Vulnerability Assessments are intended to be instruments that identify real risks with some type of reliable, objective process leading to the targeted dedication of resources toward the protection of critical assets. More specifically, these are assets, which if degraded or destroyed would effectively halt operations for an extended period of time – or worse yet – altogether.
There is one large problem. There are so many versions of these types of assessments that it can become overwhelming and confusing to the consumer. Let’s take a look at what is out there.
Traditional Risk Vulnerability Assessment
Historically, Risk Vulnerability Assessments have tended to examine only structural elements, such as buildings, facilities and infrastructure. Engineering analyses of the built environment would effectively determine the following:
• The vulnerability of structures based on the building type.
• The construction materials.
• The foundation type and elevation.
• The location within a Special Flood Hazard Area (SFHA).
• The wind load capacity, and other factors.
Today, Risk Vulnerability Assessments are performed for a variety of people, property, and resources. The following are typical components, or styles you might find in a Risk Vulnerability Assessment.
Critical Facilities Analyses
Critical facilities analyses focus on determining the vulnerabilities of key individual facilities, lifelines, or resources within the community. Because these facilities play a central role in disaster response and recovery, it is important to protect them to ensure that service interruption is reduced or eliminated. Critical facilities include police, fire, and rescue departments; emergency operation centers; transportation routes; utilities; essential governmental facilities; schools; hospitals; etc. In addition to identifying which critical facilities are generally vulnerable to hazards due to direct location in or close proximity to high-risk areas (e.g., 100-year flood plain), further assessments might be conducted to determine the structural and operational vulnerabilities.
Built Environment Analyses
Built environment analyses focus on determining the vulnerabilities of noncritical structures and facilities. The built environment includes a variety of structures such as businesses, single- and multi-family homes, and other man-made facilities. The built environment is susceptible to damage and/or destruction of the structures themselves, as well as damage or loss of contents (i.e., personal possessions and inventory of goods). When structures become inhabitable and people are forced to relocate from their homes and businesses, further social, emotional, and financial vulnerabilities can result. As such, assessments can indicate where to concentrate outreach to homeowners and collaboration with businesses to incorporate hazard mitigation measures.
Societal analyses focus on determining the vulnerability of people of different ages, income levels, ethnicity, capabilities, and experiences to a hazard or group of hazards. Vulnerable populations are typically those who are minorities, below poverty level, over age 65, single parents with children, age 25 years and older without a high school diploma, households that require public assistance, renters, and housing units without vehicles, to name a few. The term “special consideration areas” indicate areas where populations reside whose personal resources or characteristics are such that their ability to deal with hazards is limited. For example, these areas generally contain higher concentrations of low-to-moderate-income households that would be most likely to require public assistance and services to recover from disaster impacts. Structures in these areas are more likely to be uninsured or under-insured for hazard damages, and persons may have limited financial resources for pursuing individual hazard mitigation options. These are also areas where other considerations such as mobility, literacy, or language can significantly impact disaster recovery efforts. These areas could be most dependent on public resources after a disaster and thus could be good investment areas for hazard mitigation activities.
Environmental analyses focus on determining the vulnerability of natural resources (e.g., include bodies of waters, prairies, slopes of hills, endangered or threatened species and their critical habitats, wetlands, and estuaries) to natural hazards and other hazards that result from the impact of natural hazards, such as oil spills or the release of pesticides, hazardous materials, or sewage into areas of environmental concern. Environmental impacts are important to consider, because they not only jeopardize habitats and species, but they can also threaten public health (e.g., water quality), the performance of economic sectors (e.g., agriculture, energy, fishing, transportation, and tourism), and quality of life (e.g., access to natural landscapes and recreational activities). For example, flooding can result in contamination whereby raw sewage, animal carcasses, chemicals, pesticides, hazardous materials, etc. are transported through sensitive habitats, neighborhoods, and businesses. These circumstances can result in major cleanup and remediation activities, as well as natural resource degradation and bacterial illnesses.
Economic analyses focus on determining the vulnerability of major economic sectors and the largest employers within a community. Economic sectors can include agriculture, mining, construction, manufacturing, transportation, wholesale, retail, service, finance, insurance, and real estate industries. Economic centers are areas where hazard impacts could have large, adverse effects on the local economy and would therefore be ideal locations for targeting certain hazard mitigation strategies.
Assessments of the largest employers can help indicate how many people and what types of industries could be impacted by adverse impacts from natural hazards. Some of the most devastating disaster costs to a community include the loss of income associated with business interruptions and the loss of jobs associated with business closures.
The primary problem with the traditional Risk Vulnerability Assessments approach of evaluating “everything” is the time and cost factors. This type of assessment, albeit thorough, it very time consuming and expensive.
“Risk Assessment” is the determination of quantitative and/or qualitative value of risk related to a concrete situation and a recognized, perceived or potential threat. This term today is most often associated with risk management.
Example: The Environmental Protection Agency uses risk assessment to characterize the nature and magnitude of health risks to humans (e.g., residents, workers, and recreational visitors) and ecological receptors (e.g., birds, fish, wildlife) from chemical contaminants and other stresses that may be present in the environment. Risk managers use this information to help them decide how to protect humans and the environment from stresses or contaminants.
“Risk Management” is a structured approach to managing uncertainty related to a threat, a sequence of human activities including: risk assessment, strategies development to manage it, and mitigation of risk using managerial resources. The strategies include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk. Some traditional risk managements are focused on risks stemming from physical or legal causes (e.g. natural disasters or fires, accidents, ergonomics, death and lawsuits). Financial risk management, on the other hand, focuses on risks that can be managed using traded financial instruments. The objective of risk management is to reduce different risks related to a preselected domain to the level accepted by society. It may refer to numerous types of threats caused by environment, technology, humans, organizations and politics. On the other hand it involves all means available for humans, or in particular, for a risk management entity (person, staff, and organization).
(ASIS) is the largest organization for security professionals, with more than 36,000 members worldwide. Founded in 1955, ASIS is dedicated to increasing the effectiveness and productivity of security professionals by developing educational programs and materials that address broad security interests. The ASIS International Guidelines Commission recommended approach and framework for conducting General Security Risk Assessments:
1. Understand the organization and identify the people and assets at risk. Assets include people, all types of property, core business, networks, and information. People include employees, tenants, guests, vendors, visitors, and others directly or indirectly connected or involved with an enterprise. Property includes tangible assets such as cash and other valuables and intangible assets such as intellectual property and causes of action. Core business includes the primary business or endeavor of an enterprise, including its reputation and goodwill. Networks include all systems, infrastructures, and equipment associated with data, telecommunications, and computer processing assets. Information includes various types of proprietary data.
2. Specify loss risk events/vulnerabilities. Risks or threats are those incidents likely to occur at a site, either due to a history of such events or circumstances in the local environment. They also can be based on the intrinsic value of assets housed or present at a facility or event. A loss risk event can be determined through a vulnerability analysis. The vulnerability analysis should take into consideration anything that could be taken advantage of to carry out a threat. This process should highlight points of weakness and assist in the construction of a framework for subsequent analysis and countermeasures.
3. Establish the probability of loss risk and frequency of events. Frequency of events relates to the regularity of the loss event. For example, if the threat is the assault of patrons at a shopping mall, the frequency would be the number of times the event occurs each day that the mall is open. Probability of loss risk is a concept based upon considerations of such issues as prior incidents, trends, warnings, or threats, and such events occurring at the enterprise.
4. Determine the impact of the events. The financial, psychological, and related costs associated with the loss of tangible or intangible assets of an organization.
5. Develop options to mitigate risks. Identify options available to prevent or mitigate losses through physical, procedural, logical, or related security processes.
6. Study the feasibility of implementation of options. Practicality of implementing the options without substantially interfering with the operation or profitability of the enterprise.
7. Perform a cost/benefit analysis.
Do You Need A Vulnerability Assessment?
There are approximately 30,000 incorporated cities in the United State