The goal of a risk assessment (RA) is to calculate risk as it relates to threats, probabilities, impacts and vulnerabilities. If you think creatively, the risk assessment can also tip you off to business opportunities and revenue generators! This post provides one framework for developing a risk assessment. There are many ways it can be performed. There are entire books written on assessing risk.
As with BIA components assessing threats and understanding risk is an ongoing process. It is not a onetime annual or even monthly event. Using the correct situational awareness, database management tools and algorithms you can build an automated risk monitoring engine! This can provide you and management with an understanding of risks and opportunities on a daily and minute-by-minute basis. In some cases risk alerts will be generated in near real-time. I will dig deeper into ideas for automating your program in the ‘Automating Assessments’ and technology posts on UltimateBusinessContinuity.com. For now, let’s chat about fundamentals. As always, I encourage you to modify the information I provide to meet the needs of your organization.
The components of a risk assessment include:
- Threats – What can potentially hurt us?
- Probabilities – How likely is it that those threats will impact our assets? What is the probability of each of the threats becoming a reality?
- Vulnerabilities – What controls do we have in place to deal with the threats?
- Impacts – If it does happen, what are the consequences?
- Risks – take all of the above into consideration to identify risks and opportunities
- After we compile the information we list the risks and often graph them!
The risk assessment plus the BIA help us understand:
- What assets require protection
- What level of protection is required
- How an asset may be compromised
- What is the impact if protections fail
Tip – As you are developing your risk assessment research historical and geographical impacts to the areas your locations are situated in. For example, have there been annual floods or tornadoes impacting your location or the general region?
Tip – As more and more building is being done in coastal areas or near lakes, additional risks arise. If you are located near the ocean consider global warming, rising sea levels, hurricanes and tsunamis. Make sure you have mitigation plans in place. Katrina is a classic example of what can go wrong. I recommend you consider reading Fives Days at Memorial by Sheri Fink. She offers a chilling account of what can go wrong and discusses how emergency planning should not be done.
Tip – In addition to partial loss I suggest you always include worst case scenario impacts in your risk assessment, recovery strategies, plans and testing. For example, consider a direct impact completely destroying your hospital, factory, warehouse, securities trading exchange. I realize this is difficult to plan for, as I have done it, but I envy people faced with this sort of challenge. Embrace it! When you figure out the solution, and I know you will, you should rightfully feel proud.
Tip – Make sure you consider the threat of executive leadership not being available at the time of disruption. Plan for succession of ALL key executives.
But wait, there is a bit of controversy regarding business continuity related risk assessments:
I am confident we all can agree it is critical to perform a BIA, which we discuss in other posts. Although there are not too many hard-and-fast standards yet in business continuity, performing a BIA is as close as you will get to a standard. There are companies that skip the BIA and go right to Business Continuity Plans but that is not advised.
What is more controversial is whether we should perform a thorough Risk Assessment, a Risk List or neither.
Many companies do a simple Risk List and some do nothing. In fact, some very influential people in the business continuity profession have published articles on how the Risk Assessment has outlived its usefulness and is a waste of time and effort. Google it, you will see for yourself. You know what? If it works for them that is fine. But I would disagree with them. I am convinced a thorough Risk Assessment can provide great value and will enable you to build a stronger program.
Why we need a Risk Assessment:
I realize there are thousands of threats in the world and it would not make sense to create detailed plans for all of them. For example, a volcano is a threat – but is it a risk to my location in Manhattan? I don’t think there is a volcano within 1,000 miles of Manhattan, so if I suggest to management we spend money to mitigate the threat of lava flowing down 42nd Street in Manhattan and develop a volcano specific response strategy, it might seem a bit ridiculous. Also, as Nicholas Taleb discussed in his book, ‘The Black Swan ‘, no matter how many threats we consider, there are events we would not even think of planning for – until after they occur – and in hindsight we needlessly beat ourselves up for not considering that Black Swan.
Many companies will conduct basic impact planning and simply break down impacts into 3 or 4 high-level buckets such as impacts to people, locations and/or systems. Before we get too far I will go on record that I agree with impact planning and I bake it into my response strategies and plans BUT I also believe we can create so much more value by digging deeper to understand what specific threats have a high probability of occurring (based on data), what the impact would be if they occurred and what we can do to reduce the risk.
For example, performing a thorough risk assessment might make it apparent that your security traders are located on an earthquake fault line, or the geo-location latitude-longitude places your major distribution center in the middle of a flood-zone. Perhaps some of your sites are in a high-crime area… you get the picture. This type of situational awareness is very important to you.
Mapping the probability of certain disruptive events occurring (earthquake on a fault line) to the impacts identified in your recently completed BIA will help you focus on whether it makes business sense for you to do mitigation, risk transfer or at least discuss the risk with management. If they decide to do nothing, well at least you did your due diligence and you will sleep better. Also, when that next earthquake, flood or fire does occur you will have ‘covered your butt’, as we say in the profession.
After you identify and categorize risks, you can then implement controls. The final decision for the type of controls that are needed lies with management as a result of your professional guidance. During the risk assessment your job is to identify and quantify the risks. Some risks you may try to prevent, mitigate or transfer. Others you may decide to accept, if the impact is low and the cost to mitigate is high.
Tip – During the Risk Assessment you will be researching and gathering data. It is also fruitful to brainstorm what-if scenarios with your teams. Discuss possible scenarios. Gather ideas from different people. Encourage them to speak up! Diversity of views is critical to a resilience program. It was a lack of communicating diverse views and everyone simply agreeing that allowed a generator needed to cool nuclear reactors to be placed in the basement in Fukushima, which ultimately contributed to the melt-downs.
- What-if there was an active shooter in the building?
- What-if there was a pandemic and people could not travel?
- What-if you are a logistics company and a major thoroughfare is closed?
- What-if a dirty bomb went off on your block?
- What-if there was a Pandemic?
- What-if there was a plane crash or a railroad derailment adjacent to your location?
If any of these threats can impact your employees or business you can build them into your analysis, controls, planning and tabletop tests.
Threat examples:
- Natural – Flooding, Dam/Levee Failure, Severe Thunderstorms (Wind, Rain, Lightning, Hail), Tornadoes, Wind storms, Hurricanes, Tropical Storms, Winter Storms (Snow/Ice), Earthquakes, Tsunamis, Landslides, Volcanos
- Biological – Pandemic Disease, Foodborne Illnesses
- Human – Accidents -Workplace Accidents, Transportation Accidents (Motor Vehicle, Rail, Water, Air), Structural Failure/Collapse, Mechanical Breakdown
- Human – Intentional Acts – Active Shooter, Labor Strike, Demonstrations, Civil Disturbance (Riot), Bomb Threat, Lost/Separated Person, Child Abduction, Kidnapping/Extortion, Hostage Incident, Cyber/Information Technology (Malware Attack, Hacking, Fraud, Denial of Service, etc.), War, Geopitical, Workplace Violence, Robbery, Sniper Incident, Terrorism (Chemical, Biological, Radiological, Nuclear, Explosives), Arson
- Cyber Security – Ransomware, Virus, Worm, Malware, data theft, Internet of Things
- Information Technology – Loss of Connectivity, Hardware Failure, Lost/Corrupted Data, Application Failure
- Utility Outage – Telecommunications, Electrical Power, Water, Gas, Steam, Heating/Ventilation/Air Conditioning, Pollution Control System, Sewage System
- Fire/Explosion – Fire (Structure, Wildland), Explosion (Chemical, Gas, or Process failure)
- Hazardous Materials -Hazardous Material spill/release, Radiological, Accident, Hazmat Incident off-site, Transportation Accidents, Nuclear Power Plant Incident, Natural Gas Leak Supply
- Supply Chain Interruption– Supplier Failure (Ties 1, 2 or 3), Transportation Interruption
- Environment –Commercial or Commuter Railroad derailment behind the parking lot, Proximity to Airport crash or equipment dropping from sky (it happens), Dangerous Neighbors (chemicals, fireworks)
- Black Swans – scenarios we cannot imagine until they occur and then we sort of connect the dots (after the fact) and think we should have thought of them (Taleb)
It is critical to know your assets:
- People
- Locations
- Systems
- Supply Chain
- Equipment
Probabilities (what is the likelihood of our assets being at risk):
This is where it starts to get really interesting and where we can go above and beyond by doing some analysis and data mining. There are many public and commercial data repositories you can data mine. I mention some of my favorites in the technology posts on UltimateBusinessContinuity.com.
Never say never! Even if the probability is low – high impact events can and do occur:
- NY Earthquake – Manhattan has experienced earthquakes. There is a fault line in Manhattan. Manhattan is overdue for a significant earthquake. If it should occur the impact could be high. Structures in Manhattan are often very close together. I have measured inches between some building and 20-30 feet between them is not unusual. New York buildings are not designed to earthquake resistant specifications, as they are in San Francisco.
- 100-year hurricane. In reality, it happens more often than every 100 years. New Orleans levees and a sea wall were built to withstand any hurricane…Until they encountered Katrina.
- Floods in the desert – Las Vegas and many other cities have had their share of severe flooding.
- Japan had sea walls prior to the Fukushima earthquake / tsunami. It gave people a false sense of complacency. That can cause people to build near the ocean.
- Nuclear and Dirty Bomb’s – Plan for worst case! Many cities are now doing emergency response exercises for full scale nuclear and dirty bomb events. Either can happen but a dirty bomb is easier than a nuclear weapon for terrorists or rogue nations to acquire or build and activate.
- Elecro Magnetic Pulse (EMP) device – could take out significant portions of the electrical grid. Easier than a nuclear weapon for terrorists or rogue nations to build and activate.
Tip – A GREAT SOURCE for hazard information including in many cases, hazard maps, mitigation strategies, planning, success stories and more is FEMA’s Directory of Emergency Management Agencies (https://www.fema.gov/emergency-management-agencies). In addition to every state in the United States it lists Guam, Commonwealth of the Northern Mariana Islands, Majuro, Republic of the Marshall Islands, Federated States of Micronesia, American Samoa, Koror, Republic of Palau, Puerto Rico and the Virgin Islands. It has a wealth of value.
Vulnerabilities (what are our weaknesses that can increase the impact more than necessary):
For each threat list your vulnerabilities (weaknesses) that would make an asset more susceptible to damage. Vulnerabilities include deficiencies in building construction, process systems, systems security, protection systems and loss prevention programs. They contribute to the severity of damage when an incident occurs. For example, a building without a fire sprinkler system could burn to the ground while a building with a properly designed, installed and maintained fire sprinkler system would suffer limited fire damage. Also, systems that have no login security or employees that are not required to change their login password or laptops that are not encrypted are vulnerabilities. These can lead to cyber security issues. Fortunately, there are simple controls that can be put in place to reduce the risk. I speak to some of those controls in the cyber security posts on UltimateBusinessContinuity.com.
Impacts:
Understanding the impact if a threat becomes a reality can be derived from the results of your business impact analysis. Look at all factors when considering impacts including:
- Casualties
- Business Interruption
- Location damage
- Loss of customers
- Financial loss
- Fines and penalties
- Lawsuits
Risk Calculation Formula:
When you have identified the threat level, vulnerabilities and impacts (from the BIA), you can plug those into the following risk formula or you can use your own preferred formula:
Risk=Threat x Vulnerability x Impact
Risk Profile Chart Examples:
After you calculate the threats, impacts and vulnerabilities you can rate and profile your risks based on probabilities vs. impacts. Here are a couple of the many types of charts commonly used to visually display risk impact. A simple search on the Internet will provide many additional examples. Usually the upper right portion displays the highest impact risks and the lower left displays the lowest impact risks.
Risk Reduction Strategies:
When you understand your risks and rank them you can then apply the appropriate controls. I provide risk reduction ideas in other cyber-related posts on Ultimate Business Continuity.
Prevent or Mitigate the Risk
There are many mitigation strategies you can implement that can reduce damage from threats. Site selection is one such strategy. Natural disasters are not usually caused by nature, often they are caused by humans. Selecting a site that is not subject to flood, storm surge, significant ground shaking from earthquakes or in proximity to hazardous facilities is a first consideration. Building construction must meet applicable building codes that include requirements for fire protection and life safety. Carefully review high valued assets including data centers, expensive production equipment and hazardous processes to determine the most appropriate protection in accordance with national standards. Computer security should be evaluated on an ongoing basis to determine whether electronic information is secure. New cyber threats arise on a regular basis.
Implement strategies to mitigate electrical power loss include providing uninterruptible power supplies (UPS) and an emergency standby generators for critical equipment. Your business continuity plans with recovery strategies is a key tool for risk mitigation.
You should research applicable fire prevention regulations, national standards and best practices to identify mitigation opportunities and requirements. Confer with your insurance agent, underwriter or broker to determine if they provide consultation services to assist with the development of customized protection specifications for a new or renovated facility. Highly protected facilities may be eligible for reduced insurance premiums. Always work with a respected professional.
Transfer the risk:
Purchasing insurance is a way to reduce the financial impact of a business interruption or loss/damage to a facility or critical equipment. Insurance companies provide coverage for property damage, business interruption, workers’ compensation, general liability, automobile liability and many other losses. Losses caused by flood, earthquake, terrorism or pollution may not be covered by standard property insurance policies. Flood insurance coverage for a facility located within a flood zone may possibly be purchased through the National Flood Insurance Program.
Earthquake, terrorism and pollution coverage may be purchased separately or as an endorsement to an existing policy. Coverage for other hazards such as mold may be provided as part of the basic property insurance, but the amount of loss payable under the policy may be limited.
Business interruption coverage is available to reimburse profits during the business shutdown and certain continuing expenses. Contingent business interruption coverage is available to reimburse losses caused by a supplier failure. Endorsements to standard policies can cover extra expenses, such as the additional costs for expedited delivery of replacement machinery following an insured loss.
Review your insurance policies with your agents, brokers or directly with your insurers to determine whether your insurance policies adequately cover your potential losses. Consider the following recommendations.
An acceptable risk is a risk that is understood and tolerated. Generally, it is tolerated because the cost or difficulty of implementing an effective countermeasure for the associated vulnerability exceeds the expectation of loss.
Include the supply chain as part of your risk assessment:
A worthwhile exercise is to do an analysis of all of your suppliers and vendors. If a critical supplier failed, would that impact your business? For each entity collect all information that is important to your organization including:
- Their level of criticality
- Are they a single point of failure?
- Do you have alternate suppliers or vendors if the primary one is not available?
- Do they have a tested business continuity plan in place? Can you review results of recent tests?
- Have they been audited by an outside audit company? Can you review the results?
- Can they provide you with a SAS 70 or another certification? I would also recommend an in-person walk through of critical vendor facilities such as data centers
The results of the BIA and the RA will enable you to understand your organization and produce a consolidated report for management. We will discuss the executive report in the next post.