Risk analysis in practice with focus on societal security Jørn Vatn Professor at NTNU http://folk.ntnu.no/jvatn/ppt/RiskAnalysisInPractice.ppt

The Core of the IRGC Framework: The Risk Governance Phases http://www.irgc.org/IMG/pdf/IRGC_WP_No_1_Risk_Governance__reprinted_version_.pdf

Bowtie model – accident scenario what can go wrong? how likely is it? and if, what are the consequences?

4 domains as a basis for risk definition Real world domain Observables such as number of gas leakages next year Scientific cause and effect domain What is the relation between the observables, which theories exists? We do not claim to possess true knowledge in this domain Uncertainty domain (we do not know with certainty) Lack of sure (certain) knowledge regarding future values of observables, current values of observables, and cause & effects Value and preferences domain How desirable the various outcomes in the real world are

What is risk? Conceptual definition: risk is to be understood as the uncertainty regarding the occurrence and the severity of events) Operational definition (expressing uncertainty) R = {<ei,pi,Si>} ei = undesired events pi, = an expression of the uncertainty regarding occurrence of events, i.e., probability statements are the quantitative language to express uncertainty (not an inherent property of the system) Si = Severity of the event, also uncertain, i.e., we need probability statements to express Si

The issue of conditional risk A risk statement is never unconditional, it should reflect many aspects U = the relevant information, the theories, the understanding, the assumptions etc. which are the basis for the risk assessor when risk is assessed D = the result of dialog processes and risk communication processes conducted in order to agree upon which elements of severity to focus on (e.g., fatality rate vs gross accidents) “Ambiguity” V = the result of the verification processes to verify the correctness of the assessment given U and D  R = {<ei,pi,Si>} | D, U, V Be as explicit as possible regarding D, U, V

Complexity and risk Complexity has been defined as interaction between subsystems that cannot be foreseen (Perrow, 1984) If complexity is something we cannot really touch, does it then make sense to assess it’s “risk” Many authors claim that it does not make sense, or that there is so huge uncertainty that risk assessment is valueless Many of these authors see risk as a system property which is hidden behind huge uncertainty We focus on risk as an expression of uncertainty If a system is believed to have many interactions we are not able to foresee or express, most of us will say that system performance is uncertain, and hence operation is “risky”  Risk and complexity make sense In order to express how risky this will be, we need risk analysis

Some challenges in risk modelling of critical infrastructure Many critical infrastructures are network structures The capacity modelling is demanding both with respect to model specification, and calculation (computer time) We need to combine the physical capacity models with probabilistic models for component reliability Common cause failures may disable several critical parts of the network and it is demanding to identify common cause scenarios and define them in the model Interdependency across infrastructures Dependency := one infrastructure depend on another infrastructure Interdependency := mutual dependency between two or more infrastructures, e.g. ICT and Electricity

Main steps in the DECRIS methodology Establish event taxonomy and risk dimensions Perform a simple analysis (like a “standard” ROS) for screening purposes Perform a detailed scenario analysis according to the following criteria High risk The scenario has a large degree of interdependencies between infrastructures The scenario is demanding from a communicative point of view (wrt to decision makers (politicians), and/or the public Analysis of interdependencies Select the main undesired event(s) and the relevant infrastructure elements based on step 2 Investigate the scenarios and the systems in terms of explicit functions and malfunctions Analyse interdependencies of the scenario relative to the functional analysis Apply results in the overall ROS and conclude with respect to overall risk Other detailed analysis http://www.sintef.no/Projectweb/SAMRISK/DECRIS/

Event taxonomy, example of structure

Consequence dimensions to include Life and health Environment Economy Manageability Political trust Supply failure, both quality and availability of delivery Energy supply ICT supply Water supply etc

Calibration of matrixes – what is high risk? Example related to impact:

Risk matrixes, example Probability (5) More than once a year Low risk Medium risk High risk Very high risk (4) Once pr 1-10 year (3) Once pr 10-100 year Very low risk (2) Once pr 100-1000 year (1) Less than once pr 1000 year   (1) Delimited (2) Some damage (3) Serious (4) Critical (5) Catastrophic Consequences

Perform a simple analysis for screening purposes Perform brain storming processes with professionals within selected areas = “standard ROS” For a comprehensive analysis this may lead to more than hundred events for a town like Oslo The events are categorised under the heading of “main event types” Probabilities are used to express uncertainty related to: The frequency of the main event (occurrence probability) The probability of the various consequences, typical a “likely” worst case situation

Probability assessments To support the probability assessment a set of vulnerability factors are identified: Area Culture Degree of coupling Dependency with other social critical functions Duration Geographic scope Mental preparedness Outdoor temperature Population density pr 1 km² Substitution opportunities for infrastructure Time of day

Guideline for assessment, example Vulnerability Factor Influence Comment Degree of coupling (1) Very little Anarchism (2) Little Simple set of rules sufficient for activity functions (3) Medium Complex set of rules sufficient for activity functions (4) Huge Operative governing functions necessary (5) Very huge Strong centralized governed with small tolerance for deviations

Example of result

Case study 1 - Analysis of interdependencies The Oslo-S event on November 27th, 2007 will be used to illustrate the methodology An entrepreneur unwarily broke a cable when digging a ditch, and the cable break led to short circuit and fire at the Oslo S railway station The fire resulted in loss of electric energy supply for vital system paralyzing the region’s rail traffic and transportation systems for 20 hours, 80,000 passengers affected the internet systems for about 10 hours (important customers)

Course of events 22:46 Ditch digging 22:46 Earth fault in cable 23:37 Attempt to reconnect causes fire in cable 23:47 Evacuation of Oslo S, train circulation closed 00:45 All power supply cut (except for backup unit) 02:20 Fire under control 04:30 ICT services close down (no more battery capacity) 04:30 Train control centre reopened, train communication unavailable due to ICT service without power 12:31 ICT service provided with power from diesel aggregate 17:40 ICT service reports full functionality 19:15 Train circulation starts 19:30 Oslo S reopened for travellers

Classical dependency analysis General matrixes have been provided to assess the general dependencies between infrastructures E.g., ICT is very dependent on Electricity Electricity is weakly dependent on ICT These general matrixes may be used to “modify” the result of the ROS analysis The dependency numbers are “general”, and do not provide insight into the specific scenarios  there is a need for a more scenario specific approach

(inter) dependency analysis Two types of dependencies “Common cause”, i.e., location specific, physical dependencies, operational dependencies, common protection against threats etc Functional, or cascading dependencies, i.e., one critical infrastructure depends on the functioning of another critical infrastructure In the dependency analysis these types are treated in two steps As a direct cause of the main event “common cause” failures are identified  identification of functions directly affected As a result of these malfunctions, we search for “cascading effects”

Location vs functional interdependencies

First and second order interdependencies

(Semi) quantification Probability assessment (P) Assessment of the extent of the “event” (E) Assessment of the duration of the event (D)  “dependency measure” may be constructed

Detailed analysis for supporting the assessments, e.g., Electricity support has various “backups” UPS = uninterruptible power supply = battery Diesel operated backup Fault tree analysis is one of the most commonly used risk analysis methods to analyse causes of undesired events

Main result of the analysis Expected loss of service ( “# of end users  Downtime”) Measure of interaction effects, i.e., an interdependency measure A framework for analysing effect of risk reducing measures, e.g.: Effect of backup generator Increased battery capacity Cost/benefit

Background – Case study 2 NOKAS (Norsk Kontantservice AS) was established 1st of July 2001 The business concept of NOKAS is to deliver reliable, effective and profitable solutions to banks for treatment, control and distribution of Norwegian and foreign cash In Stavanger NOKAS operates from three different locations up to May 2004 In order to improve security, NOKAS decides to move to new premises at Frøystad outside the centre of Stavanger The building application was approved in February 2003 Frøystad Barnehage (Kindergarten) achieve a neighbour notice, and the NOKAS- building emerges People are concern about vehicle traffic related to the premises, and the lack of parking places

Police officer shot to dead in brutal robbery It was the 53 year old police officer Arne Sigve Klungland that was shot and killed under an armed robbery of Norsk Kontantservice in the centre of Stavanger Monday morning 5th of april 2004

NOKAS relocation to Frøystad The focus at Frøystad is not traffic issues, or parking places any more: In one month a cash depot will start operating in the neighbourhood With the brutality demonstrated in the NOKAS robbery in the centre of Stavanger, there is a fair that something could happed to the children And especially in the Kindergarten located only eight meter from the NOKAS building

Neighbours Kinder-garten NOKAS

Next events … The Kindergarten and some of the neighbours organize themselves into a group which attempts to stop NOKAS from moving into their new premises The municipal demands NOKAS to consider Societal Security NOKAS moves into their new premises May 2004 A consultant company performs the risk consideration on behalf of NOKAS The cooperation with the neighbours fails, and thus there is no trust in the risk analysis report The report is also heavily criticised by Terje Aven

Why was the consultant report so bad? Terje Aven: The Scandpower report claims that there exist an objective risk which is hard to assess. From Avens point of view, risk does not exist objectively Also, the Scandpower report claims that the risk is acceptable, which is not a statement to be claimed by the consultant It is the decision maker, e.g., NOKAS, or the politicians in this situation that should make the value statement regarding which risk to accept

The municipal of Stavanger takes lead The situation has become an issue for the local press in Stavanger Dailey reportages: ”We are fearing a bloodshed” ”We are not fearing NOKAS as a neighbour” The municipal of Stavanger asks SINTEF to contribute The work is divided in two parts A set of dialogue meetings to enhance risk communication A quantitative assessment of the risk picture based on the qualitative findings from the dialogue meetings The SINTEF work will from the basis for a case to be presented for a political decision

Dialogue meetings – Risk communication Elements An initial mass meeting was arranged to inform about the process to come Group meetings to discuss the threats and risk reducing measures Neighbours with children in the Kindergarten Neighbours without children in the Kindergarten Employees in the Kindergarten Employees at NOKAS Representatives for the Stavanger police force The results from the group meeting was discussed in a new group, now with one representative from each group The result was continuously documented in a protocol available to all (after quality checks)

Some results from dialogue meeting The two step procedure worked according to it’s intention The discussion between the group representatives acted as an informal information channel where issues could be discussed in a relaxed environment. In fact this meeting was seen as a first promising step in a future dialogue. The perceived risk was an important issue for the neighbors and the employees in the kindergarten. These representatives argued in terms of that something will happen, the question is when it will happen The representatives from NOKAS and the police had sympathy to the neighbors whish to have more information related to the security issues A central dilemma is that some information cannot be communicated opened, e.g., information about security systems, and the arrangements made by the police force From the neighbors point of view lack of information, and lack of control leads to increased perceived risk. Increased trust is therefore an important factor in the future dialogue and problem solving process A relatively large number of risk reducing measures were proposed. These measures covered both the short- and the long time horizon.

Risk quantification Risk was calculated based on six identified scenarios The scenarios were primarily a result of the group discussions The scenarios were structured in order to facilitate quantification Background data and assumptions comprised historical events, input from NOKAS, the police force in Stavanger and Oslo, available reports, and SINTEF judgements

Scenarios Robbery of a money conveyance without intention to enter the cash depot Hijacking of a money conveyance with the purpose to enter the cash depot Use of explosives with the purpose to enter the cash depot Taking hostages in order to enter the cash depot Use of “insiders” to get access to the cash depot Robbery of a larger money conveyance

Scenario modell

Scenario modelling The most important risk scenario was: Robbery of a money conveyance without intention to enter the cash depot Main parameters to assess What is the likelihood of the scenario? Will the police force interfere if an attack occurs?  Number of bullets fired off Probability of hitting 3rd person Probability of escape route passes playing children In the analysis statements regarding these aspects are discussed and presented

Assessment of parameter values Different aspects applies when assessing parameters What type of statistical material exists? E.g., how many robberies take place every year, and how many NOKAS like facilities exist, and are they comparable? How relevant is the data? How to use the “similarity principle”, i.e. is Stavanger equal to Oslo? Will the police force keep away according to their statement: “Why interfere when we at the end of the day will capture the robbers, as we did last time”

Risk picture summary

Risk evaluation

The interpretation by the media Stvng Aftenbl. Frøystad Kindergarten is safe NRK: High risk of robbery

The political process The scope of SINTEFs work was not to interfere with the political processes that were running in Stavanger at the time of the study. However, the two SINTEF reports (Risk + Dialouge) should make a basis for the political discussions in Stavanger The statement of the case from the city manager to the politicians in the City of Stavanger contained two parts Part one was a general discussion about the risk involved, both the assessed risk by SINTEF, and the result from the risk communication that had taken part in the spring of 2005 Part two was an explicit proposal to vote about. This proposal reads

The politician voted for the following: The societal security related to third persons in the neighbourhood of the new NOKAS facilities is not worsened in such a way that moving the kindergarten nor the NOKAS facilities is necessary The city of Stavanger will actively contribute to reduce the perceived risk in the neighbourhood by allocating necessary resources for dialog and communication The city of Stavanger assumes that those measures NOKAS had suggested based on the SINTEF report will be implemented

Comments and discussion