Risk Assessment in a project is the most difficult phase of all to carry out.

From the definition we gave elsewhere, a risk is a combination of uncertainty and constraint. Constraints are usually difficult to remove, though they are important to understand. For instance, a constraint that the project must be finished in time to reflect a new piece of legislation is easy to understand. Manpower constraints are often more uncertain, such as the availability of skilled staff at the critical phase of the project. But, you say, you are just defining a constraint as an uncertainty.
One important step in assessing your project ideas is risk analysis or risk assessment, and the best thing to do about it is when you comply with the law. This helps you focus on the risks and what matters in your workplace, especially the ones that can potentially cause harm to your project proposal. We propose a project and analyzed it with a projection to earn profit, but the question is how if the project we propose in the future delivers only losses instead of profit that we expect? So risk analysis will answer this critical question. We all know that risk cannot be avoided but it can be decrease the occurrence by applying risk analysis. Although the law does not expect business owners to totally eliminate all the risks, it pushes them to protect people from accidents as much as possible. There are various methods that work well with risk management systems, particularly for more complex risks and circumstances. A risk assessment is a careful examination of what can possibly cause harm. It makes the owner of the project aware whether or not he has taken enough precautions and what to do to prevent accidents like losses.

How to assess the risks in your workplace

Follow the five steps in our leaflet: Five steps to risk assessment 1. Identify the hazards 2. Decide who might be harmed and how 3. Evaluate the risks and decide on precaution 4. Record your findings and implement them 5. Review your assessment and update if necessary Dont overcomplicate the process. In many organisations, the risks are well known and the necessary control measures are easy to apply. You probably already know whether, for example, you have employees who move heavy loads and so could harm their backs, or where people are most likely to slip or trip. If so, check that you have taken reasonable precautions to avoid injury. If you run a small organisation and you are confident you understand whats involved, you can do the assessment yourself. You dont have to be a health and safety expert. Download the Risk Assessment and Policy Template. This template brings together your risk assessment, health and safety policy, and record of health and safety arrangements into one document .

to help you get started and save time. If you already have a health and safety policy, you may choose to simply complete the risk assessment part of the template. We also have a number of example risk assessments to show you what a risk assessment might look like. Choose the example closest to your own business and use it as a guide for completing the template, adapting it to meet the needs of your own business. If you work in a larger organisation, you could ask a health and safety adviser to help you. If you are not confident, get help from someone who is competent. In all cases, you should make sure that you involve your staff or their representatives in the process. They will have useful information about how the work is done that will make your assessment of the risk more thorough and effective. But remember, you are responsible for seeing that the assessment is carried out properly. When thinking about your risk assessment, remember:

a hazard is anything that may cause harm, such as chemicals, electricity, working from ladders, an open drawer, etc; and the risk is the chance, high or low, that somebody could be harmed by these and other hazards, together with an indication of how serious the harm could be.

Risk assessment is the process by which businesses and organizations focus on critical areas of concern and prioritize their use of resources in order to maximize response and recovery efforts. In making strategic decisions, business and government leaders routinely try to predict the benefits and/or harm that might be caused by implementing or failing to implement those decisions. The Risk Assessment Matrix (RAM) can be viewed as a logical extension of that process. Through this process, companies and agencies: Identify their most important (critical) processes and functions; Identify threats most likely to impact those processes and functions; Determine the vulnerability of critical functions and processes to those threats; and Prioritize deployment of personnel and resources in order to maintain continuous operation of critical functions and processes.

An accurate risk assessment can reveal operations that are subject to a single point of failure. Implementation of effective prevention measures will eliminate some threats and significantly reduce the impact of others. It has been reported that, for every $1.00 spent on prevention, there is a potential savings of $7.00. Information collected using the RAM model will enable a business or agency to identify:

Functions and processes critical to maintaining continuous operation; Threats most likely to disrupt those identified, critical functions and processes; Personnel and expertise required to handle critical incidents that impact the continuity of business and/or agency operations.

Areas to be considered include:

Company/agency products and services and the facilities and equipment needed to produce them; Products and services provided by suppliers, especially sole source vendors; and Lifeline services such as electrical power, water, sewer, gas, telecommunications, and transportation.

Some of the data collected during the RAM process should be shared between public and private entities in order to facilitate effective public and private response. Ineffective response results in unintended impacts such as:

Loss of business and tax revenue; Loss of customer and citizen confidence; Exposure to litigation; Bankruptcy; and Damage to business and community reputation/image.

Risk Assessment Matrix: A Flexible Tool

The RAM format is intended for use by private and public organizations of varying sizes and configurations. It is a concise, user-friendly tool for gathering information to prioritize assets, identify mitigation needs and develop preparedness, response, and recovery plans.

The six (6) steps in the RAM process are:

1. 2. 3. 4. 5. 6. Identify business functions and processes. Rank functions and processes according to criticality. Determine recovery time required to sustain critical functions and processes. Identify threats that impact each critical business function and process. Determine the vulnerability of each critical business function and process. Confirm that appropriate personnel, plans, and resources are in place to respond. If gaps exist, identify relevant solution areas1 to address shortcomings.

The manner in which the RAM is completed will vary according to circumstances. A small business or agency may assign one individual to complete the process for the entire organization. A large, multi-divisional organization (shipping, human resources, operations/manufacturing, etc.) may wish to task an individual in each division or unit with assessing that part of the operations. Data collected is then used to establish critical incident response priorities.

Preliminary Information

Before focusing on specific functions, it is important to make sure that everyone in the organization sees the big picture. Those responsible for specific areas need to have a clear understanding of how their areas contribute to the bottom line of the organization. Corporations and agencies with a well-defined vision, mission statement and strategic plan are ready to initiate the RAM process. Other groups may need to spend some time in this area.

Following are the six (6) steps of the RAM model. Within the steps are values or explanations. Use the RAM worksheet to capture pertinent information2.

Step One: Identify Functions and Processes

1 2

Planning, Organization, Facilities, Equipment, Training and Exercising. Detailed instructions are printed on the back side of each RAM form. A copy of the RAM is attached to this document.

List the separate functions and processes required to create a product or provide a service. Typical business functions/procedures include:3

Shipping & Receiving Inventory Service Human Resources Marketing Sales

Communications Production Finance Training Facility Management Information Technology

This list is not all-inclusive. Make adjustments as necessary.

Step Two: Determine Criticality

Of the business processes listed in Step #1, which are the most critical to the continual operation of the business or agency? In determining criticality, consider the following: Does this business function affect the safety of employees or the general public? How important is this business function to the mission of the agency/business? How important is this function to the continuity of business operations? How would a loss or disruption affect the bottom line?

The following definitions may be used as a general guide and should be modified to meet the requirements of each specific process or function: Critical necessary and/or vital. May pose a life-safety risk to employees and/or general public. Essential important but not critical. Disruption would cause difficulties. Non-Essential disruption is merely inconvenient. Step Three: Determine Recovery Time

Determine the recovery time for each critical business function listed in Step #2. In determining recovery time, consider the following:
Time from loss or disruption of process to the point when continued disruption or loss is detrimental to the mission of the business; Special circumstances that may delay or prevent recovery actions, i.e., designation of an area as a crime scene or contamination by a dangerous chemical; Impact on public confidence if response is perceived to be too slow.

In determining recovery time the following guide may be considered:4 Immediate 0 to 24 hours; Delayed 24 hours to 7 days; Deferred beyond 7 days.

Step Four: Identify Threats

Identify threats that may halt or disrupt each of the critical business functions identified in Step #3. This will likely require input from public agencies (law enforcement, fire services, emergency medical services, public works, local emergency management officials, etc.). Consider those threats that have

Each business must determine their appropriate recovery criteria.

occurred and those that may be likely to occur. Multiple threats may impact a single function or multiple functions. In identifying threats consider:
Natural disasters (tornados, floods, severe weather); Human-caused events (workplace violence, terrorist attack, sabotage, critical information theft); Facility-related emergencies (hazardous materials, loss of utilities, proximity to other threats); Asset protection incidents (inadequate systems, untrained personnel); Information systems difficulties (lack of backup); Employee-related problems (training, attitude, misconduct/grievances); Other events and incidents (nearby threats, political activities).

When assessing the various threats it is important to consider:

1) What can occur; 2) The damage it is likely to cause. Step Five: Determine Vulnerability

Determine which of the threats identified above have the greatest likelihood of disrupting or attacking each critical business function. When assessing how vulnerable a process or function is to the various threats, it is important to consider: 1) How likely it is that a threat will occur; 2) How often a threat is likely to occur.

The following descriptions are suggested as a guide: Highly Vulnerable business functions that are most likely to experience threat. Vulnerable may experience the threat or threat. Not Vulnerable not likely to experience the threat or threat.

Step Six: Select Action Plans

Determine if there are appropriate plans5 and resources to address the threats that are most disruptive to the critical business functions. It is imperative that these plans and capabilities are current and adequate6. If gaps or shortcomings are discovered, determine: What do I have and what do I need? Solution areas include: o Planning. o Organization. o Facilities o Equipment. o Training. o Exercising. Can the issues be addressed using available company personnel and resources or will outside personnel and/or resources be required of other businesses and/or public organizations?

5 6

This includes both private, business plans and public, emergency operations plans. Plans and resources must be tested regularly by conducting tabletop, functional and full-scale exercises.

If solutions require coordination with public agencies, do the businesses and public agencies involved need to develop or enhance a public-private partnership?

Risk Assessment Matrix Form

A copy of the Risk Assessment Matrix Form is attached. There are further instructions for completing the RAM on the back side of the document.
Summary

The above process should result in a determination of 1) what is critical to the continual operation of the business or agency, 2) what is most likely to disrupt those critical business functions, and 3) if there are current and adequate response plans in place. The process involves determining priorities and allocating resources to assure continuity of critical operations.

Business: Telephone:

Address:

1 Function or Process

2 Crit.

3 Rec.

4 Threat

5 Vul.

6 Action Plan

Priority

Form Completed By:

Date:

INSTRUCTIONS FOR COMPLETING THE RAM PRIORITY LISTING FORM (See illustration at bottom of form.) 1. List all business functions and processes on a sheet of paper. 2. Determine criticality and list the top 1-3 function(s) on the RAM form. 3. Determine recovery time for each function. 5. Determine vulnerability. Establish priority ranking for follow-up actions. 6. Develop action plan to prioritize personnel response & resource use.

4. Identify threats that impact critical functions.

Functions and processes:

Communications Customer Service Facility Management Finance Human Resources Information Technology Inventory Marketing Production Sales Shipping/Receiving Training

Recovery Time:
4

Threats (continued):
Hazardous Materials Incident Hurricane Loss of Key Supplier or Customer Severe Winter Storm Technological Emergency Terrorist Attack Tornado

I: Immediate 0 24 hrs Del: Delayed 24 hrs to 7 days Def: Deferred Over 7 days Threats (Natural/Human-Caused):
Civil disturbance Communications Failure Earthquake Explosion Fire Flood and Flash flood

Vulnerability:

Criticality:

H: Highly Vulnerable Business function is highly susceptible to the threat. V: Vulnerable Business function is somewhat susceptible to the threat. NV: Not vulnerable Business function is not likely to be affected by the threat.

C: Critical Necessary. Life safety risk. E: Essential Important, but not immediately critical. Critical over time. NE: Non-essential Merely inconvenient.

Action Plan:

Planning. Review and update: Plant Closing Policy Evacuation Plan Fire Protection Plan Mutual Aid Agreements Hazardous Materials Response Plan Vital Records Protection Plan Security Procedures Insurance Programs Employee Manuals Organization. Review need for: Emergency Response Team Emergency Medical Services Security

Organization (continued): Emergency Management Group Evacuation Team Public Information Officer Facilities. Determine the need for: Emergency Operating Center Media Briefing Area Shelter Areas First-Aid Stations Sanitation Facilities. Equipment. Determine the need for: Fire Protection/Suppression Equipment Communications Equipment First Aid Supplies Emergency Supplies Warning Systems Emergency Power Equipment Decontamination Equipment Training. Determine need for: Sessions To Review Procedures Technical Training For Ert Exercising. Conduct Regular Exercises: Tabletop, Functional, and/or Full-Scale Natural & Human-Caused Scenarios For more planning guidance, see Emergency Management Guide for Business and Industry @ http://www.fema.gov/pdf/library/ bizindst.pdf published by the Red Cross.

RAM Illustration
Business: Telephone: Sample Illustration Sample Illustration Address: Sample Illustration Sample Illustration

1 Function or Process

2 Crit.

3 Rec.

4 Threat

5 Vul.

6 Action Plan

Priority

Shipping & Receiving Shipping & Receiving Inventory

C C C

I I I

Equipment failure Fire Sole-Source Supplier

H H H

Lease agreement Sprinklers; fire inspection; fire response Agreement with alternate supplier

1 1 1