Risk Assessment and Mitigation
PERA divides Enterprise Risks into Generic Risks, Industry-specific Risks, and Facility-specific Risks.
- Generic Risks are those that are commonly found in many enterprises. Examples include Risks associated with Corporate IT Systems, which tend to be similar across many Industries.
- Industry-specific Risks are those that are common in a specific industry; for example, the risk of fire or explosions in Oil & Gas companies. The Risks associated with a solar farm and a nuclear plant are clearly different, even though both produce electricity.
- Facility-specific Risks are unique to a particular production facility. For example, a facility in an area prone to flooding or earthquakes will face special risks.
Thus, the Risk associated with a device, system, or network will vary widely according to the industry and facility.
Similarly, Risk Mitigation Measures often involve standards and regulations that are specific to that industry or location.
PERA has therefore established a PERA Enterprise Classification System. This classification system is used to identify industry-specific "PERA User Guides" that define Principal Roles, Professional Roles, and Standards for that industry. A list of Industry Classes and Sub-classes where PERA has been applied is available.
A "Risk Summary Template" is provided for each Major Industry Class and some subclasses.
It should be noted that in each Risk Summary Report, the Professional Role responsible for managing that Risk is indicated on the right.
These role assignments may be changed if necessary. However, consistency within an Industry or Enterprise is recommended.
Secondary Professional Roles (such as Procurement or H/R) may be identified by the responsible role when appropriate.
Risks may be divided into three main components:
- People (Human and Organizational aspects of the Enterprise),
- Facilities (Physical process equipment, buildings, etc.), and
- Systems (Control and Information Systems from regulatory control devices to Corporate IT).
Supply Chain may be considered as a fourth component, but it is unique in that it does not operate within the Enterprise, yet may still have an impact on Enterprise operations.
Example Risk Management Standards
PEOPLE
- OSHA 29 CFR: the most often cited Human safety standards.
- HACCP (Hazard Analysis, Critical Control Point): used in Food and Beverage Industries to control the risk of producing dangerous products.
- 40 CFR Part 68 (EPA RMP): provides a systematic method for the analysis of risks associated with potential equipment and piping failures.
FACILITIES
- HAZOP (HAZard and OPerability Study): used in chemical, petrochemical and other large-scale continuous process industries to systematically evaluate and mitigate risk.
- SIS/SIL: Safety Instrumented Systems for the process industry sector, Part 1: Framework, definitions, system, hardware and application programming requirements.
- ISO 14000: defines the environmental risk mitigation required for all operating facilities.
- US Coast Guard Standards: used to assess and mitigate Offshore Platform Hazards.
- 40 CFR Part 63: outlines key Emissions Standards established by the US Government which will require many refining and petrochemical facilities to reassess their flare systems. Pay special attention to the National Emission Standards for Hazardous Air Pollutants for Source Categories.
- 40 CFR Part 68 (EPA RMP): provides a systematic method for the analysis of risks associated with potential equipment and piping failures.
- The ISO Risk Management vocabulary document is ISO 73:2009.
- The ISO Risk Management Standards are ISO 31000 and ISO/IEC 31010.
SYSTEMS
SUPPLY CHAIN
- HACCP (Hazard Analysis, Critical Control Point): used in Food and Beverage Industries to control the risk of consumers receiving dangerous products.
- Material Safety Data Sheets: describe the hazards associated with a large number of chemicals; provided by 3E Company.
In most cases, the first step in risk management is to find all applicable standards for that particular industry and geographic (political) jurisdiction.
If these standards are met, then at least the regulatory requirements have been addressed.