On this page:

Preparing Scotland: Scottish Guidance on Preparing for Emergencies

« Previous | Contents | Next »

Listen

03 Risk Assessment

This chapter to be reviewed by November 2008

Summary

  • A simple risk management framework for a local risk assessment process is outlined.
  • The Community Risk Register is described.
  • Annexes provide:
    • A summary of the local risk assessment process.
    • Guidance on hazards and threats to be considered (issued separately).
    • Descriptions of the likelihood of a risk.
    • Descriptions of the impact of a risk.
    • A risk matrix for scoring risks.
    • Examples of an individual risk assessment.
    • A Community Risk Register.

Risk assessment

3.1 Risk assessment is both an integral component of a risk management process and the first step in preparing for emergencies.

3.2 Risk assessment in this guidance addresses:

Hazards - which are natural or unintentional risks (for example, severe weather or industrial accidents)

and

Threats - which are malicious or deliberately made risks (for example, terrorist acts).

3.3 At its simplest, risk assessment asks the following questions:

What if? Which seeks to identify risks, both hazards and threats.

What then? When the likelihood and the impact (the consequences) of events are assessed.

So what? Which evaluates the significance of the risks and their relevance to the local area.

Then what? Which takes steps to manage the risks.

3.4 The purpose of risk assessment is to:

  • ensure that local responders have an accurate understanding of the risks that they face so that their planning has a sound foundation and is proportionate to the risks.
  • enable local responders to assess the adequacy of their planning and capabilities, and allow any shortcomings to be addressed.
  • facilitate co-ordinated local preparation based on consistent planning assumptions.
  • enable local responders to describe the emergency planning context for the public and officials.
  • inform and reflect Scottish and UK risk assessments that support emergency planning and capability development.
  • provide a rational basis for the prioritisation of objectives, work programmes and the allocation of resources.

3.5 Risk assessment contributes to a process that is cyclical and subject to regular review that will lead to a continuous improvement in local risk management. It is essential that the risk management process responds quickly to changes in the risk environment. This means that the process should be iterative, monitor risks and be kept up to date.

3.6 The process described below is consistent with that used at various levels of government. Adopting this process will promote better communication of risk between these different levels and with and between local areas. Local risk assessment relates to the duty on local responders under the Civil Contingencies Act, as described in Section 2 of the Preparing Scotland guidance. At the UK level, however, risk assessment will be co-ordinated by the Cabinet Office Civil Contingencies Secretariat, supported by the Scottish Executive for Scotland's interests, as part of the framework that underpins the UK Capabilities Programme.

3.7 For Scotland, the Scottish Executive Fire & Civil Contingencies Division ( SEFCCD) has commissioned work through formation of a Scottish Risk Assessment Group ( SRAG) on hazard assessment to ensure that variation in the likelihood and impacts of hazards in Scotland is accommodated in local arrangements. The SRAG guidance to Category 1 Responders in Scotland is based on the Local Risk Assessment Guidance ( LRAG) issued by the Cabinet Office Civil Contingencies Secretariat. Given the difficulties in assessing threats, central government - lead department, the Home Office - has developed threat assumptions on a UK national level. This guidance on threats is also included in the LRAG. Detailed guidance on hazards and threats for Category 1 responders in Scotland is provided in Annex 2 to this chapter. Annex 2 will be issued separately to Category 1 responders in each Strategic Co-ordinating Group area who require the information for risk assessment. Depending on available resources, Strategic Co-ordinating Groups may be provided with additional assistance from SRAG member organisations in developing their Community Risk Registers.

The risk management process

3.8 Risk assessment is one component of the general risk management process set out below.

Figure 1 - The Risk Management Process

image of Figure 1 - The Risk Management Process

The dashed lines in Figure 1 represent the different aspects of the process:

Establishing the context - involves defining the nature and scope of the risk problem and agreeing how the risk management process will be undertaken.

Evaluating Risk - covers the identification of those threats and hazards that present significant risks, analysis of their likelihood and their impacts which are combined to assist in prioritising risks.

Treating the risk - involves deciding which risks are unacceptably high and developing strategies to mitigate them.

3.9 Risks vary with changes in the environment in which they are set and changes in the hazards and threats. These changes will affect emergency preparedness and capabilities. Periodic reviews are required to ensure that changes are captured then reflected in the risk assessment and emergency planning processes.

The local risk assessment process

3.10 The recommended local risk assessment process is consistent with that shown in Figure 1. Individual steps are described below and summarised in Annex 1.

3.11 The process will be commissioned by the Strategic Co-ordinating Group which will determine the management arrangements for the project and review its outcomes.

Step 1: Establish the risk management context

3.12 Category 1 responders should begin by defining the scope of the risk management activity in the context of the Civil Contingencies Act and this guidance. They should review the process that they will adopt and identify the project's stakeholders. Key stakeholders will include the local Category 1 and Category 2 responders and groups in the community with a particular interest in elements of the work (for example, local business interests).

3.13 It is important that responders understand, at the outset, the principles and criteria with which risks will be evaluated and prioritised as described in this guidance. This should prepare them for later stages of the process in which they will need to decide which risks are acceptable, which must be tolerated, which require treatment, including those that require emergency plans.

3.14 At an early stage responders should describe the characteristics of the local area that will influence the likelihood and impact of an emergency in the community. To do this they should reflect on the following aspects of their area, describing the current situation, emerging trends and anticipated future events:

Social: - What is the demographic, ethnic and socio-economic composition of the community? How are the various communities geographically distributed within the local area? How great is social cohesion? Are there any particularly vulnerable groups in the community? How experienced is the community at coping with different types of emergencies?

Environment: - Are there any particular local vulnerabilities (poor coastal defences, etc.)? Is the area urbanised, rural or mixed?

Infrastructure: - How is the infrastructure configured in the area (transport, utilities, etc.)? What are the critical supply networks in the area? Are there any sites in the area that are particularly critical for local, regional and national essential services (telecommunications hubs, health, finance, legal, etc.)? What type of economy does the area have?

Hazardous sites: - What potentially hazardous sites exist in the area? Where are they in relation to communities or sensitive environmental sites?

Step 2: Initial hazard and threats assessment

Hazards

3.15 Taking into account the local context, each Category 1 responder should identify the hazards that, in its view, could give rise to an emergency in their area over the next five years. The hazards will be identified on the basis of experience, research or other information. Annex 2 provides a table to assist the process which, although extensive, is not exhaustive and other hazards may be identified. To assist in producing a consistent picture of risk across the UK hazards should be listed under the relevant hazard categories provided in Annex 2. Category 1 responders need only consider those hazards that are likely to present consequences requiring the performance of their functions or a special mobilisation.

3.16 Each Category 1 responder should submit its views of the hazards in the form of a draft Individual Risk Assessment. The example of a completed risk assessment at Annex 3 shows typical subject areas for which information will be required. The draft assessments should provide some outline information for these subject areas, as appropriate to each Category 1 responder's expertise and knowledge.

Threats

3.17 Central Government will also provide Strategic Co-ordinating Groups with general threat assessments. These are provided in a table in Annex 2. The assessments will describe the types and scales of threats that are assessed to be of sufficient likelihood to warrant consideration in the local emergency planning process. Some of the threats will only apply to certain local areas and it will be for the Strategic Co-ordinating Group to decide which apply to its area. Impacts on the local area can be assessed but the threat risk assessments cannot be treated in the same way as hazards, that is plotted on a risk matrix, and must be considered separately.

Step 3: Multi-agency collation of hazards and threats

3.18 Once all individual assessments are collated, the Category 1 responders best qualified to assess, or gather information on the likelihood of each hazard should be identified. In most cases the information will be best provided by a lead UK or Scottish organisation. Annex 2 provides this information for a wide range of hazard categories. If further analysis is required, the lead Category 1 responder should liaise with the appropriate lead organisation(s), for particular hazards, on behalf of the Strategic Co-ordinating Group.

3.19 At this stage it may be helpful to start populating the Community Risk Register ( CRR - see Annex 6) with the hazards identified and threats provided. The CRR will provide an overview and can be used as a working tool for project management, as well as an end-product of the risk management process.

Step 4: Risk analysis

3.20 The lead responders should undertake, or pass on, an assessment of the likelihood of a hazard occurring over the next five years. This timeframe will also be used in UK and Scottish national risk assessments. Where possible the lead responder should also seek to establish the scale(s) of emergencies that are of most concern. Annex 4 describes the quantitative and qualitative scoring for likelihood. Annex 2 provides guidance on likelihood in a five year timeframe for a wide range of hazards.

3.21 It is important for all responders to maintain a realistic perspective on the events. For example, the biggest in scale may not necessarily be the one of most concern as it may be reasonable to expect that significant external resources would be mobilised to assist.

3.22 It is also important to exclude, at this stage, events that are so low in likelihood that planning cannot be justified (e.g. meteorites hitting the earth). This is not to say that all low-likelihood, high-impact events should be excluded, but a careful judgement will be needed about the likelihood below which particular events will be excluded from the assessment.

3.23 In the case that the UK or Scottish organisation is unable to provide an assessment in the required timeframe, the lead responder should record the fact and make their own assessment using the best information and expertise available.

3.24 The next stage is to assess impacts more fully. This requires joint consideration by all responders of the risks identified and their scale or consequences. This will involve a good deal of common sense and should draw from experience and the information provided in Annex 2 on hazards and threats. Whilst the primary short-term consequences can be simple, the secondary or long-term consequences can be extensive and at times surprising. This activity may involve either a series of meetings or written submission followed by a meeting. The impacts of the hazards and threats should be assessed by using the scales and scoring methodology provided at Annex 4.

3.25 The assessments should be pragmatic, mixing evidence and judgement, both of which should be documented as far as possible. Where appropriate the assessments will be informed by studies on the context in which the assessment is set (see Step 1 above). These should outline the vulnerabilities (susceptibility to damage or harm) and the resilience (ability to withstand damage or harm) of relevant sites, systems and communities. An example completed risk assessment is provided at Annex 3.

3.26 The results should be entered into the Community Risk Register ( CRR). A layout for the CRR with example entries is shown at Annex 6.

Step 5: Risk evaluation

3.27 Risks are evaluated by combining the likelihood and impact scores for a hazard by plotting them on a risk matrix. The matrix at Annex 5 should be used. This risk matrix enables the risk analysis to be interpreted against pre-defined criteria and facilitates communication and comparison of the risk assessment. Annex 5 also provides definitions of the four risk ratings ("Very High", "High", "Medium" and "Low").

3.28 Note that in the risk matrix the likelihood score is given a slightly greater weighting than the impact score. For example, a 3 (Unlikely) likelihood score gives a "very high" risk with either of the upper 4 (Significant) and 5 (Catastrophic) impact scores whereas a 3 (Moderate) impact score only gives a "high" risk with either of the upper likelihood scores. The formula used to combine likelihood and impact scores varies from one risk assessment approach to another. The guidance presented here is consistent with a number of the major standards and consistency in the application of this risk matrix is essential if the results of the local risk assessments are to be easily compared. The results should be entered into the Community Risk Register.

Step 6: Risk treatment

3.29 Community Risk Registers are not an end in themselves, but serve as a means for ensuring a common approach to the harmonisation of emergency arrangements, plans and procedures.

3.30 At this stage of the risk assessment process the Strategic Co-ordinating Group should:

  • determine the acceptability of the risks based on their rating.
  • make decisions about its risk priorities.
  • determine risk treatment measures based on its priorities.

3.31 The process has a number of elements that are described below:

  • assess what is needed to manage and respond to the hazards and threats.
  • identify the arrangements and plans that are already in place.
  • consider any gap between needs and capability to meet those needs.
  • identify the additional treatments required to improve preparation and manage the risk more effectively.
  • determine the priority for treatment.
  • identify the responsibility for providing the treatment. Note that this may involve a transfer of the risk to an organisation outside the local area.
  • establish and manage a risk treatment programme.
  • record its judgements in the Community Risk Register.

Step 7: Monitoring and reviewing

3.32 There should be a full and formal review of all risks on a four-year cycle. However, risks should be monitored continuously and, where a change in circumstances arises, a new risk assessment should be performed. If necessary the Community Risk Register should be updated. Risk assessment should be a standing item on the agendas of the Strategic Co-ordinating Group. The Community risk Register should show the date for review of each risk.

3.33 Risk assessment guidance and methodologies will be reviewed on the basis of feedback from the development of risk registers at the local level and from experience in developing Scottish and UK national and regional assessments. The guidance contained in Annex 2 will be reviewed on an annual basis.

Step 8: Publishing risk assessments

3.34 When publishing the Community Risk Register ( CRR) and their individual risk assessments, local responders should take into account the principles of effective risk communication which are documented on the " UK Resilience" website ( http://www.ukresilience.info). They should also take into account the security classification of the information contained in the assessment. The Strategic Co-ordinating Group should review the information it proposes to publish to ensure that any sensitive information is treated appropriately. (For further guidance see Section 3, Chapters 5 and 7 of Preparing Scotland.)

3.35 The CRR is collectively owned by the Category 1 responders who co-operate in its production. We advise that the CRR should be published on the internet. To avoid having multiple versions, this can be done on the website of one Category 1 responder, with links to this site placed on the other Category 1 responders' sites.

« Previous | Contents | Next »

Page updated: Tuesday, June 12, 2007