Is the process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level?

Ranking or prioritizing hazards is one way to help determine which risk is the most serious and thus which to control first. Priority is usually established by taking into account the employee exposure and the potential for incident, injury or illness. By assigning a priority to the risks, you are creating a ranking or an action list.

There is no one simple or single way to determine the level of risk. Nor will a single technique apply in all situations. The organization has to determine which technique will work best for each situation. Ranking hazards requires the knowledge of the workplace activities, urgency of situations, and most importantly, objective judgement.

For simple or less complex situations, an assessment can literally be a discussion or brainstorming session based on knowledge and experience. In some cases, checklists or a probability matrix can be helpful. For more complex situations, a team of knowledgeable personnel who are familiar with the work is usually necessary.

As an example, consider this simple risk matrix. Table 1 shows the relationship between probability and severity.


Severity ratings in this example represent:

  • High: major fracture, poisoning, significant loss of blood, serious head injury, or fatal disease
  • Medium: sprain, strain, localized burn, dermatitis, asthma, injury requiring days off work
  • Low: an injury that requires first aid only; short-term pain, irritation, or dizziness

Probability ratings in this example represent:

  • High: likely to be experienced once or twice a year by an individual
  • Medium: may be experienced once every five years by an individual
  • Low: may occur once during a working lifetime

The cells in Table 1 correspond to a risk level, as shown in Table 2.


These risk ratings correspond to recommended actions such as:

  • Immediately dangerous: stop the process and implement controls
  • High risk: investigate the process and implement controls immediately
  • Medium risk: keep the process going; however, a control plan must be developed and should be implemented as soon as possible
  • Low risk: keep the process going, but monitor regularly. A control plan should also be investigated
  • Very low risk: keep monitoring the process

Let's use an example: when painting a room, a step stool must be used to reach higher areas. The individual will not be standing higher than 1 metre (3 feet) at any time. The assessment team reviewed the situation and agreed that working from a step stool at 1 m is likely to:

  • Cause a short-term injury such as a strain or sprain if the individual falls. A severe sprain may require days off work. This outcome is similar to a medium severity rating.
  • Occur once in a working lifetime as painting is an uncommon activity for this organization. This criterion is similar to a low probability rating.

When compared to the risk matrix chart (Table 1), these values correspond to a low risk.


The workplace decides to implement risk control measures, including the use of a stool with a large top that will allow the individual to maintain stability when standing on the stool. They also determined that, although the floor surface is flat, the individual should be trained on the importance of making sure the stool's legs always rest on the flat surface. The training also included steps to avoid excess reaching while painting.


What is the assessment of the amount of risk an organization is willing to accept for a particular information asset?

The recognition, enumeration and documentation of risks to an organization's information assets is known as risk control. An evaluation of the threats to information assets, including a determination of their potential to endanger the organization, is known as exploit assessment.

What is the term that indicates the probability that a specific vulnerability within an organization will be successfully attacked?

Likelihood is the overall rating of the probability that a specific vulnerability will be exploited or attacked. (T/F: True)

Some threats can manifest in multiple ways, yielding multiple vulnerabilities for an asset-threat pair. (T/F)

Is the process of preventing the financial impact of an incident by implementing a control?

Cost mitigation is the process of preventing the financial impact of an incident by implementing a control. The most common example of a mitigation procedure is a contingency plan.

Which is more important to the information asset classification scheme: that it be comprehensive or that it be mutually exclusive?

Answer: A comprehensive information asset classification scheme is more desirable because it implies that all assets will be included, even if they appear in more than one location.