GUIDANCE
Security Risk Management Guide (Added 02/2000)

1. Security Risk Management (SRM)

SRM is a logical process that may be used to assess and quantify risk, and provide management with cost-effective solutions to security risk reduction using available resources. SRM starts at program inception and is applied throughout the life cycle. It is designed to:

  • identify and quantify assets to be safeguarded;
  • measure the criticality of each asset by determining the impact of loss of each asset;
  • address the threat taxonomy that applies;
  • identify and quantify the vulnerabilities associated with each asset when matched with each identified threat; and
  • analyze the costs and benefits associated with risk mitigation.

1.1. When referring to SRM, it is necessary to define clearly what type of risk is being addressed and managed. Leaving the word "security" out of the term "risk management" restricts the venue almost exclusively to "speculative" and "program" risk.

1.1.a. Program risk: In any program development scenario there will be a reference somewhere to a risk assessment. The concern is with the factors that determine whether or not the program will achieve its intended goal within budget, on schedule, and within specification. This is certainly a form of risk management, but it is not "pure risk".

1.1.b. Speculative risk: Finds its venue most often on the stock market and at the racetrack.

1.1.c. Pure risk: Pure Risk is defined as "the probability that if a threat occurs it will be successful in causing a loss event." The concept of loss event is defined as "physical loss of, or damage to an asset."

2. SRM TEAM.

The SRM team is composed of program managers, facility managers, Integrated Product Team (IPT) leaders, SRM security representatives, and others working with programs, projects, operations, systems, or facilities.

STEP 1

3. ASSET IDENTIFICATION.

3.1. Identification of the assets to be safeguarded is a fundamental requirement of the SRM process. The term asset is defined as any person, place, thing, or commodity, for which there is a safeguarding requirement.

3.2. Each asset must be identified and quantified in dollars as to its value.

3.3. Until all assets have been identified and quantified the program, project, operation, system, or facility design cannot be properly assessed.

3.4. The SRM team determines the specific assets that need to be considered when evaluating risk, and the priority in which those assets should be addressed.

STEP 2

4. DETERMINATION OF THE ASSET CRITICALITY.

Criticality is defined and quantified in terms of Impact of Loss. Impact of Loss is measured in terms of four specific quantifiable areas. The result is expressed in dollars. Each asset that needs to be safeguarded is evaluated in terms of its impact of loss (value in dollars): its initial costs, temporary replacement cost, permanent replacement costs, and the remaining related costs, to include the impact in dollars that would result from loss or damage of the asset.

4.1. Human life (employees, contractors, the flying public) is always assigned the highest criticality rating of "1". In order to maintain the quantifiable continuity of the process, human life is assigned a dollar value of $2.7 million.

4.2. Specific cost factors are used in determining asset criticality:

4.3. The "Impact of Loss" formula for a single loss event impacting on an asset is expressed as follows:

 

K = (Ci + Ct + Cp + Cr)

where:

K = criticality or total cost of loss.
Ci = total initial asset cost.
Ct = cost of temporary substitute.
Cp = cost of permanent replacement.
Cr = total related costs.

4.4. The individual weighting factors that determine the impact of loss of an asset as shown above are further expanded using the criteria listed below.

Ci: Initial cost of the asset, to include site selection and engineering, procurement, installation, and testing, training, freight, etc.

Ct: Cost of a temporary substitute. The cost of the temporary substitute is properly attributable to the loss event that requires the replacement. Costs include:

a. Lease or rental costs.
b. Cost of labor.
c. Testing.
d. Activation.

Cp: Cost of a permanent replacement of the asset. To permanently replace an asset will cost as much as necessary to put the new asset in the place of the lost asset. Costs include:

a. Purchase price or manufacturing cost.
b. Freight and shipping charges.
c. Site preparation costs.
d. Actual installation.
e. Testing.
f. Activation.

Cr: Total related costs. If other personnel or systems are under-utilized as a result of the loss, the cost of waiting or downtime is attributable to the loss event. Costs associated with delays and rerouting in the NAS which result from a catastrophic outage of an Air Route Traffic Control Center are examples of related costs. If moneys were to be diverted from other projects to meet the emergency needs created by a security loss event, these moneys would be an example of lost income costs. Related costs also include lost revenue costs and the impact, in terms of dollars, that the asset's damage or loss would have on the NAS, the flying public, and the aviation industry.

STEP 3

5. ASSIGNING A CRITICALITY RATING.

Criticality ratings are indicated by assignment of numerical values from 1 through 4. The significance of each rating is indicated in the table below.

Criticality Rating | Severity of Loss (Level of Impact) | Impact of Loss (Impact Description)
1 | Catastrophic | Total destruction or loss of the asset or damage to the asset sufficiently severe to cause complete loss of mission capability for an extended period.
2 | Very Serious | Major damage to the asset requiring extensive repairs with consequent severe impairment of the mission capability.
3 | Moderately Serious | Damage to the asset is sufficient to require immediate repairs with noticeable impact on the capability of the facility to accomplish its mission.
4 | Not Serious | Damage to the asset is such that there is no noticeable adverse impact on the capability of the facility to perform its mission.

CRITICALITY RATINGS BASED ON IMPACT OF LOSS

 

STEP 4

5. IDENTIFICATION OF THE THREATS ASSOCIATED WITH EACH ASSET.

5.1. All threats to an asset must be identified.

5.2. A threat associated with an asset, if it occurs, does not necessarily result in a loss event.

5.3. When a loss event does occur, however, it always results in quantifiable physical damage to, or destruction of, the asset.

5.4. The threat identification process incorporates the elements of a traditional threat assessment. Any information or data that indicates the probability that a particular threat will occur must be incorporated into the overall analysis.

STEP 5

6. IDENTIFICATION AND ASSESSMENT OF EXISTING COUNTERMEASURES WITH REFERENCE TO THE IDENTIFIED THREATS.

6.1. Countermeasures are those actions taken to eliminate, reduce, or control vulnerabilities to specific threats. In most instances countermeasures require the expenditure of funds as well as the allocation of resources.

6.2. Existing countermeasures must be identified and assessed to determine the extent to which they are providing the intended vulnerability reduction.

STEP 6

7. ASSIGNMENT OF AN ASSET VULNERABILITY RATING.

7.1. Each asset, having been prioritized according to criticality, is now evaluated to determine the extent to which it is vulnerable to identified threats.

7.2. Vulnerabilities are those physical, technical, administrative, procedural, or human characteristics of an asset that constitute quantifiable weaknesses. If a threat occurs, these weaknesses increase the probability that it will be successful in causing a loss event. Vulnerability is defined as "a weakness associated with any condition or attribute of an asset whether technical, administrative, or human, which facilitates or increases the probability that a threat will result in a loss event."

7.3. With regard to any asset, the level of risk is directly related to the magnitude of the vulnerabilities associated with the asset. The greater the number and magnitude of vulnerabilities, the greater the probability or risk that a loss event will occur. Vulnerabilities constitute a measure of the probability that, if an identified threat occurs, it will be successful in causing a loss event.

7.4. An alphabetical rating from "A" through "D" is assigned to each asset reflecting the vulnerability level. The "A" rating designates the highest vulnerability, and the "D" rating the lowest as shown in the table below.

Probability that if a threat occurs it will be successful in causing a loss event | Rating | Description
Extremely High Probability | A | Given no changes, the vulnerability is so severe that if a threat occurs the probability that it will be successful in causing a loss event is extremely high.
Very High Probability | B | The vulnerability is such that if a threat occurs the threat or loss event is much more likely to occur than not to occur.
Moderately High Probability | C | The threat or loss event is more likely to occur than not to occur.
Low Probability | D | The threat or loss event is less likely to occur than not to occur.

VULNERABILITY AND PROBABILITY OF LOSS RATINGS

STEP 7

8. DETERMINE THE LEVEL OF RISK, (RISK LOGIC).

8.1. At this point in the SRM process each asset has been assigned two designators.

8.1.a. The first designator, a numerical designator, indicates the criticality of the asset.

8.1.b. The second designator, a letter designator, indicates the vulnerability of the asset to a loss event.

8.1.c. The combinations of the two designators (Criticality and Vulnerability) represent the level of Risk.

8.1.d. The assets are reprioritized, with those assets having the highest Risk level being given the highest priority.

8.2. Using the Risk Level Values assigned, each asset is entered into a risk logic matrix as shown below.

 

Impact of Loss - Criticality/Vulnerability - Risk Level

Vulnerability (Assessed Rating) | Probability that if a threat occurs it will be successful in causing a loss event | 1 Catastrophic | 2 Very Serious | 3 Moderately Serious | 4 Not Serious
A | Extremely High Probability | 1A | 2A | 3A | 4A
B | Very High Probability | 1B | 2B | 3B | 4B
C | Moderately High Probability | 1C | 2C | 3C | 4C
D | Low Probability | 1D | 2D | 3D | 4D

RISK LOGIC MATRIX

8.3. Unacceptability and Acceptability of Risk

Normally, not all risks can be controlled or eliminated. For assets that are controlled, however, it is important, as a minimum, to control or reduce extremely high and very high levels of risk to a moderate or low level of risk.

STEP 8

9. DECISION MAKING.

9.1. The goal of the SRM process is to provide the SRM team and other decision makers with a means to logically quantify and group assets according to criticality and vulnerability.

9.2. The risk logic matrix presentation permits extrapolating risk information pertaining to assets in such a way that management has a clear perception of where the critical decision boundaries are to be found.

9.3. For example, the risk levels reflected in the risk logic table above for each asset are interpreted for purposes of decision making as shown in the table below.

FAA ASSET RISK LEVEL | INTERPRETATION
1A, 1B, 1C, 2A, 2B, 3A | These risks are unacceptable and must be controlled or eliminated.
1D, 1B, 2D, 3B, 3C | These risks should be unacceptable. However, management may determine to accept the risk in writing.
3D, 4A, 4B, 4C, 4D | These risks may be accepted with management review.

RISK MATRIX MANAGEMENT GUIDE
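
An added worked example (not part of the FAA guide) of the risk logic in Steps 2, 7 and 8: it computes K, forms each asset's risk level, and maps it to the decision tiers in the table above. As printed, that table lists 1B in two rows and does not list 2C; the code reports both rather than guessing, and its handling of them (stricter tier wins, unlisted cell fails closed), the tie-break order, and the sample inventory are assumptions.

```python
from itertools import product

# Decision tiers copied as printed in the RISK MATRIX MANAGEMENT GUIDE table.
TIERS = [
    ("unacceptable: control or eliminate", "1A, 1B, 1C, 2A, 2B, 3A"),
    ("acceptable only in writing", "1D, 1B, 2D, 3B, 3C"),
    ("acceptable with management review", "3D, 4A, 4B, 4C, 4D"),
]

def build_decision_map(tiers=TIERS):
    """Map each risk level (e.g. '2A') to a tier index; report table defects."""
    decision, duplicates = {}, []
    for idx, (_, cells) in enumerate(tiers):
        for cell in (c.strip() for c in cells.split(",")):
            if cell in decision:
                duplicates.append(cell)   # assumption: earlier (stricter) tier wins
            else:
                decision[cell] = idx
    every_cell = {c + v for c, v in product("1234", "ABCD")}
    unlisted = sorted(every_cell - set(decision))
    return decision, duplicates, unlisted

def impact_of_loss(ci, ct, cp, cr):
    """K = Ci + Ct + Cp + Cr, all in dollars (section 4.3)."""
    return ci + ct + cp + cr

def prioritize(assets):
    """Return (risk level, tier index, K, name) rows, highest priority first."""
    decision, _, _ = build_decision_map()
    rows = []
    for name, criticality, vulnerability, costs in assets:
        level = f"{criticality}{vulnerability}"
        tier = decision.get(level, 0)     # assumption: unlisted cell fails closed
        rows.append((level, tier, impact_of_loss(*costs), name))
    # Assumed tie-break inside a tier: criticality, vulnerability, then larger K.
    return sorted(rows, key=lambda r: (r[1], r[0], -r[2]))

# Constructed sample inventory: (name, criticality 1-4, vulnerability A-D,
# (Ci, Ct, Cp, Cr) in dollars). None of these figures come from the guide.
SAMPLE = [
    ("perimeter fence", 4, "B", (80_000, 5_000, 90_000, 2_000)),
    ("backup generator", 2, "C", (250_000, 40_000, 300_000, 120_000)),
    ("radar site", 1, "B", (4_000_000, 600_000, 5_500_000, 2_000_000)),
    ("records room", 3, "B", (60_000, 10_000, 75_000, 15_000)),
]

if __name__ == "__main__":
    _, dup, missing = build_decision_map()
    print("listed twice:", dup, "| not listed:", missing)
    for level, tier, k, name in prioritize(SAMPLE):
        print(f"{level}  {TIERS[tier][0]:<36} K=${k:>12,}  {name}")
```
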

STEP 9

10. USING THE MATRIX.

10.1. The term managing risk is significant. The entire thrust of the SRM process is to provide a logical and comprehensive set of procedures for determining where resources must be expended to reduce unacceptable risks, and what options the decision maker has in terms of directing resources toward the remaining risk categories.

10.2. The process can be applied equally effectively to any asset provided the value of the asset in terms of impact of loss can be quantified in dollars.

10.3. When the process has reached the stage where the risk logic matrix is complete, the decision maker can readily identify those vulnerabilities that must be given the highest priority for elimination or control because of the catastrophic consequences of the impact of loss.

10.4. This process ensures that the criticality and impact of loss concerns for the assets together with their associated overall risk levels have been identified and prioritized.

10.5. Decision makers will be able to use the most cost-effective measures available to address the risks in priority order and to reduce those vulnerabilities associated with unacceptable risks to an acceptable level.

10.6. Risk reduction measures include physical modification, procedural changes, or other measures that will reduce the risk to an acceptable level.

10.7. Decision makers shall ensure that established minimum FAA security standards are included in the process of identifying and quantifying risk reduction strategies.

10.8. The overall risk severity for a given threat or loss event is normally taken to be a judgmentally defined, credible "worst case".

STEP 10

11. DETERMINE APPROPRIATE RISK REDUCTION METHODS AND THEIR ASSOCIATED COSTS.

11.1. Identify all required countermeasures, and their costs, necessary to reduce identified risk to an asset to an acceptable level.

11.2. Identify cost-effective alternative countermeasure approaches.

STEP 11

12. COST BENEFIT ANALYSIS (CBA).

12.1. All of the essential elements in the SRM process are quantified in terms of dollar value.

12.2. CBA shall be applied to the results of the SRM process, as well as to any stage of the process, to ensure that risk reduction strategies are cost beneficial.

12.3. Decision makers use the results of CBA as necessary to assist them in making decisions by clearly indicating the advantages and disadvantages of alternative approaches to a given risk reduction situation and weighing the comparative costs for each advantage.