Taking Hazard
Vulnerability
Beyond Healthcare
By BOB FARKAS
For several years the Joint Commission on Accreditation of Healthcare Organization (JCAHO) has required hospi- tals to ensure they evaluate and mitigate risks and exposures
that could impact their ability to deliver
healthcare services under all conditions.
By incorporating findings from our facilities risk assessment work into an enhanced
HVA, we’ve produced an approach that
can be used in any environment which
critically depends upon its facilities services, such as electric power, heating and
cooling, etc.
quantitative risk assessment.” While the
existing HVA is useful for auditors looking to confirm minimum compliance, its
scope and subjective assessment methodology can be modified to determine how
risk mitigation strategies and limited capital can effectively be deployed for maximum benefit.
or have no influence on risk. The probability, impact, and mitigation scores are
derived from a qualitative assessment
of each factor based on a limited set of
general guidelines applied to the personal
knowledge, experience(s), subject matter
experts, and/or consensus of individual(s)
responsible for completing the assessment.
The final risk score, risk = probability
x severity, of an event/threat is a percentage derived by multiplying the probability with severity, which is the weighted
average computation of the six impact
and mitigation parameters. By ranking
the magnitudes of risk scores, a facility
can identify which events pose the highest risk and subsequently which risks need
to be addressed. Similarly a single composite score for each risk category can be
computed by multiplying the composite
weighted average probability of all events
with the composite weighed average of the
their severities.
Although JCAHO does not prescribe
any specific approach, the defacto “
standard” of this activity since 2001 has been
the “Hazard Vulnerability Analysis”
(HVA) which was originally developed in
response to JCAHO’s request for a “more
Standard HVA Model
The existing commonly used model
includes specific external and internal
events and threats such as flood, electrical
failure, terrorism, and chemical exposure
defined for natural, technological, human,
A risk score of each
event (or threat) within a
risk category, is computed
by scoring probability, types
of impact, and mitigating
activities. Impact categories include human, property and business impacts
while mitigating activities
include preparedness, internal resources, and external
resources.
Each probability, impact
and mitigation risk factor
is assigned a numeric
value representing a high,
medium or low chance of
occurring and magnitude
of impact. Mitigation activity scores are
reverse (high = 1, medium = 2, low =
3) representing comprehensiveness of
the mitigating activity and an offsetting
influence on impact. One can also assign
zero (0) for factors that are not applicable
Current Model
Ideally, an HVA could provide more
depth and breadth of specificity to more
accurately assess risk and to provide
actionable information to address those
risks. The three noteworthy enhancement opportunities of the traditional HVA
encompass:
n The subjectivity by which probability and
risk factors are scored: The model lacks
standard or objective criteria, or other
fact-based data by which to determine a
range of probabilities and vulnerabilities
in an objective way. Scoring is based on
perceptions, personal experience and
varying criteria from person-to-person
or assessment-to-assessment resulting
in an inconsistent methodology and
results.
n Impacts, mitigations, and risk events:
They may be too general or limited in
scope of possible contributing factors.
For example, in the technology risk
category many factors could contribute
to an information system failure event.
The single all encompassing category
is too general and doesn’t allow a more
granular means by which to identify
key factors that could contribute to
an IS failure. Similarly, a health care
facility with research capability or a
manufacturing facility with work-in-
