
XYZ SITE / PROJECT Risk Register

Issue Date:
Future Review date:

Page 1 of 14

Record by rows and cells as necessary.

Columns of the register:

Identified Risks
    Reference - Issue No. and/or Risk Statement (e.g. description of each specific risk scenario with regard to people, information, physical assets, finances, reputation, and any other "things you value")

Analysis & Evaluation
    Consequence (1, 2, 3, 4, or 5 - see Sheet 1)
    Likelihood (A, B, C, D or E - see Sheet 1)
    Risk level (L, M, H or VH - see Sheet 1)
    Accept Risk (Yes or No)

Existing controls described & evaluated
    What we are doing now to manage this risk.
    Effectiveness of our strategies (N = Not generally applied or only applied in isolated situations, for example in less than 20% of cases; P = Partially applied, not usually documented or applied in less than 50% of cases; L = Largely applied, formally documented and largely repeatable or applied in up to 85% of cases; F = Fully applied, formally documented and fully repeatable or applied in more than 85% of cases.)
    Revised Risk level (L, M, H or VH - see Sheet 1)

Further Actions
    Further Action Needed & Opportunities for improvement - Include milestone(s) & target date(s)
    Assigned To
Risk Assessment
Determining the Level of Risk
This worksheet can be used to identify the level of risk and help to prioritize any interventions or control measures.
Step 1. Determine your risk appetite: establish your areas of consideration ("things you value") and your acceptability thresholds.
Consider the consequences and likelihood for each of the identified risks and use the matrix* below to establish a risk level.
NB: This workbook will record the quality of your planning process - it will not ensure it.

Consequence Criteria
The "area of consideration" example used below is injury to people. You should copy this template and adjust these criteria for each "thing you value".

1 Insignificant    Dealt with by in-house first aid, etc
2 Minor            Medical help needed. Treatment by medical professional/hospital outpatient, etc
3 Moderate         Significant non-permanent injury. Overnight hospitalisation (inpatient)
4 Major            Extensive permanent injury (eg loss of finger/s). Extended hospitalisation
5 Catastrophic     Death. Permanent disabling injury (eg blindness, loss of hand/s, quadriplegia)

Likelihood
A - Almost certain to occur in most circumstances
B - Likely to occur frequently
C - Possible and likely to occur at some time
D - Unlikely to occur but could happen
E - May occur but only in rare and exceptional circumstances

Risk Matrix* (Likelihood down the side, Consequence across the top)

Likelihood   1 Insignificant   2 Minor       3 Moderate    4 Major          5 Catastrophic
A            Medium (M)        High (H)      High (H)      Very High (VH)   Very High (VH)
B            Medium (M)        Medium (M)    High (H)      High (H)         Very High (VH)
C            Low (L)           Medium (M)    High (H)      High (H)         High (H)
D            Low (L)           Low (L)       Medium (M)    Medium (M)       High (H)
E            Low (L)           Low (L)       Medium (M)    Medium (M)       High (H)

Matrix* from page 55 of HB 436:2004 issued by Standards Australia to support the Australia / New Zealand Standard for Risk Management (AS/NZS 4360)

Vulnerability Assessment Workbook

N.B. This document is a sample Vulnerability Assessment Tool. It is not a substitute for a comprehensive emergency preparedness program. Individuals or entities using this tool are solely responsible for any hazard assessment and compliance with applicable laws and regulations.

Instructions
Print this sheet (two pages) and use when completing sheets 2, 3 & 4.
Evaluate potential for event & response among the following categories using
the hazard specific scales in sheets 2c & 2d of this Workbook.
Assume each event/incident occurs at the worst possible time.
Sheet 2b informs Business Impact considerations.
Please note specific score criteria on each work sheet to ensure accurate recording.
Issues to consider for chance of occurrence include, but are not limited to:
1 Known risk
2 Historical data
3 Manufacturer/vendor statistics
Issues to consider for response include, but are not limited to:
1 Time to marshal an on-scene response
2 Scope of response capability
3 Historical evaluation of response success
Issues to consider for human impact include, but are not limited to:
1 Potential for staff death or injury
2 Potential for public death or injury
Issues to consider for property impact include, but are not limited to:
1 Cost to replace
2 Cost to set up temporary replacement
3 Cost to repair
4 Time to recover
Issues to consider for business impact include, but are not limited to:
1 Business interruption
2 Employees unable to report to work
3 Customers unable to reach facility
4 Company in violation of contractual agreements
5 Imposition of fines and penalties or legal costs
6 Interruption of critical supplies
7 Interruption of product distribution
8 Reputation and public image
9 Financial impact/burden


Issues to consider for preparedness include, but are not limited to:
1 Status of current plans
2 Frequency of drills
3 Training status
4 Insurance
5 Availability of alternate sources for critical supplies/services
Issues to consider for internal resources include, but are not limited to:
1 Types of supplies on hand/will they meet need?
2 Volume of supplies on hand/will they meet need?
3 Staff availability
4 Coordination & Communication capability
5 Availability of back-up systems
6 Internal resources ability to withstand disasters/survivability
Issues to consider for external resources include, but are not limited to:
1 Types of agreements with community agencies/drills?
2 Coordination with local and state agencies
3 Coordination with proximal health care facilities
4 Coordination with treatment specific facilities
5 Community resources
Complete worksheets for all Hazards.
The summary section will automatically provide your specific and overall risk profile.
Notes developed from work by Kaiser Permanente.

Questionnaire: Mapping Business Impact Vulnerability


This form captures a summary of the organisation's key functions, the things which rely on those functions and the things upon which those functions rely.
The information will provide input to our enterprise wide Business Impact Assessment (BIA) considerations.

Completed by:
Title:
Phone:

Date Received:
Reviewed by:
Date Reviewed:
1) Business Unit:

2) Business Function:

3) Mission Critical Business Processes:


A business process is a set of tasks that contribute to the operation of your business function. Please list the primary and most critical processes that are
performed by your business function.
1
2
3
4
5
6

4) Business Function Dependencies:

List the areas, business units, or customers, in priority order, that your critical processes support. Indicate if they are Internal or External to the organisation (I or E). Indicate if the customer dependency is outside the Region or Country (Internat'l: Y or N).

    Dependency                                  I or E    Internat'l (Y or N)
1
2
3
4
5
6

5) Operational Detail:
Hours of Operation:
Peaks: Annually / Quarterly / Monthly / Weekly / Daily / Request
Describe Peak Periods:
Total Number of Personnel Supporting this Function:
Number of People Needed for Critical Business Processes:

6) Business Function Information:

1 In the event your business function experiences an interruption (e.g. work area, phones, systems and software applications become suddenly unavailable) what manual processes or 'work around' procedures could be performed, if any, until systems are restored?

2 How long could you operate in a manual mode before systems become available? (Consider the amount of backlogged and missing data.)

3 Are there written procedures for operating in a manual mode?

4 When were the procedures for operating in a manual mode last updated?

5 What additional resources are needed to perform your mission critical business processes manually? (I.E. additional staff, forms, phone, manual accounting, log sheets, etc.?)

6 In the event of a disruption, there would be some "lost data or transactions". Describe the data loss for this function. Could lost data or "work in progress" transactions be recovered?

7 How will lost data be recovered?

8 Are there written procedures for recovering lost data?

9 When were the procedures for recovering lost data last updated?

10 If lost data could not be recovered, what is the potential impact to your business function and on the entire company?

11 Are there data integrity or specific balancing procedures to verify the integrity of the restored and/or reconstructed data?

12 Do you store critical data or information on your desktop or laptop?

13 How is this critical data backed up?

14 How often is the backup sent offsite?

15 Do you rely on data (information) that is not electronic? Specify the data and the type of media (ie. contracts, forms, personnel records, etc.)?

16 Is the non-electronic data backed-up (copied) and stored offsite?

17 Are documented procedures for business function processes, recovery of lost data and balancing stored offsite?

18 Do you rely on specialised or unique equipment to perform your critical processes? If yes, list equipment.

Summarise exposures and risks that management should be aware of in the event of a disruption:


7) Process Flow Information:

Consider the inputs and outputs while documenting this section. What business departments or third-party resources do you rely on and which ones rely on you to complete this function?

1 Who do you rely on for input?
    List the type of data and where it comes from (i.e. Sales invoices from Sales, internal, fax & mail)
    Specify (IT, Internal dept, or External/3rd Party Name)
    How is data received? (fax, phone, electronic)
    Internat'l (Y or N)

2 Who relies on you for output?
    List the type of data and where you are sending it to (e.g. Sales Revenue to Banks)
    Specify (IT, Internal dept, or External/3rd Party Name)
    How is data received? (fax, phone, electronic)
    Internat'l (Y or N)

What operations do outside resources perform to assist this function (e.g. do you outsource cheque printing, report distribution, nightly processing, batch processing, master CD production, etc.)?

How often? (i.e. hourly, daily, monthly, etc.)?

Identify and explain any specific legal, regulatory, contractual, and compliance issues or consequences (e.g. government agency obligations, customer contracts, Service Level Agreements etc.):

Legal
Regulatory
Contractual
Compliance

8) Timeframe for Recovery

MTO: A Maximum Tolerable Outage is defined as the maximum elapsed time an application or process can sustain an interruption from the time a crisis is identified to the restoration of service.

RPO: A Recovery Point Objective is defined as the maximum data loss this application or process can sustain and still be satisfactory (for the corporate business goals).

In your opinion, what is the MTO for this business function? Please insert MTO in one box below.
< 1 Day    < 2 Days    < 5 Days    < 10 Days    30 Days +

Do you rely on computers only?
Do you rely on computers and telephone?

Risk Identification & Assessment Tool

Notes: This tool profiles your vulnerability to various sources of risk (hazards - or extreme events). Using a scale of 1 to 5, likelihood of occurrence and impact potential are weighed against capability. The result is a calculation of risk. The highest score possible is 5.0. The lower the total score, the lower the overall risk (from the hazard).
Instructions: Please add or delete Hazards in Risk Source Column (B) to suit your particular context and location.
(The default list is developed from NFPA 1600 - Standard for Disaster/Emergency Management and Business Continuity Programs)
Score in each of the cells for each relevant hazard based on a scale of 0 to 5 - with 5 being the highest.
The more you have investigated and thought about impact and capability elements, the more accurate your assessment will be.
Impact: Based on worst-case scenario - impact on people, property, infrastructure & business should worst-case event occur.
After entering the attributed scores, sort the Total Column in descending order to profile your vulnerability.
Location; Facility; or Entity: (e.g. Our Building; or Our Company Pty Ltd; our Area)

Columns: Risk Source (Hazard) | Chance of Occurrence | Speed of Onset | Duration of Impact | Impact on Property | Impact on People | Pre-Impact Planning | Awareness Level | Resources Capability | Total

Risk Source (Hazard)                  Total
Natural Events
  Avalanche                           0.0
  Biological                          2.6
  Drought                             0.0
  Dust/Sand Storm                     0.0
  Earthquake                          4.2
  Extreme Heat/Cold                   0.0
  Fire (forest, range, urban)         0.0
  Flood/Wind driven water             3.2
  Hurricane                           0.0
  Landslide                           0.0
  Lightning Storm                     0.0
  Snow/Ice/Hail                       0.0
  Tornado                             0.0
  Tsunami                             0.0
  Volcanic Eruption                   0.0
  Windstorm/Tropical Storm            4.1
Technological/Industrial Events
  Building/Structure Collapse         0.0
  Business Interruption               0.0
  Dam/Levee Failure                   0.0
  Explosions/Fire                     0.0
  Extreme Air Pollution               0.0
  Financial Collapse                  0.0
  Fuel/Resource Shortages             0.0
  Hazardous Material Releases         0.0
  Power/Utility Failure               0.0
  Radiological Accidents              0.0
  Transportation Accidents            0.0
Civil/Political Events
  Civil Unrest                        0.0
  Eco-Terrorism                       0.0
  Economic                            0.0
  Enemy Attack                        0.0
  General Strike                      0.0
  Hostage Situation(s)                0.0
  Sabotage                            0.0
  Terrorism                           0.0

KEY
High Risk: Greater than 3.5
Medium Risk: 2.0 to 3.5
Low Risk: Less than 2
Analysis of Results: You should consider strengthening your preparedness capability.
If your snapshot indicates a level of concern re vulnerability you may want to consider capacity building processes.
2d. Vulnerability (Terrorism)

Facility "Inherent" Vulnerability Assessment Matrix (Terrorism)


Notes: Developed from FEMA Terrorism Planning Courses, this tool profiles indicators of inherent vulnerability to terrorism of an asset derived from the nature of that
asset. Suitable for contexts from plant to gathering places. Uses a scale of 1 to 5, to
Instructions: In the Table below Row 14, attribute a score of 0 to 5 against each CRITERIA for each ASSET under consideration in column K.
Asset Visibility is about how aware the general public is of the existence of the facility, site, system, or location
Target Utility is about how valuable the place might be in meeting the range of objectives of a potential terrorist or saboteur - the modern era has seen the focus expand
beyond politically iconic targets to pick up "soft" / cage rattling targets.
Asset Accessibility is about how accessible the place is to the public and service providers (builders, cleaners, food vendors, waste managers etc).
Asset Mobility is about whether the asset's location is fixed or mobile. If mobile, how often is it moved, relocated, or repositioned?
Presence of Hazardous Materials is about whether flammable, explosive, biological, chemical, and/or radiological materials are present on site.
Collateral Damage Potential is about the potential consequences for the surrounding area if the asset is attacked or damaged. This should include the domino effect on
lifelines - e.g. a dam failure may knock out utility infrastructure to a city / region.
Site Population is about the potential for mass casualties based on the maximum number of individuals on site at a given time.
Location; Facility; or Entity: ######### WORKED EXAMPLE ONLY

CRITERIA                          Descriptors (low to high)                                                                  Score
Target Visibility                 not well known / locally known / widely known                                              4.0
Target Utility                    very low / low / medium / high / very high                                                 4.5
Asset Accessibility               remote, secure perimeter, armed guards / open access, e.g. "drive up" parking              4.5
Asset Mobility                    moves frequently / fixed in place                                                          5.0
Presence of Hazardous Materials   none / limited quantities, secure loctn / large quantities, some controls / open access    0.0
Collateral Damage Potential       no risk / moderate risk in 1 Km r / high risk beyond 1 Km r or domino                      4.0
Site Population                   500 - 1000 / > 5000                                                                        3.0
TOTAL                                                                                                                        25.0

KEY for each CRITERIA
High Risk: Greater than 3.5
Medium Risk: 2.0 to 3.5
Low Risk: Less than 2

KEY for the TOTAL re each ASSET
High Risk: Greater than 24.5
Medium Risk: 14.0 to 24.5
Low Risk: Less than 14

Analysis of Results: If vulnerability is high, you may want to consider strengthening preparedness capability.
emergencyriskmanagement.com is at your service with planning guidelines and consultancy services.

Considerations regarding how to use the Risk Rating to prioritise and implement action plans.
Once the level of risk has been determined the following table may be of use in determining when to act to intervene and institute the control measures.

RISK LEVEL: Very High
Act immediately to mitigate the risk. Either eliminate, substitute or implement engineering control measures. Remove the hazard at the source. An identified very high risk does not allow scope for the use of administrative controls, even in the short term.

RISK LEVEL: High
Act immediately to mitigate the risk. Either eliminate, substitute or implement engineering control measures. An achievable timeframe must be established to ensure that elimination, substitution or engineering controls are implemented. If these controls are not immediately accessible, set a timeframe for their implementation and establish interim risk reduction strategies for the period of the set timeframe.
NOTE: Risk (and not cost) must be the primary consideration in determining the timeframe.

RISK LEVEL: Medium
Take reasonable steps to mitigate the risk. Until elimination, substitution or engineering controls can be implemented, institute administrative or personal protective equipment controls. These lower level controls must not be considered permanent solutions.
Interim measures until permanent solutions can be implemented: Develop administrative controls to limit the use or access. Provide supervision and specific training related to the issue of concern. (See Administrative Controls below)

RISK LEVEL: Low
Take reasonable steps to mitigate and monitor the risk. Institute permanent controls in the long term. Permanent controls may be administrative in nature if the hazard has low frequency, rare likelihood and insignificant consequence.

Hierarchy of Control
Interventions identified may be a mixture of the hierarchy in order to provide as low as reasonably practicable exposure.

Elimination                     Eliminate the hazard.
Substitution                    Provide an alternative that is capable of performing the same task and is safer to use.
Engineering Controls            Provide or construct a physical barrier or guard.
Administrative Controls         Develop policies, procedures, practices and guidelines, in consultation with employees, to mitigate the risk. Provide training, instruction and supervision about the hazard.
Personal Protective Equipment   Personal equipment designed to protect the individual from the hazard.

The "Hierarchy of Control" can be useful - as can other heuristic devices such as "Prevention, Preparedness, Response & Recovery" or "Engineering, Education, Encouragement, & Enforcement". As a general approach, a "mix of interventions" usually provides the best result.
