Guide to Conducting a Risk Assessment


  • 8/3/2019 Guide to Conducting a Risk Assessment

    1/21

In Partnership with
Supremus Group, LLC
Risk Assessment Tools | Jamie Vance, CBCP

GUIDE TO CONDUCTING A RISK ASSESSMENT
SECOND EDITION


Guide to Conducting a Risk Assessment 2008
2008 Supremus Group LLC and Continuity Resources
www.trainingHIPAA.net
Limited rights granted to licensee for internal use only
All other rights reserved
Page 2

Legal Statement

The business has purchased Contingency Planning Guides, Templates, and Reports from Continuity Resources and Supremus Group, LLC. Templates and report documents are customizable with the business's information, logos, and confidential data. However, this statement and all copyright information (in footers) must remain in all documents.

Supremus Group LLC (SG) and Continuity Resources (CR) disclaim liability for any personal injury, property, or other damages of any nature whatsoever, whether special, indirect, consequential, or compensatory, directly or indirectly resulting from the publication, use of, or reliance on this document. In issuing and making this document available, SG and CR are not undertaking to render professional or other services for or on behalf of any person or entity. Nor are SG and CR undertaking to perform any duty owed by any person or entity to someone else. Anyone using this document should rely on his or her own independent judgment or, as appropriate, seek the advice of a competent professional in determining the exercise of reasonable care in any given circumstance.

This product is NOT FOR RESALE or REDISTRIBUTION in any physical or electronic format. The purchaser of this template has acquired the rights to use it for a SINGLE enterprise at one facility unless the user has purchased a multi-use license. Anyone who makes unlicensed copies of or uses the template or any derivative of it is in violation of United States and International copyright laws and subject to fines that are treble damages as determined by the courts. A REWARD of up to 1/3 of those fines will be paid to anyone reporting such a violation upon the successful prosecution of such violators.

The purchaser agrees that any derivative of this template will contain the following words within the first five pages of that document. The words are: Derived from the Contingency Plan Template Suite of Supremus Group LLC and Continuity Resources. 2008 Copyright Supremus Group LLC and Continuity Resources.

Purpose of Guide

The Risk Assessment Guide is intended to provide businesses with the necessary tools to conduct a facility risk assessment. This guide focuses on identifying risks and threats in the following categories: Weather, Man-Made, and Technology. This guide is to be used in conjunction with the risk assessment templates and reports offered by Continuity Resources and Supremus Group, LLC.


Key Terminology

There can be terminology and definition differences in regard to risk assessment, business impact analysis, recovery planning, disaster recovery, disasters, impacts, etc. For the intent of this document, please apply the following definitions:

Business Impact Analysis: Process of identifying the critical business functions within the business and determining the impact of not performing those business functions.

Business Continuity Planning: Process of developing advance arrangements and procedures that enable an organization to respond to an event in such a manner that critical business functions continue with planned levels of interruption or essential change.

Customer/Operational Impact: Customer Impact measures the potential future impact of a service or operational outage. Operational Impact is the measure of loss to functions that would impact the production of products and services.

Disaster: A sudden, unplanned devastating event causing substantial damage or loss.

Disaster Recovery Planning: The technological aspect of business continuity planning. The advance planning and preparation that is necessary to minimize loss and ensure continuity of the critical business functions of an organization in the event of disaster.

Financial Impact: Financial impact measures the immediate revenue loss and cost exposures to the organization during a period a business cannot perform their daily operations and services.

Legal / Regulatory Impact: Legal and regulatory impact measures the legal ramifications and governmental financial and operational impact from service and operational outages.

Risk Assessment: Process of identifying and evaluating the hazards and risks that are present and analyzing the vulnerabilities of the business to these threats.

RTO: Recovery Time Objective. The maximum allowable time a process can be down following a disruptive event.

Revision History

The table below indicates revisions, deletions, additions, etc. that have been made to this document.

Version         Description of Change          Chap/Page     Revised By        Date
2006.01         Creation of Document           All sections  Jamie McCafferty  02.20.2006
Second Edition  Update of format and chapters  All Chapters  Jamie Vance       01.10.2008


Table of Contents

Legal Statement ............................................................ 2
Purpose of Guide ........................................................... 2
Key Terminology ............................................................ 3
Revision History ........................................................... 3
CHAPTER 1: INTRODUCTION .................................................... 6
    Compliance ............................................................. 6
    Scope .................................................................. 7
CHAPTER 2: RISK ASSESSMENT ................................................. 8
    Objectives of the Risk Assessment ...................................... 8
    Develop a Project Plan ................................................. 8
    What should be included? .............................................. 10
CHAPTER 3: PHASE ONE (PROJECT DEVELOPMENT) ................................ 11
    Scope ................................................................. 11
    Objectives and Deliverables ........................................... 11
    Method of Collection .................................................. 11
    Identify People ....................................................... 11
    Interview Order ....................................................... 12
CHAPTER 4: PHASE TWO (DATA GATHERING) ..................................... 13
    Identifying Risks and Threats ......................................... 13
    Probability of Occurrence ............................................. 14
    Vulnerability to Risk ................................................. 14
    Potential Impact ...................................................... 14


    Preventative Measures in Place ........................................ 14
    Insurance Coverage .................................................... 15
    Past Experiences ...................................................... 15
CHAPTER 5: PHASE THREE (ANALYZE THE DATA) ................................. 16
    Review Survey and Interview Notes ..................................... 16
    Follow-up Meetings .................................................... 16
    Report the Results .................................................... 17
CHAPTER 6: PHASE FOUR (FINAL REPORT AND PRESENTATION) ..................... 18
    Creation of Executive Report .......................................... 18
    Presenting the Results ................................................ 18
    Next Steps ............................................................ 19
CHAPTER 7: CONCLUSION ..................................................... 20
    Keys for Success ...................................................... 20


Chapter 1: Introduction

The intention of this document is to help the organization conduct a Risk Assessment, which identifies current risks and threats to the business, and to implement measures to eliminate or reduce those potential risks. This document provides guidance on how to conduct the Risk Assessment, analyze the information that is collected, and implement strategies that will allow the business to manage the risk.

The following documents are available to help the business complete the assessment:

• Risk Assessment Template
• Risk Assessment Worksheet
• Facility RA Findings Report
• Executive RA Findings Report
• Examples of Preventative Measures

The Risk Assessment is only part one of an overall Business Assessment. A Business Assessment is separated into two constituents, Risk Assessment and Business Impact Analysis (BIA). The Risk Assessment is intended to measure present vulnerabilities to the business's environment, while the Business Impact Analysis evaluates probable loss that could result during a disaster. To maximize the Risk Assessment, a Business Impact Analysis should also be completed.

For more information regarding the Business Impact Analysis, please use Guide to Conducting a Business Impact Analysis. If this document was not included with this package, it can be purchased from http://www.traininghipaa.net.

Compliance

To protect shareholder confidence, customers, employees, and the organization, companies are responsible for implementing preventative and protective measures to safeguard against disasters, business interruptions, and risks. Many industries are governed by different requirements set forth by regulatory bodies. This guide will help meet the requirements for business continuity and disaster recovery planning, implemented by the following industry standards:

• Sarbanes-Oxley (SOX)
• ISO 17799 (Section 11 Business Continuity Standard)
• FFIEC requirements for Business Continuity Planning
• NIST for Technology Recovery Planning

Please note: this guide is not all-encompassing for the above industry standards. In order to meet these requirements, the organization must implement a fully mature Business Continuity Planning Program. However, conducting a Risk Assessment is one of the first steps in implementing Business Continuity Planning.


Scope

The RA is performed to identify potential risks, threats, and the vulnerability of the business to these risks. The Risk Assessment process provides the foundation for the entire Contingency Planning effort. The goal of Contingency Planning is to safeguard the business in the event that all or portions of its operations and/or computer services are rendered unusable. Each facility that the business owns or operates in should be analyzed to determine the potential risk and impact related to various threats.

Once the data is collected, an analysis of all facilities' risks, threats, and vulnerabilities will be completed. A final report will be developed with recommendations for mitigation activities and presented to executive management. If a Business Impact Analysis is conducted, the recovery strategies will be presented as well. This will allow the business leaders to determine what recovery strategies and solutions will be implemented.


Chapter 2: Risk Assessment

A Risk Assessment (RA) is identifying, analyzing and weighing all the potential risks, threats, and hazards to the business's internal and external environment. The assessment discovers if a facility (building) is vulnerable to weather related events, HVAC failure, internal or external security vulnerabilities, and local area hazards. In addition, the RA allows a business to document what mitigating actions have been taken to manage these exposures. By identifying the threats that currently are being mitigated versus threats that are not, a business can compile a list of recommendations for improvement. Data can be collected by utilizing questionnaire (survey) tools, interviews, and discussions.

To be successful, any risk assessment has to concentrate on the local identifiable issues relating to the business. Before exploring other concerns, concentrate on the most realistic risks and threats that currently exist in the business environment. This can include factors such as:

• The nature of the business
• Surrounding area of facility
• The construction of the facility
• Common weather patterns
• Technology dependencies

Objectives of the Risk Assessment

During the Risk Assessment, risks and threats to the business will be identified and evaluated. The vulnerability of the business to these risks will be rated. Additionally, the RA will:

• Identify what prevention practices are being used
• Define and implement safeguards to mitigate risks
• Conclude the overall risk to the business
• Build a case for strategy selections

Once the assessment is completed, the business can make decisions regarding methods of mitigating risks or selection of recovery strategies. By completing a Risk Assessment and Business Impact Analysis, the business can implement the best strategies for Contingency Planning.

Develop a Project Plan

The success of a RA will depend on a well defined project plan. The project plan should define key members, objectives, and the steps that will need to be followed for the success of the project. A three phased approach has been defined for this guide. During the first phase, identify the project team, key facility representatives, and define the scope and objectives.

In the second phase, data collection is completed. If using questionnaire and face-to-face interviews, those will be done during this process. Facility risks, threats and vulnerabilities will be identified, and mitigation activities defined. Additionally, the level of potential impact to the facility is estimated.

The third phase is for analyzing the data, reviewing the findings with the facility managers, and determining vulnerability for the entire facility.

The fourth phase is for creating the final facility and executive management reports. Presentation of the findings will be done during this phase as well. If a Business Impact Analysis has been completed, the results can be reported with the RA findings together.

This diagram shows the phases necessary for completing a Risk Assessment. The entire process should be conducted in each phase and repeated at least every two years. There may be additional activities that need to take place during Phase Two. Some of those actions are:

• Review internal plans and policies
• Meet with outside groups
• Identify assets
• Conduct an insurance review

[Diagram: Phase One: Project Plan Development; Phase Two: Identify Risks, Threats, and Vulnerabilities (gather data); Phase Three: Analyze the data and determine vulnerability; Phase Four: Report the findings]


What should be included?

Despite the prevention practices employed, potential hazards that are existent and could result in a loss to the business need to be considered. Even though the exact nature of these exposures and their consequences are tough to determine, it is valuable to conduct a risk assessment of all threats that can logically happen.

All locations and facilities should be included in the risk assessment. Surrounding businesses, local fire, police, and community utilities should also be included in the assessment. Additionally, any vendor-provided service that is critical to the business should be evaluated.


Chapter 3: Phase One (Project Development)

Scope

The project team will need to define the project scope. The scope determines the rules under which the project is executed. The scope can include:

• What facilities will be involved
• What data will be gathered
• Time frame for completing the project
• Responsibilities for those involved
• Steps necessary to complete the project

The scope should be formally documented in a project plan and distributed to all key participants of the project. A high-level overview of the project plan can be created and sent to executive management.

Objectives and Deliverables

Defining the objectives and deliverables of the project is essential. The objectives of a risk assessment that were identified in section two can be used as an example.

Method of Collection

There are numerous ways to collect data during a RA. The first method is by sending out questionnaires (surveys) for each facility manager to complete. These questionnaires will ask questions in regard to facility risks, technology risks, potential man-made risks, and weather related risks.

The second method is a face-to-face interview. During the interview, the project team can use the completed questionnaire to get more detailed information about the criticality of the facility, potential threats and risks, and vulnerabilities.

Identify People

Project Team

A project team must be established to support the RA project from beginning to end. This team will be responsible for data gathering/collection, conducting face-to-face interviews, analyzing the collected data, creating the final executive report and making final recommendations to executive management.

A project manager should be identified. The project manager is responsible for coordinating day-to-day activities and resources management for the project.


Project Sponsor

For this project to be successful, a project sponsor must be identified. The project sponsor's role is to make certain that the project participants in the business unit clearly understand their responsibilities to the project.

Key Facility Leadership (Participants)

After identifying the project sponsor, project manager and project team, identify all facilities owned or occupied by the business. Each facility should provide an experienced person to complete the surveys and attend the interview sessions.

Interview Order

Using the list of facilities and key participants defined earlier, it is a good idea to schedule the facilities to complete the RA process. Both clinical and non-clinical facilities should be involved with the RA process. Even if the facility is not critical, an interview and/or questionnaire must be conducted.

Examples of facilities to interview: Corporate Headquarters, Data Centers, Leased offices, Records Storage Facility, Administration buildings, etc.

Create Schedule

A schedule of interviews should be developed according to the facility participants' availability. This schedule will allow each participant to know the date and time to be present for the face-to-face interview. The questionnaire should be sent out at least one month in advance of the face-to-face interview. A return date should be provided to the person responsible for filling out the survey. This will give the responder time to gather the data and get it back to the project team. By doing a pre-interview questionnaire, the project team can customize the questions for the face-to-face interview, based on the information provided by the business unit.

Once the questionnaire has been returned to the project team, a detailed list of questions can be prepared for the face-to-face interview. The interview process should be scheduled for one hour. During the interview, it is important to take notes based on the interviewee's responses to the questions. After the interview, compile any notes taken together with the responder's questionnaire, and send them back to the interviewee to ensure the accuracy of the data gathered.


Chapter 4: Phase Two (Data Gathering)

The process of identifying risks, threats, and the probability of occurrence is vital during the Risk Assessment process. In addition, identifying the potential impact to the business is necessary to prepare preventative measures and create recovery strategies. Risk identification also provides a number of other advantages, including:

• Exposes previously overlooked vulnerabilities that need to be addressed by plans and procedures
• Identifies where preventative measures are lacking or need to be reevaluated
• Can point out the importance of contingency planning to get staff and management on board
• Will assist in documenting interdependencies between departments and increase communication between internal groups
• Can also point out single points of failure between critical departments

This Risk Assessment guide focuses on three categories of risk. Restricting the categories allows the business to focus on identifying risks that are common. In the attached Risk Assessment Survey, the categories include Natural Risks, Man-Made (Human) Risks, and Environmental Risks. These are certainly not the only categories to consider and should not be constraining. If a risk is not available in the template, additional categories can be added.

Identifying Risks and Threats

The nature of a risk or threat should be determined, regardless of the type. Factors to consider should include (but are not limited to):

• Geographic location
• Weather patterns for the area and surrounding areas
• Internal hazards (HVAC, facility security, access, etc.)
• Proximity to local response or support units
• External hazards (neighboring highways, plants, etc.)

Potential exposures may be classified as natural, man-made or environmental. Examples include:

• Natural Threats: flooding, high winds, severe storms, tornado, hurricane, fire, snow storms, ice storms, epidemic
• Man-made (human) Threats: bomb threats, vandalism, terrorism, civil disorder, sabotage, hazardous waste, work stoppage (internal/external), computer crime
• Environmental Threats: HVAC failure, malfunction/failure of system software, failure of applications/hardware, telecommunications failure, power failure


Probability of Occurrence

Types of regularly occurring natural disasters are typically well known within a community and can often be researched easily. History of weather related events serves as a valuable resource for ranking probability and risk.

Possibilities of disasters due to man-made events are many and varied. Events may be accidental or planned incidents designed to wreak havoc. Man-made events must be carefully considered and not dismissed because "it has never happened here."

Businesses have become increasingly dependent on technology to provide daily business operations. As a result, failure(s) of technology systems can easily put a facility into an internal state of disaster. To determine the probability of these events, one must examine the internal technology components in the facility and the availability of backup systems to compensate for failure.

Vulnerability to Risk

For each risk that has been identified, the vulnerability of the business to this threat must be established. Identifying the vulnerability to a risk determines the adverse effects of a given threat to the business. The analysis of this information helps determine who is most likely to be affected, what is most likely to be destroyed or damaged, and what capacities exist to cope with the effects of the risk/threat.

Potential Impact

The potential impact to the business operations needs to be estimated for each risk or threat. Potential impact could include lost revenue, disruption of services, threat to life and/or health safety, damage or failure of technologies, legal ramifications, loss of community trust, etc.

Preventative Measures in Place

Another step is to evaluate the business's current level of mitigation activities that are in place. Mitigation is the act of implementing preventative measures or procedures to reduce or eliminate potential risks. Some examples of preventative measures are:

• Fire / smoke detection and alarm systems are in place and are monitored on a continual basis
• Employees are trained in evacuation procedures
• Data and vital records are backed up and stored offsite
• Arrange for snow and ice removal from parking lots, walkways, loading docks, etc.

Businesses have done disaster planning for many years and most are well prepared to manage many types of emergencies. The scope of disaster planning is continually changing and the typical business will find at least some risks for which improvements are necessary.


Insurance Coverage

The business may carry insurance to compensate for losses suffered as a result of some emergencies. Backup systems may also be thought of as insurance protecting against certain occurrences. The availability of insurance coverage or backup systems should be factored into the determination of the current risk assessment.

Past Experiences

A helpful tool in determining potential risks or threats to the business is to reflect on previous history of disruptions, outages, productivity loss, etc. Any type of incident that impacted the daily operations of the business should be documented. The date and outage time should also be provided as reference.


Chapter 5: Phase Three (Analyze the Data)

Once the Risk Assessment Survey(s) and face-to-face interviews have been conducted, the next step is to analyze and present the results to Executive Management. Analysis of data can be a time consuming and tedious process, especially with an enormous amount of data, but it is critical to the RA process. The analysis will be the foundation for planning recommendations to Executive Management. The recovery strategies that need to be developed should be based on the findings of the Risk Assessment Survey and interviews, as well as the Business Impact Analysis findings.

Review Survey and Interview Notes

The facility(s) questionnaire and any notes taken during interviews must be analyzed. The purpose of analyzing all the data is to create an overview of all the business's potential risks, vulnerabilities, and preventative measures that are currently in place. This is the information that is most important and will be reported directly to Executive Management. Without this information, the business will not be able to make appropriate decisions concerning contingency planning.

Follow-up Meetings

When reviewing the data from the survey(s) and/or face-to-face interviews, create a list of questions for follow-up meetings. Each respondent to the survey should be scheduled for a follow-up meeting. These meetings should not require more than an hour each. Prior to the meeting, send a detailed list of the questions concerning the individual department.

The follow-up meeting provides an opportunity to make sure that all data was captured and analyzed correctly. If there are gaps or questions, usually a follow-up meeting can obtain the needed information (to close the gap) or provide more detailed data.


Report the Results

Once the survey and interviews have been completed, issuing a report to each facility manager is important. The report ensures that the information gathered during the survey and interview process has been interpreted and documented accurately. The report should contain the following information:

• Respondent information
• Overview of the facility's business operations
• Previous disruption history & details
• Risks & Vulnerabilities
  o Natural Risks
  o Man-Made Risks
  o Environmental Risks
  o Facilities Risks
• Preventive measures that are in place
• Overall risk rating for each facility

If only one facility was surveyed and interviewed, an individual facility report probably will not be necessary. The Executive Risk Assessment Report will work for just one facility.


Chapter 6: Phase Four (Final Report and Presentation)

Begin the final report with an executive overview of the risk assessment project. The overview will explain the objectives of the project and the scope and approach used. At the end, provide a summary review of the existing potential hazards.

Creation of Executive Report

The data gathered during the risk assessment will form the foundation for the final report. The purpose is to provide executive management with enough information to make them comfortable in endorsing the recommended strategies, actions, and budgets, or in accepting the level of risk by not implementing recovery strategies. The report should include graphs that visually demonstrate the findings. However, do not overuse graphs; too many graphs can make the report confusing. Provide graphs for overall information on the departments, financial impact, etc.

Previous Disruption History

Provide details about the previous disruptions that have been experienced by each facility. This is information that was obtained during the survey and interview process. Provide a high-level overview of the disruption, the date (if possible), and a few details about the disruption.

Risks and Vulnerabilities

Document the facility rankings for each risk or threat and the vulnerabilities that were identified in the survey. Document the ranking for each type of risk. Stress the importance of implementing mitigating measures for those risks that are in the high or extremely high category.

Preventative Measures

Provide information about the preventative measures that are currently in place at the facility. These measures reduce the amount of vulnerability or potential impact from associated risks or threats.

Presenting the Results

A presentation to executive management should be held to discuss the findings of the risk assessment. If a Business Impact Analysis was performed, it is desirable to present the findings of both together. Generally, executive management is not interested in every specific detail about the Risk Assessment process or the entire survey results, so keep the information high-level.


Next Steps

Now that executive management has been presented with the results of the Risk Assessment (and BIA, if applicable), decisions around the following need to be made:

• Mitigate potential hazards and risks (found in the Risk Assessment)
• Select recovery strategies to minimize the potential loss that could result from a business interruption

Recovery strategies are the strategies selected to mitigate the potential impacts resulting from a disruption to business operations. Once a recovery strategy is selected, business units can start documenting recovery plans, implementing recovery procedures, and educating employees on what to do during a disaster or emergency.


Chapter 7: Conclusion

The Risk Assessment process is an essential phase of Contingency Planning. The possibility of a disaster impacting a business is unpredictable. The business should implement a comprehensive Contingency Planning Program and develop recovery plans that encompass all critical operations and functions of the business.

Keys for Success

To make the Risk Assessment process a success, executive management commitment, effective data gathering tools, availability of key resources, and access to critical data are required.

Executive Management Support

If a lack of executive management commitment exists, it will be tough to schedule interviews and obtain the required information in an efficient manner. Before kickoff of the risk assessment, get executive management's buy-in. Put together a presentation showing the benefits of the risk assessment and, ultimately, the contingency planning program. By selling the benefits of the risk assessment and getting management on board, the risk assessment process will flow more efficiently.

Effective Data Gathering Tools

Using effective data gathering tools (surveys, checklists, etc.) is critical to the process. If surveys contain questions that are irrelevant or unrealistic, key personnel may become disengaged or lose patience. This can lead to an abrupt end to the process.

Key Resources

All facilities owned or occupied by the business must be represented in the interview process, not just headquarters or the main facility. In addition, ensure interviews are done with the appropriate staff. Each facility should be represented by a senior member who has the best understanding of what the facility does, its exposures, and its vulnerabilities. This senior member can include other staff members as part of the process, but he or she must be in attendance.

Critical Data

Gathering critical data is crucial to the risk assessment process. If standard operating procedures currently exist, review them first. This will help save time and provide a basic understanding of daily business operations. Most importantly, stress that the information being gathered is only for the sake of the contingency planning effort, nothing else.


Executive Report

Once all the data is gathered and analyzed, compile an executive management report. This report must be reviewed with the executive management team, CEO, or highest executive(s) available. Based on the comments of the executive staff, the findings should be modified.