Risk Assessment: Completing a Threat and Risk Assessment

The process of performing a risk assessment, or Threat and Risk Assessment (TRA) is a complex endeavor if you have not performed one in the recent past.  

What is a risk assessment?

Risk assessment is the process or method where you:

• Identify risk factors and hazards that have the potential to cause harm.
• Analyze and evaluate the risk associated with that hazard. Known as risk analysis and risk evaluation.
• Determine appropriate ways to eliminate or control the risk, known as risk control.

What is the purpose of a risk assessment?

The purpose of the risk assessment or TRA is to identify the most relevant threats to the organization but also assess the current level of mitigation that is inherent within the organization.  Remember, hazard mitigation is sustained action taken to reduce or eliminate long-term risk to people and their property from hazards and their effects.  The greater the mitigation, the greater the reduction in long-term risk.

Completing a Risk Assessment 

Performing a comprehensive risk assessment will take at least 160 hours to complete from beginning to end and should be updated annually.

Below are the high-level steps to complete an assessment:

Preparation

In preparation for the assessment, gather the following information:

1. Maps of the Campus (e.g., GIS maps with layering is best)
2. Recent History of Events (e..g, Within last 5 years)
3. High-Value Assets (e.g., data centers, student buildings, dorms, research labs, stadiums,  etc.)
4. Key Infrastructure Locations (e.g., power, water, data/voice network, etc.)
5. Relevant Threat List Based on Location and Past History  (e.g., man-made, natural, technology)
6. FEMA Weather Based History (e.g/, hurricanes, floods, earthquakes, etc.)
7. Use of the Campus for High Profile Events (e.g., presidential visits, other high profile events, controversial issues, etc.)
8. Maximum Population of the University at Peak Time

Assessment

1. Schedule interviews of key personnel to include the Police Department, Campus Emergency Management, Environmental Health/Safety, Information Technology, Senior Faculty, Local Emergency Management,  etc.)
2. Interview personnel to determine level of mitigation in place for their key areas of responsibility to include emergency plans, backup power, network resiliency, business continuity, disaster recovery, stakeholder communications, evacuation planning, active shooter preparation,hazardous material spills, community readiness, ability of community to respond to a university event, etc.)
3. Interview senior faculty to address their understanding of risk/threats,  level of mitigation currently in place and most relevant concerns.  Use this information to compare to  the results of the study.
4. Tour the high value assets of the university and assess level of mitigation and hardening.
5. Tour key infrastructure areas (e..g, power, water, network) and assess level of mitigation and hardening.
6. Determine what high value assets need to have the most hardening.

Analysis

1. Assess level of mitigation based on results of the interviews.
2. Document critical exposures and opportunities for improvement.
3. Prioritize exposures and opportunities for improvement.
4. Determine most relevant threats to the university (e.g. focus on Top 5).
5. Document management report and mitigation plan over the next 18 to 24 months.
6. Review report and mitigation plan with university management.

Integrate the BIA and Risk Assessment

Business Impact Analysis (BIAs) and risk assessments are two long-standing components of any business continuity standard and methodology. They remain two of the most critical inputs toward any BCM program, as major strategy and funding decisions will be made based on their results and how critical they are to the enterprise.

The two studies have long been separated and not integrated. Yet, more than just an understanding of threats and risks, a risk assessment also includes determining whether mitigation measures can cost-effectively be implemented to lower the probability of the risk’s occurrence or lessen its impact. By looking at the BIA results and risk assessment results in a single view, management can gain a firmer understanding of where the most critical business functions reside and can apply a comparative risk rating to a particular site. By integrating the BIA and risk assessment results in this way, management will be able to make more informed business decisions on how to better allocate funds to reduce risks and determine which risks it is willing to assume.

At MHA, we have believed that the two need to be integrated as the combined studies provide a comprehensive snapshot of business process criticality and site risk all in one.  We typically produce a one page BIA and TRA summary for a site with the following information:

• List of the most critical business units and processes at the site
• List of the top five threats (e.g.,, hurricane, flooding, terrorist attack, etc.) to the site housing the business processes
• Status of the mitigating controls (e,g, backup power, network redundancy, physical security) at the site
• Site risk rating which is dependent on critical business units, threats and state of the mitigating controls

A site with critical business units (e.g., 24 hours or less), a list of threats with high probability and a low state of mitigating controls will have a high site risk rating indicating management attention is needed to reduce risks and exposures.  Now, on the flip side, even if you have a site with highly critical business units and high probability threats but have an above average level of mitigation, your site risk rating will be lower indicating the site is better prepared to deal with a threat.

So, integrate the two studies for each of your most critical sites and calculate your risk rating scores.  Present management with your results, focusing on the sites with the highest risk ratings.  Even small improvements in mitigation can make a big difference.

In closing, the TRA study should identify the most relevant threats and outline how we can best mitigate them.  It is important to note that senior faculty may choose to accept the risk and not implement mitigation steps that are too costly, too time-consuming, etc.  What is important is that you have identified what to be most concerned with and how to minimize its effect.

Further Reading

• Weighing the Danger: The Continuing Value of the Threat and Risk Assessment
• BIA and Risk Assessment: Why Both Are Important