Ass 2

What Is a Business Continuity Plan (BCP)?

A business continuity plan is a protocol for preventing and recovering from potentially large
threats to the company’s business continuity. Such a plan often aims to address the need for
updated business norms and operational standards in unpredictable circumstances such as
natural disasters, data breaches or exposures, large-scale system failures, etc. The goal of such a
plan is to ensure continuity of business with little or no damage to regular working
environments, including job security for its employees.

It covers everything from business processes to human resources details, and more. Essentially,
a BCP provides a concrete plan for the organization to maintain business continuity even in
challenging circumstances.

Below are key reasons why businesses need to have a BCP today:

- The relevance of BCPs has gone up considerably since the outbreak of the COVID-19 pandemic,
  which was also a major testing time for organizations that did have such a plan in place. The
  organizations which had a business continuity plan in place were better able to cope during
  these unprecedented circumstances than those who did not have any such plans.
- The recorded number of natural disasters has increased from 375 in 2016 to 409 in 2019.
  Globally, the loss because of natural disasters was $232 billion in 2019, according to a
  study by Aon.
- The number of cyberattacks has also increased in all geographies and all business
  verticals. MonsterCloud reported that cyberattacks have skyrocketed during the COVID-19
  pandemic.

All this means that organizations have to be better prepared to fight disasters.
The importance of BCP can hardly be exaggerated in this context. Preparing a BCP is
imperative for any enterprise, big or small, today.

The end goal of a BCP is to ensure that the essential services continue to run in the event of
an incident. For instance, if there is an earthquake where your customer service
representatives operate from, your BCP will be able to tell you who will handle customer
calls until the original office is restored.

Difference between a business continuity plan (BCP) and disaster recovery plan (DRP)

A BCP is often confused with a disaster recovery (DR) plan. While a DR plan is primarily
focused on restoring the IT systems and infrastructure, a BCP is much more than that. It
covers all areas and departments of the organization, including HR, marketing and sales,
and support functions.

The underlying thought behind BCP is that IT systems can hardly work in silos. Other
departments also need to be restored to cater to the client or to meet business
demands.

“Many people think a disaster recovery plan (DRP) is the same as a business continuity plan,
but a DRP is only a small, yet essential, portion of a full BCP. A DRP focuses solely on
restoring an organization’s IT infrastructure while minimizing data loss. On the other hand, a
BCP is a comprehensive guide on how to continue the mission and business-critical
operations during a time of an unplanned disruption (natural disasters, pandemics, or
malware),” says Caleb Pipkin, a security expert at Logically. 

Key Benefits of Having a Business Continuity Plan

Whether a business is small, big, or medium-sized, it needs a ‘plan B’ to recover quickly in
the event of a natural disaster or a crisis so that it can survive the disruption. BCP helps you
dust yourself off and get back to business quickly and easily. It means that the enterprise will be
better placed to address its customers’ needs even in the wake of a disaster.

On the other hand, the lack of a plan means that your organization will take longer to recover
from an event or incident. It could also lead to loss of business or clients. Let’s look at some
key benefits of BCP.

1. It is a roadmap to act in a disaster

A well-defined business continuity plan is like a roadmap during a disruption. It allows
firms to react swiftly and effectively and maintain business continuity. In turn, this leads to a
faster and more complete recovery of the enterprise in the shortest possible timeframe. It brings
down business downtime and outlines the steps to be taken before, during, and after a
crisis, and thus helps maintain the firm’s financial viability.

2. Offers a competitive edge

Fast reaction and business continuity during a disruption allow organizations to gain a
competitive edge over their business rivals. It can translate into a significant competitive
advantage in the long run. Further, your clients will be more confident in your ability to
perform in adverse circumstances, allowing you to build a long and sustainable relationship
with your business partners.

Developing competence to act and handle any unfavorable event effectively has a positive
effect on the company’s reputation and market value. It goes a long way in enhancing
customer confidence. 

3. Cuts down losses

Disasters have a considerable impact on all types of business, whether big or small. Business
disruption can lead to financial, legal, and reputational losses. Failure to plan could be
disastrous for businesses. You may lose your customers while trying to get your business on
track. In the worst circumstances, you may not be able to recover at all. A well-defined
business continuity strategy minimizes the damage to an organization and allows you to bring
down these losses as much as possible. 

4. Enables employment continuity and protects livelihoods

One of the most significant consequences of a disaster is the loss of employment. The loss of
livelihood can be curtailed to an extent if the business continues to function in the event of a
disaster. It leads to greater confidence in the workforce that their jobs might not be at risk,
and the management is taking steps to protect their jobs. It helps build confidence in senior
management’s ability to respond to the business disruption in a planned manner. 

5. Can be life-saving

A regularly tested and updated BCP can potentially help save the lives of the employees and
the customers during a disaster. For instance, if the BCP for fire is regularly tested, the
speed with which the workforce acts can help save lives.

6. Preserves brand value and develops resilience

Possibly the biggest asset of an organization is its brand. Being able to perform in uncertain
times helps build goodwill and maintain its brand value and may even help mitigate financial
and reputational loss during a disaster. 

BCP curtails the damage to the company’s brand and finances because of a disaster event.
This helps bring down the cost of any incident and thus helps the company be more resilient.

7. Enables adherence to compliance requirements

Having a BCP gives organizations the additional benefit of complying with regulatory
requirements. It is a legal requirement in several countries.

8. Helps in supply chain security

A precise BCP goes a long way in protecting the supply chain from damage. It ensures
continuity in delivering products and services by being able to perform critical activities.

9. Enhances operational efficiency

One of BCP’s lesser-known benefits is that it helps identify areas of operational efficiency in
the organization. Developing a BCP calls for an in-depth evaluation of the company’s
processes. This can potentially reveal areas for improvement. Essentially, it gathers
information that can help enhance the effectiveness of the processes and operations.

Step-by-Step Guide to Building a Formidable Business Continuity Plan (BCP) in 2021

The COVID-19 pandemic has put the spotlight on preparing for a disaster like never before.
We make the job easier for you by listing out the key steps in building a formidable business
continuity plan:

How to Build a Business Continuity Plan

Step 1: Risk assessment 

This phase involves asking crucial questions to evaluate the risks faced by the company.
Which business threats and disruptions are most likely to occur? What is
the most profitable activity of your organization? It is vital to prioritize key risks and
operations, which will help mitigate the damage in the event of a disaster.

Step 2: Business impact analysis


The second step involves a thorough and in-depth assessment of your business processes to
determine the vulnerable areas and the potential losses if those processes are disrupted. This
is also known as Business Impact Analysis. 

Essentially, Business impact analysis (BIA) is a process that helps the organization define the
impact if critical business operations are interrupted because of a disaster, accident, or
emergency. It helps in identifying the most crucial elements of the business processes. For
instance, maintaining a supply chain might be more critical during a crisis than public
relations.

While there is no formal standard for a BIA, it typically involves the following steps:

- Collating information: As a first step, a questionnaire is prepared to find out critical business
  processes and resources that will help in the proper assessment of the impact of a disruptive
  event. One-on-one sessions with key management members may be conducted further to gain
  insights into the organization’s processes and workings.

- Analysis: This is followed by analyzing the collected information. A manual or
  computer-assisted analysis is conducted. The analysis is based on an interruption in which crucial
  activities or resources are not available. Typically it works on the assumption of the
  worst-case scenario, even when the likelihood of the risk is low. This approach is followed
  to zero in on the systems that, when disrupted or interrupted, threaten the organization’s very
  survival. This way, these processes are prioritized in the business continuity plan.

  The analysis phase helps identify the minimum staff and resources required for running the
  organization in the event of a crisis. This also allows the organization to assess the impact on
  the revenue if the business is unable to run for a day, a week, or more. There might be
  contractual penalties, regulatory fines, and workforce-related expenditure which need to be
  taken into account while finding out the impact on the business. Further, there might be
  specific vulnerabilities of the firm, and they need to be considered in the BIA.

- Preparing a report: The next step is preparing a BIA report, which is assessed by the senior
  management. The report is a thorough analysis of the gathered information along with
  findings. It also gives recommendations on the procedure that should be followed in the event
  of a business disruption. The BIA report also shares the impact on the revenue, supply chain,
  and customer delivery to the business in a specific time frame.

  The business impact analysis report may also include a checklist of all the resources, such as
  the names of key personnel, data backup, contact information, emergency responders, and
  more.

- Presenting the report: Usually, this report goes through several amendments before being
  cleared by the senior management. The involvement of senior management is crucial to the
  success of the business continuity plan. It sends out a strong signal in the organization that it
  is a serious initiative.

Step 3: BCP Testing

Several testing methods are available to test the effectiveness of the BCP. Here are a few
common ones:

- Tabletop test: As the name suggests, the identified executives go through the plan in detail to
  evaluate whether it will work or not. Different disaster types and the response to them are
  discussed at length. This type of testing is designed to make all the key personnel aware of
  their role in the event of a disaster. The response procedure is reviewed, and responsibilities
  are outlined, so everybody knows their roles.
- Walk-through: In this type of testing, the team members go through their part in the plan with
  a specific disaster in mind. Drills or a simulated response and disaster role-playing are part of
  this. This is a more thorough form of testing and is likely to reveal the shortcomings in the plan.
  Any vulnerabilities discovered should be used to update the BCP accordingly.
- Disaster simulation testing: In this type of testing, an environment that simulates an actual
  disaster is created. This is the closest to the actual event and gives the best case scenario
  about the plan’s workability. It will help the team find gaps that might be overlooked in the
  other types of tests.

Document the results of your testing so you can compare the
improvement from the previous tests. It will help you in strengthening your business
continuity plan.

Frequency of testing – Typically, organizations test BCP at least twice a year. At the same
time, it depends on the size of your organization and the business vertical you operate in.

Step 4: Maintenance

A business continuity plan should not be treated as a one-time exercise. It needs to be
maintained so that changes to the organization’s structure and people are reflected regularly.
Key personnel might move on from the firm, and this would need to be updated in the
Business Impact Analysis and BCP. The process for regular updating of the
documentation should be followed to ensure that the organization is not caught on the wrong
foot in case of a business disruption.

Step 5: Communication

Sometimes executives tend to ignore communication while preparing a BCP. It is a crucial
aspect, and your BCP should clearly define who will maintain the communication channels
with the employees, regulators, and business partners during the crisis. The contact
information of the key people should be readily accessible for the BCP to work without any
trouble.

In the end, organizations should accept that despite preparing a formidable business
continuity plan, several factors beyond their control may still affect its success or failure. The
key executives might not be available in the event of a crisis; both the primary and the
alternate data recovery sites might have been affected by the event; the communications
network might be damaged, and so on. Such factors are common during a natural disaster and
may lead to the limited success of the business continuity plan.

Takeaway

The success of a business depends on it acting swiftly and efficiently when confronted with
an unanticipated crisis. Any failure to do so results in a financial and reputational loss, which
takes a long time to recover from. It can be avoided if the organization quickly gathers itself
during a disaster. A business continuity plan is therefore of paramount importance for a business
of any size. At the same time, it is crucial to ensure that the BCP is not a one-time exercise. It
needs to be continuously evaluated, tested, amended, and maintained so it doesn’t let you
down when you need it the most.

What is a Risk Assessment?
Risk assessment is the cornerstone of the European approach to prevent
occupational accidents and ill health.

There are good reasons for this. If the risk assessment process – the start of
the health and safety management approach – is not done well or not done at
all, the appropriate preventive measures are unlikely to be identified or put in
place.

Every year, millions of people in the EU are injured at work, or have their health
seriously harmed in the workplace. That is why risk assessment is so
important, as the key to healthy workplaces. Risk assessment is a dynamic
process that allows enterprises and organisations to put in place a proactive
policy of managing workplace risks.

For these reasons, it is important that all types and sizes of enterprise carry
out regular assessments. Proper risk assessment includes, among other
things, making sure that all relevant risks are taken into account (not only the
immediate or obvious ones), checking the efficiency of the safety measures
adopted, documenting the outcomes of the assessment and reviewing the
assessment regularly to keep it updated.

The most important piece of European legislation relevant to risk assessment
is the Framework Directive 89/391. This Directive has been transposed into
national legislation. Member States, however, have the right to introduce more
stringent provisions to protect their workers (for this reason you should check
the specific legislation relating to risk assessment in your country).

The European Commission has produced important guidance to help
Member States, as well as employers and employees, to fulfil their risk
assessment duties, as laid down in the Framework Directive 89/391. The
information provided in this section is based on this guidance.

Definitions
Hazards
A hazard can be anything - whether work materials, equipment, work methods
or practices - that has the potential to cause harm.

Risks
A risk is the chance, high or low, that somebody may be harmed by the hazard.

Risk assessment
Risk assessment is the process of evaluating risks to workers' safety and
health from workplace hazards. It is a systematic examination of all aspects
of work that considers:

- what could cause injury or harm;
- whether the hazards could be eliminated and, if not;
- what preventive or protective measures are, or should be, in place to
  control the risks.

What is a risk assessment?


Risk assessment is the identification of hazards that could negatively impact an
organization's ability to conduct business. These assessments help identify
these inherent business risks and provide measures, processes and controls to
reduce the impact of these risks to business operations.

Companies can use a risk assessment framework (RAF) to prioritize and share the
details of the assessment, including any risks to their information technology (IT)
infrastructure. The RAF helps an organization identify potential hazards and any
business assets put at risk by these hazards, as well as potential fallout if these risks
come to fruition.

In large enterprises, the risk assessment process is usually conducted by the Chief
Risk Officer (CRO) or a Chief Risk Manager.

Risk assessment steps


How a risk assessment is conducted varies widely depending on the risks unique to
the type of business, the industry that business is in and the compliance rules
applied to that given business or industry. However, there are five general
steps that companies can follow regardless of their business type or industry.

Step 1: Identify the hazards. The first step in a risk assessment is to identify any
potential hazards that, if they were to occur, would negatively influence the
organization's ability to conduct business. Potential hazards that could be
considered or identified during risk assessment include natural disasters, utility
outages, cyberattacks and power failure.

Step 2: Determine what, or who, could be harmed. After the hazards are identified,
the next step is to determine which business assets would be negatively influenced
if the risk came to fruition. Business assets deemed at risk to these hazards can
include critical infrastructure, IT systems, business operations, company reputation
and even employee safety.

Step 3: Evaluate the risks and develop control measures. A risk analysis can help
identify how hazards will impact business assets and the measures that can be put
into place to minimize or eliminate the effect of these hazards on business assets.
Potential hazards include property damage, business interruption, financial loss and
legal penalties.

Step 4: Record the findings. The risk assessment findings should be recorded by
the company and filed as easily accessible, official documents. The records should
include details on potential hazards, their associated risks and plans to prevent the
hazards.

Step 5: Review and update the risk assessment regularly. Potential hazards, risks
and their resulting controls can change rapidly in a modern business environment.
It is important for companies to update their risk assessments regularly to adapt to
these changes.

Risk assessment tools, such as risk assessment templates, are available for different
industries. They might prove useful to companies developing their first risk
assessments or updating older assessments.

How to use a risk assessment matrix


A risk assessment matrix, as shown in the example above, is drawn as a grid with
one axis labeled "likelihood" and the other axis labeled "consequence." Each axis
progresses from "low" to "high." Each event is plotted along one axis according to its
likelihood, from low to high, and along the other axis according to its consequence,
from low to high. Where the two meet determines the plot point on the
matrix.

What is a risk assessment?
Risk assessment is a term used to describe the overall process or method where you:

- Identify hazards and risk factors that have the potential to cause harm (hazard
  identification).
- Analyze and evaluate the risk associated with that hazard (risk analysis, and risk
  evaluation).
- Determine appropriate ways to eliminate the hazard, or control the risk when the
  hazard cannot be eliminated (risk control).

A risk assessment is a thorough look at your workplace to identify those things, situations,
processes, etc. that may cause harm, particularly to people. After identification is made, you
analyze and evaluate how likely and severe the risk is. When this determination is made, you
can next decide what measures should be in place to effectively eliminate or control the harm
from happening.

The CSA Standard Z1002 "Occupational health and safety - Hazard identification and
elimination and risk assessment and control" uses the following terms:

Risk assessment – the overall process of hazard identification, risk analysis, and risk
evaluation.

Hazard identification – the process of finding, listing, and characterizing hazards.

Risk analysis – a process for comprehending the nature of hazards and determining the level
of risk.
Notes:
(1) Risk analysis provides a basis for risk evaluation and decisions about risk control.
(2) Information can include current and historical data, theoretical analysis, informed
opinions, and the concerns of stakeholders.
(3) Risk analysis includes risk estimation.

Risk evaluation – the process of comparing an estimated risk against given risk criteria to
determine the significance of the risk.

Risk control – actions implementing risk evaluation decisions.
Note: Risk control can involve monitoring, re-evaluation, and compliance with decisions.

For definitions and more information about what hazards and risks are, please see the OSH
Answers document Hazard and Risk.

Why is risk assessment important?


Risk assessments are very important as they form an integral part of an occupational health
and safety management plan. They help to:

- Create awareness of hazards and risk.
- Identify who may be at risk (e.g., employees, cleaners, visitors, contractors, the
  public, etc.).
- Determine whether a control program is required for a particular hazard.
- Determine if existing control measures are adequate or if more should be done.
- Prevent injuries or illnesses, especially when done at the design or planning stage.
- Prioritize hazards and control measures.
- Meet legal requirements where applicable.

What is the goal of risk assessment?


The aim of the risk assessment process is to evaluate hazards, then remove that hazard or
minimize the level of its risk by adding control measures, as necessary. By doing so, you
have created a safer and healthier workplace.
The goal is to try to answer the following questions:

1. What can happen and under what circumstances?
2. What are the possible consequences?
3. How likely are the possible consequences to occur?
4. Is the risk controlled effectively, or is further action required?

When should a risk assessment be done?


There may be many reasons a risk assessment is needed, including:

- Before new processes or activities are introduced.
- Before changes are introduced to existing processes or activities, including when
  products, machinery, tools, equipment change or new information concerning harm
  becomes available.
- When hazards are identified.

How do you plan for a risk assessment?


In general, determine:

- What the scope of your risk assessment will be (e.g., be specific about what you are
  assessing such as the lifetime of the product, the physical area where the work activity
  takes place, or the types of hazards).
- The resources needed (e.g., train a team of individuals to carry out the assessment, the
  types of information sources, etc.).
- What type of risk analysis measures will be used (e.g., how exact the scale or
  parameters need to be in order to provide the most relevant evaluation).
- Who are the stakeholders involved (e.g., manager, supervisors, workers, worker
  representatives, suppliers, etc.).
- What relevant laws, regulations, codes, or standards may apply in your jurisdiction, as
  well as organizational policies and procedures.

How is a risk assessment done?


Assessments should be done by a competent person or team of individuals who have a good
working knowledge of the situation being studied. Include either on the team or as sources of
information, the supervisors and workers who work with the process under review as these
individuals are the most familiar with the operation.
In general, to do an assessment, you should:

- Identify hazards.
- Determine the likelihood of harm, such as an injury or illness occurring, and its
  severity.
    o Consider normal operational situations as well as non-standard events such as
      maintenance, shutdowns, power outages, emergencies, extreme weather, etc.
    o Review all available health and safety information about the hazard such as
      Safety Data Sheet (SDS), manufacturers' literature, information from reputable
      organizations, results of testing, workplace inspection reports, records of
      workplace incidents (accidents), including information about the type and
      frequency of the occurrence, illnesses, injuries, near misses, etc.
    o Understand the minimum legislated requirements for your jurisdiction.
- Identify actions necessary to eliminate the hazard, or control the risk using the
  hierarchy of risk control methods.
- Evaluate to confirm if the hazard has been eliminated or if the risk is appropriately
  controlled.
- Monitor to make sure the control continues to be effective.
- Keep any documents or records that may be necessary. Documentation may include
  detailing the process used to assess the risk, outlining any evaluations, or detailing
  how conclusions were made.

When doing an assessment, also take into account:

- The methods and procedures used in the processing, use, handling or storage of the
  substance, etc.
- The actual and the potential exposure of workers (e.g., how many workers may be
  exposed, what that exposure is/will be, and how often they will be exposed).
- The measures and procedures necessary to control such exposure by means of
  engineering controls, work practices, and hygiene practices and facilities.
- The duration and frequency of the task (how long and how often a task is done).
- The location where the task is done.
- The machinery, tools, materials, etc. that are used in the operation and how they are
  used (e.g., the physical state of a chemical, or lifting heavy loads for a distance).
- Any possible interactions with other activities in the area and if the task could affect
  others (e.g., cleaners, visitors, etc.).
- The lifecycle of the product, process or service (e.g., design, construction, uses,
  decommissioning).
- The education and training the workers have received.
- How a person would react in a particular situation (e.g., what would be the most
  common reaction by a person if the machine failed or malfunctioned).

It is important to remember that the assessment must take into account not only the current
state of the workplace but any potential situations as well.
By determining the level of risk associated with the hazard, the employer, and the health and
safety committee (where appropriate), can decide whether a control program is required and
to what level.
See a sample risk assessment form.

How are the hazards identified?


Overall, the goal is to find and record possible hazards that may be present in your
workplace. It may help to work as a team and include both people familiar with the work
area, as well as people who are not - this way you have both the experienced and fresh eye to
conduct the inspection. In either case, the person or team should be competent to carry out the
assessment and have good knowledge about the hazard being assessed, any situations that
might likely occur, and protective measures appropriate to that hazard or risk.
To be sure that all hazards are found:

- Look at all aspects of the work.
- Include non-routine activities such as maintenance, repair, or cleaning.
- Look at accident / incident / near-miss records.
- Include people who work off site either at home, on other job sites, drivers,
  teleworkers, with clients, etc.
- Look at the way the work is organized or done (include experience of people doing
  the work, systems being used, etc).
- Look at foreseeable unusual conditions (for example: possible impact on hazard
  control procedures that may be unavailable in an emergency situation, power outage,
  etc.).
- Determine whether a product, machine or equipment can be intentionally or
  unintentionally changed (e.g., a safety guard that could be removed).
- Review all of the phases of the lifecycle.
- Examine risks to visitors or the public.
- Consider the groups of people that may have a different level of risk such as young or
  inexperienced workers, persons with disabilities, or new or expectant mothers.

It may help to create a chart or table such as the following:

Example of Risk Assessment

| Task | Hazard | Risk | Priority | Control |
|---|---|---|---|---|
| Delivering product to customers | Drivers work alone | May be unable to call for help if needed | | |
| | Drivers have to occasionally work long hours | Fatigue, short rest time between shifts | | |
| | Drivers are often in very congested traffic | Increased chance of collision; longer working hours | | |
| | Drivers have to lift boxes when delivering product | Injury to back from lifting, reaching, carrying, etc. | | |

How do you know if the hazard will cause harm (poses a risk)?

Each hazard should be studied to determine its level of risk. To research the hazard, you can
look at:

- Product information / manufacturer documentation.
- Past experience (knowledge from workers, etc.).
- Legislated requirements and/or applicable standards.
- Industry codes of practice / best practices.
- Health and safety material about the hazard such as safety data sheets (SDSs),
  research studies, or other manufacturer information.
- Information from reputable organizations.
- Results of testing (atmospheric or air sampling of workplace, biological swabs, etc.).
- The expertise of an occupational health and safety professional.
- Information about previous injuries, illnesses, near misses, incident reports, etc.
- Observation of the process or task.

Remember to include factors that contribute to the level of risk such as:

 The work environment (layout, condition, etc.).
 The systems of work being used.
 The range of foreseeable conditions.
 The way the source may cause harm (e.g., inhalation, ingestion, etc.).
 How often and how much a person will be exposed.
 The interaction, capability, skill, experience of workers who do the work.

How are risks ranked or prioritized?
Ranking or prioritizing hazards is one way to help determine which risk is the most serious
and thus which to control first. Priority is usually established by taking into account the
employee exposure and the potential for incident, injury or illness. By assigning a priority to
the risks, you are creating a ranking or an action list.
There is no single, simple way to determine the level of risk, nor will a single
technique apply in all situations. The organization has to determine which technique will
work best for each situation. Ranking hazards requires knowledge of the workplace
activities, the urgency of situations, and, most importantly, objective judgement.
For simple or less complex situations, an assessment can literally be a discussion or
brainstorming session based on knowledge and experience. In some cases, checklists or a
probability matrix can be helpful. For more complex situations, a team of knowledgeable
personnel who are familiar with the work is usually necessary.
As an example, consider this simple risk matrix. Table 1 shows the relationship between
probability and severity.

Severity ratings in this example represent:

 High: major fracture, poisoning, significant loss of blood, serious head injury, or fatal
disease
 Medium: sprain, strain, localized burn, dermatitis, asthma, injury requiring days off
work
 Low: an injury that requires first aid only; short-term pain, irritation, or dizziness

Probability ratings in this example represent:

 High: likely to be experienced once or twice a year by an individual
 Medium: may be experienced once every five years by an individual
 Low: may occur once during a working lifetime
The cells in Table 1 correspond to a risk level, as shown in Table 2.

These risk ratings correspond to recommended actions such as:

 Immediately dangerous: stop the process and implement controls
 High risk: investigate the process and implement controls immediately
 Medium risk: keep the process going; however, a control plan must be developed and
should be implemented as soon as possible
 Low risk: keep the process going, but monitor regularly. A control plan should also be
investigated
 Very low risk: keep monitoring the process

Let's use an example: When painting a room, a step stool must be used to reach higher areas.
The individual will not be standing higher than 1 metre (3 feet) at any time. The assessment
team reviewed the situation and agreed that working from a step stool at 1 m is likely to:

 Cause a short-term injury such as a strain or sprain if the individual falls. A severe
sprain may require days off work. This outcome is similar to a medium severity
rating.
 Occur once in a working lifetime as painting is an uncommon activity for this
organization. This criterion is similar to a low probability rating.

When compared to the risk matrix chart (Table 1), these values correspond to a low risk.

The workplace decides to implement risk control measures, including the use of a stool with a
large top that will allow the individual to maintain stability when standing on the stool.
Although they determined that the floor surface is flat, they also provided training to the
individual on the importance of making sure the stool's legs always rest on the flat surface.
The training also included steps to avoid excess reaching while painting.

What are methods of hazard control?
Once you have established the priorities, the organization can decide on ways to control each
specific hazard. Hazard control methods are often grouped into the following categories:

 Elimination (including substitution).
 Engineering controls.
 Administrative controls.
 Personal protective equipment.

For more details, please see the OSH Answers Hazard Control.

Why is it important to review and monitor the assessments?
It is important to know if your risk assessment was complete and accurate. It is also essential
to be sure that any changes in the workplace have not introduced new hazards or changed
hazards that were once ranked as lower priority to a higher priority.
It is good practice to review your assessment on a regular basis to make sure your control
methods are effective.

What documentation should be done for a risk assessment?
Keeping records of your assessment and any control actions taken is very important. You
may be required to store assessments for a specific number of years. Check for local
requirements in your jurisdiction.
The level of documentation or record keeping will depend on:

 Level of risk involved.
 Legislated requirements.
 Requirements of any management systems that may be in place.

Your records should show that you:

 Conducted a good hazard review.
 Determined the risks of those hazards.
 Implemented control measures suitable for the risk.
 Reviewed and monitored all hazards in the workplace.
