All facilities face a certain level of risk associated with various threats. These threats may be the result of natural events, accidents, or intentional acts to cause harm.
The first step in a risk management program is a threat assessment. A threat assessment considers the full spectrum of threats (i.e., natural, criminal, terrorist, accidental, etc.) for a given facility/location.
Once the plausible threats are identified, a vulnerability assessment must be performed. The vulnerability assessment considers the potential impact of loss from a successful attack as well as the vulnerability of the facility/location to an attack. Impact of loss is the degree to which the mission of the agency is impaired by a successful attack from the given threat. A key component of the vulnerability assessment is properly defining the ratings for impact of loss and vulnerability.
A combination of the impact of loss rating and the vulnerability rating can be used to evaluate the potential risk to the facility from a given threat.