Transcript

Industrial Safety and Risk Assessment

Risk assessment is the process of enumerating risks, determining their classifications, assigning probability and impact scores, and associating controls with each risk.

“The trick is for the right people to use the right tools at the right time, each time!”

Risk Assessments measure the risk, the potential loss, and the probability that the loss will occur.

Risk (R) = Loss value (L) * Probability (P), or

R = L * P

Risk: potential events that have a negative impact on the Integrity, Confidentiality, and Availability of information.

Vulnerability: condition of a missing or ineffectively administered safeguard or control that allows a risk to occur with a greater impact or frequency or both.

Impact – the potential effect a risk may have on an asset.

Control – measures taken to prevent, detect, minimize, or eliminate risk to protect the Integrity, Confidentiality, and Availability of information.

Probability – the likelihood of the event occurring, rated from 0 to 1.

Risk is commonplace

What to Investigate

Types of Risk Assessment

Qualitative – measures probability and impact in terms like “high, medium, and low”; looks at relative value and relative risk.

Quantitative – measure in dollars and formulas.

The government has switched to more qualitative processes – quantitative processes tend to take a very long time and, while they generate “hard” data, they are rarely completed!

High, medium, and low mean something different to everyone.

Assign understandable values, then seek group agreement.

Document thought process if necessary or appropriate.
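The two scoring styles side by side, as an added example that is not part of the original slides: the quantitative path applies R = L * P with the probability checked against its 0..1 range, and the qualitative path first fixes a numeric value for each of “low”, “medium” and “high” so that the words mean the same thing to every team member. The sample risk register and the numeric rating table are constructed assumptions, not figures from the slides.

```python
"""Scoring risks two ways: quantitatively (R = L * P) and qualitatively.

Added example, not part of the original slides. The risk register and the
numeric values assigned to "low"/"medium"/"high" are constructed assumptions.
"""
from dataclasses import dataclass

# Team-agreed numeric meaning of the qualitative words. Agreeing on this table
# before scoring is what stops "high" meaning something different to everyone.
RATING_VALUES = {"low": 1, "medium": 2, "high": 3}


def quantitative_risk(loss_value: float, probability: float) -> float:
    """R = L * P, with L in currency units and P a probability in [0, 1]."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError(f"probability must be between 0 and 1, got {probability}")
    if loss_value < 0:
        raise ValueError(f"loss value cannot be negative, got {loss_value}")
    return loss_value * probability


def qualitative_risk(probability: str, impact: str) -> int:
    """Multiply the agreed values of the two rating words (result 1..9)."""
    try:
        return RATING_VALUES[probability.lower()] * RATING_VALUES[impact.lower()]
    except KeyError as exc:
        raise ValueError(f"unknown rating {exc}; use one of {sorted(RATING_VALUES)}") from None


def qualitative_label(score: int) -> str:
    """Collapse a 1..9 product back to an overall high/medium/low rating."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class Risk:
    name: str
    loss_value: float   # quantitative: value at stake, in dollars
    probability: float  # quantitative: 0..1
    p_rating: str       # qualitative: probability word
    i_rating: str       # qualitative: impact word


def rank_quantitative(risks):
    """Highest dollar-weighted risk first."""
    return sorted(risks, key=lambda r: quantitative_risk(r.loss_value, r.probability), reverse=True)


def rank_qualitative(risks):
    """Highest rating product first; ties keep register order."""
    return sorted(risks, key=lambda r: qualitative_risk(r.p_rating, r.i_rating), reverse=True)


# Constructed sample register for a small plant network.
SAMPLE_RISKS = [
    Risk("Unpatched HMI workstation", 250_000, 0.30, "high", "medium"),
    Risk("Backup tapes lost in transit", 2_000_000, 0.02, "low", "high"),
    Risk("Shared operator passwords", 40_000, 0.60, "high", "low"),
]

if __name__ == "__main__":
    print("Quantitative ranking (R = L * P):")
    for r in rank_quantitative(SAMPLE_RISKS):
        print(f"  {r.name}: ${quantitative_risk(r.loss_value, r.probability):,.0f}")
    print("Qualitative ranking:")
    for r in rank_qualitative(SAMPLE_RISKS):
        s = qualitative_risk(r.p_rating, r.i_rating)
        print(f"  {r.name}: {s} ({qualitative_label(s)})")
```

On the sample register the dollar figures separate all three risks (75,000; 40,000; 24,000), while the qualitative products leave the last two tied at 3: the qualitative scheme is quicker to fill in but coarser, which is the trade-off the slides describe.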

"The greatest opportunity for the discovery and correction of undesired deviations takes place while the Risk is being performed."

Performing a Risk Assessment

• Define the purpose of the assessment
• Identify the product or system
• Select assessment approach
• Gather information
• Develop attack scenarios
• Estimate risk parameters
• Produce assessment report

Promoting the Risk Assessment

Elements of good risk assessments

1. Provides clear instructions
2. Is composed of segmented questions
3. Simplifies user response
4. Allows for a user commentary area
5. Identifies support contacts
6. Focuses on leaders as well as executors
7. Provides feedback to users and risk leaders
8. Has a broad scope
9. Supports draft operating mode
10. Identifies user for follow-up if necessary and applicable

Risk Assessment Foundation

A strong foundation is essential to the success of a risk assessment!

Dealing with risk

Accept the risk

• You accept responsibility and acknowledge awareness of the risk.
• Not always an acceptable alternative.
• Formal acknowledgement can be a useful tool!

Dealing with risk

Address and control the risk

Determine appropriate controls, weighing both how well each control remediates the risk and the cost and effort needed to implement it.

Meta Process

• Sponsor
• Scope
• Team
• Risk enumeration
• Risk classification and rating
• Control identification
• Report
• Action plan and execution

Sponsorship

A key factor in the success of risk assessment is having an effective sponsor.

The sponsor should be in charge of the area or system being assessed.

Sponsors should be willing to take responsibility for the assessment and to use its findings.

Scope

Carefully scope your assessment

Write a scope statement and make sure your group understands it.

Use scope to keep on topic during brainstorming, but do not limit brainstorming.

Choosing a team

• Diversity
• Expertise
• Sanity
• Leadership
• Numbers

Reporting

Reports should include risks, probability and impact ratings, and controls for each risk.

Reports should be signed off on by the project sponsor and the areas that must implement controls.

Choose a reasonable implementation timeframe and follow up!

Formal Risk Assessment

• Suggest a risk
• Classify the risk
• Rate probability
• Rate impact
• Suggest controls

Formal Risk Assessment

Introduction - team members introduce themselves and very briefly describe their area of responsibility or expertise relevant to the scope of the assessment.

Brainstorm - Risks are brainstormed, no idea will be rejected or negatively discussed in the initial brainstorm.

Identification - risks are categorized as affecting Confidentiality, Integrity, or Availability.

Prioritization - risks are prioritized by their impact and probability.

Controls - controls are identified and recommended based on the risks identified. Controls are prioritized based on cost, priority, and capability to implement.

Report - a report is prepared by the facilitator and approved by the team.

Sign-off - the project lead is given the document and signs off on it.
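The formal assessment sequence above (suggest a risk, classify it against Confidentiality, Integrity or Availability, rate probability and impact, suggest and prioritize controls, prepare the report, obtain sign-off), together with the earlier "Performing a Risk Assessment" steps, modelled as a small risk register. This is an added example written for this page, not tooling from the slides; the CIA categories and the rule that the sponsor may only sign a team-approved report come from the text, while the sample risks, controls and the control-ordering score (risk score plus capability minus cost) are constructed assumptions.

```python
"""Formal risk assessment register (added example; not from the slides).

Sequence modelled: suggest a risk -> classify it (Confidentiality / Integrity /
Availability) -> rate probability and impact -> suggest controls -> prioritize
controls by cost, priority and capability to implement -> report -> sign-off.
All risks, controls and names below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional

CIA = ("confidentiality", "integrity", "availability")
RATING = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Control:
    name: str
    cost: str        # low/medium/high cost and effort to implement
    capability: str  # low/medium/high ability of the team to implement it


@dataclass
class Risk:
    description: str
    category: str    # one of CIA (identification step)
    probability: str # low/medium/high (rate probability)
    impact: str      # low/medium/high (rate impact)
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self):
        # Identification step: every risk must map to exactly one CIA property
        # and carry ratings the team recognises.
        if self.category not in CIA:
            raise ValueError(f"category must be one of {CIA}, got {self.category!r}")
        for word in (self.probability, self.impact):
            if word not in RATING:
                raise ValueError(f"rating must be one of {sorted(RATING)}, got {word!r}")

    def score(self) -> int:
        return RATING[self.probability] * RATING[self.impact]


def prioritize_risks(risks: List[Risk]) -> List[Risk]:
    """Prioritization step: highest impact x probability first."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def prioritize_controls(risk: Risk) -> List[Control]:
    """Controls step: for a given risk, favour controls the team can actually
    implement cheaply. Constructed ordering: risk score + capability - cost."""
    return sorted(
        risk.controls,
        key=lambda c: risk.score() + RATING[c.capability] - RATING[c.cost],
        reverse=True,
    )


@dataclass
class Report:
    scope: str
    risks: List[Risk]
    approved_by_team: bool = False
    sponsor_signoff: Optional[str] = None

    def sign_off(self, sponsor: str) -> None:
        # Sign-off step: the sponsor only signs a report the team has approved.
        if not self.approved_by_team:
            raise RuntimeError("report must be approved by the team before sign-off")
        self.sponsor_signoff = sponsor

    def render(self) -> str:
        lines = [f"Risk assessment report: {self.scope}"]
        for r in prioritize_risks(self.risks):
            lines.append(f"- [{r.category}] {r.description}: "
                         f"P={r.probability}, I={r.impact}, score={r.score()}")
            for c in prioritize_controls(r):
                lines.append(f"    control: {c.name} (cost {c.cost}, capability {c.capability})")
        lines.append(f"Sponsor sign-off: {self.sponsor_signoff or 'PENDING'}")
        return "\n".join(lines)


def build_sample_report() -> Report:
    """Constructed register for a fictional packaging line."""
    r1 = Risk("Plant network reachable from office Wi-Fi", "confidentiality", "medium", "high",
              [Control("Segment OT network behind a firewall", "high", "medium"),
               Control("Disable unused Wi-Fi SSIDs", "low", "high")])
    r2 = Risk("Single PLC programming laptop, no backup image", "availability", "high", "high",
              [Control("Image the laptop and store an offline copy", "low", "high")])
    r3 = Risk("Operators can change setpoints without logging", "integrity", "low", "medium",
              [Control("Enable change logging on the HMI", "medium", "medium")])
    return Report("Packaging line 3", [r1, r2, r3])


if __name__ == "__main__":
    report = build_sample_report()
    report.approved_by_team = True
    report.sign_off("Plant manager")
    print(report.render())
```

The register enforces the parts of the process that tend to slip in practice: a risk without a CIA classification or with an unrecognised rating is rejected at creation, and the sponsor cannot sign until the team has approved the report.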

Steps Involved in Risk Assessment

1. Make sure the risk assessment process is practical and realistic.
2. Involve as many people as possible in the process, especially those at risk.
3. Use a systematic approach to ensure all relevant risks and hazards are addressed.
4. Look at the big picture; don’t waste time on the obviously minor risks, and don’t obscure the process in too much detail.
5. Start by identifying the hazards.
6. Assess the risks from those hazards, taking into account the effectiveness of the existing controls.
7. Be realistic, not idealistic. Look at what actually occurs and exists in the workplace and, in particular, include non-routine operations.
8. Identify who is at risk. Include all workers, including visitors, contractors and the public.
9. Start with the simple methods; use more systematic methods as necessary.
10. Always record the assessment in writing, including all assumptions you make, with the reasons why.

Disadvantages

• Accuracy
• Responsiveness
• Ease of use

“Risk Assessment is necessary to be Safe Always in All ways”

Thank You
