insider Cyber-Outsider
Product Contamination
Chemical Radionuclide Biotoxin Pathogenic Weaponization of waste disposal system
20
Incident Type Examples of Incidents
Natural Hazards
Hurricanes Earthquakes Tornadoes Floods Volcanoes Tsunamis
Dependencies
Loss of Utilities Loss of Suppliers Loss of Employees Loss of Students Loss of Transportation
893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939
Figure A-2: Reference Incidents Figure A-2 above shows examples of a variety of incidents that may threaten an institution. The size and impact of the threat may range from minor or severe. Note that “insider” refers to an individual within the institution and “outsider” refers to individuals not associated with the institution.
21
940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976
APPENDIX B: EXAMPLES OF THREE RISK ASSESSMENT APPROACHES
The seven-step process described in the Standard (Section 3) provides the framework for calculating or estimating risk. The following examples provide a range of options that can be used to determine and manage risk. In all cases, it is possible to utilize the RAMCAP Plus® methodology but the level of detail and accuracy of the risk assessment will increase with the amount of effort expended on the assessment. It should be noted that the examples given below illustrate the methodology for developing a color-coded system that can be used to inform decisions about risk reduction. These examples are for illustrative purposes only, and should consider factors like the size of the university, importance of university to commerce, research projects that may be considered desirable targets by terrorist groups, location (urban, rural, suburban), hazardous materials on campus that can be weaponized, iconic value, and many other factors that will require study and evaluation. The weighting factors that are used to judge the vulnerability of various assets must be carefully decided by experts in risk assessment, and individuals knowledgeable in terrorism and current motives of terrorist groups as well as the availability of resources and funding. The factors should be updated periodically as conditions change. Evaluating the results of a risk assessment and developing an action plan The results of a risk assessment must be used by decision makers in formulating a plan to address risk. Figure B-2 provides a graphic method of visualizing how risks of different levels can be addressed by the risk manager. For risks in the lower left quadrant, (i.e., low consequence and low weighted vulnerability), the risk will normally be tolerated or accepted. It is too costly to further reduce these risks and the benefit/cost ratio is poor. For high consequence and low weighted vulnerability risks (lower right quadrant), the risk may be deflected by buying insurance. High risks with both high weighted vulnerability and consequence are actionable items and must be avoided or mitigated. Expert elicitation can be used to screen out low risk that is acceptable. Using check lists and partial quantification as demonstrated in the example questions below will provide a better estimate of risk and identify high risk areas. For very high-risk assets, the detailed approach should be utilized to insure that everything possible is being done to reduce risk to the lowest possible levels. The following three examples are provided to illustrate the degree of detail that can be used in conducting a risk assessment.
22
↑ Very
Hig
hH
igh
Pandemic
Med
ium
Hurricane Earthquake Wild fire
Low
Very
Low Tornado, Mud
slide, Ice storm Terrorist attack
Very Low Low Medium High Very High
→Consequence Severity
Wei
ghte
d Vu
lner
abili
ty
977 978 979 980 981
Figure B-1: Risk Chart for RAMCAP Campus Color Coded Results - Example
982 983 984
Figure B-2: Action Quadrants
23
985 986 987 988 989 990 991 992 993 994 995 996 997 998 999
1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029
Example 1. Expert Elicitation – Conducting a Subjective Risk Assessment The most common method of performing risk assessments is expert elicitation. Expert elicitation, or obtaining the expertise of an individual with experience in risk assessment, risk management or other pertinent aspects of the RAMCAP Plus® process, is an important method that can be utilized. Expert elicitation is a somewhat subjective approach to estimating risk since it depends to a large extent on the experience and judgment of the person making the risk estimates. Ideally, several experts are polled to gain the advantage of different perspectives and backgrounds. However, the judgment of a wise and experienced person should not be underestimated. For expert elicitation the individuals are typically asked to estimate the risk associated with a particular event. For example, what is the risk of wildfire for a particular asset? The responder will consider the frequency of the event, (i.e., how often has it occurred in the past, what precautions are being taken to avoid the event, what would be the damage or danger from such an event and how would this affect the operations of the campus). Thus, a response could be that the potential for consequence would be high and the weighted vulnerability would be medium. The wildfire would plot as shown on Figure B-1. Figure B-1 presents a risk matrix that has five levels (from very low to very high) of consequence severity (horizontal or x-axis) and five levels (from very low to very high) of weighted vulnerability (vertical or y-axis). The measure of consequence severity can be in dollars, potential lives lost, or potential for serious injuries. The vertical axis, weighted vulnerability, is a measure of how probable is it that the event will occur and cause the consequence that is plotted on the x-axis. Thus, the weighted vulnerability includes both the probability that the event will occur and the probability that, if the event occurs, it will result in causing the damage plotted on the consequence severity axis. If several knowledgeable experts were polled and the general consensus was similar, this would provide a certain level of confidence in the assessment. This level of confidence would be increased or decreased depending on the qualifications of the experts. For example, the fire chief with 40 years of experience in the locale in question would have a greater credibility than someone with less experience or from another area of the country. Even if there is no formalized procedure for conducting a risk assessment, someone who is responsible for providing security, fire protection, or business continuity for a facility should make these assessments and make decisions based on the assessment of risk as part of their job description. The use of a risk matrix such as Figure B-1 and a formalized process can improve the confidence level in this procedure. Further, the same set of events and assumptions should be used by all individuals that participate in risk assessments. This will result in more consistent assessments and a higher confidence level. The advantage of expert elicitation is that it can be performed quickly and with a minimum of calculations. The expert(s) are responsible for informing themselves regarding the assets in
24
1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070
question and the events that are to be considered. Experts in different areas may be necessary to provide input for all of the events considered, replacement and repair values, loss of revenue, etc. The disadvantage of this method is that it is subjective and depends largely on experts that may not all have identical views or assessments. The better the experts the better the assessment. Further, it is difficult to determine the effectiveness of proposed changes to increase security or mitigate losses if an event or emergency does not take place. It is also unlikely to have comparability in results when different experts with varying expertise are used for future assessments. Example 2. Checklist Method – Conducting a Partially Quantified Risk Assessment. The “partially quantified” assessment described in this example is typically adequate for institutions of higher education. This approach is based upon assigning numeric values to the responses to a series of questions posed to the user. The weighted responses7 are used to assign a quantitative value for vulnerability or frequency rather than require the user to develop specific quantified responses. Consequence values, such as replacement cost, repair cost, loss of revenue, etc., are input by the user as quantities. Normally, the consequence represents the cost suffered by the institution. In the more detailed risk assessments discussed in Example 3, consequence evaluation can be more extensive. Detailed economic input/output models at the local, regional, state, or national levels are required to assess the comprehensive consequences of the loss of an asset. For example, loss of a navigation lock on the Mississippi River would affect interstate shipping routes and could have a significant impact on the national economy. Loss of a major international shipping port is another example. Such detailed assessments likely would not be useful to most higher education institutions. In general, approaches to estimating risk share a set of steps that include identifying the asset to be considered; identifying possible threats; estimating the probability that a given threat will affect that asset; estimating the probability that an incident involving that threat will occur; and estimating the risk of each threat identified on each asset. Decisions should be then made on whether to try to reduce that risk for the assets under consideration. Some risk assessment methodologies use slightly different terminology, and may have a different number of steps. Any of those methods that take the same general approach as the one described above are acceptable under this Standard. This section provides an example of how to develop a RAMCAP Plus® compatible methodology that can be easily implemented. The risk matrix used to display the results is shown above in Figure B-1 (the same as Example 1 above). This will be used to evaluate the level of risk for each asset and threat. A series of questions will be answered pertaining to consequence severity
7 Some questions are more important in determining the final value of a variable and thus are given more weight. For example, if security personnel are present 24 hours a day, this is given a higher weight for estimating vulnerability than if there is a chain link fence around the property with not security. Both will decrease the vulnerability of the asset, but having guards on duty is valued higher.
25
1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116
and vulnerability. Answers to the questions will be a weighted score depending upon the response (from very low to very high). The vulnerability score will be weighted by a threat frequency factor when applicable. The resulting values will be plotted on the matrix shown in Figure B-1. The color code will indicate the risk level for each asset. The calculated values from the weighted questions can then be divided into bins as described in section 2.3 for color coding and plotting. A red rating can be used to indicate events that require action, (i.e. actionable items) as seen in the quadrants in Figure B-2. Yellow can represent medium level risks and green can indicate risk is acceptable and no action is needed. Risk plots as shown in Figure B-1 can be useful in determining the best way to reduce risk. Risk can be lowered by reducing the consequences of an event, which is termed mitigation of the event. Risk can also be reduced by lowering the weighted vulnerability. This is normally done with security or reducing the frequency of a man-made event. The questions contained in the example below are for illustration purposes only. They illustrate how a series of relevant questions can be answered by employees of a college or university without special training can be used to determine the approximate level of risk associated with events that could cause significant consequences. Careful consideration must be given to crafting the questions properly and assigning appropriate weighting factors. Each campus is unique. Many of the questions and weighting factors used in the checklist are relevant to a particular location. For example, a campus located in Florida may have little risk of an earthquake. The wind loads required by the Uniform Building Code and its successor the International Building Code result in a design that should withstand the weak seismic events that may happen in Florida. Thus, the seismic questions may be eliminated for these sites. Further, knowing the campus is located in Miami, for example, allows the risk expert to determine the frequency of hurricanes of a given intensity and incorporate this information into the assessment questions. NOTE: The following example considers a building with only classrooms in Florida. It determines consequence severity if the building is lost and the potential threats to the building. An institution would perform this assessment for each building on campus. Part of this assessment (e.g., Vulnerability Analysis) involves assigning numerical values to represent level of risk, from low to high. Institutions may generate these numerical values at their own discretion. These values can be used to create a chart indicating vulnerability to and consequence severity of various threats (see Figure B-1). Many threats occur only in specific locations. Asset vulnerability to some threats (e.g., tornados, ice storms, and mudslides) in locations such as Florida will be low. The following example is for illustration purposes only and is not intended to cover all aspects of a risk assessment. The institution should determine the specific questions asked within each level of assessment. This table gives examples of the types of questions that could be asked.
26
Table B-1: Example of Checklist Method Asset Characterization Building 1 (example only) used for
classrooms Use/Purpose of Building Classrooms, offices, etc. Cost of replacement $ Cost of lost revenue per year $ Number of occupants Loss of facility results in closing of campus No/Yes. Automatic red if “yes.” Note:
Red ratings (see color coded Figure B-1) are used to indicate events that require action to reduce risk, i.e. actionable items.
1117 Threat Characterization (Low- medium-high) Worst case threats Natural hazard threats Man-made threats Supply chain scenarios 1118 Consequence Analysis Sum of replacement cost and lost revenue Measured in dollars/year Expected fatalities Best estimate Expected serious injuries Best estimate Operational disruptions Automatic red if “yes.” 1119 Vulnerability Analysis The values below are for illustration
purposes only. 1) Threat: Earthquake a) Is the building constructed or retrofitted to the latest seismic requirements?
Yes = 0 No = 5
b) Primary building material Wood frame = 3 Reinforced masonry = 5 Unreinforced masonry = 10
c) Roof type: Tile with reinforced joist = 0 Tile with unreinforced joist = 7 Wood shingle = 3 Composite = 3
d) Frequency Low = 0 Medium = 5 High = 10
e) Magnitude Magnitude 5.0 = 3 Magnitude 6.0 = 5 Magnitude 7.0 = 7
Answers to questions a-e above: Seismic requirements a = 5
27
Building Material b = 5 Roof Type c = 3 Frequency d = 0 Magnitude e = 7
Earthquake total (Sum of questions above) 20 Divide total (20) by number of questions (5) = 4.00 Earthquake vulnerability value 4.00 Frequency Questions From the USGS seismic map, determine
the expected return frequency of a seismic event that exceeds the design basis event. (Note, this process is explained more fully in the Natural Hazards Appendix that has been developed by ASME-ITI and is part of the Water Standard.)
1120 2) Threat: Hurricane Vulnerability Questions a) Is the asset constructed to latest Building Code requirements?
Yes = 0 No = 5
b) Is the asset located in flood zone? Yes = 10 No = 0
c) Is the asset located within 10 miles of the coast?
Yes = 10 No = 0
d) Is the asset located within 20 miles of the coast?
Yes = 5 No = 0
e) Height of asset? Less than two stories = 0 Two to five stories = 5 Five to ten stories = 7 Greater than ten stories = 10
f) Category 1-5 Category 1 = 1 Category 2 = 3 Category 3 = 5 Category 4 = 7 Category 5 = 9
Answers to questions a-f above: Building Code Requirements a = 0 Flood Zone b = 0 10 miles of coastline c = 5 20 miles of coastline d = 0 (controls, no points for location) Height e = 10 Category f = 3
Hurricane total (Sum of questions above) 18 Divide total (18) by number of questions (6) = 3 Hurricane vulnerability value 3 Frequency Questions Using the maps supplied in the Natural
28
Hazards appendix, determine the return frequency for a hurricane with intensity exceeding the design basis wind speed for building 1. (See note above regarding the Natural Hazards Appendix.)
1121 3) Threat: Wild Fire Vulnerability Questions a) Time since last fire within 20 mile radius:
One year = 10 (if local area burned recently, reduce value by one-half to account for lack of fuel). More than five years = 5 Never = 2
b) Brush/grass abatement program: Cleared for 50 yards = 10 Cleared for 100 yards = 5
c) Local fire protection: Major firefighting capability including air support = 0 Local firefighting, no air support = 5 Volunteer firefighting, no air support = 10
Answers to questions a-c above: Time a = 5 Brush abatement b = 5 Local fire protection c = 0
Wild fire total (Sum of questions above) 10 Divide total (10) by number of questions (3) = 3.33 Wild fire vulnerability value 3.33 Frequency Questions What is the estimated time period for wild
fire in this local based upon the best available records?
1122 Scoring and Plotting on Color Code Chart
Risk Chart Values (Example)
A) Weighted (by frequency) Vulnerability Very low = score is between 0 and 2.0 Low = score is between 2.01 and 4.0 Medium = score is between 4.01 and 6.0 High = score is between 6.01 and 8.0 Very High = score is between 8.01 and 10.0
B) Weighted (by frequency) Consequence Expected fatalities Very low = 0 to 1 Low = 2- 4 Medium = 4-8 High = 8-16 Very High = 16 and above
Expected Serious Injuries Very low = 0 - 10 Low = 20 - 40
29
Medium = 40-80 High = 80-160 Very High = 160 and above
Cost of event Very low = below $500K Low = $.5M to $1.0M Medium = $1.0 M to $2.0M High = $2.0M to $4.0M Very High = $4.0M and above
1123 1124 1125 1126
Notes: A risk matrix will be developed for every asset and for all applicable threats. This is commonly referred to as the table of asset/threat pairs. The threat/asset pairs must be scored for economic consequences, fatalities and serious injuries. This will result in three risk matrices for every asset. The risk evaluation should be performed periodically and compared to prior assessments to determine if risk is decreasing as a result of the risk management program.
1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159
Scoring and Plotting Once all questions are answered and the results tallied for all asset/threat pairs, a risk chart should be drawn. The simplest way to display risk is to rank the scores for the frequency-weighted vulnerability questions and the consequence questions separately. Frequency weighting the vulnerability results simply means that the sum of the numerical answers to the vulnerability questions is multiplied by the expected frequency of occurrence. This provides a vulnerability score that reflects or contains information on how often the event is expected to happen. For example, assume building 1 is vulnerable to hurricane force winds because it is not designed to withstand winds exceeding 80 MPH. Based on the answers to the vulnerability questions building 1 will receive a high score for vulnerability. However, if the building is located in an area that has a very low expected hurricane return rate, (i.e., a hurricane only happens every 200 years on average), and then the weighted vulnerability would be low. Thus, the product of the vulnerability score and the low return rate gives a low score for this asset (building 1) subjected to this event (a hurricane or high wind). In other words, it does not matter if the building is poorly designed for wind loading if the wind is always calm at that particular location. This example clearly illustrates the interaction between the three variables of risk. Even if the cost of replacing the building was great and lost revenue high (maximum consequence), the vulnerability weighted by the frequency of occurrence results in low risk. This is, of course, true only for the hurricane event. The risk to building 1 may be high when the wildfire event is considered, for example. Thus the total risk for building 1 is the sum of the risks for each event. The advantage of this method over expert elicitation is that the more detailed assessment method provides more accurate results. The checklist ensures that all risk assessments are performed using the same ground rules and definitions. The answers are less subjective and it is easier to
30
1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196
quantify the results. Further, there is a lasting record of the assessment that should be used to identify particular areas that require changes or improvements. These records can be particularly useful to justify funding requests or to respond to requests for production in litigation. The disadvantage is that the assessments are more time consuming. Example 3. Conducting a Detailed and Quantified Risk Assessment This level of risk assessment and management has not been developed and is not available at this time for campus risk assessments. In more detailed risk assessments, consequence evaluation is usually more encompassing. Detailed economic input/output models for the local, regional, state and national levels are required to assess the comprehensive consequences of the loss of an asset. Similarly, the vulnerability of a major asset should be evaluated by a team of trained security and operations personnel. Every conceivable threat scenario should be considered so that the probability of success can be determined. This vulnerability assessment will require extensive work and documentation. Each site should be considered independently. An assessment at this level of detail is expensive, time consuming, and is normally justified only when the possible consequences of an event rise to the regional, state, or national level. In a detailed RAMCAP Plus ® risk assessment, every event that is considered possible must be paired with each asset and a risk assessment performed. The consequences of the event, the vulnerability of the asset to the event and the threat probability must be calculated. Risk is the product of these three variables as described in the Standard. Sector specific guidelines have been developed for numerous economic sectors (such as nuclear plants, water treatment plants) that provide detailed guidelines describing how to apply RAMCAP Plus ® in these specific applications. These guidelines have been developed for areas considered by the Department of Homeland Security to have potentially high consequences that rise to a national level of concern.