
Risk Assessment

This article explores the process of risk assessment in business continuity management (BCM), including how threats are identified, controls are evaluated, and impact is estimated. It also highlights the importance of risk management in decision making regarding the treatment of risks.


Presentation Transcript


  1. Risk Assessment

  2. Objectives • Define risk terminology • Define the purpose of Risk Assessment (RA) • Review the RA process • Review how threats to an organization are identified • Identify and evaluate controls • Explore event probability estimation • Identify methods of impact estimation • Analyze risk measurement • Identify the risks of greatest concern • Examine the options to manage risks.

  3. Risk • Risk management is the basis of BCM and provides an analytical foundation for decision making regarding the treatment of risk.

  4. A key tenet of risk management is that risk cannot be eliminated but that it can be controlled.

  5. Risk Management Approach • Identify what can go wrong by analyzing underlying threats and possible crises • Identify what controls are currently in place • Evaluate current exposure of the organization • Identify new controls to reduce exposure • Evaluate whether these controls should be implemented by investigating costs and benefits

  6. An event (incident) is an occurrence that could have an impact upon the organization.

  7. A threat (hazard) is a source of potential negative impact.

  8. A crisis (crisis event) is a manifestation of a threat. • If not handled properly, a crisis may have a severe negative impact.

  9. A minor crisis has limited impact and does not affect the overall functioning capacity of an organization.

  10. A major crisis has the potential to seriously disrupt the overall operation of an organization.

  11. A disruption is an interruption of operations.

  12. A disaster is a major crisis event which imperils an organization.

  13. A catastrophe is an extreme disaster.

  14. Risk is the possibility of experiencing an event, measured in terms of probability and impact.

  15. Probability is a measure of the likelihood of an event.

  16. A risk event chain describes the transition from threat to crisis to disruption to impact.

  17. Risk Event Chain

  18. Controls can reduce the probability of transitioning through the risk event chain and can mitigate the resultant impact. • It is possible for different crises to result in the same disruption.

  19. Risk analysis is the process of identifying events, determining causes, and estimating probabilities and impact.

  20. Risk evaluation is the process of comparing risk levels with established risk criteria.

  21. Risk Assessment (RA) is the process of risk analysis and risk evaluation.

  22. Vulnerability is a measure of exposure to a threat; it increases as the probability and impact of the event increase.

  23. Risk tolerance is the amount of risk that an organization is prepared to accept.

  24. Risk management comprises the processes of risk assessment, risk communication and risk treatment.

  25. RA is used to determine the most significant threats to the organization and to direct hazard-specific planning to address these threats by prioritization.

  26. RA activity should be focused on the most urgent business functions identified during the BIA process.

  27. The Steps of RA • Identify significant threats to critical operations • Identify and evaluate controls • Estimate event probabilities • Estimate impacts • Determine a risk measure combining impact and probability • Prioritize risks
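The risk event chain (slides 16 to 18) and the RA steps on slide 27 can be worked through in a small model. The following is an added example, not part of the original presentation: it assumes a multiplicative model in which a threat becomes a crisis with some annual probability, a crisis becomes a disruption with a conditional probability, each control scales a transition probability and/or the impact by a constant factor, and the risk measure is probability times impact. The threats, probabilities, impact figures and control factors in the sample register are constructed for illustration, not real estimates.

```python
"""Risk event chain and risk measure: added example, not from the presentation.

Model assumptions (this example's, not the slides'): a threat becomes a crisis
with probability p_crisis per year, a crisis becomes a disruption with
probability p_disruption, and each control scales the transition probability
and/or the impact by a constant factor. Risk measure = probability x impact.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Control:
    """A device or procedure that lowers transition probability and/or impact."""
    name: str
    probability_factor: float = 1.0  # 0.5 means the control halves the probability
    impact_factor: float = 1.0       # 0.5 means the control halves the impact


@dataclass
class RiskEventChain:
    """One threat -> crisis -> disruption -> impact chain with its estimates."""
    threat: str
    disruption: str
    p_crisis: float       # P(threat manifests as a crisis) per year, uncontrolled
    p_disruption: float   # P(crisis interrupts operations | crisis), uncontrolled
    impact: float         # estimated impact of the disruption, uncontrolled
    controls: List[Control] = field(default_factory=list)

    def probability(self) -> float:
        """Probability of traversing the whole chain, after controls."""
        p = self.p_crisis * self.p_disruption
        for c in self.controls:
            p *= c.probability_factor
        return p

    def residual_impact(self) -> float:
        """Impact of the disruption after mitigating controls."""
        i = self.impact
        for c in self.controls:
            i *= c.impact_factor
        return i

    def risk_measure(self) -> float:
        """Risk = probability x impact (an annualised expected loss here)."""
        return self.probability() * self.residual_impact()


def prioritize(chains: List[RiskEventChain]) -> List[RiskEventChain]:
    """Rank risks so the most significant threats are addressed first."""
    return sorted(chains, key=lambda c: c.risk_measure(), reverse=True)


def evaluate(chains: List[RiskEventChain], tolerance: float) -> List[RiskEventChain]:
    """Risk evaluation: which risks exceed the organisation's risk tolerance."""
    return [c for c in chains if c.risk_measure() > tolerance]


def risk_by_disruption(chains: List[RiskEventChain]) -> Dict[str, float]:
    """Different crises can produce the same disruption: sum risk per disruption."""
    totals: Dict[str, float] = {}
    for c in chains:
        totals[c.disruption] = totals.get(c.disruption, 0.0) + c.risk_measure()
    return totals


# Constructed sample register; the numbers are illustrative, not real estimates.
SAMPLE_REGISTER = [
    RiskEventChain("fire", "processing area unavailable", 0.05, 0.8, 2_000_000,
                   [Control("sprinklers and fire suppression", impact_factor=0.3)]),
    RiskEventChain("water pipe rupture", "processing area unavailable", 0.1, 0.5, 500_000),
    RiskEventChain("power outage", "processing systems down", 0.3, 0.6, 100_000,
                   [Control("UPS and generator", probability_factor=0.1)]),
]

if __name__ == "__main__":
    for c in prioritize(SAMPLE_REGISTER):
        print(f"{c.threat:<20} p={c.probability():.3f} "
              f"impact={c.residual_impact():>12,.0f} risk={c.risk_measure():>10,.0f}")
    print("exceeding tolerance of 10,000:",
          [c.threat for c in evaluate(SAMPLE_REGISTER, 10_000)])
    print("risk per disruption:", risk_by_disruption(SAMPLE_REGISTER))
```

Running the script ranks the pipe rupture above the fire even though the fire's uncontrolled impact is four times larger, because the suppression control cuts the residual impact; the power outage drops far down the list once the generator control is applied to its probability. Grouping by disruption shows that two distinct crises feed the same "processing area unavailable" interruption, which is the case slide 18 describes and the reason recovery planning is often organised around the disruption rather than the individual threat.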

  28. Threat Identification • Natural • Accidental • Man-made

  29. Generic threats • Acts of war • Armed attack • Blackmail • Blizzard • Chemical spill • Contamination • Earthquake • Fire

  30. Generic threats • Flood • Freeze • Hostage situation • Hurricane • Insurrection • Kidnapping • Power outage • Product defect

  31. Generic threats • Radiation leak • Riot • Terrorism • Tornado • Transportation disruption • Tsunami • Volcano eruption • Workplace violence

  32. A systematic way to collect and analyze threat data is to begin with a broad view and then continue to a detailed view.

  33. Gathering Data • Use a blend of objective data and judgment • Much data is available on the Internet • Assessing certain hazards is difficult because of a large number of controls, exposures and variables

  34. Threat Identification • Identify hazards in the general region, immediate area, and local area. • Hazards are natural, man-made, and accidental. • Other threats include financial risk, credit risk, economic risk, market risk, country risk, and mismanagement.

  35. Some outages to address • Destruction of a processing area due to fire or bomb. • Destruction of a building by fire, bomb or earthquake. • Flooding of a processing area or adjacent areas due to hurricane, storm or rupture of water pipe. • Inaccessibility to a building due to fire or bomb threats. • Outages in communications, electric power, steam supply or air conditioning due to fire or flood. • Lack of processing personnel due to a strike, transportation problems or snowstorm.

  36. Example 1 – An organization with a technology department that has an IT alternate site plan and backup data center that can be activated rapidly will be able to recover quickly from a major crisis.

  37. Example 2 – An organization with good security controls (e.g. proper procedures, monitored security system, dedicated security personnel) can avoid many security breaches.

  38. Example 3 – A manufacturing organization that requires the use of hazmat materials can reduce the likelihood of a hazardous release and can contain a release better if a good hazard response plan is in place.

  39. Example 4 – The RA of a terrorist attack is most difficult to make. The type, level and location of the event will all be factors that are hard to pinpoint.

  40. Controls Identification and Evaluation • Devices and procedures • Reduce the probability of a crisis event • Mitigate the impact of a crisis event

  41. Types of Controls • Physical security • Procedures • Information security • Preventive maintenance

  42. Existing Controls • Evaluate effectiveness • Determine benefits • Identify costs • Develop options • Improve controls

  43. Additional Controls • Determine outstanding risks to the organization • Identify potential controls • Identify cost effective controls • Select and recommend controls • Obtain management approval

  44. Safety and Security Issues • Building Evacuation • Hazardous Materials • Personnel Issues • Security

  45. Building Evacuation and Safety Procedures • Plans address both building evacuation and shelter-in-place. • Plans include routes to gathering areas and headcount procedures. • Communicating emergency instructions is crucial. • Alarms signal a building evacuation. • A siren signals a shelter-in-place for a dangerous condition. • Utilize an intercom in addition to a siren. • Information regarding hostile intruder or hazardous release cannot be communicated by siren alone.

  46. Hazardous Materials • Businesses likely have some hazardous materials (hazmat). • All hazardous materials need to be identified. • There should be an MSDS (Material Safety Data Sheet) for every hazardous material. • All employees should be trained in utilizing emergency action plans, evacuation routes and alarm activation. • Hazardous Response Teams should be trained in compliance with federal and state Hazardous Materials First Responder regulations.

  47. Hazardous Materials • Personal protection equipment (PPE) such as respirators, boots, whole body coverings for adverse environmental conditions may be needed. • On-site personnel may need first aid training. • Hazardous materials should be stored in approved containers and in properly ventilated areas. • Hazardous wastes should be disposed of properly. • Every incident should be investigated.

  48. Hazardous Materials A manufacturing business that requires the use of hazardous materials can reduce the likelihood of a hazardous release and can contain a release better if a good hazard response plan is in place. Many other factors are important. Has the hazmat team been properly trained and properly equipped? What types of chemicals are used? How are the chemicals stored?

  49. Personnel Concerns • After a community-wide crisis, employees may not be able to work. • Transportation may be very difficult. • Back-to-work policies and payroll policies need to be developed. • Can the business function with a skeleton staff? • Can temporary replacement workers be found and quickly trained? • Is cross-training being performed? • A labor action can shut down operations.

  50. Security Controls • A business with good security controls (e.g. proper procedures, monitored security system, dedicated security personnel) can avoid many security breaches. • Security will also be impacted by the general crime rate in the area and the exact nature of the business.
