Before September 11, 2001, President Clinton signed Presidential Decision Directive 63 (PDD-63), the Policy on Critical Infrastructure Protection. It identified eight (now 11) sectors of the economy considered critical to national security, including telecommunications, transportation, water supply, oil and gas production, banking and finance, electrical generation, emergency services and essential government functions. This directive, together with the Bioterrorism Act and other implementing policies, assigned oversight of each function to a separate government agency. Protection of the water supply is the responsibility of the Environmental Protection Agency (EPA); protection of the food supply is the responsibility of the Food and Drug Administration (FDA). Each agency is tasked with developing risk assessment and security protocols for the assets under its purview, and many of them use a different risk assessment methodology.
Many risk and vulnerability analysis methods exist. Although they are similar in nature, security professionals should know the basics of these differing methodologies even when they are not directly involved in the function a given method assesses.
Operational Risk Management
The FDA is responsible for the security of food production, importation, warehousing, transportation and distribution in the United States. This agency has adopted the Operational Risk Management (ORM) method to help ensure that food assets remain safe from attack.
ORM is an engineering-based risk management system used by the Federal Aviation Administration and the military to examine the safety of, and risk to, existing systems. It is a tool for identifying the operational risks and benefits of a course of action so that the best option can be chosen for a given situation. Operational risk itself is defined as the risk of loss resulting from inadequate or failed processes, people and systems, or from external events. ORM resembles other risk management methods in that it identifies hazards and determines their impact on food safety by estimating the probability and severity of an attack, which lets those responsible address the worst hazard first. The FDA describes it as a defensive vulnerability assessment tool for identifying the points in a system most susceptible to terrorist attack and for designing preventive measures that reduce the risk. It uses a six-step process: identify the hazards, assess the risk, analyze risk control measures, make control decisions, implement risk controls, and supervise and review.
Identify the Hazards–The first step examines each activity in a process or flow of actions and events and identifies the associated hazards. ORM defines a hazard as any real or potential condition that can cause degradation, injury, illness, loss of equipment, or property damage. In the case of restaurant food security, a process may include the placement of food in a salad bar. The associated hazards include intentional contamination with bacteria, the placement of sharp objects inside the food, or the introduction of a poison.
Assess the Risk–Hazard probability, severity, and exposure (the number of people or resources affected by a given event or by cumulative events) are determined in terms of their impact on people and on food security. ORM uses five probability categories: frequently, likely, occasional, seldom and unlikely. In the context of food security each term has a definition: frequently means the event takes place often and persons are continuously exposed; likely means it takes place several times and persons are regularly exposed; occasional means it will happen and exposure is sporadic; seldom means it may happen and exposure is infrequent; unlikely means both likelihood and exposure are rare. Severity is categorized as catastrophic, critical, moderate or negligible: catastrophic is complete business failure or loss of a facility asset due to an attack resulting in fatalities; critical is major business impact resulting from severe illnesses or a severe incident; moderate is minor business impact resulting from minor illnesses or a minor incident; negligible is less than minor business impact or illness. Risks are then ranked using a probability-by-severity matrix so that the highest-ranked hazards receive controls first.
Analyze Risk Control Measures–This step represents the development of risk control measures to mitigate, prevent, control, or eliminate the hazard or reduce its probability or exposure.
Make Control Decisions–In the ORM methodology, the decision makers who can implement the control measures are identified. ORM does not assume this is a single person or department.
Implement Risk Controls–Once the controls and those responsible for the implementation of the controls are identified, the process of executing protective measures begins. Implementation strategies are developed that define individual responsibility, accountability, and involvement. ORM allows for different people to implement the controls based on severity.
Supervise and Review–Once controls are in place, their effectiveness is examined and re-evaluated, and the assessment is repeated as the system changes.
The following principles apply to all stages of the ORM process: Accept no unnecessary risk. Unnecessary risk is risk that carries no commensurate return in benefits or opportunities.
Make risk decisions at the appropriate level. Making risk decisions at the appropriate level establishes clear accountability. The decision maker is the person who can allocate the resources necessary to implement controls or is authorized to accept risk.
Accept risk when the benefits outweigh the costs. All identified benefits should be compared with all identified costs. Balancing costs and benefits can be a subjective process.
Integrate ORM into planning at all levels. The later changes are made in a process of planning and executing an operation, the more expensive and time-consuming they can become.
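The following Python program is an added illustration of the Assess the Risk and Supervise and Review steps above; it is not part of the original text and is not an FDA tool. It takes the three salad-bar hazards named in the Identify the Hazards step, scores each against a probability-by-severity matrix, ranks them worst first, applies a control, and re-ranks. The matrix values, the probability and severity ratings, the exposure figures and the control itself are all assumptions made for the example (the page does not print a matrix); the category names are the ones the text defines.

```python
"""ORM-style risk ranking for the salad-bar hazards named in the text.

Added example. The RAC matrix, hazard ratings, exposure figures and the
control applied are assumptions for illustration, not published FDA values.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Probability categories, most to least likely (names from the text).
PROBABILITY = ["frequently", "likely", "occasional", "seldom", "unlikely"]
# Severity categories, worst to least (names from the text).
SEVERITY = ["catastrophic", "critical", "moderate", "negligible"]

# Risk Assessment Code (RAC): 1 = highest risk ... 5 = lowest.
# Rows follow SEVERITY, columns follow PROBABILITY.
# ASSUMPTION: values modelled on the common military ORM matrix.
RAC_MATRIX = [
    [1, 1, 2, 3, 4],  # catastrophic
    [1, 2, 3, 4, 5],  # critical
    [2, 3, 4, 5, 5],  # moderate
    [3, 4, 5, 5, 5],  # negligible
]


@dataclass(frozen=True)
class Hazard:
    activity: str
    description: str
    probability: str
    severity: str
    exposure: int  # people affected per event (assumed figures)


def risk_code(h: Hazard) -> int:
    """Assess the Risk: look severity x probability up in the matrix.

    A misspelt category must fail loudly; a silent default would let a
    hazard drop to the bottom of the ranking unnoticed.
    """
    if h.probability not in PROBABILITY or h.severity not in SEVERITY:
        raise ValueError(f"unknown category on {h.description!r}")
    return RAC_MATRIX[SEVERITY.index(h.severity)][PROBABILITY.index(h.probability)]


def rank(hazards: List[Hazard]) -> List[Hazard]:
    """Worst hazard first: lowest RAC, then largest exposure, then worst severity."""
    return sorted(
        hazards,
        key=lambda h: (risk_code(h), -h.exposure, SEVERITY.index(h.severity)),
    )


def apply_control(h: Hazard, probability: Optional[str] = None,
                  exposure: Optional[int] = None) -> Hazard:
    """Implement Risk Controls: a control lowers probability and/or exposure.

    It never rewrites the hazard itself, so the record stays auditable.
    """
    return replace(
        h,
        probability=probability if probability is not None else h.probability,
        exposure=exposure if exposure is not None else h.exposure,
    )


# Constructed sample: the salad-bar hazards from the text, ratings assumed.
SALAD_BAR = [
    Hazard("salad bar", "intentional bacterial contamination", "seldom", "critical", 120),
    Hazard("salad bar", "sharp objects placed in food", "seldom", "moderate", 5),
    Hazard("salad bar", "introduction of a poison", "seldom", "catastrophic", 120),
]


def assess(hazards: List[Hazard]) -> List[Tuple[int, str]]:
    """Return (RAC, description) pairs, worst first."""
    return [(risk_code(h), h.description) for h in rank(hazards)]


def assess_salad_bar() -> List[Tuple[int, str]]:
    return assess(SALAD_BAR)


def reassess_with_attendant() -> List[Tuple[int, str]]:
    """Supervise and Review after an assumed control: a dedicated attendant
    watching the bar moves every 'seldom' hazard to 'unlikely', and smaller,
    more frequently replaced pans cut exposure per event to 40."""
    controlled = [
        apply_control(h, probability="unlikely", exposure=40)
        if h.probability == "seldom" else h
        for h in SALAD_BAR
    ]
    return assess(controlled)


if __name__ == "__main__":
    print("before controls:", assess_salad_bar())
    print("after controls: ", reassess_with_attendant())
```

Two points the ranking makes that the prose does not: a hazard rated catastrophic but unlikely still outranks a critical one at the same probability, and a single control that only changes probability and exposure can shift several hazards at once, which is why the Supervise and Review step re-runs the whole assessment rather than re-scoring one line.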