Risk assessments and future challenges

The FBI Law Enforcement Bulletin, July 2005, by W. Dean Lee

By recognizing existing and emerging threats, law enforcement agencies can improve their risk assessment and management programs. Too often, for example, security risk assessments focus mostly on identifying flaws in physical security (e.g., perimeter barriers and screening visitors) without fully recognizing the impact of other security challenges (e.g., internal people problems and cyberthreats). Applying a systematic approach of fact finding and balancing costs and benefits should lead to better security and operational decision making.

[ILLUSTRATION OMITTED]

The analytical risk management (ARM) process is a systematic and interactive approach for identifying and evaluating assets, potential threats, and existing vulnerabilities, along with calculating risks and determining requisite countermeasures. (1) Departments can view the ARM process as three interacting spheres of assets, threats, and vulnerabilities. Where these three areas merge, or overlap, are the calculated risks. Once a department's risk managers determine the risks, then they can select appropriate countermeasure options to mitigate them. Most important, ARM can service both security and operational assessments.

The ARM process expresses risk, defined as the potential destruction, disruption, or denial of essential assets, in the formula Risk = Impact of Loss of Asset × Threat × Vulnerability, or R = I × T × V. In other words, a risk assessment (R) determines the possibility of an adversary's (T) successful exploitation of an identified vulnerability (V) and the resulting degree of damage or impact (I) on the asset. Basically, risk management constitutes the continuing process of selecting and applying explicit countermeasures to achieve optimum results while balancing acceptable risks and costs. By developing a full-spectrum risk assessment and management program, a department can discover its security and operational strengths and weaknesses. In addition, it can determine how best to maximize asset usage.

[ILLUSTRATION OMITTED]

ASSETS

For the ARM process, assets comprise resources of essential value that a department must protect to effectively fulfill its essential public safety and law enforcement responsibilities, a definition that differs from that traditionally used in law enforcement and intelligence circles. Assets include people, information, operations, equipment, facilities, and social-psychological resources (PIOEFS).

Assessing assets involves three sequential actions. First, a department's risk managers identify all important local organizational and operational PIOEFS resources requiring protection. Second, they write a brief statement for each describing the worst undesirable event should some adverse situation affect that asset. For example, within the people category, a department should include law enforcement officers as a critical asset, and an applicable undesirable event would be criminals or terrorists attacking with improvised explosive devices that could result in the loss or injury of the officers.

Third, the risk managers assign a linguistic rating (value/criticality) to each asset based on the impact of loss or damage. This means that risk managers first assess an asset according to one of the four defined criticality ratings of critical, high, medium, and low and then further refine the resource into three values of low, medium, or high.

* Critical: grave effects leading to loss of life, serious injury, or mission failure.

* High: serious effects resulting in loss of highly sensitive resources that would impair operations affecting public safety and community interests for an extended period of time.

* Medium: moderate effects resulting in loss of sensitive resources that could impair operations affecting public safety and community interests for a limited period of time.

* Low: little or no effects impacting human life or the continuation of operations affecting public safety and community interests.

In the example of officers as a critical asset, the department might assign an impact rating of low/critical, meaning that it deemed the resource as overall critical but at the lower end of that category. Finally, the risk managers convert the linguistic ratings into numeric impact values. The numeric value will be impact (I) in the equation I × T × V = R. Chart 1 and Table A illustrate this process.
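The rating-to-number conversion and the R = I × T × V calculation can be sketched as a small risk register. This is an added example, not part of the original article: Chart 1 and Table A are not reproduced here, so the evenly spaced 12-step impact scale is an assumption, and the threat and vulnerability values and the second and third register entries are constructed.

```python
from dataclasses import dataclass

# Assumed ordering only: the article names these bands and sub-levels, but its
# Chart 1 / Table A numeric values are not reproduced here.
BANDS = ["low", "medium", "high", "critical"]
LEVELS = ["low", "medium", "high"]


def impact_value(rating: str) -> float:
    """Convert a 'level/band' rating such as 'low/critical' to a value in (0, 1]."""
    level, band = (part.strip().lower() for part in rating.split("/"))
    if band not in BANDS or level not in LEVELS:
        raise ValueError(f"unknown rating: {rating!r}")
    step = BANDS.index(band) * len(LEVELS) + LEVELS.index(level) + 1  # 1..12
    return step / (len(BANDS) * len(LEVELS))


@dataclass
class Entry:
    asset: str
    event: str      # worst undesirable event for the asset
    impact: str     # linguistic rating, "level/band"
    threat: float   # T in [0, 1], constructed
    vuln: float     # V in [0, 1], constructed

    @property
    def risk(self) -> float:
        # R = I x T x V
        return impact_value(self.impact) * self.threat * self.vuln


def rank(entries):
    """Highest calculated risk first."""
    return sorted(entries, key=lambda e: e.risk, reverse=True)


# Constructed register; only the first asset/event pair comes from the article.
REGISTER = [
    Entry("Officers", "IED attack causing loss or injury", "low/critical", 0.3, 0.5),
    Entry("Case records", "data altered or deleted by an intruder", "high/high", 0.6, 0.7),
    Entry("Front lobby", "vandalism", "medium/low", 0.8, 0.9),
]

if __name__ == "__main__":
    for e in rank(REGISTER):
        print(f"{e.risk:.3f}  {e.asset}: {e.event} (I={impact_value(e.impact):.2f})")
```

With these constructed values the case records outrank the officers even though the officers carry the higher impact rating, because the product also weighs threat and vulnerability.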

THREATS

Threats are general situations with the potential to cause loss or harm to essential assets, whereas adversaries constitute specific hostile individuals or groups with the intentions, capabilities, and histories to conduct detrimental activities against law enforcement agencies and public safety. Conventional external threats involve individuals, domestic groups, and sometimes foreign entities. Individual dangers include street criminals of varying sophistication; computer hackers intent on penetrating, stealing, altering, controlling, or deleting law enforcement data; insiders, such as corrupt officers, supervisors, and administrators; and people with personal, emotional, or psychiatric crises. Group threats can involve regional and international organized crime figures; left-wing, right-wing, and special interest extremists; and foreign, domestic, and transnational terrorists. Foreign perils can comprise foreign intelligence services masquerading as business persons, visiting delegations, false-front companies, travelers, journalists, scientists, students, and diplomats; state-sponsored entities attempting to influence the American public through the media and select organizations and to acquire U.S. research and development technology; and foreign economic menaces endeavoring to control U.S. industrial, banking, and commercial interests.

 

Content provided in partnership with Thompson Gale