XYZ SITE /PROJECT Risk Register

Reference - Issue No.: and/or Issue Date:
Future Review date:

Record by rows and cells as necessary.

Column headings:

• Identified Risks
• Risk Statement (e.g. description of each specific risk scenario with regard to people, information, physical assets, finances, reputation, and any other "things you value")
• Consequence (1, 2, 3, 4, or 5 - see Sheet 1)
• Likelihood (A, B, C, D or E - see Sheet 1)
• Risk level (L, M, H or VH - see Sheet 1)
• Analysis & Evaluation
• Existing controls described & evaluated: What we are doing now to manage this risk.
• Effectiveness of our strategies:
  N = Not generally applied or only applied in isolated situations, for example in less than 20% of cases;
  P = Partially applied, not usually documented or applied in less than 50% of cases;
  L = Largely applied, formally documented and largely repeatable or applied in up to 85% of cases;
  F = Fully applied, formally documented and fully repeatable or applied in more than 85% of cases.
• Accept Risk (Yes or No)
• Further Actions
• Further Action Needed & Opportunities for improvement - Include milestone(s) & target date(s)
• Assigned To
• Opportunities for
• Revised Risk level (L, M, H or VH - see Sheet 1)

Pre-filled cells:

| Risk level | Accept Risk (Yes or No) | Revised Risk level |
|---|---|---|
| VH | No | VH |
| VH | No | VH |
| VH | No | VH |
| VH | No | VH |
| H | No | H |
| H | No | H |
| H | No | H |
| M | Yes | M |
| M | Yes | M |
| M | Yes | M |
| L | Yes | L |
| L | Yes | L |
| L | Yes | L |

Determining the Level of Risk

NB: This workbook will record the quality of your planning process - it will not ensure it.

This worksheet can be used to identify the level of risk and help to prioritize any interventions or control measures.

Risk Assessment Step 1. Determine your “risk appetite” – establish your areas of consideration ("things you value") & your “acceptability” thresholds.

You should copy this template and adjust these criteria for each "thing you value". The "area of consideration" example used below is injury to people.

Consequence Criteria

| Consequence | Criteria |
|---|---|
| 1 – Insignificant | Dealt with by in-house first aid, etc |
| 2 – Minor | Medical help needed. Treatment by medical professional/hospital outpatient, etc |
| 3 – Moderate | Significant non-permanent injury. Overnight hospitalisation (inpatient) |
| 4 – Major | Extensive permanent injury (eg loss of finger/s). Extended hospitalisation |
| 5 – Catastrophic | Death. Permanent disabling injury (eg blindness, loss of hand/s, quadriplegia) |

Consider the consequences and likelihood for each of the identified risks and use the matrix* below to establish a risk level.

| Likelihood | 1 – Insignificant | 2 – Minor | 3 – Moderate | 4 – Major | 5 – Catastrophic |
|---|---|---|---|---|---|
| A - Almost certain to occur in most circumstances | Medium (M) | High (H) | High (H) | Very High (VH) | Very High (VH) |
| B - Likely to occur frequently | Medium (M) | Medium (M) | High (H) | High (H) | Very High (VH) |
| C - Possible and likely to occur at some time | Low (L) | Medium (M) | High (H) | High (H) | High (H) |
| D - Unlikely to occur but could happen | Low (L) | Low (L) | Medium (M) | Medium (M) | High (H) |
| E - May occur but only in rare and exceptional circumstances | Low (L) | Low (L) | Medium (M) | Medium (M) | High (H) |

Matrix* from page 55 of HB 436:2004 issued by Standards Australia to support the Australia /New Zealand Standard for Risk Management (AS/NZS 4360)

N.B. This document is a sample Vulnerability Assessment tool. It is not a substitute for a comprehensive emergency preparedness program. Individuals or entities using this tool are solely responsible for any hazard assessment and compliance with applicable laws and regulations.
Vulnerability Assessment Workbook

Instructions

Print this sheet (two pages) and use when completing sheets 2, 3 & 4.

Evaluate potential for event & response among the following categories using the hazard specific scales in sheets 2c & 2d of this Workbook. Assume each event incident occurs at the worst possible time.

Sheet 2b informs Business Impact considerations. Please note specific score criteria on each work sheet to ensure accurate recording.

Issues to consider for chance of occurrence include, but are not limited to:
1. Known risk
2. Historical data
3. Manufacturer/vendor statistics

Issues to consider for response include, but are not limited to:
1. Time to marshal an on-scene response
2. Scope of response capability
3. Historical evaluation of response success

Issues to consider for human impact include, but are not limited to:
1. Potential for staff death or injury
2. Potential for public death or injury

Issues to consider for property impact include, but are not limited to:
1. Cost to replace
2. Cost to set up temporary replacement
3. Cost to repair
4. Time to recover

Issues to consider for business impact include, but are not limited to:
1. Business interruption
2. Employees unable to report to work
3. Customers unable to reach facility
4. Company in violation of contractual agreements
5. Imposition of fines and penalties or legal costs
6. Interruption of critical supplies
7. Interruption of product distribution
8. Reputation and public image
9. Financial impact/burden

Issues to consider for preparedness include, but are not limited to:
1. Status of current plans
2. Frequency of drills
3. Training status
4. Insurance
5. Availability of alternate sources for critical supplies/services

Issues to consider for internal resources include, but are not limited to:
1. Types of supplies on hand/will they meet need?
2. Volume of supplies on hand/will they meet need?
3. Staff availability
4. Coordination & Communication capability
5. Availability of back-up systems
6. Internal resources ability to withstand disasters/survivability

Issues to consider for external resources include, but are not limited to:
1. Types of agreements with community agencies/drills?
2. Coordination with local and state agencies
3. Coordination with proximal health care facilities
4. Coordination with treatment specific facilities
5. Community resources

Complete worksheets for all Hazards. The summary section will automatically provide your specific and overall risk profile.

Notes developed from work by Kaiser Permanente.

Questionnaire: Mapping Business Impact Vulnerability

This form captures a summary of the organisation's key functions, the things which rely on those functions and the things upon which those functions rely. The information will provide input to our enterprise wide Business Impact Assessment (BIA) considerations.

Completed by:
Title:
Phone:
Date Received:
Reviewed by:
Request Date Reviewed:

1) Business Unit:

2) Business Function:

3) Mission Critical Business Processes:
A business process is a set of tasks that contribute to the operation of your business function. Please list the primary and most critical processes that are performed by your business function. (Rows 1 to 6)

4) Business Function Dependencies:
List the areas, business units, or customers, in priority order, that your critical processes support. Indicate if they are Internal or External to the organisation. Indicate if the customer dependency is outside the Region or Country. (Rows 1 to 6; columns: I or E, Internat'l (Y or N))

5) Operational Detail:
• Hours of Operation:
• Total Number of Personnel Supporting this Function
• Number of People Needed for Critical Business Processes
• Describe Peak Periods
• Peaks: Annually, Quarterly, Monthly, Weekly, Daily

6) Business Function Information:

• In the event your business function experiences an interruption (e.g. work area, phones, systems and software applications become suddenly unavailable) what manual processes or 'work around' procedures could be performed, if any, until systems are restored?
• How long could you operate in a manual mode before systems become available? (Consider the amount of backlogged and missing data.)
• What additional resources are needed to perform your mission critical business processes manually? (I.E. additional staff, forms, phone, manual accounting, log sheets, etc.?)
• In the event of a disruption, there would be some "lost data or transactions". Describe the data loss for this function.
• Could lost data or "work in progress" transactions be recovered? How will lost data be recovered?
• Do you rely on specialised or unique equipment to perform your critical processes? If yes, list equipment.
• Summarise exposures and risks that management should be aware of in the event of a disruption:

2. Are there written procedures for operating in a manual mode?
3. When were the procedures for operating in a manual mode last updated?
7. Are there written procedures for recovering lost data?
8. When were the procedures for recovering lost data last updated?
10. Are there data integrity or specific balancing procedures to verify the integrity of the restored and/or reconstructed data?
11. Do you store critical data or information on your desktop or laptop?
12. How is this critical data backed up?
13. How often is the backup sent offsite?
14. Do you rely on data (information) that is not electronic? Specify the data and the type of media (ie. contracts, forms, personnel records, etc.)?
15. Is the non-electronic data backed-up (copied) and stored offsite?
16. Are documented procedures for business function processes, recovery of lost data and balancing stored offsite?
18. If lost data could not be recovered, what is the potential impact to your business function and on the entire company?

7) Process Flow Information:

Consider the inputs and outputs while documenting this section. What business departments or third-party resources do you rely on and which ones rely on you to complete this function?

Who do you rely on for input?
• List the type of data and where it comes from (i.e. Sales invoices from Sales, internal, fax & mail)
• Specify (IT, Internal dept, or External/3rd Party Name)
• How is data received? (fax, phone, electronic)
• Internat'l (Y or N)

Who relies on you for output?
• List the type of data and where you are sending it to. (e.g. Sales Revenue to Banks)
• Specify (IT, Internal dept, or External/3rd Party Name)
• How is data received? (fax, phone, electronic)
• How often? (i.e. hourly, daily, monthly, etc.)?
• Internat'l (Y or N)

Do you rely on computers only? Do you rely on computers and telephone?

What operations do outside resources perform to assist this function (e.g. do you outsource cheque printing, report distribution, nightly processing, batch processing, master CD production, etc.)?

Identify and explain any specific legal, regulatory, contractual, and compliance issues or consequences (e.g. government agency obligations, customer contracts, Service Level Agreements etc.):
• Legal
• Regulatory
• Contractual
• Compliance

8) Timeframe for Recovery

MTO: A Maximum Tolerable Outage is defined as the maximum elapsed time an application or process can sustain an interruption from the time a crisis is identified to the restoration of service.

RPO: A Recovery Point Objective is defined as the maximum data loss this application or process can sustain and still be satisfactory (for the corporate business goals).

In your opinion, what is the MTO for this business function? Please insert MTO in one box below. (Rows 1 to 5)

< 1 Day | < 2 Days | < 5 Days | < 10 Days | 30 Days +

Score in each of the cells for each relevant hazard based on a scale of 0 to 5 - with 5 being the highest. The more you have investigated and thought about impact and capability elements, the more accurate your assessment will be.
Risk Identification & Assessment Tool

Notes: This tool profiles your vulnerability to various sources of risk (hazards - or extreme events). Using a scale of 1 to 5, likelihood of occurrence and impact potential are weighed against capability. The result is a calculation of risk. The highest score possible is 5.0. The lower the total score, the lower the overall risk (from the hazard).

Instructions: Please add or delete Hazards in Risk Source Column (B) to suit your particular context and location. (The default list is developed from NFPA 1600 - Standard for Disaster/Emergency Management and Business Continuity Programs)

Impact: Based on “worst-case scenario” - impact on people, property, infrastructure & business should worst-case event occur. After entering the attributed scores, sort the Total Column in descending order to profile your vulnerability.

Location; Facility; or Entity: (e.g. Our Building; or Our Company Pty Ltd; our Area)

| Risk Source (Hazard) | Chance of Occurrence | Speed of Onset | Duration of Impact | Impact on Property | Impact on People | Pre-Impact Planning | Awareness Level | Resources Capability | Total |
|---|---|---|---|---|---|---|---|---|---|
| Natural Events | | | | | | | | | |
| Avalanche | | | | | | | | | 0.0 |
| Biological | 4 | 2 | 2 | 1 | 5 | 3 | 4 | 2 | 2.6 |
| Drought | | | | | | | | | 0.0 |
| Dust/Sand Storm | | | | | | | | | 0.0 |
| Earthquake | 4 | 5 | 2 | 3 | 3 | 2 | 2.5 | 2 | 4.2 |
| Extreme Heat/Cold | | | | | | | | | 0.0 |
| Fire (forest, range, urban) | | | | | | | | | 0.0 |
| Flood/Wind driven water | 4 | 4 | 3 | 3 | 1 | 3 | 3 | 3 | 3.2 |
| Hurricane | | | | | | | | | 0.0 |
| Landslide | | | | | | | | | 0.0 |
| Lightning Storm | | | | | | | | | 0.0 |
| Snow/Ice/Hail | | | | | | | | | 0.0 |
| Tornado | | | | | | | | | 0.0 |
| Tsunami | | | | | | | | | 0.0 |
| Volcanic Eruption | | | | | | | | | 0.0 |
| Windstorm/Tropical Storm | 1 | 5 | 2 | 4 | 3 | 1 | 1 | 1 | 4.1 |
| Technological/Industrial Events | | | | | | | | | |
| Building/Structure Collapse | | | | | | | | | 0.0 |
| Business Interruption | | | | | | | | | 0.0 |
| Dam/Levee Failure | | | | | | | | | 0.0 |
| Explosions/Fire | | | | | | | | | 0.0 |
| Extreme Air Pollution | | | | | | | | | 0.0 |
| Financial Collapse | | | | | | | | | 0.0 |
| Fuel/Resource Shortages | | | | | | | | | 0.0 |
| Hazardous Material Releases | | | | | | | | | 0.0 |
| Power/Utility Failure | | | | | | | | | 0.0 |
| Radiological Accidents | | | | | | | | | 0.0 |
| Transportation Accidents | | | | | | | | | 0.0 |
| Civil/Political Events | | | | | | | | | |
| Civil Unrest | | | | | | | | | 0.0 |
| Eco-Terrorism | | | | | | | | | 0.0 |
| Economic | | | | | | | | | 0.0 |
| Enemy Attack | | | | | | | | | 0.0 |
| General Strike | | | | | | | | | 0.0 |
| Hostage Situation(s) | | | | | | | | | 0.0 |
| Sabotage | | | | | | | | | 0.0 |
| Terrorism | | | | | | | | | 0.0 |

KEY
High Risk: Greater than 3.5
Medium Risk: 2.0 to 3.5
Low Risk: Less than 2

Analysis of Results: You should consider strengthening your preparedness capability. If your snapshot indicates a level of concern re vulnerability you may want to consider capacity building processes.

2d. Vulnerability (Terrorism)

Facility "Inherent" Vulnerability Assessment Matrix (Terrorism)

Notes: Developed from FEMA Terrorism Planning Courses, this tool profiles indicators of inherent vulnerability to terrorism of an asset derived from the nature of that asset. Suitable for contexts from plant to gathering places. Uses a scale of 1 to 5, to

Instructions: In the Table below Row 14, attribute a score of 0 to 5 against each CRITERIA for each ASSET under consideration in column K.

• Asset Visibility is about how aware the general public is of the existence of the facility, site, system, or location.
• Target Utility is about how valuable the place might be in meeting the range of objectives of a potential terrorist or saboteur - the modern era has seen the focus expand beyond politically iconic targets to pick up "soft" /cage rattling targets.
• Asset Accessibility is about how accessible the place is to the public and service providers (builders, cleaners, food vendors, waste managers etc).
• Asset Mobility is about whether the asset's location is fixed or mobile. If mobile, how often is it moved, relocated, or repositioned?
• Presence of Hazardous Materials is about whether flammable, explosive, biological, chemical, and/or radiological materials are present on site.
• Collateral Damage Potential is about the potential consequences for the surrounding area if the asset is attacked or damaged. This should include the domino effect on lifelines - e.g. a dam failure may knock out utility infrastructure to a city /region.
• Site Population is about the potential for mass casualties based on the maximum number of individuals on site at a given time.

Location; Facility; or Entity: ######### WORKED EXAMPLE ONLY

| CRITERIA | Scale descriptors (0 to 5, low to high) | Score |
|---|---|---|
| Target Visibility | not well known; locally known; widely known | 4.0 |
| Target Utility | none; very low; low; medium; high; very high | 4.5 |
| Asset Accessibility | remote, secure perimeter, armed guards; open access, e.g. "drive up" parking | 4.5 |
| Asset Mobility | moves frequently; fixed in place | 5.0 |
| Presence of Hazardous Materials | limited quantities, secure location; large quantities, some controls open access | 0.0 |
| Collateral Damage Potential | no risk; moderate risk in 1 Km r; high risk beyond 1 Km r or domino | 4.0 |
| Site Population | 0; 500 - 1000; > 5000 | 3.0 |
| TOTAL | | 25.0 |

| KEY | for each CRITERIA | for the TOTAL re each ASSET |
|---|---|---|
| High Risk | Greater than 3.5 | Greater than 24.5 |
| Medium Risk | 2.0 to 3.5 | 14.0 to 24.5 |
| Low Risk | Less than 2 | Less than 14 |

Analysis of Results: If vulnerability is high, you may want to consider strengthening preparedness capability. emergencyriskmanagement.com™ is at your service with planning guidelines and consultancy services.

Considerations regarding how to use the Risk Rating to prioritise and implement action plans.

Once the level of risk has been determined the following table may be of use in determining when to act to intervene and institute the control measures.

RISK LEVEL

Very High: Act immediately to mitigate the risk. Either eliminate, substitute or implement engineering control measures. Remove the hazard at the source. An identified very high risk does not allow scope for the use of administrative controls, even in the short term.

High: Act immediately to mitigate the risk. Either eliminate, substitute or implement engineering control measures. An achievable timeframe must be established to ensure that elimination, substitution or engineering controls are implemented. If these controls are not immediately accessible, set a timeframe for their implementation and establish interim risk reduction strategies for the period of the set timeframe. NOTE: Risk (and not cost) must be the primary consideration in determining the timeframe.

Medium: Take reasonable steps to mitigate the risk. Until elimination, substitution or engineering controls can be implemented, institute administrative or personal protective equipment controls. These “lower level” controls must not be considered permanent solutions. Interim measures until permanent solutions can be implemented:
• Develop administrative controls to limit the use or access.
• Provide supervision and specific training related to the issue of concern. (See Administrative Controls below)

Low: Take reasonable steps to mitigate and monitor the risk. Institute permanent controls in the long term. Permanent controls may be administrative in nature if the hazard has low frequency, rare likelihood and insignificant consequence.

Hierarchy of Control

Interventions identified may be a mixture of the hierarchy in order to provide as low as reasonably practicable exposure.

Elimination: Eliminate the hazard.
Substitution: Provide an alternative that is capable of performing the same task and is safer to use.
Engineering Controls: Provide or construct a physical barrier or guard.
Administrative Controls: Develop policies, procedures, practices and guidelines, in consultation with employees, to mitigate the risk. Provide training, instruction and supervision about the hazard.
Personal Protective Equipment: Personal equipment designed to protect the individual from the hazard.

The "Hierarchy of Control" can be useful - as can other heuristic devices such as "Prevention, Preparedness, Response & Recovery" or "Engineering, Education, Encouragement, & Enforcement". As a general approach, a "mix of interventions" usually provides the best result.