A.5. Risk Management

ComE 1 Develop Risk Framework
ComE 1.1 Ensure senior leadership communicates in writing the risk framework and intent to use risk analysis to all stakeholders
ComE 2 Assess Risks
ComE 2.1 Conduct criticality analysis (also known as screening) to identify potential targets
ComE 2.2 Conduct vulnerability assessments to assess vulnerability of potential targets to identified threats
ComE 2.3 Conduct consequence analysis of critical targets
ComE 2.4 Conduct threat assessment of potential targets
ComE 2.4.1 Conduct or obtain intelligence community threat/hazard analysis through State or local Interagency Working Groups (Joint Terrorism Task Force) to identify threats to potential targets
ComE 2.4.2 Obtain intelligence reporting and receive threat data through the Department of Homeland Security’s Homeland Infrastructure Threat and Risk Analysis Center (HITRAC)
ComE 2.5 Calculate risk to potential targets based on threat, vulnerability, and consequence
ComE 2.6 Establish relative order of priorities for risk mitigation among risk portfolio
ComE 2.7 Conduct response and recovery capabilities analysis to determine capability to respond to and recover from the occurrence of identified risks
ComE 3 Prioritize Risks
ComE 3.1 Identify potential protection, prevention, and mitigation strategies for high-risk targets
ComE 3.2 Prioritize identified strategies by expected risk reduction outcomes, taking into account the various threats, vulnerabilities, and consequences that affect that community, system, or asset
ComE 4 Develop Business Case
ComE 4.1 Select risk reduction solutions for implementation based on risk reduction strategies
ComE 5 Manage Risk
ComE 5.1 Monitor the progress of solution implementation
ComE 5.1.1 Undertake corrective actions
ComE 6 Conduct Risk Communication
ComE 6.1 Share the assessment of sector-specific infrastructure risk with interdependent entities within appropriate sectors
Table A.5. Common E - Risk Management