A risk assessment is a process to identify potential hazards and analyze what could happen if a hazard occurs. A business impact analysis (BIA) is the process for determining the potential impacts resulting from the interruption of time-sensitive or critical business processes.
There are numerous hazards to consider. For each hazard there are many possible scenarios that could unfold depending on timing, magnitude and location of the hazard.
For example, a hurricane forecast to make landfall near your business could change direction and go out to sea. Or the storm could intensify into a major hurricane and make landfall.
There are many “assets” at risk from hazards. Injuries to people should be the first consideration of the risk assessment. Hazard scenarios that could cause significant injuries should be highlighted to ensure that appropriate emergency plans are in place. Many other physical assets may be at risk. These include buildings, information technology, utility systems, machinery, raw materials and finished goods. The potential for environmental impact should also be considered. Consider the impact an incident could have on your relationships with customers, the surrounding community and other stakeholders. Consider situations that would cause customers to lose confidence in your organization and its products or services.
As you conduct the risk assessment, look for vulnerabilities – weaknesses – that would make an asset more susceptible to damage from a hazard. Vulnerabilities include deficiencies in building construction, process systems, security, protection systems and loss prevention programs. They contribute to the severity of damage when an incident occurs. For example, a building without a fire sprinkler system could burn to the ground while a building with a properly designed, installed and maintained fire sprinkler system would suffer limited fire damage.
The impacts from hazards can be reduced by investing in mitigation. If there is a potential for significant impacts, then creating a mitigation strategy should be a high priority.
- Meteorological – Flooding, Dam/Levee Failure, Severe Thunderstorm (Wind, Rain, Lightning, Hail), Tornado, Windstorm, Hurricanes and Tropical Storms, Winter Storm (Snow/Ice)
- Geological – Earthquake, Tsunami, Landslide, Subsidence/Sinkhole, Volcano
- Biological – Pandemic Disease, Foodborne Illnesses
- Accidents – Workplace Accidents, Entrapment/Rescue (Machinery, Water, Confined Space, High Angle), Transportation Accidents (Motor Vehicle, Rail, Water, Air, Pipeline), Structural Failure/Collapse, Mechanical Breakdown
- Intentional Acts – Labor Strike, Demonstrations, Civil Disturbance (Riot), Bomb Threat, Lost/Separated Person, Child Abduction, Kidnapping/Extortion, Hostage Incident, Workplace Violence, Robbery, Sniper Incident, Terrorism (Chemical, Biological, Radiological, Nuclear, Explosives), Arson, Cyber/Information Technology (Malware Attack, Hacking, Fraud, Denial of Service, etc.)
- Information Technology – Loss of Connectivity, Hardware Failure, Lost/Corrupted Data, Application Failure
- Utility Outage – Communications, Electrical Power, Water, Gas, Steam, Heating/Ventilation/Air Conditioning, Pollution Control System, Sewage System
- Fire/Explosion – Fire (Structure, Wildland), Explosion (Chemical, Gas, or Process Failure)
- Hazardous Materials – Hazardous Material Spill/Release, Radiological Accident, Hazmat Incident Off-site, Transportation Accidents, Nuclear Power Plant Incident, Natural Gas Leak
- Supply Chain Interruption – Supplier Failure, Transportation Interruption
Risk Assessment Resources
- Multi-hazard Mapping Information Platform – Federal Emergency Management Agency (FEMA)
- Flood Map Service Center – FEMA
- Earthquake Hazards information – United States Geological Survey (USGS)
- Rapid Visual Screening of Buildings for Potential Seismic Hazards: A Handbook. Second Edition – FEMA
- Hurricane – FEMA
- Landslide Hazards Program – USGS
- Volcano Hazards Program – USGS
- Protecting Workers from Heat Illness – Occupational Safety and Health Administration (OSHA)
- Survey Your Workplace for Additional Hazards – OSHA Compliance Assistance Quick Start for General Industry
- Methodology for Preparing Threat Assessments for Commercial Buildings – FEMA
- Workplace Violence—Issues in Response – Federal Bureau of Investigation
- Risk Assessment Portal, EPA tools, guidance and guidelines – U.S. Environmental Protection Agency
- Computer Security Resource Center, Special Publications, National Institute of Standards and Technology, Computer Security Division
- IT Security Essential Body of Knowledge, United States Computer Emergency Readiness Team