The Manager’s Guide to Risk Assessment: Getting it Right
Ebook, 274 pages, 1 hour


About this ebook

Risk assessment is required for just about all business plans or decisions. As a responsible manager, you need to consider threats to your organization’s resilience. But to determine probability and impact – and reduce your risk – can be a daunting task. Guided by Douglas M. Henderson’s The Manager’s Guide to Risk Assessment: Getting It Right, you will confidently follow a clearly explained, step-by-step process to conduct a risk assessment.

As you embark on the risk assessment process, you could not find a better and more uniquely qualified guide than Douglas M. Henderson. His 20+ years of experience with major consulting firms includes certification as a professional actuary and business continuity planner. His actuarial knowledge makes him an expert in applying mathematical and statistical methods to help organizations to assess and manage risks. He has applied this real-world knowledge of risk to helping businesses prepare for emergencies and business interruptions of all types.

Henderson offers samples and checklists, including case studies using a fictional company in which he conducts a complete qualitative risk assessment and then a complete quantitative risk assessment, then arrives at a set of comparable actions. His explanations and sample problems will help you to:

  • Define risk management terms, such as threat, event, and risk control.
  • Identify threats and determine the worst-case situation your organization could face.
  • Collect information on probability for natural and non-natural threats.
  • Understand the difference between qualitative and quantitative risk assessment.
  • Describe probability and impact levels.
  • Identify exposures and examine specific risk controls.
  • Estimate a financial value for implementing a risk control.
  • Determine when outside professional help is needed.

As an added bonus, Henderson explores the topic of risk controls with you, helping you to evaluate which risk controls will best reduce the probability of disruptive events and reduce their impact should they occur. To ensure the best investment of time and money, you will perform a cost-benefit analysis for each possible risk control to make the best choice for your organization.

Language: English
Release date: Mar 21, 2017
ISBN: 9781944480363
Author:

Douglas M. Henderson FSA, CBCP

Douglas M. Henderson, President of Disaster Management, Inc., has 20 years of experience in management with major consulting firms. In August of 1992, Doug was the key associate of the Emergency Response Team for a consulting firm located in South Miami-Dade County. Inspired by his real-life business experience with Hurricane Andrew and concerned about the lack of preparation within the business community, Doug founded Disaster Management, Inc. in 1993. Doug has a Degree in Mathematics from the University of Arizona. His professional credentials include FSA – Fellow, Society of Actuaries and CBCP – Certified Business Continuity Professional. Doug is the author of the book Is Your Business Ready for the Next Disaster? and is the author of the Business Continuity Template for Manufacturing and Distribution, the Template for Comprehensive Business Continuity Management, the Continuity of Operations Plan for Colleges and Universities and several other planning templates. Doug is also the co-author of the college textbook Business Continuity and Risk Management: Essentials of Organizational Resilience.


    The Manager’s Guide to

    Risk Assessment:

    Getting it Right

    A Rothstein Publishing Collection eBook

    Douglas M. Henderson

    FSA, CBCP

    Kristen Noakes-Fry, ABCI, Editor

    EPUB ISBN: 978-1-944480-36-3

    PDF ISBN: 978-1-944480-37-0

    203.740.7400

    info@rothstein.com

    www.rothstein.com

    COPYRIGHT ©2017, Rothstein Associates Inc.

    All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without express, prior permission of the Publisher.

    No responsibility is assumed by the Publisher or Authors for any injury and/or damage to persons or property as a matter of product liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein.

    Local laws, standards, regulations, and building codes should always be consulted first before considering any advice offered in this book.

    Preface

    My primary purpose in this book is to give you an understanding of the practical procedures required to conduct a risk assessment. Your initial goal in a risk assessment is to focus resources to respond to the threats that are most important to your organization. After this is accomplished, you will be able to develop specific procedures to improve organizational resiliency.

    Why? What? How? This book begins by explaining why you should spend the time and energy involved with developing a risk assessment and why a basic understanding of risk management is beneficial to an organization. Next, you will explore what a risk assessment entails and the practical application to an individual organization, and then you will be introduced to two alternative approaches to performing a risk assessment. Finally, you will examine various methods to reduce risk.

    Chapter 1: Overview of Risk Management

    First, you will examine the progression by which ordinary threats become disruptive events to your organization. You will explore risk, risk management, and risk assessment principles and their importance to any well-managed organization.

    Chapter 2: Threat Identification

    After examining threats from multiple perspectives, you will then learn how to determine the most likely specific threats to be analyzed. Essentially, you will be identifying the enemy, which is the first step in dealing with the problem.

    Chapter 3: Determining Probability and Impact for Risk Assessment

    You will see how to determine the probability of an event materializing and its possible impact upon your organization. Once probability and impact are established, you can determine risk. The chapter also introduces two methods of conducting a risk assessment – a qualitative approach and a quantitative approach. Both approaches are based on the same principles and, when used correctly, both approaches will produce accurate results. The quantitative approach will produce results with more precision than the qualitative approach, but will require some additional effort.

    Chapter 4: Qualitative Risk Assessment

    You will learn the basic process to conduct a qualitative risk assessment that classifies risks by using little or no mathematics.

    Chapter 5: Quantitative Risk Assessment

    You will learn the basic process to conduct a quantitative risk assessment that classifies risks by using mathematics.

    Chapter 6: Risk Controls: Improving Organization Resiliency

    Finally, you will see how to identify and implement risk controls to improve organizational resiliency. Once you have reviewed these principles of risk reduction, you will be ready to select and analyze possible risk reduction measures from a comprehensive list of risk controls.

    Appendices

    In the appendices, you will find two sample risk assessments: one qualitative risk assessment and one quantitative risk assessment. Each risk assessment is for a sample fictitious company and will provide you with a working example of how a risk assessment is conducted. Essentially, this allows you to apply the principles that you have learned in this book to a realistic situation. It will be a useful guideline when you decide to conduct a risk assessment for your organization.

    While this book is directed primarily to managers and executives, you will find it useful if you are a business continuity (or organizational resilience) professional or participating in a professional training course. I am confident that when you complete your readings, you will be sufficiently versed to undertake a risk assessment.

    Douglas M. Henderson

    Port St Lucie, Florida

    February 2017

    Table of Contents

    Cover

    Title Page

    Copyright

    Preface

    Chapter 1: Overview of Risk Management

    1.1  What Are Threats, Events, and Disruptive Events – and How Are They Linked?

    1.2  What Are Risk, Risk Assessment, and Risk Analysis?

    1.2.1  Risk

    1.2.2  Risk Assessment

    1.2.3  Risk Analysis

    1.3  The Big Picture

    1.4  Risk Assessment Within BCM

    1.4.1  Three Analysis Components in BCM

    1.5  Risk Treatment Procedures

    1.5.1  Risk Avoidance: Why Not Eliminate Risk Entirely?

    1.5.2  Risk Transfer: The Easy Way Out?

    1.5.2.1  Insurance

    1.5.2.2  Subcontracting

    1.5.3  Risk Reduction

    1.5.3.1  Physical Risk Controls

    1.5.3.2  Procedural Risk Controls

    1.5.3.3  Identify Vulnerabilities

    1.5.4  Risk Acceptance

    1.6  Conducting a Risk Assessment

    1.6.1  Assemble a Team

    1.6.2  Consider a Consultant

    1.6.3  Consider Purchasing Software

    1.6.4  Consultant and Software Summary

    1.6.5  Develop an Action Plan

    1.6.6  Report to Management

    Questions for Thought, Review, and Discussion

    References

    Chapter 2: Threat Identification

    2.1  Identifying Threats

    2.2  Grouping Threats

    2.3  Why Not Cover Just the Most Extreme (Worst Case) Threat?

    2.4  Natural Threats

    2.4.1  Weather Threats

    2.4.2  Seismic

    2.4.3  Other Natural Threats

    2.5  Man-Made Threats

    2.5.1  Internal (Likely Intentional/Security Related)

    2.5.2  Internal (Likely Non-Intentional)

    2.5.3  External (Likely Intentional)

    2.5.4  External (Likely Non-Intentional)

    2.5.5  External (Likely Non-Intentional Medical)

    2.5.6  External (Likely Non-Intentional Transportation)

    2.5.7  External (Likely Non-Intentional Utility)

    2.6  Technology Threats

    2.6.1  Alternate Site

    2.6.2  Communication (External or Internal)

    2.6.3  Data Center

    2.6.4  Information Management

    2.6.5  Information or Cyber Security Management

    2.7  Other Threats

    2.7.1  Internal

    2.7.2  External

    Questions for Thought, Review, and Discussion

    References

    Chapter 3: Determining Probability and Impact for Risk Assessment

    3.1  Risk Determination

    3.2  Determining Probability

    3.2.1  Natural Threats

    3.2.2  Non-Natural Threats

    3.3  Determining Impact

    3.3.1  Disruption of Operations

    3.3.2  How Does a Risk Cause Downtime?

    3.3.3  When Does a Disruption of Operations Cause a High Impact?

    3.3.4  Importance of Risk Controls

    3.3.5  Additional Considerations

    3.3.5.1  Example #1: Ice Storm

    3.3.5.2  Example #2: Hurricane

    3.3.5.3  Example #3: Flood

    3.3.5.4  Example #4: Oil Spill

    3.4  Does the High Probability and High Impact Risk Category Exist?

    3.5  Qualitative and Quantitative Risk Assessment

    3.5.1  Which Approach Is Better?

    Questions for Thought, Review, and Discussion

    References

    Further Reading

    Chapter 4: Qualitative Risk Assessment

    4.1  Qualitative Risk Assessment

    4.2  How to Use a Risk Matrix for EveryChem, a Sample Organization

    4.2.1  Probability for Seven Sample Threats

    4.2.2  Impact for Seven Sample Threats

    4.2.3  Risk Assessment Using 2X2 Risk Matrix

    4.2.4  Recommended Management Action from Risk Assessment

    4.3  Limitations of the 2X2 Risk Matrix

    4.4  A Second Approach: Using a 3X3 Risk Matrix

    4.4.1  Moderate Probability and Impact

    4.5  An Example 3X3 Risk Matrix for EveryChem, the Sample Company

    4.5.1  Expanded Probability for Seven Sample Threats

    4.5.2  Expanded Impact for Seven Sample Threats

    4.5.3  Risk Assessment Using 3X3 Risk Matrix

    4.5.4  Recommended Management Action from Expanded Risk Assessment

    4.5.5  Advantages of 3X3 Risk Matrix

    4.6  Can the 3X3 Risk Matrix Be Expanded?

    Questions for Thought, Review, and Discussion

    References

    Chapter 5: Quantitative Risk Assessment

    5.1  Quantitative Risk Assessment

    5.2  Improving the Simple Formula by Squaring Impact

    5.3  How to Use Quantitative Risk Assessment for EveryChem, a Sample Organization

    5.3.1  Probability for Seven Sample Threats

    5.3.2  Impact for Seven Sample Threats

    5.3.3  Basic Quantitative Risk Assessment

    5.3.4  Recommended Management Action from Risk Assessment

    5.4  Limitations of the Basic Quantitative Risk Assessment

    5.5  A Second Approach: Introducing a Moderate Probability and Impact

    5.6  An Expanded Quantitative Risk Assessment for EveryChem, the Sample Organization

    5.6.1  Probability for Seven Sample Threats

    5.6.2  Impact for Seven Sample Threats

    5.6.3  Expanded Quantitative Risk Assessment

    5.6.4  Recommended Management Action from Expanded Risk Assessment

    5.6.5  Advantages of the Expanded Quantitative Risk Assessment

    5.7  Can Quantitative Risk Assessment Be Improved Further?

    Questions for Thought, Review, and Discussion

    References

    Chapter 6: Risk Controls: Improving Organization Resiliency

    6.1  Determine the Goals and Objectives

    6.2  Evaluate Existing Risk Controls

    6.3  Determine the Value of New Risk Controls

    6.3.1  Nonfinancial Factors to Be Considered for Your Organization

    6.3.2  Cost Justifying Risk Controls

    6.3.3  How Much Time to Allow for a Risk Control to Produce a Positive Return?

    6.3.4  When Does It Make Sense to Use an Outside Professional?

    6.4  Existing Risk Controls

    6.4.1  Building Fortification Controls

    6.4.1.1  Earthquakes

    6.4.1.2  Floods

    6.4.1.3  Wind

    6.4.1.4  Other Natural Hazards

    6.4.2  Building Systems, Procedures, and Safety Risk Controls

    6.4.2.1  Backup Electrical Power Systems*

    6.4.2.2  Emergency Communication Systems

    6.4.2.3  Fire Safety and Building Evacuation

    6.4.2.4  General Building Systems

    6.4.2.5  Hazardous Materials Control

    6.4.2.6  Housekeeping

    6.4.2.7  Medical Planning and Safety

    6.4.2.8  Research Laboratory/Clean Room/Special Room Controls

    6.4.2.9  Shelter-in-Place Safety

    6.4.3  Security Risk Controls

    6.4.3.1  Building Interior

    6.4.3.2  Building Perimeter

    6.4.3.3  Grounds and Parking Lot Security (Outer Perimeter)

    6.4.4  Technology Risk Controls

    6.4.4.1  General Information

    6.4.4.2  Alternate Site Plan

    6.4.4.3  Communication Systems

    6.4.4.4  Data Center Protection

    6.4.4.5  Data Center Recovery

    6.4.4.6  Information Management

    6.4.4.7  Information or Cyber Security Management

    6.4.5  Supply Chain and Process Flow Analysis

    6.4.5.1  Raw Materials

    6.4.5.2  Manufacturing

    6.4.5.3  Product Distribution/Shipping

    Questions for Thought, Review, and Discussion

    Appendix A: Case Study: Sample Organization
