SCOPE OF RISK MANAGEMENT

As discussed earlier, when considering the basic elements of risk, the perspective and expectations of the individual or organization affected by the risks is important to understand. Consider the issue of critical infrastructure and who is responsible and accountable, both for individual service provision and in aggregate. In compari-son, if one asks a citizen who requires a specific good, commodity, or the service who is responsible for ensuring that the service is available and of expected quality and quantity, the reply will likely be “the company, of course”—the result of the service agreement between the individual and the company.

Regarding the provision of critical infrastructure services, the private company may fully understand and appreciate the expectations or, and service-level agree-ment with, governagree-ment if they are stated explicitly (which in many cases are not due to a lack of governmental oversight mechanisms). Companies, ever mindful of the financial bottom line, may prioritize how those services are to be achieved and to what extent they are achieved—particularly in the case of widely distributed services.

Finally, as noted earlier, the government may require that the company providing crit-ical infrastructure services comply with legislation and regulation to ensure that the

service is available to some quantifiable extent (typically a percentage of “up time”

and “quality of service”) and hopefully take steps to ensure that those criteria are met.

In each of these cases, the concept of scope factors significantly. Clear delineation of roles and responsibilities, agreed to by all stakeholders, is essential to agreement on scope of services provided, to provision of service, and to reducing any gaps in the protective posture of the NCI providing those services. The AP&S risk management program contributes to ensuring the provision of services and, ultimately, mission success of the NCI. Risks within the NCI and among NCIs (since they are interde-pendent in many cases) may be influenced significantly by the actual ability to meet enough of the mandated or expected (by government) demand for critical services for the organization to remain viable, if not profitable. Finally, from the government perspective, a risk has necessarily a much large scope, perhaps regional or national, in which case it may focus on and manage the ability of many companies to maintain an appropriate level of a critical service within a community—requiring the elimination of any one company as a single point of failure (SPOF) in the provision of an essential service to an individual, a community, a region, or a nation.

Thus it can be seen the extent to which scope can define how risk will be assessed and managed; scope becomes a limiting factor. From the corporate per-spective, it may be communicated that the risk is being assessed in relation to the ability of the corporation to remain viable, if not profitable, in meeting its service delivery mandates from government. From the government perspective, the risk may be assessed twofold: first, in relation to the trust of the community that a cer-tain service will be available on demand and to an appropriate quantity and quality to meet collective needs, and second, in relation to the ability of the government to ensure, through SLAs and oversight, to continuity of service in the expected quantity, time, and quality, to all citizens requiring it. From the individual’s per-spective, the risk may well be defined in relation to his or her trust in the delivery and quality of that service at the home. Each of these statements implies a reas-sessment of, and perhaps changes in, the company’s objectives to be met and the goals to be achieved.

The reason that scope and perspective has been emphasized to such an extent in any chapter on risk management is that inadequate consideration of these two elements by risk analysts, senior management, and other stakeholders has led to misunderstanding of risk management recommendations and subsequent decisions that did not protect adequately the assets supporting the provision of critical goods and services. In short, clearly understanding how perspective and scope shape the focus of any risk assessment will be a very positive and significant step toward being able to both present and argue a case for a protection posture—be it at more senior management tables, peers, other NCIs, government oversight bodies, or to the public being served. To assist in communicating or transmitting the existence of risks in the control system domain, four basic steps are offered:

1. Express the risk at the equipment level, describing the impacts in terms of the losses of its immediate functions. This level is perhaps best understood by the operators and engineers, both of whom must “buy-in” to the risk assessment in order to convince line managers/supervisors and senior management.

2. Extrapolate the assessed impacts associated with a specific loss of function in terms of how they would affect the local system. This will get the attention of line managers and regional managers, who are responsible to headquarters or the main office, for meeting AIC requirements.

3. Communicate how the local or individual system’s loss would translate to the larger system of systems at a corporate level. This moves the risk into the strategic level and by definition becomes a senior management concern from a purely business perspective.

4. Finally, identify any potential outside issues associated with impacts at the community, regional, or national levels. This will concern senior management from an ethical, moral, or societal perspective, which is also their responsibility as a good corporate citizen.

This layered, bottom-up approach to scoping and expressing risks to mission success capitalizes on many strengths, including the analytical skill of the AP&S practitio-ner based on his or her training, education, and experience coupled with a growing collection of like-minded stakeholders through the tactical (operator), operational (line or regional manager), and strategic (senior decision-maker) levels of activity.

An example of this approach when considering the valve that helps mix a certain chemical into paint to help it bond more effectively onto metal follows:

• Based on the assessment by capable engineering and design staff, there is a significant risk that this valve would not function as intended (integ-rity risk) and would likely not mix the needed chemical into the paint (availability risk). The engineer or operator would likely be the first to notice this.

• This loss of service would result in paint that would appear to be bonded appropriately to the metal during a quality assurance check but would become less bonded when exposed to water, thereby causing the paint to chip prematurely (integrity risk). This would not come to light until noticed after time by the consumer.

• The premature chipping of the paint would become a quality of vehicle issue in the eyes of the consumer, devaluing the company’s product in terms of being competitive against similar makes and models (a business risk). Social media and word of mouth would communicate this risk to the community, to the region, and perhaps to the nation.

• As a result of this, one could reasonably expect a drop-in sales (perhaps evolving into a business survival risk). However, it would not likely impact the safety systems on the vehicle and, therefore, would not likely gain the attention of the government regulator from a vehicle safety perspective.

Nonetheless, senior management quickly becomes implicated if a bottom-up approach is adopted to scope and communicate risk.

This approach is effective, applicable in any system, is repeatable, and gets a clear, validated message to senior management regarding key risks. It presents a clear and logical link that allows the individual conducting the risk assessment to

identify what was assessed and how findings relate to the local, system, corporate, and outside objectives and goals.