Keywords

consequence; asset; threat; vulnerabilities; human impact; economic impact; public confidence

Introduction

Chapter 2 discusses the question “What is risk?” This chapter continues that discussion and explores how to determine the consequences of an incident. The potential, or risk (R), for an adverse outcome is assessed as a function of threats (T), vulnerabilities (V), and consequences (C) associated with an incident, event, or occurrence.

$\mathrm{R}=\mathrm{T}\times \mathrm{V}\times \mathrm{C}$

The product or process that collects information and assigns values to risks for the purpose of informing priorities, developing or comparing course of action, and informing decision making is considered a risk assessment.

If previous chapters, we have discussed risk, threats, and vulnerabilities. Now we will cover the consequences of an incident.

Considering the Consequences

Although we are discussing it last, the potential consequences of an incident, such as a terrorist attack or a natural or man-made disaster, are the first factors to be considered in risk assessment.

In the context of the National Infrastructure Protection Plan (NIPP), consequence is measured as the range of loss or damage that can be expected.

Let’s take a look at the formula that has shown up in this text and evaluate how we consider risk. Aspects of this process are:

Some questions to ask are:

What is the risk assessment process? This part of a threat analysis will assist you in identifying real risks to your organization. It will assist your team with taking a look as actual probability of an occurrence to your organization and the actual result of impact to your organization.

Consequences are based on criteria in Homeland Security Presidential Directive 7 (see Chapters 1 and 6). Consequence criteria can be broken into four categories:

Economic Impact

Economic impact consists of the direct and indirect effects on the economy, including the cost to rebuild the organization, the cost to respond to and recover from an attack, indirect costs resulting from disruption of product or service, and long-term costs from environmental damage.

A prime example of this type of impact is the BP oil spill also known as the Deepwater Horizon oil spill in the Gulf of Mexico in April 2010 (Fig. 9.1). The spill had a strong EI to BP and on the Gulf Coast’s economy sectors such as offshore drilling, fishing, and tourism. BP’s expenditures on the spill included the cost of the spill response, containment, relief well drilling, grants to the Gulf States, claims paid, and federal costs (including fines and penalties). As of March 2012, BP estimated that the company’s total spill-related expenses were approximately $37.2 billion.¹

Determining Consequences

When determining consequences, what does a full consequence assessment consider? It considers:

Can we accurately estimate the consequences? The consequence assessment worksheet (Table 9.1) can be used to assign a numerical value to the potential consequences of a threat or hazard incident.

The Human Impact (HI) value is based on the estimate of the percentage of personnel in the vicinity of the asset that will be killed or sustain severe illness or injury. Psychological impact is not included in HI, only physical impact. The EI value is based on an estimate of the percentage of the total value of the asset that is lost as a result of the incident. The worksheet does not allow a “zero” value for EI for any incident.

In an incident such as a poison gas attack, the majority of the consequences are deaths and illnesses, but there will also be EI because of facility decontamination, lost operating time, and other factors. In any incident in which injury or death occurs, some EI must be estimated.

The total consequence score is the sum of the HI and EI values. These estimates do not consider all the many variables involved, but they serve as a simple model to rank HI and EI on a scale of 1 to 10, where 10 indicates maximum severity. You will need to complete the HI and EI worksheet for each of the scenarios: (1) a terrorist attack (2) a natural disaster, and (3) a man-made disaster

$\text{HI}+\text{EI}=\mathrm{C}$

A list of potential consequences of an incident is listed below. Note that items in this list are not independent. In fact, one can lead to another. For example, release of hazardous material can lead to injury or death.

Undesirable incidents of any sort detract from the value of an enterprise, but safety and security incidents can have longer term negative impacts than other types of incidents on all stakeholders, employees, shareholders, customers, and the communities where an organization operates.

Risk Assessment: The Applied Approach

Prioritizing vulnerabilities must include consideration of the consequences of an attack that exploits the specific vulnerability. What happens if someone gets through? What’s the worst thing that can happen? Based on threat knowledge, what’s the most likely thing that could happen? After the scenarios are defined, the consequences can be predicted.

$\mathrm{R}=\mathrm{T}\times \mathrm{V}\times \mathrm{C}$

T is threat (or hazard) from the jurisdictional threat (hazard) worksheet (value 1–10), V is vulnerability from the vulnerability assessment worksheet (score 1–12), and C is consequence value from the consequence assessment worksheet (value 1–10).

$\text{Plotprobability}(\mathrm{T}\times \mathrm{V})\text{vs}.\mathrm{C}$

Various methodologies are available to facilitate risk assessment. Many owners and operators use a risk assessment methodology as a component of their business continuity and disaster mitigation planning.

A common approach based on a robust understanding of existing methodologies is needed to enable the setting of protection priorities across sectors.

The first element of this approach is to establish a common definition and process for analysis of the basic factors of risk Critical Infrastructure and Key Resources (CIKR) protection. In the context of homeland security, the NIPP framework assesses risk as a function of consequence, vulnerability, and threat:

$\mathrm{R}=\mathrm{T}\times \mathrm{V}\times \mathrm{C}$

Risk assessments for CIKR protection consider all three components of risk and are conducted on an asset, system, network, or function basis, depending on the fundamental characteristics of the infrastructure being examined.

For some sectors, particularly those with specifically identifiable facilities that might be exploited, an asset-based approach is typically used; for others, particularly those with virtual or information based core processes, assessing system or network risk and resiliency is more appropriate.

Risk assessment combines the probability of an incident occurring with the severity (consequence) of an incident to “prioritize” vulnerabilities. The risk assessment diagram combines threat and vulnerability (T×V) into a probability that the event could occur and plots that probability against the severity (consequence, C) (Fig. 9.2).

Risk Definitions

Numerical values can be assigned to each of the factors. The total risk values are calculated by using a variety of formulas and a sample of this approach is show below:

$\mathrm{R}=\left(\mathrm{T}\times \mathrm{V}\right)\times \mathrm{C}$

Overall, the Department of Homeland Security Risk Lexicon defines part of risk, as a hypothetical situation comprised of a hazard; an entity impacted by that hazard, and associated conditions including consequences when appropriate.

What has been covered in this chapter is the expected magnitude of loss due to a terrorist attack, natural disaster, or other incident, along with the likelihood of such an event occurring and causing that loss. The DHS Risk Lexicon defines Risk Assessment as a process bycollecting information and assigning the values to certain risks for the purpose of informing priorities, the ability to prepare action plans and assist in the decision making process.

The consequences that are considered for the nation-level comparative risk assessment are based on the criteria set forth in HSPD-7 which we discussed in the beginning of the text. This chapter discussed the following four categories:

Various practices are available to complete a risk assessment. A common approach based a the understanding of existing practices is needed to enable the setting of protection across sectors. The basic element of this approach is to establish a common definition and process for analyzing the basic factors of risk for CI/KR protection.

In the context of homeland security, the National Infrastructure Protection Plan framework assesses risk as a function of consequence, vulnerability, and threat. These values can be assigned and a total risk value is calculated. Once the values have been assigned you can then prioritize the values.

Risk assessments consider all three components of risk and are conducted on functional basis depending on the fundamental characteristic of the actual infrastructure being assessed.