Power Point Presentation

Unit 3 study gudie Lesson

Background to Risk Assessment and Analysis

In a previous unit, we covered risk identification and briefly touched on risk assessment. This unit will address

common questions about risks and common misconceptions. How does one identify threats and the

contributors to those threats? It really depends on the exposure, sensitivity, and risk profile of individuals and

organizations. As we can conclude by now, risk is the opposite of opportunity, but risks can also be used to

create value, depending on the organization. As individuals and organizations evolve, so does the complexity

of risks. Therefore, each entity is unique in what a risk is and what value can be derived from it. As an

example, some risks are acceptable to some entities while the same risks can be catastrophic to others. This

can be defined in terms of a risk profile.

The risk management approach and the risk defined by organizations are contextual. Thus, the risk

management process needs to be uniquely tailored to address the risks and decision-making processes of

the organization. Furthermore, the risk management approach needs to be continuously calibrated to align to

the changes taking place in the environment.

Risks Sources and Causes

Hazards and threats can be considered one and the same, but in different states. Newsome (2014) expands

on this concept by providing an illustration of a river far away as the hazard, but once the river overflows

causing a potential flood nearby, it becomes a threat. Thus, the threat/hazard effect depends on a given state

of the source. However, this should not be confused with risk. Risk is NOT a different state of the source.

UNIT III STUDY GUIDE

Risk Assessment and Analysis

BBA 4226, Risk Management 2

UNIT x STUDY GUIDE

Title

Newsome (2014) reminds us that risk is considered the potential harm as a result of the state of the source

such as the potential losses and damages caused by a fire.

Finding and mitigating the root cause of a potential threat is preferred rather than dealing with the risks after

the fact. The identification and mitigation of the root cause will therefore eliminate the hazard, threat, and risk.

Figure 1 on page 52 in your textbook illustrates the causes and sources of heart disease. The figure not only

illustrates the causal effects of specific behavioral and socioeconomic factors but, if analyzed carefully, we

can also identify the root causes, hazards, threats, and risks of heart disease (Newsome, 2014).

The Department of Homeland Security (DHS) outlined an approach to identify sources and causes of risk

through a process called Threat and Hazard Identification and Risk Assessment (THIRA). The THIRA process

consists of the following four steps:

1. Identify the threats and hazards of concern and classify each one.
2. Describe each threat and hazard by demonstrating how they affect an entity (individual, organization,

or area).

3. Establish capability targets by assessing each threat and hazard within the target’s context and

develop a mitigation plan.

4. Execute the preparedness, avoidance, or mitigation plan. In other words, for each capability target,

estimate the resources needed for avoidance, mitigation, or acceptance (Department of Homeland

Security, 2013)

Note: Capabilities refer to prevention, protection, mitigation, and response.

Risk Strategies

Newsome (2014) says that risks are identified as they relate to a target and its vulnerabilities. A target’s

vulnerability refers to the fact that a target can be harmed by a threat (Newsome, 2014). A target’s

vulnerability exposure changes over time depending on environmental and situational conditions. As an

example, a new car parked on a busy street increases the vulnerability to being damaged as compared to the

same car parked in a garage. In essence, the vulnerability of the target, in this case the car, increases in

direct correlation to the exposure.

A risk management strategy does not wait for risks to take place. A risk management plan starts with

examining potential causes of hazards and threats by developing strategies to minimizing the exposure of

targets to risks. A risk strategy plan prepares for potential risks and outlines the actions required to deal with

the impact of those risks and to recover from them. Presidential Policy Directive-8 (or PPD-8) integrates risk

avoidance using prevention, protection, mitigation, response, and recovery.

 Prevention: Capabilities needed to prevent or stop a hazard from becoming a threat.

 Protection: Capabilities to protect against man-made or natural acts from risks.

 Mitigation: Capacity to reduce damage to targets or lessening the impact from threats.

 Response: Capabilities needed to save or protect targets after an event/incident has occurred.

Figure 2: An Example of Context Description

(Department of Homeland Security. 2013, p. 10)

BBA 4226, Risk Management 3

UNIT x STUDY GUIDE

Title

 Recovery: Capacity of an individual, organization, community, or nation to help targets affected by an

incident recover efficiently. Recovery concentrates on timely restoration and renewal of the targets

(Department of Homeland Security, 2011).

Summary

Risk assessment starts with the identification of hazards, threats, and the level of exposure of targets. The

overall risk profile of an entity can be composed of a complex set of variables that vary depending on the

target. The hazards and threats also vary as a function of time. In addition, there are overlaps between some

of the potential hazards and threats. In essence, the number of combinations of potential risks can be

different, contextually speaking.

Risks can be defined and evaluated by identifying the various factors or variables unique to those risks

(hazards, threats, and exposure). Risks can also be evaluated based on past experience and unique

elements for that potential risk, making it a subjective evaluation of risks. Fundamentally, the evaluation of

risks is based on what is perceived as acceptable or not acceptable in terms of the outcomes of those risks.

References

Department of Homeland Security. (2011). Presidential Policy Directive / PPD-8: National Preparedness.

Retrieved from https://www.dhs.gov/presidential-policy-directive-8-national-preparedness

Department of Homeland Security. (2013, August). Threat and Hazard Identification and Risk Assessment

Guide: Comprehensive Preparedness Guide (CPG) 201. (2nd ed.). Retrieved from

http://www.fema.gov/media-librarydata/8ca0a9e54dc8b037a55b402b2a269e94/CPG201_htirag_2nd_edition.pdf

Newsome, B. (2014). A practical introduction to security and risk management. Thousand Oaks, CA: Sage.