
XYZ SITE / PROJECT Risk Register

Reference - Issue No.:
and/or Issue Date:
Future Review date:

Columns of the register:

Identified Risks
  Risk Statement (e.g. description of each specific risk scenario with regard to people, information, physical assets, finances, reputation, and any other "things you value")

Analysis & Evaluation
  Likelihood (A, B, C, D or E - see Sheet 1)
  Consequence (1, 2, 3, 4 or 5 - see Sheet 1)
  Risk level (L, M, H or VH - see Sheet 1)

Existing controls described & evaluated
  What we are doing now to manage this risk.
  Effectiveness of our strategies:
    N = Not generally applied, or only applied in isolated situations, for example in less than 20% of cases
    P = Partially applied, not usually documented, or applied in less than 50% of cases
    L = Largely applied, formally documented and largely repeatable, or applied in up to 85% of cases
    F = Fully applied, formally documented and fully repeatable, or applied in more than 85% of cases

Further Actions
  Revised Risk level (L, M, H or VH - see Sheet 1)
  Accept Risk (Yes or No)
  Further Action Needed & Opportunities for improvement - include milestone(s) & target date(s)
  Assigned To

Record by rows and cells as necessary.


Page 1 of 14

Risk Assessment
Determining the Level of Risk
This worksheet can be used to identify the level of risk and to help prioritize any interventions or control measures. Step 1. Determine your risk appetite: establish your areas of consideration ("things you value") and your acceptability thresholds. Consider the consequences and likelihood of each identified risk and use the matrix* below to establish a risk level. NB: This workbook will record the quality of your planning process - it will not ensure it.

Consequence Criteria
The "area of consideration" example used below is injury to people. You should copy this template and adjust these criteria for each "thing you value".

1 Insignificant: Dealt with by in-house first aid, etc.
2 Minor: Medical help needed. Treatment by medical professional/hospital outpatient, etc.
3 Moderate: Significant non-permanent injury (eg loss of finger/s). Overnight hospitalisation (inpatient).
4 Major: Extensive permanent injury (eg blindness, loss of hand/s, quadriplegia). Extended hospitalisation.
5 Catastrophic: Death. Permanent disabling injury.

Likelihood Criteria
A Almost certain to occur in most circumstances
B Likely to occur frequently
C Possible and likely to occur at some time
D Unlikely to occur but could happen
E May occur but only in rare and exceptional circumstances

Risk Level Matrix* (likelihood down the side, consequence across the top)

                      Consequence
Likelihood            1    2    3    4    5
A  Almost certain     M    H    H    VH   VH
B  Likely             M    M    H    H    VH
C  Possible           L    M    H    H    H
D  Unlikely           L    L    M    M    H
E  Rare               L    L    M    M    H

L = Low (L), M = Medium (M), H = High (H), VH = Very High (VH)

Matrix* from page 55 of HB 436:2004 issued by Standards Australia to support the Australia / New Zealand Standard for Risk Management (AS/NZS 4360)


Vulnerability Assessment Workbook

N.B. This document is a sample Vulnerability Assessment Tool. It is not a substitute for a comprehensive emergency preparedness program. Individuals or entities using this tool are solely responsible for any hazard assessment and compliance with applicable laws and regulations.

Instructions
Print this sheet (two pages) and use it when completing sheets 2, 3 & 4. Evaluate the potential for each event, and the response to it, in the following categories using the hazard-specific scales in sheets 2c & 2d of this Workbook. Assume each event/incident occurs at the worst possible time. Sheet 2b informs Business Impact considerations. Please note the specific score criteria on each worksheet to ensure accurate recording.

Issues to consider for chance of occurrence include, but are not limited to:
1. Known risk
2. Historical data
3. Manufacturer/vendor statistics

Issues to consider for response include, but are not limited to:
1. Time to marshal an on-scene response
2. Scope of response capability
3. Historical evaluation of response success

Issues to consider for human impact include, but are not limited to:
1. Potential for staff death or injury
2. Potential for public death or injury

Issues to consider for property impact include, but are not limited to:
1. Cost to replace
2. Cost to set up temporary replacement
3. Cost to repair
4. Time to recover

Issues to consider for business impact include, but are not limited to:
1. Business interruption
2. Employees unable to report to work
3. Customers unable to reach facility
4. Company in violation of contractual agreements
5. Imposition of fines and penalties or legal costs
6. Interruption of critical supplies
7. Interruption of product distribution
8. Reputation and public image
9. Financial impact/burden

Issues to consider for preparedness include, but are not limited to:
1. Status of current plans
2. Frequency of drills
3. Training status
4. Insurance
5. Availability of alternate sources for critical supplies/services

Issues to consider for internal resources include, but are not limited to:
1. Types of supplies on hand - will they meet the need?
2. Volume of supplies on hand - will they meet the need?
3. Staff availability
4. Coordination & communication capability
5. Availability of back-up systems
6. Internal resources' ability to withstand disasters/survivability

Issues to consider for external resources include, but are not limited to:
1. Types of agreements with community agencies/drills
2. Coordination with local and state agencies
3. Coordination with proximal health care facilities
4. Coordination with treatment-specific facilities
5. Community resources

Complete worksheets for all Hazards. The summary section will automatically provide your specific and overall risk profile.

Notes developed from work by Kaiser Permanente.

Questionnaire: Mapping Business Impact Vulnerability


This form captures a summary of the organisation's key functions, the things which rely on those functions and the things upon which those functions rely. The information will provide input to our enterprise wide Business Impact Assessment (BIA) considerations.

Completed by:
Title:
Phone:
Date Received:
Reviewed by:
Date Reviewed:

1) Business Unit:

2) Business Function:

3) Mission Critical Business Processes:


A business process is a set of tasks that contribute to the operation of your business function. Please list the primary and most critical processes that are performed by your business function (rows 1 to 6).

4) Business Function Dependencies:

List the areas, business units, or customers, in priority order, that your critical processes support. Indicate if they are Internal or External to the organisation. Indicate if the customer dependency is outside the Region or Country.
Rows 1 to 6, with columns: Dependency | I or E | Internat'l (Y or N)

5) Operational Detail:
Hours of Operation:
Peaks (Annually / Quarterly / Monthly / Weekly / Daily / Request):
Describe Peak Periods:
Total Number of Personnel Supporting this Function:
Number of People Needed for Critical Business Processes:


6) Business Function Information:


In the event your business function experiences an interruption (e.g. work area, phones, systems and software applications become suddenly unavailable), what manual processes or 'work around' procedures could be performed, if any, until systems are restored? (rows 1 to 4)

How long could you operate in a manual mode before systems become available? (Consider the amount of backlogged and missing data.)
Are there written procedures for operating in a manual mode?
When were the procedures for operating in a manual mode last updated?
What additional resources are needed to perform your mission critical business processes manually? (i.e. additional staff, forms, phone, manual accounting, log sheets, etc.)
In the event of a disruption, there would be some "lost data or transactions". Describe the data loss for this function.
Could lost data or "work in progress" transactions be recovered? How will lost data be recovered?
Are there written procedures for recovering lost data?
When were the procedures for recovering lost data last updated?
If lost data could not be recovered, what is the potential impact to your business function and on the entire company?
Are there data integrity or specific balancing procedures to verify the integrity of the restored and/or reconstructed data?
Do you store critical data or information on your desktop or laptop? How is this critical data backed up? How often is the backup sent offsite?
Do you rely on data (information) that is not electronic? Specify the data and the type of media (i.e. contracts, forms, personnel records, etc.). Is the non-electronic data backed up (copied) and stored offsite?
Are documented procedures for business function processes, recovery of lost data and balancing stored offsite?
Do you rely on specialised or unique equipment to perform your critical processes? If yes, list the equipment.
Summarise exposures and risks that management should be aware of in the event of a disruption:


7) Process Flow Information:


Consider the inputs and outputs while documenting this section. What business departments or third-party resources do you rely on, and which ones rely on you, to complete this function?

1 Who do you rely on for input?
Columns: List the type of data and where it comes from (i.e. Sales invoices from Sales, internal, fax & mail) | Specify (IT, Internal dept, or External/3rd Party Name) | How is data received? (fax, phone, electronic) | Internat'l (Y or N)

2 Who relies on you for output?
Columns: List the type of data and where you are sending it to (e.g. Sales Revenue to Banks) | Specify (IT, Internal dept, or External/3rd Party Name) | How is data received? (fax, phone, electronic) | Internat'l (Y or N)

What operations do outside resources perform to assist this function (e.g. do you outsource cheque printing, report distribution, nightly processing, batch processing, master CD production, etc.)?
How often? (i.e. hourly, daily, monthly, etc.)

5 Legal, Regulatory, Contractual, Compliance
Identify and explain any specific legal, regulatory, contractual, and compliance issues or consequences (e.g. government agency obligations, customer contracts, Service Level Agreements, etc.):

8) Timeframe for Recovery

A Maximum Tolerable Outage (MTO) is defined as the maximum elapsed time an application or process can sustain an interruption, from the time a crisis is identified to the restoration of service. A Recovery Point Objective (RPO) is defined as the maximum data loss this application or process can sustain and still be satisfactory (for the corporate business RPO goals). In your opinion, what is the MTO for this business function? Please insert the MTO in one box below.
MTO: < 1 Day | < 2 Days | < 5 Days | < 10 Days | 30 Days +
Do you rely on computers only?
Do you rely on computers and telephone?


Risk Identification & Assessment Tool

Notes: This tool profiles your vulnerability to various sources of risk (hazards, or extreme events). Using a scale of 1 to 5, likelihood of occurrence and impact potential are weighed against capability. The result is a calculation of risk. The highest score possible is 5.0. The lower the total score, the lower the overall risk (from the hazard).

Instructions: Please add or delete Hazards in the Risk Source column (B) to suit your particular context and location. (The default list is developed from NFPA 1600 - Standard for Disaster/Emergency Management and Business Continuity Programs.) Score each cell for each relevant hazard on a scale of 0 to 5, with 5 being the highest. The more you have investigated and thought about the impact and capability elements, the more accurate your assessment will be. Impact: based on the worst-case scenario - the impact on people, property, infrastructure & business should the worst-case event occur. After entering the attributed scores, sort the Total column in descending order to profile your vulnerability.

Location; Facility; or Entity: (e.g. Our Building; or Our Company Pty Ltd; our Area)

Columns: Risk Source (Hazard) | Chance of Occurrence | Speed of Onset | Duration of Impact | Impact on Property | Impact on People | Pre-Impact Planning | Awareness Level | Resources Capability | Total

Natural Events
Avalanche
Biological
Drought
Dust/Sand Storm
Earthquake
Extreme Heat/Cold
Fire (forest, range, urban)
Flood/Wind driven water
Hurricane
Landslide
Lightning Storm
Snow/Ice/Hail
Tornado
Tsunami
Volcanic Eruption
Windstorm/Tropical Storm

Technological/Industrial Events
Building/Structure Collapse
Business Interruption
Dam/Levee Failure
Explosions/Fire
Extreme Air Pollution
Financial Collapse
Fuel/Resource Shortages
Hazardous Material Releases
Power/Utility Failure
Radiological Accidents
Transportation Accidents

Civil/Political Events
Civil Unrest
Eco-Terrorism
Economic
Enemy Attack
General Strike
Hostage Situation(s)
Sabotage
Terrorism

KEY: High Risk: Greater than 3.5; Medium Risk: 2.0 to 3.5; Low Risk: Less than 2
Analysis of Results: You should consider strengthening your preparedness capability. If your snapshot indicates a level of concern regarding vulnerability, you may want to consider capacity building processes.

2d. Vulnerability (Terrorism)

Facility "Inherent" Vulnerability Assessment Matrix (Terrorism)

Notes: Developed from FEMA Terrorism Planning Courses, this tool profiles indicators of the inherent vulnerability to terrorism of an asset, derived from the nature of that asset. Suitable for contexts from plant to gathering places. Uses a scale of 1 to 5.

Instructions: In the table below row 14, attribute a score of 0 to 5 against each CRITERIA for each ASSET under consideration in column K.

Asset Visibility is about how aware the general public is of the existence of the facility, site, system, or location.
Target Utility is about how valuable the place might be in meeting the range of objectives of a potential terrorist or saboteur - the modern era has seen the focus expand beyond politically iconic targets to pick up "soft" / cage rattling targets.
Asset Accessibility is about how accessible the place is to the public and service providers (builders, cleaners, food vendors, waste managers, etc.).
Asset Mobility is about whether the asset's location is fixed or mobile. If mobile, how often is it moved, relocated, or repositioned?
Presence of Hazardous Materials is about whether flammable, explosive, biological, chemical, and/or radiological materials are present on site.
Collateral Damage Potential is about the potential consequences for the surrounding area if the asset is attacked or damaged. This should include the domino effect on lifelines - e.g. a dam failure may knock out utility infrastructure to a city / region.
Site Population is about the potential for mass casualties, based on the maximum number of individuals on site at a given time.

Location; Facility; or Entity: ######### WORKED EXAMPLE ONLY

Score descriptors for each CRITERIA (score 0-1 | score 2-3 | score 4-5):
Target Visibility: not well known | locally known | widely known
Target Utility: none / very low / low | medium / high | very high
Asset Accessibility: remote, secure perimeter, armed guards | - | open access, e.g. "drive up" parking
Asset Mobility: moves frequently | - | fixed in place
Presence of Hazardous Materials: limited quantities, secure location | large quantities, some controls | open access
Collateral Damage Potential: no risk | moderate risk in 1 km radius | high risk beyond 1 km radius, or domino
Site Population: 0 | 500 - 1000 | > 5000

Worked example scores (column K):
Target Visibility 4.0
Target Utility 4.5
Asset Accessibility 4.5
Asset Mobility 5.0
Presence of Hazardous Materials 0.0
Collateral Damage Potential 4.0
Site Population 3.0
TOTAL 25.0

KEY for each CRITERIA: High Risk: Greater than 3.5; Medium Risk: 2.0 to 3.5; Low Risk: Less than 2
KEY for the TOTAL for each ASSET: High Risk: Greater than 24.5; Medium Risk: 14.0 to 24.5; Low Risk: Less than 14

Analysis of Results: If vulnerability is high, you may want to consider strengthening preparedness capability. emergencyriskmanagement.com is at your service with planning guidelines and consultancy services.

emergencyriskmanagement.com TM

Considerations regarding how to use the Risk Rating to prioritise and implement action plans.
Once the level of risk has been determined the following table may be of use in determining when to act to intervene and institute the control measures.

RISK LEVEL: Very High

Act immediately to mitigate the risk. Either eliminate, substitute or implement engineering control measures. Remove the hazard at the source. An identified very high risk does not allow scope for the use of administrative controls, even in the short term. An achievable timeframe must be established to ensure that elimination, substitution or engineering controls are implemented. NOTE: Risk (and not cost) must be the primary consideration in determining the timeframe.

RISK LEVEL: High

Take reasonable steps to mitigate the risk. Until elimination, substitution or engineering controls can be implemented, institute administrative or personal protective equipment controls. If these controls are not immediately accessible, set a timeframe for their implementation and establish interim risk reduction strategies for the period of the set timeframe. These lower level controls must not be considered permanent solutions.

RISK LEVEL: Medium

Interim measures until permanent solutions can be implemented: develop administrative controls to limit the use or access; provide supervision and specific training related to the issue of concern. (See Administrative Controls below.)

RISK LEVEL: Low

Take reasonable steps to mitigate and monitor the risk. Institute permanent controls in the long term. Permanent controls may be administrative in nature if the hazard has low frequency, rare likelihood and insignificant consequence.

Hierarchy of Control

Interventions identified may be a mixture of the hierarchy in order to provide as low as reasonably practicable exposure.

Elimination: Eliminate the hazard.
Substitution: Provide an alternative that is capable of performing the same task and is safer to use.
Engineering Controls: Provide or construct a physical barrier or guard.
Administrative Controls: Develop policies, procedures, practices and guidelines, in consultation with employees, to mitigate the risk. Provide training, instruction and supervision about the hazard.
Personal Protective Equipment: Personal equipment designed to protect the individual from the hazard.

The "Hierarchy of Control" can be useful, as can other heuristic devices such as "Prevention, Preparedness, Response & Recovery" or "Engineering, Education, Encouragement, & Enforcement". As a general approach, a "mix of interventions" usually provides the best result.
