Question

What is the bottom-up and top-down method to risk management? Discuss the danger, risk, weakness, and...

What is the bottom-up and top-down method to risk management?

Discuss the danger, risk, weakness, and consequence in relation to critical infrastructure (i.e. natural/manmade/individual disasters/public health/safety/economic: direct, indirect).

Answer #1

Bottom-up and top-down method to risk management:

There are two approaches to risk management which are widely practiced: top-down and bottom-up.

The bottom-up approach takes the philosophy that an organisation needs to identify risk at the following levels:

Process Level - Project/Department Level - Vertical/Functional Level - Business Unit Level - Organisation Level

Bottom-up approach could completely consume all resources and take all your time, but it would represent the most precise picture of the risk and could be completely quantified.

Bottom-up risk management is generally practiced where risk is rarely viewed at enterprise level as being of strategic importance. It may also lead to proliferation of efforts, multiple channels which are often competing with each other for credit, lack of sufficient focus on emerging risks, etc.

The bottom-up approach is used rarely these days, if ever. But it may have its valid place where tight control over spending is needed, such as in government organizations. It is feasible if the discipline in the organization is high and it is possible to systematically collect risk data from the lowest levels of the organization.

For-profit organizations cannot afford to spend that much time and resources to conduct bottom-up risk assessment. So they have to manage risk specific to the business objectives and possible threats to their achievement.

The top-down approach, on the other hand, may lead to sub-optimal solutions, as insufficient data is in hand to identify the exact nature of risks and what their mitigation should be. Board articulation of risk and the follow-up mechanism may not always be rigorous, without which the entire exercise may fail, as people down the line get the message that management is not really serious about risk management.

However, the best approach is to combine the two.

Risk assessment starts from the top according to the business objectives; and when the risk awareness among the personnel reaches a mature level, then it is possible to rely on self-assessments conducted bottom-up to perform continuous risk monitoring after a year or two.

Combining the top-down with the bottom-up approach is necessary where the business environment is continuously changing and consequently the organisation's risk map is shifting. In those circumstances top-down would give risk management the necessary strategic mooring, whereas bottom-up gives it the flexibility within a given set of strategic imperatives. Combination also keeps everybody in the organisation involved in the risk management process, ensures accountability and improves compliance with risk reduction processes.

List of Hazards and Threats

Note: No list of threats and hazards is ever complete. Below is a list of common threats and hazards that could affect critical infrastructure. It is anticipated that this list will evolve.

Natural Hazards:

Meteorological:

  • Windstorm, tropical cyclone, hurricane, tornado
  • Thunderstorm
  • Snow, ice, hail, sleet storm
  • Flood
  • Storm surge
  • Extreme weather
    • Heat wave
    • Cold wave
    • Drought
  • Glacier, iceberg

Geophysical:

  • Earthquakes
  • Tsunami
  • Volcanic eruptions
  • Landslide, mudslide, subsidence
  • Geomagnetic storm

Fire:

  • Forest, wildland
  • Urban
  • Fire following earthquake

Biological:

  • Diseases that affect humans
  • Diseases that affect animals
  • Diseases that affect plants
  • Animal or insect infestation or damage

Intentional / Deliberate threats:

Attacks:

  • Chemical attack
  • Biological attack
  • Radiological attack
  • Nuclear attack
  • Explosive attack
  • Cyber attack
  • Conventional arms attack

  • Enemy attack / war
  • Electromagnetic pulse

  • Sabotage
  • Espionage (industrial and otherwise)
  • Crimes (e.g., theft, kidnapping, arson, extortion)
  • Social unrest (riot, lawful / unlawful protest, disruption)
  • Strike or labour disruption
  • Other intentional actions that can affect critical infrastructure (non-malicious):
    • Border closure
    • Regulation change

Accidental / Technical Hazards:

Accident:

  • Transportation accident
  • Hazardous material spill or release (explosive, flammable liquid, flammable gas, flammable solid, oxidizer, poison, biological, radiological)
  • Fire
    • Urban fire
    • Industrial fire
    • Chemical fire
  • Accidental explosion

Failure / Technical

  • Technical failure
  • Mechanical failure
  • Software failure
  • Operator error
  • Process / procedure failure
  • Structural failure (e.g., Bridge collapse, Mine collapse, Dam collapse / failure, Water main failure)
  • Dependent CI disruption / failure (i.e. failure in provision of critical services or products in the information & communication technology, finance, energy, food, safety, government, health, manufacturing, transportation or water sectors)