
In Partnership with
Supremus Group, LLC

GUIDE TO CONDUCTING A RISK ASSESSMENT

SECOND EDITION

Risk Assessment Tools | Jamie Vance, CBCP

Guide to Conducting a Risk Assessment 2008

Legal Statement
The business has purchased Contingency Planning Guides, Templates, and Reports from Continuity Resources and Supremus Group, LLC. Templates and report documents are customizable with the business's information, logos, and confidential data. However, this statement and all copyright information (in footers) must remain in all documents.

Supremus Group LLC (SG) and Continuity Resources (CR) disclaim liability for any personal injury, property, or other damages of any nature whatsoever, whether special, indirect, consequential, or compensatory, directly or indirectly resulting from the publication, use of, or reliance on this document. In issuing and making this document available, SG and CR are not undertaking to render professional or other services for or on behalf of any person or entity. Nor are SG and CR undertaking to perform any duty owed by any person or entity to someone else. Anyone using this document should rely on his or her own independent judgment or, as appropriate, seek the advice of a competent professional in determining the exercise of reasonable care in any given circumstance.

This product is NOT FOR RESALE or REDISTRIBUTION in any physical or electronic format. The purchaser of this template has acquired the rights to use it for a SINGLE enterprise at one facility unless the user has purchased a multi-use license. Anyone who makes unlicensed copies of or uses the template or any derivative of it is in violation of United States and International copyright laws and subject to fines that are treble damages as determined by the courts. A REWARD of up to 1/3 of those fines will be paid to anyone reporting such a violation upon the successful prosecution of such violators.

The purchaser agrees that any derivative of this template will contain the following words within the first five pages of that document. The words are: "Derived from the Contingency Plan Template Suite of Supremus Group LLC and Continuity Resources. 2008 Copyright Supremus Group LLC and Continuity Resources."

Purpose of Guide
The Risk Assessment Guide is intended to provide businesses with the necessary tools to conduct a facility risk assessment. This guide focuses on identifying risks and threats in the following categories: Weather, Man-Made, and Technology. This guide is to be used in conjunction with the risk assessment templates and reports offered by Continuity Resources and Supremus Group, LLC.
2008 Supremus Group LLC and Continuity Resources | www.trainingHIPAA.net | Limited rights granted to licensee for internal use only | All other rights reserved | Page 2


Key Terminology
There can be terminology and definition differences in regard to risk assessment, business impact analysis, recovery planning, disaster recovery, disasters, impacts, etc. For the intent of this document, please apply the following definitions:

Business Impact Analysis: Process of identifying the critical business functions within the business and determining the impact of not performing those business functions.

Business Continuity Planning: Process of developing advance arrangements and procedures that enable an organization to respond to an event in such a manner that critical business functions continue with planned levels of interruption or essential change.

Customer/Operational Impact: Customer Impact measures the potential future impact of a service or operational outage. Operational Impact is the measure of loss to functions that would impact the production of products and services.

Disaster: A sudden, unplanned devastating event causing substantial damage or loss.

Disaster Recovery Planning: The technological aspect of business continuity planning. The advance planning and preparation that is necessary to minimize loss and ensure continuity of the critical business functions of an organization in the event of disaster.

Financial Impact: Financial impact measures the immediate revenue loss and cost exposures to the organization during a period a business cannot perform their daily operations and services.

Legal / Regulatory Impact: Legal and regulatory impact measures the legal ramifications and governmental financial and operational impact from service and operational outages.

Risk Assessment: Process of identifying and evaluating the hazards and risks that are present and analyzing the vulnerabilities of the business to these threats.

RTO: Recovery Time Objective. The maximum allowable time a process can be down following a disruptive event.

Revision History
The table below indicates revisions, deletions, additions, etc. that have been made to this document.

Version        | Description of Change         | Chap/Page    | Revised By       | Date
---------------|-------------------------------|--------------|------------------|-----------
2006.01        | Creation of Document          | All sections | Jamie McCafferty | 02.20.2006
Second Edition | Update of format and chapters | All Chapters | Jamie Vance      | 01.10.2008



Table of Contents
Legal Statement ........................................... 2
Purpose of Guide .......................................... 2
Key Terminology ........................................... 3
Revision History .......................................... 3

CHAPTER 1: INTRODUCTION ................................... 6
  Compliance .............................................. 6
  Scope ................................................... 7

CHAPTER 2: RISK ASSESSMENT ................................ 8
  Objectives of the Risk Assessment ....................... 8
  Develop a Project Plan .................................. 8
  What should be included? ............................... 10

CHAPTER 3: PHASE ONE (PROJECT DEVELOPMENT) ............... 11
  Scope .................................................. 11
  Objectives and Deliverables ............................ 11
  Method of Collection ................................... 11
  Identify People ........................................ 11
  Interview Order ........................................ 12

CHAPTER 4: PHASE TWO (DATA GATHERING) .................... 13
  Identifying Risks and Threats .......................... 13
  Probability of Occurrence .............................. 14
  Vulnerability to Risk .................................. 14
  Potential Impact ....................................... 14
  Preventative Measures in Place ......................... 14
  Insurance Coverage ..................................... 15
  Past Experiences ....................................... 15

CHAPTER 5: PHASE THREE (ANALYZE THE DATA) ................ 16
  Review Survey and Interview Notes ...................... 16
  Follow-up Meetings ..................................... 16
  Report the Results ..................................... 17

CHAPTER 6: PHASE FOUR (FINAL REPORT AND PRESENTATION) .... 18
  Creation of Executive Report ........................... 18
  Presenting the Results ................................. 18
  Next Steps ............................................. 19

CHAPTER 7: CONCLUSION .................................... 20
  Keys for Success ....................................... 20



Chapter 1: Introduction
The intention of this document is to help the organization conduct a Risk Assessment, which identifies current risks and threats to the business and implements measures to eliminate or reduce those potential risks. This document provides guidance on how to conduct the Risk Assessment, analyze the information that is collected, and implement strategies that will allow the business to manage the risk.

The following documents are available to help the business complete the assessment:
- Risk Assessment Template
- Risk Assessment Worksheet
- Facility RA Findings Report
- Executive RA Findings Report
- Examples of Preventative Measures

The Risk Assessment is only part one of an overall Business Assessment. A Business Assessment is separated into two constituents, Risk Assessment and Business Impact Analysis (BIA). The Risk Assessment is intended to measure present vulnerabilities to the business's environment, while the Business Impact Analysis evaluates probable loss that could result during a disaster. To maximize the Risk Assessment, a Business Impact Analysis should also be completed.

For more information regarding the Business Impact Analysis, please use the Guide to Conducting a Business Impact Analysis. If this document was not included with this package, it can be purchased from http://www.traininghipaa.net.

Compliance
To protect shareholder confidence, customers, employees, and the organization, companies are responsible for implementing preventative and protective measures to safeguard against disasters, business interruptions, and risks. Many industries are governed by different requirements set forth by regulatory bodies. This guide will help meet the requirements for business continuity and disaster recovery planning set out by the following industry standards:
- Sarbanes-Oxley (SOX)
- ISO 17799 (Section 11, Business Continuity Standard)
- FFIEC requirements for Business Continuity Planning
- NIST for Technology Recovery Planning

Please note: this guide is not all-encompassing for the above industry standards. In order to meet these requirements, the organization must implement a fully mature Business Continuity Planning Program. However, conducting a Risk Assessment is one of the first steps in implementing Business Continuity Planning.


Scope
The RA is performed to identify potential risks, threats, and the vulnerability of the business to these risks. The Risk Assessment process provides the foundation for the entire Contingency Planning effort. The goal of Contingency Planning is to safeguard the business in the event that all or portions of its operations and/or computer services are rendered unusable. Each facility that the business owns or operates in should be analyzed to determine the potential risk and impact related to various threats.

Once the data is collected, an analysis of all facilities' risks, threats, and vulnerabilities will be completed. A final report will be developed with recommendations for mitigation activities and presented to executive management. If a Business Impact Analysis is conducted, the recovery strategies will be presented as well. This will allow the business leaders to determine what recovery strategies and solutions will be implemented.

Chapter 2: Risk Assessment
A Risk Assessment (RA) is identifying, analyzing and weighing all the potential risks, threats, and hazards to the business's internal and external environment. The assessment discovers if a facility (building) is vulnerable to weather-related events, HVAC failure, internal or external security vulnerabilities, and local area hazards. In addition, the RA allows a business to document what mitigating actions have been taken to manage these exposures. By identifying the threats that currently are being mitigated versus threats that are not, a business can compile a list of recommendations for improvement. Data can be collected by utilizing questionnaire (survey) tools, interviews, and discussions.

To be successful, any risk assessment has to concentrate on the local identifiable issues relating to the business. Before exploring other concerns, concentrate on the most realistic risks and threats that currently exist in the business environment. This can include factors such as:
- The nature of the business
- Surrounding area of the facility
- The construction of the facility
- Common weather patterns
- Technology dependencies

Objectives of the Risk Assessment
During the Risk Assessment, risks and threats to the business will be identified and evaluated. The vulnerability of the business to these risks will be rated. Additionally, the RA will:
- Identify what prevention practices are being used
- Define and implement safeguards to mitigate risks
- Conclude the overall risk to the business
- Build a case for strategy selections

Once the assessment is completed, the business can make decisions regarding methods of mitigating risks or selection of recovery strategies. By completing a Risk Assessment and Business Impact Analysis, the business can implement the best strategies for Contingency Planning.

Develop a Project Plan
The success of a RA will depend on a well-defined project plan. The project plan should define key members, objectives, and the steps that will need to be followed for the success of the project. A three-phased approach has been defined for this guide. During the first phase, identify the project team and key facility representatives, and define the scope and objectives.

In the second phase, data collection is completed. If using a questionnaire and face-to-face interviews, those will be done during this process. Facility risks, threats and vulnerabilities will be identified and mitigation activities defined. Additionally, the level of potential impact to the facility is estimated.

The third phase is for analyzing the data, reviewing the findings with the facility managers, and determining vulnerability for the entire facility.

The fourth phase is for creating the final facility and executive management reports. Presentation of the findings will be done during this phase as well. If a Business Impact Analysis has been completed, the results can be reported together with the RA findings.

[Diagram: Phase One: Project Plan Development -> Phase Two: Identify Risks, Threats, and Vulnerabilities (gather data) -> Phase Three: Analyze the data and determine vulnerability -> Phase Four: Report the findings]

This diagram shows the phases necessary for completing a Risk Assessment. The entire process should be conducted in each phase and repeated at least every two years. There may be additional activities that need to take place during Phase Two. Some of those actions are:
- Review internal plans and policies
- Meet with outside groups
- Identify assets
- Conduct an insurance review


What should be included?
Despite the prevention practices employed, potential hazards that exist and could result in a loss to the business need to be considered. Even though the exact nature of these exposures and their consequences are tough to determine, it is valuable to conduct a risk assessment of all threats that can logically happen.

All locations and facilities should be included in the risk assessment. Surrounding businesses, local fire, police, and community utilities should also be included in the assessment. Additionally, any vendor-provided service that is critical to the business should be evaluated.


Chapter 3: Phase One (Project Development)
Scope
The project team will need to define the project scope. The scope determines the rules under which the project is executed. The scope can include:
- What facilities will be involved
- What data will be gathered
- Time frame for completing the project
- Responsibilities for those involved
- Steps necessary to complete the project

The scope should be formally documented in a project plan and distributed to all key participants of the project. A high-level overview of the project plan can be created and sent to executive management.

Objectives and Deliverables
Defining the objectives and deliverables of the project is essential. The objectives of a risk assessment that were identified in Chapter 2 can be used as an example.

Method of Collection
There are numerous ways to collect data during a RA. The first method is by sending out questionnaires (surveys) for each facility manager to complete. These questionnaires will ask questions in regard to facility risks, technology risks, potential man-made risks, and weather-related risks.

The second method is a face-to-face interview. During the interview, the project team can use the completed questionnaire to get more detailed information about the criticality of the facility, potential threats and risks, and vulnerabilities.

Identify People
Project Team
A project team must be established to support the RA project from beginning to end. This team will be responsible for data gathering/collection, conducting face-to-face interviews, analyzing the collected data, creating the final executive report and making final recommendations to executive management. A project manager should be identified. The project manager is responsible for coordinating day-to-day activities and resource management for the project.
Project Sponsor
For this project to be successful, a project sponsor must be identified. The project sponsor's role is to make certain that the project participants in the business unit clearly understand their responsibilities to the project.

Key Facility Leadership (Participants)
After identifying the project sponsor, project manager and project team, identify all facilities owned or occupied by the business. Each facility should provide an experienced person to complete the surveys and attend the interview sessions.

Interview Order
Using the list of facilities and key participants defined earlier, it is a good idea to schedule the facilities to complete the RA process. Both clinical and non-clinical facilities should be involved with the RA process. Even if the facility is not critical, an interview and/or questionnaire must be conducted.

Examples of facilities to interview: Corporate Headquarters, Data Centers, Leased offices, Records Storage Facility, Administration buildings, etc.

Create Schedule
A schedule of interviews should be developed according to the facility participants' availability. This schedule will allow each participant to know the date and time to be present for the face-to-face interview. The questionnaire should be sent out at least one month in advance of the face-to-face interview. A return date should be provided to the person responsible for filling out the survey. This will give the responder time to gather the data and get it back to the project team. By doing a pre-interview questionnaire, the project team can customize the questions for the face-to-face interview, based on the information provided by the business unit.

Once the questionnaire has been returned to the project team, a detailed list of questions can be prepared for the face-to-face interview. The interview process should be scheduled for one hour. During the interview, it is important to take notes based on the interviewee's responses to the questions. After the interview, compile any notes taken together with the responder's questionnaire, and send them back to the interviewee to ensure the accuracy of the data gathered.

Chapter 4: Phase Two (Data Gathering)
The process of identifying risks, threats, and the probability of occurrence is vital during the Risk Assessment process. In addition, identifying the potential impact to the business is necessary to prepare preventative measures and create recovery strategies. Risk identification also provides a number of other advantages, including:
- Exposes previously overlooked vulnerabilities that need to be addressed by plans and procedures
- Identifies where preventative measures are lacking or need to be reevaluated
- Can point out the importance of contingency planning to get staff and management on board
- Will assist in documenting interdependencies between departments and increase communication between internal groups
- Can also point out single points of failure between critical departments

This Risk Assessment guide focuses on three categories of risk. Restricting the categories allows the business to focus on identifying risks that are common. In the attached Risk Assessment Survey, the categories include Natural Risks, Man-Made (Human) Risks, and Environmental Risks. These are certainly not the only categories to consider and should not be constraining. If a risk is not available in the template, additional categories can be added.

Identifying Risks and Threats
The nature of a risk or threat should be determined, regardless of the type. Factors to consider should include (but are not limited to):
- Geographic location
- Weather patterns for the area and surrounding areas
- Internal hazards (HVAC, facility security, access, etc.)
- Proximity to local response or support units
- External hazards (neighboring highways, plants, etc.)

Potential exposures may be classified as natural, man-made or environmental. Examples include:
- Natural Threats: flooding, high winds, severe storms, tornado, hurricane, fire, snow storms, ice storms, epidemic
- Man-made (human) Threats: bomb threats, vandalism, terrorism, civil disorder, sabotage, hazardous waste, work stoppage (internal/external), computer crime
- Environmental Threats: HVAC failure, malfunction/failure of system software, failure of applications/hardware, telecommunications failure, power failure


Probability of Occurrence
Types of regularly occurring natural disasters are typically well known within a community and can often be researched easily. The history of weather-related events serves as a valuable resource for ranking probability and risk.

Possibilities of disasters due to man-made events are many and varied. Events may be accidental or planned incidents designed to wreak havoc. Man-made events must be carefully considered and not dismissed because "it has never happened here."

Businesses have become increasingly dependent on technology to provide daily business operations. As a result, failure(s) of technology systems can easily put a facility into an internal state of disaster. To determine the probability of these events, one must examine the internal technology components in the facility and the availability of backup systems to compensate for failure.

Vulnerability to Risk
For each risk that has been identified, the vulnerability of the business to this threat must be established. Identifying the vulnerability to a risk determines the adverse effects of a given threat to the business. The analysis of this information helps determine who is most likely to be affected, what is most likely to be destroyed or damaged, and what capacities exist to cope with the effects of the risk/threat.

Potential Impact
The potential impact to the business operations needs to be estimated for each risk or threat. Potential impact could include lost revenue, disruption of services, threat to life and/or health safety, damage or failure of technologies, legal ramifications, loss of community trust, etc.

Preventative Measures in Place
Another step is to evaluate the mitigation activities that the business currently has in place. Mitigation is the act of implementing preventative measures or procedures to reduce or eliminate potential risks. Some examples of preventative measures are:
- Fire / smoke detection and alarm systems are in place and are monitored on a continual basis
- Employees are trained in evacuation procedures
- Data and vital records are backed up and stored off site
- Arrangements are made for snow and ice removal from parking lots, walkways, loading docks, etc.

Businesses have done disaster planning for many years and most are well prepared to manage many types of emergencies. The scope of disaster planning is continually changing, and the typical business will find at least some risks for which improvements are necessary.

Insurance Coverage
The business may carry insurance to compensate for losses suffered as a result of some emergencies. Backup systems may also be thought of as insurance protecting against certain occurrences. The availability of insurance coverage or backup systems should be factored into the determination of the current risk assessment.

Past Experiences
A helpful tool in determining potential risks or threats to the business is to reflect on the previous history of disruptions, outages, productivity loss, etc. Any type of incident that impacted the daily operations of the business should be documented. The date and outage time should also be provided as reference.

Chapter 5: Phase Three (Analyze the Data)
Once the Risk Assessment Survey(s) and face-to-face interviews have been conducted, the next step is to analyze and present the results to Executive Management. Analysis of data can be a time-consuming and tedious process, especially with an enormous amount of data, but it is critical to the RA process. The analysis will be the foundation for planning recommendations to Executive Management. The recovery strategies that need to be developed should be based on the findings of the Risk Assessment Survey and interviews, as well as the Business Impact Analysis findings.

Review Survey and Interview Notes
The facility questionnaire(s) and any notes taken during interviews must be analyzed. The purpose of analyzing all the data is to create an overview of all the business's potential risks, vulnerabilities, and preventative measures that are currently in place. This is the information that is most important and will be reported directly to Executive Management. Without this information, the business will not be able to make appropriate decisions concerning contingency planning.

Follow-up Meetings
When reviewing the data from the survey(s) and/or face-to-face interviews, create a list of questions for follow-up meetings. Each respondent to the survey should be scheduled for a follow-up meeting. These meetings should not require more than an hour each. Prior to the meeting, send a detailed list of the questions concerning the individual department.

The follow-up meeting provides an opportunity to make sure that all data was captured and analyzed correctly. If there are gaps or questions, usually a follow-up meeting can obtain the needed information (to close the gap) or provide more detailed data.


Report the Results
Once the survey and interviews have been completed, issuing a report to each facility manager is important. The report ensures that the information gathered during the survey and interview process has been interpreted and documented accurately. The report should contain the following information:
- Respondent information
- Overview of the facility's business operations
- Previous disruption history & details
- Risks & Vulnerabilities
  o Natural Risks
  o Man-Made Risks
  o Environmental Risks
  o Facilities Risks
- Preventive measures that are in place
- Overall risk rating for each facility

If only one facility was surveyed and interviewed, an individual facility report probably will not be necessary. The Executive Risk Assessment Report will work for just one facility.

Chapter 6: Phase Four (Final Report and Presentation)
Begin the final report with an executive overview of the risk assessment project. The overview will explain the objectives of the project and the scope and approach used. At the end, provide a summary review of the existing potential hazards.

Creation of Executive Report
The data gathered during the risk assessment will form the foundation for the final report. The purpose is to provide executive management with enough information to make them comfortable in endorsing the recommended strategies, actions and budgets, or in accepting the level of risk by not implementing recovery strategies. The report should include graphs, which visually demonstrate the findings. However, do not overuse graphs. Too many graphs can make the report confusing. Provide graphs for overall information on the departments, financial impact, etc.

Previous Disruption History
Provide details about the previous disruptions that have been experienced by each facility. This is information that was obtained during the survey and interview process. Provide a high-level overview of the disruption, the date (if possible) and a few details about the disruption.

Risks and Vulnerabilities
Document the facility rankings for each risk or threat and the vulnerabilities that were identified in the survey. Document the ranking for each type of risk. Stress the importance of implementing mitigating measures for those risks that are in the high or extremely high category.

Preventative Measures
Provide information about the preventative measures that are currently in place at the facility. These measures reduce the amount of vulnerability or potential impact from associated risks or threats.

Presenting the Results
A presentation to executive management should be held to discuss the findings of the risk assessment. If a Business Impact Analysis was performed, it is desirable to hold the presentation for the findings together. Generally, executive management is not interested in every specific detail about the Risk Assessment process or the entire survey results, so keep the information high level.


Next Steps
Now that executive management has been presented the results of the Risk Assessment (and BIA if applicable), decisions around the following need to be made:
- Mitigate potential hazards and risks (found in the Risk Assessment)
- Select recovery strategies to minimize the potential loss that could result from a business interruption

Recovery strategies are the strategies selected to mitigate the potential impacts resulting from a disruption to business operations. Once a recovery strategy is selected, business units can start documenting recovery plans, implementing recovery procedures, and educating employees on what to do during a disaster or emergency.

Chapter 7: Conclusion
The Risk Assessment process is an essential phase of Contingency Planning. The possibility of a disaster impacting a business is unpredictable. The business should implement a comprehensive Contingency Planning Program and develop recovery plans that encompass all critical operations and functions of the business.

Keys for Success
To make the Risk Assessment process a success, executive management commitment, effective data gathering tools, availability of key resources, and access to critical data are required.

Executive Management Support
If a lack of executive management commitment exists, it will be tough scheduling interviews and obtaining the required information in an efficient manner. Before kickoff of the risk assessment, get executive management's buy-in. Put together a presentation showing the benefits of the risk assessment and, ultimately, the contingency planning program. By selling the benefits of the risk assessment and getting management on board, the risk assessment process will flow more efficiently.

Effective Data Gathering Tools
Using effective data gathering tools (surveys, checklists, etc.) is critical to the process. If surveys contain questions that are irrelevant or unrealistic, key personnel may become disengaged or lose patience. This can lead to an abrupt end to the process.

Key Resources
All facilities owned or occupied by the business must be represented in the interview process, not just headquarters or the main facility. In addition, ensure interviews are done with the appropriate staff. Each facility should be represented by a senior member who has the best understanding of what each facility does, its exposures, and its vulnerabilities. This senior member can include other staff members as part of the process, but he or she must be in attendance.

Critical Data
Gathering critical data is crucial to the risk assessment process. If standard operating procedures currently exist, review them first. This will help save time and provide a basic understanding of daily business operations. Most importantly, stress that the information being gathered is only for the sake of the contingency planning effort, nothing else.
Executive Report
Once all the data is gathered and analyzed, compile an executive management report. This report must be reviewed with the executive management team, CEO or highest executive(s) available. Based on the comments of the executive staff, the findings should be modified.
