Appendix C
Two Approaches to Risk Assessment for Dams

OCCURRENCE/VULNERABILITY/IMPORTANCE APPROACH

The risk assessment method described below is intended to identify in detail vulnerabilities of individual dams. In this step, components of the dam—intake towers, spillways, turbine generators—are considered, as are countermeasures to deter attack on and/or mitigate damage should an attack occur. Three factors are paramount in this risk assessment approach:

  • Occurrence (O), also referred to as the threat likelihood or threat rating (T), is the likelihood that terrorists will attack the dam under consideration. It includes target attractiveness, perceived level of security, access to the site, publicity accruing to the attacker, number of prior attempts to damage the dam, and other factors. It is in this factor that the risk assessment for terrorist hazard differs most from natural hazards, for unlike natural hazards such as earthquake and flood for which the history of independent events is well-documented, the history of terrorist events is brief. As a substitute for quantitative knowledge of recurrence intervals of earthquakes or floods, expressible in probabilistic terms, we must work with relative likelihood of occurrence. Input to this factor may come from intelligence sources.

  • Vulnerability (V) indicates how much the facility or population would be damaged or destroyed based on the structural response to a terrorist act. It is the likely damage resulting from various



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 120
Appendix C Two Approaches to Risk Assessment for Dams OCCuRRENCE/VuLNERABILITy/IMPORTANCE APPROACH T he risk assessment method described below is intended to identify in detail vulnerabilities of individual dams. In this step, components of the dam—intake towers, spillways, turbine generators—are considered, as are countermeasures to deter attack on and/or mitigate damage should an attack occur. Three factors are paramount in this risk assessment approach: • Occurrence (O), also referred to as the threat likelihood or threat rating (T), is the likelihood that terrorists will attack the dam under consideration. It includes target attractiveness, perceived level of security, access to the site, publicity accruing to the attacker, number of prior attempts to damage the dam, and other factors. It is in this factor that the risk assessment for terrorist hazard differs most from natural hazards, for unlike natural hazards such as earthquake and flood for which the history of independent events is well-documented, the history of terrorist events is brief. As a substitute for quantitative knowledge of recurrence intervals of earthquakes or floods, expressible in probabilistic terms, we must work with relative likelihood of occurrence. Input to this factor may come from intelligence sources. • Vulnerability (V) indicates how much the facility or population would be damaged or destroyed based on the structural response to a terrorist act. It is the likely damage resulting from various 0

OCR for page 120
 APPENDIX C terrorist threats (weapon type and location) and measures expected damage, outcome of the event, expected casualties and loss of use. Input to this factor typically comes from engineering analysis and expertise. • Importance (I), also referred to as the consequences (C) or asset value (A), is a characteristic of the facility, and is the same for any hazard. It indicates consequences to the region or nation in the event a dam is destroyed or out of service. Input to this factor comes from the Bureau, from the water and power districts, and from public safety officials. Following a well-established technology for natural hazards risk assessment, these factors are combined in the form of a triple product to calculate a quantitative risk index as follows: Risk = O × V × I This triple-product approach is described in Recommendations for Bridge and Tunnel Security (DOT, 2003), in The National Infrastructure Protec- tion Plan (DHS, 2006),and in Risk Analysis and Management for Critical Asset Protection (RAMCAP) (ASME/DHS, 2005), using the T, V, C approach. It is also described in Risk Assessment: A How-To Guide to Mitigate Poten- tial Terrorist Attacks Against Buildings (FEMA, 2005), using the T, V, A nomenclature. The following illustrates application of the risk formulation shown above. It is intended as a quantitative illustration only, with numerical fac- tors to show how the method works. The values assumed in the example do not apply to any particular dam. Figure C-1 illustrates a typical concrete gravity dam (Gravity Dam A) and its components. For each of the nine components, credible means of weapon delivery for attack are identified e.g., pedestrian, vehicleborne, and waterborne. The likelihood (O) of each threat occurring is assessed and quantified on a scale of 0 to 1 as a function of four variables: access to the dam component for the attack to be carried out; security at the dam component against the attack; attractiveness of the target for attack of this type; and ability of aggressor to carry out the attack against the dam component. The vulnerability (V) of each of the nine components identified to each identified attack type is quantified on a scale of 0 to 1 as a function of three variables: expected damage to the dam component if the attack occurs; expected closure of the dam if the attack occurs; and expected casualties if the attack occurs. Finally, the importance (I) of the dam is quantified on a scale of 0 to 1 as a function of eight variables: exposed population;

OCR for page 120
 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM Upstream Face Outlet System Spillways Abutment B Powerhouse A Powerhouse B Downstream Face Abutment A Powerhouse C FIGURE C-1 Hypothetical concrete gravity dam (Gravity Dam A) and its components. Figure C-1 b&w historical/symbolic importance; replacement value; importance to the regional economy; importance to the irrigation system; importance for power generation; importance to the transportation network; and annual revenue. For each dam component-threat pair, the risk is quantified as the triple product of O × V × I. The risk to Gravity Dam A as a whole is quan- tified as the sum of the individual component-threat pair risk values. This is illustrated in Figure C-2, showing hypothetical values for Gravity Dam A and how they can be used to compare the risk for several dams assessed with the same process. Quantifying risk in this manner allows for cost-benefit comparisons of alternative mitigation options. The benefit of each mitigation option is the reduction in the quantified risk for one or more dam component-threat pairs given the mitigation measures in place. For example, operational and electronic security measures reduce the likelihood of threat occurrence (O), while physical hardening reduces vulnerability (V), and changes in downstream exposed population can reduce or increase importance (I). Figure C-3 compares project costs and benefits for six mitigation alterna- tives at Gravity Dam A.

OCR for page 120
14.00 12.00 10.00 Facility Risk Score 8.00 Gravity Dam B Buttress Dam A Gravity Dam A Buttress Dam B Arch Dam A FIGURE C-2 Quantification of risk for the hypothetical Gravity Dam A compared with the risks for other hypothetical dams.  Figure C-2

OCR for page 120
 12.00 10.00 8.00 Facility Risk Score 6.00 Pre- Powerhouse Powerhouse Outlet Upstream Powerhouse Abutments Mitigation A B System Face C A&B FIGURE C-3 Cost and benefit (reduction in risk) of six mitigation actions at hypothetical Gravity Dam A. Figure C-3

OCR for page 120
 APPENDIX C CRITICAL ASSET AND PORTFOLIO RISK ANALySIS APPROACH An alternative approach is the Critical Asset and Portfolio Risk Analysis (CAPRA) methodology, applied at the level of individual dams (Figure C-4). CAPRA was developed for the Department of Homeland Security and the Maryland Emergency Management Agency and has been used by the U.S. Army Corps of Engineers for the risk analysis of dams, office buildings, bridges, sports arenas, and regional protection. It is based on RAMCAP of ASME (2005) and is described by McGill et al. (2007) and Ayyub et al. (2007). Similar to the OVI method, it surveys the dam’s critical elements and couples them with knowledge of the consequences of disruption; physi- cal and security vulnerabilities to a wide range of threats; and attractive- ness, providing insight into actions an owner can take to reduce risk to a particular dam. CAPRA results are usually provided in the form of loss exceedance curves. The primary benefit of expressing results in this way is consistency with the way results obtained for natural hazards are cur- rently expressed, enabling an all-hazards assessment. According to the CAPRA methodology, risk is quantified and man- aged for critical infrastructure and key resource protection at two levels— the asset level and the portfolio level, including regional studies. An asset in this context is anything of value to its owner, such as a monument, vehicle, or facility. • At the asset level, a survey of an asset’s mission-critical elements coupled with knowledge of the consequences of disruption, physical and security vulnerabilities to a wide range of hazards and threats, and asset attractiveness provides insight into actions an asset owner can take to reduce an asset’s overall risk exposure. • The total risk associated with a portfolio or system of assets (such as those associated with a region, a jurisdiction, or an infrastructure sector) can be assessed in order to compare investment alternatives that aim to reduce overall portfolio risk. A portfolio in this sense is a collection of assets with common attributes or linkages. Regional analysis, for example, would define a portfolio top-down by first identifying the critical functions and services of the region and then assigning membership to regional assets that contribute directly to these mission areas. In contrast, a portfolio can be built bottom-up by first defining a set of assets, then examining how they relate to one another. In both the top-down and bottom-up cases, knowledge of the physical, geographic, cyber, and logical interdependencies among assets is important for assessing the potential for cascading consequences initiated by a hazard event.

OCR for page 120
 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM Asset or Facility Mission Analysis Portfolio Analysis Scenario Scenario Asset or Threat Scenarios Portfolio Characteristics Threat Scenarios Facility Characteristics Identification Identification Consequences - Loss Results from Consequences Maximum Possible Loss Maximum Possible Loss, , Portfolio Loss Given Mission Analysis Loss Given Success Loss Given Success Physical Vulnerabilities and Criticality Physical Vulnerabilities Success Success and Criticality - Internal External Internal/External / (e.g.,., $ ( e $ loss from successful attack) .g ) Mitigation Capabilities (e.g., $ loss from successful attack ( e ., $ loss from successful attack) .g ) Dependencies (with Interdependence ) Interdependence) NO NO Are Are STOP Screening Criteria for Screening Criteria for STOP Consequences Consequences Mission Loss Portfolio Loss Significant? Significant ? Significant? Significant ? YES YES Security Security Probability of Probability of Probability of Security Probability of Success Adversary Success Adversary Success Adversary Success Vulnerabilities Vulnerabilities Countermeasures from Mission Analysis (probability of a successful attack) ( ) (probability of aa successful attack p ( robability of successful attack) ) Threat Threat Asset and Scenario Asset and Scenario Asset and Scenario Asset and Scenario Adversary Perceptions Adversary Perceptions Attractiveness Attractiveness Attractiveness Attractiveness Likelihood Hazard Data Hazard Data Likelihood (number ofof attacks per year (number attacks per year)) (number ofof attacks per year (number attacks per year)) Benefit /Cost Benefit /Cost Decision Options: Options : Decision Options: Options : Risk Profiles by Risk Profiles by Risk Profiles Risk Profiles Countermeasures & & Countermeasures & & Portfolio Analysis Analysis (e.g., $ per year) (e ., $ .g Mitigations Mitigations (e.g., $$per year)) (e .g per year ., Risk Informed Risk Informed Decisions Decisions (a) For an Asset (b) For a Portfolio and a Region FIGURE C-4 Critical Asset and Portfolio Risk Analysis (CAPRA). SOURCE: Ayyub et. al. (2007). Figure C-4 CAPRA is a phased process (Figure C-5) that systematically identifies hazard and threat scenarios that are relevant to the region or asset of inter- est; assesses the losses associated with each of these scenarios, allowing for consequence-based screening; assigns a probability of success; assesses the annual occurrence rate for each scenario; and provides results suitable for benefit-cost analysis. CAPRA produces actionable risk assessments that inform a stake- holder of potential risks through custom-tailored risk communication reports and offers suggestions on what to do about them. These sugges- tions can help to identify alternative risk mitigation strategies and evalu- ate them for their cost-effectiveness, affordability, and ability to meet risk reduction objectives. The phases may be described as follows: • Scenario identification. Characterizes the missions applicable to an asset, portfolio, or region and identifies hazard and threat scenarios that could cause significant regional losses should they occur. For natural hazards, this phase considers the estimated annual rate

OCR for page 120
Consequence Security Hazard Risk Informed Scenario Benefit/Cost and Criticality Vulnerability Likelihood Decisions Identification Analysis Assessment Assessment Assessment FIGURE C-5 Phases of the CAPRA process. Figure C-5 

OCR for page 120
 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM of occurrence and screens out infrequent scenarios. For security threats, this phase identifies relevant scenarios based on the inherent susceptibilities of a region’s mission and lifeline services to a wide spectrum of threat types. The product of this phase is a complete set of hazard and threat scenarios relevant to the region under study. • Consequence and criticality. Assesses the loss potential for each scenario identified for the region by considering the maximum credible loss, fragility of the target elements, effectiveness of mitigation strategies, and effectiveness of consequence-mitigation measures to respond to and recover from the loss. These assessments of potential loss are used to screen scenarios and identify those that warrant further analysis. • Security vulnerability. Assesses the effectiveness of measures to deny, detect, delay, respond to, and defeat an adversary determined to cause harm to a region. This phase estimates the probability of an adversary’s success for each threat scenario—which combined with loss—yields an estimate of conditional risk. This phase applies only to security threats; for natural hazards, the probability of adversary success is set to a default value of one. • Hazard likelihood. Assesses scenario “attractiveness” from the adversary’s point of view. The results from this phase provide estimates of the annual rate of occurrence for each threat scenario. For natural hazards, the results from this phase yield an annual rate of occurrence for a hazard affecting the asset. • Benefit-cost analysis. Compares the cost of countermeasures and consequence mitigation with the benefit in terms of risk mitigation. The results of this analysis are used to inform resource allocation decisions. REFERENCES ASME/DHS (American Society of Mechanical Engineers/U.S. Department of Homeland Security). 2005. Risk Analysis and Management for Critical Asset Protection (RAMCAP). Washington, D.C. Ayyub, B.M., W.L. McGill, and M. kaminsky. 2007. Critical Asset and Portfolio Risk Analy- sis for Homeland Security: An All-Hazards Framework. International Journal of Risk Analysis. Vol. 27. No. 3. pp. 789-801. DHS (U.S. Department of Homeland Security). 2006. National Infrastructure Protection Plan, Washington, D.C. DOT (U.S. Department of Transportation).2003. Recommendations for Bridge and Tunnel Security. Blue Ribbon Panel on Bridge and Tunnel Security. FEMA (Federal Emergency Management Agency). 2005. Risk Assessment: A How-To Guide to Mitigate Potential Terrorist Attacks Against Buildings. FEMA 452, Washington, D.C. McGill, W.L., B.M. Ayyub, and M. kaminsky.2007. A Quantitative Asset Level Risk Assess- ment and Management Framework for Critical Asset Protection. . International Journal of Risk Analysis. Vol. 27. No. 3.