Reworking the Taxonomy for Richer Risk Assessments

By accommodating the unique requirements and conditions at different sites, security pros can dig deeper and get a clearer sense of organizational risk.

For many years, I have been performing risk assessments of multiple large facilities. These risk assessments have ranged from major power plants to large substations to oil/gas pipelines to oil sands facilities to multistory office buildings. One thing I began to realize over the years is that each risk assessment had its own nuances; however, the approach I took was generally the same.


The assessments are generally conducted following three phases: pre-assessment/planning, on-site risk assessment, and reporting.


Admittedly, this looks rather simple. There are multiple elements in each of these blocks or phases, but generally the approach is the same.


Pre-Assessment/Planning


With pre-assessment and planning, you need to think about the desired outcome (i.e., identify the risks to the facility) and identify the necessary actions to mitigate or eliminate the risks and associated vulnerabilities.
The flow chart above is a detailed view of this phase and includes collecting and digesting documents, identifying the team members and the necessary skill sets, and getting ready for travel. Of course, contacting the "customer" and setting up the necessary on-site logistics are important.

On-site Activities

Now comes the fun part: Getting on-site and looking for threats and vulnerabilities.
Don't forget these threats and vulnerabilities can be cyber or physical. They can also be part of the site management and culture. What about training or lack thereof? They can all contribute to the risk profile of the facility.
The graphic above offers some elements of the on-site activities. Y ..
