November 2007 Archives

How Risk Assessments Are Used In Business Continuity


A Risk Assessment is a survey that assists in analyzing potential threats, determining the impact of those threats, and identifying the controls already in place to minimize that impact.

When we work with some of the departments/campuses at the University on the risk assessment survey for their area, it's hard for them to see the real benefit of this assessment.  This tool can be used for multiple purposes.  The Risk Assessment:
  • provides insight into which threats are most probable and will have the largest impact in areas such as employees, facilities and operations of critical services.
  • presents a "gap analysis" of which mitigation controls exist vs. where mitigation controls are lacking.
  • assists in defining which of these threats should be used in table top exercise scenarios for recovery plans.

By using information provided by our insurance company, departments and campuses at Penn State are able to determine the impact based on the probability and severity of both environmental and man-made threats.

Environmental threats are those produced by a force of nature, such as floods, ice storms, earthquakes, etc.  Man-made threats are self-explanatory; examples are fire in buildings, civil unrest, chemical spills, etc.

After the impact of each threat is determined and identification of mitigation controls is complete, the most challenging piece is how to use this information in business continuity planning.  Management needs to determine how they will handle each of the threats. Management should use the information gathered to:
    1. List the threats in order of greatest probability and impact.
    2. Determine what the risks would be if they chose to do nothing to mitigate or lessen the threat or its impact.
    3. Determine how to deal with the threat:
      • Mitigation - implement a procedure or infrastructure that lessens the probability or impact of a threat
      • Avoidance - stop performing an activity or operation that carries the threat
      • Acceptance - accept the risk and do nothing to mitigate the threat or lessen the impact
      • Transference - transfer the risk to another group
    4. Perform a cost benefit analysis to ensure the decision makes sense from a business standpoint.
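The four steps above, worked through as an added example (not code from the original post): a small Python risk register that ranks constructed threats by probability times impact (step 1), prices the "do nothing" case (step 2), compares the four treatment options (step 3) and applies the cost benefit check (step 4). It also flags threats with no recorded mitigation control, which is the gap analysis mentioned earlier. Every threat, probability, dollar figure and control cost below is an assumption invented for illustration, not data from Penn State or its insurer.

```python
"""Risk register worked example: rank threats, price treatment options, cost-benefit check.

All figures are constructed for illustration; probabilities are annual likelihoods (0..1)
and impacts are estimated loss per occurrence in dollars.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    category: str                     # "environmental" or "man-made"
    probability: float                # annual likelihood of the threat occurring
    impact: float                     # estimated loss if it occurs
    controls: list[str] = field(default_factory=list)   # mitigation controls already in place

    def expected_annual_loss(self) -> float:
        """Step 2: the annual risk if management chooses to do nothing."""
        return self.probability * self.impact


def rank_threats(threats: list[Threat]) -> list[Threat]:
    """Step 1: order threats by probability x impact, largest first."""
    return sorted(threats, key=lambda t: t.expected_annual_loss(), reverse=True)


def control_gaps(threats: list[Threat]) -> list[str]:
    """Gap analysis: threats for which no mitigation control is recorded."""
    return [t.name for t in threats if not t.controls]


def annual_cost_under(threat: Threat, option: str, **params: float) -> float:
    """Step 3: expected annual cost of a threat under one treatment option.

    mitigation  : pay annual_cost for a control; residual risk uses new_probability / new_impact
    avoidance   : stop the activity; the cost is the value of the activity given up
    acceptance  : do nothing; the full expected annual loss is retained
    transference: e.g. insurance; pay the premium and retain any deductible share (retained_loss)
    """
    if option == "acceptance":
        return threat.expected_annual_loss()
    if option == "avoidance":
        return params["lost_activity_value"]
    if option == "transference":
        return params["premium"] + threat.probability * params.get("retained_loss", 0.0)
    if option == "mitigation":
        p = params.get("new_probability", threat.probability)
        i = params.get("new_impact", threat.impact)
        return params["annual_cost"] + p * i
    raise ValueError(f"unknown treatment option: {option}")


def best_treatment(threat: Threat, options: dict[str, dict[str, float]]) -> tuple[str, float]:
    """Step 4: the option with the lowest total annual cost (control cost + residual risk)."""
    costs = {name: annual_cost_under(threat, name, **params) for name, params in options.items()}
    chosen = min(costs, key=costs.get)
    return chosen, costs[chosen]


def build_register() -> list[Threat]:
    """Constructed sample register (assumed values, for illustration only)."""
    return [
        Threat("Flood", "environmental", 0.05, 500_000),
        Threat("Ice storm", "environmental", 0.30, 50_000, ["backup generator"]),
        Threat("Building fire", "man-made", 0.02, 1_000_000, ["sprinkler system"]),
        Threat("Chemical spill", "man-made", 0.01, 200_000),
    ]


# Assumed treatment options and costs for two of the threats (hypothetical figures).
FLOOD_OPTIONS = {
    "acceptance": {},
    "mitigation": {"annual_cost": 4_000, "new_probability": 0.01},   # flood barriers
    "transference": {"premium": 8_000, "retained_loss": 50_000},      # insurance with deductible
    "avoidance": {"lost_activity_value": 60_000},                     # relocate the operation
}
SPILL_OPTIONS = {
    "acceptance": {},
    "mitigation": {"annual_cost": 5_000, "new_impact": 100_000},      # containment equipment
}


if __name__ == "__main__":
    register = build_register()
    for t in rank_threats(register):
        print(f"{t.name:15} {t.category:13} expected annual loss ${t.expected_annual_loss():>10,.0f}")
    print("no mitigation control recorded:", control_gaps(register))
    flood, spill = register[0], register[3]
    print("Flood:", best_treatment(flood, FLOOD_OPTIONS))
    print("Chemical spill:", best_treatment(spill, SPILL_OPTIONS))
```

With these assumed figures the flood barrier wins for the flood threat (its control cost plus residual risk is below the do-nothing loss), while for the chemical spill the containment control costs more per year than the risk it removes, so acceptance is the rational choice. That second case is the point of step 4: a control is not automatically worth buying just because a threat exists.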

If mitigation controls already exist, they should be analyzed from two standpoints: how well the control in place today minimizes the possibility of the threat or lessens its impact, and whether any new mitigation control could be utilized that would be more efficient or more economical.  If the mitigation control costs money (depending on the amount), a cost benefit analysis should be performed to determine whether implementing the new change is worthwhile.

At Penn State, we encourage departments and campuses to complete the Risk Assessment at the same time as the Business Impact Analysis (BIA).  It is important to identify the critical business functions the University provides using the BIA, and to identify what could cause an outage of those business functions. We use a standard survey for all units going through the business continuity planning process, but the probability of environmental and man-made threats varies based on the location of the participant.

Once the Risk Assessment and BIA are complete, the management team from the department or campus will analyze the results to make recommendations for recovery strategies in Phase 3 of our planning process.
About this Archive

This page is an archive of entries from November 2007 listed from newest to oldest.