Friday, March 16, 2007

Conducting a Risk Assessment

A Risk Assessment identifies, analyzes, and weighs the potential risks, threats and hazards in the business's internal and external environment. It determines whether a facility (building) is vulnerable to weather-related events, HVAC failure, internal and external security weaknesses, and local area hazards, and it documents what mitigating actions have already been taken to manage these exposures. By distinguishing the threats that are currently mitigated from those that are not, a business can compile a list of recommendations for improvement.

To be successful, a risk assessment has to focus on the identifiable local issues relating to the business. Before exploring other concerns, concentrate on the most realistic risks and threats that currently exist in the business environment. Relevant factors include:

  • The Nature of the Business
  • Surrounding Area of Facility
  • The Construction of the Facility
  • Common Weather Patterns
  • Technology Dependencies

Objectives of the Risk Assessment

During the Risk Assessment, risks to the business will be identified and evaluated. The vulnerability of the business to these risks will be rated. You will also:

  • Identify what prevention practices are being used
  • Define and implement safeguards to mitigate risks
  • Conclude the overall risk to the business
  • Build a case for strategy selections

Once the assessment is completed, a business can make decisions regarding methods of mitigating risks. By completing a Risk Assessment and Business Impact Analysis, a business can implement the best strategies for Contingency Planning.

Risk Assessment Process

Regardless of the prevention practices in use, existing hazards that could result in a loss to the business still need to be considered. Even though the exact nature of these exposures and their consequences is hard to determine, it is valuable to assess every threat that could plausibly occur.

What should be included?

All locations and facilities should be included in the risk assessment. Surrounding businesses, the local fire and police departments, and community utilities should also be covered. Any service that a vendor provides to the business should be evaluated as well.

Steps to Follow

The following steps are necessary for completing a Risk Assessment.

  • Identify Threats/Risks and Vulnerabilities
  • Analyze risks and determine vulnerability
  • Identify mitigation and recovery options
  • Evaluate and Choose Options

There are additional steps that need to take place during this process. Some of those actions are:

  • Review Internal Plans and Policies
  • Meet with Outside Groups
  • Identify Assets
  • Conduct an Insurance Review

Identifying each risk/threat, its probability of occurrence, the vulnerability of the business to it, and the potential impact it could cause is necessary to prepare preventative measures and create recovery strategies. Risk identification also provides a number of other advantages, including:

  • Exposes previously overlooked vulnerabilities that need to be addressed by plans and procedures
  • Identifies where preventative measures are lacking or need to be reevaluated
  • Can point out the importance of contingency planning to get staff and management on board
  • Will assist in documenting interdependencies between departments and increase communication between internal groups. Can also point out single points of failure between critical departments

To make this process easier, categories of risk should be created to focus the thought process. In the Risk Assessment Survey, the main categories are Natural Risks, Man-Made (Human) Risks, and Environmental Risks. These are certainly not requirements and should not be considered constraining.

The nature of each risk/threat should be determined, regardless of its type. Factors to consider include (but are not limited to):

  • Geographic Location
  • Weather Patterns for the Area and Surrounding Areas
  • Internal Hazards (HVAC, Facility Security, Access, etc.)
  • Proximity to Local Response/Support Units
  • External Hazards (neighboring Highways, Plants, etc.)

Potential exposures may be classified as:

  • Natural Threats
  • Man-made (human) Threats
  • Environmental Threats
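The identification step above (risk/threat, probability of occurrence, vulnerability, impact, and the prevention practices already in place) and the three categories just listed can be captured in a simple scored risk register. The following is an added worked example written for this post, not part of the original article or of any template it links to. It assumes a three-level Low/Medium/High scale for likelihood and impact, a risk score of likelihood x impact, and a simple control model in which each existing prevention practice lowers either likelihood or impact by a stated number of levels; the register entries, asset names and department names are constructed sample data.

```python
"""Scored risk register (added example; constructed data, assumed scale)."""
from collections import defaultdict
from dataclasses import dataclass

LEVELS = {"Low": 1, "Medium": 2, "High": 3}              # assumed rating scale
CATEGORIES = ("Natural", "Man-made", "Environmental")     # categories from the survey


@dataclass(frozen=True)
class Control:
    """An existing prevention practice. 'reduces' is 'likelihood' or 'impact';
    'by' is how many levels the control removes (assumed model)."""
    name: str
    reduces: str
    by: int


@dataclass(frozen=True)
class Threat:
    name: str
    category: str
    likelihood: str                 # Low / Medium / High
    impact: str                     # Low / Medium / High
    asset: str                      # facility or system the threat affects
    departments: tuple = ()         # critical departments depending on that asset
    controls: tuple = ()            # prevention practices already in place

    def __post_init__(self):
        if self.category not in CATEGORIES:
            raise ValueError(f"{self.name}: unknown category {self.category!r}")
        if self.likelihood not in LEVELS or self.impact not in LEVELS:
            raise ValueError(f"{self.name}: ratings must be one of {list(LEVELS)}")


def inherent_score(t: Threat) -> int:
    """Risk before any control is credited (1..9)."""
    return LEVELS[t.likelihood] * LEVELS[t.impact]


def residual_score(t: Threat) -> int:
    """Risk after existing controls; a rating never drops below Low (1)."""
    like, imp = LEVELS[t.likelihood], LEVELS[t.impact]
    for c in t.controls:
        if c.reduces == "likelihood":
            like -= c.by
        elif c.reduces == "impact":
            imp -= c.by
        else:
            raise ValueError(f"{c.name}: 'reduces' must be 'likelihood' or 'impact'")
    return max(1, like) * max(1, imp)


def rank(threats):
    """Highest residual risk first; ties broken by name for a stable report."""
    return sorted(threats, key=lambda t: (-residual_score(t), t.name))


def unmitigated(threats):
    """Threats with no prevention practice at all: the recommendations list."""
    return [t.name for t in threats if not t.controls]


def category_summary(threats):
    """Worst residual score per category, the kind of figure an executive chart shows."""
    worst = defaultdict(int)
    for t in threats:
        worst[t.category] = max(worst[t.category], residual_score(t))
    return dict(worst)


def single_points_of_failure(threats, min_departments=2):
    """Assets that several critical departments all depend on. This is a
    candidate list for review; whether each really is a single point of
    failure depends on redundancy the register does not model."""
    deps = defaultdict(set)
    for t in threats:
        deps[t.asset].update(t.departments)
    return sorted(a for a, d in deps.items() if len(d) >= min_departments)


# Constructed sample register: not real survey data.
REGISTER = [
    Threat("Severe storm / tornado", "Natural", "Medium", "High", "Main facility",
           ("Operations", "Finance"), (Control("Offsite data backup", "impact", 1),)),
    Threat("HVAC failure in server room", "Environmental", "High", "High", "Server room",
           ("Operations", "Finance", "Customer Service")),
    Threat("Power outage", "Environmental", "Medium", "High", "Main facility",
           ("Operations", "Finance"), (Control("Standby generator", "impact", 2),)),
    Threat("Unauthorized facility access", "Man-made", "Medium", "Medium", "Main facility",
           ("Operations",), (Control("Badge access and visitor log", "likelihood", 1),)),
    Threat("Chemical release from neighboring plant", "Man-made", "Low", "High",
           "Main facility", ("Operations", "Finance")),
]

if __name__ == "__main__":
    for t in rank(REGISTER):
        print(f"{residual_score(t)}/{inherent_score(t):<2} {t.category:<13} {t.name}")
    print("No controls in place:", unmitigated(REGISTER))
    print("Worst residual by category:", category_summary(REGISTER))
    print("Shared-dependency assets:", single_points_of_failure(REGISTER, 3))
```

Running the register prints the threats ranked by residual score, with the inherent score beside it so the reader can see how much credit existing controls are being given; the gap between the two columns is the argument for keeping those controls funded, and the "no controls" list is the starting point for the recommendations section of the report.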

Other steps in conducting a Risk Assessment are to review the following points:

Analyzing the Results

Once the Risk Assessment Survey(s) and face-to-face interviews have been conducted, the next step is to analyze and present the results so that Executive Management can get the most use out of the data. Analysis can be a time-consuming and tedious process, especially with a large amount of data, but it is critical to the RA process.

The analysis will be the foundation for the planning recommendations made to senior management. The recovery strategies that need to be developed should be based on the findings of the Risk Assessment Survey and interviews, as well as on the Business Impact Analysis findings.

Begin your final report with an executive overview of the Risk Assessment Project. This will explain the objectives of the project, what was in scope, and what approach was used. Then provide a summary review of potential hazards.

Creation of Executive Report

The findings from the Risk Assessment will form the basis for the final report. Its purpose is to give senior management enough information to be comfortable endorsing the recommended strategies, actions and budgets, or to consciously accept the level of risk by not implementing recovery strategies. The report should include graphs that visually demonstrate the findings, but do not overuse them: too many graphs and reports make the information confusing to review. Provide graphs for overall information on the departments, financial impact, and similar summary views.

The final report should include:

The Risk Assessment process is an essential phase of Continuity Planning. The possibility of a disaster impacting a business is unpredictable. The business should implement a comprehensive Continuity Planning Program and develop recovery plans that encompass all critical operations and functions of the business.

It is recommended to use the templates to jump-start your Risk Assessment project. Benefits of using templates:

  • Saves the user a lot of time and money
  • You don't have to reinvent the wheel
  • Consistent look and feel
  • Can be easily edited to insert information and fine-tuned to meet the organization's specific requirements

Risk Assessment is the first step towards creating the Disaster Recovery and Business Continuity plans. Organizations can use the following templates for their projects:

Risk Assessment: http://www.training-hipaa.net/template_suite/Risk_assessment_bundle-data_analysis_policies.htm

Business Impact Analysis (BIA): http://www.training-hipaa.net/template_suite/Business_impact_analysis_bundle_policies.htm

Data Center Recovery Plan: http://www.training-hipaa.net/template_suite/data_center_template_bundles.htm

Disaster Recovery & Business Continuity Plan: http://www.training-hipaa.net/template_suite/Disaster_recovery_plan_template_sample.htm

Key Terminology

Terminology and definitions regarding risk assessment, business impact analysis, hazards, risks, etc. vary between sources. For the purposes of this document, please apply the following definitions:

Business Impact Analysis: Process of identifying the critical business functions within the business and determining the impact of not performing those business functions.

Hazard/Threat: A situation that has the potential to cause injury to people or damage to property or the environment.

Risk: Potential for exposure to loss. Risks can be man-made, natural or technology related.

Risk Assessment: Process of identifying and evaluating the hazards and risks that are present and analyzing the vulnerabilities of the business to these threats.

Vulnerability: Having an exposure to a hazard or risk.