Threat, Vulnerability and Risk Assessment (TVRA) — bread and butter for the physical security professional. If thoughtfully and logically done, the TVRA should achieve its goal of thoughtful risk analysis and logical risk recommendations, aligned with your business and operational goals. However, having done or perused quite a few in my career, I must say I have not completed nor seen the perfect TVRA… yet. In this post, I am going to share some of my opinions and recommendations for consideration.
‘Cookie-Cutter’ Methodologies
FEMA 426, FEMA 452, GEBSS (Guidelines for Enhancing Building Security in Singapore) and countless other in-house solutions available online— just to rattle off a few TVRA methodologies that I have referred to or assessed during my course of work. Don’t get me wrong, these are great methodologies, but the problem is that there never seems to be a perfect fit.
What many risk assessments fail to comprehend is that the methodology needs to be customised, designed and aligned to the business or operational goals. You cannot force a square peg into a round hole, take for example, by using a TVRA methodology designed for a terrorist attack against a government building to conduct risk assessment for say, a supply chain and logistics company. Although the underlying principle of Risk = Threat X Vulnerability X Consequence is the same, the risk parameters are most definitely not.
Qualitative VS Quantitative
This might deserve an entire post on its own, given the number of hours I have spent pondering over it. In summary, the quantitative approach is usually let down by the lack of data, and I find the qualitative approach sometimes leads to more questions than answers as it is subjective (e.g. your Medium might be someone else’s Medium-Low).
As someone who is more comfortable with numbers, I am definitely biased towards the quantitative approach but ultimately, I believe that combining the two can benefit most risk assessments by establishing a common understanding. You will see how this is done later on.
Convince, Don’t Confuse
Some might be ‘convinced’ by TVRAs that are done very impressively, think long, thick and wordy reports with massive risk matrices and varying shades of red/yellow/green. Looking at the diagram above, there is nothing fundamentally wrong with it but:
- ‘Rubbish in, rubbish out’ — It might make little or no sense if the initial intent is not aligned to your business or operational goals.
- ‘Less is More’ — If you find yourself spending an unnecessary amount of time trying to fill in the required fields or explain your TVRA to your stakeholders, make it simpler.
So how do you contextualise and condense the parameters? I’ll also build on this more in the later sections.
The KISS Principle
KISS, an acronym for Keep It Simple, Stupid, is a design principle noted by the U.S. Navy in 1960. The KISS principle states that most systems work best if they are kept simple rather than made complicated. This applies to how I evaluate and score my risk parameters. Let me bring you through my thought process when developing the threat, vulnerability and consequence assessments whilst incorporating KISS alongside a combined qualitative-quantitative approach.
Threat Assessment
First and foremost, the threat scenarios have to be formed. This should be easily done via a thorough site survey and pairing up with relevant threats. Next, condense the threat criteria — I feel the more universally applicable ones are Access to Agent, Knowledge/Expertise and History of Threats. If you refer to the example in FEMA 452, you will notice that the other criteria score uniformly and do not really impact the rating.
Moving on to the threat ratings, these are based on a qualitative approach, ranging from Very Low to Very High. By reading the definitions, I think you can understand how the subjectivity can lead to a lot of confusion — how can you clearly distinguish the difference between possible and probable?
Therefore, I tried to make the threat assessment as concise (just Low, Medium and High) and quantitative as possible (by introducing conditions highlighted in bold). For example, ‘Access to Agent’ can be rated based on the following:
- High (Score of 3) — Readily available commercially off the shelf
- Medium (Score of 2) — Difficult to produce or acquire, such as controlled substances governed by laws on procurement and distribution
- Low (Score of 1) — Very difficult to produce or acquire, such as banned or illegal substances
This is similarly done for ‘History of Threats’, where the criteria is introduced in bold:
- High (Score of 3) — Occurred in the last 5 years
- Medium (Score of 2) — Occurred in the last 5 to 10 years
- Low (Score of 1) — Did not occur in the past 10 years
You might argue that this might not hold in bigger countries than Singapore, which I agree — that is why earlier I mentioned there is really no right or wrong for TVRA, as long as it is justifiably contextualised and easily understood. Lastly, another quick tip is to only keep the top 3–5 threat scenarios and discard the rest, which should be of low risk.
Vulnerability Assessment
A similar approach is used for my vulnerability assessment, with 3 universally applicable criteria for the average building being ‘Major Weaknesses Identified’ / ‘Redundancy’ / ‘Recovery of Building Function’, and rated as such
- High (Score of 3) — More than 1 weakness identified / No redundancy / At least 1 month or more
- Medium (Score of 2) — 1 weakness identified / N+X model / At least 1 week or more
- Low (Score of 1) — No weaknesses identified / 2N model / Less than 1 week
Again, only relevant criteria is selected and rated based on clearly defined and somewhat quantitative conditions. Information required should also be already available as part of the initial site survey.
Consequence Assessment
This is the most important parameter in terms of aligning to the business or operational goals. What I like to do here is to reference this to the Enterprise Risk Matrix, something most companies should possess, that reflects their goals and objectives accurately. For example, a reputable landlord leasing space for industrial operations could be concerned with ‘Media Coverage’, ‘Inconvenience to Tenant Operations’ and ‘Injury to Tenants’. In comparison, a bank might look at something different, such as ‘Return to Office for Employees’ (banks need tellers and staff in their banks to generate revenue) or ‘Recovery Time for Critical Functions’ (e.g. trading and treasury operations).
Closing Words: Risk or Rubbish?
There are many ways to skin a cat, likewise for risk assessment. This post mainly summarises my thought process on conducting a TVRA by customising and aligning to the business and operational goals, combined with a concise qualitative-quantitative approach. My preference is to select 3 criteria and 3 distinctive ratings for each assessment, so as to make your findings be easily understood and less disputable by stakeholders, therefore making your job much easier as a security professional.
In one of my future posts, perhaps I shall delve deeper into the area of risk assessment in terms of adding or multiplying risk scores. Till then!
