Risk Management Plan

1
Risk Management Plan

• A key component to any risk management plan is
  the establishment of a risk assessment.
• The risk assessment process calls for
  comprehensive deliberation of likely risks, not
  necessarily all risks
• Effective risk assessments can assist in
  revealing possible threats, identifying potential
  targets as well as the vulnerabilities of the
  targets

2
3 Components of a Risk Management Plan

• Threat assessment
• Criticality assessment
• Vulnerability assessment

3
Threat Assessment

• A threat assessment may be used as a decision
  support tool to assist in creating and
  prioritizing security-program requirements,
  planning, and resource allocations
• Deals with such issues as how operations might be
  negatively affected or what weaknesses can be
  identified

4
Criticality Assessment

• A criticality assessment is a practice, based on
  a variety of factors, that recognizes and
  calculates important
• Assets,
• Infrastructure
• Critical functions

5
Criticality Assessment Factors

• May include
• The importance of its mission
• Function
• Whether people will be at risk
• Significance of the structure or system

6
Vulnerability Assessment

• A vulnerability assessment is an evaluation of
  those areas that are susceptible to an attack by
  an individual(s) who desire to create physical or
  psychological harm to an organizations
  infrastructure, including its employees or
  patrons

7
Vulnerability Assessment

• A vulnerability assessment assists in the
  identification of weaknesses that may be
  exploited and suggest options to eliminate or
  address those weaknesses

8
Vulnerability Assessments

• Vulnerability assessment might reveal
• Weaknesses in an organization's security systems
• Avenues of ingress and egress
• Distance from parking lots to important buildings
  as being so close that a car bomb detonation
  would damage or destroy the buildings and the
  people working in them.
• Facility access
• Food vendor access
• Areas for concealed threats
• Access to locker rooms
• Lighting and entrance

9
Risk Management

• While risk management will not work miracles, it
  can assist in the preparation to reduce the
  number of potential untoward surprises
• However, even when serious risk management
  efforts are employed, it is unlikely that actions
  that may disrupt events may be accurately
  predicted.
• One of the great tests faced in risk managing is
  to bridge the gap between the anticipated events
  surfaced through risk management and reality

10
Fundamental Elements of Risk Management

• Likelihood
• Deals with the probability that an attack or
  injurious situation can occur
• Impact
• Deals with the effect of an attack or injurious
  situation on the organizations reputation,
  economic,

11
Theory of Probability

• The theory of probability follows that once the
  frequency of an incident occurring over time
  becomes small enough, effectively equaling zero,
  the potential of the incident occurring may be
  viewed as outside the range of appropriate
  concern (Rescher, 1983).

12
Theory of Probability

• According Vickers (2001), to solely use deductive
  reasoning when incidences that have not
  previously occurred or knowledge is minimal
  presumes logical omniscience.
• Korcz (2000) proposed that a persons reason for
  doing anything is justified through hard data or
  the individual will not be able to reasonably
  develop, implement, or manage a plan.
• While likelihood is difficult to ascertain, the
  impact may be inferred relative to cost.

13
Example

• A sport event manager may view the likelihood
  that a stadium or arena being the focus of a
  terrorist attack to be near zero.
• While this prospect is relatively low in risk,
  the impact would be great if in catastrophic
  event could have been prevented or mitigated
  through relatively inexpensive security measures

14
Security Measures

• Operative security measures can be defined as any
  item that may reduce a foes capability to take
  advantage of a targets vulnerabilities.
• Security policies and procedures are developed as
  a result of effective risk management planning

15
Synergizing Risk Management with Security Planning

• Traditionally, risk management plans have helped
  to ensure the protection of the agency by
  supplying a structure for managers in finance,
  security, and human resources
• Security plans describe the way of making the
  intent of the risk management plans concrete.

16
Synergizing Risk Management with Security Planning

• A risk management plan, then, provides a
  framework while security plans provide a road
  map for the implementation and conduction of the
  risk management plan.
• Security for any system should be commensurate
  with its risks.
• Risk management and security should be a
  never-ending process they should be analyzed and
  evaluated on a daily basis.

17
Synergizing Risk Management with Security Planning

• Security measures can include improvements in
  physical protective systems or changing
  procedures to minimize the potential of being
  victimized.
• If risk management plans are not communicated to
  all members of the organization on a regular
  basis the security measures cannot be enacted.

18
S.W. v. Spring Lake School District (1997)

• After completing the test the girl went into the
  locker room to change into her normal school
  clothes.
• While changing she was raped by an intruder.
• Even though a swim instructor, clerical worker,
  and school custodian reported having seen the
  offender around the girls locker room, they felt
  that there was no responsibility on their part to
  refer the offender to the principals office for
  a visitors pass since the teachers handbook did
  not address anyone except the schools fulltime
  teachers and had no application to part-time
  instructors, clerical personnel, or custodians.

19
S.W. v. Spring Lake School District (1997)

• A memorandum from the school principal asked the
  teachers to make certain that either a plan
  regarding locker room security be developed or
  that each department take appropriate action to
  secure locker rooms.
• The school district conceded that it had no
  security policy.