APPENDIX 5: RISK ASSESSMENT REPORT

<Organization>

Risk assessment report

<Version>

<Date of approval and publishing>

Introduction

In the course of its business, <organization> encounters different threats that affect its assets, services, and work environment. As part of the BCM life cycle, the goal of risk assessment is to identify, analyze, weigh, and prioritize the potential risks and hazards that affect critical aspects of the internal and external environments. By identifying these threats and hazards, <organization> can concentrate on developing and implementing strategies, plans, and tactics that mitigate them and reduce their probabilities and/or related impacts.

Objectives

The objectives of the risk assessment phase in the BCM life cycle are to:

  • identify sources of risks;
  • identify the probability and impact of each identified risk;
  • define treatment strategies and plans for each of the identified risks;
  • contribute to determining the overall risk profile of <organization> and the related treatment plans.

Approach

The risk assessment was performed through the following activity streams:

  • Questionnaires: Representatives or coordinators from various departments were provided with questionnaires listing the major risks that could affect the internal and external environments and that would introduce the severe negative impacts which typically characterize a crisis or serious incident. The representatives or coordinators provided their feedback on the probability and impact for each of these risks.
  • Interviews: Specific interviews were held with various stakeholders to clarify ambiguous or incomplete aspects of the identified risks.
  • Observations and site visits: Observations and site visits provided rich sources of information regarding the threats and hazards in the operating environment and premises.

Ratings of risks

The ratings (low/medium/high) given to risks are based on probability and impact. The probability identifies the chance of the realization of the risk in the current environment. The impact identifies the consequences and effects when these risks materialize. The risk rating is calculated as follows:

risk = probability x impact

Once calculated, the risk ratings are qualified into three categories: low, medium, and high. The qualification scheme below lists each risk rating, the probability x impact combinations that produce it, and its explanation:

  • Low (low x low; low x medium): A low risk rating indicates that the probability of its occurrence is low and the potential impact of the threat is insignificant.
  • Medium (medium x low; high x low): A medium risk rating indicates that the probability of its occurrence is moderate and the potential impact of the threat may result in a disaster if it is not adequately controlled or addressed.
  • High (medium x high; high x medium; high x high): A high risk rating indicates that the probability of its occurrence is high and the potential impact is so significant that it may result in a disaster.

Risk management techniques

Risk management options fall into four categories: accept or take, monitor and avoid, monitor and transfer, and mitigate. Below is an explanation of each of these management techniques:

  • Accept: The risk is accepted when the probability and impact are reasonably low or the cost of treating the risk is unreasonably high.
  • Monitor and avoid: This option is selected when the probability of occurrence is relatively high but the impacts are low or insignificant. As these risks need to be closely monitored for impact increases, their causes are avoided as much as possible in order to eliminate or reduce a high probability.
  • Monitor and transfer: Risks that are low in probability and high in impact are managed through the transfer of risk and responsibility. Insurance is a clear example of this option. These risks need to be closely monitored for probability increases.
  • Mitigate: Mitigation of a risk involves actions to reduce its probability and/or impact. These actions may be physical through hardware and resources or logical through policies and controls.
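The qualification scheme and the treatment techniques above can be applied mechanically to a risk register. The following Python is an added example (not part of the report template) that encodes the rating table exactly as listed, flags the probability x impact combinations the scheme leaves undefined (a gap a reviewer should close before the report is approved), and maps each risk onto one of the four techniques; the reading of "reasonably low" as a Low overall rating and the sample register are assumptions.

```python
from dataclasses import dataclass
from itertools import product

LEVELS = ("low", "medium", "high")

# (probability, impact) -> rating: exactly the cells the qualification table lists.
# Cells the table omits (low x high, medium x medium) are deliberately absent.
RATING_TABLE = {
    ("low", "low"): "low", ("low", "medium"): "low",
    ("medium", "low"): "medium", ("high", "low"): "medium",
    ("medium", "high"): "high", ("high", "medium"): "high", ("high", "high"): "high",
}

@dataclass(frozen=True)
class Risk:
    risk_id: str
    probability: str
    impact: str

def rate(risk):
    """Return low/medium/high, or 'unrated' when the scheme has no cell for the pair."""
    if risk.probability not in LEVELS or risk.impact not in LEVELS:
        raise ValueError(f"{risk.risk_id}: levels must be one of {LEVELS}")
    return RATING_TABLE.get((risk.probability, risk.impact), "unrated")

def missing_cells():
    """Probability/impact pairs the qualification table leaves undefined."""
    return [pair for pair in product(LEVELS, LEVELS) if pair not in RATING_TABLE]

def suggest_treatment(risk):
    """Map the probability/impact shape onto the four techniques as the text describes them.
    Assumption: 'reasonably low' for Accept is read as a Low overall rating."""
    p, i = risk.probability, risk.impact
    if p == "high" and i == "low":
        return "monitor and avoid"
    if p == "low" and i == "high":
        return "monitor and transfer"
    if rate(risk) == "low":
        return "accept"
    return "mitigate"

# Constructed sample register (illustrative only, not data from the report).
SAMPLE_REGISTER = [
    Risk("RSK001", "medium", "high"),   # rated high -> mitigate
    Risk("RSK002", "low", "high"),      # no cell in the table -> unrated, monitor and transfer
    Risk("RSK003", "high", "low"),      # rated medium -> monitor and avoid
    Risk("RSK004", "low", "medium"),    # rated low -> accept
]
```

Running `missing_cells()` before sign-off shows which combinations the approving body still has to assign a rating to; an empty list means every cell of the matrix is covered.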

Summary of results

<Charts summarizing the risk assessment results>

Detailed risk information

<List information collected from questionnaires>.

Risk treatment plan

ID        Risk        Treatment actions        Review date        Targeted risk rating
RSK001
RSK002
RSK003
RSK004
RSK005
RSK006
RSK007
RSK008
RSK009
RSK010
RSK011
RSK012
RSK013
RSK014
RSK015
RSK016
RSK017
RSK018
RSK019
RSK020
RSK021
RSK022
RSK023
RSK024
RSK025
RSK026
RSK027
