THC 113 Chapter 1

Unit One

Risk Assessment within the Framework of Risk Identification, Risk Analysis and Risk Evaluation

RISK ASSESSMENT

Risk Identification
• Find the risk
• Recognize the risk
• Describe the risk

Risk Analysis
• Comprehend the nature of risk and its:
  • characteristics;
  • sources;
  • consequences;
  • likelihood; and
  • scenarios

Risk Evaluation
• Support fact-based and science-based decision

RISK MANAGEMENT

WORDS TO REMEMBER

• RISK, which is usually expressed in terms of sources, events, consequences and likelihood, is the effect of uncertainty on objectives. (PNS ISO 31000:2018)
• EFFECT is a deviation from the expected, which can be positive, negative or both, and can address, create or result in opportunities and threats.
• OBJECTIVES can have different aspects and categories and can be applied at different levels.
• RISK MANAGEMENT is the set of coordinated activities to direct and control an organization with regard to risk.

RISK MANAGEMENT PRINCIPLES

• INTEGRATED. It is an integral part of all organizational activities.
• STRUCTURED AND COMPREHENSIVE. A structured and comprehensive approach to risk management contributes to consistent and comparable results.
• CUSTOMIZED. The risk management framework and process are customized and proportionate to the organization’s external and internal context related to its objectives.
• INCLUSIVE. Appropriate and timely involvement of stakeholders enables their knowledge, views and perceptions to be considered, resulting in improved awareness and informed risk management.
• DYNAMIC. Risk management anticipates, detects, acknowledges and responds to changes and events in an appropriate and timely manner.
• BEST AVAILABLE INFORMATION. The inputs to risk management are based on historical and current information and on future expectations. Information should be timely, clear, and available to relevant stakeholders.
• HUMAN AND CULTURAL FACTORS. Human behavior and culture significantly influence all aspects of risk management at each level and stage.
• CONTINUAL IMPROVEMENT. Risk management is continually improved through learning and experience.

• RISK ASSESSMENT, which is the overall process of risk identification, risk analysis and risk evaluation, should be conducted systematically, iteratively and collaboratively, drawing on the knowledge and views of stakeholders. It should use the best available information, supplemented by further inquiry as necessary.

FACTORS TO BE CONSIDERED IN RISK IDENTIFICATION

• Tangible and intangible sources of risk;
• Causes and events;
• Threats and opportunities;
• Vulnerabilities and capabilities;
• Changes in external and internal context;
• Indicators of emerging risks;
• The nature and value of assets and resources;
• Consequences and their impact on objectives;
• Limitations of knowledge and reliability of information;
• Time-related factors;
• Biases;
• Assumptions; and
• Beliefs of those involved

TYPES OF RISKS

• COMPLIANCE (MANDATORY) RISKS. These involve government-mandated licenses, business permits and requirements.
• HAZARD (PURE) RISKS. These are risks that can prevent and deter achievement of the company’s goals, missions and objectives.
• CONTROL RISKS. These are risks that can cause uncertainty or doubt about the ability to achieve the company’s goals, missions and objectives.
• OPPORTUNITY RISKS. These are risks that are usually deliberately sought or embraced by the organization specifically for the future long-term success of any organization.


• RISK ANALYSIS is an analytical process to provide information regarding undesirable events, in which it estimates probabilities and expected consequences for identified risks.
• EVENT is the occurrence or change of a particular set of circumstances.
• CONSEQUENCE is an outcome of an event affecting objectives.

• The purpose of risk analysis is to comprehend the nature of risk and its characteristics, including, where appropriate, the level of risk. It involves a detailed consideration of uncertainties, risk sources, consequences, likelihood, events, scenarios, controls and their effectiveness.

RISK ANALYSIS SHOULD CONSIDER FACTORS SUCH AS:

• The likelihood of events and consequences;
• The nature and magnitude of consequences;
• Complexity and connectivity;
• Time-related factors and volatility;
• The effectiveness of existing controls; and
• Sensitivity and confidence levels

THREAT AND VULNERABILITY ASSESSMENT

• THREAT ASSESSMENT is the consideration of the full spectrum of threats for a given facility/location. The assessment should examine supporting information to evaluate the relative likelihood of occurrence for each threat.
• VULNERABILITY ASSESSMENT is done to consider the potential impact of loss from a successful attack and the vulnerability of the facility, location or event to an attack.

CATEGORIES OF IMPACT OF LOSS

• DEVASTATING. The facility is damaged/contaminated beyond habitable use. Most items/assets are lost, destroyed or damaged beyond repair/restoration.
• SEVERE. The facility is partially damaged/contaminated.
• NOTICEABLE. The facility is temporarily closed or unable to operate, but can continue without an interruption of more than one day.
• MINOR. The facility experiences no significant impact on operations and there is no loss of major assets.

SAMPLE DEFINITIONS FOR VULNERABILITY RATINGS

• VERY HIGH. This is a high-profile facility that provides a very attractive target for potential adversaries and the level of deterrence and/or defense provided by the existing countermeasures is inadequate.
• HIGH. This is a high-profile regional facility or a moderate profile national facility that provides an attractive target and/or the level of deterrence and/or defense provided by the existing countermeasures is inadequate.
• MODERATE. This is a moderate profile facility that provides a potential target and/or the level of deterrence and/or defense provided by the existing countermeasures is marginally adequate.
• LOW. This is not a high-profile facility and provides a possible target and/or the level of deterrence and/or defense provided by the existing countermeasures is adequate.

RISK EVALUATION

• RISK EVALUATION is a process that is used to compare risk analysis results with risk criteria in order to determine whether or not a specified level of risk is acceptable or tolerable.
• RISK EVALUATION MATRIX is a management tool which accurately assesses business exposure, based on the frequency and severity of identified potential risks.

RISK EVALUATION CAN LEAD TO A DECISION TO:

• Do nothing further;
• Consider risk treatment options;
• Undertake further analysis to better understand the risk;
• Maintain existing controls; and
• Reconsider objectives

RISK EVALUATION MATRIX

• RISK RETENTION is where both the frequency and severity of risk are low; the risk is often retained.
• RISK TRANSFER is where the frequency of risk potential is low, but the severity of a potential incident is high; the most common and traditional approach to risk management is transferring responsibility to other members.
• RISK REDUCTION is where the severity of a potential risk remains low, but the overall frequency of risk is increasing; business operators need to consider ways of reducing their exposure.
• RISK AVOIDANCE is where the frequency and severity of risk potential are both high; business operators should consider cancelling a program or activity.

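Risk evaluation matrix (vertical axis: Frequency of Risk; horizontal axis: Severity of Risk)

                   Low severity     High severity
High frequency     Reduce Risk      Avoid Risk
Low frequency      Retain Risk      Transfer Risk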
