
Risk Audit Guide
What is a hazard?
A hazard is a source of harm, such as materials, substances, sources of energy, processes, practices, and conditions. After a hazard is identified, the corresponding risk can be identified.
What is risk?
A risk is the chance of harm resulting from a hazard. This applies to health, bodily safety, equipment, and property. Examples of hazards include sharp objects, high temperatures, electricity, slippery surfaces, asbestos, and chemicals.
Why is risk assessment important?
Risk assessment identifies hazards, determines who and what may be at risk, evaluates the risk, and determines the best way to control the risks. It includes a time horizon.
The overarching goal of a risk audit is to seek out problems before they occur, to minimize loss of finances, human capital, property, information, customers, and vendors, and to mitigate external threats. The twenty-five (25) components of a Risk Audit include:
1. Risk assessment step: identify, determine, evaluate, control
2. Likelihood scale: from 0 (impossible) to 4 (>25%)
3. Risk categories: physical, location, human, technology
4. Walk-arounds: what to consider and common issues
5. Levels of impact: low, medium, high
6. Consequence scale: from 1 (insignificant) to 5 (catastrophic)
7. Prevention vs. recovery: determine the cost, resources, and time of prevention vs. recovery
8. Safety protocols: common within my industries
9. Communication: identify, consider, tailor, choose
10. Control measure hierarchy: eliminate, substitute, isolate, engineering, administrative, PPE
11. Evaluations: when to conduct, methods used
12. Managing risk: avoid, reduce, transfer, accept
13. Accident reporting: employee, supervisor, medical provider
14. Accident response plans: establish, determine, collect, secure
15. Emergency action plans: evacuation, critical procedures, responsible parties, and more
16. Training: by topic (electrical safety, fire safety, and more)
17. Business impact analysis: interviews, questionnaires, reports, research
18. Identifying vulnerabilities: data validation, prioritization, findings
19. Disaster recovery plans: people, facilities, technology, data, suppliers, policies & procedures
20. Disaster recovery plan documents: from objectives & assumptions to procedures for returning to space
21. Testing systems: purpose, objectives & measurements, collection of results, evaluation of results, plan updates
22. Disaster recovery for IT: threat modeling and cold, warm, hot sites
23. Enterprise Risk Management: recommended ERM software
24. Standards: ISO, ANSI, OSHA, and more
25. ISO 31000: develop a risk management culture and awareness of the importance of managing and monitoring risk
Please contact us for more information or to schedule a Risk Audit for your company today.