Guide to Conducting a Risk Assessment
8/3/2019 Guide to Conducting a Risk Assessment
In Partnership with Supremus Group, LLC
Risk Assessment Tools | Jamie Vance, CBCP
GUIDE TO CONDUCTING A RISK ASSESSMENT, SECOND EDITION
Guide to Conducting a Risk Assessment 2008
2008 Supremus Group LLC and Continuity Resources
www.trainingHIPAA.net
Limited rights granted to licensee for internal use only
All other rights reserved
Legal Statement
The business has purchased Contingency Planning Guides, Templates, and Reports from Continuity Resources and Supremus Group, LLC. Templates and report documents are customizable with the business's information, logos, and confidential data. However, this statement and all copyright information (in footers) must remain in all documents.

Supremus Group LLC (SG) and Continuity Resources (CR) disclaim liability for any personal injury, property, or other damages of any nature whatsoever, whether special, indirect, consequential, or compensatory, directly or indirectly resulting from the publication, use of, or reliance on this document. In issuing and making this document available, SG and CR are not undertaking to render professional or other services for or on behalf of any person or entity. Nor are SG and CR undertaking to perform any duty owed by any person or entity to someone else. Anyone using this document should rely on his or her own independent judgment or, as appropriate, seek the advice of a competent professional in determining the exercise of reasonable care in any given circumstance.

This product is NOT FOR RESALE or REDISTRIBUTION in any physical or electronic format. The purchaser of this template has acquired the rights to use it for a SINGLE enterprise at one facility unless the user has purchased a multi-use license. Anyone who makes unlicensed copies of or uses the template or any derivative of it is in violation of United States and International copyright laws and subject to fines that are treble damages as determined by the courts. A REWARD of up to 1/3 of those fines will be paid to anyone reporting such a violation upon the successful prosecution of such violators.

The purchaser agrees that any derivative of this template will contain the following words within the first five pages of that document. The words are: "Derived from the Contingency Plan Template Suite of Supremus Group LLC and Continuity Resources. 2008 Copyright Supremus Group LLC and Continuity Resources."
Purpose of Guide
The Risk Assessment Guide is intended to provide businesses with the necessary tools to conduct a facility risk assessment. This guide focuses on identifying risks and threats in the following categories: Weather, Man-Made, and Technology. This guide is to be used in conjunction with the risk assessment templates and reports offered by Continuity Resources and Supremus Group, LLC.
Key Terminology
There can be terminology and definition differences in regard to risk assessment, business impact analysis, recovery planning, disaster recovery, disasters, impacts, etc. For the intent of this document, please apply the following definitions:

Business Impact Analysis: Process of identifying the critical business functions within the business and determining the impact of not performing those business functions.

Business Continuity Planning: Process of developing advance arrangements and procedures that enable an organization to respond to an event in such a manner that critical business functions continue with planned levels of interruption or essential change.

Customer/Operational Impact: Customer Impact measures the potential future impact of a service or operational outage. Operational Impact is the measure of loss to functions that would impact the production of products and services.

Disaster: A sudden, unplanned devastating event causing substantial damage or loss.

Disaster Recovery Planning: The technological aspect of business continuity planning. The advance planning and preparation that is necessary to minimize loss and ensure continuity of the critical business functions of an organization in the event of disaster.

Financial Impact: Financial impact measures the immediate revenue loss and cost exposures to the organization during a period a business cannot perform their daily operations and services.

Legal / Regulatory Impact: Legal and regulatory impact measures the legal ramifications and governmental financial and operational impact from service and operational outages.

Risk Assessment: Process of identifying and evaluating the hazards and risks that are present and analyzing the vulnerabilities of the business to these threats.

RTO: Recovery Time Objective. The maximum allowable time a process can be down following a disruptive event.
Revision History
The table below indicates revisions, deletions, additions, etc. that have been made to this document.

Version        | Description of Change         | Chap/Page    | Revised By       | Date
2006.01        | Creation of Document          | All sections | Jamie McCafferty | 02.20.2006
Second Edition | Update of format and chapters | All Chapters | Jamie Vance      | 01.10.2008
Table of Contents
Legal Statement ... 2
Purpose of Guide ... 2
Key Terminology ... 3
Revision History ... 3
CHAPTER 1: INTRODUCTION ... 6
    Compliance ... 6
    Scope ... 7
CHAPTER 2: RISK ASSESSMENT ... 8
    Objectives of the Risk Assessment ... 8
    Develop a Project Plan ... 8
    What should be included? ... 10
CHAPTER 3: PHASE ONE (PROJECT DEVELOPMENT) ... 11
    Scope ... 11
    Objectives and Deliverables ... 11
    Method of Collection ... 11
    Identify People ... 11
    Interview Order ... 12
CHAPTER 4: PHASE TWO (DATA GATHERING) ... 13
    Identifying Risks and Threats ... 13
    Probability of Occurrence ... 14
    Vulnerability to Risk ... 14
    Potential Impact ... 14
    Preventative Measures in Place ... 14
    Insurance Coverage ... 15
    Past Experiences ... 15
CHAPTER 5: PHASE THREE (ANALYZE THE DATA) ... 16
    Review Survey and Interview Notes ... 16
    Follow-up Meetings ... 16
    Report the Results ... 17
CHAPTER 6: PHASE FOUR (FINAL REPORT AND PRESENTATION) ... 18
    Creation of Executive Report ... 18
    Presenting the Results ... 18
    Next Steps ... 19
CHAPTER 7: CONCLUSION ... 20
    Keys for Success ... 20
Chapter 1: Introduction
The intention of this document is to help the organization conduct a Risk Assessment, which identifies current risks and threats to the business, and implement measures to eliminate or reduce those potential risks. This document provides guidance on how to conduct the Risk Assessment, analyze the information that is collected, and implement strategies that will allow the business to manage the risk.

The following documents are available to help the business complete the assessment:
- Risk Assessment Template
- Risk Assessment Worksheet
- Facility RA Findings Report
- Executive RA Findings Report
- Examples of Preventative Measures

The Risk Assessment is only part one of an overall Business Assessment. A Business Assessment is separated into two constituents, Risk Assessment and Business Impact Analysis (BIA). The Risk Assessment is intended to measure present vulnerabilities to the business's environment, while the Business Impact Analysis evaluates probable loss that could result during a disaster. To maximize the Risk Assessment, a Business Impact Analysis should also be completed.

For more information regarding the Business Impact Analysis, please use the Guide to Conducting a Business Impact Analysis. If this document was not included with this package, it can be purchased from http://www.traininghipaa.net.

Compliance
To protect shareholder confidence, customers, employees, and the organization, companies are responsible for implementing preventative and protective measures to safeguard against disasters, business interruptions, and risks. Many industries are governed by different requirements set forth by regulatory bodies. This guide will help meet the requirements for business continuity and disaster recovery planning implemented by the following industry standards:
- Sarbanes-Oxley (SOX)
- ISO 17799 (Section 11, Business Continuity Standard)
- FFIEC requirements for Business Continuity Planning
- NIST for Technology Recovery Planning

Please note: this guide is not all-encompassing for the above industry standards. In order to meet these requirements, the organization must implement a fully mature Business Continuity Planning Program. However, conducting a Risk Assessment is one of the first steps in implementing Business Continuity Planning.
Scope
The RA is performed to identify potential risks, threats, and the vulnerability of the business to these risks. The Risk Assessment process provides the foundation for the entire Contingency Planning effort. The goal of Contingency Planning is to safeguard the business in the event that all or portions of its operations and/or computer services are rendered unusable. Each facility that the business owns or operates in should be analyzed to determine the potential risk and impact related to various threats.

Once the data is collected, an analysis of all facilities' risks, threats, and vulnerabilities will be completed. A final report will be developed with recommendations for mitigation activities and presented to executive management. If a Business Impact Analysis is conducted, the recovery strategies will be presented as well. This will allow the business leaders to determine what recovery strategies and solutions will be implemented.
Chapter 2: Risk Assessment
A Risk Assessment (RA) is identifying, analyzing and weighing all the potential risks, threats, and hazards to the business's internal and external environment. The assessment discovers if a facility (building) is vulnerable to weather-related events, HVAC failure, internal or external security vulnerabilities, and local area hazards. In addition, the RA allows a business to document what mitigating actions have been taken to manage these exposures. By identifying the threats that currently are being mitigated versus threats that are not, a business can compile a list of recommendations for improvement. Data can be collected by utilizing questionnaire (survey) tools, interviews, and discussions.

To be successful, any risk assessment has to concentrate on the local identifiable issues relating to the business. Before exploring other concerns, concentrate on the most realistic risks and threats that currently exist in the business environment. This can include factors such as:
- The nature of the business
- Surrounding area of facility
- The construction of the facility
- Common weather patterns
- Technology dependencies

Objectives of the Risk Assessment
During the Risk Assessment, risks and threats to the business will be identified and evaluated. The vulnerability of the business to these risks will be rated. Additionally, the RA will:
- Identify what prevention practices are being used
- Define and implement safeguards to mitigate risks
- Conclude the overall risk to the business
- Build a case for strategy selections

Once the assessment is completed, the business can make decisions regarding methods of mitigating risks or selection of recovery strategies. By completing a Risk Assessment and Business Impact Analysis, the business can implement the best strategies for Contingency Planning.

Develop a Project Plan
The success of a RA will depend on a well-defined project plan. The project plan should define key members, objectives, and the steps that will need to be followed for the success of the project. A three-phased approach has been defined for this guide. During the first phase, identify the project team, key facility representatives, and define the scope and objectives.
In the second phase, data collection is completed. If using questionnaire and face-to-face interviews, those will be done during this process. Facility risks, threats and vulnerabilities will be identified, and mitigation activities defined. Additionally, the level of potential impact to the facility is estimated.

The third phase is for analyzing the data, reviewing the findings with the facility managers, and determining vulnerability for the entire facility.

The fourth phase is for creating the final facility and executive management reports. Presentation of the findings will be done during this phase as well. If a Business Impact Analysis has been completed, the results can be reported with the RA findings together.

This diagram shows the phases necessary for completing a Risk Assessment. The entire process should be conducted in each phase and repeated at least every two years. There may be additional activities that need to take place during Phase Two. Some of those actions are:
- Review internal plans and policies
- Meet with outside groups
- Identify assets
- Conduct an insurance review

[Diagram: Phase One: Project Plan Development -> Phase Two: Identify Risks, Threats, and Vulnerabilities (gather data) -> Phase Three: Analyze the data and determine vulnerability -> Phase Four: Report findings]
What should be included?
Despite the prevention practices employed, potential hazards that are existent and could result in a loss to the business need to be considered. Even though the exact nature of these exposures and their consequences are tough to determine, it is valuable to conduct a risk assessment of all threats that can logically happen.

All locations and facilities should be included in the risk assessment. Surrounding businesses, local fire, police, and community utilities should also be included in the assessment. Additionally, any vendor-provided service that is critical to the business should be evaluated.
Chapter 3: Phase One (Project Development)
Scope
The project team will need to define the project scope. The scope determines the rules under which the project is executed. The scope can include:
- What facilities will be involved
- What data will be gathered
- Time frame for completing the project
- Responsibilities for those involved
- Steps necessary to complete the project

The scope should be formally documented in a project plan and distributed to all key participants of the project. A high-level overview of the project plan can be created and sent to executive management.

Objectives and Deliverables
Defining the objectives and deliverables of the project is essential. The objectives of a risk assessment that were identified in Chapter 2 can be used as an example.

Method of Collection
There are numerous ways to collect data during a RA. The first method is by sending out questionnaires (surveys) for each facility manager to complete. These questionnaires will ask questions in regard to facility risks, technology risks, potential man-made risks, and weather-related risks.

The second method is a face-to-face interview. During the interview, the project team can use the completed questionnaire to get more detailed information about the criticality of the facility, potential threats and risks, and vulnerabilities.

Identify People
Project Team
A project team must be established to support the RA project from beginning to end. This team will be responsible for data gathering/collection, conducting face-to-face interviews, analyzing the collected data, creating the final executive report and making final recommendations to executive management. A project manager should be identified. The project manager is responsible for coordinating day-to-day activities and resource management for the project.
Project Sponsor
For this project to be successful, a project sponsor must be identified. The project sponsor's role is to make certain that the project participants in the business unit clearly understand their responsibilities to the project.

Key Facility Leadership (Participants)
After identifying the project sponsor, project manager and project team, identify all facilities owned or occupied by the business. Each facility should provide an experienced person to complete the surveys and attend the interview sessions.

Interview Order
Using the list of facilities and key participants defined earlier, it is a good idea to schedule the facilities to complete the RA process. Both clinical and non-clinical facilities should be involved with the RA process. Even if the facility is not critical, an interview and/or questionnaire must be conducted.

Examples of facilities to interview: Corporate Headquarters, Data Centers, Leased offices, Records Storage Facility, Administration buildings, etc.

Create Schedule
A schedule of interviews should be developed according to the facility participants' availability. This schedule will allow each participant to know the date and time to be present for the face-to-face interview. The questionnaire should be sent out at least one month in advance of the face-to-face interview. A return date should be provided to the person responsible for filling out the survey. This will give the responder time to gather the data and get it back to the project team. By doing a pre-interview questionnaire, the project team can customize the questions for the face-to-face interview, based on the information provided by the business unit.

Once the questionnaire has been returned to the project team, a detailed list of questions can be prepared for the face-to-face interview. The interview process should be scheduled for one hour. During the interview, it is important to take notes based on the interviewee's responses to the questions. After the interview, compile any notes taken and the responder's questionnaire, and send them back to the interviewee to ensure the accuracy of the data gathered.
Chapter 4: Phase Two (Data Gathering)
The process of identifying risks, threats, and the probability of occurrence is vital during the Risk Assessment process. In addition, identifying the potential impact to the business is necessary to prepare preventative measures and create recovery strategies. Risk identification also provides a number of other advantages, including:
- Exposes previously overlooked vulnerabilities that need to be addressed by plans and procedures
- Identifies where preventative measures are lacking or need to be reevaluated
- Can point out the importance of contingency planning to get staff and management on board
- Will assist in documenting interdependencies between departments and increase communication between internal groups
- Can also point out single points of failure between critical departments

This Risk Assessment guide focuses on three categories of risk. Restricting the categories allows the business to focus on identifying risks that are common. In the attached Risk Assessment Survey, the categories include Natural Risks, Man-Made (Human) Risks, and Environmental Risks. These are certainly not the only categories to consider and should not be constraining. If a risk is not available in the template, additional categories can be added.

Identifying Risks and Threats
The nature of a risk or threat should be determined, regardless of the type. Factors to consider should include (but are not limited to):
- Geographic location
- Weather patterns for the area and surrounding areas
- Internal hazards (HVAC, facility security, access, etc.)
- Proximity to local response or support units
- External hazards (neighboring highways, plants, etc.)

Potential exposures may be classified as natural, man-made or environmental. Examples include:
- Natural Threats: flooding, high winds, severe storms, tornado, hurricane, fire, snow storms, ice storms, epidemic
- Man-made (human) Threats: bomb threats, vandalism, terrorism, civil disorder, sabotage, hazardous waste, work stoppage (internal/external), computer crime
- Environmental Threats: HVAC failure, malfunction/failure of system software, failure of applications/hardware, telecommunications failure, power failure
Probability of Occurrence
Types of regularly occurring natural disasters are typically well known within a community and can often be researched easily. The history of weather-related events serves as a valuable resource for ranking probability and risk.

Possibilities of disasters due to man-made events are many and varied. Events may be accidental or planned incidents designed to wreak havoc. Man-made events must be carefully considered and not dismissed because "it has never happened here."

Businesses have become increasingly dependent on technology to provide daily business operations. As a result, failure(s) of technology systems can easily put a facility into an internal state of disaster. To determine the probability of these events, one must examine the internal technology components in the facility and the availability of backup systems to compensate for failure.

Vulnerability to Risk
For each risk that has been identified, the vulnerability of the business to this threat must be established. Identifying the vulnerability to a risk determines the adverse effects of a given threat to the business. The analysis of this information helps determine who is most likely to be affected, what is most likely to be destroyed or damaged, and what capacities exist to cope with the effects of the risk/threat.

Potential Impact
The potential impact to the business operations needs to be estimated for each risk or threat. Potential impact could include lost revenue, disruption of services, threat to life and/or health safety, damage or failure of technologies, legal ramifications, loss of community trust, etc.

Preventative Measures in Place
Another step is to evaluate the business's current level of mitigation activities that are in place. Mitigation is the act of implementing preventative measures or procedures to reduce or eliminate potential risks. Some examples of preventative measures are:
- Fire / smoke detection and alarm systems are in place and are monitored on a continual basis
- Employees are trained in evacuation procedures
- Data and vital records are backed up and stored off-site
- Arrangements are made for snow and ice removal from parking lots, walkways, loading docks, etc.

Businesses have done disaster planning for many years and most are well prepared to manage many types of emergencies. The scope of disaster planning is continually changing and the typical business will find at least some risks for which improvements are necessary.
Insurance Coverage
The business may carry insurance to compensate for losses suffered as a result of some emergencies. Backup systems may also be thought of as insurance protecting against certain occurrences. The availability of insurance coverage or backup systems should be factored into the determination of the current risk assessment.

Past Experiences
A helpful tool in determining potential risks or threats to the business is to reflect on the previous history of disruptions, outages, productivity loss, etc. Any type of incident that impacted the daily operations of the business should be documented. The date and outage time should also be provided as reference.
Chapter 5: Phase Three (Analyze the Data)
Once the Risk Assessment Survey(s) and face-to-face interviews have been conducted, the next step is to analyze and present the results to Executive Management. Analysis of data can be a time-consuming and tedious process, especially with an enormous amount of data, but it is critical to the RA process. The analysis will be the foundation for planning recommendations to Executive Management. The recovery strategies that need to be developed should be based on the findings of the Risk Assessment Survey and interviews, as well as the Business Impact Analysis findings.

Review Survey and Interview Notes
The facility(s) questionnaire and any notes taken during interviews must be analyzed. The purpose of analyzing all the data is to create an overview of all the business's potential risks, vulnerabilities, and preventative measures that are currently in place. This is the information that is most important and will be reported directly to Executive Management. Without this information, the business will not be able to make appropriate decisions concerning contingency planning.

Follow-up Meetings
When reviewing the data from the survey(s) and/or face-to-face interviews, create a list of questions for follow-up meetings. Each respondent to the survey should be scheduled for a follow-up meeting. These meetings should not require more than an hour each. Prior to the meeting, send a detailed list of the questions concerning the individual department.

The follow-up meeting provides an opportunity to make sure that all data was captured and analyzed correctly. If there are gaps or questions, usually a follow-up meeting can obtain the needed information (to close the gap) or provide more detailed data.
Report the Results
Once the survey and interviews have been completed, issuing a report to each facility manager is important. The report ensures that the information gathered during the survey and interview process has been interpreted and documented accurately. The report should contain the following information:
- Respondent information
- Overview of the facility's business operations
- Previous disruption history & details
- Risks & Vulnerabilities
    - Natural Risks
    - Man-Made Risks
    - Environmental Risks
    - Facilities Risks
- Preventive measures that are in place
- Overall risk rating for each facility

If only one facility was surveyed and interviewed, an individual facility report probably will not be necessary. The Executive Risk Assessment Report will work for just one facility.
Chapter 6: Phase Four (Final Report and Presentation)
Begin the final report with an executive overview of the risk assessment project. The overview will explain the objectives of the project, scope and approach used. At the end, provide a summary review of the existing potential hazards.

Creation of Executive Report
The data gathered during the risk assessment will form the foundation for the final report. The purpose is to provide executive management with enough information to make them comfortable in endorsing the recommended strategies, actions, and budgets, or to accept the level of risk by not implementing recovery strategies. The report should include graphs, which visually demonstrate the findings. However, do not overuse graphs. Too many graphs can make the report confusing. Provide graphs for overall information on the departments, financial impact, etc.

Previous Disruption History
Provide details about the previous disruptions that have been experienced by each facility. This is information that was obtained during the survey and interview process. Provide a high-level overview of the disruption, the date (if possible) and a few details about the disruption.

Risks and Vulnerabilities
Document the facility rankings for each risk or threat and vulnerabilities that were identified in the survey. Document the ranking for each type of risk. Stress the importance of implementing mitigating measures for those risks that are in the high or extremely high category.

Preventative Measures
Provide information about the preventative measures that are currently in place at the facility. These measures reduce the amount of vulnerability or potential impact from associated risks or threats.

Presenting the Results
A presentation to executive management should be held to discuss the findings of the risk assessment. If a Business Impact Analysis was performed, it is desirable to hold the presentation for the findings together. Generally, executive management is not interested in every specific detail about the Risk Assessment process or entire survey results, so keep the information high level.
Next Steps
Now that executive management has been presented the results of the Risk Assessment (and BIA if applicable), decisions around the following need to be made:
- Mitigate potential hazards and risks (found in the Risk Assessment)
- Select recovery strategies to minimize the potential loss that could result from a business interruption

Recovery strategies are the strategies selected to mitigate the potential impacts resulting from a disruption to business operations. Once a recovery strategy is selected, business units can start documenting recovery plans, implementing recovery procedures, and educating employees on what to do during a disaster or emergency.
Chapter 7: Conclusion
The Risk Assessment process is an essential phase of Contingency Planning. The possibility of a disaster impacting a business is unpredictable. The business should implement a comprehensive Contingency Planning Program and develop recovery plans that encompass all critical operations and functions of the business.

Keys for Success
To make the Risk Assessment process a success, executive management commitment, effective data gathering tools, availability of key resources, and access to critical data are required.

Executive Management Support
If a lack of executive management commitment exists, it will be tough scheduling interviews and obtaining the required information in an efficient manner. Before kickoff of the risk assessment, get executive management's buy-in. Put together a presentation showing the benefits of the risk assessment and ultimately, the contingency planning program. By selling the benefits of the risk assessment and getting management on board, the risk assessment process will flow more efficiently.

Effective Data Gathering Tools
Using effective data gathering tools (surveys, checklists, etc.) is critical to the process. If surveys contain questions that are irrelevant or unrealistic, key personnel may become disengaged or lose patience. This can lead to an abrupt end to the process.

Key Resources
All facilities owned or occupied by the business must be represented in the interview process, not just headquarters or the main facility. In addition, ensure interviews are done with the appropriate staff. Each facility should be represented by a senior member who has the best understanding of what each facility does, its exposures, and vulnerabilities. This senior member can include other staff members as part of the process, but he or she must be in attendance.

Critical Data
Gathering critical data is crucial to the risk assessment process. If standard operating procedures currently exist, review them first. This will help save time and provide a basic understanding of daily business operations. Most importantly, stress that the information being gathered is only for the sake of the contingency planning effort, nothing else.
Executive Report
Once all the data is gathered and analyzed, compile an executive management report. This report must be reviewed with the executive management team, CEO or highest executive(s) available. Based on the comments of the executive staff, the findings should be modified.