
Risk Audit Guide
What is a hazard?
A hazard is a source of harm, such as materials, substances, sources of energy, processes, practices, and conditions. After a hazard is identified, the corresponding risk can be identified.
What is risk?
A risk is the chance of harm resulting from a hazard. This applies to health, bodily safety, equipment, and property. Examples of such hazards include sharp objects, high temperatures, electricity, slippery surfaces, asbestos, and chemicals.
Why is risk assessment important?
Risk Assessment identifies hazards, determines who & what may be at risk, evaluates the risk, and determines the best way to control the risks. It includes a time horizon.
The overarching goal of a risk audit is to seek out problems before they occur, to minimize loss of finances, human capital, property, information, customers, and vendors, and to mitigate external threats. The twenty-five (25) components of a Risk Audit include:
1. Risk assessment steps: identify, determine, evaluate, control
2. Likelihood scale: from 0 (impossible) to 4 (>25%)
3. Risk categories: physical, location, human, technology
4. Walk arounds: what to consider & common issues
5. Levels of impact: low, medium, high
6. Consequence scale: from 1 (insignificant) to 5 (catastrophic)
7. Prevention vs. recovery: determine the cost, resources, & time of prevention vs. recovery
8. Safety protocols: common within your industry
9. Communication: identify, consider, tailor, choose
10. Control measure hierarchy: eliminate, substitute, isolate, engineering, administrative, PPE
11. Evaluations: when to conduct, methods used
12. Managing risk: avoid, reduce, transfer, accept
13. Accident reporting: employee, supervisor, medical provider
14. Accident response plans: establish, determine, collect, secure
15. Emergency action plans: evacuation, critical procedures, responsible parties, and more
16. Training: by topic (electrical safety, fire safety, and more)
17. Business impact analysis: interviews, questionnaires, reports, research
18. Identifying vulnerabilities: data validation, prioritization, findings
19. Disaster recovery plans: people, facilities, technology, data, suppliers, policies & procedures
20. Disaster recovery plan documents: from objectives & assumptions to procedures for returning to the workspace
21. Testing systems: purpose, objectives & measurements, collection of results, evaluation of results, plan updates
22. Disaster recovery for IT: threat modeling and cold, warm, hot sites
23. Enterprise Risk Management: recommended ERM software
24. Standards: ISO, ANSI, OSHA, and more
25. ISO 31000: develop a risk management culture and awareness of the importance of managing and monitoring risk
Please contact us for more information or to schedule a Risk Audit for your company today.