Conducting a Risk Assessment

2007-03-16T05:24:00.000-07:00

A Risk Assessment is identifying, analyzing, and weighing all the potential risks, threats and hazards to the business’s internal and external environment. It discovers if a facility (building) is vulnerable to weather related events, HVAC failure, Internal/External Security vulnerabilities and local area hazards. It allows a business to document what mitigating actions have been taken to manage these exposures. By identifying the threats that currently are being mitigated verses threats that are not, a business can compile a list of recommendations for improvement.

To be successful, any risk assessment has to concentrate on the local identifiable issues relating to the business. Before exploring other concerns, concentrate on the most realistic risks and threats that currently exist in the business environment. This can include factors such as:

The Nature of the Business
Surrounding Area of Facility
The Construction of the Facility
Common Weather Patterns
Technology Dependencies

Objectives of the Risk Assessment

During the Risk Assessment, risks to the business will be identified and evaluated. The vulnerability of the business to these risks will be rated. You will also:

Identify what prevention practices are being used
Define and implement safeguards to mitigate risks
Conclude the overall risk to the business
Build a case for strategy selections

Once the assessment is completed, a business can make decisions regarding methods of mitigating risks. By completing a Risk Assessment and Business Impact Analysis, a business can implement the best strategies for Contingency Planning.

Risk Assessment Process

Despite the prevention practices utilized, potential hazards that are existent and could result in a loss to the business need to be considered. Even though the exact nature of these exposures and their consequences are tough to determine, it is valuable to conduct a risk assessment of all threats that can logically happen.

What should be included?

All locations and facilities should be included in the risk assessment. Surrounding businesses, local fire, police, and community utilities should also be included in the assessment. Any vendor provided service that is provided to the business should also be evaluated.

Steps to Follow

The following steps are necessary for completing a Risk Assessment.

Identify Threats/ Risk and Vulnerabilities
Analyze risks and determine vulnerability
Identify mitigation and recovery options
Evaluate and Choose Options
Evaluate and Choose Options

There are additional steps that need to take place during this process. Some of those actions are:

Review Internal Plans and Policies
Meet with Outside Groups
Identify Assets
Conduct an Insurance Review

Assessing Your Risk

The process of identifying risks/threats, probability of occurrence, the vulnerability to each risk/threat and the potential impact that could be caused, is necessary to prepare preventative measures and create recovery strategies. Risk identification also provides a number of other advantages including:

Exposes previously overlooked vulnerabilities that need to be addressed by plans and procedures
Identifies where preventative measures are lacking or need reevaluated
Can point out the importance of contingency planning to get staff and management on board
Will assist in documenting interdependencies between departments and increase communication between internal groups. Can also point out single points of failures between critical departments

For the ease of this process, categories of risk should be created to focus the thought process. In the Risk Assessment Survey, the main categories include, Natural Risks, Man-Made (Human) Risks, and Environmental Risks. These are certainly not requirements, and should not be considered to be constraining.

The nature of a risk/threat should be determined, regardless of the type. Factors to consider should include (but not limited to):

Geographic Location
Weather Patterns for the Area and Surrounding Areas
Internal Hazards (HVAC, Facility Security, Access, etc)
Proximity to Local Response/Support Units
External Hazards (neighboring Highways, Plants, etc)

Potential exposures may be classified as:

Natural Threats
Man-made (human) Threats
Environmental Threats

Other steps in conducting Risk Assessment are to review following points:

Probability of Occurrence
Vulnerability to Risk
Potential Impact
Preventative Measures in Place
Insurance Coverage
Past Experiences

Analyzing the Results

Analyzing the Results

Once the Risk Assessment Survey(s) and face to face interviews have been conducted, the next step is to analyze and present the results so that Executive Management can get most use of the data. Analysis can be a time-consuming and tedious process, especially with an enormous amount of data, but it is critical to the RA process.

The analysis will be the foundation for planning recommendations to senior management. The recovery strategies that need to be developed should be based on the findings of the Risk Assessment Survey and interviews, as well as the Business Impact Analysis findings

Final Report & Presentation

Begin your final report with an executive overview of the Risk Assessment Project. This will explain the objectives of the project, what was in scope, and what approach was used. Then provide a summary review of potential hazards.

Creation of Executive Report

The findings from the Risk Assessment will form the basis for the final report. The purpose is to provide senior management with enough information to make them comfortable in endorsing the recommending strategies, actions, budgets or to accept the level of risk by not implementing recovery strategies. The report should include graphs, which visually demonstrate the findings. Do not overuse the graphs. Too many graphs and reports can make reviewing the information confusing. Provide graphs for overall information on the departments, financial impact, etc.

The final report should include:

Previous Disruption History
Risks & Vulnerabilities
Preventative Measures
Presenting the Results
Next Steps

The Risk Assessment process is an essential phase of Continuity Planning. The possibility of a disaster impacting a business is unpredictable. The business should implement a comprehensive Continuity Planning Program and develop recovery plans that encompass all critical operations and functions of the business.

It is recommended the use the templates to jump start your Risk Assessment project. Benefits of using templates:

It saves a lot of time and money for user
You don't have to reinvent the wheel
Consistent look and feel
Can be easily edited to insert information and fine tune to meet organizations specific requirements.

Risk Assessment is the first step towards creating the Disaster recovery and Business Continuity plans. Organizations can use following templates for their projects:

Risk Assessment: http://www.training-hipaa.net/template_suite/Risk_assessment_bundle-data_analysis_policies.htm

Business Impact Analysis (BIA): http://www.training-hipaa.net/template_suite/Business_impact_analysis_bundle_policies.htm

Data Center Recovery Plan: http://www.training-hipaa.net/template_suite/data_center_template_bundles.htm

Disaster Recovery & Business Continuity Plan: http://www.training-hipaa.net/template_suite/Disaster_recovery_plan_template_sample.htm

Key Terminology

There can be terminology and definition differences in regards to risk assessment, business impact analysis, hazards, risks, etc. For the intent of this document, please apply the following definitions:

Business Impact Analysis: Process of identifying the critical business functions within the business and determining the impact of not performing those business functions.

Hazard/Threat: A situation that has the potential to cause injury to people, damage the property or damage to the environment.

Risk: Potential for exposure to loss. Risks can be man-made, natural or technology related.

Benefits Of HIPAA

Overview:

Risk Assessment: Process of identifying and evaluating the hazards and risks that are present and analyzing the vulnerabilities of the business to these threats.

Benefits Of HIPAA

Vulnerability: Having an exposure to a hazard or risk.