Risk Assessment and Mitigation
Enterprise Risks may be divided into the three main PERA components:
- Facilities (Physical process equipment, buildings, etc.),
- People (Human and Organizational aspects of the Enterprise), and
- Systems (Control and Information Systems from regulatory control devices to Corporate IT).
The Enterprise Supply Chain may be considered as a fourth component.
Although it does not operate within the Enterprise, it may still have an impact on Enterprise operations.
As an Enterprise Integration website, PERA only addresses Risks related to Control and Information Systems.
These Risks may be further categorized as follows:
- Facility Risks
  - Perimeter security (fences, locks, guards)
  - Fire and Gas Explosion hazards (NEC, EX, etc.)
  - Physical Security Risks (SIS/SIL, HAZOP, etc.)
  - Equipment failures (including bell-curve and bathtub-curve Mean Time Between Failure)
- People Risks (Training, Health, Safety and Environmental)
  - Inadequate operations training and work processes
  - Inadequate maintenance training and work processes
  - Health and personal safety (e.g., poisonous gas, radiation, accidents)
  - Environmental Risks (e.g., air and water pollution)
  - Weather (wind, floods, and lightning)
- Control and Information System Risks
  - Consequence-based Cybersecurity Risk Assessment
  - PLC Cybersecurity Risks
  - Plant OT Cybersecurity Risks
  - Remote support risks (for sophisticated equipment, analyzers, etc.)
  - Reliability and Security of Radio Networks
  - Corporate Cybersecurity Risks (Plant Office IT, WANs and Corporate IT)
  - Corrupted updates and patching failures
  - Level 1 & 2 Architecture and Network Design Failures
  - Failure of Plant AI Applications
- Supply Chain Risks
  - Extended supply chains vulnerable to transport or political Risks
  - Inability to procure cybersecure devices and software
  - Inability to securely ship replacement spares (requiring custody control from vendor to purchaser)
- Project Risks
  - Currency Risk
  - Estimate or Price Risk
  - Schedule Risk
** Note: MLMs and Learning Maps are planned for each item above **
Enterprise Risks may be Generic or Industry-specific:
- Generic Risks are those that are commonly found in many enterprises.
  For example, Corporate IT Systems tend to share similar risks across many Industries.
  - Generic Risks associated with many different industry classes are classified as PERA Industry Class 0000.
  - Generic Risks associated with one Industry Class begin with a single digit for the Industry class followed by four zeros. For example, Generic Process Industry Risks are classified as PERA Industry Class 1000.
- Industry-specific Risks are those that are common to an Industry or Industry Subclass.
  - For example, Oil & Gas companies are Industry Subclass 1060, and
  - Oil Refineries are Industry Class 1061.
Similarly, applicable Risk Management standards and Mitigation Measures are often common to that industry.
This classification system is used throughout PERA, especially in PERA Master Planning where it is used in a set of industry-specific "Master Planning User Guides" that guide users through the PERA Master Planning process for Enterprises, Programs or Projects.
It is recommended that a Master Plan be prepared to evaluate new industry standards for an Enterprise. Examples include Corporate Master Plans for Cybersecurity, Environmental, Equipment safety, and Control and Information Systems Architecture. Although these may be conducted separately, it may be beneficial to combine several of these in a single Master Plan. For example, the IEC TS 63069 Technical Specification is intended to interface the two "horizontal" safety and security standards series, IEC 61511 (Process Equipment Safety Instrumented Systems) and IEC 62443 (Cybersecurity Standard for Automation and Control Systems) - see MLM-020-A. Similarly, Cybersecurity and Artificial Intelligence Risks and Mitigations may be synergistic.
All of the above are typically managed by the Corporate Risk Manager. Whether or not risk is assigned (in whole or in part) to an insurer, the Corporate Risk Manager will evaluate all risks ON A COMMON BASIS. Risks such as cybersecurity, equipment damage or operator errors must be assessed, and mitigations recommended, on a common basis.
- The main benefit of improved cybersecurity monitoring may turn out to be reduced equipment downtime.
- Better operator and maintenance procedures and training may be a better return on investment than adding complex and expensive systems and networks, and
- Better perimeter security (physical fences and locks) may be more effective than electronic "Zones and Conduits."
"Risk Summary Templates" are provided for Major Industry Classes and some subclasses. NOTE: Assistance with the development of these templates would be appreciated (and authors will be credited).
It should be noted that in each Risk Summary, the Professional Role responsible for managing that Risk is indicated on the right.
These Professional Role assignments may be changed if necessary; however, consistency within an Industry or Enterprise is recommended.
Secondary Professional Roles (such as Procurement or H/R) may be identified by the responsible professional Role when appropriate.
See Enterprise Risk Addendum for an explanation of why this Topic was added to the PERA Plus Update.
Generic Risk Management Standards
The following are examples of Generic Risk Management Standards:
PEOPLE
- OSHA 29 CFR: Most often cited Human safety standards.
- HACCP (Hazard Analysis, Critical Control Point).
Used in Food and Beverage Industries to control risk of producing dangerous products.
- 40 CFR Part 68 EPA RMP provides a systematic method for the analysis of risks associated with potential equipment and piping failures.
FACILITIES
- HAZOP (HAZard and OPerability Study). Used in chemical, petrochemical and other large scale continuous process industries to systematically evaluate and mitigate risk.
- SIS/SIL Safety Instrumented Systems for the process industry sector - Part 1: Framework, definitions, system, hardware and application programming requirements
- ISO 14000 defines the environmental risk mitigation required for all operating facilities.
- US Coast Guard Standards are used to assess and mitigate Offshore Platform Hazards (link to follow later).
- 40 CFR Part 63 Outlines key Emissions Standards established by the US Government which will require many refining and petrochemical facilities to reassess their flare systems. Pay special attention to National Emission Standards for Hazardous Air Pollutants for Source Categories.
- 40 CFR Part 68 EPA RMP provides a systematic method for the analysis of risks associated with potential equipment and piping failures.
- ISO Risk Management vocabulary document is ISO 73:2009
- ISO Risk Management Standards are ISO 31000 and ISO/IEC 31010
SYSTEMS
SUPPLY CHAIN
- HACCP (Hazard Analysis, Critical Control Point). Used in Food and Beverage Industries to control risk of consumers receiving dangerous products.
- Material Safety Data Sheets describing the hazards associated with a large number of chemicals, provided by 3E Company.
In most cases, the first step in risk management involves finding all applicable standards for that particular industry and geographic (political) jurisdiction.
If these standards are met, then at least regulatory requirements have been addressed.