What is vulnerability analysis? That is probably the first thing most of you will ask. Hold on for a second and keep reading, please. Most people are optimists. Sure, plenty of businesses fail every year, but few businesspeople honestly think that their businesses will be among them.
People tend to think like this: “Natural disasters—earthquakes, hurricanes, tornadoes, floods—happen, but they certainly won’t happen to my business! And even if they do, the company will be just fine, thank you.”
“Robbery, Internet attacks on computers, arson, embezzlement, fraud—these crimes are happening all over the world, but that doesn’t mean my business is at risk.”
Unfortunately, the world is a risky place, and bad things really do happen to even the most well-prepared, good-hearted, and competent businesspeople. The question isn’t, “Will something bad happen to the business?” Instead, the question is, “Will my organization be prepared when something bad happens to the business?” You can — and should — manage risk to protect your company.
Before you can effectively manage the risks that your organization is or will be exposed to, you need to understand the specific risks you’re up against. The goal of vulnerability analysis is to assess the probability and potential impact of the different risks that you identify.
Use the Vulnerability Analysis Chart (see the chart below) to score your organization — the lower your score, the better. If you identify risks with a high score, give them a high priority in your organization and address those risks immediately — if you haven’t already taken care of them. Make the following 7 steps, adapted from processes developed by the Federal Emergency Management Administration (FEMA), a part of your vulnerability analysis.
Step-1. List Potential Risks
In the first column of the chart, list all the potential risks that could affect your facility and the people in it. Be sure to consider risks that could occur in your facility or within your community. Bring your risk control committee into the process to help ensure all possible risks are brought to light.
As you consider the different risks that could possibly occur, think in terms of the following potential areas of risk:
Human error – What potential employee error-driven risks is your business exposed to? Are your employees trained to work safely? Do they know what to do in an emergency? Consider potential risks as a result of:
- Poor training
- Poor maintenance
- Substance abuse
Business – What kinds of risks does your organization face that are uniquely business risks? The risks that a business faces can be quite different from the risks that an individual faces. Consider potential risks as a result of:
- Product liability
- Loss of key person
- Errors and omissions
- Construction defects
- Worker injury and death
Historical – What types of risks have your community, your facility, and other business facilities in your area faced in the past? Consider potential risks as a result of:
- Severe weather
- Hazardous material spills
- Transportation accidents
- Utility outages
Geographic – What can happen as a result of your facility’s geographic location? Consider potential risks as a result of:
- Your proximity to flood plains, seismic faults, and dams
- Your proximity to companies that produce, store, use, or transport hazardous materials
- Your proximity to major transportation routes and airports
- Your proximity to nuclear power plants
Technological – What could happen if you experience a process or system failure? Consider potential risks as a result of:
- Fire, explosion, or hazardous materials incident
- Safety system failure
- Telecommunications failure
- Computer system failure
- Power failure
- Heating or cooling system failure
- Emergency notification system failure
Physical – What types of risks does the design or construction of the facility pose? Does the physical facility enhance safety or detract from it? Consider potential risks as a result of:
- The physical construction of the facility
- Hazardous processes or byproducts
- Facilities for storing combustibles
- Layout of equipment
- Evacuation routes and exits
- Proximity of shelter areas
Step-2. Estimate the Probability of the Risks
In the Probability column of the chart, rate the likelihood of each risk’s occurrence by using a simple scale of 1 to 5 — with 1 as the lowest probability and 5 as the highest. You need to rely on your own experience — and the experience of others in your company or industry — to develop reasonably accurate numbers. If your business is located in Kansas, for example, you know that the risk of a tornado probably rates a 4 or 5.
Step-3. Assess the Potential Human Impact
Analyze the potential human impact of each potential risk — the possibility of death or injury, in other words. Assign a rating in the Human Impact column of the chart by using a 1 to 5 scale — with 1 as the lowest impact and 5 as the highest. Again, draw on your experience, or on the experience of others in your company or industry to develop reasonably accurate numbers.
Step-4. Assess the Potential Property Impact
In the Property Impact column of the chart, consider the potential for property losses and damage. Assign a rating by using a 1 to 5 scale — with 1 being the lowest impact and 5 being the highest. Consider potential risks in terms of:
- Cost to replace
- Cost to set up temporary replacement
- Cost to repair
For example: although a utility outage will likely have a low probability of property loss or damage — perhaps a 1 or 2 — a terrorist attack resulting in physical damage would score higher, perhaps a 4 or 5.
Step-5. Assess the Potential Business Impact
Consider the potential loss of market share due to the potential risks you identify. Assign a rating in the Business Impact column by using a 1 to 5 scale — with 1 being the lowest impact and 5 being the highest. Consider potential risks in terms of:
- Business interruption
- Employees who can’t report to work
- Customers who can’t reach your facility
- Company in violation of contractual agreements
- Imposition of fines and penalties or legal costs
- Interruption of receipt of critical supplies
- Interruption of product distribution
For example: an earthquake could potentially result in your offices being made off-limits by authorities for days, weeks, or even months, creating a major and potentially long-lasting business interruption.
Step-6. Assess Internal and External Resources
Assess your company’s resources and your ability to respond to situations. Assign a score to your Internal Resources and External Resources by using a 1 to 5 scale — with 1 representing a lack of resources to respond and 5 representing more than sufficient resources to respond.
To perform this evaluation, consider each potential risk from beginning to end and evaluate each resource that you need to respond. For each risk, ask these questions:
- Do we have the needed resources and capabilities to respond?
- Will our external resources be able to respond to us in adverse times as quickly as we may need them, or will they have other priority areas to serve?
If the answers are yes, you can move on to the next assessment. If the answers are no, identify what you can do to correct the problem. For example, you may need to:
- Develop additional risk management procedures
- Conduct additional training
- Acquire additional equipment
- Establish mutual aid agreements
- Establish agreements with specialized contractors
Step-7. Add the Columns
Total the scores you’ve rated for each potential risk. The lower your score, the better. Risks with a high score should be given a high priority in your organization and addressed immediately. Although this is a subjective rating exercise, the comparisons help determine your risk planning and resource priorities.
How to Follow Up on Vulnerability Analysis
After you’ve assessed your potential risks and prioritized them by their urgency and potential impact, you need to take action to reduce them or eliminate them entirely. Consider four basic strategies when selecting your risk management tools; keep them in mind as you decide what strategies you’ll pursue to reach your risk management goals:
- Shift the risk. One way of dealing with the risk of loss is to shift the risk to someone else. When you buy an insurance policy, you shift the risk to the insurance company. When you draft contracts with subcontractors that require them to carry liability insurance, you shift the risk to your subcontractors and their insurance companies.
- Avoid the risk. By identifying and correcting hazardous situations — say, for example, by repairing the brakes on a company delivery truck — you can avoid potential risks altogether.
- Reduce the risk. Although you can’t entirely avoid some risks, you can reduce them. For instance, training your employees in the proper techniques for lifting heavy objects substantially reduces the incidence of back injuries, which result in lost productivity.
- Assume the risk. In some cases, an organization may decide to bear the financial burden of a risk. By self-insuring for workers’ compensation claims, for example, or by paying higher deductibles on insurance policies, an organization assumes all or part of a risk of loss. This course of action should be taken only after a very careful assessment of the risk, along with a detailed cost/benefit study.
Whatever you do to address risks, do something! After you’ve determined that a potential risk of injury or loss exists, you have to take action by shifting, avoiding, reducing, or assuming the risk. Don’t waste time hoping that the risk will go away if you just ignore it. It won’t.