RM/RA CRAMM as the new quantitative method for risk management

Purpose – The aim of this paper is to introduce a new risk management method based on a quantitative approach. RM/RA CRAMM was designed by Slovak researchers as a user-friendly method for public institutions dealing with risk management, crisis planning and civil protection. It has a multipurpose use.
Design/methodology/approach – A three-phase procedure is introduced, including risk identification, analysis and evaluation. A case study of risk assessment is included as an example of the application.
Findings – Quantitative methods in risk management are rare due to the complex of factors influencing the risks being assessed. 
Research limitations/implications – A complex Area/Location risk assessment needs a number of exact values and estimations for proper risk identification. Teamwork is very welcome but not necessary.
Practical implications – The practical value of the method is considerable due to its applicability to a wide range of research fields related to risk management.
Originality/Value – The method introduced is an original product of a Slovak team of researchers led by the author of this paper.
Keywords: RM/RA CRAMM, risk management, risk assessment, quantitative, single equation method, case study.
Research type: case study.
JEL classification: C20 – General.


Introduction
Risk management should be an integral part of environmental management (Kabdi et al., 2013; Rusko et al., 2013). At the same time, quantitative analysis is preferred as an input for further evaluation and reaction as well (Majernik et al., 2013). RM/RA CRAMM is a comprehensive risk assessment methodology for crisis management, which consists of identifying, analyzing and assessing risks. Quantitative outputs serve as a basis for identifying risk management priorities, preparing preventive measures and responding to identified facts (Müllerová, 2014b). Quantitative management is also highly recommended by Ryabinin in order to achieve the most accurate results (Ryabinin, Strukov, 2018). The methodology is applicable to a wide range of types of risks, especially technological and natural risks, including fire risks, or criminal risks and other risks of a social nature (Mamojka M. & Müllerová, 2016) or . It was partially inspired by the 10-step assessment introduced by Marguis, who introduced the CRAMM modification for IT systems (Marguis, 2008). The method also meets the requirements for environmental risk assessment tools (Majernik et al., 2017; Procházková et al., 2017). The core of the method is based on the Risk Management standard and its risk assessment process, which consists of the following five phases (ISO 31000): 1. Definition of risk assessment and assessment criteria, definition of scope; 2. Risk assessment (identification, analysis, evaluation); 3. Treatment of risk; 4. Monitoring and review; 5. A record of the risk management process. The ISO 31000 standard places emphasis on the process of identifying risks. It is a process of searching for, recognizing and recording risks. It is at the beginning of the risk assessment process. "The goal of this step is to create a comprehensive list of risk-based events that could create, support, prevent, degrade, speed up, or delay the achievement of goals" (ISO 31000, 2011).
The schema (Fig. 1) begins by defining the process framework. Defining the scope of the risk management process involves defining the basic parameters of risk management, defining risk assessment criteria, determining the scope of the whole process and activities, assigning responsibilities, describing external and internal relationships. In this initiation phase, the methodology is defined, the evaluation criteria are set, the necessary activities are described, the time and space definition of the entire risk management process is determined. Last but not least, the objectives and subject of the studies to be carried out as well as the resources to cover the expenditure associated with them are defined. The communication and consultation process takes place in parallel with the phases of the criteria definition, risk assessment and risk management phases. The monitoring and review process also takes place in parallel. Outputs from these activities enter the initiation phase again, creating a closed cycle.
Source: according to ISO 31000

The risk management process, including risk assessment, is cyclic (Fig. 2). The reason is that the risk management cycle is oriented towards emergency event prevention and readiness to react to emergency events. During and after the reaction, the monitoring phase is still active. Conclusions are drawn and a new risk assessment process begins, starting with risk identification.

Figure 2. Risk management cycle according to ISO 31000
Source: according to ISO guide 73
The name of the method results from its link to the CRAMM method. The starting point for RM/RA CRAMM was its modification represented by three phases in ten steps (Marguis, 2008). Eight of the ten steps of the procedure are represented in the RM/RA CRAMM Score Table (Table 2). The first step of the Marguis process is the preparatory phase. The final step is the response phase to the identified risks according to the priorities.
Risk theory gives: Risk = consequences of an extraordinary event × probability of occurrence. Consequence measurement: expected maximum damage to property and number of people at risk (Hi) (Müllerova, 2014a).

(1)
Hi (Value/Damage) = expresses the maximum losses/damages due to an emergency event. Place the absolute numbers instead of a qualified estimate on a scale of 0-10, using a value matrix (Table 1).
Ii (Integrity) = importance of the element/object for other elements. Assign 0-10, where 10 = maximum integrity (for example, the main access road to a house in the village may be I = 5-6 unless there is another approach, so I = 8-10). You need to determine your own scaling, for example: 0-2 very low I, 3-4 low I, 5-6 medium, 7-8 high, 9-10 very high I. In assessing integrity, we ask:
Pi (Probability) = expressed based on historical data, according to MU frequency for a certain period of time (one year, five years, one hundred years ...). In the calculation it is the decisive magnitude (it most affects the resulting Ri value).
a - the weight / importance of the value for the calculation.
b - the weight / importance of integrity.
c - the weight / importance of indispensableness.
Given the nature of the risks considered, this factor is more important than the coefficients b and c. When calculating Ri, we set the following values: a = 2, b = 0.5, c = 0.5.
In our calculation, the likelihood of occurrence of the crisis phenomenon is determined for a period of five years. The length of this period determines the probability value. Five-year events will be 100% (value 10), once every ten years 50% (value 5), once every twenty years 25% (value 2.5), etc. For events occurring more than once every five years, we will automatically assign a probability of 10, which equals 100%.
Ri can acquire values from 1 to 100. Risks Ri of 1-10 are called very low risks, 10-35 low, 35-65 medium, 65-85 high, 85-100 extremely high (Müllerova, 2014c).
Table 1 is an example of expressing the value of the threat, damage to property and life. Scaling can be varied depending on the nature of the risk assessment. We should put more emphasis on the value of human life than on the value of property.

Case study: Major natural risks in the location of Zilina
There are various methods specialized for flood assessments, such as those introduced in Thangarajan & Vijay (2016) and Zhou et al. (2012).
In this case study the risk assessment includes floods and other natural risks such as landslides, forest fires and earthquakes in the selected location. The team chose the area of risk and the territory on which the assessment is done. We have selected three city districts of Zilina and six surrounding municipalities. In the first stage, we identified the dominant crisis phenomenon at the identification stage, based on available historical information and data. There are crises related to crash activity, respectively.
Contemporary Research on Organization Management and Administration 2018, 6 (1) ISSN (online) 2335-7959
In the next phase, it was necessary to determine the analytical values of damage indicators, integrity and degree of irreparable quality. In the evaluation phase, the value of the risk is calculated according to relationship (1). To calculate the risk, it is necessary to determine the probability value as accurately as possible. The risk assessment phase is represented by a rating table. The values in the analytical part (Table 2) are qualified estimates. They are based on risk identification, deduction, and environmental knowledge. The resulting risk values were calculated from relationship (1) above. Results of the scoreboard show the greatest risk for the village of Lietavska Lučka (Code 3), which is threatened by flash floods. Other municipalities or urban areas have low risk levels. Competent authorities of crisis management, the Fire & Rescue System and the Integrated Rescue System (IZS) should prioritize the above-mentioned municipality in response to the identified results.
The following natural threats relate to the observed location: i) landslide, ii) landfall, iii) cavity overflow (stone avalanches).
Real hazards are landslides, mainly due to torrential rain or seismic activity. Types of landslide: dropping rocks, slope of rocks and rocks, streams of mud and rocks. The most effective prevention against landslides is:
• well-managed, mixed forest vegetation;
• reduction of top soil weight by dredging a steeper slope;
• alleviating the slope by construction of terraced grates or compartments;
• trenching and planting of new forest stands.
In the following section, the risk assessment is carried out for the different types of emergencies, as well as for the extreme rainfall that causes flash floods, landslides, and secondary slopes, and for the risk of escape of dangerous substances, subsequent fire and explosion in two businesses.
The following Table 2, which summarizes vulnerable areas, crisis situations, the source of risk, the frequency over the period, the number of people at risk, the threat area and the most important secondary phenomena within the Zilina district, will be based on the following analysis and risk assessment.
• Seismic activity: The area of the district is seismically active, especially in the area between Dolny Hricov, Zilina and Teplicka. So far, however, earthquakes have only reached the intensity observed by people and registered by devices, but without causing material damage. The occurrence of an earthquake that could endanger the life and property of the population is not expected.
• Volcanic activity: There is no source of volcanic activity in the district.
• Floods and floods from surface watercourses: There are no large watercourses or large water reservoirs in the Zilina district that could pose a threat to a larger area and population of municipalities within the district. Increased intensive rainfall may result in flooding.
Each column represents one step of the assessment. It starts with the values that answer what the maximal damage is, both material and in human lives. One real number needs to be entered, in comparison with the other objects being assessed. Scaling is therefore very helpful, and the same applies to integrity and indispensability. At the end the likelihood value is entered. These data are very important for determining the likelihood of occurrence of an extraordinary event. If the probability of occurrence of an extraordinary event relates to a one-year period, then the probability value for two-year occurrences will be 50% (Table 1 value 5), we will assign a 5-year event a table value of 2, and events occurring every four years a value of 2.5. For events occurring more than once a year, we will automatically assign a probability of 10, i.e. 100%. Risks of Ri <0, 10> are referred to as very low risks, <0, 35> low, <35, 65> medium, <65, 85> high, <85, 100> extremely high. These steps are well described by Nejedly, who introduced a complex risk assessment for the district of Pezinok within his conception of risk management (Nejedly, 2016).
For the analysis and evaluation of secondary phenomena, it is necessary to know the probability with which the event occurs. This probability Pi2 will be based on the number of cases of the most relevant events. These data are not available and are therefore not computed. It holds that if the probability of the crisis event is Pi1 and the probability of the secondary crisis is Pi2, then Pi2 ≤ Pi1.
The brief case study was intended to show a simple and user-friendly approach to risk assessment, which can be carried out not only at a professional level but also at a personal level to manage one's own personal risks, as introduced in Culture of Security by Piwowarski (Piwowarski, 2018), which is based on three basic pillars (Piwowarski, 2015).
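The probability scaling described for the five-year period in the method definition and for the one-year period in the case study follows one linear rule, shown here together with the Ri risk bands and the Pi2 ≤ Pi1 condition. This is an added example, not code from the paper; the function names, the handling of shared band boundaries and the sample record are assumptions of the example.

```python
# Added example, not from the paper: probability scale, Ri bands, Pi2 <= Pi1.

def probability_value(return_period_years, reference_period_years):
    """Map a return period to the method's 0-10 probability scale.

    One event per reference period scores 10 (100%); rarer events scale
    down linearly; more frequent events are capped at 10.
    """
    if return_period_years <= 0 or reference_period_years <= 0:
        raise ValueError("periods must be positive")
    return min(10.0, 10.0 * reference_period_years / return_period_years)


def probability_from_history(event_count, observed_years, reference_period_years):
    """Derive the scale value from a historical record (count over a window)."""
    if event_count < 0 or observed_years <= 0:
        raise ValueError("invalid historical record")
    if event_count == 0:
        return 0.0  # no recorded occurrence in the observed window
    return probability_value(observed_years / event_count, reference_period_years)


# Upper limits of the paper's Ri bands. The bands share their boundary values
# (10, 35, 65, 85); giving a boundary value to the lower band is an assumption.
RISK_BANDS = [(10, "very low"), (35, "low"), (65, "medium"),
              (85, "high"), (100, "extremely high")]


def risk_band(ri):
    """Classify a computed Ri value into the paper's verbal risk bands."""
    if not 0 <= ri <= 100:
        raise ValueError("Ri must lie between 0 and 100")
    for upper, label in RISK_BANDS:
        if ri <= upper:
            return label


def secondary_probability_ok(pi1, pi2):
    """A secondary event cannot be more probable than its trigger: Pi2 <= Pi1."""
    return 0 <= pi2 <= pi1 <= 10


if __name__ == "__main__":
    # Constructed sample: 2 flash floods recorded in 20 years, 5-year reference.
    p = probability_from_history(2, 20, 5)
    print(p, risk_band(72), secondary_probability_ok(p, 2.5))
```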

Conclusions
The case study of the RM/RA CRAMM application to the territory of Zilina focuses on risks of a natural character. According to the findings of the team of authors in the given area, natural hazards are dominated by floods, flash floods, landslides and forest fires. All three phases of the risk assessment are in the scoreboard. The values in the table represent qualified estimates based on available information. For the accuracy of the estimates, it is important to scale the values represented by Table 1 as well as to compare the same indicators for the entities under consideration. Similarly to the case study, we can also assess risks of a technological nature, leakage of hazardous substances, traffic accidents, criminal risks and other social risks.
Risk assessment by RM/RA CRAMM is a comprehensive source of relevant input information for planning forces and means within the Integrated Rescue System components, in particular Fire and Rescue Forces units, which will be prepared to intervene mainly in locations with an increased risk of occurrence of an extraordinary event.