SlideShare a Scribd company logo

Risk Assessment Clause 4

Dipankar Ghosh
Dipankar Ghosh

This document provides an overview of the risk assessment process as outlined in the British Standard BS25999-2:2007. It describes the key steps in risk assessment including identifying vulnerabilities, threats, potential damages, scoring severity and likelihood, evaluating current mitigation measures, and calculating a risk magnitude score. The document uses a risk assessment model and provides examples of how to analyze risks using criteria for scoring severity, likelihood, mitigation, and determining appropriate risk treatment actions. The goal is to understand risks to critical assets and activities, prioritize them, and determine actions to reduce risks to an acceptable level.

1 of 11
Risk Assessment Clause 4.1.2 Requirements Of BS25999-2:2007
Executive Summary This document attempts to The standard does not prescribe provide an understanding of the any specific method of doing the Risk Management process risk assessment The British Standard, BS25999- This document provides an 2:2007 requires Risk example method of doing risk Assessment to be done as a assessment which borrows part of the ‘Understanding the heavily from Failure Modes and organisation’ Effects Analysis (FMEA) A flow chart illustrates the flow Using the concepts from FMEA of the RM process per Clause helps in a couple of ways: FMEA has been in use for quite some time 4.1.1 of the standard and also now and the writer assumes that the deals with ‘Determining choices’ knowledge of using FMEA is prevalent It provides numerical values for easy – 4.1.3 prioritisation and action. 02/08/2010 Dipankar Ghosh 2
Section 4.1.1 Of BS25999-2:2007 4.1.2 Risk Assessment 4.1.2.1 There shall be defined, documented and appropriate method of risk assessment that will enable the organisation to understand the threats to and vulnerabilities of its critical activities and supporting resources, including those provided by suppliers and outsource partners 4.1.2.2 The organisation shall understand the impact that would arise if an identified threat became an incident and caused a business disruption 02/08/2010 Dipankar Ghosh 3
Risk Management Flow Chart 02/08/2010 Dipankar Ghosh 4
Risk Management Flow Chart 02/08/2010 Dipankar Ghosh 5
Risk Assessment Model RMS After Actions Taken 11 Identified Potential Potential Severity Likelihood of Current Mitigation Risk Recommended Responsibility S L M R Vulnerabili- Threats Damages Of Occurrence Mitigation Score Magnitude Actions and Target Date M ties Damages Score (1-5) Measures (1-5) Score (1-125) S Score [ (1-5) S X [S] [L] [M] L [RMS=SxLxM] X M ] 1 2 3 4 5 6 7 8 9 10 1. Identified Vulnerabilities – These are weaknesses that has been identified which can result in a potential damaging impact on the business. (e.g. Fuel storage near electrical substation). Vulnerabilities are ‘internal’ to the ‘system’. 2. Potential Threats – These are ‘external’ causes which can exploit vulnerabilities to cause damage. (e.g. electrical short circuits and sparks can ignite the fuel nearby resulting in a fire) 3. Potential Damages – These are the effects or damages that are inflicted on the business and its assets. (e.g. loss of life due to fire, loss of building, equipment etc. due to fire). Note that risk exists only if an external threat exploits an internal vulnerability to cause damage or loss to your asset. You may have an empty house (no asset to be damaged/lost) with an unlocked door (vulnerability) and a thief lurking around (threat). But you face no risk! 02/08/2010 Dipankar Ghosh 6
Risk Assessment Model 4. Severity Of Effects Score – This is a score on a scale of 1-5 which reflects the assessment of the seriousness of the damages listed in 3. This is based on the Severity Score Criteria listed in the table below. Higher the severity higher is the score. Note that the criteria in this and the following tables are not sacrosanct and are for example purposes. Practitioners may want to adapt these according to their experience. Severity Of Effects Severity Score Criteria Score Hazardous or Catastrophic 1. May cause loss of lives, buildings or sites 5 2. The duration of recovery is very long Very high 1. May cause severe injuries 4 2. May lead to severe damage to buildings, equipment and goods 3. May cause severe hardships to customers, employees and suppliers and may lead to severe financial losses for all of them and the company 4. The duration of recovery is long High 1. May cause major injuries 3 2. May lead to major damage to buildings, equipments and goods 3. May cause hardships to customers, employees and suppliers and may lead to financial losses for all of them and the company 4. The duration of recovery is quite long Moderate 1. May cause minor injuries 2 2. May lead to moderate damage to buildings, equipments and goods 3. May cause moderate hardships to customers, employees and suppliers and may lead to some financial losses for all of them and the company 4. The duration of recovery is moderate None or Minor 1. No injuries caused 1 2. None or minor damage to buildings, equipments and goods 3. Insignificant hardships caused to customers, employees and suppliers and may lead to minor financial losses for all of them and the company 4. The duration of recovery is short 02/08/2010 Dipankar Ghosh 7
Risk Assessment Model 5. Likelihood Of Occurrence Score – This score measures on a scale of 1-5 the likelihood of occurrence of the identified risk event arising from the potential cause based on the guideline provided in the table below. More the likelihood more is the score. Likelihood of Occurrence Probability Score Criteria Score >90% chance of happening Almost Certain 5 70%-90% chance of happening Likely 4 50%-70% chance of happening Possible 3 30%-50% chance of happening Unlikely 2 0%-30% chance of happening Rare 1 6. Current Mitigation Measures – Risk mitigation is a three-pronged weapon to alleviate the effects of risks. Firstly, there need to be Prevention measures in place so that the risk event is prevented from occurring. (e.g. in the case of fire because of short circuit there could be prevention measure of having adequate air gaps between conductors, the best class of insulators may be provided etc.) Next, there need to exist Detection measures, in case the risk event occurs, or better still if the possible occurrence of the event can be detected even before the event occurs. (e.g. in the case of fire, fire and smoke detectors may be installed for early detection) And finally, there needs to be a Response mechanism in place, in case the event does occur. (e.g. availability of fire fighting equipment, trained personnel who know how to handle fires, ready availability of fire tenders nearby and above all a well documented and tested plan to handle the situation). A well tested business continuity plan is also a part of the response mechanism. 02/08/20010 Dipankar Ghosh 8
Risk Assessment Model 7. Mitigation Score – This score measures on a scale of 1-5 the assessment of availability of mitigation measures for the identified risk event based on an evaluation criteria provided by the table below. Weaker the current measures in place higher is the score. Current Mitigation Mitigation Score Criteria Score Measures Highly Ineffective 1. Prevention is impossible or prevention measures are not in place 5 2. No known detection method is available or even if available it has not been implemented 3. No response mechanism, in case of the event occurring, has been put in place Ineffective 1. Prevention is possible but prevention measures are not in place, 4 or even if in place they are not effective 2. Known detection method(s) is/are available but it/they have not been implemented, or even if implemented they do not work effectively or work only sporadically. 3. Response mechanism is in place but is not effective Moderately Effective 1. Prevention measures in place and are somewhat effective 3 2. Detection methods have been implemented and are somewhat effective 3. Response mechanism is in place and is somewhat effective Effective 1. Prevention measures in place and are quite effective 2 2. Detection methods have been implemented and are quite effective 3. Response mechanism is in place and is quite effective Very Effective 1. Prevention measures in place and are very effective 1 2. Detection methods have been implemented and are very effective 3. Response mechanism is in place and is very effective 02/08/2010 Dipankar Ghosh 9
Risk Assessment Model 8. Risk Magnitude Score (RMS) – This is the score obtained by multiplying the three scores – Severity (S), Likelihood (L) and Mitigation(M). That is: RMS = S X L X M The RMS value can range from 1 to 125 and helps rank the identified risk events and the causes in order of priority. Higher scores will generally require higher priority in terms of actions to be taken. 9. Recommended Actions – This column specifies the actions that are recommended to be taken to bring down the RMS of the identified risk event. These actions should be directed towards reducing the severity of effects, towards reducing the likelihood of occurrence and also towards bringing in mitigation measures of prevention, detection and response. 10. Responsibility and Target Date – This column contains the names of persons charged with the responsibility of completing the recommended actions and the target date of completion. 11. RMS After Actions Taken – Once the actions have been taken a re-assessment of the risk is done and the new RMS score is obtained. Needless to say, if the actions taken have been effective then the score would come down. 02/08/2010 Dipankar Ghosh 10
Risk Assessment Model Criteria For Risk Treatment It may be noted that not all Risks will require mitigating measures to be adopted. Based on the RMS score a risk may be: Tolerated or Accepted – in case of low risk Transferred (e.g. to insurance companies) – in case of medium to high risk, especially if it makes financial sense to transfer rather than mitigate from the return of investment point of view Mitigated (using controls for prevention, detection and response as discussed earlier) – in case of medium to high risk Take urgent corrective actions – in case of very high risks The table below provides the evaluation criteria which may be used to decided if a risk will be tolerated/accepted, transferred or mitigated. Please note that this is only indicative and practitioners must apply their own judgment when creating their own criteria table. RMS Score Treatment RMS Score 90-125 Take urgent actions 90-125 27-90 Mitigate or Transfer 27-90 0-27 Tolerate/Accept 0-27 02/08/2010 Dipankar Ghosh 11

Recommended

reliance steel & aluminum MacBethForm_5_2007
reliance steel & aluminum MacBethForm_5_2007reliance steel & aluminum MacBethForm_5_2007
reliance steel & aluminum MacBethForm_5_2007finance32
 
Whitepaper: Effective Risk Management – Substance over Form
Whitepaper: Effective Risk Management – Substance over FormWhitepaper: Effective Risk Management – Substance over Form
Whitepaper: Effective Risk Management – Substance over Form
CBIZ, Inc.
 
Film production risk assessment ig2
Film production risk assessment ig2Film production risk assessment ig2
Film production risk assessment ig2AlexNesbit
 
Project Controls Expo, 18th Nov 2014 - "Enterprise Project & Risk Analysis in...
Project Controls Expo, 18th Nov 2014 - "Enterprise Project & Risk Analysis in...Project Controls Expo, 18th Nov 2014 - "Enterprise Project & Risk Analysis in...
Project Controls Expo, 18th Nov 2014 - "Enterprise Project & Risk Analysis in...
Project Controls Expo
 
Chapter 4 risk
Chapter 4 riskChapter 4 risk
Chapter 4 risk
Rione Drevale
 
Filming risk assessment form
Filming risk assessment formFilming risk assessment form
Filming risk assessment formCharlie Hall
 
Risk based supplier qualification program
Risk based supplier qualification programRisk based supplier qualification program
Risk based supplier qualification program
Jasmina Kanazir
 
Improve Your Risk Assessment Process in 4 Steps
Improve Your Risk Assessment Process in 4 StepsImprove Your Risk Assessment Process in 4 Steps
Improve Your Risk Assessment Process in 4 Steps
Resolver Inc.
 

Recommended

reliance steel & aluminum MacBethForm_5_2007
reliance steel & aluminum MacBethForm_5_2007reliance steel & aluminum MacBethForm_5_2007
reliance steel & aluminum MacBethForm_5_2007finance32
 
Whitepaper: Effective Risk Management – Substance over Form
Whitepaper: Effective Risk Management – Substance over FormWhitepaper: Effective Risk Management – Substance over Form
Whitepaper: Effective Risk Management – Substance over Form
CBIZ, Inc.
 
Film production risk assessment ig2
Film production risk assessment ig2Film production risk assessment ig2
Film production risk assessment ig2AlexNesbit
 
Project Controls Expo, 18th Nov 2014 - "Enterprise Project & Risk Analysis in...
Project Controls Expo, 18th Nov 2014 - "Enterprise Project & Risk Analysis in...Project Controls Expo, 18th Nov 2014 - "Enterprise Project & Risk Analysis in...
Project Controls Expo, 18th Nov 2014 - "Enterprise Project & Risk Analysis in...
Project Controls Expo
 
Chapter 4 risk
Chapter 4 riskChapter 4 risk
Chapter 4 risk
Rione Drevale
 
Filming risk assessment form
Filming risk assessment formFilming risk assessment form
Filming risk assessment formCharlie Hall
 
Risk based supplier qualification program
Risk based supplier qualification programRisk based supplier qualification program
Risk based supplier qualification program
Jasmina Kanazir
 
Improve Your Risk Assessment Process in 4 Steps
Improve Your Risk Assessment Process in 4 StepsImprove Your Risk Assessment Process in 4 Steps
Improve Your Risk Assessment Process in 4 Steps
Resolver Inc.
 
Level 2
Level 2Level 2
Level 2
GWC GROUP
 
Level 2
Level 2Level 2
Level 2
GWC GROUP
 
Session B3 - Introduction to Project Cost and Schedule Risk Analysis
Session B3 - Introduction to Project Cost and Schedule Risk AnalysisSession B3 - Introduction to Project Cost and Schedule Risk Analysis
Session B3 - Introduction to Project Cost and Schedule Risk Analysis
Project Controls Expo
 
Risk management seminar -en
Risk management seminar -enRisk management seminar -en
Risk management seminar -enRolf Häsänen
 
Military + Civilian Best Practices: Risk Management ver 1.1
Military + Civilian Best Practices: Risk Management ver 1.1Military + Civilian Best Practices: Risk Management ver 1.1
Military + Civilian Best Practices: Risk Management ver 1.1
Alejandro Perez
 
Enterprise Risk Management - Deddy Jacobus
Enterprise Risk Management - Deddy JacobusEnterprise Risk Management - Deddy Jacobus
Enterprise Risk Management - Deddy JacobusDeddy Jacobus
 
Understanding enterprise risk management and fair
Understanding enterprise risk management and fairUnderstanding enterprise risk management and fair
Understanding enterprise risk management and fairiaemedu
 
Project risk management
Project risk managementProject risk management
Project risk management
Er Swati Nagal
 
Anju drolia
Anju droliaAnju drolia
Anju droliaPMI2011
 
Anjudrolia 131008015750-phpapp02
Anjudrolia 131008015750-phpapp02Anjudrolia 131008015750-phpapp02
Anjudrolia 131008015750-phpapp02PMI_IREP_TP
 
Risk management plan loren schwappach
Risk management plan loren schwappachRisk management plan loren schwappach
Risk management plan loren schwappachLoren Schwappach
 
Minimization of Risks in Construction projects
Minimization of Risks in Construction projectsMinimization of Risks in Construction projects
Minimization of Risks in Construction projects
IRJET Journal
 
Risk Management in Retrofitting Projects
Risk Management in Retrofitting ProjectsRisk Management in Retrofitting Projects
Risk Management in Retrofitting Projects
IRJET Journal
 
Risk Management
Risk ManagementRisk Management
Risk Management
Ibrahem Soltan
 
Risk Mitigation Strategies PowerPoint Presentation Slides
Risk Mitigation Strategies PowerPoint Presentation SlidesRisk Mitigation Strategies PowerPoint Presentation Slides
Risk Mitigation Strategies PowerPoint Presentation Slides
SlideTeam
 
Enterprise Risk Management - Deddy Jacobus
Enterprise Risk Management - Deddy JacobusEnterprise Risk Management - Deddy Jacobus
Enterprise Risk Management - Deddy JacobusDeddy Jacobus
 
Erm public workshop
Erm public workshopErm public workshop
Erm public workshopDeddy Jacobus
 
Enterprise Risk Management - Deddy Jacobus
Enterprise Risk Management - Deddy JacobusEnterprise Risk Management - Deddy Jacobus
Enterprise Risk Management - Deddy JacobusDeddy Jacobus
 
Part -1 Chapter 35 ERM at Malaysia’s Media Company Astro Qui.docx
Part -1 Chapter 35 ERM at Malaysia’s Media Company Astro Qui.docxPart -1 Chapter 35 ERM at Malaysia’s Media Company Astro Qui.docx
Part -1 Chapter 35 ERM at Malaysia’s Media Company Astro Qui.docx
karlhennesey
 
IRJET- Analysis of Risk Management in Construction Sector using Fault Tree...
IRJET- Analysis of Risk Management in Construction Sector using Fault Tree...IRJET- Analysis of Risk Management in Construction Sector using Fault Tree...
IRJET- Analysis of Risk Management in Construction Sector using Fault Tree...
IRJET Journal
 

More Related Content

Similar to Risk Assessment Clause 4

Level 2
Level 2Level 2
Level 2
GWC GROUP
 
Level 2
Level 2Level 2
Level 2
GWC GROUP
 
Session B3 - Introduction to Project Cost and Schedule Risk Analysis
Session B3 - Introduction to Project Cost and Schedule Risk AnalysisSession B3 - Introduction to Project Cost and Schedule Risk Analysis
Session B3 - Introduction to Project Cost and Schedule Risk Analysis
Project Controls Expo
 
Risk management seminar -en
Risk management seminar -enRisk management seminar -en
Risk management seminar -enRolf Häsänen
 
Military + Civilian Best Practices: Risk Management ver 1.1
Military + Civilian Best Practices: Risk Management ver 1.1Military + Civilian Best Practices: Risk Management ver 1.1
Military + Civilian Best Practices: Risk Management ver 1.1
Alejandro Perez
 
Enterprise Risk Management - Deddy Jacobus
Enterprise Risk Management - Deddy JacobusEnterprise Risk Management - Deddy Jacobus
Enterprise Risk Management - Deddy JacobusDeddy Jacobus
 
Understanding enterprise risk management and fair
Understanding enterprise risk management and fairUnderstanding enterprise risk management and fair
Understanding enterprise risk management and fairiaemedu
 
Project risk management
Project risk managementProject risk management
Project risk management
Er Swati Nagal
 
Anju drolia
Anju droliaAnju drolia
Anju droliaPMI2011
 
Anjudrolia 131008015750-phpapp02
Anjudrolia 131008015750-phpapp02Anjudrolia 131008015750-phpapp02
Anjudrolia 131008015750-phpapp02PMI_IREP_TP
 
Risk management plan loren schwappach
Risk management plan loren schwappachRisk management plan loren schwappach
Risk management plan loren schwappachLoren Schwappach
 
Minimization of Risks in Construction projects
Minimization of Risks in Construction projectsMinimization of Risks in Construction projects
Minimization of Risks in Construction projects
IRJET Journal
 
Risk Management in Retrofitting Projects
Risk Management in Retrofitting ProjectsRisk Management in Retrofitting Projects
Risk Management in Retrofitting Projects
IRJET Journal
 
Risk Management
Risk ManagementRisk Management
Risk Management
Ibrahem Soltan
 
Risk Mitigation Strategies PowerPoint Presentation Slides
Risk Mitigation Strategies PowerPoint Presentation SlidesRisk Mitigation Strategies PowerPoint Presentation Slides
Risk Mitigation Strategies PowerPoint Presentation Slides
SlideTeam
 
Enterprise Risk Management - Deddy Jacobus
Enterprise Risk Management - Deddy JacobusEnterprise Risk Management - Deddy Jacobus
Enterprise Risk Management - Deddy JacobusDeddy Jacobus
 
Enterprise Risk Management - Deddy Jacobus
Enterprise Risk Management - Deddy JacobusEnterprise Risk Management - Deddy Jacobus
Enterprise Risk Management - Deddy JacobusDeddy Jacobus
 
Part -1 Chapter 35 ERM at Malaysia’s Media Company Astro Qui.docx
Part -1 Chapter 35 ERM at Malaysia’s Media Company Astro Qui.docxPart -1 Chapter 35 ERM at Malaysia’s Media Company Astro Qui.docx
Part -1 Chapter 35 ERM at Malaysia’s Media Company Astro Qui.docx
karlhennesey
 
IRJET- Analysis of Risk Management in Construction Sector using Fault Tree...
IRJET- Analysis of Risk Management in Construction Sector using Fault Tree...IRJET- Analysis of Risk Management in Construction Sector using Fault Tree...
IRJET- Analysis of Risk Management in Construction Sector using Fault Tree...
IRJET Journal
 

Similar to Risk Assessment Clause 4 (20)

Level 2
Level 2Level 2
Level 2
 
Level 2
Level 2Level 2
Level 2
 
Session B3 - Introduction to Project Cost and Schedule Risk Analysis
Session B3 - Introduction to Project Cost and Schedule Risk AnalysisSession B3 - Introduction to Project Cost and Schedule Risk Analysis
Session B3 - Introduction to Project Cost and Schedule Risk Analysis
 
Risk management seminar -en
Risk management seminar -enRisk management seminar -en
Risk management seminar -en
 
Military + Civilian Best Practices: Risk Management ver 1.1
Military + Civilian Best Practices: Risk Management ver 1.1Military + Civilian Best Practices: Risk Management ver 1.1
Military + Civilian Best Practices: Risk Management ver 1.1
 
Enterprise Risk Management - Deddy Jacobus
Enterprise Risk Management - Deddy JacobusEnterprise Risk Management - Deddy Jacobus
Enterprise Risk Management - Deddy Jacobus
 
Understanding enterprise risk management and fair
Understanding enterprise risk management and fairUnderstanding enterprise risk management and fair
Understanding enterprise risk management and fair
 
Project risk management
Project risk managementProject risk management
Project risk management
 
Anju drolia
Anju droliaAnju drolia
Anju drolia
 
Anjudrolia 131008015750-phpapp02
Anjudrolia 131008015750-phpapp02Anjudrolia 131008015750-phpapp02
Anjudrolia 131008015750-phpapp02
 
Risk management plan loren schwappach
Risk management plan loren schwappachRisk management plan loren schwappach
Risk management plan loren schwappach
 
Minimization of Risks in Construction projects
Minimization of Risks in Construction projectsMinimization of Risks in Construction projects
Minimization of Risks in Construction projects
 
Risk Management in Retrofitting Projects
Risk Management in Retrofitting ProjectsRisk Management in Retrofitting Projects
Risk Management in Retrofitting Projects
 
Risk Management
Risk ManagementRisk Management
Risk Management
 
Risk Mitigation Strategies PowerPoint Presentation Slides
Risk Mitigation Strategies PowerPoint Presentation SlidesRisk Mitigation Strategies PowerPoint Presentation Slides
Risk Mitigation Strategies PowerPoint Presentation Slides
 
Enterprise Risk Management - Deddy Jacobus
Enterprise Risk Management - Deddy JacobusEnterprise Risk Management - Deddy Jacobus
Enterprise Risk Management - Deddy Jacobus
 
Erm public workshop
Erm public workshopErm public workshop
Erm public workshop
 
Enterprise Risk Management - Deddy Jacobus
Enterprise Risk Management - Deddy JacobusEnterprise Risk Management - Deddy Jacobus
Enterprise Risk Management - Deddy Jacobus
 
Part -1 Chapter 35 ERM at Malaysia’s Media Company Astro Qui.docx
Part -1 Chapter 35 ERM at Malaysia’s Media Company Astro Qui.docxPart -1 Chapter 35 ERM at Malaysia’s Media Company Astro Qui.docx
Part -1 Chapter 35 ERM at Malaysia’s Media Company Astro Qui.docx
 
IRJET- Analysis of Risk Management in Construction Sector using Fault Tree...
IRJET- Analysis of Risk Management in Construction Sector using Fault Tree...IRJET- Analysis of Risk Management in Construction Sector using Fault Tree...
IRJET- Analysis of Risk Management in Construction Sector using Fault Tree...
 

Risk Assessment Clause 4

  • 1. Risk Assessment Clause 4.1.2 Requirements Of BS25999-2:2007
  • 2. Executive Summary This document attempts to The standard does not prescribe provide an understanding of the any specific method of doing the Risk Management process risk assessment The British Standard, BS25999- This document provides an 2:2007 requires Risk example method of doing risk Assessment to be done as a assessment which borrows part of the ‘Understanding the heavily from Failure Modes and organisation’ Effects Analysis (FMEA) A flow chart illustrates the flow Using the concepts from FMEA of the RM process per Clause helps in a couple of ways: FMEA has been in use for quite some time 4.1.1 of the standard and also now and the writer assumes that the deals with ‘Determining choices’ knowledge of using FMEA is prevalent It provides numerical values for easy – 4.1.3 prioritisation and action. 02/08/2010 Dipankar Ghosh 2
  • 3. Section 4.1.1 Of BS25999-2:2007 4.1.2 Risk Assessment 4.1.2.1 There shall be defined, documented and appropriate method of risk assessment that will enable the organisation to understand the threats to and vulnerabilities of its critical activities and supporting resources, including those provided by suppliers and outsource partners 4.1.2.2 The organisation shall understand the impact that would arise if an identified threat became an incident and caused a business disruption 02/08/2010 Dipankar Ghosh 3
  • 4. Risk Management Flow Chart 02/08/2010 Dipankar Ghosh 4
  • 5. Risk Management Flow Chart 02/08/2010 Dipankar Ghosh 5
  • 6. Risk Assessment Model RMS After Actions Taken 11 Identified Potential Potential Severity Likelihood of Current Mitigation Risk Recommended Responsibility S L M R Vulnerabili- Threats Damages Of Occurrence Mitigation Score Magnitude Actions and Target Date M ties Damages Score (1-5) Measures (1-5) Score (1-125) S Score [ (1-5) S X [S] [L] [M] L [RMS=SxLxM] X M ] 1 2 3 4 5 6 7 8 9 10 1. Identified Vulnerabilities – These are weaknesses that has been identified which can result in a potential damaging impact on the business. (e.g. Fuel storage near electrical substation). Vulnerabilities are ‘internal’ to the ‘system’. 2. Potential Threats – These are ‘external’ causes which can exploit vulnerabilities to cause damage. (e.g. electrical short circuits and sparks can ignite the fuel nearby resulting in a fire) 3. Potential Damages – These are the effects or damages that are inflicted on the business and its assets. (e.g. loss of life due to fire, loss of building, equipment etc. due to fire). Note that risk exists only if an external threat exploits an internal vulnerability to cause damage or loss to your asset. You may have an empty house (no asset to be damaged/lost) with an unlocked door (vulnerability) and a thief lurking around (threat). But you face no risk! 02/08/2010 Dipankar Ghosh 6
  • 7. Risk Assessment Model 4. Severity Of Effects Score – This is a score on a scale of 1-5 which reflects the assessment of the seriousness of the damages listed in 3. This is based on the Severity Score Criteria listed in the table below. Higher the severity higher is the score. Note that the criteria in this and the following tables are not sacrosanct and are for example purposes. Practitioners may want to adapt these according to their experience. Severity Of Effects Severity Score Criteria Score Hazardous or Catastrophic 1. May cause loss of lives, buildings or sites 5 2. The duration of recovery is very long Very high 1. May cause severe injuries 4 2. May lead to severe damage to buildings, equipment and goods 3. May cause severe hardships to customers, employees and suppliers and may lead to severe financial losses for all of them and the company 4. The duration of recovery is long High 1. May cause major injuries 3 2. May lead to major damage to buildings, equipments and goods 3. May cause hardships to customers, employees and suppliers and may lead to financial losses for all of them and the company 4. The duration of recovery is quite long Moderate 1. May cause minor injuries 2 2. May lead to moderate damage to buildings, equipments and goods 3. May cause moderate hardships to customers, employees and suppliers and may lead to some financial losses for all of them and the company 4. The duration of recovery is moderate None or Minor 1. No injuries caused 1 2. None or minor damage to buildings, equipments and goods 3. Insignificant hardships caused to customers, employees and suppliers and may lead to minor financial losses for all of them and the company 4. The duration of recovery is short 02/08/2010 Dipankar Ghosh 7
  • 8. Risk Assessment Model 5. Likelihood Of Occurrence Score – This score measures on a scale of 1-5 the likelihood of occurrence of the identified risk event arising from the potential cause based on the guideline provided in the table below. More the likelihood more is the score. Likelihood of Occurrence Probability Score Criteria Score >90% chance of happening Almost Certain 5 70%-90% chance of happening Likely 4 50%-70% chance of happening Possible 3 30%-50% chance of happening Unlikely 2 0%-30% chance of happening Rare 1 6. Current Mitigation Measures – Risk mitigation is a three-pronged weapon to alleviate the effects of risks. Firstly, there need to be Prevention measures in place so that the risk event is prevented from occurring. (e.g. in the case of fire because of short circuit there could be prevention measure of having adequate air gaps between conductors, the best class of insulators may be provided etc.) Next, there need to exist Detection measures, in case the risk event occurs, or better still if the possible occurrence of the event can be detected even before the event occurs. (e.g. in the case of fire, fire and smoke detectors may be installed for early detection) And finally, there needs to be a Response mechanism in place, in case the event does occur. (e.g. availability of fire fighting equipment, trained personnel who know how to handle fires, ready availability of fire tenders nearby and above all a well documented and tested plan to handle the situation). A well tested business continuity plan is also a part of the response mechanism. 02/08/20010 Dipankar Ghosh 8
  • 9. Risk Assessment Model 7. Mitigation Score – This score measures on a scale of 1-5 the assessment of availability of mitigation measures for the identified risk event based on an evaluation criteria provided by the table below. Weaker the current measures in place higher is the score. Current Mitigation Mitigation Score Criteria Score Measures Highly Ineffective 1. Prevention is impossible or prevention measures are not in place 5 2. No known detection method is available or even if available it has not been implemented 3. No response mechanism, in case of the event occurring, has been put in place Ineffective 1. Prevention is possible but prevention measures are not in place, 4 or even if in place they are not effective 2. Known detection method(s) is/are available but it/they have not been implemented, or even if implemented they do not work effectively or work only sporadically. 3. Response mechanism is in place but is not effective Moderately Effective 1. Prevention measures in place and are somewhat effective 3 2. Detection methods have been implemented and are somewhat effective 3. Response mechanism is in place and is somewhat effective Effective 1. Prevention measures in place and are quite effective 2 2. Detection methods have been implemented and are quite effective 3. Response mechanism is in place and is quite effective Very Effective 1. Prevention measures in place and are very effective 1 2. Detection methods have been implemented and are very effective 3. Response mechanism is in place and is very effective 02/08/2010 Dipankar Ghosh 9
  • 10. Risk Assessment Model 8. Risk Magnitude Score (RMS) – This is the score obtained by multiplying the three scores – Severity (S), Likelihood (L) and Mitigation(M). That is: RMS = S X L X M The RMS value can range from 1 to 125 and helps rank the identified risk events and the causes in order of priority. Higher scores will generally require higher priority in terms of actions to be taken. 9. Recommended Actions – This column specifies the actions that are recommended to be taken to bring down the RMS of the identified risk event. These actions should be directed towards reducing the severity of effects, towards reducing the likelihood of occurrence and also towards bringing in mitigation measures of prevention, detection and response. 10. Responsibility and Target Date – This column contains the names of persons charged with the responsibility of completing the recommended actions and the target date of completion. 11. RMS After Actions Taken – Once the actions have been taken a re-assessment of the risk is done and the new RMS score is obtained. Needless to say, if the actions taken have been effective then the score would come down. 02/08/2010 Dipankar Ghosh 10
  • 11. Risk Assessment Model Criteria For Risk Treatment It may be noted that not all Risks will require mitigating measures to be adopted. Based on the RMS score a risk may be: Tolerated or Accepted – in case of low risk Transferred (e.g. to insurance companies) – in case of medium to high risk, especially if it makes financial sense to transfer rather than mitigate from the return of investment point of view Mitigated (using controls for prevention, detection and response as discussed earlier) – in case of medium to high risk Take urgent corrective actions – in case of very high risks The table below provides the evaluation criteria which may be used to decided if a risk will be tolerated/accepted, transferred or mitigated. Please note that this is only indicative and practitioners must apply their own judgment when creating their own criteria table. RMS Score Treatment RMS Score 90-125 Take urgent actions 90-125 27-90 Mitigate or Transfer 27-90 0-27 Tolerate/Accept 0-27 02/08/2010 Dipankar Ghosh 11