Carrying out Vulnerability and Risk Assessments and Directing Improvement Plans

1. What is Vulnerability? What is Risk?

A vulnerability/risk assessment is a step by step evaluation that aims to identify vulnerabilities/risks and, the ability to reduce these vulnerabilities/risks through corrective actions. An effective vulnerability/risk assessment identifies critical business aspects (e.g. processes, assets). The vulnerability/risk assessment provides a framework for developing vulnerability/risk reduction options and determining associated costs to enable this.

It is important to note that vulnerability and risk assessments are subjective, and therefore (a) need to be completed by competent persons (preferably a team - i.e. more than one person), and (b) require careful consideration. It is therefore best to include comments as far as possible to indicate how a decision was made.

2. Vulnerability Assessment Examples

Example 1: Provision of Effective and Sustainable Municipal Water Services

The Municipal Strategic Self-Assessment (MuSSA) tool identifies water services vulnerability and therefore helps currently stressed municipalities in South Africa to prioritize what has to be done to enable effective, sustainable water services delivery.

  • MuSSA focuses on assessing overall Business Health of WSA to fulfill water services function
  • Determines Vulnerability Status of 18 Key Functional Business Attributes of Water Services Business at a strategic / high level
  • Provides strategic flags (vs. deep technical detail, which is captured via other programs incl. Regulatory) as to Business Health
  • 5 Essence Questions per each Key Functional Business Attribute
  • Output indicates vulnerability score for each Business Attribute
  • Additional output is an overall score: Municipal Vulnerability Index

Example 2: Guiding Effective Enterprise and Skills Development

As part of its Corporate Social Responsibility efforts, a mining company in South Africa aimed to assist budding local entrepreneurs (through its associated foundation). The main aim of this project was to develop a Business Health Check tool which could be used to assess both the state of readiness of the entrepreneur, whether proposed business plans were feasible and whether businesses were adhering to required standard practice, accounting protocols, etc (i.e. Will the investment made be money well spent?). The Business Health Check process enabled a positive and educational dialogue between the entrepreneur and the foundation, with areas of weakness clearly shown. In addition, skills development needs, incubator support needs, and mentoring/coaching needs are clearly shown. The beneficiary and the foundation are therefore able to jointly plan supportive measures to reduce Business Risk.

3. Risk Assessment Examples

Example 1: Water Safety Plan

The provision of safe drinking water and effective sanitation are considered the most important determinants of public health. Water Safety Planning is an approach often utilised by water authorities to identify and manage risks. The Water Safety Planning tool allows a user to complete a Water Safety Plan (WSP), and includes the following sections: (1) Formulate the WSP team, (2) Describe the system (source, treatment, storage, distribution, point of use), (3) Assess/evaluate the water system (source, treatment, storage, distribution, point of use), (4) Hazard/risk assessment of the water system (source, treatment, storage, distribution, point of use), (5) Summary of risks and associated prioritization and (6) Identify control measures and associated corrective actions, responsibilities, timeframes, and costs (for subsequent WSP implementation).

Example 2: Water Services Infrastructure Risk

The basic elements of the water services infrastructure risk assessment include:

Example: Basic elements of a water services infrastructure risk assessment

Elements Points to consider
1. Identify assets
  • Look at the entire system, including customers served and system components. Define the highest priority services provided by the water services.
  • Identify the most important facilities, processes and assets of the system for achieving the desired function and avoiding undesired consequences.
2. Identify threats and challenges
  • Identify types of threats that could substantially disrupt the ability of the system to provide a safe and reliable supply of drinking water or otherwise present significant public health concerns to the surrounding community/environment.
  • Identify and define ranges of these impacts for each of the events (e.g. magnitude of service disruption, economic impact, impact on public confidence, chronic problems arising, and number of illnesses).
3. Consider consequences
  • Consider undesirable acts that could reasonably cause undesired consequences.
  • Consider how each identified threat could affect the system, from the smallest possible impact to the worst case scenario.
4. Assess likelihood
  • Determine possible modes of undesirable acts that might result in impact of significant concern especially for system critical assets (based on the critical assets of the water system).
5. Evaluate existing control measures
  • Identify currently employed measures/strategies for detecting issues (e.g. alarm), delaying issues (e.g. access control) and responding to issues (e.g. emergency plans).
  • Evaluate the effectiveness of these strategies to protect the system.
6. Plan to reduce risks
  • Develop a list of recommended actions that will reduce the system's vulnerability to threats.
  • Rank the actions by the urgency for rectification.
  • Consider short and long term solutions to each of the vulnerabilities identified in the system.

4. Plan-Do-Check-Act

It is important to remember that the completion of the vulnerability/risk assessment tools is only the start of the process. For the tools to be effective a holistic (start-to-finish) management approach needs to be adopted (e.g. "Plan-Do-Check-Act" (PDCA) framework) to address identified vulnerabilities/risks. This needs commitment from management to plan, budget, implement required remedial measures, track improvements, etc. The required cycle is best summarised as follows: (i) PLAN: (what needs to be done, (ii) DO (budget and implement), (iii) CHECK (track improvements, is it working), and (iv) ACT (adjust the plan, etc if not effective and re-start the cycle).

Therefore, once the assessment has been completed, and vulnerabilities/risks have been identified, appropriate improvement plans need to developed, implemented and tracked.

5. Tool Development

Tools are normally developed in conjunction with clients and domain experts. The methodology generally includes the following steps:

  • Consider beneficiaries and stakeholders
  • Identify required tools (e.g. vulnerability assessment and/or risk assessment)
  • Identify the categories/criteria
  • Craft "essence questions" with topic specialists
  • Develop draft tool
  • Test internally and refine
  • Workshop and refine
  • Deploy

6. Further Information

If you would like to utilise one of the existing RiskQ tools, or would like assistance in designing and developing your own customised tool, please contact us.

Existing tools

  • Business Health Assessment
  • Climate Change Adaptation Vulnerability Assessment
  • Municipal Strategic Self-Assessment of Water Services (MuSSA) (2012)
  • Municipal Strategic Self-Assessment of Water Services (MuSSA) (2013)
  • Waste Stabilization Ponds Assessment Tool
  • WNK Waterveiligheidsplan (Afrikaans WRC Water Safety Plan)
  • WRC W2RAP (Wastewater Risk Abatement Plan) Status Checklist Tool
  • WRC W2RAP (Wastewater Risk Abatement Plan) Tool
  • WRC Water Safety Plan Tool
  • WRC Water Safety Plan Status Checklist
  • WRC waterVUL - Water Infrastructure Vulnerability Assessment

Get in Touch

If you would like to utilise one of the existing RiskQ tools, or would like assistance in designing and developing your own customised tool, please contact us.

  • r Phone:
    +27 21 880 2932
  • h Email:
    info@riskq.co.za
  • m Address:
    Unit 8A, Octoplace
    Technopark
    Stellenbosch
    Western Cape
    South Africa