Published by Albert Chambers. Modified over 6 years ago.
1
Terrorism Risk Assessment and Management (TRAM) Methodology Overview Briefing
June 6, 2008
2
Introduction to Hazard Risk Management
Objectives of Hazard Risk Management:
- Develop and implement structured, risk-based analysis practices to enable emergency planning
- Support investment decision making
- Establish processes and metrics for continuous risk monitoring

Three distinct components to Risk Management:
- Continuous Risk Assessment - Current Risk
- Historical Risk Monitoring - Looking Back
- Risk Mitigation - Looking Forward

Current methodology established for terrorism risk. However, structure is general in approach, in order to facilitate assessment and comparison of other risk types.
3
History of PANYNJ / DHS Collaboration
- Methodology originally developed, applied, and validated by DHS in conjunction with the Port Authority of New York and New Jersey
- PANYNJ sought technical assistance from DHS to develop risk management capabilities for critical infrastructure protection
- DHS sought to allow the use of risk-based needs assessment as an effective means of making defensible homeland security investments
- DHS/PANYNJ/SAIC developed and continue to refine a "best-practice" model for conducting risk/needs assessment
- Serves as a model for other agencies across the nation
4
Continuous Risk Assessment
Risk Analysis Continuous Risk Assessment
5
Risk Assessment Goals:
- Produce a relative measurement of the risk of different hazard scenarios occurring at jurisdictional assets
- Use common risk metrics across business areas, asset types, and hazard types
- Employ data that is collectible in a real-world environment with reasonable effort
- Methods must be discrete enough to enable evaluation of the effectiveness of specific security, response, and recovery capabilities
6
Overview of the Risk Assessment Process
7
Criticality Assessment
Criticality describes the overall importance of an asset to the organization, to the region, and to the nation.

Critical Asset Factors describe the broad mission(s), both internal and external:
- Casualty Impact
- Economic Impact
- Agency Business Continuity
- Emergency Response Functions
- National Strategic Importance
- Replacement Cost
- Environmental Impact

Contribution of Asset specifies the extent to which each asset contributes to the accomplishment of the mission(s) of the jurisdiction.

Diagram: Critical Asset Factors and Contribution of Asset feed into Criticality.
8
Example Criticality Results
9
Threat Assessment
10
Threat Assessment

Risk assessment is scenario-based. It evaluates the likelihood and consequence of specific scenarios (attack type and target asset).

- Threat describes the likelihood of a specific type of event occurring or being directed at a specific asset.
- Capability captures the general likelihood (not specific to an asset) that a terrorist organization would execute a given attack based on the complexity of obtaining a weapon and executing the attack.
- Intent describes the likelihood that a terrorist organization would execute a given attack against a specific asset based on the asset's target attractiveness and level of deterrence.

Diagram: Intent and Capability feed into Threat.
11
Capability

Attack Likelihood (capability) answers the question: "What is the relative likelihood that a terrorist organization would execute a given attack in the jurisdiction based on the complexity of obtaining the weapon and executing the attack?"

Attack Type                     Attack Likelihood
Small Conventional Explosive    10
Large Conventional Explosive    6
Chemical Agent                  2
Radiological Weapon             1
Biological Agent                0.5
Improvised Nuclear / Nuclear    -
12
Target Attractiveness (Intent)
Figure: Deterrence Factors and Target Value Factors.
13
Example Threat Results
14
Scenario Discussion/Development
Goal is to select a complete set of scenarios that are important and plausible:
- High Scenario Likelihood
- High perceived Vulnerability
- High Criticality
- Specific threats to asset
- History of attacks on assets of similar type or function
- What are the attack scenarios that keep you up at night?

Scenarios are not overly detailed: they describe an asset and an attack type, and are intended to encompass all potential vulnerabilities at an asset.
15
Vulnerability Assessment
16
Vulnerability Assessment
Likelihood of Successful Attack (LSA) measures an asset's vulnerability to attack, based on existing and proposed physical security. It is determined through an analysis based on onsite assessments of the asset using a standardized security capability survey. The survey includes general countermeasure types (e.g., fencing, barriers, etc.) and effectiveness classes.

Security Survey - Security Countermeasures & Classes:
- Fencing/Gates
- Barriers
- CCTV
- IDS
- Patrols/Guards
- Vehicle Screening
- Personnel Screening
- CBRNE Detection
- Access Control
- Public Notification

LSA Guidelines:
- Likelihood of Access Denial
- Likelihood of Detection
- Likelihood of Interdiction

Diagram labels: Security Survey; LSA Guidelines; Attack Type; Vulnerability (LSA).
17
Evaluation of Security Countermeasures
Example Likelihood Reduction Ratings: L1 = 0.8, L1 = 0.6, L1 = 0.4, L1 = 0.1
18
Decision Tree Analysis
Decision tree for 100 Attacks:
- Question 1, L1 (access denied) = 0.2: Access Denied 20, Access Gained 80
- Question 2, L2 (attack detected) = 0.7: Attacks Detected 56, Attacks Not Detected 24
- Question 3, L3 (attack interdicted) = 0.05: Attacks Interdicted 3, Attacks Not Stopped 53

Failure (Attack Fails): 23
Success (Attack Successful): 77
LSA: 77%
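The decision tree on slide 18, worked through as an added Python example (not part of the original briefing). It reproduces the 100-attack breakdown from L1, L2 and L3, then recomputes LSA for the example L1 ratings on slide 17 under the assumption that L2 and L3 stay at the slide-18 values; the names `Countermeasures`, `decision_tree`, `lsa` and `lsa_by_l1` are illustrative.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Countermeasures:
    """Likelihood ratings from the security survey, each in [0, 1]."""
    l1_access_denied: float   # Question 1
    l2_detected: float        # Question 2
    l3_interdicted: float     # Question 3

    def __post_init__(self):
        for name, p in vars(self).items():
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"{name} must be a probability, got {p}")


def decision_tree(cm, attacks=100.0):
    """Walk the three questions and return the count at every branch."""
    denied = attacks * cm.l1_access_denied
    gained = attacks - denied
    detected = gained * cm.l2_detected
    not_detected = gained - detected
    interdicted = detected * cm.l3_interdicted
    not_stopped = detected - interdicted
    return {
        "access_denied": denied, "access_gained": gained,
        "detected": detected, "not_detected": not_detected,
        "interdicted": interdicted, "not_stopped": not_stopped,
        "failed": denied + interdicted,
        "successful": not_detected + not_stopped,
    }


def lsa(cm):
    """Likelihood of Successful Attack, i.e. (1 - L1) * (1 - L2 * L3)."""
    return decision_tree(cm, attacks=1.0)["successful"]


def lsa_by_l1(l1_ratings, l2, l3):
    """LSA per candidate L1 rating, with L2 and L3 held fixed (assumption)."""
    return {l1: round(lsa(Countermeasures(l1, l2, l3)), 4) for l1 in l1_ratings}


if __name__ == "__main__":
    slide = Countermeasures(0.2, 0.7, 0.05)   # values from slide 18
    for branch, n in decision_tree(slide).items():
        print(f"{branch:14s} {n:6.1f}")
    print(f"LSA = {lsa(slide):.0%}")
    print(lsa_by_l1([0.8, 0.6, 0.4, 0.1], l2=0.7, l3=0.05))
```

The slide rounds each branch to whole attacks (2.8 interdicted is shown as 3, 77.2 successful as 77), which is why its counts are integers.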
19
Example Vulnerability Results
20
Response & Recovery Capabilities Assessment
21
Response & Recovery Capabilities Assessment
The Response Assessment provides the jurisdiction and local emergency response agencies a "self-assessment" tool to identify capabilities, gaps and shortfalls, to include:
- Staffing & Personnel
- Training
- Equipment & Systems
- Planning
- Exercise, Evaluation & Corrective Actions
- Organization & Leadership

The Recovery Assessment reviews agency functions and capabilities, in an effort to manage recovery elements and business continuity following a terrorist attack, to include:
- Plans & Procedures
- Alternate Facilities
- Operational Capacity
- Communications
- Vital Records & Databases
- Tests, Training and Exercises
22
Example RRCA Ratings
23
Impact Assessment
24
Vulnerability to Failure
Impact Assessment

The Impact assessment leads to the calculation of Consequence for a particular scenario, based upon the initial asset Criticality rating. While the Criticality rating represents the asset's total contribution to the jurisdiction's mission, the Impact rating represents that portion of the asset's criticality that is lost as a result of a successful terrorist attack.

Diagram labels: Response & Recovery Capabilities; Vulnerability to Failure; Structural Failure; Casualties, Downtime, Etc.; Asset Criticality; Consequence.
25
Example Impact Calculations
26
Risk Assessment
27
Overview of the Risk Assessment Process
- Threat: Likelihood of an Event Occurring
- Vulnerability: Likelihood that Event would Impact Asset
- Likelihood: Likelihood of Event Occurring and Impacting the Asset
- Criticality: Importance of Asset Overall
- Impact: Fraction of Asset Criticality Lost
- Consequence: Portion of Criticality Eliminated as a Result of the Event
- Relative Risk
28
Risk Diagram Risk Communication Tool
Risk Communication Tool:
- Identifies relative risks to jurisdiction
- Helps prioritize risk management activities

Figure: Relative Risk Diagram (axes: Likelihood, Consequence). Assets shown: Downtown Bus Terminal, Heart Bridge, Memorial Tunnel, Headquarters Building. Legend: Large Conventional Explosive, Small Conventional Explosive, Radiological, Biological.
29
Cost-Benefit Analysis
Risk Monitoring
30
Benefit Analysis

Diagram labels: Deterrence; Improvements to Operational Security; Improvements to Site Hardening or Response and Recovery; Threat; Modified Vulnerability; Likelihood; Criticality; Modified Impact; Consequence; Risk Reduction.
31
Security improvements at an asset
Figure: Relative Risk Diagram (axes: Likelihood, Consequence) showing Risk Reduction from security improvements at an asset. Assets shown: Downtown Bus Terminal, Heart Bridge, Memorial Tunnel, Headquarters Building. Legend: Large Conventional Explosive, Small Conventional Explosive, Radiological, Biological.
32
Hardening improvements at an asset
Figure: Relative Risk Diagram (axes: Likelihood, Consequence) showing Risk Reduction from hardening improvements at an asset. Assets shown: Downtown Bus Terminal, Heart Bridge, Memorial Tunnel, Headquarters Building. Legend: Large Conventional Explosive, Small Conventional Explosive, Radiological, Biological.
33
Response/Recovery improvements at an asset
Figure: Relative Risk Diagram (axes: Likelihood, Consequence) showing Risk Reduction from Response/Recovery improvements at an asset. Assets shown: Downtown Bus Terminal, Heart Bridge, Memorial Tunnel, Headquarters Building. Legend: Large Conventional Explosive, Small Conventional Explosive, Radiological, Biological.
34
Historical Risk Reduction Performance
Figure: Relative Risk Diagram (axes: Likelihood, Consequence) with Baseline Risk marked. Assets shown: Downtown Bus Terminal, Heart Bridge, Memorial Tunnel, Headquarters Building.
35
Tracking of Project Specific Results
Figure: Relative Risk Diagram (axes: Likelihood, Consequence) with Baseline Risk marked. Projects shown: IDS at tunnel entrances; Hardening of Tunnels. Assets shown: Downtown Bus Terminal, Heart Bridge, Memorial Tunnel, Headquarters Building.
36
Risk Tracking Risk Mitigation
37
Risk Mitigation

Risk Mitigation is a process of identifying and evaluating potential projects to reduce the Risk profile of the agency. It is primarily a cost-benefit analysis effort, comparing the risk reduction benefit of potential projects with the estimated costs. The goal is to select a set of projects that result in the maximum possible risk reduction for the amount invested: the greatest Return on Investment (ROI).

Risk Mitigation is an on-going iterative process:
- Initial projects identified through high-level analysis effort
  - Generalized project descriptions
  - ROM Costs
- Candidate projects are refined and more accurate estimates developed
- Cost-benefit analysis updated and continually reevaluated as project descriptions mature
38
Cost Analysis

Produce comparable cost estimates for proposed solutions:
- Initial estimates are relative "national-average" rough costs to enable comparison
  - Not actual jurisdictional costs
  - Next step should always be to produce "real" cost estimates
- Lifecycle costs
  - Capture true long-term cost of implementation and operation
  - Allow comparison of infrastructure projects versus manpower projects
39
Return on Investment

- Comparison of cost versus benefit for proposed solution sets
- Identifies projects that result in maximum benefit for different levels of investment at a specific asset
- Identifies marginal Return on Investment (ROI) for each set

Figure: ROI chart of option sets.
Options: 1 - Class 3 Law Enforcement; 2 - Class 1 IDS; 3 - Cable Hardening; 4 - Class 3 CCTV.
Option sets plotted: 1, 2, 3, 4, 1/2, 1/3, 1/4, 2/3, 2/4, 3/4, 1/2/3, 1/2/4, 1/3/4, 2/3/4, 1/2/3/4.
Figure annotations:
- Marginal Risk Reduction: 0.1, 1.0, 2.8, 2.3, 1.3
- Marginal Cost: $1.3M, $3.1M, $5.1M, $550K
- Cost Per Unit of Risk Reduction: $200K, $42M, $3.1M, $565K, $1.0M
40
All-Hazards Risk Management
Risk methodology is extendible to other (non-terrorism) hazards.

Applicable to a wide range of hazard types:
- Allows comparison of relative risk across all hazards
- Allows for the assessment of total risk reduction benefits for proposed solutions

Human-Initiated Hazards: Theft, Sabotage, Vandalism, Etc.
Failure Hazards: Structural Failure, Equipment Failure, Operational Failure
Natural Hazards: Hurricane, Earthquake, Blizzard
41
Backup
42
Target Attractiveness
Diagram labels: Intent; Attack Elasticity (AE); Scenario Likelihood (SL); Target Value (TV); Deterrence (D); Target Attractiveness (TA).
43
Target Attractiveness
Attack Elasticity

The Attack Elasticity specifies the relative likelihood that different attack types might be used against particular assets/targets based on intent.

Figure: Target Attractiveness by attack type (SCE, LCE, Chemical, Bio, Rad).