The risk assessment sits at the foundation of risk management: without a clear understanding of the risks faced, none of the other risk management activities can be undertaken. An efficient and balanced security program begins with a thorough risk assessment. Threats, new employment laws, and regulatory compliance concerns all prompt companies to reassess their risk profile and security programs.
A risk assessment, in broad terms, is the combined effort of:
- a risk analysis, to identify and analyze potential incidents that may negatively impact individuals, assets, and/or the environment; and
- a risk evaluation, to judge whether each identified risk is acceptable, based on the risk analysis and taking influencing factors into account.
The objectives of the risk assessment should be clearly understood and documented so that the tasks, resources, and goals of the assessment activities stay focused. Every risk assessment should include an analysis and evaluation of how effective the current risk treatment measures are and where they could be improved. Objectives are set within the context of the organization’s overall business and risk management objectives, so that the risks identified are managed systematically rather than ad hoc.
An effective risk assessment process is made up of:
- Identify and characterize assets
- Determine asset criticality and prioritize
- Identify realistic and perceived threats
- Estimate the likelihood of threat events
- Identify the likely impact (injury) and longer-term consequences
Risk assessment requires proactive and ongoing monitoring of the organization's internal and external context, as well as of its risks and treatment measures. The risk assessment step is the point in the model where the earlier assessments (of assets, threats and vulnerabilities) are combined and evaluated to give a complete picture of the risks to an asset or group of assets.
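The combination step above is easiest to see on a small risk register. The following is an added example, not part of the original page or of any standard: it assumes 1-to-5 ordinal scales for likelihood and impact, a treatment threshold of 10, and a constructed set of scenarios. It carries out the risk analysis (score each asset/threat pair) and the risk evaluation (accept or treat), and shows one caveat a practitioner should keep in mind: a plain likelihood × impact product gives a rare-but-severe event the same score as a likely-but-minor one, so severe impact here is never accepted on low likelihood alone.

```python
from dataclasses import dataclass

# Ordinal scales, 1 = lowest, 5 = highest. The labels, the threshold and
# the severe-impact floor are assumptions for this example, not a standard.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
TREAT_THRESHOLD = 10      # risk evaluation: scores at or above this are not accepted
ALWAYS_TREAT_IMPACT = 5   # severe impact is never accepted on low likelihood alone


@dataclass(frozen=True)
class Scenario:
    asset: str
    criticality: int   # 1-5, from the asset criticality and prioritization step
    threat: str
    likelihood: str    # key into LIKELIHOOD
    impact: str        # key into IMPACT


def risk_score(s: Scenario) -> int:
    """Risk analysis: likelihood x impact on the ordinal scales (range 1..25)."""
    return LIKELIHOOD[s.likelihood] * IMPACT[s.impact]


def decision(s: Scenario) -> str:
    """Risk evaluation: 'accept' or 'treat', with a floor for severe impact.

    The product alone hides the difference between a likely/minor event and a
    rare/severe one (both can score low), so severe impact is treated regardless.
    """
    if IMPACT[s.impact] >= ALWAYS_TREAT_IMPACT or risk_score(s) >= TREAT_THRESHOLD:
        return "treat"
    return "accept"


def build_register(scenarios):
    """Rank scenarios by score, using asset criticality as the tie-breaker."""
    ranked = sorted(scenarios, key=lambda s: (risk_score(s), s.criticality), reverse=True)
    return [(s.asset, s.threat, risk_score(s), decision(s)) for s in ranked]


# Constructed sample input for the example.
SCENARIOS = [
    Scenario("customer database", 5, "credential stuffing on admin portal", "likely", "major"),
    Scenario("customer database", 5, "flooding of the hosting data centre", "rare", "severe"),
    Scenario("marketing website", 2, "defacement via CMS plugin", "possible", "minor"),
    Scenario("build server", 4, "compromised CI dependency", "possible", "major"),
    Scenario("office printer", 1, "firmware exploit from guest Wi-Fi", "unlikely", "negligible"),
]

if __name__ == "__main__":
    for asset, threat, score, verdict in build_register(SCENARIOS):
        print(f"{score:>3}  {verdict:<6}  {asset}: {threat}")
```

Note that the data-centre flood scenario ranks below the website defacement on score (5 against 6) yet is the one flagged for treatment; that is the point of evaluating against explicit acceptance criteria rather than reading the ranking alone.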
Risk management principles acknowledge that risk generally cannot be eliminated, but that enhancing protection against known or potential threats can reduce it.
Risk management is therefore the procedure an organization follows to protect itself, its staff, its clients, customers and guests, and its volunteers.
Risk management is not about managing risks; it is about making decisions with risks in mind.