CHAPTER 3: SAFETY AND HEALTH AT WORK METRICS
Tasks solved in this chapter:
– developing a methodological basis for measuring safety and health at work from the nature and characteristics of risk, and presenting its economic dimensions;
– presenting a methodology for quantitative assessment of risk;
– developing a methodology for risk management based on an analysis of the risk management system; presenting an exemplary approach to risk assessment and practical guidelines for its reduction.
3.1. Basic formulation
3.1.1. Hazard. Risk. Definitions. Risk characteristics.
Hazard. Anything that can potentially cause harm may be a hazard: working materials, equipment, work methods or practices.
Risk. Risk is the probability, large or small, that a person will suffer harm as a result of a hazard.
Definition. In general terms, risk is a possible adverse deviation from the desired and expected outcome of a business decision or action, caused by the multiplicity and indeterminacy of the factors of the environment in which the business operates; these factors create the objective conditions for hazard.
• Risk, as a phenomenon of real life, is objective and cannot be removed; it can only be transferred, replaced, shared or compensated to a limited extent;
• Risk arises in the process of interaction between the human and the natural environment in pursuit of certain results;
• It manifests itself as a discrepancy between the actual and the expected (desired) results;
• The objective basis of risk is the multivariate, probabilistic behaviour of the elements of the environment in which the business operates. As a result, most decisions have several possible outcomes.
• Risk is associated with the possible return.
There are concepts close to risk:
Ambiguity – the possible outcomes cannot be determined and the probabilities of the different outcomes cannot be calculated;
Uncertainty – a subjective condition characterised by doubt due to lack of knowledge of what will happen in the future (subjective risk).
3.1.2. Types of risks. Origin. Elements of risk.
The factors generating a risk situation have the following character:
• By nature: economic, financial, political, transfer, accounting, social, cultural, moral, spiritual.
• Market: commercial (liquidity), pricing, non-payment (financial), foreign exchange, credit.
• Technological and production.
• Natural, climatic, geographic.
Severity of the impact on the business:
• Acceptable – the loss is covered by part of the assets. The company retains the economic and legal ability to continue the business.
• Heavy – the loss is covered by all of the company's assets. The company retains a formal opportunity to continue the business but loses its economic potential.
• Unacceptable – the loss cannot be covered by all of the company's assets. Unsatisfied creditors remain. The company loses both the formal and the economic opportunity to do business – bankruptcy.
Stage of the deal:
• Risk at the preparation stage of the deal;
• At concluding the deal;
• At completion of the deal;
• Post-delivery risk.
Dynamics of the business environment and business management:
• Dynamic – risk of action, risk of adaptation. Can be external (environmental) or internal (inappropriate management decisions).
• Static – risk of inaction; can also be external or internal. Arises as a result of accidents, disasters, fraud, dishonesty.
Direction of deviation from the expected result:
• Speculative risk – contains the possibility of gain or loss. It is taken voluntarily, out of a desire for profit. Most risks are speculative. This risk is not insurable (it can be hedged, but an insurer will not cover it).
• Pure risk – contains the possibility of loss or no loss; there is no profitable scenario. It is borne under duress because it is inevitable. Pure risk can be partially insured. It can be personal risk, property risk or third-party liability risk.
Position of the subjective factor: objective – subjective, reasonable – unreasonable, justified – unjustified, controllable – uncontrollable.
Elements of risk:
• Probability of the risk event;
• Frequency of occurrence of the risk event;
• Impact of the risk event – an assessment (qualitative or monetary) of the loss;
• Relative importance compared to the other risks;
• Exposure to risk = probability of occurrence × impact of the occurrence.
3.2. Methodological basis for measurement (assessment) of the risk.
Risk assessment comes down to determining:
– the quantitative characteristics of the probability of occurrence of the undesired event (incidence of damage);
– the quantitative characteristics of the adverse consequences, i.e. the damages (magnitude of damage) caused by it. Calculating the adverse effects means assessing the damages; the appropriate measure for expressing the weight of the damage is the monetary form.
Generally, the losses arising from random events are divided into total and partial. In the case of total damage the outcome of the risk event is the total destruction of the object, and the amount of the damage equals its value.
In the absence of information for establishing the overall distribution of damages, some of the following variables are used:
– Maximum possible damage – the damage that can occur only in the most unlikely combination of circumstances;
– Probable maximum damage – the damage that can occur under normal conditions; the amount of damage whose probability of occurrence is so large that it must be considered when developing the security strategy;
– Expected maximum loss – the most probable damage.
The expected maximum loss has the greatest practical application. Its assessment is based only on material damages. In essence the expected value of the damage is its most likely value; it is described by the measures of central tendency (mean, median, mode). The other two variables, the maximum possible damage and the probable maximum damage, define the field of dispersion, described by the standard deviation, the variance, the coefficient of variation and so on.
When assessing the losses that may result from a single event, all consequences of this event, direct and indirect, should be taken into account.
Direct losses are the immediate damage to health and property and the financial damage to the system's ability to function over a period of time: to achieve its objectives, to fulfil its programme, or to do so on time and with the required quality.
In practice the interdependence between the different damages is difficult to assess. That is why the aggregate damage approach is used: several types of probable damage are regarded as one homogeneous damage. This combined damage includes losses related to property, health, reputation, damage to the environment and losses of third parties.
Evaluation of the various components is carried out through:
– losses from damage to or destruction of property;
– losses from failure of achieving the planned state;
– capital losses due to recovery of damages (damages to third parties).
The basic requirement for evaluating the incidence of damages is the availability of information of sufficient quantity and quality, which includes:
– empirical data on losses in the particular company;
– evidence of such losses in companies of a similar type;
– statistical data for the country or for other countries.
The longer the period examined and the larger the number of surveyed losses, the more reliable the probability of damage occurrence calculated from the respective data.
The assessment may be objective or subjective.
Objective probability of the occurrence of an event can be determined on the basis of internal or external statistical information. Internal statistical information is used to assess the probability of small damages. External statistical information is used to check the distribution built from the internal information, to find the probability of large but rarely occurring damages, and to assess the parameters of the overall distribution of damages.
Subjective probability of the occurrence of damage is estimated when there are no statistical observations.
The following probability distributions can be built from statistical data:
– probability of a certain type of event (e.g. accident);
– probability of occurrence of a certain type of damage (e.g. cuts);
– the likely severity of each type of loss (e.g. number of persons affected).
Knowing the characteristics of the probability distribution allows the parameters that matter for forecasting to be set: the most likely damage, the standard deviation and others.
3.3. Economic measurements of safety and health at work
When analysing the economic dimensions of health and safety at work, it is necessary to keep in mind the essential characteristics of the concepts of "safety" and "health" to which the economic dimensions refer:
• Safety is the state of protection of the vital interests of a person, organisation, enterprise or society from potential or existing threats. Ensuring safety means observing a set of rules to prevent accidents and save people's lives.
• Health is the state of complete physical, mental and social well-being of the individual. Health is the ability to pursue and meet the needs of life in relationship with the environment, in which people have control over their own situation and the opportunity to improve it.
Accordingly, the economic dimension of occupational safety and health (OSH) covers the activities related to:
► extending the analysis of:
– the economic dimension of OSH, including an assessment of the socio-economic costs associated with the consequences of poor or non-compliance with the requirements for safety and health at work;
– the costs and benefits associated with prevention in the area of OSH, in order to justify, on the basis of data, the policies and decision-making processes at the level of the community and of individual businesses;
► developing methodologies for assessing the socio-economic costs related to occupational diseases, work-related stress and violence at the workplace;
► the impact of the legal framework, employment relationships, social security systems and other contextual factors influencing the interaction between society and enterprises, in order to identify ways to influence the OSH-related decision-making process at company level.
3.4. Risk assessment.
Risk assessment of the safety and health of workers is the process of evaluating the risks to the safety and health of workers arising from the workplace, i.e. an assessment of the hazards arising from the work environment. Hazards are defined in item 3.1.1.
Risk assessment of the safety and health of workers is a systematic examination of all aspects of the work, which includes:
• what could cause injury or harm;
• whether the hazards can be eliminated;
• what preventive or protective measures are in place, or are planned, to control the risk.
In broad terms, risk can be regarded as a description of the types of threats that may affect an information system and the likelihood of their occurrence.
Risk assessment comes down to:
– the quantitative characteristics of the probability of occurrence of the undesired event (incidence of damage);
– the quantitative characteristics of the adverse consequences, i.e. the damages (magnitude of damage) caused by it.
Essence of working place risk assessment
The essence of workplace risk assessment is the identification of threats related to the work, the working process and the working environment, followed by decisions to limit or eliminate the resulting risk. The aim is to reduce occupational accidents and diseases. The risk assessment is carried out by specialists from the company, supported by external experts if necessary, with the participation of the persons engaged in the labour process.
The risk assessment is the end result that establishes the acceptability of the risk and the measures that need to be implemented to prevent, reduce or limit it.
Objective of risk assessment
Employers have the general duty to ensure the safety and health of workers in all aspects of work. The purpose of conducting a risk assessment is to allow the employer to take the necessary measures to protect the safety and health of workers.
These measures include: prevention of occupational risks; providing information to the workers; providing training to the workers; providing the organisation and means for implementing the necessary measures.
Although prevention of occupational risks is part of the purpose of the risk assessment and should always be the goal, this goal is not always achievable in practice. When risks cannot be eliminated they should be reduced, and the residual risk should be controlled. At a later stage, as part of the review programme, the residual risk is assessed again and its elimination may be reconsidered, possibly in the light of new knowledge.
Risk assessment should be structured and implemented in a way that helps employers to:
* identify the hazards encountered in the work process and determine what measures should be taken against them in order to preserve health and safety;
* assess the risks in order to make the best-informed selection of work equipment, workplace equipment and work organisation;
* arrange the measures in order of importance;
* demonstrate to the competent authorities that they have taken into account all factors related to the work and have made a valid assessment of the risks and of the measures necessary to safeguard health and safety;
* ensure that the necessary and mandatory preventive measures taken after the risk assessment improve the level of protection of the workers.
Why should risk assessment be performed? The main goal of occupational risk assessment is to protect the health and safety of workers. Risk assessment helps to minimise the possibility of harm to workers or to the environment from work-related activities. It also helps to keep the business competitive and effective. In accordance with the legislation on health and safety at work, all employers should regularly carry out a written risk assessment.
Risk assessment is a dynamic process that allows enterprises and organizations to implement proactive policy of managing workplace risks. Proper risk assessment includes all significant risks (not only the immediate or obvious), verifying the effectiveness of the adopted safety measures, recording the results of the assessment and performing regular review of the assessment to keep it up to date.
Why is risk assessment mandatory?
• To improve working conditions, safe and healthy working environment
• To prevent accidents at work
• To reduce the working day losses from absenteeism, sick leave and turnover of staff
• To improve quality, productivity and morale
• To achieve a positive financial impact for the company as a result of avoiding working day losses and legal disputes
What do we gain from risk assessment?
Risk assessment allows the employers to take the necessary measures to protect the safety and health of their employees.
These measures include:
• occupational risks prevention;
• providing information and training;
• providing the organization and means for the implementation of the necessary measures.
3.5. Statutory framework for assessment of risk.
The most important European legislation of significance for risk assessment is Framework Directive 89/391/EEC. It contains general principles for the prevention of occupational risks and general guidelines for their implementation. It holds employers responsible for providing safe and healthy working conditions in every aspect related to work, and risk assessment is an essential part of this mandatory management of occupational safety and health (OSH). It has a central role because it allows employers to implement the measures necessary for protecting the safety and health of their workers.
Complex assessment of working conditions
Assessment of working conditions reveals the combined impact of all elements according to their effect on the health and working capacity of the worker or employee. It is carried out by workplace or by type of activity and is expressed as a number of points Xi for each element, reflecting the weight of the element on working capacity and health depending on:
– its specific impact;
– the degree of deviation from the established norms and requirements for the element.
The weight of each element of the working conditions is determined by comparing the measured values of its parameters with the limits specified for the given grade. The elements of the working conditions subject to assessment are:
1. micro-climate – temperature, heat radiation, air speed and humidity;
2. toxic substances by groups according to their impact;
3. dust classified in groups;
5. vibrations – local and general;
7. physical load – dynamic and static load;
8. electromagnetic fields and laser radiation;
9. ionizing radiation;
10. operational risk.
A mandatory requirement for determining the degree of each element of the working conditions (with the exception of ionizing radiation and production risk) is that the element acts for more than half of the statutory working hours. The indicators of the working conditions are measured according to the established methods.
When determining the degree of elements characterised by more than one indicator, the degree of the indicator with the most unfavourable characteristics is taken. The degree of the production micro-climate is determined by the temperature and the heat (IR) radiation.
When the assessment is made by the "Temperature" indicator, both the winter and the summer period are evaluated, taking into account the category of physical load.
The category of physical load in relation to the micro-climate is determined by the total energy expenditure of the body: light, medium or heavy physical load.
• Micro-climate: work outdoors all year round or not all year round;
• Degree of toxic substances:
– only one substance registered;
– emission of more than one substance acting in the same direction;
– emission of more than one substance acting independently;
• Degree of dust:
– only one type of dust registered;
– more than one type of dust of the same group registered;
– more than one type of dust of different groups registered;
• Degree of lighting: whether the requirements for the minimum values of combined and general lighting are met;
• Degree of physical load: the values of dynamic and static load are determined;
• Degree of ionizing radiation: determined by the statutory types of work.
The complex assessment is obtained by summing the points of the elements of the working conditions present at the workplace.
Where several workplaces with different complex assessments are serviced, the overall assessment is the average of their complex assessments weighted by the duration of work at each workplace.
The complex assessment is updated whenever the working conditions at the workplaces change.
A workplace is the area of work of one or more workers, characterised by equal working conditions in all aspects of the working environment and labour process.
When the work is intermittent (repairs, in-plant transport, instrumentation and automation, etc.), the evaluation is carried out by type of work. The complex assessment is used to determine the amount of additional remuneration depending on the conditions of labour.
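The rules above (worst indicator per element, the more-than-half-of-working-hours condition with its two exceptions, summation per workplace, duration-weighted average across workplaces) fit in a few functions. The following is an added example written for this chapter, not code from the original text or from any regulation; the point values per indicator, the 8-hour statutory day and the hours assigned to each workplace are constructed assumptions.

```python
"""Complex assessment of working conditions: added worked example.

Rules implemented are the ones stated in the text; all numbers are constructed
sample data, not measured values from any real workplace.
"""
STATUTORY_HOURS = 8.0  # assumption: an 8-hour statutory working day

# Elements whose degree is counted regardless of how long they act (the two
# exceptions named in the text).
ALWAYS_COUNTED = {"ionizing radiation", "production risk"}


def element_points(element: str, indicator_points: dict, active_hours: float,
                   statutory_hours: float = STATUTORY_HOURS) -> int:
    """Points Xi of one element of the working conditions.

    With several indicators the most unfavourable one sets the degree. An
    element acting for half the statutory hours or less contributes nothing,
    unless it is one of the two exceptions ("more than half" is strict).
    """
    if not indicator_points:
        raise ValueError(f"{element}: no measured indicators")
    if element not in ALWAYS_COUNTED and active_hours <= statutory_hours / 2:
        return 0
    return max(indicator_points.values())


def complex_assessment(workplace: dict) -> int:
    """Sum of the points of all elements present at one workplace."""
    return sum(element_points(name, data["indicators"], data["active_hours"])
               for name, data in workplace.items())


def overall_assessment(assignments: list) -> float:
    """Duration-weighted average for a worker who services several workplaces.

    `assignments` is a list of (workplace, hours) pairs.
    """
    total_hours = sum(hours for _, hours in assignments)
    if total_hours <= 0:
        raise ValueError("no working time recorded")
    return sum(complex_assessment(w) * hours for w, hours in assignments) / total_hours


# Constructed sample data: two workplaces in a foundry (assumed point values).
FURNACE_STATION = {
    "micro-climate": {"indicators": {"temperature": 2, "heat radiation": 3, "air speed": 1},
                      "active_hours": 8.0},
    # acts for 3 h of 8: less than half the day, so it is excluded
    "dust": {"indicators": {"respirable silica": 2}, "active_hours": 3.0},
    "vibrations": {"indicators": {"general": 1}, "active_hours": 8.0},
    # exception: counted although the gauge is only used for 1 h
    "ionizing radiation": {"indicators": {"thickness gauge": 2}, "active_hours": 1.0},
}
PACKING_STATION = {
    "physical load": {"indicators": {"dynamic": 2, "static": 1}, "active_hours": 8.0},
}

if __name__ == "__main__":
    print("furnace station:", complex_assessment(FURNACE_STATION))
    print("packing station:", complex_assessment(PACKING_STATION))
    worker = [(FURNACE_STATION, 6.0), (PACKING_STATION, 2.0)]
    print("worker, 6 h + 2 h:", overall_assessment(worker))
```

Note that the exclusion rule is deliberately strict (`<=`): an element that acts for exactly half the day is not "more than half" and drops out, which is the kind of boundary an auditor checks first.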
Organization and control.
The complex assessment of working conditions is determined from the data in the existing working-conditions passports and from measurements and assessments with a defined period of validity.
The measurements are carried out by specialized laboratories.
Risk assessment tools
There are many risk assessment tools and methodologies that help organisations evaluate their risks. The choice of method depends on the conditions of work, the number of employees, the types of work activities and equipment, the specific characteristics of the workplace and any specific risks. The most common risk assessment tools are checklists, which are useful for identifying hazards. Other types of tools include guides, guidance documents, manuals, brochures, questionnaires and interactive tools. These tools can be general or specific to an industry or risk. The tools database is regularly updated with new tools.
How to assess risk
At EU level there are no specific rules on how to carry out a risk assessment. However, two principles should always be kept in mind:
– structure the assessment so that all relevant hazards and risks receive attention;
– once a risk has been identified, start from first principles by asking whether the risk can be eliminated.
Step-by-step approach to the assessment of risk
There is no single way to carry out a risk assessment, and different approaches can be employed under different circumstances.
The risk assessment procedure (including elements of risk management) can be divided into a series of steps. A straightforward five-step approach (including elements of risk management), such as the one presented in fig. 3.1, is very useful.
There are other methods which are also good, particularly for more complex risks and circumstances. Which approach to apply depends on:
– the nature of the workplace (e.g. permanently or temporarily);
– the type of process (e.g. repetitive operations, shifting processes);
– the task performed (e.g. repeated, rare or high risk);
– the technical complexity.
In some cases a single evaluation exercise covering all risks in a workplace or activity may be appropriate. In other cases different approaches may suit different parts of the workplace.
Approach to risk assessment
It is advisable that the approach to assessing workplace risk includes the interrelated activities presented in fig. 3.2.
Types of approaches to risk assessment
There are many approaches to measuring and presenting risk. Depending on the methodology, the dimension can be defined in different terms – quantitative, qualitative, one-dimensional, multi-dimensional, or any combination of these (fig. 3.3). In all cases the approach used to measure the risk must be comprehensible and logical.
Possible approaches to measurement are:
• Quantitative approaches – the risk is measured in monetary losses.
• Qualitative approaches – the risk is measured in qualitative terms expressed as degrees.
• Single-dimensional approaches – consider a limited number of components.
• Multidimensional approaches – consider additional components when measuring the risk: visibility, reliability, safety and performance.
3.6. Methodology for quantitative assessment of risk
1. Objective and purpose of the methodology: planning of measures to overcome the risks at workplaces and, in the case of residual risk, undertaking the necessary measures to protect the workers.
2. Scope and order of conducting the assessment
2.1. Scope of the assessment. The risk assessment covers: – workplaces; – premises; – workflows; – work equipment; – organisation of work; – other factors.
2.2. Order of conducting the assessment. The risk assessment is carried out in the following sequence:
• grouping the workers and employees by position and job;
• identifying the elements forming the danger when carrying out the activities, describing them and comparing their status with the regulatory requirements;
• identifying the sources of danger and the persons exposed to them;
• determining the elements of risk and the acceptability of the risk;
• planning measures to eliminate or mitigate the risk.
For each hazard identified through the analysis of the elements forming the danger, the source of the danger and the persons exposed to it are determined.
3. The significance of the risk is assessed by assigning numerical values to gradations of probability, exposure and severity of the injury. In Belgium the practice was adopted of defining the risk (R) as the product of three parameters – probability (P), exposure (E) and consequences (C): R = P × E × C.
4. The probability of harm is assessed by: frequency; duration; probability of occurrence of the particular event; technical possibilities for limiting the damage; values of the parameters of the working environment – table 3.1.

| Probability (P) | Value |
|---|---|
| Barely possible, but still possible in limited cases | 1.0 |
| Relatively high probability | 10.0 |
5. Frequency of exposure (E) is the time during which the worker is exposed to the hazard – table 3.2.

| Frequency of the exposure (E) | Value |
|---|---|
| Too low (less than once a month) | 0.5 |
| Very low (up to 1 hour per week) | 1.0 |
| Low (1 hour per day) | 2.0 |
| Average (1/3 of the working hours) | 3.0 |
| High enough (1/2 of the working hours) | 6.0 |
| Permanent, throughout all working hours | 10.0 |
6. Severity of damage is estimated according to the type of object to be protected and the severity of the possible injury or lesion – table 3.3.

| Value | Consequences (damages) (C) | Injury | Material damage |
|---|---|---|---|
| 1.0 | Minor | Injury without lost working time | Damage < 48 BGN |
| 3.0 | Significant | Injury with lost working time | Damage from 48 to 480 BGN |
| 7.0 | Serious | Disability, irreversible injury | Damage from 4,800 to 19,200 BGN |
| 15 | Dangerous | One death | Damage from 24,000 to 48,000 BGN |
| 40 | Catastrophic | Many deaths | Damage > 48,000 BGN |
7. Acceptability of the health and safety risk – table 3.4.

| Risk (R = P × E × C) | Class | Assessment and required action |
|---|---|---|
| Up to 20 | 0 | Very limited, acceptable risk |
| From 20 to 70 | 1 | Small risk, needs attention |
| From 70 to 200 | 2 | Measures for risk reduction are needed |
| From 200 to 400 | 3 | Immediate improvement of the working conditions is necessary |
| Over 400 | 4 | Discontinuation of the activity until the risk is eliminated |

The end result of the assessment determines the acceptability of the identified risk and the measures that need to be implemented to eliminate or reduce it.
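The procedure in steps 3 to 7 (score P, E and C, multiply, classify by table 3.4, rank the hazards, then re-score the residual risk after a measure) is shown below as an added worked example; this is not code from the original text or from any Belgian or Bulgarian methodology. The E and C gradations and the acceptability classes are taken from tables 3.2 to 3.4 as printed above. Table 3.1 is reproduced with only two gradations of P, so P is supplied by the assessor as a number and those two gradations are kept as named anchors; the assumption that the full P scale spans 0.1 to 10, the treatment of boundary values, and the hazard register are all constructed for the example.

```python
"""Fine-Kinney style scoring R = P * E * C with the chapter's tables: added example."""
from dataclasses import dataclass, replace

# Table 3.1 - the two gradations of probability (P) printed on the page.
P_POSSIBLE_IN_LIMITED_CASES = 1.0
P_RELATIVELY_HIGH = 10.0

# Table 3.2 - frequency of exposure (E).
EXPOSURE = {
    "less than once a month": 0.5,
    "up to 1 hour per week": 1.0,
    "1 hour per day": 2.0,
    "1/3 of working hours": 3.0,
    "1/2 of working hours": 6.0,
    "all working hours": 10.0,
}

# Table 3.3 - consequences (C).
CONSEQUENCE = {
    "minor": 1.0,          # injury without lost working time
    "significant": 3.0,    # injury with lost working time
    "serious": 7.0,        # disability, irreversible injury
    "dangerous": 15.0,     # one death
    "catastrophic": 40.0,  # many deaths
}

# Table 3.4 - acceptability classes as (upper bound of R, class, action).
# Assumption: a boundary value ("up to 20", "from 20 to 70", ...) belongs to
# the lower class, so R = 20 is class 0 and R = 400 is class 3.
ACCEPTABILITY = [
    (20.0, 0, "very limited, acceptable risk"),
    (70.0, 1, "small risk, needs attention"),
    (200.0, 2, "measures for risk reduction are needed"),
    (400.0, 3, "immediate improvement of working conditions is necessary"),
]
ABOVE_400 = (4, "discontinuation of the activity until the risk is eliminated")


@dataclass(frozen=True)
class Hazard:
    name: str
    p: float          # probability gradation (table 3.1)
    exposure: str     # key of EXPOSURE (table 3.2)
    consequence: str  # key of CONSEQUENCE (table 3.3)


def classify(r: float) -> tuple:
    """Map a risk value R to its class and required action (table 3.4)."""
    for upper, cls, action in ACCEPTABILITY:
        if r <= upper:
            return cls, action
    return ABOVE_400


def score(h: Hazard) -> dict:
    """Compute R = P * E * C for one hazard and classify it.

    Assumption: the P scale runs from 0.1 to 10, so any other value is a
    data-entry error rather than a gradation and is rejected.
    """
    if not 0.1 <= h.p <= 10.0:
        raise ValueError(f"{h.name}: P={h.p} is outside the 0.1..10 scale")
    e = EXPOSURE[h.exposure]
    c = CONSEQUENCE[h.consequence]
    r = h.p * e * c
    cls, action = classify(r)
    return {"name": h.name, "P": h.p, "E": e, "C": c, "R": r,
            "class": cls, "action": action}


def rank(hazards: list) -> list:
    """Score every hazard and order the register by decreasing R; this is the
    'arrange the measures in order of importance' step of the assessment."""
    return sorted((score(h) for h in hazards), key=lambda s: s["R"], reverse=True)


def residual(h: Hazard, **changed) -> dict:
    """Re-score a hazard after a measure changes P, E or C.

    A guard or interlock lowers P; job rotation lowers E; only substituting
    the hazard itself changes C. The residual class shows whether the measure
    is sufficient or a further one is needed.
    """
    return score(replace(h, **changed))


# Constructed sample register for a small workshop (assumed values).
REGISTER = [
    Hazard("unguarded press brake", P_RELATIVELY_HIGH, "1/2 of working hours", "serious"),
    Hazard("forklift traffic in warehouse aisle", 3.0, "all working hours", "dangerous"),
    Hazard("manual lifting of 25 kg sacks", 3.0, "1/3 of working hours", "significant"),
    Hazard("ladder work when replacing lamps", P_POSSIBLE_IN_LIMITED_CASES,
           "up to 1 hour per week", "dangerous"),
]

if __name__ == "__main__":
    for s in rank(REGISTER):
        print(f"{s['name']:<40} R={s['R']:>6.1f} class {s['class']}: {s['action']}")
    # Residual risk once the press brake gets a light curtain (P drops to 1.0).
    after = residual(REGISTER[0], p=P_POSSIBLE_IN_LIMITED_CASES)
    print(f"press brake after guarding: R={after['R']:.1f}, class {after['class']}")
```

Two points worth noticing when running it: the press brake (R = 420) and the forklift aisle (R = 450) both land in class 4 although their inputs differ completely, which is why the ranked register, not the class alone, drives the order of measures; and guarding the press brake brings it from class 4 to class 1 (R = 42), so the residual risk still "needs attention" and must be re-assessed in the review cycle rather than closed.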
The risk is assessed periodically in order to continuously monitor the effectiveness of the measures and the changes in the external and internal environment. When the possible loss is unacceptably high, cost-effective protective measures must be adopted – fig. 3.4.
3.7.1. Essence of risk management. In quantitative terms, risk is a function of the probability that a particular threat is realised by exploiting vulnerabilities of the system, and of the extent of the possible loss.
Risk management – fig. 3.5. – consists of:
• Analysing and evaluating the level of risk (measured risk);
• Implementing effective and efficient mechanisms for risk reduction (min. risk);
• Achieving conviction that the risks are within acceptable limits (residual risk).
Therefore, risk management mainly involves two types of activities – fig. 3.6.
• Risk assessment (measuring).
• Choice of effective protective measures to neutralise the risks.
Elements of risk management – table 3.5.

| Element | Question |
|---|---|
| Assets (values) | What resources shall be protected? |
| Threats | What threatens the protected assets? How likely is the threat to be realised? |
| Consequences | What will be the consequences after realisation of the threat (e.g. information disclosure, destruction of data, etc.)? What will be the long-term consequences (e.g. loss of reputation, losses or bankruptcy)? |
| Protective measures | What effective measures are needed to protect the assets? |
| Residual risk | Is the remaining risk of realisation of the threat acceptable? |
Strategies for risk management.
With regard to the assessed risk the following actions are possible: • risk elimination; • risk reduction; • risk acceptance; • risk transfer.
Life cycle of the Management System (MS) and possible risk
Basic features of the Management System (MS). Taking risk into account at every stage of the life cycle ensures the highest effect at minimal cost. At the risk analysis stage the general requirements to the MS are developed. At the design phase, knowledge of the risks helps in choosing appropriate architectural solutions, which play a key role in information security – fig. 3.7. At the implementation phase the risk should be considered when configuring, testing and verifying the system requirements, and a complete risk management life cycle must precede the introduction of the system into operation. At the operation stage, risk management must accompany any substantial change in the system.
Methodological base of the risk management.
There are a great many methodologies for risk management. Their implementation depends on the specifics of the organisation and the expected results. Despite this diversity, the structural scheme, part of which is the scheme of the developed "methodology of risk management" – fig. 3.8 – has inputs with standard information security content, so that risk analysis and assessment can be carried out with comparable accuracy and repeatability of results.
Requirements to the methodology of risk management:
• provides results useful for job security;
• is user-friendly;
• does not require highly accurate data;
• provides acceptable accuracy of the variables: loss, probability value;
• uses the process approach to risk management.
Quantitative method for risk analysis
Intended for risk analysis in large risk treatment centres.
• Describes how the risk assessment for each file is derived.
• Assesses: – the incidence of threats;
– the consequences of each threat in monetary units.
3.7.2. Main features of MS (based on ISO 27005)
Typical for the main features is that:
• they are descriptive and do not contain specific requirements for the way risk is managed;
• they allow independent consideration of the different aspects of the ISMS and the organisation of risk management on that basis;
• they adhere to the most general concept of risk, i.e. the combination of the probability of events and their consequences;
• they allow both quantitative and qualitative methods of risk assessment;
• risk management is formulated as continuous coordinated actions aimed at directing and controlling risk within the organisation;
• they do not offer a specific methodology for risk assessment;
• they define an approach to continuous control of the management process, presented in fig. 3.9, which is an addendum to fig. 3.8.
In the context of these features, the phases covering them – fig. 3.9 – are: 1) risk analysis and assessment; 2) risk treatment and selection of safety measures; 3) risk control through monitoring and testing; 4) risk optimisation.
1. Risk analysis and assessment
This is the first stage of MS management. Its purpose is to identify the sources of risk and determine their level of importance. It includes:
1a) Risk analysis
• making an inventory and categorisation of the protected resources;
• clarifying the regulatory, technical and contractual requirements to the resources in the field of information security;
• estimating the value of these resources; the value includes all potential losses associated with compromising the protected resource;
• calculating the probability of the threats being realised.
1b) Risk assessment
Carrying out the calculation and comparing the result with a set scale. The risk is calculated by multiplying the probability of compromising the resource by the value of the loss.
The standard gives no substantiated recommendation on the choice of mathematical and methodological apparatus for risk assessment. We may present an example that refers to the qualitative assessment methods. In this case the procedure is the following:
a) assessing the value of the identified resource on a five-point scale – negligible, low, medium, high, very high;
b) assessing the likelihood of the threats on a scale: low, medium, high;
c) assessing the level of the vulnerabilities (how easily they can be exploited) – low, medium, high;
d) calculating the levels of risk from a given table;
e) ranking the incidents (scenarios) by level of risk.
2. Risk treatment and selection of safety measures.
Risk treatment covers the selection and implementation of control measures and means for minimizing the risk. Besides the estimated level of risk, the cost of implementing and supporting the security mechanisms may also be taken into account.
The following risk treatment measures apply:
a). Reducing the risk – the risk is deemed unacceptable and to minimize it, appropriate mechanisms and security tools are implemented;
b). Risk transfer – the risk is deemed unacceptable and under certain conditions is readdressed to another organization;
c). Acceptance of risk – the risk is consciously deemed acceptable (the organization accepts the possible consequences). Usually in this case the cost of the security measures outweighs the potential losses;
d). Denial of risk – quitting the business processes which are the cause of the risk.
3. Risk control.
To control the risk the following are recommended:
• Technical measures (monitoring, analysis and inspections);
• Analysis by management;
• Independent internal audits.
4. Risk optimization.
The risk optimization phase comprises reassessment of the risk and, accordingly:
• Review of the policy;
• Review of the risk management guidelines;
• Correction and update of the security mechanisms.
The model is presented in fig. 3.10 and synthesizes the foregoing. For the presented model, the characteristics of the basic blocks are analysed.
►Input block “Input impacts”. It includes a summary of all information about the organization that is relevant to risk management and information security. The actions defining the context depend on the purpose of risk management and include (for example):
• Support for MS;
• Confirming the determination of management;
• Preparing a plan for business continuity;
• Preparing a plan for incident response;
• Description of the security requirements.
The basic criteria for determining the context concern:
• Criteria for risk assessment;
• Criteria for assessing the impact on risk;
• Criteria for acceptance of risk;
• Necessary resources.
►Risk identification – fig. 3.10. Identified are:
• Assets;
• Threats and sources;
• Vulnerabilities;
• Controls;
• Probabilities;
• Impacts.
►Preliminary risk assessment – fig. 3.10. Assessed are: assets; threats; vulnerabilities; impacts; risks.
►Risks comparison – fig. 3.10. It uses information about the priority of risks, received at the stage of risk analysis, for decision-making activities.
►Risk treatment – fig.3.10
3.7.3. Risk management system (MS) analysis
The functions of the constituent units of the risk management system are presented and analysed in accordance with the standardized requirements (ISO 27001). Fig. 3.11 shows an example block diagram of the MS with units 1.1–1.4, 2.0 and 3.0. Fig. 3.12 presents a summary of their particular functions.
Fig. 3.12 presents the tasks solved by the separate blocks:
1.1. Creating the MS;
1.2. Implementing and operating the MS;
1.3. Monitoring and review of the MS;
1.4. Maintenance and improvement of the MS;
2.0. Requirements to the documentation;
3.0. Commitment of the management.
3.7.4. Methodology of risk management. Risk assessment.
Subject of the methodology.
– The specific methodology for risk analysis is selected on the basis of the defined limits of protection and the degree of detail, fig. 3.13 (second structural line in the figure).
– The risk, which depends on the identified values of the system and on the likelihood that threats are realized through existing vulnerabilities, is measured by means of risk analysis – fig. 3.13 (3rd and 4th structural lines in the figure).
Activities performed. Depending on the subject, the following actions are performed:
• Defining the limits of the protection and the necessary level of detail;
• Selection of appropriate methodology for risk analysis: depending on the type of system, quantitative or qualitative approach and the corresponding methodology are chosen. It is appropriate that this methodology is standardized.
• Risk assessment: determining the probability of causing harm to the values through realization of the threat;
• Identifying values, threats and vulnerabilities;
• Assessing the probability and measuring the risk.
• Risk minimization: determining the residual risk on the basis of the organization's capability to invest funds in achieving security.
As a result of the activities carried out it is necessary to receive:
• Identification of the areas of unacceptable risk;
• Choice of the most effective means of protection;
• Determining to what extent the residual risk is acceptable.
Key features of the activity. They are:
*Defining the limits. The limits may include the entire information system or parts of it.
*Defining the level of detail. The degree of detail depends on the value of the stored information and on the presence of applications critical for the operation of the system. In all cases a detailed description of the following will be necessary:
– the process of data transmission;
– connections with external networks;
– a number of critical applications.
The degree of detail also depends on:
– changes in configurations;
– the emergence of new external links;
– modernization of the systems or application programs.
*Determination of the methodology used. If it has been predetermined it is necessary to be adjusted in accordance with set limits and detail.
*Identification and evaluation of values – fig. 3.14. All components of the information system are valuable, but each of them has its own weight. The report on the values of the system is the first step in determining the areas that need particular attention. This is determined by:
• Ensuring protection of all data values;
• Fast recovery of the information environment after an accident.
Data values include:
– hardware of the information environment;
– software;
– electronic documents;
– databases;
– communication channels.
3.7.5. Sample approach to the assessment of risk
In a symbolic view the risk assessment has the form:
Risk = (Threat * Visibility) + (Vulnerability * Consequences)
The presented dependence involves four factors: threat, visibility, vulnerability and consequences.
Threat – any event that can potentially cause harm through disclosure, modification or destruction of data, or through failure of critical system components. The threat becomes a risk only when:
• there is a vulnerable place in the system, which can be attacked;
• the system is visible from the outside world.
Visibility of the system – a measure of the interest of external objects to a system.
Level of visibility – determines the probability of attack by hostile objects using one threat or another. It can be changed by a specific law or according to some event. All organizations which have access to the Internet are to some extent visible to the outside world.
Vulnerability management. It is presented by the dependence:
Vulnerability → Consequences → Investments
Violation of the internal organization of work. This leads to:
– loss of opportunities;
– loss of working time;
– restoration works;
– affected external functions of the organization (supply of products, receiving orders, etc.).
All this directly leads to financial losses. The attached tables (3.6 to 3.9) present the values of the risk profile scale.
Risk profile scale Table 3.6
| Factor | Level | Points |
| Threat | There are no real threats | 1 |
| Threat | It is difficult to assess the possibility of threats | 3 |
| Threat | Threats are real; there are cases of their realization | 5 |
| Visibility | Average – periodical publications about the organization | 3 |
| Visibility | High – regular publications about the organization | 5 |
| Vulnerability | Low – no evidence of systemic fragility | 1 |
| Vulnerability | Average – admitted opportunities for vulnerabilities (staff and software) | 3 |
| Vulnerability | High – there is evidence of vulnerabilities | 5 |
| Consequences | No financial loss. Measures are taken to transfer the risk. | 1 |
| Consequences | Violation of the internal functions of the organization | |
| Consequences | Violation of external functions. Great financial loss. | 5 |
Result: 2 – 10: low risk; 11 – 29: average risk; 30 – 50: high risk.
Risk assessment example. Tables 3.7 to 3.9 present, in table format, a qualitative scale for assessing the level of losses, a qualitative scale for assessing the probability of an attack being carried out, and an example of determining the level of risk.
Qualitative scale for assessing the level of losses Table 3.7
| No. | Type of loss | Explanation: assets loss | Explanation: impact on the production |
| 5 | Critical | critical | loss of reputation |
Qualitative scale for assessing the probability of an attack Table 3.8
| No. | Type of probability | Explanation | Numeric interval |
| 1 | very low | The probability of an attack is null | 0 – 0.25 |
| 2 | low | The probability is high enough | 0.25 – 0.5 |
| 3 | average | The probability is average | 0.5 |
| 4 | high | It is more likely to have attacks | 0.5 – 0.75 |
| 5 | very high | The attacks are almost certain | 0.75 – 1 |
An example of determining the level of risk Table 3.9
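An added worked example (not from the original text) of the risk-profile score of 3.7.5 with the 1/3/5 scale of Table 3.6 and its banding thresholds, the probability levels of Table 3.8, and the ranking of incidents by level of risk from step e) of 3.7.2. The two cells missing from the page (the low visibility level and the points for the internal-functions consequence) and the treatment of shared interval end points in Table 3.8 are assumptions, marked as such in the code; the sample incidents are constructed.

```python
# Scale values from Table 3.6 (1 / 3 / 5). Two cells are missing on the page:
# "low" visibility and the "internal functions" consequence; 1 and 3 are ASSUMED.
THREAT = {"none": 1, "hard_to_assess": 3, "real": 5}
VISIBILITY = {"low": 1, "average": 3, "high": 5}          # "low": 1 assumed
VULNERABILITY = {"low": 1, "average": 3, "high": 5}
CONSEQUENCES = {"none": 1, "internal": 3, "external": 5}  # "internal": 3 assumed


def risk_score(threat, visibility, vulnerability, consequences):
    """Risk = (Threat * Visibility) + (Vulnerability * Consequences), section 3.7.5."""
    return (THREAT[threat] * VISIBILITY[visibility]
            + VULNERABILITY[vulnerability] * CONSEQUENCES[consequences])


def risk_band(score):
    """Band a score: 2-10 low, 11-29 average, 30-50 high (thresholds after Table 3.6)."""
    if not 2 <= score <= 50:
        raise ValueError(f"score {score} is outside the 2..50 range of the scale")
    if score <= 10:
        return "low"
    if score <= 29:
        return "average"
    return "high"


def probability_level(p):
    """Level of Table 3.8 for an attack probability p in [0, 1]. The page's intervals
    share end points; a shared end point is ASSUMED to belong to the lower interval."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    if p <= 0.25:
        return "very low"
    if p < 0.5:
        return "low"
    if p == 0.5:
        return "average"
    if p <= 0.75:
        return "high"
    return "very high"


def rank_incidents(incidents):
    """Step e) of 3.7.2: arrange incidents by level of risk, highest score first.
    `incidents` maps a name to (threat, visibility, vulnerability, consequences)."""
    rows = [(name, risk_score(*levels), risk_band(risk_score(*levels)))
            for name, levels in incidents.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample incidents (not data from the page).
SAMPLE = {
    "public web server": ("real", "high", "high", "external"),
    "internal file share": ("hard_to_assess", "average", "average", "internal"),
    "offline archive": ("none", "low", "low", "none"),
}
```

`rank_incidents(SAMPLE)` returns the three constructed incidents in descending order of score, each with its band, which is the ordered list step e) asks for.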
3.7.6. Practical guidelines for minimizing the risk.
The term “risk reduction” in practice is defined as:
– reducing the risk by reducing the probability of the hazard;
– reducing the impact of the hazard;
– reducing the vulnerability of society.
Three types of safety management can be distinguished in the practical experience of the partners:
– risk management, aimed at reducing the risk,
– crisis management, aimed at overcoming the consequences of the incident,
– management of restoration, aimed at returning society to the normal way of life before the disaster.
On the other hand, four phases can be distinguished:
– phase before the occurrence of the risk;
– phase in which the risk exists, but has not materialized;
– phase of the incident;
– phase of recovery.
The three types of safety management do not correspond strictly to the phases and shift gradually from phase to phase.
In the phase before the occurrence of the risk, everything is directed towards the highest form of risk management: the prevention of a situation from turning into a risk. This is the basic form of planning measures.
When the risk emerges, the focus is on prevention measures that reduce the probability. The responsible public and private partners prepare for the disaster.
In the risk phase you can start with recovery management, by preparing measures to make recovery easier.
In the disaster phase the preparation becomes real “readiness”, or disaster relief. This phase marks the beginning of recovery. It may allow for a reassessment of the risks. This new risk awareness can greatly reduce the acceptance of the risk, leading to a variety of strategies to mitigate the effects. So the cycle is closed: from the recovery phase back to the stage prior to the risk, fig. 3.15.
The objectives of reducing risk shall be:
– Specific – referring to a specific priority risk.
– Measurable – the results for the society can be measured, for example: what is the percentage of risk reduction.
– Acceptable – the objectives must be acceptable to the people who make decisions and to the stakeholders.
– Realistic – to be achieved in reality.
– Time-bound – the objectives are set for a specific period of time.
Evaluation of opportunities
The stage of the risk mitigation process in which the opportunities are evaluated is defined as “the process of identifying, analyzing and evaluating the opportunities in risk management, available for reducing the priority risks, and the opportunities in crisis management and recovery for improving disaster relief and reconstruction work.” The purpose of assessing the opportunities is to facilitate strategic decision-making on specific measures. This phase is the most strategic one: where are the weaknesses in the ability to reduce the risks, and what can be done to remedy them. The assessment of the opportunities has three distinct parts, which mirror those of the risk assessment:
1. Identifying the opportunities – analysing the causes and consequences in order to find opportunities to reduce the risk.
2. Analysis of opportunities – to examine the relative value of the identified opportunities.
3. Assessing the opportunities – comparing the possible measures taken by the politicians with their political criteria.
Identifying opportunities is a continuation of the analysis for risk assessment: various scenarios are explored to identify specific measures that contribute to achieving the selected goals. The next two phases of the assessment of the opportunities are best illustrated by the following figure – fig. 3.16.
When comparing the risks with the possible mitigation (and readiness) measures it is necessary to assess which measures are the best. For this purpose an analysis of the opportunities, including a “cost-benefit” analysis, shall be carried out.
“Cost-benefit” analysis. It is defined as a procedure for assessing the appropriateness of a project by comparing its costs and benefits. The results can be expressed in various ways, including through the internal rate of return, the net present value and the “cost-benefit” ratio. In order to use cost-benefit analysis in the process of risk mitigation it is important not to limit it to monetary value. The subject of risk reduction should include the vital interests of society: both economic and public aspects, such as those related to casualties or environmental damage. That is why the cost-benefit analysis, or a social cost-benefit analysis, should also include information on effects that have no monetary value. As this requires a multi-criteria approach, the cost-benefit analysis needs the opinions of diverse experts.
Practical experience shows the following:
– The “cost-benefit” analysis has to be performed on the grounds of different kinds of expertise.
– The probability of a given risk has a great impact on the results of the cost-benefit analysis.
– It is difficult to calculate the probability of climate-related events over a longer period of time because of global warming.
– A particular problem is the space-time variability of risks, which means that the probability and the impact can vary a lot in time and space.
– To calculate the monetary expression of vulnerabilities and possible damage, an extensive study is necessary in most cases.
Based on the nature of fundamental concepts in health and safety at work we have determined their characteristic features. We have determined the elements of risk, risks types and their origin.
We have analysed the methodological basis for risk measurement and its quantitative characteristics. We have presented the economic measurements of safety and health at work.
We have analysed the essence of risk assessment and the sequence of actions for its execution. In accordance with the risk assessment objectives we have presented measures for their achievement. We have presented the legal framework for risk assessment and the complex assessment of labour conditions. We have presented the step-by-step approach to assessing risk by analysing the individual actions at each step.
We have presented a methodology for quantitative risk assessment covering the procedures to be performed in accordance with its subject. The significance of the risk is assessed by assigning a numerical expression to the gradations of probability, exposure and severity of the injury.
We have analysed risk management: its nature, elements and strategies. We have presented the methodological basis of the risk management.
On the basis of the standardized requirements for risk management we have presented features covering: assessment, treatment, control and optimization. In connection therewith we have presented a model for risk management. We have analysed the system of risk management as a whole and its components separately. We have presented a methodology for risk management and an exemplary approach to risk assessment.
Practical guidelines for minimizing the risk have been proposed.