<?xml version="1.0"?>
<rss version="2.0">
   <channel>
      <title>Dyman &amp; Associates Risk Management Projects by Philipp Faust</title>
      <link>https://padlet.com/faustphilipp/ei3xw1u8le</link>
      <description></description>
      <language>en-us</language>
      <pubDate>2014-02-25 08:48:32 UTC</pubDate>
      <lastBuildDate>2014-08-06 05:40:17 UTC</lastBuildDate>
      <webMaster>hello@padlet.com</webMaster>
      <image>
         <url></url>
      </image>
      <item>
         <title>Dyman &amp; Associates Projects: Risk Management</title>
         <author>faustphilipp</author>
         <link>https://padlet.com/faustphilipp/ei3xw1u8le/wish/22016933</link>
         <description><![CDATA[<p>

<p>This site, <b><a href="http://dymanassociatesprojects.com/about.html">Dyman &amp;
Associates Projects</a></b>, provides guidance and tools to help businesses
understand what they need to do to assess and control risks in the workplace
and comply with health and safety law. Although written with small businesses
in mind, the site is relevant to all businesses.</p>
<p><b>Five steps to risk assessment</b></p>

<p>This is not the only way to do a
risk assessment; there are other methods that work well, particularly for more
complex risks and circumstances. However, we believe this method is the most
straightforward for most organizations.</p>
<p><b>How to assess the risks in your workplace?</b></p>



<p><b>Follow the five steps in our leaflet:</b></p>

<p><b><a href="http://www.hse.gov.uk/risk/step1.htm">Step
1: Identify the hazards</a></b></p>

<p><b><a href="http://www.hse.gov.uk/risk/step2.htm">Step
2: Decide who might be harmed and how</a></b></p>

<p><b><a href="http://www.hse.gov.uk/risk/step3.htm">Step
3: Evaluate the risks and decide on precautions</a></b></p>

<p><b><a href="http://www.hse.gov.uk/risk/step4.htm">Step
4: Record your findings and implement them</a></b></p>

<p><b><a href="http://www.hse.gov.uk/risk/step5.htm">Step
5: Review your risk assessment and update if necessary</a></b></p>



<p>Don’t overcomplicate the
process. In many organizations, the risks are well known and the necessary
control measures are easy to apply. You probably already know whether, for
example, you have employees who move heavy loads and so could harm their backs,
or where people are most likely to slip or trip. If so, check that you have
taken reasonable precautions to avoid injury.</p>
<p>If you run a small organization
and you are confident you understand what’s involved, you can do the assessment
yourself. You don’t have to be a health and safety expert. </p>
<p>If you already have a health and
safety policy, you may choose to simply complete the risk assessment part of
the template. We also have a number of example risk assessments to show you
what a risk assessment might look like. Choose the example closest to your own
business and use it as a guide for completing the template, adapting it to meet
the needs of your own business. [<b><a href="http://dymanassociatesprojects.com/cyber.html">See this Cyber Security</a></b>]</p>
<p>If you work in a larger organization,
you could ask a health and safety adviser to help you. If you are not
confident, get help from someone who is competent. In all cases, you should
make sure that you involve your staff or their representatives in the process.
They will have useful information about how the work is done that will make
your assessment of the risk more thorough and effective. But remember, you are
responsible for seeing that the assessment is carried out properly.</p>
<p><b>For more Info <a href="http://dymanassociatesprojects.com/">Dyman &amp; Associates Risk
Management Projects</a></b></p>



<p><b>When thinking about your risk assessment,
remember:</b></p>
<p>• a hazard is
anything that may cause harm, such as chemicals, electricity, working from
ladders, an open drawer, etc.; and</p>

<p>• the risk is
the chance, high or low, that somebody could be harmed by these and other
hazards, together with an indication of how serious the harm could be.</p>



<p><b><a href="http://www.hse.gov.uk/risk/">Click
for full info on Risk Management</a></b></p>

</p>]]></description>
         <enclosure url="" />
         <pubDate>2014-02-25 08:50:22 UTC</pubDate>
         <guid>https://padlet.com/faustphilipp/ei3xw1u8le/wish/22016933</guid>
      </item>
      <item>
         <title>Dyman &amp; Associates Risk Management Projects: The Weakest Link in Security?</title>
         <author>faustphilipp</author>
         <link>https://padlet.com/faustphilipp/ei3xw1u8le/wish/24144978</link>
         <description><![CDATA[<p>

<p>Hardly
a day goes by without news of another <a href="http://www.cioinsight.com/security/employees-the-weakest-link-in-security.html/">data
breach</a>. It's safe to say that we live and work in risky times. But there's
a growing recognition that cybercriminals aren't the only threat—or even the
primary threat to an enterprise. "There's a far greater need to educate
and train employees about <a href="http://dymanassociatesprojects.com/">security
issues</a> and put controls and monitoring in place to increase the odds of
compliance," says John Hunt, a principal in information security at
consulting firm PwC.</p>
<p>It's
a task that's easier said than done, particularly in an era of BYOD, <a href="http://www.buzznet.com/groups/dymanassociatesprojects/">consumer
technology</a> and personal clouds. According to Jonathan Gossels, president
and CEO of security firm SystemsExperts, it's critical to construct policies
and security protections around two basic areas: malicious insiders and those
who inadvertently breach security. "The best security program in the world
can be undermined by ill-advised behavior," Gossels explains.</p>
<p><b>Construct
effective policies.</b>
Surveys indicate that many workers are not adhering to existing policies. In
some cases, they simply disregard them. "The thing that you have to keep
in mind," notes Hunt, "is that policies must be clear, understandable
and not interfere with the ability of people to get their work done." If
an organization is struggling with non-compliance and shadow IT, then it may be
time to reexamine policies, as well as the underlying systems and tools the
enterprise has in place. "Many organizations have older policies that
don't take into account today's tech tools, such as iPads and other portable
devices," says Hunt. The policies should also extend to contract workers and
freelancers, he notes.</p>
<p><b>Educate and
train employees.</b>
One of the biggest problems, says Gossels, is weak passwords and workers
sharing passwords. He recommends educating employees about the use of strong
passwords. It's also essential to teach employees about increasingly <a href="http://dymanassociatesprojects.com/enter.html">sophisticated phishing
techniques</a>. And executives, including CEOs, make the mistake of clicking
bad links. "When you receive an e-mail from the Better Business Bureau or
a fax that looks legitimate, it's very easy in the rush of the moment to click
it," says Gossels. It's critical that employees learn to hover over links.
Some organizations also use simulated phishing and spear phishing attacks to
identify careless workers. Finally, employees must understand the risks of
using personal clouds, USB drives, and other media to share and store sensitive
data.</p>
<p><b>Develop controls
that match policies.</b>
It's one thing to introduce a collection of security policies; it's another to
build controls that effectively enforce them. According to Gossels, any time an
organization introduces a policy, it should also consider how to build in
technical controls, preferably automated ones. "The less you leave things
to humans and chance, the better off you will be," he says. That means
using mobile device management and media asset management tools, two-step
verification, encryption, endpoint security, and other security measures. It
also means looking for so-called low and slow approaches that frequently fly
below the radar. But, more than anything else, it means mapping threats to
policies and security systems—and ensuring that tools are in place to wipe lost
or stolen smartphones and tablets, when necessary. Hunt adds that it's crucial
to consider, when adopting policies, how long it will take to build the matching
controls. He often sees companies lagging by nine to 12 months—or more.</p>
<p><b>Monitor activity
and access from all endpoints.</b> There's a growing focus on monitoring
the network and endpoints for unusual activity and odd behavior, Hunt explains.
"If you detect activity that doesn't fit the norm of a person's role, then
it's a good idea to take a closer look at the situation," he points out.
In fact, even if an organization embeds role-based policies and controls in its
IT systems—something that's generally viewed as a best practice—it's wise to
monitor activity and look for anomalies. Networks and systems are particularly
vulnerable during mergers and acquisitions and during transitions to different
or new systems.</p>

</p>]]></description>
         <enclosure url="" />
         <pubDate>2014-03-22 06:29:24 UTC</pubDate>
         <guid>https://padlet.com/faustphilipp/ei3xw1u8le/wish/24144978</guid>
      </item>
      <item>
         <title>Dyman Associates Risk Management on How to Develop a Risk Management Plan</title>
         <author>faustphilipp</author>
         <link>https://padlet.com/faustphilipp/ei3xw1u8le/wish/31205445</link>
         <description><![CDATA[<p>

<p>Developing an effective
Risk Management Plan can help keep small issues from developing into
emergencies. Different types of Risk Management Plans can deal with calculating
the probability of an event, how that event might impact you, what the
risks are with certain ventures, and how to mitigate the problems associated
with those risks. Having a plan may help you deal with adverse situations when
they arise and, hopefully, head them off before they arise.</p>
<p><b>Steps</b></p>
<p>1. Understand how <a href="http://www.wikihow.com/Develop-a-Risk-Management-Plan">Risk Management</a>
works. Risk is the effect (positive or negative) of an event or series of
events that take place in one or several locations. It is computed from the
probability of the event becoming an issue and the impact it would have (See
Risk = Probability X Impact). Various factors should be identified in order to
analyze risk, including:</p>
<p>Event: What could
happen?</p>

<p>Probability: How likely
is it to happen?</p>

<p>Impact: How bad will it
be if it happens?</p>

<p>Mitigation: How can you
reduce the Probability (and by how much)?</p>

<p>Contingency: How can
you reduce the Impact (and by how much)?</p>

<p>Reduction = Mitigation
X Contingency</p>

<p>Exposure = Risk –
Reduction</p>
<p>2. Define your project.
In this article, let's pretend you are responsible for a computer system that
provides important (but not life-critical) information to some large
population. The main computer on which this system resides is old and needs to
be replaced. Your task is to develop a Risk Management Plan for the migration.</p>
<p>3. Get input from
others. <a href="http://dymanassociatesprojects.com/">Brainstorm</a> on risks.
Get several people together who are familiar with the project and ask for
input on what could happen, how to help prevent it, and what to do if it does
happen. Take a lot of notes! You will use the output of this very important
session several times during the following steps. Try to keep an open mind about
ideas. </p>
<p>4. Identify the
consequences of each risk. From your brainstorming session, you gathered
information about what would happen if risks materialized. Associate each risk
with the consequences arrived at during that session. Be as specific as
possible with each one. "<a href="http://www.scoop.it/t/dyman-associates-projects/">Project Delay</a>"
is not as desirable as "Project will be delayed by 13 days." </p>
<p>5. Eliminate irrelevant
issues. If you’re moving, for example, a car dealership’s computer system, then
threats such as nuclear war, plague pandemic or killer asteroids are pretty
much things that will disrupt the project. There’s nothing you can do to plan
for them or to lessen the impact. </p>
<p>6. List all identified
risk elements. You don’t need to put them in any order just yet. Just list them
one-by-one.</p>
<p>7. Assign probability.
For each risk element on your list, determine if the likelihood of it actually
materializing is High, Medium or Low. If you absolutely have to use numbers,
then figure Probability on a scale from 0.00 to 1.00. 0.01 to 0.33 = Low, 0.34
to 0.66 = Medium, 0.67 to 1.00 = High.</p>
<p>8. Assign impact. In
general, assign Impact as High, Medium or Low based on some pre-established
guidelines. If you absolutely have to use numbers, then figure Impact on a
scale from 0.00 to 1.00 as follows: 0.01 to 0.33 = Low, 0.34 – 0.66 = Medium,
0.67 – 1.00 = High.</p>
<p>9. Determine risk for
the element. Often, a table is used for this. If you have used the Low, Medium
and High values for Probability and Impact, the top table is most useful. If
you have used numeric values, you will need to consider a somewhat more complex
rating system similar to the second table here. It is important to note that
there is no universal formula for combining Probability and Impact; that will
vary between people and projects. </p>
<p>10. Rank the risks.
List all the elements you have identified from the highest risk to the lowest
risk.</p>
<p>11. Compute the total
risk: Here is where numbers will help you. In Table 6, you have 7 risks
assigned as H, H, M, M, M, L, and L. This can translate to 0.8, 0.8, 0.5, 0.5,
0.5, 0.2 and 0.2, from Table 5. The average of the total risk is then 0.5 and
this translates to Medium.</p>
<p>12. Develop mitigation
strategies. Mitigation is designed to reduce the probability that a risk will
materialize. Normally you will only do this for High and Medium elements. You
might want to mitigate low risk items, but certainly address the other ones
first. For example, if one of your risk elements is that there could be a delay
in delivery of critical parts, you might mitigate the risk by ordering early in
the project.</p>
<p>13. Develop contingency
plans. Contingency is designed to reduce the impact if a risk does materialize.
Again, you will usually only develop contingencies for High and Medium
elements. </p>
<p>14. Analyze the
effectiveness of strategies. How much have you reduced the Probability and
Impact? </p>
<p>15. Compute your
effective risk. Now your 7 risks are M, M, M, L, L, L and L, which translate to
0.5, 0.5, 0.5, 0.2, 0.2, 0.2 and 0.2. This gives an average risk of 0.329. </p>
<p>16. Monitor your risks.
Now that you know what your risks are, you need to determine how you’ll know if
they materialize so you’ll know when and if you should put your contingencies
in place. This is done by identifying Risk Cues. Do this for each one of your
High and Medium risk elements. </p>

</p>]]></description>
         <enclosure url="" />
         <pubDate>2014-08-06 05:40:11 UTC</pubDate>
         <guid>https://padlet.com/faustphilipp/ei3xw1u8le/wish/31205445</guid>
      </item>
   </channel>
</rss>
