To understand risk management, you need to know the four core principles: (1) risk acceptance is a willingness to accept a loss; (2) risk reduction is the practice of reducing the exposure of an asset; (3) risk transfer means transferring risk by purchasing insurance to cover or partially cover a loss; and (4) risk avoidance is the practice of placing an asset outside the effective reach of the threat element.
The risk management formula considers the following:
- Threat (T) to an asset
- Multiplied by the vulnerability (V) of the asset
- Multiplied by the consequence (C) of an attack on that asset

As a result, the risk management formula is R = T × V × C. As we develop our countermeasures to ensure expected risk mitigation results, we continuously assess risk to identify new threats, vulnerabilities, or other changes that could increase the risk level beyond an acceptable threshold. Threats can have moderate, significant, catastrophic, or severe consequences and can be divided into two major categories: natural and human.
Examples of natural threats are mainly weather-related, such as floods, tornadoes, hurricanes, snowstorms, wildfires, and earthquakes. Human threats can be separated into accidental and intentional. An accidental threat could be a hazardous material spill or power failure. Intentional threats are primarily criminal in nature and can range in severity from theft and diversion to more serious active shooter incidents or acts of terrorism. Our risk management is designed to identify these threats, determine their probability, look at the possible consequences of these events, and create processes to manage this risk.