Risk Management is the process applied to identify, assess and manage risk and to enable decision making that balances risk and cost. Risk Management improves your organization's ability to decide how best to employ given resources to reduce risk associated with threats and hazards. Risk Management consists of two core activities: Assessment and Planning.
Assessment involves the identification of assets based on criticality impacts, probable threats and hazards, and degrees of vulnerability to determine the overall risk posture of the asset. Essentially, it is a systematic, rational, and defendable process for identifying, quantifying, and prioritizing risks. The assessment includes physical, personnel, and cyber security as well as procedural reviews.
Planning is the process of determining options or courses of action to reduce the risk of loss to the asset, and thus reduce the impact on your organization. Planning includes recommended countermeasures, a cost-benefit analysis, and acknowledgement of risk to assets where appropriate, rather than dedicating resources to reduce the identified threat or hazard.
Threats (Human-caused intentional threats)
- Insider threat
- Active shooter/lone offender
- Foreign Intelligence Entities (FIE)
- Domestic terrorists
- Transnational terrorists
- Chemical, Biological, Radiological, Nuclear, and Explosives (CBRNE)
- Non-violent crime
- Violent crime
- Gang activity and narcotics
- Civil disturbance
Hazards (Natural, human-caused accidental, and technologically caused events)
- Construction accidents
- Loss of power, water, fuel or communications
- Aging assets and infrastructure
- Equipment failure caused by power surges or “dirty” power
- Software bugs that disrupt systems and networks