A risk assessment is a process used to identify potential hazards and analyze what could happen if a disaster or hazard occurs. There are numerous hazards to consider, and each hazard could have many possible scenarios happening within or because of it.
As you conduct the risk assessment, look for vulnerabilities or weaknesses that could make your business more susceptible to damage from a hazard. Vulnerabilities include deficiencies in building construction, process systems, security, protection systems and loss prevention programs. They contribute to the severity of damage when an incident occurs. For example, a building without a fire sprinkler system could burn to the ground while a building with a properly designed, installed and maintained fire sprinkler system would suffer limited fire damage.
In May 2024, EPA's Regional Screening Level (RSL) tables were updated to provide the latest comparison values for residential and commercial/industrial exposures to soil, air and tap water (drinking water).
In April 2024, EPA announced the release of the All Ages Lead Model (AALM), which rapidly estimates the effect of exposures on lead concentrations in the tissues of children and adults; it can assess exposures lasting a day or more, as well as chronic exposures, and can be applied to specific individuals or to groups of similarly exposed individuals.
What is risk? EPA uses risk assessment to characterize the nature and magnitude of health risks to humans and ecological receptors from chemical contaminants and other stressors that may be present in the environment.
The Breast Cancer Risk Assessment Tool (BCRAT), also known as The Gail Model, allows health professionals to estimate a woman's risk of developing invasive breast cancer over the next five years and up to age 90 (lifetime risk).
The tool uses a woman's personal medical and reproductive history and the history of breast cancer among her first-degree relatives (mother, sisters, daughters) to estimate absolute breast cancer risk, that is, her chance or probability of developing invasive breast cancer in a defined age interval.
The tool may underestimate risk in Black women with previous biopsies and Hispanic women born outside the United States. Because data on American Indian/Alaska Native women are limited, their risk estimates are partly based on data for White women and may be inaccurate. Further studies are needed to refine and validate these models.
Although a woman's risk may be accurately estimated, these predictions do not allow one to say precisely which woman will develop breast cancer. In fact, some women who do not develop breast cancer have higher risk estimates than some women who do develop breast cancer.
Risk assessment is the process of identifying hazards that could negatively affect an organization's ability to conduct business. These assessments help identify inherent business risks and prompt measures, processes and controls to reduce the impact of these risks on business operations.
Risk assessments help ensure the health and safety of employees and customers by identifying potential hazards. The goal of this process is to determine what measures should be implemented to mitigate those risks. For example, certain hazards or risks might determine the type of protective gear and equipment a worker needs.
As a risk assessment is conducted, vulnerabilities and weaknesses that could make a business more susceptible to harm from a hazard are analyzed. Potential vulnerabilities could include construction deficiencies, security issues and process system errors. Companies can use a risk assessment framework (RAF) to prioritize and share the details of the assessment, including any risks to their IT infrastructure. The RAF helps an organization identify hazards, the business assets put at risk by those hazards, and the potential fallout if the risks materialize. If a hazard has a large enough impact, a mitigation strategy can then be constructed.
How a risk assessment is conducted varies widely, depending on the risks unique to a business's industry and the compliance rules applied to that given business or industry. However, organizations can follow these five general steps, regardless of their business type or industry.
Step 1: Identify the hazards. Identify any potential hazards that, if they were to occur, would negatively influence the organization's ability to conduct business. Potential hazards that could be considered or identified during risk assessments include natural disasters, utility outages, cyber attacks and power failure.
Step 2: Discover what or who could be harmed. Determine which business assets would be negatively affected if the risk materialized. Business assets deemed at risk from these hazards can include critical infrastructure, IT systems, business operations, company reputation and even employee safety.
Step 3: Evaluate the level of risk and develop control measures. A risk analysis can help identify how hazards will impact business assets, as well as define a risk management framework to minimize or eliminate the effect of these hazards on business assets. Other threats include property damage, business interruption, financial loss and legal penalties.
Step 4: Record the findings. The risk assessment findings should be recorded by the company and filed as easily accessible, official documents. The records should include details on potential hazards, their associated risks and plans to prevent the hazards.
Step 5: Review and update the risk assessment regularly. Potential hazards, risks and their resulting controls can change rapidly in a modern business environment. It is important for companies to update their risk assessments regularly to adapt to these changes.
Risk assessment tools and frameworks -- such as risk assessment templates -- are available for different industries. They might prove useful to companies developing their first risk assessments or for updating older ones. Some examples of these frameworks include the National Institute of Standards and Technology Cybersecurity Framework for cybersecurity purposes, ISO 27001 for IT purposes or the CSA Standard Z1002 for health and safety purposes.
A risk assessment matrix shows the likelihood of events happening and the potential consequences. In the following example, Likelihood refers to the level of possibility that a person could be injured if exposed to a hazard, while Impact refers to the severity of the injury.
Risk matrices can be created as 2x2, 3x3, 4x4 or 5x5 charts; the level of detail required helps determine the size. Color coding the matrix is important because the colors convey the combined probability and impact of each identified risk. Injury severity and consequence could be assessed as fatal, major injury, minor injury or negligible injury. Similarly, likelihood could be assessed as extremely likely, likely, unlikely or highly unlikely.
Risk assessments can be quantitative or qualitative. In a quantitative risk assessment, the chief risk officer or chief risk manager assigns numerical values to the probability an event will occur and the impact it would have. These numerical values can then be used to calculate an event's risk factor, which, in turn, can be mapped to a dollar amount.
Qualitative risk assessments, which are used more often, don't involve numerical probabilities or predictions of loss. The goal of a qualitative approach is to simply rank which risks pose the most danger.
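As an added illustration of the matrix and the qualitative/quantitative distinction described above (example code written for this edit, not taken from the original page): it scores hazards on the four-level likelihood and severity scales named in the text, color-codes the matrix cells, and then ranks the same hazards qualitatively by matrix score and quantitatively by expected annual loss in dollars. The 1 to 4 scores, the color cut-offs and the sample hazards are assumptions.

```python
"""Added example (not from the page): qualitative likelihood x impact matrix
and quantitative risk factor in dollars. Scales, scores and thresholds are assumed."""
from dataclasses import dataclass

LIKELIHOOD = {"highly unlikely": 1, "unlikely": 2, "likely": 3, "extremely likely": 4}
IMPACT = {"negligible": 1, "minor injury": 2, "major injury": 3, "fatal": 4}

def risk_score(likelihood: str, impact: str) -> int:
    """Matrix cell value: likelihood score times impact score."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def risk_color(score: int) -> str:
    """Color band for a cell; the cut-offs (>=12 red, >=6 amber) are assumed."""
    if score >= 12:
        return "red"
    if score >= 6:
        return "amber"
    return "green"

def build_matrix() -> dict:
    """Full 4x4 matrix: (likelihood, impact) -> (score, color)."""
    return {(lk, im): (risk_score(lk, im), risk_color(risk_score(lk, im)))
            for lk in LIKELIHOOD for im in IMPACT}

@dataclass
class Hazard:
    name: str
    likelihood: str                  # qualitative rating
    impact: str                      # qualitative rating
    annual_probability: float = 0.0  # quantitative: chance of occurring per year
    loss_dollars: float = 0.0        # quantitative: cost if it occurs

def rank_qualitative(hazards: list) -> list:
    """Qualitative assessment: order hazards by matrix score, highest first."""
    return sorted(hazards, key=lambda h: risk_score(h.likelihood, h.impact), reverse=True)

def expected_annual_loss(h: Hazard) -> float:
    """Quantitative risk factor: probability x impact, mapped to dollars."""
    return h.annual_probability * h.loss_dollars

def rank_quantitative(hazards: list) -> list:
    """Order by expected annual loss; this can differ from the qualitative ranking."""
    return sorted(hazards, key=expected_annual_loss, reverse=True)

# Constructed sample hazards for the walkthrough (all values are made up).
SAMPLE = [
    Hazard("fire without sprinklers", "unlikely", "fatal", 0.02, 2_000_000),
    Hazard("utility outage", "likely", "minor injury", 0.5, 400_000),
    Hazard("chemical spill", "likely", "major injury", 0.3, 500_000),
]
```

Running both rankings over SAMPLE shows why the text calls the quantitative form more informative: the outage is only amber on the matrix but carries the largest expected annual loss.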
Similar to risk assessment steps, the specific goals of risk assessments will vary based on industry, business type and relevant compliance rules. An information security risk assessment, for example, should identify gaps in the organization's IT security architecture, as well as review compliance with infosec-specific laws, mandates and regulations.
The ultimate goal of the risk assessment process is to evaluate hazards and determine the inherent risk created by those hazards. The assessment should not only identify hazards and their potential effects but also potential risk control measures to offset any negative impact on the organization's business processes or assets.
The components of a risk assessment differ, depending on an organization's specific industry. Typically, an assessment takes into account specific needs and provides corresponding control measures. Some examples of risk assessments include the following:
The Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the HHS Office for Civil Rights (OCR), developed a downloadable Security Risk Assessment (SRA) Tool to help guide you through the process. The tool is designed to help healthcare providers conduct a security risk assessment as required by the HIPAA Security Rule. The target audience of this tool is medium and small providers; thus, use of this tool may not be appropriate for larger organizations.
The SRA Tool is a desktop application that walks users through the security risk assessment process using a simple, wizard-based approach. Users are guided through multiple-choice questions, threat and vulnerability assessments, and asset and vendor management. References and additional guidance are given along the way. Reports are available to save and print after the assessment is completed.
This application can be installed on computers running 64-bit versions of Microsoft Windows 7/8/10/11. All information entered into the tool is stored locally on the user's computer. HHS does not collect, view, store, or transmit any information entered into the SRA Tool.
This version of the SRA Tool takes the same content from the Windows desktop application and presents it in a familiar spreadsheet format. The Excel Workbook contains conditional formatting and formulas to calculate and help identify risk in a similar fashion to the SRA Tool application. This version of the SRA Tool is intended to replace the legacy "Paper Version" and may be a good option for users who do not have access to Microsoft Windows or otherwise need more flexibility than is provided by the SRA Tool for Windows.