Lesson 2.1: Risk Management Concepts

Objective: By the end of this lesson, you will be able to define the core components of risk (Asset, Threat, Vulnerability), differentiate between Qualitative and Quantitative analysis, and apply the four primary risk treatment strategies.


1. The Security Trinity: Assets, Threats, & Vulnerabilities

You cannot design a security system until you define these three variables. The exam will often present a scenario and ask you to identify which part of the scenario represents the “Vulnerability” versus the “Threat.”

A. Assets (What we protect)

An asset is anything that has value to the organization.

  • People: Employees, visitors, contractors (Always the #1 priority).
  • Property: Buildings, equipment, inventory, cash.
  • Information: Intellectual property, customer data, trade secrets.
  • Reputation: Brand image (hardest to measure, often hardest to recover).

B. Threats (What hurts us)

A threat is an indication of potential harm. It is the adversary or the event.

  • Natural: Floods, earthquakes, hurricanes.
  • Man-made (Intentional): Theft, sabotage, terrorism, active shooter.
  • Man-made (Accidental): Power failure, water pipe burst, human error.

C. Vulnerabilities (Where we are weak)

A vulnerability is a physical, procedural, or technical weakness that allows a threat to cause harm to an asset.

  • Example: A door is not a threat. A broken lock on the door is a vulnerability.
  • Example: An earthquake is a threat. A building not retrofitted for seismic activity is a vulnerability.

2. The Risk Equation

While there are complex mathematical models (like the Carnahan formulas), the conceptual equation you must internalize is:

Risk = Threat x Vulnerability x Consequence

  • Logic: If any of these three factors is Zero, the Risk is Zero.
    • If you have a Threat (Thief) and a Vulnerability (Open door), but no Asset (Empty room) = No Risk (Consequence is zero).
    • If you have an Asset (Gold) and a Threat (Thief), but no Vulnerability (Impenetrable vault) = No Risk.

3. Measuring Risk: Qualitative vs. Quantitative

The PSP exam expects you to know when to use which method.

A. Quantitative Analysis (The “Math” Approach)

Assigns specific monetary values to risk. Used when you need to justify budgets to CFOs using ROI (Return on Investment).

  • Key Metrics:
    • SLE (Single Loss Expectancy): Asset Value x Exposure Factor.
    • ALE (Annual Loss Expectancy): SLE x ARO (Annual Rate of Occurrence).
  • Pros: Objective, financial language.
  • Cons: Time-consuming, difficult to assign exact dollar values to “human life” or “reputation.”
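The SLE and ALE metrics above, worked in code as an added example that is not part of this lesson: it computes both metrics for constructed figures and then applies a cost/benefit check (ALE before the control minus ALE after it minus the control's annual cost, an assumed but widely used extension) that mirrors the acceptance rule in section 4.

```python
# Added example (not from the lesson): quantitative risk metrics from section 3A.
# Assumption: countermeasure_value() uses the common formula
# ALE(before) - ALE(after) - annual control cost; the lesson itself does not state it.
from dataclasses import dataclass


@dataclass
class Scenario:
    asset_value: float       # dollar value of the asset
    exposure_factor: float   # fraction of the asset lost per incident (0.0 to 1.0)
    aro: float               # Annual Rate of Occurrence (incidents per year)


def single_loss_expectancy(s: Scenario) -> float:
    """SLE = Asset Value x Exposure Factor."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return s.asset_value * s.exposure_factor


def annual_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE x ARO."""
    return single_loss_expectancy(s) * s.aro


def countermeasure_value(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Net annual value of a control: the ALE it removes minus what it costs per year.
    Positive means mitigation pays for itself; negative means acceptance is the rational choice."""
    return annual_loss_expectancy(before) - annual_loss_expectancy(after) - annual_control_cost


def recommend(before: Scenario, after: Scenario, annual_control_cost: float) -> str:
    """Map the cost/benefit result onto the treatment strategies from section 4."""
    return "mitigate" if countermeasure_value(before, after, annual_control_cost) > 0 else "accept"


if __name__ == "__main__":
    # Constructed figures: a $200,000 server room, total loss per fire, one fire every 10 years.
    fire = Scenario(asset_value=200_000, exposure_factor=1.0, aro=0.1)
    # With suppression (constructed): 25% loss per fire at the same frequency, $3,000/year to run.
    fire_suppressed = Scenario(asset_value=200_000, exposure_factor=0.25, aro=0.1)
    print(f"SLE={single_loss_expectancy(fire):,.0f}  ALE={annual_loss_expectancy(fire):,.0f}")
    print("fire suppression:", recommend(fire, fire_suppressed, 3_000))

    # The lesson's garden hose: $20 hose, assumed stolen once a year, $500 fence annualised over 10 years.
    hose = Scenario(asset_value=20, exposure_factor=1.0, aro=1.0)
    hose_fenced = Scenario(asset_value=20, exposure_factor=1.0, aro=0.0)
    print("garden hose:", recommend(hose, hose_fenced, 500 / 10))
```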

B. Qualitative Analysis (The “Matrix” Approach)

Uses descriptive categories (Low, Medium, High) to rank risks. This is the most common method for Physical Security Professionals.

  • Method: You assign a rating to the Probability of an event and the Severity (Impact) of that event.
  • Pros: Faster, easier to communicate to non-technical stakeholders, good for prioritization.
  • Cons: Subjective (One person’s “High” might be another’s “Medium”).

Exam Tip: If a question describes a scenario where “exact data is unavailable” or “time is limited,” the correct answer is usually Qualitative Analysis.


4. Risk Treatment Strategies

Once you have identified a risk, you must decide what to do about it. There are only four options (remember the acronym T.A.R.P. or A.T.M.A.).

1. Avoidance

Eliminating the risk entirely by discontinuing the activity or removing the asset.

  • Example: The risk of having cash stolen from a retail store is too high, so the store switches to “Credit Card Only” (removing the asset).

2. Transfer (Spreading)

Shifting the financial impact of the risk to a third party.

  • Example: Purchasing insurance.
  • Example: Outsourcing the transport of cash to an armored car service (Contractual transfer).
  • Note: You can transfer the financial risk, but you usually cannot transfer the reputational risk.

3. Mitigation (Reduction)

Taking steps to reduce the Probability or the Impact of the risk. This is where PSPs do 90% of their work.

  • Example: Installing CCTV, hiring guards, reinforcing doors.

4. Acceptance

Acknowledging the risk and choosing to do nothing because the cost of countermeasures exceeds the value of the asset.

  • Example: Leaving a garden hose outside unsecured because a fence costs $500 and the hose costs $20.