Completing a Risk Assessment involves determining the probability of a particular disaster occurring in your office and the effects that the disaster may have on the operations of your office or your records. A Risk Assessment also helps you determine which protection method is best for your records. Although this is largely an exercise in probability, since we never know what will happen, it will narrow the scope of protection methods and allow for some early disaster preparedness.
There are 3 basic steps to completing a risk assessment:
- Identify the risks your office may encounter
- Determine what level of impact the risk will have
- Calculate the probability of that risk happening
First you will need to identify the 5-6 greatest risks to the records of your particular office. Not all offices are likely to face the same risks, although fire and water damage are the most common. For example, an office that deals in research may have the added risk of sabotage, whereas an office dealing strictly with technology and computers would have a far greater risk of losing information in a power outage or hard drive crash.
After you have identified the top risk factors that may affect your office, list the individuals who can help you with recovery from that risk. This could include Capital Projects, Physical Plant, OIM, or UW Technology staff. If no one in your office has the necessary skills, consider contracting the services of a vendor.
There are three categories of disasters:
- Wind damage
- Snow/ice storm
- Volcanic eruption
- Electromagnetic interference
- Power failure
- HVAC failure
- Malfunction or failure of CPU
- Failure of system or application software
- Telecommunications failure
- Gas leaks
- Communications failure
- Data entry error
- Improper handling of sensitive data
- Unauthorized access
- Malicious damage or destruction of data
- Bomb Threats
- Civil disorder
- Loss of physical access to resources
- Chemical spill
- Hazardous material
If you are uncertain which types of disasters/risks may be prevalent in your area, the following questions may assist you in the identification of potential risks.
- Is your area subject to extremes or to sudden changes in temperature and humidity? Which materials will be affected by changes?
- How soon after failure of your heating or cooling system will the climate in your building exceed recommended environmental conditions?
- Is your building situated by a lake, river or ocean?
- Is that body of water tidal?
- Is your basement below water level or water table level?
- Is your area subject to earthquakes?
- What sort of damage can occur in your office?
- Is your area subject to volcanic action?
- What element of a volcanic explosion is most likely to effect you?
- What are the structural materials?
- Does the building have a flat roof, skylights, roof access doors, or internal roof drains?
- Are there water/sewer pipes running through storage areas?
- Are hazardous materials such as gas cylinders, solvents, paints, etc. stored in the building?
- Have potential hazards such as live ammunition, poisonous/flammable/reactive chemicals, etc. been removed from collections?
Second, you will need to determine the level of impact each disaster will have on your office and the ability of your office to continue operations. Use the below Impact Rating Scale to assist you with placing a numerical value to the level of impact. For example if you believe the risk will cause office operations to be interrupted for only 3 hours, then the Impact Rating would be given a 1.
- 0 = no interruption in operations
- 1 = interruption up to 8 hours
- 2 = interruption for 8 - 48 hours
- 3 = over 48 hours of interruption - relocation of operations necessary
Once you have determined the level of impact you will need to identify the probability of the disaster actually happening. In this area, flooding or earthquakes are very probable and would more than likely receive a rating of high (10 probability points), whereas hurricanes are very unlikely and would receive a probability of low (1 probability point). The below listed Probability Rating Scale should be used to determine the probability.
- High = 10 points
- Medium = 5 points
- Low = 1 point
Last, determine the risk factor. This is done by taking the Impact Rating and multiplying it with the Probability Rating.
Impact Rating Probability Rating Risk Factor
(2) X (10) = (20)
The resulting sum will be your Risk Factor and can be used when you are determining methods of protection. If fire and water damage have high risk factors, look into the best protection methods from that sort of damage. If chemical spills are a high risk factor for your office, determine your protection methods based on that factor.