Towards comparable cross-sector risk analyses: A re-examination of the Risk Analysis and Management for Critical Asset Protection (RAMCAP) methodology

Concerns about the American drinking water infrastructure prompted the U.S. Department of Homeland Security to revisit the Risk Analysis and Management for Critical Asset Protection (RAMCAP) methodology. The Drinking Water Resilience Project undertaken by the U.S. Department of Homeland Security sought to evaluate RAMCAP for prioritizing risk to water utilities and the lifeline infrastructures in the wastewater, energy, transportation and communications sectors. Developed shortly after the terrorist attacks of September 11, 2001, RAMCAP employs 41 reference scenarios to uniformly assess component values for consequence, threat and vulnerability in the standard risk formulation. Released as part of the 2006 National Infrastructure Protection Plan Risk Management Framework, RAMCAP today serves as the American Water Works Association J100-10 Standard for Risk and Resilience Management of Water and Wastewater Systems. The RAMCAP analysis was conducted in three successive tasks, Task 1: threat analysis; Task 2: performance analysis; and Task 3: requirements analysis. This paper presents the results of Task 3, which found the basic RAMCAP design sound, but the implementation details too broad to provide consistent results across infrastructure assets and sectors. Moreover, RAMCAP does not account for mobile assets, making it problematic for use in the transportation sector. In order to substantively address these problems, a prototype Lifeline Infrastructure Risk Analysis (LIRA) methodology was developed. LIRA employs the same basic design as RAMCAP, but has significant differences. In particular, LIRA is a top-down risk analysis methodology that analyzes system functionality for fixed and mobile assets. The central design concept reduces variability in the results by clearly specifying calculations and providing default values based on historical data. The LIRA risk results are not only more stable, but they are also applicable at the local, regional and national levels. This paper describes LIRA and compares it with RAMCAP, demonstrating that the new LIRA methodology is an appealing alternative for assessing risk across infrastructure assets and sectors. The methods and results described in the paper have key implications for critical infrastructure risk methodologies that are based on consequences, threats and vulnerabilities.