Developing Risk Assessments

The ability to illustrate and articulate Risk Assessments is a critical factor in leveraging limited resources. The following will help in building a Risk Assessment (RA) Profile.

Jonathan Greenstein (jonathan.greenstein@leo.gov)


• This information is UNCLASSIFIED. The processes and procedures utilized are also UNCLASSIFIED. • When conducted, RA’s are classified SENSITIVE to a higher level. Ensure working documents and supportive information is appropriately marked and protected.


Step 1: Identify Threats
• Identification of threats is the first step in the RA process. Through reviews of classified, law enforcement sensitive and open source intelligence, the threats facing your enterprise will be identified. • The potential to become an overly extensive list of every possible threat exists, as such, it may be best to limit the threats to a top 5.


• When conducting threat research, ensure you are able to cite authoritative references used to quantify the top threats used in the RA. • It may be helpful to devote a stand-alone file to maintain copies of threat reporting and intelligence.


Quantifying Threats
• For the purpose of this training, focus on criminal/terrorism based threats. • While other threats exist, to maintain focus; this RA should be based on the these.


Step 2: Assess Vulnerability
• As part of a regular vulnerability assessment, there should be process in which the activity is assessed for vulnerabilities. • These vulnerabilities are identified through systematic assessments.


Vulnerability to Threat
• Once the Threat Assessment is completed, match those threats against Vulnerabilities. • What threat has the greatest probability of success against an identified vulnerability.


Step 3: Determine Criticality
• As part of the overall RA process, the criticality of a particular asset must be determined. In general, criticality applies to the impact on overall operations that would occur if that asset was impacted to the point of failure. • Short-term or minor impact would lower criticality rating, while long-term or major impact would raise the criticality rating.


Step 3: Computation
• Once the Threat Probability (TP), Vulnerability (V) and Criticality (C) are quantified, the next step in the Risk Assessment process is the computation of the Relative Risk. • Multiply TP x V x C to resolve the Relative Risk

TP (times) V (times) C = RR


Illustrating the Risk Assessment
Threat Probability (TP) 1-5 1-5 1-5 1-5 1-5 Vulnerability (V) 1-5 1-5 1-5 1-5 1-5 Criticality (C) 1-5 1-5 1-5 1-5 1-5 Relative Risk Sum Value Sum Value Sum Value Sum Value Sum Value

Threat Probability (Numeric Value) 1-5: Lower the value, higher the threat Vulnerability (Numeric Value) 1-5: Lower the value, higher the vulnerability Criticality (Numeric Value) 1-5: Lower the value, higher the criticality Relative Risk (Computation of TP (times) Vulnerability (times) Criticality.

TP x V x C= Relative Risk.

Threat Probability (TP) Threat of XYZ (3) Threat of WYR (2) Threat of TRW (1) Threat of HGT (4) Threat of UFO (5) Vulnerability (V) 1 2 3 4 5 Criticality (C) 1 2 3 4 5

Relative Risk (TP x V x C) 3 8 9 64 125

In the example depicted above, the threat probability(TP) with the greatest vulnerability (V) that shares the highest criticality (C) and which equates to the greatest relative risk (RR) is listed first. This method easily illustrates the Probability, Vulnerability, Criticality and overall Relative Risk in an easy to follow format, while not revealing details related to specific vulnerabilities or criticality. When articulating the Threat Probability, you may want to consider a generic statement such as : VBIED versus a detailed definition of the particular threat.


Threat 5

Based on IIR 123.21, 435.998

Threat 4


Based on IIR 948363.093

Threat 3

Based on IIR 4532.3937

Threat 2

Based on IIR Based on IIR 12345.342 12345.342 Threat 1







• Ensure your Threat Probability is supported by authoritative references; • Vulnerability should be based on current assessments; • Criticality is the relative impact to mission; • Relative Risk is the sum of TP, V and C;


• When articulating threat, vulnerability and criticality, attempt to keep the information at the lowest level of classification. This will ensure dissemination is not unduly hampered; • Keep definitions and illustrations as simple as possible, while conveying clear information.



• This product was developed as part of a professional development exercise. It is being freely distributed for the benefit of the law enforcement and force protection community. • Commercial use, application or distribution without the authors express consent is prohibited.


Questions / Comments
Please direct questions or comments to:
Jonathan Greenstein
Creator and Author


Sign up to vote on this title
UsefulNot useful