Risk Assessment as a Foundation for Disaster Preparedness

Size: px

Start display at page:

Download "Risk Assessment as a Foundation for Disaster Preparedness"

Matthew Nelson
5 years ago
Views:

Risk Assessment as a Foundation for Disaster Preparedness Jeffrey A.

2 Session Objectives Poorly Managed Disasters are Expensive Understand the Concept of Loss Learn about Organizational Resilience and its relationship to Enterprise Longevity All Hazard Risk Threat and Vulnerability Assessments are essential for Enterprise Security Risk Management. Assessment by the Pound is neither efficient or analytical. You need quality information to make good decisions. Business Buy-In to the risk program only occurs if we can make the Business Case. Copyright 2016 OR3M, Do Not Reproduce Without Permission 2

RISK, RESILIENCE, AND REWARD Copyright 2016

4 When Disaster Happens People Seek Leadership Everyone else is having an emergency you are doing your job In a stress situation people will resort to their lowest common denominator of training. Practice makes perfect. Goodwill and good intentions cannot be relied on in an disaster. Communication is the first medium to fail Vulnerable populations need to be included in planning Incorporate supporting partners in planning Copyright 2016 OR3M, Do Not Reproduce Without Permission 4

5 Hindsight is 20/20 "Study the past if you would define the future..." Confucius What would you have done? BP Oil Spill in the Gulf The Tohoku Earthquake and Tsunami San Bernardino Terrorist Attack Copyright 2016 OR3M, Do Not Reproduce Without Permission 5

7 The Value of Risk Loss of Revenue Stream Loss of Public Confidence Loss of Civil Order Loss of Life Loss of Personnel Loss of Supply Chain Loss of Utility Loss of Facilities Loss of Finances Loss of Communication Loss of I.T. Systems 7

Resilience Definition Resilience is an organization s ability to quickly, efficiently, and effectively adapt to a change such as disruptive events

8 Resilience Definition Resilience is an organization s ability to quickly, efficiently, and effectively adapt to a change such as disruptive events (natural, intentional or unintentional), by implementing adaptive, proactive and reactive strategies. Copyright 2016 OR3M, Do Not Reproduce Without Permission 8

9 Benefits of Resilience Fewer surprises. Exploitation of opportunities. Improved planning, performance and effectiveness. Economy and efficiency. Improved stakeholder relationships. Improved information for decision making. Enhanced service delivery and reputation. Accountability, assurance and governance. Resilience Business Continuity Disaster Recovery Emergency Management ERM Compliance Enterprise longevity. Copyright 2016 OR3M, Do Not Reproduce Without Permission 9

10 Defining the Problem Problem Solving Process; 1. Identify the Problem 2. Gather Facts 3. Generate Options 4. Evaluate and Implement 5. Monitor Results In our industry we have a process for defining the problem it is called an all hazards risk, threat, and vulnerability assessment. Copyright 2016 OR3M, Do Not Reproduce Without Permission 100

11 What is a Risk, Threat, and Vulnerability Assessment? A Vulnerability Assessment is a systematic evaluation in which quantitative and or qualitative techniques are use to predict Physical Protection System component performance and overall system effectiveness by identifying exploitable weaknesses in asset protection for a defined threat. Dr. Mary Lynn Garcia, Vulnerability Assessment of Physical Protection Systems; Copyright 2016 OR3M, Do Not Reproduce Without Permission 111

12 What is a Risk, Threat, and Vulnerability Assessment? The world according to Jeffrey A. Slotnick, CPP, PSP An all hazards, Risk, Threat, and Vulnerability Assessment is a can be a systematic evaluation which should be real-time, persistent, and accurate. Enterprise Risk Management Copyright 2016 OR3M, Do Not Reproduce Without Permission 122

Traditional Formula R=Pa*(1-Pe)*C Copyright

Enterprise Risk View ISO 31000 Includes Manmade, Technological, and

16 Finding Balance To cost-effectively manage risk, balanced strategies must be developed that adaptively, proactively and reactively address minimization of both the likelihood and consequences of disruptive events. 166

17 So, how do you Accomplish Risk Assessments? Paper Based? MS Word Document? Excel Spreadsheet? Checklist? Template? Automated Tool? Do you own the data? Others? Assessment by the Pound? Copyright 2016 OR3M, Do Not Reproduce Without Permission 177

19 How Do You Manage? How do you manage large assessments, enterprise wide assessments, multiple facilities, and multiple verticals? What do you do with the information you gather? Copyright 2016 OR3M, Do Not Reproduce Without Permission 199

1. Is your Risk, Threat, and Vulnerability Assessment Mission Critical? 2.

20 The Value Stream All Mission Critical Enterprise Functions, public or private, should deliver the right information, at the right time, within the right context, to create value and mitigate risk. 1. Is your Risk, Threat, and Vulnerability Assessment Mission Critical? 2. Does your assessment provide the right information so leaders, can understand enterprise risks and its opportunities. 20

The True Value of a Properly Accomplished Risk Assessment Maximize results of traditional Risk, Threat, and Vulnerability Assessments Obtain information and intelligence from the assessment to drive

21 The True Value of a Properly Accomplished Risk Assessment Maximize results of traditional Risk, Threat, and Vulnerability Assessments Obtain information and intelligence from the assessment to drive the value proposition for security systems and personnel. Engage a method for aligning security department goals with enterprise goals. Ensure your security strategies are linked to the strategies of the Enterprise. Copyright 2016 OR3M, Do Not Reproduce Without Permission 21

22 W. Edwards Deming Continuous improvement requires that good data be collected Without accurate data, how can anyone tell if things are getting better or worse? "There is no substitute for knowledge." Copyright 2016 OR3M, Do Not Reproduce Without Permission 22

Risk Assessment Data Data must be organized; often in forms Forms must be correlated and compared; analytics Analytics leads to intelligence Intelligence leads to

23 Risk Assessment Data Data must be organized; often in forms Forms must be correlated and compared; analytics Analytics leads to intelligence Intelligence leads to action Action leads to results Results have metrics Metrics can lead to continuous quality improvement Copyright 2016 OR3M, Do Not Reproduce Without Permission 23

24 A New Way of Thinking View the assessment process as Data Points. Quantify, Rank, and Analyze the Data Portray the data for security related business decisions. Data is subjected to analytics. Copyright 2016 OR3M, Do Not Reproduce Without Permission 24

25 What are the Data Points Nature of the Threat Threat level by facility, region, or vertical Compliance requirements, ISO, Govt. or Industry Measure of Loss and Consequence by type and impact Vulnerability by type and impact Physical Security Network Architecture Integration Mapping Guard Force Management Policies, Procedures, and Plans by type and effectiveness Copyright 2016 OR3M, Do Not Reproduce Without Permission 25

26 Final Thoughts An all hazard Risk, Threat, and Vulnerability Assessment is not a project, it is not static, it is a persistent process in real time. When the data obtained is properly evaluated and analyzed we gain critical information for Enterprise Risk Management and Business Process. Copyright 2016 OR3M, Do Not Reproduce Without Permission 26

27 Take Away s All Hazard Risk Threat and Vulnerability Assessments are the entry point for ESRM. Poorly Managed Disasters are Expensive Organizational Resilience is essential to Enterprise Longevity Assessment by the Pound is neither efficient or analytical. You need quality information to make good decisions. Business Buy-In to the Enterprise Risk program only occurs if we can make the Business Case. Copyright 2016 OR3M, Do Not Reproduce Without Permission 27

Understand you can t eat a whole pie at once but you can enjoy each bite. 5.

28 How do we get there from here? 1. Create a Vision and Paint a Picture 2. Detail what success looks like 3. Create metrics to quantify success 4. Understand you can t eat a whole pie at once but you can enjoy each bite. 5. Keep your eye on the long term 6. Celebrate your successes 7. Maintain Momentum by Communicating, Planning and Reaching for the Next Step Copyright 2016 OR3M, Do Not Reproduce Without Permission 28

29 Thank You, Jeffrey A. Slotnick CPP, PSP Success demands a high level of logistical and organizational competence. General George Patton Jr Copyright 2016 OR3M, Do Not Reproduce Without Permission 29

The New Enterprise Security Risk Manager

SETRACON INC. Committed to excellence in Security, Training, and Consulting Services The New Enterprise Security Risk Manager Jeffrey A. Slotnick, PSP, CPP President Setracon Inc. Partner in OR 3 M Copyright