
A documented risk assessment is one of the requirements for TAPA certification.
What is a risk assessment?
Risk assessment is all about the probability or chance something bad will happen and the impact the bad event will have on your company.
Risks and Mitigation
A risk assessment identifies risks and risk mitigation.
Once you understand the concept illustrated by the risk assessment matrix above, conducting and documenting the risk assessment is easy.
Study the Illustration
The left hand side boxes of the matrix are the probability or likelihood of the risk happening. The probability is evaluated from Remote, Possible, Occasional, Probable and Frequent. Frequent means that there is a high likelihood that the risk event will occur. Remote means that there is almost no chance that the risk event would occur at your company.
The top boxes are the impact on your company if the risk happened. The impacts range from Negligible, Marginal, Moderate, Critical, Catastrophic. Catastrophic could be defined as loss of life or permanent closure of the business. Critical is also serious but not as bad as Catastrophic. Critical might mean physical danger, lost customer, lost productivity, etc. Moderate could be serious customer dissatisfaction, partial loss of cargo, etc.
The labels for the Likelihood and Consequences may be changed by you for better understanding in your company. The labels you use in your risk assessment matrix should be defined in the work procedure for the Risk Assessment. Just remember to give each label a numeric value from 1 to 5.
Documented Risk Assessment
Now you have to document the risks to your company.
The TAPA FSR, TSR and PSR identify some mandatory risks that must be included in the risk assessment. Those risks include: Theft of Cargo, Theft of Information, Unauthorized access to the facility, Unauthorized access to cargo, Fictitious pickups of cargo, Security continuity during workforce shortages, Ground level windows, and Ground level ramps, among others.
All the risks mentioned in the TAPA requirements must be included on the risk assessment. In addition, TAPA expects that you will identify additional risks that are applicable to your company based on your industry, location, culture, etc.

Actual Risk Assessment
The easiest way to document the Risk Analysis is to make a Word document or Excel table. Then write a list of all the mandatory TAPA FSR, TSR and / or PSR risks. Be sure to add any additional risks that are applicable.
Risk Rating with No Mitigation
First you need to calculate the Risk Rating. The Risk Rating is the value of the risk before any mitigation or counter action is implemented.
The Risk Rating is found by multiplying the Probability value (P) by the Impact value (I).
Mitigation and Counter Measures
Then document all the mitigation and counter measures you have implemented to reduce your exposure to the risk. Mitigation lowers the Probability and the Impact on the company if the risk event happens.
Easy Example:
The Corona virus is a risk to a company. The Probability of it happening in a company is High with a value of 5. The Impact on the company is Catastrophic with a value of 5. The resulting Risk Rating without mitigation is 25.
Probability Mitigation
Mitigation to lower the Likelihood or Probability includes Hygiene Training, Hand Disinfection Stations, Masks in Common Areas, open windows, installation of filter systems, a filter maintenance program, etc. Many things can be done to decrease the Likelihood or Probability of the Corona Virus spreading in the company.
Is this Enough?
As a result of the above actions, the Probability of the virus spreading in the company is perhaps lower, going from 5 to 3. For some risks, reducing the Likelihood or Probability may be enough to reduce the risk to an acceptable level. However, in our example above, a Probability of 3 times an Impact of 5 gives us 15, a Very High Residual Risk.
Therefore something more needs to be done.
Impact Mitigation
Impact mitigation will lower the effect of the virus on the company if the virus is introduced. Examples of mitigation that lower the Impact include working from home, using another branch office to manage the work, redirecting cargo to another facility, creating temporary partnerships with other companies, sharing resources, etc. After the Impact mitigation is implemented, the Impact value is also lower. Hopefully, the planned Probability and Impact mitigation will reduce the Residual Risk to an acceptable level.
Residual Risk After Mitigation
After Probability and Impact mitigation has been implemented, the Probability and Impact are again assessed. The Residual Risk is the value of the Probability after mitigation times the Impact after mitigation. If the Residual Risk is not lower than the initial Risk Rating, then the mitigation had no effect.
Please Remember
Risks change all the time. Some risks are mitigated by technology, political decisions, company policies, new equipment, etc. Other risks are newly identified due to some of the same factors.
For this reason, the Risk Assessment needs to be reviewed and updated every year to evaluate the continued effectiveness of mitigation… and to identify and plan, implement, monitor, and evaluate preventive actions necessary to mitigate new threats.
This example is a very basic approach to risk analysis, but it is better than a simple “What If” list without any methodology.
For those companies that are ISO 9001 certified, the auditor may very well write a nonconformity if a risk assessment includes the mitigation, but does not include an evaluation of the effects of actions taken to reduce risks, as required by ISO 9001.
Last Point
Some companies write a risk assessment with identified risks… but with mitigation that is only planned. The mitigation must be implemented. A warehouse full of cargo with planned locks that are not yet installed makes no sense.
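The checks described above (Risk Rating, Residual Risk, mandatory risks present, mitigation actually implemented) can be run over a risk register in a few lines. This is an added example, not part of the original article or any TAPA tool; the `Risk` fields, the `review` function, the sample register and the `acceptable_max` threshold of 9 are assumptions made for illustration.

```python
from dataclasses import dataclass

# Mandatory risks named on this page (its list ends in "among others", so it is partial).
MANDATORY = [
    "Theft of Cargo", "Theft of Information",
    "Unauthorized access to the facility", "Unauthorized access to cargo",
    "Fictitious pickups of cargo",
    "Security continuity during workforce shortages",
    "Ground level windows", "Ground level ramps",
]

@dataclass
class Risk:
    name: str
    p: int             # Probability before mitigation (1-5)
    i: int             # Impact before mitigation (1-5)
    p_after: int       # Probability after mitigation
    i_after: int       # Impact after mitigation
    implemented: bool  # False means the mitigation is only planned

def rating(r):
    return r.p * r.i               # Risk Rating with no mitigation

def residual(r):
    return r.p_after * r.i_after   # Residual Risk after mitigation

def review(register, acceptable_max=9):
    """Return (risk name, finding) pairs; acceptable_max is an assumed threshold."""
    present = {r.name.lower() for r in register}
    findings = [(m, "mandatory risk missing") for m in MANDATORY if m.lower() not in present]
    for r in register:
        if not all(1 <= v <= 5 for v in (r.p, r.i, r.p_after, r.i_after)):
            findings.append((r.name, "value outside 1-5"))
            continue
        if not r.implemented:
            findings.append((r.name, "mitigation planned, not implemented"))
        if residual(r) >= rating(r):
            findings.append((r.name, "mitigation had no effect"))
        elif residual(r) > acceptable_max:
            findings.append((r.name, f"residual {residual(r)} above acceptable level"))
    return findings

# Constructed sample register; the first row is the article's 25 -> 15 example.
SAMPLE = [
    Risk("Corona virus", 5, 5, 3, 5, True),
    Risk("Theft of Cargo", 4, 4, 2, 3, False),
    Risk("Ground level windows", 3, 3, 3, 3, True),
]

if __name__ == "__main__":
    for name, finding in review(SAMPLE):
        print(f"{name}: {finding}")
```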
Conclusion
As you think about your risks, you will find that much of the mitigation for many risks has already been implemented. If the Residual Risk is acceptable, additional mitigation is not needed. Later, when considering continual improvement of the security system, additional mitigation may be identified to help lower the Residual Risk to a more acceptable level.