Purely quantitative risk assessment is a mathematical calculation based on security metrics on the asset (system or application). For each risk scenario, taking into consideration the different risk factors, a single loss expectancy (SLE) is determined. For example, if you consider the risk scenario of a laptop theft threat, you should consider the value of the data (a related asset) contained in the computer and the reputation and liability of the company (other assets) deriving from the loss of availability and confidentiality of the data that could be involved. It is easy to understand that intangible assets (data, reputation, liability) can be worth much more than the physical resources at risk (the laptop hardware in the example).
Qualitative risk assessment (a three- to five-step evaluation, from Very High to Low) is performed when the organization requires a risk assessment to be performed in a relatively short time or to meet a small budget, a significant quantity of relevant data is not available, or the persons performing the assessment don't have the sophisticated mathematical, financial, and risk assessment expertise required.
Qualitative risk assessments are typically performed through interviews of a sample of personnel from all relevant groups within an organization charged with the security of the asset being assessed. Qualitative risk assessments are descriptive versus measurable. Usually a qualitative classification is done followed by a quantitative evaluation of the highest risks to be compared to the costs of security measures. Risk estimation has as input the output of risk analysis and can be split in the following steps:. The output is the list of risks with value levels assigned. It can be documented in a risk register.
Risks arising from security threats and adversary attacks may be particularly difficult to estimate. This difficulty is made worse because, at least for any IT system connected to the Internet, any adversary with intent and capability may attack because physical closeness or access is not necessary. Some initial models have been proposed for this problem. During risk estimation there are generally three values of a given asset, one for the loss of each of the CIA properties: Confidentiality, Integrity, Availability.
The risk evaluation process receives as input the output of the risk analysis process. It compares each risk level against the risk acceptance criteria and prioritises the risk list with risk treatment indications. To determine the likelihood of a future adverse event, threats to an IT system must be considered in conjunction with the potential vulnerabilities and the controls in place for the IT system. The level of impact is governed by the potential mission impacts and produces a relative value for the IT assets and resources affected e. The risk assessment methodology encompasses nine primary steps: .
Risk mitigation, the second process according to SP , the third according to ISO of risk management, involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment process.
There are some lists from which to select appropriate security measures, but it is up to the single organization to choose the most appropriate one according to its business strategy, constraints of the environment and circumstances. The choice should be rational and documented. The importance of accepting a risk that is too costly to reduce is very high and has led to risk acceptance being considered a separate process. Risk transfer applies where the risk has a very high impact but it is not easy to significantly reduce the likelihood by means of security controls: the insurance premium should be compared against the mitigation costs, possibly evaluating some mixed strategy to partially treat the risk.
Another option is to outsource the risk to somebody more efficient at managing the risk. Risk avoidance describes any action where ways of conducting business are changed to avoid any risk occurrence. For example, the choice of not storing sensitive information about customers can be an avoidance for the risk that customer data can be stolen. The residual risks, i. If the residual risk is unacceptable, the risk treatment process should be iterated.
Risk mitigation is a systematic methodology used by senior management to reduce mission risk. Address the greatest risks and strive for sufficient risk mitigation at the lowest cost, with minimal impact on other mission capabilities: this is the suggestion contained in . Risk communication is a horizontal process that interacts bidirectionally with all other processes of risk management. Its purpose is to establish a common understanding of all aspects of risk among all the organization's stakeholders.
Establishing a common understanding is important, since it influences decisions to be taken.
The Risk Reduction Overview method is specifically designed for this process. It presents a comprehensible overview of the coherence of risks, measures and residual risks to achieve this common understanding. Risk management is an ongoing, never-ending process. Within this process, implemented security measures are regularly monitored and reviewed to ensure that they work as planned and that changes in the environment have not rendered them ineffective.
Business requirements, vulnerabilities and threats can change over time. Regular audits should be scheduled and should be conducted by an independent party, i. Security controls should be validated. Technical controls are possibly complex systems that are to be tested and verified. The hardest part to validate is people's knowledge of procedural controls and the effectiveness of the real application of the security procedures in daily business.
Vulnerability assessment, both internal and external, and penetration testing are instruments for verifying the status of security controls. Information technology security audit is an organizational and procedural control with the aim of evaluating security. The IT systems of most organizations are evolving quite rapidly. Risk management should cope with these changes through change authorization after risk re-evaluation of the affected systems and processes, and should periodically review the risks and mitigation actions. Monitoring system events according to a security monitoring strategy, an incident response plan, and security validation and metrics are fundamental activities to assure that an optimal level of security is obtained.
It is important to monitor new vulnerabilities, apply procedural and technical security controls like regularly updating software, and evaluate other kinds of controls to deal with zero-day attacks. The attitude of the people involved to benchmark against best practice and follow the seminars of professional associations in the sector are factors to assure the state of the art of an organization's IT risk management practice. Effective risk management must be totally integrated into the SDLC.
The risk management methodology is the same regardless of the SDLC phase for which the assessment is being conducted. Risk management is an iterative process that can be performed during each major phase of the SDLC.
Early integration of security in the SDLC enables agencies to maximize return on investment in their security programs, through: . This guide  focuses on the information security components of the SDLC. First, descriptions of the key security roles and responsibilities that are needed in most information system developments are provided. The document integrates the security steps into the linear, sequential a. The five-step SDLC cited in the document is an example of one method of development and is not intended to mandate this methodology.
Lastly, SP provides insight into IT projects and initiatives that are not as clearly defined as SDLC-based developments, such as service-oriented architectures, cross-organization projects, and IT facility developments. Security can be incorporated into information systems acquisition, development and maintenance by implementing effective security practices in the following areas. Information systems security begins with incorporating security into the requirements process for any new application or system enhancement. Security should be designed into the system from the beginning.
Security requirements are presented to the vendor during the requirements phase of a product purchase. Formal testing should be done to determine whether the product meets the required security specifications prior to purchasing the product. Correct processing in applications is essential in order to prevent errors and to mitigate loss, unauthorized modification or misuse of information. Effective coding techniques include validating input and output data, protecting message integrity using encryption, checking for processing errors, and creating activity logs.
Applied properly, cryptographic controls provide effective mechanisms for protecting the confidentiality, authenticity and integrity of information. An institution should develop policies on the use of encryption, including proper key management. Disk Encryption is one way to protect data at rest.
Data in transit can be protected from alteration and unauthorized viewing using SSL certificates issued through a Certificate Authority that has implemented a Public Key Infrastructure. System files used by applications must be protected in order to ensure the integrity and stability of the application. Using source code repositories with version control, extensive testing, production back-off plans, and appropriate access to program code are some effective measures that can be used to protect an application's files.
Security in development and support processes is an essential part of a comprehensive quality assurance and production control process, and would usually involve training and continuous oversight by the most experienced staff. Applications need to be monitored and patched for technical vulnerabilities. Procedures for applying patches should include evaluating the patches to determine their appropriateness, and whether or not they can be successfully removed in case of a negative impact.
Risk management as a scientific methodology has been criticized as being shallow. By avoiding the complexity that accompanies the formal probabilistic model of risks and uncertainty, risk management looks more like a process that attempts to guess rather than formally predict the future on the basis of statistical evidence. It is highly subjective in assessing the value of assets, the likelihood of threat occurrence and the significance of the impact.
However, a better way to deal with the subject has not emerged. It is quite hard to list most of the methods that at least partially support the IT risk management process. Efforts in this direction were done by:. Enisa report  classified the different methods regarding completeness, free availability, tool support; the result is that:.
In order to effectively depict the cycle, the four seasons are placed in a wheel diagram showing how spring, summer, fall, and winter are interconnected and continuously flow into one circle. Each season has its own wheel quadrant describing the activities usually undertaken in each month of the year. The process comprises five comprehensive steps, as follows:. Each step identifies inputs or considerations at the outset and concludes with the associated outputs.
Inputs should ideally be assembled, reviewed and well understood prior to engaging in each distinct planning activity as they form an important foundation for the work to be completed. This step involves starting the formal planning process in recognition of the responsibility to prepare a SEMP. The SEMP should be central to the federal government institution's EM activities and provide clear linkages for integrating and coordinating all other intra-departmental and inter-departmental emergency management plans.
Planning can be triggered by the EM planning cycle or it can be initiated in preparation for, or in response to, an event that is induced either by nature or by human actions. The first activity is to form the EM planning team. The size and composition of the team may vary between federal government institutions; however, the planning team should ideally have the skill and experience necessary to develop the SEMP.
The activities below can assist in the success of the planning team. Consider having members of the EM planning team designated by your institution's senior management. One of the most crucial steps in the EM planning process is to identify appropriate members for the EM planning team. This team should be established under the authority of the institution's governance framework and have clear directions, including objectives.
Consideration should be given to having representation from several program and corporate areas, including if applicable regional representation. The aim is to establish a multi-disciplinary planning team to provide optimal input. Consider including a member of your institution's corporate planning area on the EM planning team in order to help align the EM planning cycle with the institution's overall business planning cycle. Federal government institutions should consider identifying the range of experience and skill sets required in the EM planning team.
In turn, institutions should provide training and education for the development of the SEMP. The team members should have the skills and training required to adequately carry out their assigned duties. The composition of the EM planning team will vary depending on institutional requirements; however, it is important that clear terms of reference (TOR) for the team be established and that individual assignments be clearly defined. These TOR can identify the responsibilities assigned to each team member and the requirements to allow that member to carry out the assigned function.
After the EM planning team has clear authority and direction, the next step is to review any relevant existing legislation and policies. This is also an ideal time to involve institutional legal advisors to determine whether legislative requirements are being met. Consider giving a team member the responsibility of analyzing the legislative and policy obligations applicable to the development of the SEMP. Update the analysis regularly, as legislation and policies can change and have an influence on the scope of your SEMP.
The next step is to review any existing EM plans or other applicable documents. The review should ideally include any partner agency EM plans. Those federal government institutions that have mandated emergency support functions (ESFs) under the FERP should have these clearly identified. As noted in Section Two, the EM planning process should be carried out as part of an institution's overall strategic and business planning processes; this will support their alignment. You may then wish to consider how best to align both processes.
Developing the SEMP can be supported by a formal work or project plan to ensure that established timelines for plan development are met. After completing the above steps, the planning team should consider developing a detailed work plan that includes a schedule with realistic timelines, milestones that reflect the institutional planning cycle, and a responsibility assignment matrix with assigned tasks and deadlines.
Specific timelines should be modified as priorities become more clearly defined. This is also an ideal time to develop an initial budget for such items as training, exercises, research, workshops and other expenses that may be necessary during the development and implementation of the SEMP. As a next step, federal government institutions should consider developing a comprehensive understanding of the planning context.
This step is often the most comprehensive and complex. Notwithstanding the blueprint provided, this step is not proposed as a linear process, but rather as a set of related components and activities that can be undertaken in the sequence that best suits the institution. Additional supporting planning tools and templates as well as an EM glossary are provided in Annexes C and D, respectively. An environmental scan involves being aware of the context in which an institution is operating so as to understand how it could be affected. It entails a process of gathering and analyzing information and typically considers both internal and external factors (see Figure 3: The Planning Context for additional information on the factors to consider).
Scanning can be done on a regularly scheduled basis, such as annually, or on a continuous basis for environmental factors that are dynamic or that are of greatest interest to the institution. As part of the environmental scan, the institution defines the internal and external parameters to be taken into account when managing the risk and setting the scope and risk criteria for the remaining risk assessment process. It sets the time, scope and scale and contributes to adopting an approach that is appropriate to the situation of the institution and to the risks affecting the achievement of its objectives.
Additionally, federal government institutions are responsible for conducting mandate-specific risk assessments, including risks to critical infrastructure. The key to any emergency planning is awareness of the potential situations that could impose risks on the organization and on Canadians and to assess those risks in terms of their impact and potential mitigation measures. The following diagram illustrates the external and internal environmental factors to consider. The Planning Context is represented in a target diagram that consists of three circles representing the factors federal institutions should consider in order to understand the context in which it operates and how it could potentially be affected.
The outer and middle circles represent the external context in which the institution seeks to achieve its objectives. The external context includes the following elements:. The inner circle is depicted as a radial diagram with the federal institution undertaking an environmental scan as its core internal factors that influence its work. These are arranged in small circles around the centre and are directly linked to the centre, the institution.
The internal factors that all have an influence on the institution are:. Understanding the internal context is essential to confirm that the risk assessment approach meets the needs of the institution and of its internal stakeholders. It is the environment in which the institution operates to achieve its objectives and which can be influenced by the institution to manage risk. The internal context may include:. Understanding the external context is important to ensure that external stakeholders, their objectives and concerns are considered.
The external context is the environment in which the institution seeks to achieve its objectives and may include:. There are several approaches to developing an institutional environmental scan. Consider reviewing your federal government institution's most current environmental scan, as well as the most current RCMP Environmental Scan (which can be found on the RCMP Web site), in order to develop a better understanding of pressures and issues facing your institution.
Once all documentation is identified, consider conducting a gap analysis to determine whether the institution is currently meeting its obligations as identified in Step 1. If gaps are identified, these should ideally be gathered and presented as part of Step 3 when developing the EM Planning Framework and confirming the institution's strategic EM priorities. During this process, consider conducting a full review and analysis of stakeholder documentation and reports. Where possible, input from external partners should be sought.
Establishing The Value Of All Hazards Risk Mitigation. Proven Practices
This process will add the extra assurance that your institution is linked in with partner agencies and others to assist in developing the broader environmental picture and in identifying EM-related interdependencies. Stakeholders may include First Nations, emergency first responders, the private sector (both business and industry), and volunteer and non-government organizations. An inventory of critical assets and services will assist the planning team in identifying the associated threats, hazards, vulnerabilities and risks unique to their institution.
This activity may be accomplished as follows:. It is important to identify, appraise and prioritize all institutional assets. Assets can be both tangible and intangible and can be assessed in terms of importance, value and sensitivity. This assessment should ideally consider the entire institution i. If a business impact analysis (BIA) has already been completed for your federal government institution's BCP, this analysis can greatly inform your criticality assessment. When conducting a criticality assessment, it is important to be objective when prioritizing the importance of institutional assets, as not all assets are critical to an institution's operations.
Adopting the current Treasury Board Policy related to material and asset management and coding criteria will help structure an effective approach. Federal government institutions may wish to list potential "external" hazards and threats i. All available threat assessments should ideally be reviewed by analyzing the assessment's evaluation of hostile capability, intentions and activity, the environment influencing hostile and potentially hostile groups, and environmental considerations, including natural, health and safety hazards. A comprehensive but non-exhaustive list of hazards and threats relevant to the Canadian context can be found in Annex C, Appendix 3.
For further information, you may wish to consult the Canadian Disaster Database, which contains detailed disaster information on over natural, technological and conflict events (excluding war) that have directly affected Canadians over the past century. The database can help federal government institutions to better identify, assess and manage risks, and can be accessed by sending a request to Public Safety Canada at cdd-bdc ps-sp.
Traditionally, a threat assessment is an analysis of intent and capabilities in the occurrence of a threat. It should:. The all-hazards risk assessment, presented below, can use information contained in institutional threat risk assessment (TRA) reports or information from other sources such as the Integrated Threat Assessment Centre (ITAC). A threat awareness collection process should ideally link to the federal institution's information requirements and available resources.
As appropriate, more specific terrorist threat and hazard information can be obtained from ITAC. They can also add your federal government institution to a distribution list that contains unclassified information. ITAC can be contacted at itac1 smtp. A vulnerability assessment looks at an inadequacy or gap in the design, implementation or operation of an asset that could enable a threat or hazard to cause injury or disruption.
In order to identify vulnerabilities, an institution should first identify and assess existing safeguards associated with critical assets and activities. With respect to known threats and hazards, a vulnerability exists when there is a situation or circumstance that, if left unchanged, may result in loss of life or may affect the confidentiality, integrity or availability of other mission-critical assets.
Risk assessment is central to any risk management process as well as the EM planning cycle. It is a formal, systematic process for estimating the level of risk in terms of likelihood and consequences for the purpose of informing decision-making. Each institution has its own strategic and operational objectives, with each being exposed to its own unique risks, and each having its own information and resource limitations.
Therefore, the risk assessment process is tailored to each institution. Institutions may choose to assess a portfolio of risks, as opposed to specific individual risks, which enables a holistic review of risk treatment decisions. The output of the risk assessment process is a clear understanding of risks, their likelihood and potential impact on achieving objectives. It provides improved insight into the effectiveness of risk controls already in place and enables the analysis of additional risk mitigation measures.
An all-hazards approach to risk management does not necessarily mean that all hazards will be assessed, evaluated and treated, but rather that all hazards will be considered. This part of the process consists of three main activities: risk identification, risk analysis and risk evaluation. The outputs of these three steps provide decision-makers with an improved understanding of the relevant risks that could affect objectives as well as the effectiveness of risk controls already in place.
A risk assessment should generate a clear understanding of the risks, including their uncertainties, their likelihood and their potential impact on objectives. The all-hazards risk assessment (AHRA) process should be open and transparent while respecting the federal institution's context.
It should be tailored to the institution's needs and should identify any limitations such as insufficient information or resource constraints. Third-party review may be used to confirm the integrity of the AHRA process. In this section, risks translate into events or circumstances that, if they materialize, could negatively affect the achievement of government objectives. The hazard risk domain is covered by the AHRA process.
However, the strategic risk domain e. The AHRA process focuses on risks that may occur in the medium term generally years. It also encourages an all-hazards approach when considering risks to be assessed. Once the institution's context is clearly understood refer to the environmental scan in Step , the next step is to find and recognize hazards, threats and possibly trends and drivers, and to describe them in risk statements. Risks should be described in a way that conveys their context, point of origin and potential impact.
The aim is to generate a comprehensive list of risks based on those events that might prevent, degrade or delay the achievement of objectives. It involves the identification of risk sources, areas of impact, events and their causes, as well as potential consequences. Information can be gleaned from historical data, theoretical analyses, and informed and expert judgements.
Risks can be identified through several mechanisms: structured interviews, brainstorming, affinity grouping, risk source analysis, checklists and scenario analysis. Characterization of risks should use an appropriate breadth and scope; it can be difficult to establish a course of action to treat risks if the scope is too broad, while a scope that is too narrow will create too much information, thereby making it difficult to establish priorities.
Risks should be realistic, based on drivers that exist in the institution's operating environment.
Risks are not to be confused with issues. Issues are events that may drive risks, but are not risks in themselves. A risk register or log is used to record information about identified risks and to facilitate the monitoring and management of risks. A risk register will typically describe each risk, assess the likelihood that it will occur, list possible consequences if it does occur, provide a grading or prioritization for each risk, and identify proposed mitigation strategies.
It can be a useful tool for managing and addressing risks, as well as facilitating risk communication to stakeholders. A risk portfolio or profile can be created from the register, helping to compile common risks in order to assess interdependencies and to prioritize groups of risks. The risk register will likely be adjusted as risk assessment results change. The objective of risk analysis is to understand the nature and level of each risk in terms of its impact and likelihood.
It provides the basis for risk evaluation and decisions about risk treatment. Probabilistic methods provide more information on the range of risks and can effectively capture uncertainty, but require more data and resources. Qualitative analysis is conducted where non-tangible aspects of risk are to be considered, or where there is a lack of adequate information and the numerical data or resources necessary for a statistically significant quantitative approach.
It is usually used for analyzing threats with less tangible intent (judgements on terrorism, sabotage, etc.). Descriptive scales can be formed or adjusted to suit the circumstances, and different descriptions can be used for different risks. Qualitative data can often be estimated from interviews with experts. Qualitative analysis is often simpler, but also results in high uncertainty in the results. Consider consulting your institution's subject matter experts when evaluating quantitative likelihood through historical data, simulation models and other methods.
Subject matter experts can also assist in evaluating likelihood from a qualitative perspective, for instance by using a Delphi technique (a group communication process for systematic forecasting). For instance, a pre-determined set of impact questions can be used to better assess risk consequences, such as:. Consequences can be expressed in terms of monetary, technical, operational, social or human impact criteria. They can be evaluated against predetermined segments of interest to the institutions e.
Additional information on analyzing likelihood and impact is provided in the Treasury Board Integrated Risk Management Framework Guidelines. The purpose of risk evaluation is to help make decisions about which risks need treatment and the priority for treatment implementation. This also provides a baseline as to risks without any management measures.
Risk evaluation is the process of comparing the results of the risk analysis against risk criteria to determine whether the level of risk is acceptable or intolerable. Existing controls, the cost of further risk treatment and any policy requirement implications are considered when deciding on additional mitigation measures. Risk criteria are based on internal and external contexts and reflect the institution's values, objectives, resources and risk appetite (the over-arching expression of the amount and type of risk an institution is prepared to take).
Risks can be prioritized by comparing risks in terms of their individual likelihood and impact estimates. Prioritization can be shown graphically in a logarithmic risk diagram, risk-rating matrix or other forms of visual representations. The one most commonly used is the risk matrix (Figure 4), which normally plots the likelihood and impact on the x- and y-axes (the measured components of risks).
Based on a risk diagram or rating matrix, a clustering of risks can be shown, leading to decisions on priorities. Such a plot can help establish acceptable or intolerable risk levels, and establish their respective actions. The risk-rating matrix allows for decisions to be made about which risks need treatment and the priority for treatment implementation.
In order to prioritize risks, comparison is made based on their likelihood and impact estimates. The risk-rating matrix plots the likelihood on the x-axis and the impacts on the y-axis. Then, by measuring those components of risks, a clustering of risks can be shown and help establish acceptable or intolerable risk levels leading to decisions on priorities. Risk treatment is the process of developing, selecting and implementing controls. Treatments that deal with negative consequences are also referred to as risk mitigation, risk elimination, risk prevention, risk reduction, risk repression and risk correction.
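The prioritization and evaluation described above, as an added example that is not part of the original guidance: a small risk register is placed on a risk-rating matrix (likelihood on the x-axis, impact on the y-axis), scored, and compared against risk criteria. The five-step scale, the product scoring rule, the score bands and the sample risks are all assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed five-step ordinal scale, used for both likelihood and impact.
LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]
# Assumed risk criteria: lowest score of each band -> (rating, decision).
CRITERIA = [(15, "Intolerable", "treat first"),
            (8, "Elevated", "treat if cost-justified"),
            (1, "Acceptable", "accept and monitor")]

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str
    impact: str

    @property
    def cell(self):
        """(x, y) matrix position: likelihood on x, impact on y, both 1..5."""
        return LEVELS.index(self.likelihood) + 1, LEVELS.index(self.impact) + 1

def evaluate(risk):
    """Compare the analysed level of risk against the risk criteria."""
    x, y = risk.cell
    score = x * y  # assumed convention: product of the two ordinal ranks
    for floor, rating, decision in CRITERIA:
        if score >= floor:
            return score, rating, decision

def prioritize(register):
    """Highest score first; ties go to the risk with the higher impact."""
    return sorted(register, key=lambda r: (evaluate(r)[0], r.cell[1]), reverse=True)

def render(register):
    """Text matrix: impact rows (Very High on top), likelihood columns, risk counts."""
    counts = Counter(r.cell for r in register)
    return "\n".join(
        f"{LEVELS[y - 1]:>9} | " + " ".join(str(counts[(x, y)] or ".") for x in range(1, 6))
        for y in range(5, 0, -1))

# Constructed sample register (not from the page).
REGISTER = [
    Risk("Laptop theft", "High", "High"),
    Risk("Regional flood", "Low", "Very High"),
    Risk("Frequent printer failure", "Very High", "Low"),
    Risk("Pandemic staff absence", "Medium", "High"),
]

if __name__ == "__main__":
    print(render(REGISTER))
    print([(r.name, *evaluate(r)) for r in prioritize(REGISTER)])
```

The flood and the printer failure both score 10, which is why the tie-break on impact matters: a product score alone would rank a rare, severe event level with a frequent nuisance.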
Treatment options can include, but are not limited to:. Risk treatment options can be prioritized by considering risk severity, effectiveness of risk controls, cost and benefits, the horizontal nature of the risk, and existing constraints. These treatment options, forming recommendations, would be used to develop the risk treatment step in the risk management or emergency management cycle.
Consider gathering a list of institutional risks and cross-referencing the existing plans as identified in Step c that address each risk. A sample cross-reference table of existing plans by identified institutional risks is provided in Annex C, Appendix 4. The outputs from the activities associated with Step 2 contribute directly to the development of the SEMP building blocks, as well as the SEMP itself, and can include:.
This step will contribute to the concept that sound EM decision-making can be based on an understanding and evaluation of hazards, vulnerabilities and related risks. This step focuses on developing an informed EM approach for your institution based on the four pillars of EM. The resulting SEMP building blocks will reflect strategic priorities—the desired balance between developing measures that respond to emergencies versus mitigating the risk. Often, the risk tolerance of an institution influences the direction of the SEMP. Inputs to the development of the SEMP building blocks should include senior management guidance as well as the following:.
To help the planning team develop the SEMP building blocks, the following activities are suggested:. Each institution should establish an EM governance structure to oversee the management of emergencies. The EM planning governance structure may include representatives of an institution's senior management team, from all functional areas such as programs and all corporate areas including communications, legal services and security.
It is important to ensure that your institution's EM governance structure is aligned with other whole-of-government EM governance structures e. It is also crucial that roles and responsibilities, lines of accountability and decision-making processes be aligned and well understood by all concerned.
In identifying members of your institution's EM governance structure, keep in mind the relationship between your institution's mandate and the four pillars of EM. It is important that the planning team confirm the strategic priorities of the institution and of senior management so that they can be reflected in the SEMP. Consider developing an overview of these priorities and identifying potential areas for attention given risk probabilities and vulnerabilities.
The planning team should aim to clearly identify the planning constraints and institutional limitations that will influence the SEMP building blocks and the subsequent development of the SEMP. For example, an institution can be constrained by the availability of training for EM planning team members and by the number of EM positions they have staffed. Similarly, certain assumptions will be made that influence the development of the SEMP building blocks. For example, an assumption might be made that the resources required to develop the SEMP will be paid out of the current fiscal year's budget.
Each federal government institution is unique. When developing the SEMP, numerous planning considerations can be addressed. Although planning considerations will vary from institution to institution, the following identifies the most common planning considerations associated with the four pillars of EM planning.
These are in large part taken from the Federal Policy for Emergency Management. The cross-reference table of existing plans by identified institutional risks provided in Annex C, Appendix 4, can assist in cross-referencing your most prevalent risks and the tools in place to address them such as existing plans. A further cross-referencing can then be undertaken with the four pillars of EM to help target specific activities in one or more of the following areas. A SEMP should inform each federal government institution's overall priorities and tie into its business and strategic planning activities.
This will allow greater integration of the SEMP into existing resource allocation mechanisms within federal government institutions. The objective of planning activities associated with prevention and mitigation efforts is to reduce risk. Accordingly, the planning team may wish to consider:.