A Risk Assessment is the process of identifying, analyzing, and weighing all the potential risks, threats and hazards to the business's internal and external environment. It discovers whether a facility (building) is vulnerable to weather-related events, HVAC failure, internal/external security vulnerabilities and local area hazards. It allows a business to document what mitigating actions have been taken to manage these exposures. By identifying the threats that are currently being mitigated versus threats that are not, a business can compile a list of recommendations for improvement.

To be successful, any risk assessment has to concentrate on the local identifiable issues relating to the business. Before exploring other concerns, concentrate on the most realistic risks and threats that currently exist in the business environment. This can include factors such as:

1) The Nature of the Business.
2) Surrounding Area of Facility.
3) The Construction of the Facility.
4) Common Weather Patterns.
5) Technology Dependencies.

OBJECTIVES OF THE RISK ASSESSMENT

During the Risk Assessment, risks to the business will be identified and evaluated. The vulnerability of the business to these risks will be rated. You will also:

1) Identify what prevention practices are being used.
2) Define and implement safeguards to mitigate risks.
3) Conclude the overall risk to the business.
4) Build a case for strategy selections.

Once the assessment is completed, a business can make decisions regarding methods of mitigating risks. By completing a Risk Assessment and Business Impact Analysis, a business can implement the best strategies for Contingency Planning.

RISK ASSESSMENT PROCESS

Despite the prevention practices utilized, potential hazards that exist and could result in a loss to the business need to be considered. Even though the exact nature of these exposures and their consequences is tough to determine, it is valuable to conduct a risk assessment of all threats that can logically happen.

WHAT SHOULD BE INCLUDED?

All locations and facilities should be included in the risk assessment. Surrounding businesses, local fire, police, and community utilities should also be included in the assessment. Any vendor-provided service to the business should also be evaluated.

STEPS TO FOLLOW

The following steps are necessary for completing a Risk Assessment.

1) Identify Threats/Risks and Vulnerabilities.
2) Analyze risks and determine vulnerability.
3) Identify mitigation and recovery options.
4) Evaluate and Choose Options.

There are additional steps that need to take place during this process. Some of those actions are:

1) Review Internal Plans and Policies.
2) Meet with Outside Groups.
3) Identify Assets.
4) Conduct an Insurance Review.

ASSESSING YOUR RISK

The process of identifying risks/threats, the probability of occurrence, the vulnerability to each risk/threat and the potential impact that could be caused is necessary to prepare preventative measures and create recovery strategies. Risk identification also provides a number of other advantages, including:

1) Exposes previously overlooked vulnerabilities that need to be addressed by plans and procedures.
2) Identifies where preventative measures are lacking or need to be reevaluated.
3) Can point out the importance of contingency planning to get staff and management on board.
4) Will assist in documenting interdependencies between departments and increase communication between internal groups. Can also point out single points of failure between critical departments.

To ease this process, categories of risk should be created to focus the thought process. In the Risk Assessment Survey, the main categories include Natural Risks, Man-Made (Human) Risks, and Environmental Risks. These are certainly not requirements, and should not be considered to be constraining. The nature of a risk/threat should be determined, regardless of the type.

Factors to consider should include (but are not limited to):

1) Geographic Location.
2) Weather Patterns for the Area and Surrounding Areas.
3) Internal Hazards (HVAC, Facility Security, Access, etc.).
4) Proximity to Local Response/Support Units.
5) External Hazards (neighboring Highways, Plants, etc.).

Potential exposures may be classified as:

1) Natural Threats.
2) Man-made (human) Threats.
3) Environmental Threats.

Other steps in conducting a Risk Assessment are to review the following points:

1) Probability of Occurrence.
2) Vulnerability to Risk.
3) Potential Impact.
4) Preventative Measures in Place.
5) Insurance Coverage.
6) Past Experiences.

ANALYZING THE RESULTS

Once the Risk Assessment Survey and face-to-face interviews have been conducted, the next step is to analyze and present the results so that Executive Management can get the most use of the data. Analysis can be a time-consuming and tedious process, especially with an enormous amount of data, but it is critical to the RA process. The analysis will be the foundation for planning recommendations to senior management. The recovery strategies that need to be developed should be based on the findings of the Risk Assessment Survey and interviews, as well as the Business Impact Analysis findings.

FINAL REPORT & PRESENTATION

Begin your final report with an executive overview of the Risk Assessment Project. This will explain the objectives of the project, what was in scope, and what approach was used. Then provide a summary review of potential hazards.

CREATION OF EXECUTIVE REPORT

The findings from the Risk Assessment will form the basis for the final report. The purpose is to provide senior management with enough information to make them comfortable in endorsing the recommended strategies, actions and budgets, or in accepting the level of risk by not implementing recovery strategies. The report should include graphs, which visually demonstrate the findings. Do not overuse the graphs.
Too many graphs and reports can make reviewing the information confusing. Provide graphs for overall information on the departments, financial impact, etc. The final report should include:

1) Previous Disruption History.
2) Risks & Vulnerabilities.
3) Preventative Measures.
4) Presenting the Results.
5) Next Steps.

The Risk Assessment process is an essential phase of Continuity Planning. The possibility of a disaster impacting a business is unpredictable. The business should implement a comprehensive Continuity Planning Program and develop recovery plans that encompass all critical operations and functions of the business.