importance of risk analysis

7/31/2019 Importance of Risk Analysis

http://slidepdf.com/reader/full/importance-of-risk-analysis 1/13

Risk Assessment in a project is the most difficult phase of all to carry out. From the definition we gave

elsewhere, a risk is a combination of uncertainty and constraint. Constraints are usually difficult to remove,

though they are important to understand. For instance, a constraint that the project must be finished in time to

reflect a new piece of legislation is easy to understand. Manpower constraints are often more uncertain, such as

the availability of skilled staff at the critical phase of the project. But, you say, you are just defining a constraint

as an uncertainty.

One important step in assessing your project ideas is risk analysis or risk assessment, and the best thing

to do about it is when you comply with the law. This helps you focus on the risks and what matters in your

workplace, especially the ones that can potentially cause harm to your project proposal. We propose a project

and analyzed it with a projection to earn profit, but the question is “how if the project we propose in the

future delivers only losses instead of profit that we expect?” So risk analysis will answer this critical question.

We all know that risk cannot be avoided but it can be decrease the occurrence by applying risk analysis.

Although the law does not expect business owners to totally eliminate all the risks, it pushes them to protect

people from accidents as much as possible. There are various methods that work well with risk management

systems, particularly for more complex risks and circumstances.

A risk assessment is a careful examination of what can possibly cause harm. It makes the owner of the project

aware whether or not he has taken enough precautions and what to do to prevent accidents like losses.

How to assess the risks in your workplace

Follow the five steps in our leaflet: Five steps to risk assessment .

1. Identify the hazards

2. Decide who might be harmed and how

3. Evaluate the risks and decide on precaution

4. Record your findings and implement them

5. Review your assessment and update if necessary

Don’t overcomplicate the process. In many organisations, the risks are well known and the necessary

control measures are easy to apply. You probably already know whether, for example, you have

employees who move heavy loads and so could harm their backs, or where people are most likely to

slip or trip. If so, check that you have taken reasonable precautions to avoid injury.

If you run a small organisation and you are confident you understand what’s involved, you can do the

assessment yourself. You don’t have to be a health and safety expert.

Download the Risk Assessment and Policy Template. This template brings together your risk

assessment, health and safety policy, and record of health and safety arrangements into one document

http://www.hse.gov.uk/pubns/indg163.pdf



http://www.hse.gov.uk/risk/step1.htm










http://www.hse.gov.uk/risk/guidance.htm












to help you get started and save time. If you already have a health and safety policy, you may choose

to simply complete the risk assessment part of the template. We also have a number of example risk

assessments to show you what a risk assessment might look like. Choose the example closest to your

own business and use it as a guide for completing the template, adapting it to meet the needs of your

own business.

If you work in a larger organisation, you could ask a health and safety adviser to help you. If you are not

confident, get help from someone who is competent. In all cases, you should make sure that you

involve your staff or their representatives in the process. They will have useful information about how

the work is done that will make your assessment of the risk more thorough and effective. But

remember, you are responsible for seeing that the assessment is carried out properly.

When thinking about your risk assessment, remember:

a hazard is anything that may cause harm, such as chemicals, electricity, working from ladders, an

open drawer, etc; and

the risk is the chance, high or low, that somebody could be harmed by these and other hazards,

together with an indication of how serious the harm could be.

Risk assessment is the process by which businesses and organizations focus on critical areas of concernand prioritize their use of resources in order to maximize response and recovery efforts. In makingstrategic decisions, business and government leaders routinely try to predict the benefits and/or harmthat might be caused by implementing or failing to implement those decisions. The Risk AssessmentMatrix (RAM) can be viewed as a logical extension of that process.

Through this process, companies and agencies:

Identify their most important (critical) processes and functions;

Identify threats most likely to impact those processes and functions;

Determine the vulnerability of critical functions and processes to those threats; and

Prioritize deployment of personnel and resources in order to maintain continuous operation of critical functions and processes.

An accurate risk assessment can reveal operations that are subject to a “single point of failure.”

Implementation of effective prevention measures will eliminate some threats and significantly reducethe impact of others. It has been reported that, for every $1.00 spent on prevention, there is a potentialsavings of $7.00.

Information collected using the RAM model will enable a business or agency to identify:

http://www.hse.gov.uk/risk/casestudies/index.htm








Functions and processes critical to maintaining continuous operation;

Threats most likely to disrupt those identified, critical functions and processes;

Personnel and expertise required to handle critical incidents that impact the continuity of business

and/or agency operations.

Areas to be considered include:

Company/agency products and services and the facilities and equipment needed to produce them;

Products and services provided by suppliers, especially sole source vendors; and

Lifeline services such as electrical power, water, sewer, gas, telecommunications, and transportation.

Some of the data collected during the RAM process should be shared between public and private entities in

order to facilitate effective public and private response. Ineffective response results in unintended impacts such

as:

Loss of business and tax revenue;

Loss of customer and citizen confidence;

Exposure to litigation;

Bankruptcy; and

Damage to business and community reputation/image.



Risk Assessment Matrix: A Flexible Tool

The RAM format is intended for use by private and public organizations of varying sizes and configurations. It is a

concise, user-friendly tool for gathering information to prioritize assets, identify mitigation needs and develop

preparedness, response, and recovery plans.

The six (6) steps in the RAM process are:1. Identify business functions and processes.

2. Rank functions and processes according to criticality.

3. Determine recovery time required to sustain critical functions and processes.

4. Identify threats that impact each critical business function and process.

5. Determine the vulnerability of each critical business function and process.

6. Confirm that appropriate personnel, plans, and resources are in place to respond. If gaps exist, identify

relevant solution areas1 to address shortcomings.

The manner in which the RAM is completed will vary according to circumstances. A small business or agency

may assign one individual to complete the process for the entire organization. A large, multi-divisional

organization (shipping, human resources, operations/manufacturing, etc.) may wish to task an individual in each

division or unit with assessing that part of the operations. Data collected is then used to establish critical

incident response priorities.

Preliminary Information

Before focusing on specific functions, it is important to make sure that everyone in the organization sees the

“big picture.” Those responsible for specific areas need to have a clear understanding of how their areas

contribute to the bottom line of the organization. Corporations and agencies with a well-defined vision, mission

statement and strategic plan are ready to initiate the RAM process. Other groups may need to spend some time

in this area.

Following are the six (6) steps of the RAM model. Within the steps are “values” or explanations. Use the RAM

worksheet to capture pertinent information

2

.

Step One: Identify Functions and Processes

1 Planning, Organization, Facilities, Equipment, Training and Exercising.2 Detailed instructions are printed on the back side of each RAM form. A copy of the RAM is attached to this document.



List the separate functions and processes required to create a product or provide a service. Typical business

functions/procedures include:3

Shipping & Receiving Communications

Inventory Production

Service Finance

Human Resources Training

Marketing Facility Management

Sales Information Technology

3 This list is not all-inclusive. Make adjustments as necessary.



Step Two: Determine Criticality

Of the business processes listed in Step #1, which are the most critical to the continual operation of the business

or agency? In determining criticality, consider the following:

Does this business function affect the safety of employees or the general public?

How important is this business function to the mission of the agency/business?

How important is this function to the continuity of business operations?

How would a loss or disruption affect the “bottom line?”

The following definitions may be used as a general guide and should be modified to meet the requirements of

each specific process or function:

Critical – necessary and/or vital. May pose a life-safety risk to employees and/or general public.

Essential – important but not critical. Disruption would cause difficulties. Non-Essential – disruption is merely inconvenient.

Step Three: Determine Recovery Time

Determine the recovery time for each critical business function listed in Step #2. In determiningrecovery time, consider the following:

Time from loss or disruption of process to the point when continued disruption or loss is detrimental to

the mission of the business;

Special circumstances that may delay or prevent recovery actions, i.e., designation of an area as a crime

scene or contamination by a dangerous chemical;

Impact on public confidence if response is perceived to be too slow.

In determining recovery time the following guide may be considered:4

Immediate – 0 to 24 hours;

Delayed – 24 hours to 7 days;

Deferred – beyond 7 days.

Step Four: Identify Threats

Identify threats that may halt or disrupt each of the critical business functions identified in Step #3.This will likely require input from public agencies (law enforcement, fire services, emergency medicalservices, public works, local emergency management officials, etc.). Consider those threats that have

4 Each business must determine their appropriate recovery criteria.



occurred and those that may be likely to occur. Multiple threats may impact a single function ormultiple functions. In identifying threats consider:

Natural disasters (tornados, floods, severe weather);

Human-caused events (workplace violence, terrorist attack, sabotage, critical information theft);

Facility-related emergencies (hazardous materials, loss of utilities, proximity to other threats);

Asset protection incidents (inadequate systems, untrained personnel);

Information systems difficulties (lack of backup);

Employee-related problems (training, attitude, misconduct/grievances);

Other events and incidents (nearby threats, political activities).

When assessing the various threats it is important to consider:1) What can occur;

2) The damage it is likely to cause.

Step Five: Determine Vulnerability

Determine which of the threats identified above have the greatest likelihood of disrupting or attacking eachcritical business function. When assessing how vulnerable a process or function is to the various threats, it is

important to consider:

1) How likely it is that a threat will occur;

2) How often a threat is likely to occur.

The following descriptions are suggested as a guide:

Highly Vulnerable – business functions that are most likely to experience threat.

Vulnerable – may experience the threat or threat.

Not Vulnerable – not likely to experience the threat or threat.

Step Six: Select Action Plans

Determine if there are appropriate plans5 and resources to address the threats that are most disruptive to the

critical business functions. It is imperative that these plans and capabilities are current and adequate6. If gaps or

shortcomings are discovered, determine:

What do I have and what do I need? Solution areas include:o Planning. o Organization. o Facilities o Equipment. o Training. o Exercising.

Can the issues be addressed using available company personnel and resources or will outside personnel

and/or resources be required of other businesses and/or public organizations?

5 This includes both private, business plans and public, emergency operations plans.6 Plans and resources must be tested regularly by conducting tabletop, functional and full-scale exercises.



If solutions require coordination with public agencies, do the businesses and public agencies involved

need to develop or enhance a public-private partnership?

Risk Assessment Matrix Form

A copy of the Risk Assessment Matrix Form is attached. There are further instructions for completingthe RAM on the back side of the document.

Summary

The above process should result in a determination of 1) what is critical to the continual operation of the

business or agency, 2) what is most likely to disrupt those critical business functions, and 3) if there are current

and adequate response plans in place. The process involves determining priorities and allocating resources to

assure continuity of critical operations.



Business:Address:

Telephone:

1 Function or Process 2 Crit. 3 Rec. 4 Threat 5 Vul. 6 Action Plan Priority



Form Completed By: Date:

INSTRUCTIONS FOR COMPLETING THE RAM PRIORITY LISTING FORM (See illustration at bottom of form.)

1. List all business functions and processes on

a sheet of paper.

3. Determine recovery time for each function. 5. Determine vulnerability. Establish priority

ranking for follow-up actions.

2. Determine criticality and list the top 1-3

function(s) on the RAM form.

4. Identify threats that impact critical functions. 6. Develop action plan to prioritize

personnel response & resource use.

1 Functions and processes:

Communications

Customer Service

Facility Management

Finance

Human Resources

Information Technology Inventory

Marketing

Production

Sales

Shipping/Receiving

Training

2 Criticality:

C: Critical – Necessary. Life safety risk.

E: Essential – Important, but not immediately

critical. Critical over time.

NE: Non-essential – Merely inconvenient.

3 Recovery Time:

I: Immediate 0 – 24 hrs

Del: Delayed 24 hrs to 7 days

Def : Deferred Over 7 days

4 Threats (Natural/Human-Caused):

Civil disturbance Communications Failure

Earthquake Explosion

Fire

Flood and Flash flood

4 Threats (continued):

Hazardous Materials Incident

Hurricane

Loss of Key Supplier or Customer Severe Winter Storm

Technological Emergency Terrorist Attack

Tornado

5 Vulnerability:

H: Highly Vulnerable – Business function i

highly susceptible to the threat.

V: Vulnerable – Business function is somewha

susceptible to the threat.

NV: Not vulnerable – Business function is no

likely to be affected by the threat.



6 Action Plan:

Planning. Review and update:

Plant Closing Policy Evacuation Plan

Fire Protection Plan

Mutual Aid Agreements

Hazardous Materials Response Plan

Vital Records Protection Plan

Security Procedures

Insurance Programs Employee ManualsOrganization. Review need for:

Emergency Response Team

Emergency Medical Services

Security

Organization (continued):

Emergency Management Group

Evacuation Team

Public Information OfficerFacilities. Determine the need for:

Emergency Operating Center

Media Briefing Area

Shelter Areas

First-Aid Stations

Sanitation Facilities.Equipment. Determine the need for:

Fire Protection/Suppression Equipment

Communications Equipment

First Aid Supplies Emergency Supplies Warning Systems

Emergency Power Equipment

Decontamination EquipmentTraining. Determine need for:

Sessions To Review Procedures Technical Training For ErtExercising. Conduct Regular Exercises:

Tabletop, Functional, and/or Full-Scale

Natural & Human-Caused Scenarios

For more planning guidance, see Emergency

Management Guide for Business and In-

dustry @ http:/ /www.fema.gov /pdf/library/

bizindst.pdf published by the Red Cross.

RAM Illustration

Business:Sample Illustration Address: Sample Illustration

Telephone: Sample Illustration Sample Illustration

1 Function or Process 2 Crit. 3 Rec. 4 Threat 5 Vul. 6 Action Plan Priority

http://www.fema.gov/






Shipping & Receiving C I Equipment failure H Lease agreement 1

Shipping & Receiving C I Fire H Sprinklers; fire inspection; fire response 1

Inventory C I Sole-Source Supplier H Agreement with alternate supplier 1

importance of risk analysis

Documents