APPENDIX 4: RISK ASSESSMENT QUESTIONNAIRE

<Organization>

Risk assessment questionnaire

<Version>

<Date of approval and publishing>

Risk

Fire

Consideration points

  • Is the building built from combustible material?
  • Are the furniture and office preparations made from combustible material?
  • Are there dangerous activities in the surroundings of the building?
  • Are there fire alarm systems and smoke detectors installed?
  • Are there clear alarm triggers deployed within the building?
  • Do the fire alarm systems and smoke detectors go through periodical testing and maintenance?
  • Are there sprinklers deployed across the building?
  • Are there fire extinguishers deployed over all locations in the building?
  • Do the deployed fire extinguishers go through periodical maintenance?
  • Is smoking and cooking allowed in the building? Is there a smoking room? Are ashtrays available?
  • Do computer rooms and data centers have their own fire alarm and suppression systems?
  • Are there evacuation plans in place?
  • Are there multiple exits to the building?
  • Have the evacuation plans been communicated to employees?
  • Have the evacuation plans been tested in the past 12 months?
  • Have the employees been trained in first aid and fire fighting?
  • Are important documents held in fire-resistant safes and vaults? What are their ratings?
  • Are data tapes and backup media stored off site in vaults and safes?
  • Is there a 24/7 manned control and surveillance room?
  • Is there a hotline or known number to report fire in the building? Is this number continuously communicated?
  • Are water storage units and supplies adequate for fire fighting?
  • Have there been major fire incidents before? What were their root causes? Have these root causes been rectified?

Critical areas affected

<List the critical assets or processes that will be affected if the risk materializes>

Risk probability rating

Low/medium/high

Risk impact rating

Low/medium/high

Risk rating (probability x impact)

 

Risk

Flooding/water leakage/severe weather conditions

Consideration points

  • Is the building close to rivers, water streams, and main water pipes?
  • Does the area suffer from heavy storms, high rainfall, or seasonal floods?
  • Does the surrounding environment have good sewage and drainage systems?
  • Are the building walls, floors, ceilings, and basement well isolated against water leakage?
  • Is the computer room or data center located in the basement or on the ground floor?
  • Does the computer room or data center have a raised floor?
  • Is the archiving room located in the basement or on the ground floor?
  • Does the archiving room have a raised floor?
  • Are electrical wiring and cables placed on specific trays and paths?
  • Is the computer room or data center equipped with fluid detection sensors and alarms?
  • Have there been serious flooding/water leakage incidents in the past? Were the root causes defined? Were they rectified?

Critical areas affected

<List the critical assets or processes that will be affected if the risk materializes>

Risk probability rating

Low/medium/high

Risk impact rating

Low/medium/high

Risk rating (probability x impact)

 

Risk

Earthquake/strong vibrations

Consideration points

  • Is the area known for having seismic activity? How frequently do earthquakes hit?
  • Does the surrounding area contain activities that generate strong vibrations like mining and heavy industries?
  • Is the building designed to resist earthquakes? Does it have dampers?
  • How many floors/stories does the building have?
  • Is the computer room located on the ground, middle, or higher floors?
  • Are safe areas within the building defined and known to people?
  • Does the surrounding environment contain high-rise or smaller buildings? Does it contain parks, parking lots, courts, or open spaces where people can assemble?

Critical areas affected

<List the critical assets or processes that will be affected if the risk materializes>

Risk probability rating

Low/medium/high

Risk impact rating

Low/medium/high

Risk rating (probability x impact)

 

Risk

Pandemics/virus or bacteria outbreak

Consideration points

  • Has the area, or other close areas, been reported to have confirmed cases of infection?
  • Are there hospitals in the surrounding areas?
  • Do you have disinfectant and hygiene equipment installed in the public areas like toilets, restaurants, entries and exits?
  • Do you have succession plans in place?
  • Are workplaces organized as open spaces or separate offices?
  • Are toilets, smoking rooms, cafeterias, and gathering areas shared or isolated?
  • Is there a procedure in place for isolating contaminated areas?
  • Are there related awareness materials and messages issued to employees regarding avoiding and protecting themselves from infection?
  • Is there a hotline for reporting suspected cases or outbreaks?
  • Are there alternative locations to use in case original locations are closed for disinfection?
  • Are remote access solutions deployed?
  • Are there arrangements for an alternative workforce from outsourcing vendors?

Critical areas affected

<List the critical assets or processes that will be affected if the risk materializes>

Risk probability rating

Low/medium/high

Risk impact rating

Low/medium/high

Risk rating (probability x impact)

 

Risk

Disgruntled employees/high employee turnover/insufficient number of employees/low employee morale

Consideration points

  • Are there procedures for measuring employees’ satisfaction periodically?
  • Are there procedures for managing disgruntled employees?
  • Are there open communication channels between employees and management?
  • Is there a root cause analysis for high turnover ratios?
  • Are there procedures for knowledge transfer?
  • Are there talent management, pooling, and distribution policies in place?
  • Are there well-documented procedures in place?
  • Is there proper capacity planning for the human resources needed?
  • Are vacation policies and plans enforced?
  • Are there succession planning policies in place? Are they enforced?
  • Are there policies for job rotation and cross-training in place? Are they enforced?
  • Does the management have active employee participation and morale lifting/loyalty enhancement programs in place?

Critical areas affected

<List the critical assets or processes that will be affected if the risk materializes>

Risk probability rating

Low/medium/high

Risk impact rating

Low/medium/high

Risk rating (probability x impact)

 

Risk

Inaccessibility/riots/civil unrest/sabotage/theft/terrorist acts/poor physical security/bomb threats

Consideration points

  • Does the surrounding area have poor security levels?
  • Is the crime rate in the surrounding area higher than other areas?
  • Are there signs of political instability in the area?
  • Are there frequent demonstrations and assemblies of large numbers of people?
  • Do such demonstrations usually last for long periods? How do they break up?
  • Do authorities face such demonstrations with force or peaceful tactics?
  • Are these demonstrations or assemblies associated with sabotage and violent activities?
  • Does the building have multiple exits?
  • Are there strong physical security preparations in place?
  • Are security staff and personnel trained and of a high caliber?
  • Are there police or law enforcement stations or centers nearby?
  • Are there known possible targets for terrorist attacks?
  • Have there been bomb threats or terrorist attacks made to the organization or other nearby premises?
  • Are there procedures in place to handle such threats and attacks?
  • Are computer rooms or data centers located in the same building or in different locations?
  • Is there insurance against sabotage and theft? Is the coverage adequate?
  • Are there intrusion alarms and hotlines to police or law enforcement authorities?
  • Are there frequent updates from the local authorities on the security situation in the surrounding area?
  • Are there procedures for managing escalating events with intruders or burglars?
  • Are there access controls to the building?

Critical areas affected

<List the critical assets or processes that will be affected if the risk materializes>

Risk probability rating

Low/medium/high

Risk impact rating

Low/medium/high

Risk rating (probability x impact)

 

Risk

Usage of hazardous materials

Consideration points

  • Are there hazardous materials stored and handled in the building or in the surrounding areas?
  • Are the storage and handling areas isolated and access controlled?
  • Are the quantities stored and handled large or small?
  • Are there procedures to contain spilled or leaked materials?
  • Are the personnel involved getting periodic training and skills enhancement?
  • Are there hotlines to local authorities for serious incidents related to hazardous materials?
  • Are there alternative locations to use if original locations are contaminated or closed?
  • Are storage and handling areas of hazardous materials close to computer rooms or data centers?
  • Are storage and handling areas of hazardous materials close to public areas like restaurants and smoking rooms?
  • Are storage and handling areas of hazardous materials close to archiving rooms and warehouses?
  • Is there enough equipment to handle incidents related to storing and handling hazardous material?

Critical areas affected

<List the critical assets or processes that will be affected if the risk materializes>

Risk probability rating

Low/medium/high

Risk impact rating

Low/medium/high

Risk rating (probability x impact)

 

Risk

Bad reputation/poor customer service

Consideration points

  • Are corporate image and perception a consideration in new products and services?
  • Are there specialized policies and procedures for handling interactions with the media (traditional and online social networks)?
  • Is there a dedicated team responsible for monitoring the public image and perception of the organization?
  • Does the management get regularly briefed on developments related to the image and perception of the organization?
  • Are there continuous public perception surveys and brand valuations?
  • Are continuous market research and competitors’ analysis performed and reported?
  • Is there a policy and procedure to respond to reputational risks and media campaigns?
  • Are there customer service quality policies and procedures?
  • Are customer service and customer-facing staff being continuously trained in effective customer service?
  • Are there relatively independent quality assurance teams that monitor and report the level of customer service?
  • Is the mystery shopper process implemented?
  • Are there customer surveys being initiated with the customers?
  • Are there hotlines or known contact information where customers can report their comments and complaints?
  • Are there complaint management and resolution policies and procedures in place?
  • Are there complaint management and resolution teams in place? Is reporting to the management in place?
  • Is there a published escalation process through which the customer can resolve the complaint?
  • Are customer service criteria and performance levels considered in the annual appraisal and evaluation?
  • Are customer service levels being compared to market and industry norms? Are enhancement processes in place?

Critical areas affected

<List the critical assets or processes that will be affected if the risk materializes>

Risk probability rating

Low/medium/high

Risk impact rating

Low/medium/high

Risk rating (probability x impact)

 

Risk

Non-adherence to laws and regulations

Consideration points

  • Are there relevant specific laws and regulations that govern the organization and its operations, products, and services?
  • Are these laws and regulations effectively communicated to all relevant stakeholders?
  • Are there regular training programs and awareness on how to comply with such laws and regulations?
  • Are the consequences of non-compliance known and communicated to management, decision makers, and relevant stakeholders?
  • Are there specialized legal and compliance teams in place?
  • Are there proper communication channels with statutory and regulatory bodies?
  • Do internal and external audits include adherence to laws and regulations?

Critical areas affected

<List the critical assets or processes that will be affected if the risk materializes>

Risk probability rating

Low/medium/high

Risk impact rating

Low/medium/high

Risk rating (probability x impact)

 

Risk

IT systems failure/network and communications unavailability

Consideration points

  • Are there defined architecture policies and guidelines for the IT and communications setup?
  • Are systems located on dedicated servers inside a dedicated and closed space?
  • Are systems being maintained regularly and updates/fixes applied as needed?
  • Is the computer room monitored and access controlled?
  • Are systems being categorized according to criticality and importance?
  • Are assets related to systems like servers and licenses maintained in an asset management system?
  • Are there systems hosted outside the organization?
  • Are there redundancies/clusters deployed?
  • Are there support agreements with vendors? Are those agreements reviewed and updated as needed?
  • Are there dedicated monitoring and support teams available for the IT systems?
  • Is there an IT audit performed regularly?
  • Is there a remote disaster recovery site? Is there a disaster recovery plan? Is the plan regularly tested?
  • Are data being backed up regularly?
  • Are there multiple vendors available in the market?
  • Do the vendors providing critical systems have disaster recovery sites and plans?
  • Are there multiple paths for networks and communications available? Are they load-balanced or redundant?
  • Is there a capacity planning process in place for IT systems and network bandwidth?
  • Have there been serious outages to the systems and network/communications?

Critical areas affected

<List the critical assets or processes that will be affected if the risk materializes>

Risk probability rating

Low/medium/high

Risk impact rating

Low/medium/high

Risk rating (probability x impact)

 

Risk

Exposure of confidential data and information/security breach/loss of data

Consideration points

  • Is there a comprehensive information security program in place?
  • Is there a dedicated information security team that is responsible for setting up policies and procedures?
  • Are there security devices and applications deployed to protect access to and usage of data?
  • Is there a 24/7 security monitoring and operation team?
  • Is there a communicated and approved access policy and matrix?
  • Is there regular backup of data? Is the backup encrypted? Is the backup taken at regular intervals?
  • Is there an asset classification process and reporting?
  • Are there policies and procedures for security incident handling, resolution, and reporting?
  • Were there serious security breaches that affected the organization?
  • Are remote access and public services encrypted and verified by an external authority?
  • Is there regular vulnerability assessment in place?
  • Is there external security audit and assessment in place?
  • Are there regular training and awareness campaigns in place?
  • Is anti-virus software deployed and continuously updated on connected terminals?
  • Are critical records stored and protected in fireproof and waterproof safes and vaults?
  • Do new employees review and sign the security policies in relation to their tasks/responsibilities/job descriptions?
  • Is there a social media security policy in place?

Critical areas affected

<List the critical assets or processes that will be affected if the risk materializes>

Risk probability rating

Low/medium/high

Risk impact rating

Low/medium/high

Risk rating (probability x impact)

 

Risk

Human error/negligence

Consideration points

  • Are there clear job descriptions for all staff?
  • Are there clear policies and roles and responsibilities?
  • Are there exception handling sections in all policies?
  • Do employees get trained on new products and services before launch?
  • Do employees get their annual vacations as required by law?
  • Are processes separated into parts (making/checking/approving)?
  • What is the percentage of automated processes compared to all processes?
  • Is there root cause analysis for incidents involving human error and negligence?
  • Are employees included within self-development programs and campaigns?

Critical areas affected

<List the critical assets or processes that will be affected if the risk materializes>

Risk probability rating

Low/medium/high

Risk impact rating

Low/medium/high

Risk rating (probability x impact)

 

Risk

Power outage

Consideration points

  • Are there multiple generators available in the building? Are they tested under real loads?
  • Are adequate fuel supplies available in the building or nearby areas?
  • Are there uninterruptible power supplies (UPSs) available for computer rooms and security systems?
  • Are there multiple power feeds connected to the building?
  • Is there a history of power outages in severe weather conditions?
  • Is proper capacity planning conducted for power needs?
  • Is power cabling regularly maintained?

Critical areas affected

<List the critical assets or processes that will be affected if the risk materializes>

Risk probability rating

Low/medium/high

Risk impact rating

Low/medium/high

Risk rating (probability x impact)

 

Risk

Poor vendor performance

Consideration points

  • Are there binding contracts with vendors? Are penalties enforced?
  • Is there a proper assessment of vendors before procurement?
  • Are there binding guarantees for proper performance of vendors?
  • Are there multiple vendors available for a certain set of products or services?
  • Are contracts reviewed and enhanced?
  • Are vendors reviewed against adhering to relevant policies and guidelines?
  • Is a stock and supply chain management system implemented and reviewed?
  • Is there a clear policy on authorities for contracting with vendors?
  • Are vendor relations and performance under regular audit or review?

Critical areas affected

<List the critical assets or processes that will be affected if the risk materializes>

Risk probability rating

Low/medium/high

Risk impact rating

Low/medium/high

Risk rating (probability x impact)

 
