Risk is a concept that helps give meaning to uncertainty
– especially uncertainties around vulnerability to extreme events.
Our soon-to-be-available app uses an approach that recognises we all have different contexts.
– we might share some of the same exposures to extreme events
– we might share some of the same things we care about
Yet there is a need to consider how your hazards interface with your vulnerabilities.
– your hazards of significance
– your asset vulnerabilities
– your thresholds for acceptable risk
… and based on these considerations, tailor your action plans to meet your needs.
The default context of the app is set for “business” – where the focus is on the “care-abouts”supporting prioritised activities (the set of necessary activities required to deliver a product or service).
Where risk is viewed as a function of the interface between significant hazards relevant to the business context and the vulnerability of critical resources/assets.
How does the app work?
1. Identify hazards relevant to your context and attribute a score to their significance.
Examples below are from the “Standard on Continuity, Emergency, and Crisis Management”, NFPA 1600
2. Landslide, mudslide, subsidence
6. Extreme temperatures (hot, cold)
8. Flood, flash flood, seiche, tidal surge
9. Geomagnetic storm
11. Snow, ice, hail, sleet, avalanche
12. Wild land fire / Bushfire
13. Windstorm, tropical cyclone, hurricane, tornado, waterspout, dust storm, sandstorm
14. Food-borne illnesses
15. Infectious/communicable/pandemic diseases
16. Building / structure collapse
18. Explosion / fire
19. Fuel/resource shortage
20. Hazardous material spill or release
21. Equipment failure
22. Nuclear reactor incident
23. Radiological incident
24. Transportation incident
25. Unavailability of essential employee(s)
26. Water control structure failure (e.g. Dam or Levee)
28. Incendiary fire
29. Bomb threat
30. Demonstrations/civil disturbance/riot/insurrection
32. Disinformation (rumours, false allegations, or accusations)
34. Geopolitical risks including acts of war, change in government, and political instability
35. Missing person
36. Cyber security incidents
37. Product defect or contamination
38. Robbery / theft / fraud
39. Strike or labor dispute
40. Suspicious package
42. Vandalism / sabotage
43. Workplace / school / university violence
44. Supply chain constraint or failure
45. Hardware, software, and network connectivity interruption, disruption, or failure
46. Utility interruption, disruption, or failure
47. Foreign currency exchange rate change
48. Economic recession
50. Theft / fraud / malfeasance / impropriety / scandal involving currency, monetary instruments, goods, and intellectual property
51. Loss of senior executive
52. Failed acquisition/strategic initiative
53. Humanitarian issues
When attributing a level of significance to the “Hazard” consideration should include:
- past recurrence intervals (how many events in the last “x” years)
2. future likelihood of occurrence (is frequency increasing)
3. speed of onset (how quickly might it be upon us)
4. magnitude (how big will it be)
5. duration (how long will it stay)
6. timing (is it more significant at different times)
7. intensity (how much energy is released)
8. likely or potential area of coverage (extent of spatial impact)
9. perception (level of fear or dread invoked)
10. protection (level of existing mitigating factors)
2. Identify the things you care about (“care-abouts”) and score their vulnerability against significant hazards (when disasters occur, the impact slider can be used).
For each of the identified processes or prioritised activities required for your entity to achieve its objectives, identify the “care-abouts” that support the processes or critical activities by focusing on the following:
(3) Infrastructure (including premises)
(4) Technology (including plant and equipment)
(5) Information (digital and analogue)
(6) Supply chain (supplies and suppliers)
How vulnerable is this resource in the current circumstances?
Vulnerability is a function of many things.
It is about the characteristics and features of the resource, and the dependencies and interdependencies associated with it, which make it more resilient, or more adaptable, or more fragile.
Vulnerability may be summarized as “a measure of the extent to which a community, structure, service or geographical area is likely to be damaged or disrupted, on account of its nature or location, by the impact of a particular event.” [SOURCE: Glossary of Environment Statistics, Studies in Methods, Series F, No. 67, The Organisation for Economic Co-operation and Development]
For people, this may be about factors such as their health and their behaviour.
For premises, it may be about such things as the integrity of the structure and location (exposure to hazards).
For processes, it may be about factors such as their fitness for purposes and backup.
For providers, from utilities (“lifelines” – such as energy, water, waste, communications) to supplies related more directly to your products and services, it may be about factors such as the provider’s size, capability, resilience, and replaceability.
For profile, it may be about the nature and perception of the prioritised activity, associated stakeholders, and how well relationships associated with the activity are managed.
Note: Vulnerability encompasses a variety of concepts and elements including sensitivity or susceptibility to harm and lack of capacity to cope and adapt. [SOURCE: ISO 14090:2019 Adaptation to climate change] Adaptive capacity is the “ability of systems, institutions, humans, and other organisms to adjust to potential damage, to take advantage of opportunities, or to respond to consequences”.
In a nutshell, it is about the resource’s “propensity or predisposition to be adversely affected”. [SOURCE: ISO 14091 Adaptation to climate change – Guidelines on vulnerability, impacts and risk assessment]
Evaluating vulnerabilities should give consideration to:
(2) Single-source and sole-source suppliers
(3) Single points of failure
(4) Potential qualitative and quantitative impacts from a disruption to the resources in NFPA 1600/1660 (people, property, operational capabilities including technology, the environment, and the entity itself)
Communication and collaboration are fundamental to successful management. Especially the management of risk. Therefore reports generated are based on being able to select from combinations of any – or all – of the data fields outlined above, and can be generated as PDF documents – to be shared and communicated as required.