A risk assessment is about identifying all the possible threats to your business and its processes, from wherever they might originate. It is an important part of a thorough business continuity plan.

For example, if flooding from a hurricane wipes out a business’s records and they don’t have a backup site (or the backup is too close and is also flooded) the compliance issues from the destroyed records will linger for months and possibly even years afterward.

Whether the disaster is natural, like a hurricane or pandemic, or man-made, like a cyber-attack, it is important to identify and plan for situations where you may not have immediate access to the data, resources, staff, or even locations you are accustomed to during normal business operations.  The goal of business continuity planning, after all, is to keep the business running no matter what happens.  Therefore, it makes sense that we would take some time to address all the what-ifs and plan for those things.  

The most common mistakes businesses make when it comes to business continuity planning and risk assessment include:

• Not accounting for loss of critical people.
• Not planning to accommodate the stress and trauma staff incur in a crisis.
• Not making the emergency plan easily accessible to staff at the office or working remotely or making plans that are too generic or are out of date.
• Failing to communicate plans and processes quickly and transparently and the resulting PR problems that can be related to recovery.
• No alternative emergency operation centers or recovery sites, or not having a plan for employees to work from home when a physical site isn’t available.
• Believing that outside assistance and insurance will take care of everything.

During the risk assessment process, you must look within your organization to:

• Identify processes and situations that can cause harm, particularly harm to people.
• Determine how likely it is that each hazard will occur and how severe the consequences could be.
• Decide what steps the organization should take to prevent these hazards, control the risks, or mitigate bad possible outcomes.

The goal of a risk assessment plan will vary across industries, but overall, the goal is to help organizations prepare for and mitigate risk.  Other goals include:

• Providing an analysis of possible threats
• Preventing injuries or illnesses
• Meeting legal requirements
• Creating awareness about hazards and risks
• Creating an accurate inventory of available assets
• Justifying the cost of managing risks
• Determining the budget to remediate risks
• Understanding the return on investment

Before you begin the risk management process, you should determine the scope of the assessment, necessary resources, stakeholders involved, and the laws and regulations you will need to follow.  Because the risk assessment process is so involved, it is most often best to consult with or hire a risk management specialist for this process.

5 Steps in the Risk Assessment Process

1. Identify the Hazards

Look around your workplace and see what processes or activities could potentially harm your organization. Include all aspects of work, including remote workers and non-routine activities such as repair and maintenance. You should also look at accident/incident reports to determine what hazards have impacted your company in the past.

These include but are not limited to natural disasters (i.e., hurricanes or fires), biological disasters (i.e., pandemics or foodborne illnesses), workplace accidents (i.e., slips, transportation accidents, or mechanical breakdowns), intentional acts (i.e., bomb threats, robbery or strikes), technological hazards (i.e., loss of  internet connection or power and cyberattacks), chemical hazards (i.e., asbestos or cleaning fluid spills), mental hazards (i.e., excess workload, sexual harassment, bullying), and interruptions in the supply chain.

2. Determine Who Might be Harmed and How

For every hazard that you identify in step one, think about who will be harmed should the hazard take place.

3. Evaluate the Risks and Take Precautions

Look at your list of potential risks and the effected people.  How likely is it that the hazard will occur?  How severe will the consequences be should the hazard occur? This evaluation will help you determine where you should reduce the level of risk and which risks should be deemed top priority.

4. Record Your Findings

If you have more than 5 employees in your workplace, you are required by law to write down your risk assessment process. Your plan should include the hazards you’ve found, the people they affect, and how you plan to mitigate all the risks. The record—or the risk assessment plan—should show that you:

• Conducted a proper check of your workplace
• Determined who would be affected
• Controlled and dealt with obvious hazards
• Initiated precautions to keep risks low
• Kept your staff involved in the process

This is a laborious process.  We recommend using a specialized compliance specialist, like CentraVance Consulting, to help with this.

5. Review Assessment and Update if Necessary

Your workplace is always changing, so the risk to your business change as well. As new equipment, people, and processes are introduced, each brings the risk of a new hazard.  Perhaps the new hazard is more widespread like the global pandemic Covid-19.  To protect your business and its reputation, you must continually review and update your risk assessment process to stay on top of these new hazards.

By applying the risk assessment steps mentioned above and employing the help of a brand reputation specialist, you should be able to manage any potential risk to your business.  Get prepared by completing a thorough risk assessment as a part of a larger business continuity plan. After all, luck favors the prepared!