International risk management standards require you (your "entity") to adopt a defined and documented process for risk assessment that will enable the entity to understand the threats to, and vulnerabilities of, its critical activities.
NB While EPCB uses a comprehensive and integrated risk management approach, the examples used throughout this site are associated with natural hazards:
1. Because all entities share that exposure - therefore the examples are transferable; and
2. To a degree the risks are non-political - therefore the examples do not breach confidentiality or sensitivity issues.
EXAMPLE: "The entity shall identify hazards, monitor those hazards, the likelihood of their occurrence, and the vulnerability of people, property, the environment, and the entity itself to those hazards". (Ref Section 5.3.1 of NFPA 1600)
The risk assessment steps can be outlined as:
1. Identify the range of hazards, threats, or perils that impact or might impact:
• your organization.
• your infrastructure.
• the surrounding area.
2. Determine the potential impact of each hazard, threat, or peril by estimating the:
• relative severity of each hazard, threat, or peril.
• relative frequency of each hazard, threat, or peril.
• vulnerability to each hazard, threat, or peril of your people, your operations, your property, and your environment
3. Categorize each hazard, threat, or peril according to how severe it is, how frequently it occurs, and how vulnerable you are.
4. Develop strategies to deal with the most significant hazards, threats, or perils. Develop strategies (risk treatments) to:
• prevent,
• mitigate,
• prepare for,
• respond to, and
• recover from hazards, threats, or perils that impact or might impact your organization and its people, operations, property, and environment.
(Ref NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs)
Risk Assessment Methods.

Click here for an outline of EPCB's approach to Security Risk Assessment and Information Security (pdf)
The following methods can be used to carry out a risk assessment:
• Use a what-if analysis to identify specific hazards and hazardous situations. What-if questions are asked about what could go wrong and hazardous consequences are identified and analyzed. This type of analysis is a brainstorming activity and is carried out by people who have knowledge about the areas, operations, and processes that may be exposed to hazardous events and conditions.
• Use a checklist of known hazards to identify your hazards and hazardous situations. The value of this type of analysis depends upon the quality of the checklist and the experience of the user.
• Use a combination of checklists and what-if analysis to identify your hazards and hazardous situations. Checklists are used to ensure that all relevant what-if questions are asked and discussed, and to encourage a creative approach to risk assessment.
• Use a hazard and operability study (HAZOP) to identify your hazards and hazardous situations. If you need to do a very thorough analysis, this method is for you. However, it requires strong leadership and is costly and time consuming. It also assumes that you have a very knowledgeable interdisciplinary team available to you, one with detailed knowledge about the areas, operations, and processes that may be exposed to hazardous events and conditions.
• Use a failure mode and effect analysis (FMEA) to identify potential failures and to figure out what effect failures would have. This method begins by selecting a system for analysis and then looks at each element within the system. It then tries to predict what would happen to the system as a whole when each element fails. This method is often used to predict hardware failures and is best suited for this purpose.
• Use a fault tree analysis (FTA) to identify all the things that could potentially cause a hazardous event. It starts with a particular type of hazardous event and then tries to identify every possible cause.
FEMA Vulnerability Assessment Methodology

Click here for a free, easy-to-use Risk Assessment Tool supporting the above approach (xls).
Scenario modelling (of interactions between hazards, vulnerabilities and exposures) is a crucial step which informs sound risk ranking and planning considerations.
Results from recent analyses and performance reviews recognize that “comprehensive planning, including using the results of disaster simulations, can help organizations better prepare for potential disasters and thereby mitigate their effects”. (Ref: GAO-07-114 SBA Disaster Preparedness, Feb 2007, p. 3-4)
Generate and model scenarios by identifying what, why, where, when and how events could affect the entity (business).
Premise predicaments - and tease out issues for prevention, preparedness, response and recovery.

Click here to download a presentation on context mapping and risk assessment (pdf, 1.13 MB)
Scenarios provide an excellent platform to engage stakeholders, assess risks and exercise key management competencies.
EPCB use quality planning processes (such as those outlined in the table below) to ensure tailored outcomes are achieved.

EPCB's quality controlled approach to developing and delivering scenario based exercises (pdf).
For less than forty dollars, EPCB's Continuity Toolkit will meet the needs of most small to medium sized enterprises.
Software to support your planning.

| | Description | Price |
|---|---|---|
| 1. | Complete Continuity Toolkit - for small businesses. Fourteen (14) Microsoft files (Word™, Excel™ and PowerPoint™) supporting the needs of Small to Medium Business, available for immediate download. Unsolicited Feedback: "Many thanks. This toolkit is brilliant!" (From Mr. Doug Nelson, MBCI, CBCP, Business Continuity Manager, CHIRON, Emeryville, California.) | $24.95 $38.00 |
| 2. | Buttress® Consulting Module. Buttress® Consulting Module delivers enhanced business continuity and crisis management capability to clients. What differentiates Buttress® from other business continuity and crisis management products is that it will support you to understand your risks, evaluate your exposures, and take action to: (a) mitigate your vulnerability before an incident - and (b) manage the consequences after an incident. | $1.00 |

The guidelines, tools and templates in our pages will both support your planning processes and strengthen your preparedness outcomes. Using familiar software (Microsoft Word, Excel and PowerPoint), we focus on quality processes within a risk management framework. The approaches we provide serve as best practice models - they should not just be used as "templates for duplication" with a few global word changes. You should evaluate the significance of any specific requirements particular to your context (legal, political, cultural, commercial etc) - then tailor your approach and documentation accordingly.