Identified Risks
Further Actions
VH
No
VH
VH
VH
H
H
No
No
No
No
No
No
Yes
Yes
Yes
Yes
Yes
Yes
M
M
M
L
L
L
Opportunities for improvement
Assigned To
(N = Not generally applied or only applied in isolated situations, for example in less than 20% of cases; P = Partially applied, not usually documented or applied in less than 50% of cases; L = Largely applied, formally documented and largely repeatable or applied in up to 85% of cases; F = Fully applied, formally documented and fully repeatable or applied in more than 85% of cases.)
Risk level
(L, M, H or VH - see Sheet 1)
Likelihood
(A, B, C, D or E - see Sheet 1)
Risk Statement
Issue Date:
VH
VH
VH
VH
H
H
H
M
M
M
L
L
L
Risk Assessment
Determining the Level of Risk
This worksheet can be used to identify the level of risk and help to prioritize any interventions or control measures.
Step 1. Determine your risk appetite: establish your areas of consideration ("things you value") and your acceptability thresholds.
Consider the consequences and likelihood for each of the identified risks and use the matrix* below to establish a risk level.
NB: This workbook will record the quality of your planning process - it will not ensure it.
Consequence Criteria
The "area of consideration" example used below is injury to people.
Likelihood
You should copy this template and adjust these criteria for each "thing you value".
1 Insignificant
2 Minor
Dealt with by in-house first aid, etc.
3 Moderate
4 Major
5 Catastrophic
Death. Permanent disabling injury (e.g. blindness, loss of hand/s, quadriplegia)
A-
Medium (M)
High (H)
High (H)
B-
Medium (M)
Medium (M)
High (H)
High (H)
C-
Low (L)
Medium (M)
High (H)
High (H)
High (H)
D-
Low (L)
Low (L)
Medium (M)
Medium (M)
High (H)
E-
Low (L)
Low (L)
Medium (M)
Medium (M)
High (H)
Matrix* from page 55 of HB 436:2004 issued by Standards Australia to support the Australia / New Zealand Standard for Risk Management (AS/NZS 4360)
This document is a sample Vulnerability Assessment Tool. It is not a substitute for a comprehensive emergency preparedness program. Individuals or entities using this tool are solely responsible for any hazard assessment and compliance with applicable laws and regulations.
Instructions
Print this sheet (two pages) and use when completing sheets 2, 3 & 4.
Evaluate potential for event & response among the following categories using
the hazard specific scales in sheets 2c & 2d of this Workbook.
Assume each event or incident occurs at the worst possible time.
Sheet 2b informs Business Impact considerations.
Please note specific score criteria on each work sheet to ensure accurate recording.
Issues to consider for chance of occurrence include, but are not limited to:
1 Known risk
2 Historical data
3 Manufacturer/vendor statistics
Issues to consider for response include, but are not limited to:
1 Time to marshal an on-scene response
2 Scope of response capability
3 Historical evaluation of response success
Issues to consider for human impact include, but are not limited to:
1 Potential for staff death or injury
2 Potential for public death or injury
Issues to consider for property impact include, but are not limited to:
1 Cost to replace
2 Cost to set up temporary replacement
3 Cost to repair
4 Time to recover
Issues to consider for business impact include, but are not limited to:
1 Business interruption
2 Employees unable to report to work
3 Customers unable to reach facility
4 Company in violation of contractual agreements
5 Imposition of fines and penalties or legal costs
6 Interruption of critical supplies
7 Interruption of product distribution
8 Reputation and public image
9 Financial impact/burden
Issues to consider for preparedness include, but are not limited to:
1 Status of current plans
2 Frequency of drills
3 Training status
4 Insurance
5 Availability of alternate sources for critical supplies/services
Issues to consider for internal resources include, but are not limited to:
1 Types of supplies on hand/will they meet need?
2 Volume of supplies on hand/will they meet need?
3 Staff availability
4 Coordination & Communication capability
5 Availability of back-up systems
6 Internal resources ability to withstand disasters/survivability
Issues to consider for external resources include, but are not limited to:
1 Types of agreements with community agencies/drills?
2 Coordination with local and state agencies
3 Coordination with proximal health care facilities
4 Coordination with treatment specific facilities
5 Community resources
Complete worksheets for all Hazards.
The summary section will automatically provide your specific and overall risk profile.
Notes developed from work by Kaiser Permanente.
Completed by:
Title:
Phone:
Date Received:
Reviewed by:
Date Reviewed:
1) Business Unit:
2) Business Function:
I or E
1
2
3
4
5
6
5) Operational Detail:
Hours of Operation:
Peaks:
Annually
Quarterly
Monthly
Weekly
Daily
Request
Internat'l (Y
or N)
How long could you operate in a manual mode before systems become available? (Consider the amount of backlogged and missing data.)
When were the procedures for operating in a manual mode last updated?
What additional resources are needed to perform your mission critical business processes manually (i.e. additional staff, forms, phone, manual accounting, log sheets, etc.)?
In the event of a disruption, there would be some "lost data or transactions". Describe the data loss for this function. Could lost data or "work in progress" transactions be recovered?
When were the procedures for recovering lost data last updated?
If lost data could not be recovered, what is the potential impact to your business function and on the entire company?
10
Are there data integrity or specific balancing procedures to verify the integrity of the restored and/or reconstructed data?
11
12
13
14
Do you rely on data (information) that is not electronic? Specify the data and the type of media (i.e. contracts, forms, personnel records, etc.).
15
16
Are documented procedures for business function processes, recovery of lost data and balancing stored offsite?
17
Do you rely on specialised or unique equipment to perform your critical processes? If yes, list equipment.
18
Summarise exposures and risks that management should be aware of in the event of a disruption:
1
Who do you rely on for input?
2
Who relies on you for output?
List the type of data and where it comes from (i.e. Sales invoices from Sales, internal, fax & mail)
Specify (IT, Internal dept, or External/3rd Party Name)
Internat'l (Y
or N)
Internat'l (Y
or N)
List the type of data and where you are sending it to.
(e.g. Sales Revenue to Banks)
What operations do outside resources perform to assist this function (e.g. do you outsource cheque printing, report distribution, nightly processing, batch
processing, master CD production, etc.)?
Identify and explain any specific legal, regulatory, contractual, and compliance issues or consequences (e.g. government agency obligations, customer
contracts, Service Level Agreements etc.):
Legal
Regulatory
Contractual
Compliance
A Maximum Tolerable Outage is defined as the maximum elapsed time an application or process can sustain an interruption from the time a crisis is identified
to the restoration of service.
RPO
A Recovery Point Objective is defined as the maximum data loss this application or process can sustain and still be satisfactory (for the corporate business
goals).
In your opinion, what is the MTO for this business function? Please insert MTO in one box below.
< 1 Day
< 2 Days
< 5 Days
< 10 Days
Do you rely on computers only?
Do you rely on computers and telephone?
30 Days +
Chance of Occurrence; Speed of Onset; Duration of Impact; Impact on Property; Impact on People; Pre-Impact Planning; Awareness Level; Resources Capability
2.5
Total
Natural Events
Avalanche: 0.0
Biological: 2.6
Drought: 0.0
Dust/Sand Storm: 0.0
Earthquake: 4.2
Extreme Heat/Cold: 0.0
Fire (forest, range, urban): 0.0
Flood/Wind driven water: 3.2
Hurricane: 0.0
Landslide: 0.0
Lightning Storm: 0.0
Snow/Ice/Hail: 0.0
Tornado: 0.0
Tsunami: 0.0
Volcanic Eruption: 0.0
Windstorm/Tropical Storm: 4.1
Technological/Industrial Events
Building/Structure Collapse: 0.0
Business Interruption: 0.0
Dam/Levee Failure: 0.0
Explosions/Fire: 0.0
Extreme Air Pollution: 0.0
Financial Collapse: 0.0
Fuel/Resource Shortages: 0.0
Hazardous Material Releases: 0.0
Power/Utility Failure: 0.0
Radiological Accidents: 0.0
Transportation Accidents: 0.0
Civil/Political Events
Civil Unrest: 0.0
Eco-Terrorism: 0.0
Economic: 0.0
Enemy Attack: 0.0
General Strike: 0.0
Hostage Situation(s): 0.0
Sabotage: 0.0
Terrorism: 0.0
KEY
High Risk: Greater than 3.5
Medium Risk: 2.0 to 3.5
Low Risk: Less than 2
Analysis of Results: You should consider strengthening your preparedness capability.
If your snapshot indicates a level of concern re vulnerability you may want to consider capacity building processes.
Target Visibility
Target Utility
Asset Accessibility
Asset Mobility
Presence of Hazardous Materials
Collateral Damage Potential
Site Population
very low
K
4
Score
widely known
4.0
very high
4.5
4.5
fixed in place
5.0
locally known
low
medium
high
open access
0.0
no risk
moderate risk in 1 Km r
4.0
500 - 1000
> 5000
3.0
TOTAL
25.0
Analysis of Results: If vulnerability is high, you may want to consider strengthening preparedness capability.
emergencyriskmanagement.com is at your service with planning guidelines and consultancy services.
Considerations regarding how to use the Risk Rating to prioritise and implement action plans.
Once the level of risk has been determined the following table may be of use in determining when to act to intervene and institute the control measures.
RISK LEVEL
Very High
High
Medium
Low
Hierarchy of Control
Remove the hazard at the source. An identified very high risk does not allow scope for the use of administrative controls, even in the short term.
If these controls are not immediately accessible, set a timeframe for their
implementation and establish interim risk reduction strategies for the period of the
set timeframe.
NOTE: Risk (and not cost) must be the primary consideration in determining the timeframe.
Take reasonable steps to mitigate and monitor the risk. Institute permanent controls
in the long term. Permanent controls may be administrative in nature if the hazard
has low frequency, rare likelihood and insignificant consequence.
Interventions identified may be a mixture of the hierarchy in order to provide as low as reasonably practicable exposure.
Elimination
Substitution
Provide an alternative that is capable of performing the same task and is safer to use.
Engineering Controls
Administrative Controls
The "Hierarchy of Control" can be useful, as can other heuristic devices such as "Prevention, Preparedness, Response & Recovery" or "Engineering, Education, Encouragement, & Enforcement". As a general approach, a "mix of interventions" usually provides the best result.