MANAGING RISKS TO PHYSICAL ASSETS A PRACTICAL

Transcription

1 FEATURE ahrals ARC 2007 ANAGING RIK TO PYICA AET A PRACTICA APPROACBy A K oorthy, CPP, FyI, FI Adversary An individual, group or organisation with the motivation and capability to carry out activities that are harmful to a business and its physical assets. The adversary may be a foreign power, hostile intelligence service, political or terrorist groups, criminals, a private individual or other interested party. The management of risks is becoming an integral part of business across a wide spectrum of markets and industries. Physical assets are vital to the smooth and efficient function of organisations in achieving their goals. The effective management and continuous availability of these assets are vital to the success of businesses. Uncertainties in the social, political, economic, and technological environments in which the business operates may expose the physical assets to a diversity and multiplicity of risks. These risks could be posed by a range of threats such as natural disasters, manmade disasters, criminal acts, terrorist attacks and even war. If these risks are left unmitigated, the effects can be detrimental to the operation and survival of a business. A comprehensive and effective programme to identify, analyse and mitigate potential risks should be incorporated as an essential and integral process in the management of corpora- tions to ensure the safety, security and undisrupted availability and use of their physical assets for the continuity of their businesses. This article discusses some practical issues in managing risks to physical assets of businesses. OVERVIEW OF BAIC RIK ANAGEENT CONCEPT In the context of this article, the following terms and definitions will apply. Asset People, property (both tangible and intangible), information, activities or processes that are valued by its owner and his adversary. Criticality The significance of an asset in terms of its value and role in the business and the effects of any loss or damage of that asset. Threat Any indication, situation or event that has the potential to cause loss or damage to an asset. Risk The potential damage or loss of an asset which is valued by its owner. The general types of risks are speculative and pure. An example of a speculative risk is the difference between a loss or gain in a gambling bet or investment in the stock, commodities or futures markets. Pure risk refers to a loss or no loss situation that is generally dealt with through insurance. Natural and man-made disasters, civil/labour unrest, terrorist attacks, criminal acts, unethical practices are some examples of pure risks. Risk Analysis A process to identify assets that need to be protected, the potential risks to the assets and the probability of the risks occurring. 40 ahrals.com

2 ahrals ARC 2007 Risk Assessment The process of evaluating threats to and vulnerabilities and determining the probability of loss or damage of physical assets and estimating their impact on the business or the organisation. Vulnerability The weaknesses prevalent in the security or protection measures for physical assets in a business which can be exploited by an adversary or a threat. Countermeasure The means employed to minimise or eliminate the vulnerabilities of physical assets of a business so as to reduce the likelihood of risk of loss or damage. Countermeasures could consist of a combination of security policies, procedures, processes, personnel, technological, architectural and structural design. Risk anagement The process of identifying, analysing, assessing and employing countermeasures to mitigate or controlling risks to an acceptable level and at an acceptable cost. Cost Benefit Analysis A management tool or process of determining the costs and benefits of various countermeasures and selecting the most appropriate one for risk mitigation. RIK ANAGEENT GOA The primary goal of risk management in an asset protection context is to prevent losses by mitigating risks to minimise injuries to people and reducing losses of or damages to property and other physical assets. The secondary goal of risk management is contribute towards increased effectiveness and efficiency of asset management and operations. RIK ANAGEENT ETODOOGY A generic model of the process of risk management is shown at Figure 1 below. tep 1: Identify Assets This step identifies the physical assets, their value and their criticality to the role, functions and operations of the business. tep 2: Assess Threats & azards This step identifies possible threats and hazards to the physical assets of the business which can cause illness, injuries and death to people or damage, destruction, disruption and losses to the business and its operations. tep A brief description of the process is as follows: itigate Risks 5 6 Determine Risks Countermeasures & Options Identify Assets 1 onitor, Review, Communicate & Consult 4 3: Assess the Vulnerabilities This step identifies the vulnerabilities, sources of risk and the exposure of people and assets to the specific threat or hazard as well as the existing controls and risk mitigation measures, their inadequacies and weaknesses. Assets Risks Figure 1 - Generic Risk anagement odel (Adapted from Australian New Zealand tandard AN/NZ 4360) tep 4: 2 3 Assets Threats & azards Assets Vulnerabilities Analyse the Risks This step analyses the risks using quantitative and qualitative methods or a combination of both to determine the level of risk associated with specific threats and hazards. This step defines the potential likelihood (probability or frequency) of the threat or hazard occurring and the potential consequence (impact or magnitude of the effect) if it should occur. The questions to be addressed in this step are the likelihood of risks occurring with the existing controls/measures in place and the impact of the threats and hazards in terms of: The potential consequences if the risk should occur Assets and resources affected Costs both direct and indirect People Operations, activities, performance Intangible losses ahrals.com 41

3 ahrals ARC 2007 Table 1 Threat Probability Ratings evel ikelihood (Probability) Description A B C D E Table 3 Risk atrix Almost Certain ikely oderate Unlikely Remote Almost Certain ikely oderate Unlikely Remote Table 2 Threat Impact Ratings (Adapted from Australia New Zealand tandard AN/NZ 4360) evel Impact Description Catastrophic Critical edium ow Negligible Consequences ikelihood Catastrophic Critical edium ow Negligible = igh Risk: Requires measures to eliminate or reduce the risk = ignificant Risk: enior management attention required. = oderate Risk: anage by specific monitoring or response procedures. = ow Risk: anage by routine procedures. Given no changes, the event will occur. The likelihood of occurrence is much greater than that of non-occurrence. The event is more likely to occur than not to occur. The event is less likely to occur than not to occur. This does not imply impossibility, but merely improbability. The event may occur in exceptional circumstances. Death, huge financial loss, facility is totally disabled and operations will be disrupted for a long term. Extensive injuries, loss of operational capability and high financial loss edical treatment required, medium financial loss First aid treatment and low financial loss No injuries, negligible financial loss The relationship between the likelihood and consequence will help derive the level of risk according to the matrix at Table 3 below. Possible ratings for probability and consequences (impact) are shown in Tables 1 & 2 below (Adapted from Australian New Zealand tandard A/NZ 4360). tep 5: Assess and Prioritise the Risks This step determines if risks are acceptable or unacceptable. If a risk is considered unacceptable, then it is reviewed and prioritised for action. Responsibility for risk treatment or mitigation is also assigned in this step. An important point to be considered is that an acceptable risk is not necessarily an insignificant risk. tep 6: itigate the Risks This objective of this step is to formulate the risk management plan to select the appropriate countermeasures and allocate the funds, material, personnel, time and other resources to implement the required measures to mitigate the risks. This step will achieve the following: Prioritised risks with assigned re sponsibility for risk treatment or mitigation Identification and evauation of risk mitigation strategies as: Risk avoidance (e.g. locate facility in less risk prone area) Risk transfer (largely through insurance) Risk reduction (adopting measures to reduce risk which may include risk pooling or spreading) Risk absorption (business owner s decision to accept the risks) ONITORING AND REVIEW At every step of the risk management process, there must be continu- 42 ahrals.com

4 ahrals ARC 2007 ous communication and consultation between management and all the parties concerned. It is also desirable to document every step of the risk management process to facilitate the monitoring and review. After the risk mitigation measures are implemented they must be reviewed periodically to ascertain their relevance and effectiveness. Corporate management and staff must carry out their responsibilities to ensure that the measures are maintained over time. The risk management process is a continuous one that must be sustained throughout the business life cycle. Risks are dynamic and are very likely to change from time to time. OTER TOO FOR RIK ANAYI Risk analysis is not confined to security threats alone. It can also be applied to other threats or risks in the business activities, its facilities or operating processes, which are hazardous in nature and may endanger life safety inside and outside the plant including its external environment. Examples of such plants, facilities and processes are chemical plants and nuclear power plants. The risk management methodology will employ various other tools which may be required by national regulatory authorities for risk analysis in accordance with the requirements specified by law, codes, or industry standards. A discussion on these tools is outside the scope of this article. ome of these tools are: Cause consequence analysis Use of a combination of fault and event trees to project causes of acci dents and outcomes. Checklists A comprehensive list of questions that is used to check compliance to established practices and standards. Event tree analysis Graphical representation of possible outcomes of an accident triggered by an event. Failure modes and effects analy sis (FEA) Tabulation of equipment and their associated single point failure modes, consequences and safe guards. Failure modes, effects and criticality analysis (FCEA) An extension of FEA by inclusion of the criticality analysis. Fault tree analysis Use of graphical model to display various combinations of equipment failures and human errors that can cause the main system failure. uman reliability analysis ystematic evaluation of factors that influence the performance of operators, maintenance staff, technical and other staff. What if analysis Brainstorming by a group of experienced persons on concerns over undesirable incidents. QUAITITATIVE AND QUANTITATIVE APPROACE IN RIK ANAGEENT Risk assessment is a means of identifying and assessing the likelihood of a threat or hazard occurring and the potential damage or loss that can be caused by that event so as to justify security countermeasures for the protection of a business. There are generally two different methods for the assessment of risk as described below. The Qualitative ethod This method of assessing risks or threats is based on judgement, intuition and experience to determine the possible risks, the potential damage or loss. Under this method, no numbers or monetary values are assigned to assets and losses. The method examines different scenarios of risk possibilities and ranks the seriousness of the threats relative to the sensitivity of the asset. ome of the methods used are; Expert Interviews, Wideband Delphi Technique, Brainstorming, Nominal Group Technique, Affinity Diagram and Analogy Techniques. An example of a qualitative risk matrix is shown at Figure 2 below. Figure 2 Qualitative Risk Assessment atrix RIsk igh eduium ow A C C E P T N O N I T O R Resolve ANAGE CR CA IPACT (Note : N = Negligible, = arginal, Cr = Critical, Ca = Catastrophic) ahrals.com 43

5 ahrals ARC 2007 The Pros and Cons of the Qualitative ethod are as follows: - Pros Is simple, readily understood and executed Cons acks uniformity and consistency although it provides some order of measurement. cenario 1 The following is an example of risk exposure computation for an asset such as plant/machinery in a production facility with the following cost attributes: Provides a general indication of significant areas of risk that should be addressed. The Quantitative ethod This method attempts to assign real numbers to the cost of countermeasures and the extent of damage that can occur. The quantitative model is based on the following steps: Assigning values to assets Estimating the potential loss per risk event Performing risk assessment Deriving the overall loss potential per risk Choosing countermeasures for each risk Determine risk response The quantitative method uses the following metrics: Asset Value Valued at cost or replacement value Exposure Factor (EF) Percentage of asset loss that could be caused by an identified threat. ingle oss Expectancy (E) The product of asset value and exposure factor; (i.e., V x EF) Annualised Rate of Occurrence (ARO) Estimated frequency of a threat occurring within a year. It is calculated on an annual basis. For e.g., a threat occurring once every 10 years has an ARO of 0.1, a threat occurring 10 times a year will have an ARO of 10. Annualised oss Expectancy (AE) E x ARO Countermeasure Cost/ Is subjective in both processes and metrics Cannot provide cost benefit analysis Benefit Analysis (AE before implementing the counter measure minus AE after implement ing the countermeasure) (Annual Cost of Countermeasure) = Value of Countermeasure to the Business. Total cost of loss is expressed by the formula {Tc=(Cp+Cr+Ct+Ci) I} Where Tc = Total cost of loss, Cp = Cost of replacement, Ct= Cost of tem porary substitute, Cr = Total related costs, Ci = ost income cost, I = Available insurance or indemnity (adapted from Protec tion of Assets anual). Pros Applies probability concepts to determine the likelihood of a threat occurring or not occurring. Information is expressed in monetary values with supporting rationale. Risk assessment results are derived and expressed in management language. A. Value of Asset = $ 5,000,000 B. Annual Insurance Premium = $ 100,000 C. Cost of lost production (if disabled) = $ 600,000 D. Other Costs = $ 200,000 E. Insurance Claim Payout (estimate) = $ 4,000,000 Notes: 1) Cost of lost production is the loss of revenue arising from the as set being unavailable. It alsoin cludes profits lost that would have been generated by other assets that are dependent on the availability of this machine. 2) Other costs may include addition al insurance premiums, adverse publicity etc 3) Items D & E may need to be qualified by a time period. The risk exposure is arrived by the formula (A+B+C+D-E) which in the above example is equal to [($ 5,000,000+$ 100, 000+$600,000$+$200,000)-$4,000,000] = $ 1,900,000 The Pros and Cons of the Quantitative ethod are as follows: - Cons Purely quantitative analysis is not possible because quantitative measures must be applied to qualitative elements. Can be less ambiguous but using numbers can give appearance of specificity that does not really exist. Vast amount of data has to be obtained and managed. 44 ahrals.com

6 ahrals ARC 2007 cenario 2 A Company s assets (plant, ma chinery, raw materials, work-inprocess and finished goods) are valued at $ 100 million. Based on past history, the manage ment assessed the AE (annual loss estimate) that without any se curity countermeasures to mitigate risk of loss; annual losses could amount to $ 10 million with a 0.3 probability. anagement assessed that with security countermeasures in place the probability of loss would be only 0.1 and the loss amount was estimated at $ 3 million The initial capital cost of install ing the security countermeasures is $ 1 million. The annual recur ring cost of operating and main taining the security countermeas ures are estimated at $ 200, 000. Based on the above scenario, should the company s management invest in security countermeasures? cenario 3 Another quantitative tool in risk analysis is the estimate of return on investment in security countermeasures. This is illustrated in Table 4 below; A statistical decision tree model can be used to assist management in arriving at a decision as shown in figure 2 below. Figure 2 - Decision Tree odel $ 3.7 $ 0.2 $ 3.9 AE $ 7.9 $ 0.2 $ 7.9 $ 1 $ 2.7 $ 7 $ 0.9 P = 0.1 P = 0.9 P = 0.7 P = 0.3 $ $ Note: = No oss. = oss, P = Probability of event occurring, = ecurity Countermeasures in place, = No security countermeasures in place, AE = Annual loss estimate The decision tree analysis shows that the Annual loss estimate is significantly lower with the security countermeasures in place than with out them. Table 4 Return on Investment In ecurity Countermeasures Without ecurity easures With ecurity easures Assets Value (A) $ 50 million $ 50 million Probability of Risk (B) Direct cost of loss (C) $ 40 million $ 10 million Other costs (D) $ 5 illion $ 1 million oss of Income (E) $ 8 million $ 2 million Insurance payout (F) $ 32 million $ 8 million Deductibles (G) $ 8 million $ 2 million Annual oss Estimate (AE) = (C+D+E)-(F-G) $ 29 million $ 7 million Difference in AE $ 29 million - $ 7 million = $ 22 million Investment in security countermeasures $ 0 $ 1 million Return on investment (ROI) 22/1 = 22 Comparison & Contrast Between Quantitative & Qualitative ethods Attributes Quantitative Qualitative ethod ethod Independent and Objective etrics - Cost/Benefit Analysis - onetary Based - Work effort, cost and time - Volume of information required - Ease of automation - Degree of subjective judgement (assumptions) - Value of Information Understood - There are several computer software programmes available to automate the risk analysis process. A discussion on the different software based programmes and methods is outside the scope of this presentation.

7 ahrals ARC 2007 BENEFIT OF RIK ANAGEENT ome of the benefits of applying risk management are: Clear definition and identification of potential threats and risks. ystematic, well informed and thorough method of decision making in determining countermeas ures to eliminate or reduce risks to acceptable levels and at acceptable costs. inimised disruption to business operations and optimal utilisation of resources. Increased opportunities for risk education, awareness and promoting a corporate culture that is not risk averse for continued improvement. CONCUION Risk management is a systematic and analytical process to determine the likelihood of a threat or hazard occurring at a business, and to identify countermeas- ures to minimise risk and mitigate the consequences of an attack or loss event. It is impossible to eliminate risk totally, but proactive measures can be taken to reduce it. The risk management process consists of several elements; the identification of assets and threats, an analysis and assessment of the threats and risks, prioritising and mitigating risks through selected countermeasures and continuous monitoring review, consultation and communication. Risk management should be undertaken as a team effort with the active support and participation of the corporation s senior management. There must be a conscious and continuous effort to promote risk awareness to educate management and staff on the benefits of having an effective risk management programme. This will foster a corporate culture that is not risk averse. Adopting an active risk management programme can contribute to loss prevention and increased profitability. It can also contribute increase efficiency in physical asset management and operations to sustain business continuity. References: AI International (2003). General ecurity Risk Assessment Broder, James (1999). Risk Analysis and the ecurity urvey. Butterworth-einemann, Woburn,.A., UA Fay, John, Jay (1993). Encyclopaedia of ecurity anagement. Butterworth-einemann, Woburn,.A., UA Fennelly, awrence, J. (1996). andbook of oss Prevention & Crime Prevention (3rd Edition). Butterworth_einemann, Woburn,.A., UA Purpurra, Philip, P. (1998). ecurity and oss Prevention An Introduction. Butterworth_einemann, Woburn,.A., UA ennewald, Charles, A (2003). Effective ecurity anagement (4th Edition). Butterworth-einemann, Woburn,.A., UA Walsh, Timothy & ealy, Richard, J (2001). Protection of Assets anual. erritt Corporation, anta onica, California, UA. Australia-New Zealand tandard: 4360: tandards Australia, ydney About the Author A K oorthy, CPP, FyI, FI holds a Bc (ecurity) and c (ecurity anagement) degree from Edith Cowan University, Western Australia. e is Board Certified in ecurity anagement (Certified Protection Professional) by AI International also a Fellow of The ecurity Institute, United Kingdom of Great Britain and the International Institute of ecurity & afety anagement. e is presently a Principal ecurity Consultant with ecurity olutions Pte td, ingapore. e is a volunteer leader in AI International and is presently its enior Regional Vice President of AI International Group 18 (which includes India & outh East Asia). oorthy has contributed articles to regional security publications and has also presented papers at regional security conference. (The views expressed in this article are entirely the author s own and do not necessarily reflect that of AI International). 46 ahrals.com