Frequently Asked Questions - FAQs
What is risk management?
What is a Threat and Risk Assessment (TRA)?
What is CRM – Canadian Risk Management Designation?
What is ISO 31000:2009?
Are TRAs used for operations? (see “what are TRAs used for?”)
What is the difference between a threat and a hazard?
What is the difference between a Physical Security Survey (PSS) and a TRA?
Risk management terminology.
What is the CRM RIMS?
How do you establish the Threat/Risk levels?
Is this process not subjective?
What is an FTRA?
Are you contracting a consultant for a TRA?
What is the Harmonized Threat and Risk Assessment (HTRA) methodology?
What is risk management?
Simply put, it is impossible and impractical to protect against (or foresee) everything and anything all the time without going bankrupt or being unable to do your job. It is important, however, that someone (i.e. the designated risk owner) decides where to focus their assets and how to spend them wisely. A proper TRA will help with this. It also acts as a record of the decisions taken and of what information the risk owner knew that day (see “what ifs?”).
Risk management is basically the theory that we can, to some extent, manage/decide which risks we can/must take, avoid, reduce or let someone else handle. More formally:
The identification, analysis, assessment, control, and avoidance, minimization, or elimination of unacceptable risks. An organization may use risk assumption, risk avoidance, risk retention, risk transfer, or any other strategy (or combination) to manage future events.
We use risk management on a daily basis. When we cross the road against the light, for example, there is an inherent risk that you will be hit by a car. In your mind, you very quickly think of dozens of issues: how bad the traffic is, whether someone has already been hit by a car at that intersection this week, and whether waiting and being late for work is worth getting into trouble with your boss. You then decide to make your move (or not). You are managing your risk(s).
This concept can be applied to many issues, including investing money, installing security equipment, project management etc. In fact, this concept can be used for many day-to-day activities that you probably already do subconsciously.
There is currently a large following in the industry of Risk Management, and in the Canadian Federal Government there are several areas that mandate the use of Risk Management (i.e. the Treasury Board Policy on Government Security).
What is a CRM designation – Canadian Risk Management Designation?
There is now a very large following in the field of risk management, including a University designation, “Canadian Risk Manager” (CRM) (see CRM below – http://learn.utoronto.ca/courses-programs/business-professionals/acourses/risk-management-2). There is also a standing ISO standard which applies the concepts of basic risk management theory (see ISO 31000:2009):
What is ISO 31000:2009?
There is a detailed International Standard (from the International Organization for Standardization), published in 2009, outlining the principles and norms for risk management. The most important part of the document relates to the 7 methods of dealing with risk.
ISO 31000:2009 (https://en.wikipedia.org/wiki/ISO_31000). How to deal with risk:
- Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
- Accepting or increasing the risk in order to pursue an opportunity
- Removing the risk source
- Changing the likelihood
- Changing the consequences
- Sharing the risk with another party or parties (including contracts and risk financing)
- Retaining the risk by informed decision
What is a Threat and Risk Assessment (TRA)?
A TRA is a document/report that identifies threats, the associated risks and options on how to mitigate them. The goal is to provide these details in a form that will help the risk owner make decisions on which risks can be resolved/accepted or passed on to someone else.
There are many different formats of the TRA, often specific to a goal. For example, there are formats for engineers to complete a TRA for a bridge or other structure. There are security-related TRAs, Force Protection TRAs and project TRAs.
Also see “what should a TRA contain?”
What is the difference between a Threat Assessment (TA) and a TRA?
This is a critical issue! There is an important difference between them, but they are fundamentally linked. The TA should be a standalone document that focuses only on the threats and hazards (see threats and hazards). It can include such issues as courses of action (COA) (i.e. of the threat or enemy), but it should not offer any resolution or direction to resolve risk.
In the DND world, the TA is a function of the Intelligence Community (CFINTCOM, J2 etc).
The process of requesting the threat information/analysis and the type of detail is an important first step of the TRA (see “how do I get the threat info?”).
This first step of acquiring the TA should not be the end of the Intelligence Community’s involvement in the TRA process, however (see “how do you measure the risk?”).
Are TRAs used for operations? (see “what are TRAs used for?”)
This is an area where TRAs are extremely useful. They provide the Comd with a focused report, as in many cases operational sites have uncommon situations that require thinking outside the standard box. These types of TRAs include such threats as CBRN, COMSEC etc. TRAs for missions should be conducted by your most experienced TRA analysts.
What is the difference between a threat and a hazard?
Most of the original TRAs were focused on security-related elements, and the term “threat” applied to the standard categories: terrorism, espionage, sabotage, subversion etc. TRAs now include all types of potential situations, for which the term “hazard” is better suited. For example, an earthquake or a medical virus could affect the mission in that the personnel could be prevented from doing their job. Although one might argue that it is a “threat”, over the past few years it has been customary to delineate between those threats which are human-made and those that are natural.
What is the difference between a Physical Security Survey (PSS) and a TRA?
DND has often used the term PSS to describe a report on the state of security of a facility. It is typically conducted by the MP or Commissionaire services. It is often tied to an inspection of the existing security equipment in place and recommendations for improvements. It is typically used for facilities/buildings and follows the direction provided by the TRA and the risk owner.
A TRA, on the other hand, reviews the threat and risks to facilities, projects, missions etc. It provides details of the threat and of methods to reduce the risk. The risk owner can then make decisions on those risks that they have ownership of, or ask for waivers from the owner.
Risk management terminology.
Although each field (engineering, security, project management etc.) will have its own unique TRA terminology, this website provides several common terms.
Definitions http://www.praxiom.com/iso-31000-terms.htm
What is the CRM RIMS?
(See “What is a CRM designation – Canadian Risk Management Designation?”)
How do you establish the Threat/Risk levels?
It is very important that each TRA defines the use of terms such as High, Medium or Low threat or risk. There should be a definition page that clearly outlines what is meant when these terms are used. For example, the definitions might state that Medium means there is a 50/50 chance of something occurring, or that a threat agent must have demonstrated both the desire and the ability to conduct an action in order to be assessed as High.
In many cases the level of threat/risk is relatively subjective so there must be some type of baseline for the reader.
Is this process not subjective?
Yes, there is a certain measure of subjectivity to TRAs, as in most cases they assess a potential future event. However, it is the research conducted by the analyst that will offer ways to reduce or prevent a potential/expected event without merely providing motherhood options. It is for that reason that the experience of the analyst is critical. Unfortunately, predicting the future is difficult.
What is an FTRA?
The Functional Threat and Risk Analysis is a product of DBHS Security Consulting Inc. In response to the demand for a practical, elite TRA process for when the threat or risk is moderate to very high, DBHS created the Functional Threat and Risk Analysis (FTRA). It is the product of years of study, providing an exceptionally focused and reasonably simple report format to assist those who must make challenging, genuinely informed decisions. It is especially useful for operations and projects with a moderate to high threat/risk potential, or when the decision is critical.
Are you contracting a consultant for a TRA?
There are a number of things you should consider:
- What are the experience and qualifications of the people analyzing the threat or the risk?
- How many and what type of TRAs have they conducted?
- Are they qualified CRA?
- What access to classified information do they have?
What is the Harmonized Threat and Risk Assessment (HTRA) methodology?
The HTRA is a product of two former processes: one from CSE for computer TRAs, and one from the RCMP, which was responsible for physical security. Until circa 2006 they each had their own approach to the TRA process. It became apparent, however, that to install a computer system under the Certification and Accreditation Program (C&A) you technically had to do two TRAs: one for the computer, and one for the location to put it in.
This prompted an amalgamation of the two processes and hence the creation of the CSE – RCMP HTRA methodology (https://www.cse-cst.gc.ca/en/system/files/pdf_documents/tra-emr-1-e.pdf).