6 Steps to Conduct a Risk Assessment 

This six-step process will help reduce the likelihood of a risk event and lower the severity of its impact on operations.

By Jim Turner, Facility Influencer  

It’s the facility executive’s lament: There’s never enough funding to do everything that needs to be done, including managing events that could negatively impact the facilities. Some risk has to be accepted, but decisions are still needed about how much risk the organization can accept.  

While it is impossible to completely eliminate risk, a risk management plan, starting with risk assessments, serves as a foundational step that allows executives to mitigate risks by addressing them early and preventing surprises during performance.

Types of risks  

In the critical facilities space, we focus on resilience, or managing the risk of losing power or cooling to sensitive equipment. We address this risk by striving for concurrent maintainability in our supply and distribution infrastructure. This means we want to have primary, reserve, and spare equipment so that we can perform maintenance any time it is necessary. The expense is justified by considering how long the operation can continue without power and cooling infrastructure. 

Other industries face other risks, for example: 

  • Technical risks: a broad category of failures caused by faults with equipment, materials, or construction methodologies;
  • Risk of emergencies: typically focused on risks to human health and safety, but also applies to the facility operation itself;
  • Cost and schedule risks: risk events are disruptive and have repercussions, such as the cost of remediation and repair, and lost revenue from missed business opportunities.

The impact from these risks ranges from very low, such as when a technical issue creates an insignificant or barely noticeable flaw in the product, to very high, when the end product can’t be used. Similarly, cost and schedule impacts can range from low, adding 5 percent or less to overall costs, to high, when the impact approaches 20 percent or higher. 

One other risk type is compliance with legal requirements, such as the Americans with Disabilities Act (ADA) or Occupational Safety and Health Administration (OSHA) regulations. ADA requires that the building owner ensure barrier-free access to their place of business, while OSHA specifies responsibilities for communicating about workplace hazards and preventing injuries from them. In parallel to ADA and OSHA compliance, building operators must establish preparedness plans that address when and how evacuations should occur, designating assembly areas, managing crowds and traffic, and establishing key roles to oversee the event.

With all of these facilities risks, there are many opportunities for disruption and damage, each with the potential for significant consequences to operations. By identifying, assessing, and planning mitigation strategies with a risk assessment, managers can minimize risk probability and severity, monitor operations for emerging issues, and design risk prevention into their operations.

Conducting a risk assessment 

Risk assessments establish some structure around the process of reviewing your facility’s systems and equipment to identify potential problems or failures, and to understand the impact they might have. There are three aspects of potential impact that the assessment can help manage: the likelihood of a risk event, the severity of its impact on the operation or costs, and the probability that a fault will be detected. 

Some facilities will require a rigorous risk assessment, such as a Failure Modes and Effects Analysis (FMEA) designed by an engineer. When risk events do occur, a root cause analysis, paired with FMEA, can provide a detailed understanding of the risk. Finally, conducting the assessment with a multi-disciplinary team, including quality assurance specialists, engineers, architects, operations and maintenance personnel, and building occupants, will help maximize the benefits from the assessment. 

I recommend a six-step process that I’ve summarized below. It is designed to be flexible, since each facility and operation requires a unique approach.   

Step 1: Define the scope and objectives of the risk assessment.   

Begin by considering the depth of review you need – are you looking at key processes or specialized equipment? Use your initial understanding of the issue to set the assessment’s objectives. There is the potential for scope creep, such as if you need to understand upstream or downstream risks, so you may want to break the work down into manageable portions or phases.  

Step 2: Identify hazards and sources of risk. 

Next, gather data from existing documentation and employees. Create a thorough list of potential failures – there are likely to be several issues to consider. What is each failure’s potential impact on end products or processes? There may be multiple effects for each item considered.   

If the list seems too big at this stage, pare it down or break the analysis into phases. Once the risks are identified, record them in a spreadsheet or another tool so that you can build a risk register to be used in the risk management phase. 

Step 3: Analyze the likelihood and severity of risk events. 

Step three identifies and rates the probability of the risk event. Rare events, with long periods of uninterrupted activity between failures, have a low probability. Increasing frequency earns a medium or high rating. One way to think about frequency is to consider predicted time frames: is the event annual, semi-annual, monthly, or more frequent?  

Similarly, the severity should be rated as low, medium, or high. Severity is the estimated value of the risk’s impact. Rate easily addressed minimal impact events as low. More severe but correctable impacts are medium, and significant impacts – some even catastrophic, requiring equipment replacement and operational downtime – are rated high.   

A third factor is the ease of detection. In this case, easily detected failures get a low rating; those with more difficulty in detection are rated medium; and those where the chance of detection is low or remote get the highest rating. 

Step 4: Evaluate the risk level and priority. 

Now that the risks are identified and analyzed and the scores are recorded in the risk register, prioritize them so they can be addressed with mitigation strategies. For each of the likelihood, severity, and detectability ratings, give a three to a factor rated high, a two for medium, and a one for low, then multiply the three results to get the risk's score. Your team can then rack-and-stack the risks to focus on the highest priorities.

You may be ready to consider the potential financial impact of these events at this stage. Quantifying impact may involve estimating repair costs, anticipated idle time costs, or lost revenue. Cost impact is useful information to have when prioritizing which risks to address early in the mitigation process. 
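The scoring in Steps 3 and 4, worked through on a small risk register. This is an added example, not part of the original article; the sample risks, their cost figures, and the use of estimated cost to order risks with equal scores are assumptions made for illustration.

```python
from dataclasses import dataclass

# Step 4 scale: high = 3, medium = 2, low = 1.
RATING = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Risk:
    name: str
    likelihood: str        # how often the event is expected
    severity: str          # size of the impact
    detection: str         # "low" = easily detected, "high" = detection is remote
    est_cost: float = 0.0  # optional estimate: repair, idle time, lost revenue

    def score(self) -> int:
        """Product of the three ratings; ranges from 1 to 27."""
        total = 1
        for field in ("likelihood", "severity", "detection"):
            value = getattr(self, field).strip().lower()
            if value not in RATING:
                raise ValueError(
                    f"{self.name}: {field} must be low/medium/high, got {value!r}")
            total *= RATING[value]
        return total

def prioritize(register):
    """Highest score first; equal scores ordered by estimated cost (assumption)."""
    return sorted(register, key=lambda r: (-r.score(), -r.est_cost, r.name))

# Constructed sample register for a critical facility (illustrative values only).
REGISTER = [
    Risk("Utility power loss, generator fails to start", "low", "high", "high", 250_000),
    Risk("Chiller trip during peak load", "medium", "high", "low", 80_000),
    Risk("Clogged air filters", "high", "low", "low", 2_000),
    Risk("UPS battery string degradation", "medium", "medium", "high", 40_000),
    Risk("Undetected slow leak above equipment room", "low", "high", "high", 120_000),
]

if __name__ == "__main__":
    for rank, risk in enumerate(prioritize(REGISTER), start=1):
        print(f"{rank}. score={risk.score():2d}  cost=${risk.est_cost:>9,.0f}  {risk.name}")
```

Because hard-to-detect failures receive the high rating, a rare but severe event that would go unnoticed scores above a frequent, minor, easily spotted one.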

Step 5: Develop and implement mitigation strategies. 

The team now uses prioritization to determine how much risk can be tolerated and which risks to focus on. Decide on which precautions to implement and assign teams to develop them. Administrative, management, and engineering controls are tools designed to address risk causes: 

  • Administrative controls: controls focused on day-to-day processes, such as inspections, preventive maintenance, and cleaning; they may be part of existing operating manuals or may need to be developed due to emerging experience with the equipment; 
  • Management controls: controls including the risk register, along with meetings to set priorities and manage progress; 
  • Engineering controls: more technical and complex risks may require new processes or performance measurement, with enhanced monitoring and testing to manage them.  

Step 6: Manage the risk assessment and mitigation process.    

Risk assessment and management is important throughout the facility’s life cycle, and facility executives need to return to it regularly. The risks need to be continuously evaluated for validity or for emerging issues, the register needs to be updated whenever there is a change in probability or severity, and new mitigations may be developed based on the team’s growing experience with managing the risks.

Facilities are at risk for disruption and damage from many sources and the consequences can be severe, including injuries to personnel or customers, downtime, lost revenues, or loss of key equipment and buildings. Facility executives can use the risk assessment process described here as a first step in identifying the risks they face and developing mitigation strategies to minimize their impacts. 

Jim Turner serves as a trusted advisor to real estate and facilities leaders with a current focus on critical infrastructure and buildings. His expertise covers the built environment life cycle, including planning, design, construction, operations, and disposal. His work often features strategic planning; project development; construction and program management; cost analysis; operations and maintenance planning; organizational design; strategy and change management; and workflow design. He has tenure with several leading engineering-architecture-construction firms, including Jacobs and AECOM.


Posted on 1/15/2024
