Risk Assessment
Supply Chain Risk Management:
A Compilation of Best Practices
ANSI/ASIS SCRM.1-2014
ANSI/ASIS/RIMS RA.1-2015
STANDARD
The worldwide leader in security standards and guidelines development
ANSI/ASIS/RIMS RA.1-2015
RISK ASSESSMENT
ASIS International and The Risk and Insurance Management Society, Inc.
Abstract
This Standard provides guidance on developing and sustaining a coherent and effective risk assessment program including
principles, managing an overall risk assessment program, and performing individual risk assessments, along with confirming
the competencies of risk assessors and understanding biases. This Standard describes a well-defined risk assessment program
and individual assessments to provide the foundation for the risk management process. Seven annexes provide additional
guidance for applying risk assessments and potential treatments.
ASIS and RIMS standards and guideline publications, of which the document contained herein is one, are developed through a
voluntary consensus standards development process. This process brings together volunteers and/or seeks out the views of
persons who have an interest and knowledge in the topic covered by this publication. While ASIS administers the process and
establishes rules to promote fairness in the development of consensus, it does not write the document and it does not
independently test, evaluate, or verify the accuracy or completeness of any information or the soundness of any judgments
contained in its standards and guideline publications.
ASIS is a volunteer, nonprofit professional society with no regulatory, licensing or enforcement power over its members or
anyone else. ASIS and RIMS do not accept or undertake a duty to any third party because they do not have the authority to
enforce compliance with their standards or guidelines. They assume no duty of care to the general public, because their works
are not obligatory and because they do not monitor the use of them.
ASIS and RIMS disclaim liability for any personal injury, property, or other damages of any nature whatsoever, whether special,
indirect, consequential, or compensatory, directly or indirectly resulting from the publication, use of, application, or reliance on
this document. ASIS and RIMS disclaim and make no guaranty or warranty, expressed or implied, as to the accuracy or
completeness of any information published herein, and disclaim and make no warranty that the information in this document
will fulfill any person’s or entity’s particular purposes or needs. ASIS and RIMS do not undertake to guarantee the performance
of any individual manufacturer or seller’s products or services by virtue of this standard or guide.
In publishing and making this document available, ASIS and RIMS are not undertaking to render professional or other services
for or on behalf of any person or entity, nor are ASIS and RIMS undertaking to perform any duty owed by any person or entity
to someone else. Anyone using this document should rely on his or her own independent judgment or, as appropriate, seek the
advice of a competent professional in determining the exercise of reasonable care in any given circumstances. Information and
other standards on the topic covered by this publication may be available from other sources, which the user may wish to consult
for additional views or information not covered by this publication.
ASIS and RIMS have no power, nor do they undertake to police or enforce compliance with the contents of this document. ASIS
and RIMS have no control over which of their standards, if any, may be adopted by governmental regulatory agencies, or over
any activity or conduct that purports to conform to their standards. ASIS and RIMS do not list, certify, test, inspect, or approve
any practices, products, materials, designs, or installations for compliance with their standards. They merely publish standards
to be used as guidelines that third parties may or may not choose to adopt, modify, or reject. Any certification or other statement
of compliance with any information in this document should not be attributable to ASIS and RIMS and is solely the responsibility
of the certifier or maker of the statement.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or
by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written consent of the copyright
owner.
Copyright © 2015 ASIS International and The Risk and Insurance Management Society, Inc. All rights reserved.
ISBN: 978-1-934904-75-6
FOREWORD
The information contained in this Foreword is not part of this American National Standard (ANS) and has not been processed
in accordance with ANSI’s requirements for an ANS. As such, this Foreword may contain material that has not been subjected
to public review or a consensus process. In addition, it does not contain requirements necessary for conformance to the Standard.
ANSI guidelines specify two categories of requirements: mandatory and recommendation. The mandatory requirements are
designated by the word shall and recommendations by the word should. Where both a mandatory requirement and a
recommendation are specified for the same criterion, the recommendation represents a goal currently identifiable as having
distinct compatibility or performance advantages.
ASIS International and The Risk Management Society, Inc. collaborated in the development of this Risk Assessment standard.
About ASIS
ASIS International (ASIS) is the largest membership organization for security management professionals that crosses industry
sectors, embracing every discipline along the security spectrum from operational to cybersecurity. Founded in 1955, ASIS is
dedicated to increasing the effectiveness of security professionals at all levels.
With membership and chapters around the globe, ASIS develops and delivers board certifications and industry standards, hosts
networking opportunities, publishes the award-winning Security Management magazine, and offers educational programs,
including the Annual Seminar and Exhibits—the security industry’s most influential event. Whether providing thought
leadership through the CSO Roundtable for the industry’s most senior executives or advocating before business, government,
or the media, ASIS is focused on advancing the profession, and ensuring that the security community has access to intelligence,
resources, and technology needed within the business enterprise. www.asisonline.org
The work of preparing standards and guidelines is carried out through the ASIS International Standards and Guidelines
Committees, and governed by the ASIS Commission on Standards and Guidelines. An ANSI accredited Standards Development
Organization (SDO), ASIS actively participates in the International Organization for Standardization (ISO). The mission of the
ASIS Standards and Guidelines Commission is to advance the practice of security management through the development of standards
and guidelines within a voluntary, nonproprietary, and consensus-based process, utilizing to the fullest extent possible the knowledge,
experience, and expertise of ASIS membership, security professionals, and the global security industry.
About RIMS
As the preeminent organization dedicated to advancing the practice of risk management, RIMS, the risk management society™,
is a global not-for-profit organization representing more than 3,500 industrial, service, nonprofit, charitable and government
entities throughout the world. Founded in 1950, RIMS brings networking, professional development and education
opportunities to its membership of more than 11,000 risk management professionals who are located in more than 60 countries.
Suggestions for improvement of this document are welcome. They should be sent to ASIS International, 1625 Prince Street,
Alexandria, VA 22314-2818.
Commission Members
Charles Baley, Farmers Insurance Group, Inc.
Michael Bouchard, Sterling Global Operations, Inc.
Cynthia P. Conlon, CPP, Conlon Consulting Corporation
William Daly, Control Risks Security Consulting
Lisa DuBrock, Radian Compliance LLC
Eugene Ferraro, CPP, CFE, PCI, SPHR, Convercent, Inc.
F. Mark Geraci, CPP, Purdue Pharma L.P., Chair
At the time it approved this document, RA, which is responsible for the development of this Standard, had the following
members:
Committee Members
Committee Co-Chair: Carol Fox, ARM, Director of Strategic and Enterprise Practice, RIMS
Committee Co-Chair: Marc Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative
Commission Liaison: Glen Kitteringham, CPP, Kitteringham Security Group Inc.
Committee Secretariat: Sue Carioti, ASIS Secretariat
TABLE OF CONTENTS
0 INTRODUCTION .... xv
0.1 GENERAL .... xv
0.2 DEFINITION OF RISK ASSESSMENT .... xvi
0.3 QUANTITATIVE AND QUALITATIVE ANALYSIS .... xvii
0.4 MANAGING ORGANIZATIONAL AND SPECIFIC RISK ASSESSMENTS .... xviii
0.5 PLAN-DO-CHECK-ACT MODEL .... xix
1 SCOPE .... 1
2 NORMATIVE REFERENCES .... 1
3 TERMS AND DEFINITIONS .... 2
3.1 DEFINITIONS .... 2
4 PRINCIPLES .... 8
4.1 GENERAL .... 8
4.2 IMPARTIALITY, INDEPENDENCE, AND OBJECTIVITY .... 9
4.3 TRUST, COMPETENCE, AND DUE PROFESSIONAL CARE .... 9
4.4 HONEST AND FAIR REPRESENTATION .... 10
4.5 RESPONSIBILITY AND AUTHORITY .... 10
4.6 CONSULTATIVE APPROACH .... 10
4.7 FACT-BASED APPROACH .... 10
4.8 CONFIDENTIALITY .... 11
4.9 CHANGE MANAGEMENT .... 11
4.10 CONTINUAL IMPROVEMENT .... 11
5 MANAGING A RISK ASSESSMENT PROGRAM .... 11
5.1 GENERAL .... 11
5.2 UNDERSTANDING THE ORGANIZATION AND ITS OBJECTIVES .... 12
5.3 ESTABLISHING THE FRAMEWORK .... 16
5.4 ESTABLISHING THE PROGRAM .... 22
5.5 IMPLEMENTING THE RISK ASSESSMENT PROGRAM .... 28
5.6 MONITORING THE RISK ASSESSMENT PROGRAM .... 38
5.7 REVIEW AND IMPROVEMENT .... 39
6 PERFORMING INDIVIDUAL RISK ASSESSMENTS .... 40
6.1 GENERAL .... 40
6.2 COMMENCING THE RISK ASSESSMENT .... 40
6.3 PLANNING RISK ASSESSMENT ACTIVITIES .... 45
6.4 CONDUCTING RISK ASSESSMENT ACTIVITIES .... 56
6.5 POST RISK ASSESSMENT ACTIVITIES .... 79
7 CONFIRMING THE COMPETENCE OF RISK ASSESSORS .... 82
7.1 GENERAL .... 82
7.2 COMPETENCE .... 82
A RISK ASSESSMENT METHODS, DATA COLLECTION, AND SAMPLING .... 88
A.1 GENERAL .... 88
A.2 TYPES OF INTERACTIONS .... 88
A.3 ASSESSMENT PATHS .... 89
A.4 SAMPLING .... 89
B ROOT CAUSE ANALYSIS .... 93
TABLE OF FIGURES
FIGURE 1: RISK MANAGEMENT PROCESS (BASED ON ISO 31000) .... xvi
FIGURE 2: PLAN-DO-CHECK-ACT MODEL .... xix
FIGURE 3: FORMAL VS. INFORMAL RISK ASSESSMENTS .... 30
FIGURE 4: INFLUENCE DIAGRAM EXAMPLE .... 37
FIGURE 5: RISK PORTFOLIO DESIGN FORMAT .... 47
FIGURE 6: MANAGING UNCERTAINTY IN CONTEXT .... 48
FIGURE 7: ELEMENTS OF THREAT .... 65
FIGURE 8: DETERMINING THREAT LEVELS .... 66
FIGURE 9: CRITICALITY AND CONSEQUENCE ANALYSIS .... 70
FIGURE 10: DETERMINING THE LEVEL OF RISK .... 71
FIGURE 11: RISK EVALUATION FUNNEL .... 74
FIGURE 12: CONCEPTUAL RISK "FRONTIER" .... 75
FIGURE 13: SAMPLE MATRIX .... 76
FIGURE 14: SAMPLING PROCESS .... 90
FIGURE 15: DEFINE, ANALYZE AND SOLVE .... 94
FIGURE 16: BUSINESS IMPACT ANALYSIS (BIA) .... 114
FIGURE 17: EXAMPLE OF BIA METHODOLOGY .... 115
FIGURE 18: EXAMPLE OF BIA PROCESS .... 115
0 INTRODUCTION
0.1 General
A risk assessment provides the analytical foundation for risk management; the risk assessment step of the
overall process is therefore used to inform decision-making. By using a logical, structured, and consistent
approach to assessing risk, persons responsible for decision-making can systematically select from possible
choices on the basis of reason and the best available information. In order to achieve the organization's
overall and risk management objectives, those responsible for conducting the risk assessment should follow
a structured approach to review and analyze relevant facts, observations, and possible outcomes. The output
of the risk assessment process provides a basis for informed decision-making to determine a particular
course or courses of action.
The risk management process of an organization should support enterprise-wide strategic and
operational activities, as well as program and project-related activities. A risk assessment provides the
cornerstone for informed decision-making about how to address uncertainties in achieving an
organization’s objectives. Therefore, a comprehensive risk assessment is designed to consider the
organization’s vision, mission, values, and culture, as well as its strategic and tactical objectives. It may
consider an organization's broader objectives and activities or some specific goals and objectives, but in
all cases it assesses what can affect the achievement of these, whether positively or negatively.
In this Standard, we focus on risk assessments from the viewpoint that risk – the effect of uncertainty on
achieving objectives (particularly uncertainty with respect to future outcomes) – is a dynamic concept.
Therefore, risk assessments require proactive and ongoing monitoring of the internal and external
context of the organization, as well as its risks and treatment measures. Uncertainty is inseparable from
likelihood: the future plays out in various and differing scenarios, some more likely than others.
Throughout this Standard, risk is considered from the perspective of achievement of objectives and
outcomes; therefore, the effect of uncertainty on objectives may result in opportunities with potential
gains (“improving”), as well as threats that may result in potential losses (“worsening”). Risk assumes
that things will change, whether in the environment or in other circumstances.
This risk assessment standard provides guidance on developing and sustaining a coherent and effective
risk assessment program, including principles, managing an overall risk assessment program, and
performing individual risk assessments, along with confirming the competencies of risk assessors. This
standard is complementary to the standards noted in the normative references and follows the risk
assessment process outlined in the ISO 31000:2009 Risk management — Principles and guidelines and
illustrated in Figure 1. A well-defined risk assessment program and individual assessments provide the
foundation for the risk management process.
This Standard provides a generic model for conducting risk assessments (including impact analyses) for
risk management decision-making and for use with risk-based management system standards. Risk-
based management system standards require a defined, repeatable, and documented risk assessment
process. That process provides the foundation for planning the management of issues addressed by a
management system standard, and also identifies opportunities for improvement. Therefore, following the
approach described in this Standard meets the requirements for the risk assessment process in management
system standards.
and the uncertainties in achieving desired outcomes (e.g., exploiting an opportunity, meeting obligations,
or managing risk-related events).
A comprehensive risk assessment program may comprise many different strategic and tactical risk
assessments – either ad-hoc or conducted at defined intervals or change(s) in circumstance(s). Individual
assessments within the overall risk assessment program are conducted within a clearly defined scope
and consistent with achieving the objectives of the overall risk assessment program. This Standard also
provides guidance on the preparation for and the execution of individual risk assessments.
f) Provide top management with a feedback loop to assess progress and make appropriate
changes to the risk assessment program; and
g) Manage information within the organization, thereby improving operational efficiency.
In conjunction with the PDCA model, this Standard uses a process approach for the risk assessment
program. A risk assessment program is a compilation of a system of interrelated activities; their
identification, linkages, and interactions can be referred to as a “process approach”. When designing a
risk assessment program, it is necessary to identify and manage many activities in order to function
effectively. Any activity using resources and managed in order to enable the transformation of inputs
into outputs can be considered to be a process. In developing the risk assessment program and individual
risk assessments, it is important to recognize that often the output from one process directly influences
the input of another process.
AMERICAN NATIONAL STANDARD ANSI/ASIS/RIMS RA.1-2015
Risk Assessment
1 SCOPE
This Standard:
a) Provides guidance for establishing a risk assessment program and conducting individual risk
assessments consistent with ISO 31000:2009 Risk management — Principles and guidelines, and the
Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk
Management (ERM) framework;
b) Provides guidance on conducting risk assessments for risk- and resilience-based management
system standards for the disciplines of risk, resilience, security, crisis, continuity, and recovery
management, including principles of risk assessments, managing the risk assessment program,
and conducting risk assessments, as well as evaluation of competence of persons involved in
the risk assessment process;
c) Describes the process for conducting risk assessments consistent with the Plan-Do-Check-Act
Model; and
d) Provides the informational basis necessary for decision-makers to make informed decisions
about managing risks in the organization and its supply chain.
Organizations of all types and sizes can use the concepts and guidance of this Standard to conduct risk
assessments supporting their risk management activities. It is recommended that organizations
implementing risk- and resilience-based management system standards use the procedures described in
this Standard in conjunction with ISO 31000:2009 to conduct their risk management activities (see Figure
1).
This Standard is a guidance document and not intended as a specification for third-party certification. It
provides a comprehensive approach to establishing a risk assessment program and the conduct of
individual assessments. Implementation of this Standard should be tailored to the needs of the
organization.
2 NORMATIVE REFERENCES
The following standards contain provisions which, through reference in this text, constitute provisions
of this American National Standard. At the time of publication, the editions indicated were valid. All
standards are subject to revision, and parties to agreements based on this American National Standard
are encouraged to investigate the possibility of applying the most recent editions of the standards
indicated below.
a) ISO 31000:2009, Risk management — Principles and guidelines;
b) ISO/IEC 31010:2009, Risk management — Risk assessment techniques; and
c) ISO Guide 73:2009, Risk management — Vocabulary.
3.1 Definitions
For the purposes of this Standard, the following terms and definitions apply:
Term Definition
3.1 asset Anything that has tangible or intangible value to the organization.
NOTE 1: Tangible assets include human, physical, and
environmental assets.
NOTE 2: Intangible assets include information, intellectual
property, brand, and reputation.
3.2 audit Systematic, independent, objective, and documented process for
obtaining, examining, verifying, and evaluating information relative to a
set of criteria.
3.3 capability analysis Process of evaluating the 1) competence, aptitude, and experience of
people and the organization, 2) suitability of technology, and 3)
application of processes for particular purpose(s) to determine whether or
not the expected output will fall within an acceptable range.
3.4 client Organization or person that receives a product or service
NOTE 1: Examples include consumers, contractors, end-user,
retailer, beneficiary and purchaser.
NOTE 2: A client can be internal (e.g., another division) or
external to the organization.
3.5 communication and Ongoing, iterative, and two-way processes for the exchange of
consultation information with and between stakeholders and decision-makers
regarding the management of risk.
NOTE 1: Information may relate to the context of the
organization, characteristics of the risks and its assessment,
and the selection and evaluation of risk treatment options.
NOTE 2: Communication and consultation informs the decision-
making process but does not infer joint decision-making.
3.6 community A group of associated organizations and people sharing common
interests.
3.7 competence Demonstrable ability to apply knowledge and skills to achieve intended
results.
3.8 conformity Consistency with a requirement.
3.9 consequence Result or effect of an action, condition, or decision on achieving objectives
and outcomes.
NOTE 1: Uncertainties interact and may result in singular or
multiple consequences with a potential for positive or negative
effects on objectives.
NOTE 2: Consequences should consider both tangible and
intangible factors and can be expressed qualitatively or
quantitatively, or both.
NOTE 3: Consequences may have cascading effects.
3.10 continual improvement Ongoing processes to improve products, services, and management
practices to enhance the ability to fulfill requirements
NOTE: Changes may be incremental or comprehensive.
2
ANSI/ASIS/RIMS RA.1-2015
Term Definition
3.11 corrective action: Action to rectify the causes of a detected nonconformity or other undesirable circumstances.
NOTE 1: There can be more than one cause for a nonconformity.
NOTE 2: Corrective action is taken to prevent recurrence, whereas preventive action is taken to prevent occurrence.
3.12 criticality: Of essential importance with respect to objectives and/or outcomes. [ANSI/ASIS SPC.1-2009]
3.13 criticality analysis: A process designed to systematically identify, evaluate, and rank positive and negative impacts on an organization's stakeholders, assets, services, and activities based on the importance of its mission or function, or the significance of risks on the organization's ability to meet its objectives and expectations.
NOTE: Determines which qualities or degrees of risk are of the highest importance for successful execution of an organization's objectives or which might represent a decisive turning point in strategy execution.
3.14 critical control point (CCP): A point, step, or process at which controls can be applied to modify risk.
NOTE 1: A threat or hazard can be prevented, eliminated, or reduced to targeted levels.
NOTE 2: A point at which opportunity can be leveraged.
3.15 disruptive event: An event that interrupts planned activities, operations, or functions, whether anticipated or unanticipated.
3.16 document: Information and supporting medium in any format.
3.17 effectiveness: Extent to which planned activities accomplish a purpose, thereby producing the intended or expected outcomes.
3.18 event: Change occurring in an interval of time with the potential to alter outcomes.
NOTE 1: Likelihood and consequences of an event may be predictable using qualitative or quantitative measures.
NOTE 2: An event may be due to singular or multiple causes and may have more than one occurrence.
NOTE 3: The non-occurrence of an anticipated change is also an event.
NOTE 4: An event is not a risk; rather, it is the uncertainty in the outcomes that creates risk.
3.19 impact: The positive or negative effect on someone or something (see consequence).
3.20 impact analysis: Process that identifies and evaluates the potential effects of change upon an organization. This may include an assessment of the pros and cons of pursuing a course of action in light of its possible consequences, or the extent and nature of further change (intended or unintended) that such change may cause.
3.21 incident: An event with consequences that has the capacity to cause gains or losses/harm to objectives and/or assets (e.g., tangible, intangible, and human assets, the environment, and rights of stakeholders).
3.22 integrity: Assuring the soundness, reliability, and completeness of tangible and intangible assets.
3.24 management system: Framework of policies, processes, and procedures used to ensure that an organization can fulfill all tasks required to achieve its objectives.
NOTE: Management systems are used by organizations to establish their policies, objectives, and targets; determine and allocate resources; define roles and authorities; implement procedures; and evaluate performance in order to achieve desired outcomes and objectives.
3.25 monitoring: Ongoing scrutiny, oversight, evaluation, and situational awareness for determining the current status and identifying changes in the internal and external environments as well as performance.
3.26 nonconformity: Failure to fulfill a requirement.
3.27 opportunity analysis: Process of identifying uncertainties that may be exploited and analyzing the organization's capability and readiness to exploit them. The process may include identifying unmet or underserved customer/client needs, identifying target markets, analyzing competitive advantages, as well as analyzing the organization's resource capacity to undertake an opportunity.
3.33 record: A document set down in writing or some other permanent form for later reference.
3.34 residual risk: Remaining risk after risk treatment.
NOTE: Residual risk may include risk retained by informed decision, untreatable risk, and/or unidentified risk.
3.35 resilience: Adaptive capacity of an organization in a complex and changing environment. [ANSI/ASIS SPC.1-2009]
3.36 resources: Any asset (human, physical, information, or intangible), facilities, equipment, materials, products, or waste that has potential value and can be used. [ANSI/ASIS SPC.1-2009]
3.37 review: Activity undertaken to determine the suitability, adequacy, and effectiveness of the management system and its component elements to achieve established objectives.
3.38 risk: Effect of uncertainty on the achievement of strategic, tactical, and operational objectives.
NOTE 1: Risk is considered as potentially having positive and/or negative outcomes.
NOTE 2: Uncertainty is the state where outcomes are unknown, lacking sufficient information, or otherwise undetermined or undefined in the course of decision-making.
NOTE 3: Objectives may include strategic goals related to the whole or parts of the organization and its value chain, as well as operational and tactical issues at all levels of the organization.
NOTE 4: Risk can be characterized by the effect of uncertainty on tangible and/or intangible assets and/or potential risk events.
NOTE 5: Risk is often expressed in terms of a combination of the consequences and likelihood of the outcomes of uncertainty.
NOTE 6: Sometimes risk is focused on negative outcomes, where it is considered a function of threats, vulnerabilities, and consequences.
3.39 risk acceptance: Informed action of consenting to retain, receive, or undertake a particular risk.
3.40 risk analysis: Process to characterize and understand the nature of risk and to define the level of risk.
NOTE: Risk analysis assesses the likelihood and consequences of a risk to provide the basis for risk evaluation and risk treatment decision-making.
3.41 risk appetite: The total exposed amount that an organization wishes to undertake on the basis of risk-return trade-offs for one or more desired and expected outcomes. [RIMS Executive Report on Exploring Risk Appetite and Risk Tolerance]
3.42 risk assessment: Overall and systematic process of evaluating the effects of uncertainty on achieving objectives.
NOTE: Risk assessment includes risk identification, risk analysis, and risk evaluation.
3.43 risk attitude: Organization's or individual's view/perspective of the perceived qualitative and quantitative value that may be gained in comparison to the related potential loss or losses. [RIMS Executive Report on Exploring Risk Appetite and Risk Tolerance]
3.44 risk criteria: Terms of reference used to measure and evaluate the significance and effects of risk.
NOTE 1: Risk criteria are a function of the organization's objectives, values, and policies, as well as the external and internal environment.
NOTE 2: Risk criteria can be derived from jurisdictional laws, obligations, and other requirements.
3.45 risk driver: Event, individual(s), process, or trend having an impact on the objectives of the organization.
3.46 risk evaluation: Process of comparing the results of risk analysis with risk criteria to determine whether a particular risk level is within an acceptable tolerance or presents a potential opportunity.
NOTE: Risk evaluation provides the basis for decisions about risk treatment methods.
3.47 risk identification: Process for determining what risks are anticipated, their characteristics, time dependencies, frequencies, duration, and possible outcomes.
NOTE: Risk identification involves the identification of threats, opportunities, criticalities, weaknesses, and strengths, as well as identifying sources of risk and potential events and their causes and impacts.
3.48 risk management: A strategic business discipline that supports the achievement of an organization's objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio. [RIMS Resources]
3.49 risk register: A compilation of all risks identified, analyzed, and evaluated in the risk assessment process.
NOTE: The risk register includes information on likelihood, consequences, treatments, and risk owners.
3.50 risk source: A factor with the potential to create uncertainty in achieving objectives.
NOTE: A risk source may include tangible or intangible factors alone or in combination.
3.51 risk tolerance: The amount of uncertainty an organization is prepared to accept in total or, more narrowly, within a certain business unit, a particular risk category, or for a specific initiative. [RIMS Executive Report on Exploring Risk Appetite and Risk Tolerance]
NOTE: The level of tolerance or acceptable level of variation related to achieving objectives may be influenced by jurisdictional law and stakeholder requirements.
3.52 risk treatment: Process of selecting and implementing measures to modify risk to achieve objectives.
NOTE 1: Measures to modify risk may include:
Avoiding the risk;
3.56 threat analysis: Process of identifying and quantifying the potential cause of an unwanted event which may result in harm to individuals, assets, a system or organization, the environment, or the community.
NOTE 1: Threats may be due to intentional, unintentional, or natural events.
NOTE 2: The term hazard refers to a [dangerous] condition or threat that may increase the frequency or severity of a loss. [Adapted from the Risk Management Principles and Practices textbook published by The Institutes, www.theinstitutes.org.]
3.57 top management: Person or group of people responsible and accountable for formulating organizational goals, objectives, strategies, and policies, and/or allocating resources.
3.58 undesirable event: Any event that has the potential to cause a negative impact on the achievement of objectives or assets, whether tangible or intangible.
3.59 value chain: The series of functions, processes, or activities, from raw materials to the eventual end-user, that creates and builds value at every step in order to deliver a product or service.
NOTE: For further information on risk vocabulary, please consult the ISO lexicon of terminology. Additional risk-related definitions can be found in the ISO Online Browsing Platform for ISO 31000: <https://www.iso.org/obp/ui/#iso:std:iso:31000:ed-1:v1:en>. Accessed August 2015.
4 PRINCIPLES
4.1 General
The principles in this Standard give the guidance necessary to provide transparency, confidence, and trust in
the risk assessment processes. A risk assessment is an effective tool for evaluating the organization’s risk
and resilience challenges and maturity and for driving performance improvements. In addition, the risk
assessment provides assurance to decision-makers that the adopted risk- and resilience-based
management system and risk management measures are achieving their intended objectives.
Examples of stakeholders in the risk assessment process include but are not limited to:
a) Customers, clients, stockholders, employees, contractors, and supply chain partners
(e.g., outsourced partners and critical infrastructure suppliers);
b) Government and regulatory authorities;
c) Non-governmental organizations;
d) Civil society groups; and
e) Members of the public (including the media).
The principles below apply to all the activities involved in the assessment program as well as to
individual risk assessments. Use of these principles helps validate that persons performing risk
assessments independently, yet in similar circumstances, will arrive at similar and repeatable conclusions.
Agreement on the validity of the underlying information is key in a risk assessment. A
clear process should be agreed on for what constitutes verifiable evidence and, when such evidence is unavailable, what
constitutes reliable information or estimates.
4.8 Confidentiality
Persons involved in the risk assessment process should keep confidential any sensitive, proprietary, and
risk-related information about an organization and its management system, as well as information that
may cause harm to the interviewees, clients, customers, supply chain partners, persons who work on
their behalf, complainants, and other external stakeholders. The risk assessment and its associated data
may be considered confidential and, if so, should only be shared with persons who have a genuine need
to know. Information exchange should be based on established procedures. A mechanism should be in
place to ensure all relevant information is protected and only provided to the appropriate people and
organizations. Confidentiality arrangements should consider legal obligations, including those for
protecting information as well as requirements related to disclosure.
5.1 General
The risk assessment program establishes a framework for the overall risk assessment steps in the risk
management process. The risk assessment program sets the parameters for the overarching
organizational structure, resources, commitment, and documented methods used to plan and execute
risk assessments. An effective program has a foundation of clearly defined objectives. A competent
person possessing the necessary training, skills, and experience should manage the risk assessment
program. The necessary resources should be identified and committed to meet the program objectives
(including qualified personnel, financial allocations, and sufficient time). Priority should be given to
assessing matters significant to the organization’s mission and the achievement of its objectives. The risk
assessment program should also consider legal, regulatory, contractual, and societal obligations. A
comprehensive risk assessment program should identify opportunities to maximize favorable outcomes
as well as minimize the likelihood and consequences of undesirable and disruptive events.
The risk assessment program should define:
a) Objectives and purpose of the risk assessment;
b) Scope, activities, areas, and locations to be covered by the risk assessment;
c) Duration, number, schedule, and frequency of the risk assessment;
d) Responsibilities and authorities associated with managing and conducting the risk assessments;
e) Risk assessment criteria (standards, policies, assessment metrics, and other criteria);
f) Assessor competence and selection of teams;
g) Business management issues related to risk assessment criteria and the risk assessment itself;
h) Resources (human, time and scheduling, financial, technology, equipment, travel, etc.);
i) Confidentiality, safety, and security issues;
j) Methods of how the risk assessment will be conducted;
k) Communication of risk assessment findings;
l) Monitoring risk assessment activities;
m) Documentation, records, and documentation procedures; and
n) Risk assessment evaluation and continual improvement.
A goal of a risk assessment program is to review the risk management controls and system, as well as to
identify opportunities for improvement. When developing the risk assessment program, the following
issues should be considered:
a) The management approach and the management system standard(s) being used;
b) The size and nature of the organization being assessed;
c) The complexity and volatility of the operating environment;
d) The scope, complexity, and level of maturity of the risk and business management system(s)
being assessed;
e) The risks associated with the organization being assessed and its applicable industry sector;
f) Business attributes and priorities of the organization being assessed; and
g) Allocation of resources required to adequately evaluate the management system.
expert in the operation of the enterprise to be evaluated, but must acquire enough of an understanding
of how the organization operates to appreciate its complexities and nuances.
Understanding the organization should include (but is not limited to) factors such as:
a) Organization mission and business objectives;
b) Nature of the business activity;
c) Tangible and intangible assets and the organization's value chain;
d) Governance, authority, and management style;
e) Current risk control measures;
f) Types of services provided or products produced, manufactured, stored, or otherwise supplied;
g) Stakeholders and their objectives;
h) Types of clients, clientele, and customers served;
i) Information flow;
j) Roles, responsibilities, and accountabilities;
k) Supply chain and critical infrastructure dependencies and interdependencies;
l) Legal and regulatory environment;
m) Voluntary commitments of the organization;
n) Competitive nature of the industry;
o) Enterprise culture;
p) Geographic spread of the enterprise;
q) Any special issues raised by the production, administration and service processes (e.g.,
environmental waste, disposal of defective goods, etc.);
r) Type of labor (e.g., labor union, unskilled, use of temporary workers, outsourcing, use of
immigrants, etc.);
s) Hours of operation;
t) Sensitivity of information; and
u) Perception of risk tolerance and acceptance (internally and externally).
When evaluating the objectives of an organization, some questions to consider include:
a) What are the explicit and implicit strategic objectives of the organization and the divisions
within?
b) What is the state of development, size, industry sector, geographical spread, maturity of its
business management style, and complexity of the organization and its activities?
c) What is the nature and extent of the significant risks associated with achieving the
organization’s objectives?
d) What are the boundaries for risk taking, what risks are they willing to take, and which are they
not?
e) What is the attitude towards governance in the organization and in the management of risk?
f) Is there an organizational structure to facilitate the management of risk?
g) What is the risk management culture in the organization?
h) Is the organization progressive and innovative, or conservative and averse to change?
i) Are there resources and systems to support the risk management processes?
j) What are the determining factors to consider in risk appetite and risk tolerance?
example, changes in the economic or socio-political environment may be monitored for their effects on
how acceptable a risk may be. Also, when evaluating the impact of a risk on the enterprise it is important
to revisit the designated levels of risk appetite and risk tolerance to determine if factors (e.g., reputational
impacts) were fully understood when making the initial estimates. Risk appetite, risk tolerance, and risk
aversions also may vary among different enterprise levels and elements of the value chain, but should
be aligned.
Risk appetite, risk tolerance, and risk aversions need to be clearly articulated concepts. Risk appetite has to be
set in the context of the maturity of the business and risk management processes of the organization. The
organization needs to have the competence and capability to manage risk within the boundaries it sets.
Therefore, the boundaries should be tailored and proportionate to the size, nature, and maturity of the
business and its risk management processes.
b) Framing a decision in terms of potential loss or gain will influence the criticality of the decisions
and perceived level of acceptable risk;
c) Timeframes for decision-making will influence the criticality of decision-making (shorter
timeframe usually results in higher criticality);
d) Quickly changing environments require revisiting the relevance of past experience and
expertise; and
e) Uncertainties, not just obvious problems, affect critical decision-making.
One risk may have compound effects on other risks. In the decision-making process, it is important to
assess risk so that interaction between multiple risks is understood. The impact of various decisions in
the assessment and treatment of risks should be considered throughout the risk assessment process, as
well as the potential for unintended consequences when addressing risk decisions.
The risk manager is responsible for the planning, management, and conduct of the risk assessment
program, while the RTL is responsible for the conduct of individual assessments. They are both
responsible for the professional and ethical behavior of the risk assessment team members. The RM and
RTL are responsible for:
a) Defining the objectives, criteria, and scope of the risk assessment program as well as of individual
assessments;
b) Communicating and consulting with relevant parties to the risk assessment;
c) Ensuring the risk assessment team and its members have the necessary competence to
successfully conduct the risk assessment;
d) Ensuring the allocation of adequate resources for risk assessment;
e) Ensuring the risk assessment program is executed as planned in a timely fashion;
f) Ensuring the completeness and integrity of documentation;
g) Ensuring risks to the client and risk assessment team of conducting the risk assessment program
are appropriately managed;
h) Reviewing work product(s) assigned to assessors for completeness and accuracy; and
i) Ensuring the integrity and confidentiality of information.
The client should appoint at least one representative from top management to interface with the
assessment team. The client’s representative should have the authority to provide the assessors:
a) Authority to conduct assessment and make decisions;
b) Appropriate organizational, functional, stakeholder, and historical information to evaluate
risks;
c) Access to areas and activities to be assessed;
d) Access to relevant persons;
e) Access to information;
f) Facilities for the risk assessment team use (e.g., private work space, telecommunications, safety
and hygiene facilities, etc.);
g) Support personnel if needed;
h) Safety, security, and regulatory requirements; and
i) Information needed for protection of proprietary rights and confidentiality.
j) Review of documentation;
k) Availability and accessibility of information;
l) Number of sites, multi-site considerations and diversity of stakeholders;
m) Single or multiple shifts, as well as weekends and off-hours;
n) Physical size and layout of the organization to be assessed;
o) Meeting requirements (opening and closing meetings, top management briefings, and
assessment team meetings);
p) Communications (including availability of information and communications technologies and
methods);
q) Safety and security arrangements and equipment;
r) Travel and logistics (including lodging, meals, and breaks);
s) Data analysis and report preparation;
t) Availability of competent personnel to conduct the risk assessments; and
u) Anticipated scheduling delays.
Adapted from A Cultural Approach to Decision Making Presentation at RIMS 2011 ERM Conference by Dr. Carl Spetzler.
Copyright © 2013. Risk and Insurance Management Society, Inc. All rights reserved.
Risk assessments become an automatic and informal part of the decision-making process when risk
management is fully integrated into the organization’s culture. When decisions become more significant
or complex, a moderate deliberative risk assessment process is needed. In these situations, limited risk
assessment techniques may be used in order to reach a decision in a shortened timeframe. When
decisions are strategic in nature and complex, a more rigorous deliberative effort is needed. In such
cases, multiple risk assessment techniques can be applied when there is a longer decision timeframe.
b) Experience; and
c) Personal skills and traits.
Factors to consider in selecting members of an assessment team include:
a) Overall competence of the assessment team needed to achieve the risk assessment objectives;
b) Nature of the risk management system and what specific risk disciplines have been addressed
(e.g., compliance, safety, security, crisis and continuity management – assessors may have a
specific discipline focus and bias so discipline balance should be considered);
c) Knowledge of industry sector and the risks the sector faces, including understanding the
specific context of the organization and its dependencies;
d) Complexity of the risk management activities, including the use of single or multiple
management system standards;
e) Risk assessment methods to be used;
f) Legal, regulatory and other requirements keeping in mind jurisdictional variations;
g) Independence, impartiality and avoidance of perceived or real conflict of interest;
h) Personal, cultural, social and language skills required to deal with diversity in the organization;
i) Security, clearances, citizenship, and safety requirements of the team members;
j) Dynamics of the team members and their ability to work together and with the client;
k) Logistics and availability of personnel; and
l) Leadership requirements and the need to oversee and train new assessors.
When considering the selection of assessors, the risk manager should evaluate the qualifications,
knowledge, experience, personal skills, and traits of the assessors needed to achieve the risk assessment
objectives. The risk manager should have a documented process for evaluating and selecting assessors.
See section 7 for additional details.
Technical experts may supplement the competence of the team. At all times the technical experts should
operate in conjunction with the risk assessors. Technical experts are intended to supplement the overall
expertise of a risk assessment team to provide subject matter expertise. Technical experts are not a
substitute for assessors having competence in the risk disciplines being assessed.
Assessors-in-training may also be included in the team. Assessors-in-training should have knowledge
of conducting risk assessments, the risks associated with the organization, and risk management. They
should participate under the direction and guidance of an experienced assessor.
The risk manager and RTL may make adjustments to the team during the course of the assessment
depending on the need for additional competencies.
an experienced assessor and familiar with the business and industry sector being assessed, as well as
risk-based disciplines being managed. The RTL is responsible for:
a) Satisfactory performance of all phases and activities of the assessment;
b) Representing the assessment team with the client and/or organization’s management team;
c) Initiating and maintaining communication with the client and/or organization’s management
team;
d) Encouraging diversity of views while maintaining professional behavior and harmony amongst
the assessment team members;
e) Developing the risk assessment plan;
f) Managing risks during the risk assessment process;
g) Leading, organizing and directing assessment team members (particularly assessors-in-training);
h) Making effective use of resources during the risk assessment and time management;
i) Conducting opening and closing meetings;
j) Conducting regular meetings and briefings with the risk assessment team as well as client
and/or organization’s management team;
k) Protecting the health, safety and security of the assessment team;
l) Assuring the confidentiality and protection of sensitive and proprietary information;
m) Preventing and resolving conflicts;
n) Reviewing the evidence and observations of the assessors and leading the team in determining
the findings and conclusion; and
o) Preparing and submitting the risk assessment report, assuring its factual accuracy and clarity of
recommendations.
Specific assessment assignments should be based on the experience and knowledge of the individual
assessors and reflect the complexity of the assessment tasks. There should be a balance in the assessment
team between technical, legal, industry, administrative, and risk-based discipline management
knowledge. The RTL should assign and communicate assessment responsibilities prior to commencing
the assessment.
5.5.5 Managing and Maintaining Program Documentation, Records, and Document Control
The risk manager should identify the documentation needs of the risk assessment. Procedures should
be established for the use and handling of documents and records created for the risk assessment
program by the risk manager. Clear procedures should be outlined for obtaining and handling client
and organizational documentation. The client and organizational management must explicitly approve
copying of any information or photography. Assessors should not remove, modify, delete, or destroy
documents (including electronic files) without explicit written permission to do so.
The risk manager should establish, implement, and maintain procedures to protect the sensitivity,
confidentiality, and integrity of documents and records including access to, identification, storage,
protection, retrieval, retention, and disposal of records. Documents should be clearly labelled as to their
status and version (e.g., draft or final, active or archival) as well as level of sensitivity and confidentiality.
Records should be maintained of access to information and documents.
In instances where reports are deemed confidential, the risk manager should establish computer and
network controls over files and risk assessment information to prevent access by unauthorized users.
When confidential information is collected the risk manager should establish procedures and provide
technology to assessment team members to use encrypted storage devices or laptops to secure this
information.
Records and documentation should be created, maintained, and appropriately stored for both the overall
risk assessment program and individual assessments, including:
a) Program objectives, criteria, and scope;
b) Risk assessment and treatment methods, and measures;
c) Evaluation of achievement of risk assessment objectives; and
d) Risk assessment program effectiveness and opportunities for improvement.
For individual risk assessments, records should include:
a) Plans and reports;
b) Assumptions, stakeholders, and information sources;
c) Risk criteria and risk appetite;
d) Safety, security, and confidentiality requirements and conditions;
e) Agenda and minutes from opening and closing meetings;
f) Non-conformance and corrective action reports;
g) Modification of risk treatment methods; and
h) Risk assessment follow-up reports.
Procedures should be established to create and maintain records of risk assessment performance.
Performance review records should be used to drive continual improvement of the risk assessment process
and assessment team competence. Examples of performance records include:
a) Feedback from the organization and client;
b) Selection criteria and competence of assessment team members;
c) Performance evaluations of the assessment team members and team leader;
d) Effectiveness of time management; and
e) Needs for continuing training and competence improvement of assessment team members.
e) Has the organization acted on identified risks, internal audit findings, exercise results, and
lessons learned from events by implementing appropriate corrective and preventive actions?
f) Is there a change management mechanism?
Adapted from Risk and Insurance Management Society, Inc. Copyright © 2014. All rights reserved.
6.1 General
This section focuses on individual risk assessments, both the preparation for, and the execution of these
risk assessments. Depending on the scope of the assessment, not all provisions in this section are
applicable to all risk assessments.
Risk assessments can be conducted by an internal team, an external team, or a combination, depending on the
needs and resources of the organization and the depth of expertise available. A risk assessment often follows the order
described in this section. However, this is not always the case, depending on the circumstances of the
assessment, particularly the definition of assessment objectives.
analysis and evaluation of the effectiveness of current risk treatment measures and opportunities for
improvement. Objectives are set within the context of achieving the organization’s overall business and
risk management objectives. Objectives should be anchored in key value drivers. In defining the
objectives for individual assessments, consider:
a) Nature of the organization’s objectives;
b) Events that could affect the achievement of enterprise-wide objectives (positively or negatively);
c) Clear outcomes to achieve from the assessment;
d) Use of the risk assessment outcomes and dissemination of results;
e) Risk categories to be considered;
f) How the individual assessment relates to the overall risk assessment program;
g) Current control measures to manage risk and to protect tangible and intangible assets;
h) Indicators for measuring risk levels;
i) Timeframes for the risk assessment; and
j) Resources needed to achieve the objectives.
Objectives of individual assessments may be broadly defined to consider enterprise-wide strategic or
operational requirements; or more narrowly focused to consider risks related to specific products,
activities, processes, or functions. The objectives can consider issues related to the organization and/or all
or part of its supply chain (however, in today’s world few organizations are not affected by their supply
chain and dependencies).
Individual risk assessments may identify, analyze, and evaluate risks related to one or more issues
contributing to uncertainty in achieving the organization’s objectives, including (but not limited to):
a) Mission and strategic vision;
b) Operational aspects (e.g., people, processes, and systems);
c) Legal and regulatory compliance and ethical practices;
d) Contractual obligations;
e) Ability to meet project objectives;
f) Product design, development, manufacturing, distribution, use, and disposal (including
services);
g) Information access, protection, and use;
h) Brand and reputation;
i) Financial, credit, and market factors;
j) Security (tangible and intangible asset protection);
k) Safety issues;
l) Undesirable and disruptive events (e.g., criminal activities, natural disasters, technology
failures, mismanagement);
A scope statement should be prepared clearly defining the boundaries of the risk assessment. This
should include a statement of work highlighting which organizational, physical, operational,
logical, and risk disciplines are included in the boundaries, so as to explicitly delineate what is in and what is
out of the risk assessment.
The RTL should obtain from the client verification or permission and access to conduct the risk
assessment within the approved scope.
During the course of the risk assessment, the RTL should notify the client if any significant conditions
exist outside of the scope of the assessment that otherwise may impact risk to the organization or
constitute an additional risk.
Copyright © 2013. Risk and Insurance Management Society, Inc. All rights reserved.
Adapted from 2012 RIMS Conference presentation by Joanna Makomaski. Copyright © 2012. Risk and Insurance Management
Society, Inc. All rights reserved.
Various techniques can be used to improve the accuracy and completeness of data gathering for
assessment purposes. Irrespective of the actual techniques employed, it is important that the overall
risk assessment process gives recognition to human and organizational factors.
Interactions during the course of the assessment between the assessment team and those who best
understand the risks facing the organization may take a number of forms. In identifying and evaluating
the risks that are relevant and important to the organization’s objectives, the assessment team may gather
data by exploring procedures, processes, activities, technologies (including information systems), and
the interaction between human and technological performance. Gathering data can be accomplished
through direct contact or through indirect review.
Direct contact – between stakeholders and the assessment team, such as:
a) Conducting interviews (in-person, telephone, or on-line) including completing surveys and
questionnaires with stakeholder participation;
i. Open-ended questions (structured interview).
ii. Close-ended questions (checklists).
b) Conducting document reviews with stakeholder participation;
c) Brainstorming in group sessions, which involves stimulating and encouraging free-flowing
conversation amongst a group of knowledgeable people to identify potential failure modes and
associated risks;
d) Facilitated workshops, or Delphi methodology, a means of combining expert opinions that may
support source and effects identification, likelihood and consequence estimation, and risk
evaluation. It is a collaborative technique for building consensus involving independent
analysis and voting by experts;
e) Scenario co-development; and
i. What If Questions.
ii. Scenario analysis - a process using descriptive models to ascertain and analyze possible
events that may occur in the future and their potential outcomes. It can be used to
identify risks by considering possible future developments and exploring their
implications. Sets of scenarios reflecting (for example) ‘best case’, ‘worst case’ and
‘expected case’ may be used to analyze potential consequences and their probabilities
for each scenario as a form of sensitivity analysis when analyzing risk.
iii. Exercising (e.g., table-top, war gaming, red-teaming, and adversary path development).
f) Envisioning multiple potential outcomes.
Indirect review – assessment team review of available data and documentation, such as:
a) Conducting document repository reviews (e.g., loss data and near-miss records, customer
satisfaction reports, internal audit, security, and management reports);
b) On-line risk survey results;
c) Industry and analyst reports;
plausible estimate for each calculation. Sensitivity analysis can also involve more complex mathematical
and statistical techniques to determine which factors in a risk analysis model contribute most to the
variance in risk estimates. Complexity generally is due to the fact that multiple sources of variability and
uncertainty are influencing the estimate at the same time, rather than acting independently.
When making decisions based on the sensitivity analysis, the following should be considered:
a) Most systems are dynamic;
b) Previous assumptions and values may not apply to changing conditions;
c) Model outputs may be very sensitive to certain parameters and assumptions (particularly
subjective likelihood estimations);
d) Model parameters may describe some risks better than others; and
e) Complexity of the model may actually be sensitive to multiple variables.
It should be kept in mind that risk analysis models are based on certain assumptions and premises;
therefore, the analysis is only as accurate as the reliability of the variables and parameters used.
understand the client and organization. This includes organizational policy documents, mission
statements, company profiles, organizational structure, management system(s), and industry practices.
It also includes information related to products, services, processes, and activities, as well as
understanding the geographic extent, interactions, and dependencies.
The RTL should obtain any risk management system descriptions, including manuals, for study by the
team. Previous risk assessment reports are also useful but should not bias current assessment efforts.
Proprietary concerns and non-disclosure agreements may need to be addressed. Document review
should examine the scope and policy statements of the client’s risk management system to check
consistency with the risk assessment objectives, criteria, and scope. Any inconsistencies should be
clarified with the client.
Sufficient documentation should be obtained in preparation for the risk assessment to determine if the
risk management system is properly designed and if there are any significant gaps that would indicate
the risk management system is neither complete nor properly maintained.
Within the defined scope and objectives, factors that contribute to the feasibility of the risk assessment
include:
a) Adequate resources committed to the risk assessment;
b) Adequate time within scheduling constraints;
c) Availability of assessment team personnel with the mix of characteristics, competences, and
necessary clearances;
d) Cooperation with the client and a conducive work environment;
e) Access to adequate and relevant information for preparing and conducting the assessment;
f) Logistical expenses; and
g) Language requirements.
Checklists should be revisited before each assessment to evaluate if they are appropriate for the job at
hand.
b) Introduce the assessment team and meet counterparts of the organization or client participating
in the assessment;
c) Confirm and explain risk criteria;
d) Confirm communication channels;
e) Verify clearances and approval to conduct the risk assessment;
f) Verify the feasibility of risk assessment activities; and
g) Provide an opportunity for the client to ask questions about the assessment.
The RTL chairs the pre-assessment meeting. A designated assessment team member should record
attendance and minutes. It should be held with the client’s management. Those who are responsible for
the services, functions, or processes being assessed may be present as well.
The pre-assessment meeting should be as detailed as necessary to ensure everyone present understands
the assessment process. The pre-assessment meeting is where, at a minimum, the nature of the
assessment is explained. The formality of the meeting is dependent on the type of assessment being
conducted.
The following items are appropriate for the pre-assessment meeting (where applicable):
a) Introduction of members of the assessment team to client representatives, including experts,
observers, and guides. Each of their roles should also be explained;
b) Confirm the risk assessment plan - scope, criteria, reference standards, objectives, and methods
used in the assessment;
c) Confirm the logistics of the assessment including:
i. Schedules – especially site visits and meetings;
ii. Communication channels between the client and the assessment team;
iii. Language to be used during the assessment;
iv. Issues of health and safety;
v. Review security and emergency procedures for the assessment team;
vi. Any issues related to information security and confidentiality; and
vii. An overall assessment schedule, showing topics, assessors, and approximate times to
complete.
d) Inform the client how the risk assessment findings will be reported including the method of
grading non-conformities and method of presenting assessment findings;
e) Confirm how the client will be informed of the progress of the assessment throughout the risk
assessment;
f) Confirm what resources and facilities will be made available to the assessment team;
g) State the conditions under which the assessment may be terminated;
h) Explain possible ways to address the possible findings in the assessment; and
i) Give information regarding the systems for feedback from the client on the results of the
assessment, as well as the system for complaints and appeals.
The pre-assessment meeting sets the tone for the assessment and establishes a rapport between the client
and the assessment team. The RTL should prepare an agenda for the pre-assessment meeting and project
both knowledge and confidence in the assessment activities. Assessment team members should
participate in the pre-assessment meeting only if called upon by the RTL.
6.4.4 Implementation
All activities, functions, and assets that contribute to achieving the organization’s objectives, and within
the scope of the risk assessment, should be considered. Tangible and intangible assets include (but are
not limited to):
a) Internal and external human resources;
b) Property (e.g., facilities, equipment, materials, products, physical systems);
c) Process controls (physical and cyber);
d) Financial and administrative processes (e.g., funds, inventory, accounting, and recordkeeping
systems);
e) Information and telecommunication systems;
f) Transportation systems;
g) Access to critical infrastructure and support utilities;
h) Intellectual property and proprietary information; and
i) Brand, image, and reputation.
After identifying the activities, functions, and assets that contribute to achieving the organization’s objectives,
for each activity, function, and asset consider:
a) Its contribution to the value chain of the organization and the achievement of objectives;
b) The potential for risk to be exploited for the advantage of the organization;
c) Severity and timeframes of the consequences if activities, functions, or assets were lost, or offer
a potential opportunity;
d) Critical infrastructures, dependencies, and interdependencies (internal and external);
e) Functions and countermeasures that currently exist for protection and support;
f) Criticality to value chain and achieving the organization’s objectives; and
g) Priority and critical value relative to other activities, functions, and assets.
helps to provide an understanding of what potential effects, positive and negative, are likely to take place
if different decisions are taken.
Threat and opportunity analysis can be conducted using either quantitative, qualitative, or a combined
approach. Regardless of the method, a common set of metrics and scales should be defined so that the
calculations can be performed and reported using consistent scales and parameters. Comparisons will
only be valid if values are determined using the same methods and metrics. All priority and critical
activities, functions, and assets should be analyzed.
Sources of risk give rise to potential threats and opportunities. Threat and opportunity analysis sets the
boundaries as to the type of threats and opportunities that can be addressed; therefore, the range of risk
sources associated with the achievement of organizational objectives should be considered. Threat and
opportunity analysis often contains subjective estimates; therefore, the confidence in the predictions
should be considered within the context of the reliability of the information. Likelihood estimates are
particularly sensitive to the information and assumptions they are based on.
Using the output from the asset identification, valuation and characterization, consider sources of risk
that create uncertainty in achieving the organization’s objectives. Consider both intentional and
unintentional risk events that may affect the achievement of the organization’s objectives (natural and
man-made hazards; social, economic, and political factors; as well as actions with mal-intent). Determine
the threats and/or opportunities associated with potential risk events. The output of the threat
and opportunity analysis should be a comprehensive list of threats and opportunities, prioritizing
those most relevant to the achievement of objectives.
Threats may be identified in terms of “threats from” and “threats to”. “Threat from” is based on the
nature and attributes of the threat and how the threat may cause harm and/or uncertainty. “Threat to”
considers the locations of the potential assets and services. In assessing the threat, the nature of the threat
should be considered (e.g., is it malevolent, naturally occurring, or accidental). For a malevolent threat
the assessment should consider “who/why” (e.g., description of the adversary), “what” (e.g., the material
used by the adversary), and the “how/when/where” (e.g., the characteristics of scenario and related
tactics).
Malevolent threat is assessed by evaluating the combination of motivation/intent and capability of an
adversary to impact a priority or critical asset, function, activity, or capability. Figure 7 illustrates the
interaction of these elements.
Threat and opportunity characterization seeks to identify general and specific sources of risk and
describe how they manifest themselves. Scenarios can be developed to analyze how the threat or
opportunity will materialize and what are the various factors and stakeholders at play. Once a scenario
has been identified it can be evaluated for differing magnitudes of the risk event. Similar scenarios may
be triggered by events resulting in similar consequences. By evaluating the different possibilities it is
possible to identify risk treatment options that focus on both likelihood and consequences.
When evaluating the potential for intentional threats, consideration should be given to the presence and
proximity of “hard” and “soft” targets. A resilient and determined adversary will consider the same
factors illustrated in Figure 8 in order to successfully carry out a threat to cause a risk event.
d) Determine the vulnerability based on attributes of the scenario events and potential outcomes;
and
e) Determine the level of vulnerability based on severity of the consequences and recovery time
periods.
Level of vulnerability is determined based on metrics designed to measure the achievement of the
organization’s objectives. Therefore, not only is the value of the asset, service or activity considered, but
also the timeframes that asset, service or activity may be unavailable. When determining the
vulnerability consider:
a) Is the vulnerability due to a single weakness or multiple weaknesses?
b) Does the nature of the vulnerability make it difficult to exploit?
c) What is the time dependent nature of the vulnerability, cascading effects, and recovery time?
d) Is the vulnerability lessened by multiple layers of countermeasures?
Event trees can be helpful tools in evaluating the vulnerability. Although many models exist, a simplified
example is to:
a) Assume a risk scenario;
b) Identify threat actors and methods;
c) Identify targets and potential consequences;
d) Identify accessibility;
e) Identify countermeasures;
f) Determine if single or multiple layers of defense exist;
g) Determine the efficiency of countermeasures (consider the conditions of deployment); and
h) Determine level of vulnerability.
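The simplified event tree above, and the earlier point that model outputs can be very sensitive to subjective estimates (particularly likelihood), can be worked through in code. This is an added example, not material from the standard: the scoring model, the 1..5 scales, the level thresholds, the layer efficiencies and the scenario are all constructed assumptions; it treats each layer of countermeasures as an independent chance of stopping the scenario and then perturbs each estimate one at a time to see which one the result hinges on.

```python
"""Event-tree vulnerability estimate with a one-at-a-time sensitivity check.

Added example; the scoring model, thresholds, layer figures and scenario
below are constructed assumptions, not figures from the standard.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Layer:
    """One layer of countermeasures in the event tree (assumed model)."""
    name: str
    efficiency: float      # assumed probability (0..1) that the layer stops the scenario
    deployed: bool = True  # condition of deployment: an undeployed layer stops nothing


@dataclass
class Scenario:
    """Steps a) to e) of the simplified event tree captured as data."""
    name: str
    threat_actor: str
    method: str
    target: str
    accessible: bool       # step d): can the actor reach the target at all?
    severity: int          # consequence severity on an assumed 1..5 scale
    recovery_days: float
    layers: List[Layer]    # step e): countermeasures between actor and target


def penetration_probability(layers: List[Layer]) -> float:
    """Probability the scenario passes every deployed layer (layers assumed independent)."""
    p = 1.0
    for layer in layers:
        if layer.deployed:
            p *= 1.0 - layer.efficiency
    return p


def recovery_factor(days: float) -> int:
    """Map recovery time to an assumed 1..5 factor; longer outages weigh more."""
    for limit, factor in ((1, 1), (3, 2), (7, 3), (30, 4)):
        if days <= limit:
            return factor
    return 5


def vulnerability_score(scenario: Scenario) -> float:
    """Score 0..25: pass-through probability x severity x recovery factor."""
    if not scenario.accessible:
        return 0.0
    p = penetration_probability(scenario.layers)
    return p * scenario.severity * recovery_factor(scenario.recovery_days)


def vulnerability_level(score: float) -> str:
    """Assumed thresholds on the 0..25 score."""
    if score < 2.0:
        return "Low"
    if score < 10.0:
        return "Medium"
    return "High"


def evaluate(scenario: Scenario) -> Dict[str, object]:
    """Steps f) to h): layers of defense, countermeasure efficiency, level of vulnerability."""
    deployed = [layer.name for layer in scenario.layers if layer.deployed]
    score = vulnerability_score(scenario)
    return {
        "scenario": scenario.name,
        "defense_layers": len(deployed),
        "defense_in_depth": len(deployed) > 1,
        "penetration_probability": penetration_probability(scenario.layers),
        "score": score,
        "level": vulnerability_level(score),
    }


def sensitivity(scenario: Scenario, delta: float = 0.1) -> List[Tuple[str, float]]:
    """One-at-a-time sensitivity: lower each layer's efficiency by delta (the
    pessimistic direction) and record the score change, largest first."""
    base = vulnerability_score(scenario)
    results = []
    for layer in scenario.layers:
        original = layer.efficiency
        layer.efficiency = max(0.0, original - delta)
        results.append((layer.name, vulnerability_score(scenario) - base))
        layer.efficiency = original  # restore the estimate
    return sorted(results, key=lambda r: abs(r[1]), reverse=True)


# Constructed scenario for illustration only.
BACKUP_STORE = Scenario(
    name="unauthorized access to backup data store",
    threat_actor="external actor",
    method="credential misuse",
    target="backup data store",
    accessible=True,
    severity=4,
    recovery_days=3,
    layers=[
        Layer("network perimeter filtering", 0.7),
        Layer("multi-factor authentication", 0.9),
        Layer("access monitoring and alerting", 0.5),
    ],
)

if __name__ == "__main__":
    print(evaluate(BACKUP_STORE))
    for name, change in sensitivity(BACKUP_STORE):
        print(f"{name}: score change {change:+.3f}")
```

With these figures the multi-factor layer dominates the sensitivity ranking: lowering its assumed efficiency from 0.9 to 0.8 doubles the pass-through probability, which is exactly the kind of subjective likelihood estimate the text warns about.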
consequences indirectly related to the asset, activity, or function will affect the organization achieving its
objectives. In evaluating the criticality consider:
a) The value of the asset, activity or function to on-going operations and value generation;
b) The value of the asset, activity or function to internal and external stakeholders including
competitors and adversaries;
c) Timeframe of criticality – time period an asset, activity, or function can be unavailable before
effects are significant;
d) Derivative effects – the effect on other assets, activities, or functions;
e) Impact on brand, image and reputation;
f) Exclusive possession;
g) Availability of alternatives for the assets, activities, and functions; and
h) Perception of criticality of supply chain partners and other stakeholders.
Many scales exist for grading consequences. The exact scale should be determined by the accuracy of
the predictions, whether a consequence is quantifiable, and the intended use of the information. The
scales should be determined also based on their utility to the risk managers and decision-makers.
Regardless of the scale used, it should be consistent throughout the risk assessment process. When
assessing the consequences of a risk event consider:
a) Human impact: Physical and psychological harm to employees, customers, suppliers, and other
stakeholders;
b) Physical asset impact: Property losses and replacement costs;
c) Information asset impact: Loss of sensitive, proprietary, or personal information;
d) Financial impact: Lost or deferred sales/business, loss of market share, lawsuits, regulatory
fines/penalties, overtime pay, stock devaluation;
e) Reputational impairment impact: Diminished standing in the community, negative press;
f) Community/societal impact: Indirect impacts on the regional economy, reduction in the
regional net economy, losses to the tax base of local jurisdictions; and
g) Environmental impact: Degradation to the quality of the environment.
An example of a flow diagram for considering the consequences of a risk event illustrating the
importance of time considerations is given in Figure 9.
the analysis. The risk analysis method used should meet the needs of the risk evaluation and treatment
decision-making process.
d) The opportunities presented outweigh the threats to such a degree that the risk is justified; and
e) Organizations may also determine to accept a risk by informed decision-making or to maximize
a business opportunity.
Regardless of the method used to evaluate risk treatment(s) to achieve a level of risk as low as reasonably
possible, it is important to understand that this is an iterative process where the risk manager can pick
multiple layers of risk treatment measures including:
a) Eliminating the risk exposure;
b) Isolating the risk source or potential targets;
c) Technical modifications and substitutions;
d) Administrative and procedural controls;
e) Protective, preventive, and mitigation measures;
f) Risk sharing; and
g) Accepting or exploiting risk by informed decision.
During the risk evaluation process, the proposed risk treatment methods should be evaluated to consider
the cost/benefit of the measure to reduce risk and whether the risk treatment changes or introduces new
risk to the organization and its value chain. Figure 11 illustrates how the output from the risk
identification and analysis steps can be represented by a funnel approach where intolerable risk must be
treated at any reasonable cost. Treatment measures are applied to bring the risk to a level that is as low
as reasonably possible, where further risk treatments are disproportionate to the cost/benefit. Risks reach
a tolerable level where risk is within the level of tolerance of the risk criteria. Contingency measures
might be considered for risks that remain after treatment.
Adapted from RIMS workshop on Risk Management Techniques. Copyright © Risk and Insurance Management Society, Inc.
All rights reserved.
a) Name of risk;
b) Description of risk;
c) Time period for estimates;
d) Risk Owner;
e) Likelihood or frequency of occurrence;
f) Impacts, severity or consequence of occurrence;
g) Interdependencies and dependencies; and
h) Actions and/or countermeasures to reduce the likelihood and consequences.
Note: For additional risk analysis methodologies, see ISO 31010:2009, Risk management – Risk
assessment techniques.
well as its stakeholders. Clear classification and documentation of observations will help identify follow-
up actions.
Risk assessment findings are generated by the RTL in conjunction with assessment team members. At
appropriate stages throughout the assessment, the assessment team should meet to review the
assessment findings up to that point. Aspects which should be considered when determining assessment
findings include the requirements of the client and organization, sample size, follow-up actions from
previous assessment findings and conclusions, and categorization of the assessment findings where
necessary.
When creating records of levels of risk and treatment needs, the assessment team should identify the risk
criteria being used and the risks assessed, evaluate the assessment evidence to support the level of confidence
in the finding, and state whether the evidence is consistent with the risk criteria (particularly the risk attitude
of the organization). When creating records on specific risks, the assessment team should identify the
risk being assessed, show the risk assessment evidence to support risk treatment decisions, and include
related assessment evidence to support the findings. Every level of risk determination should be
traceable back to evidence gathered for a specific risk.
6.5.2.1 Overview
The risk assessment report is prepared by the RTL, with input from the assessment team, and is provided
to the risk manager as soon as possible after the post-assessment meeting. The assessment report is reviewed
and approved by the risk manager prior to distribution. For credibility, any changes to the report,
including findings, should be made by the RTL. The client determines who will receive copies of the
assessment report. The purpose of the assessment report is to:
a) Provide information about the assessment findings and conclusions;
b) Initiate a request for corrective actions to significant risk requiring immediate attention;
c) Serve as a basis for identifying opportunities for improvement of the risk management system;
and
d) Provide a record of the assessment.
6.6.2 Improvement
The review of the risk assessment should include assessing opportunities for improvement and the need
for changes to the risk assessment program. The results of the reviews should be clearly documented and
records should be maintained. The organization should continually improve the effectiveness of the risk
assessment activities.
7.1 General
The credibility of any risk assessment program is a function of the competence of the assessors. All
persons involved in the risk assessment process should be competent to perform their roles and assigned
tasks. Risk assessors should possess the technical expertise and interpersonal skills to effectively
evaluate the application of risk management systems for a particular client. Assessors should evaluate
the effectiveness of the risk management measures, not merely checking a box indicating measures exist.
To add value to the client and organization, the assessors should understand the management and risk
approaches from the client’s business and risk environment. Assessors should have a clear
understanding of how to apply the risk criteria. Assessor competence is comprised of several elements:
a) Personal traits and interpersonal skills;
b) Assessment skills;
c) Communication skills;
d) Education, training, and knowledge; and
e) Work experience.
The risk assessment team should have a proficient understanding of the business and disciplines they
are assessing. The assessment team should project an image to the client and organization that they have
the competence relevant to the appropriate technical area of the risk-based management system, risk-
related disciplines, industry sector, and geographic location.
7.2 Competence
7.2.1 General
The risk manager and RTL should determine and document the competence required to evaluate each
technical area and function in the risk assessment activity. When identifying competence requirements,
the risk manager and RTL should tailor their competence requirements to the types of risks the client and
organization face and the locations of operations in order to:
a) Define the scope of the activities that they undertake;
b) Identify any technical qualification of their assessors necessary for that particular type of risk,
services, and location of operation;
c) Ensure that personnel have appropriate knowledge, skills and experience relevant to the types
of services provided and geographic areas of operation; and
b) Psychometric (quantitative) testing of knowledge and skills (may include variables such as
intelligence, aptitude, and personality traits);
c) Reviewing written samples of work;
d) Interviews to evaluate knowledge, communications skills, and personal behavior;
e) Observation of risk assessment skills;
f) Competence-based certifications and professional credentialing; and
g) Feedback and post-assessment review.
The monitoring procedures should include a combination of on-site observation, risk assessment report
review, and feedback from clients or other affected parties. Monitoring should be designed in such a way
as to minimize the disturbance of the normal operations, especially from the client’s viewpoint.
7.3.1 Credentials
All personnel involved in the risk assessment activities should be able to display a tamper-resistant
credential, consistent with a verifiable government identification that is easily distinguishable, with a
unique number, showing the following:
a) Photograph;
b) Full legal name;
c) Period of validity; and
d) Name of the issuing body.
7.3.3 Accountability
The risk manager and RTL should establish, document, and maintain procedures to make personnel
involved in their risk assessment activities aware of infractions that could subject them to disciplinary
actions, civil liability, and criminal prosecution. The procedures should include a process to address
infractions of procedures, the code of ethics, and confidentiality and non-disclosure agreements,
including the investigation procedure and disciplinary actions. Records should be kept of infractions,
investigations, and any subsequent disciplinary actions.
7.3.4 Records
The risk manager and RTL should establish, document, and maintain procedures to maintain records of
personnel involved in its risk assessment activities. Records should be retained for periods that the risk
manager and RTL deem appropriate and according to retention periods designated by national,
international and other legal requirements.
Annex A
(informative)
A.1 General
The challenge with optimizing risk assessment to achieve the assessment objectives is time. The assessor
needs to develop an assessment strategy, or “path”, to collect data in a representative, logical, and
methodical manner. Effective risk assessment planning is necessary to make efficient use of time to
provide a complete picture of risks and the level of risk. The RTL is responsible for the effective planning
and application of assessment strategy and methods. The RTL has the responsibility for oversight of
conducting the assessment activities.
A.4 Sampling
A.4.1 General
During an assessment, it is not always practical, in time or cost terms, to evaluate all available
information. Sampling, the process or technique of selecting a representative part of a population for the
purpose of determining parameters or characteristics of the whole population, may be necessary to
adequately assess the risk. The method and rationale for sampling and the numbers of samples from the
population should be tailored to the circumstances of the assessment to achieve the assessment
objectives. The sampling approach should provide a level of confidence that the assessment objectives
are achieved.
Completely random sampling may not always be appropriate. For example, in areas of known
operational deficiencies, high information uncertainty, or higher risk the assessor should select more
samples. Considerations in selecting sample size and sample selection include (but are not limited to):
a) Major areas and issues related to risk;
b) Areas of previous risk events, emerging risks, and historic weaknesses;
c) Elements serving as foundations of the risk and business management system;
d) Interactions between elements of the management system;
e) Issues known to be of greater significance to the organization and its stakeholders;
f) Activities linked to legal, regulatory or liability related issues;
g) Activities and functions where resources are overtaxed;
h) Complexity and interdependency of critical activities; and
i) New or significantly changed activities.
In order to assure that conclusions are correct in assessing risk, it is important to understand the
confidence factor that the results are unbiased and consistent with a sampling of the entire population.
Successful sampling is based on focused problem definition. In sampling, this includes defining the
population from which the sample is drawn. A population can be defined as including all people or items
with a specific characteristic that needs to be understood.
Sampling should consider the steps in Figure 14.
[Figure 14: sampling steps, from "Determine the Objectives of the Sampling Plan Consistent with Assessment Objectives" to "Conduct Sampling"; intermediate step labels not recovered]
c) Stratified sampling: the population is sub-divided into homogeneous groups, for example by
region, size or type of establishment. The strata can have equal sizes or there may be a higher
proportion of samples drawn from certain strata.
d) Cluster/Block sampling: units in the population can often be found in groups or clusters. The
population that is being sampled is divided into groups called clusters.
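The following is an added example, not part of the ANSI/ASIS/RIMS RA.1-2015 text. It shows how an assessor can put the guidance above into a documented, reproducible sampling plan: a stratified allocation that gives strata with known deficiencies or higher risk a larger share of the sample (the reason the standard says purely random sampling is not always appropriate), a seeded draw so the sample can be reproduced in the assessment record, and the standard Cochran sample-size formula with finite population correction for the "level of confidence" the standard asks for. The strata names, risk weights, population, the 95% z-score and the 5% margin are all constructed for illustration.

```python
"""Stratified, risk-weighted sampling for a risk assessment.

Added example; not part of the ANSI/ASIS/RIMS RA.1-2015 text. The strata,
risk weights and population below are constructed for illustration.
"""
import math
import random
from typing import Dict, List, Tuple

Z_95 = 1.96  # two-sided z-score for a 95% confidence level (assumed default)


def sample_size(population: int, confidence_z: float = Z_95,
                margin: float = 0.05, p: float = 0.5) -> int:
    """Minimum sample size to estimate a proportion within +/- margin.

    Cochran's formula with finite population correction. p = 0.5 is the most
    conservative (largest) assumption when the true non-conformance rate is
    unknown. Returns at most the population size.
    """
    if population <= 0:
        return 0
    n0 = (confidence_z ** 2) * p * (1 - p) / (margin ** 2)
    n = n0 / (1 + (n0 - 1) / population)
    return min(population, math.ceil(n))


def allocate(strata_sizes: Dict[str, int], risk_weights: Dict[str, float],
             total: int, min_per_stratum: int = 1) -> Dict[str, int]:
    """Split `total` samples across strata in proportion to size x risk weight.

    A stratum with known deficiencies or higher risk gets a weight > 1 so more
    of the sample budget lands there. Largest-remainder rounding keeps the
    allocation integral; every non-empty stratum gets at least
    min_per_stratum (capped at its size), which may exceed `total` for tiny
    budgets: the minimum deliberately wins over the budget in that case.
    """
    weights = {s: strata_sizes[s] * risk_weights.get(s, 1.0) for s in strata_sizes}
    w_total = sum(weights.values())
    raw = {s: total * w / w_total for s, w in weights.items()}
    alloc = {s: min(strata_sizes[s], max(min_per_stratum, math.floor(raw[s])))
             for s in strata_sizes}
    # Hand out remaining budget by largest fractional part, ties broken by name.
    order = sorted(strata_sizes, key=lambda s: (-(raw[s] - math.floor(raw[s])), s))
    remaining = total - sum(alloc.values())
    while remaining > 0:
        progressed = False
        for s in order:
            if remaining == 0:
                break
            if alloc[s] < strata_sizes[s]:
                alloc[s] += 1
                remaining -= 1
                progressed = True
        if not progressed:
            break  # every stratum is fully sampled
    # If minimums pushed us over budget, trim the largest allocations first.
    while remaining < 0:
        s = max(alloc, key=lambda k: (alloc[k], k))
        if alloc[s] <= min_per_stratum:
            break
        alloc[s] -= 1
        remaining += 1
    return alloc


def draw(population: List[Tuple[str, str]], alloc: Dict[str, int],
         seed: int = 2015) -> Dict[str, List[str]]:
    """Draw alloc[s] items from each stratum with a seeded RNG so the sample
    can be reproduced and recorded as part of the sampling rationale."""
    rng = random.Random(seed)
    by_stratum: Dict[str, List[str]] = {}
    for item_id, stratum in population:
        by_stratum.setdefault(stratum, []).append(item_id)
    return {s: sorted(rng.sample(by_stratum[s], alloc[s])) for s in alloc if alloc[s]}


# Constructed population: 200 sites in three strata. Region-A has known
# operational deficiencies, so it is weighted 3x (an assumed weighting).
STRATA = {"HQ": 40, "Region-A": 100, "Region-B": 60}
RISK = {"HQ": 1.0, "Region-A": 3.0, "Region-B": 1.0}
POPULATION = [(f"{s}-{i:03d}", s) for s, n in STRATA.items() for i in range(n)]


def plan(total: int = 30) -> Dict[str, int]:
    """Risk-weighted allocation of a 30-site sample over the constructed strata."""
    return allocate(STRATA, RISK, total)


if __name__ == "__main__":
    print("n for N=1000 at 95% / 5%:", sample_size(1000))
    print("risk-weighted:", plan())
    print("proportional: ", allocate(STRATA, {}, 30))
    print({s: len(ids) for s, ids in draw(POPULATION, plan()).items()})
```

Run as a script, the block contrasts the risk-weighted allocation (23 of 30 samples in Region-A) with a purely proportional one (15 of 30), so the shift of effort toward the stratum with known deficiencies is visible and defensible in the assessment record.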
Annex B
(informative)
B.1 General
Root cause analysis (RCA) refers to multiple risk assessment techniques and approaches, at times applied
as a series, which are designed to identify the underlying or initiating risk source(s) or driver(s). A
significant number of the techniques were originally developed in the process engineering and safety
fields. These techniques were intended to not only identify potential safety hazards and points of failure
during the design of new engineering processes, but also to determine why risk events occurred
following significant losses.
Root cause analysis has traditionally been viewed as an assessment method most appropriately used
following a major risk event or loss. Increasingly though, organizations with more mature risk
management programs are using the same techniques to support business and strategic planning as a
means of proactively managing risks before they can affect planned objectives.
diagramming, which is designed to pictorially show how the relative strengths of the risk or source inter-
dependencies can impact each other. Force field analyses and influence diagrams allow the experienced
user to align specific actions with specific risks (or people) as a means of leveraging (or overcoming)
existing dependencies.
The proactive application of RCA techniques can be problematic in some situations, particularly where
there is cultural skepticism about the value of future casting. One method of overcoming this skepticism
is by conducting a solutions effect analysis following the use of other RCA techniques. This approach is
similar to the cause and effect technique, but sees the proposed "answers" grouped thematically rather
than the risks. These solutions are then analyzed again to reveal any unintended consequences - or
untapped success drivers - resulting from the combination of proposed actions. By including the
proposed solution or action owners in this process, they are often able to see where their ideas may need
refinement, as well as giving them greater confidence that the process used to get to those answers was
robust.
Other extensively-used approaches to root cause analysis include concept fans, hazard and
operability studies (HAZOP), solution effects analysis, life cycle value analysis and hazard
identification/environmental identification, to name a few. While this list is not exhaustive, it provides a
good starting point for a deeper understanding of initiating or underlying risk sources.
Analyze:
3. Use one or more techniques to analyze the evidence. For example, you may ask "why"
repeatedly and identify the causes associated with each step in the sequence towards the
defined problem or desired outcome.
4. Classify causes into causal factors, which relate to an outcome in the sequence, and root
causes, which the group agrees would have interrupted that step of the sequence chain had they
been addressed.
5. If there are multiple root causes, which is often the case, note those clearly for additional
analysis.
Solve:
6. Identify potential solutions that will, with certainty, prevent recurrence of the problem or
event or, alternatively, that must be followed to improve the odds of a successful outcome.
7. Identify solutions that prevent recurrence with reasonable certainty with consensus
agreement of the group, are within your control, meet your goals and objectives and do
not introduce other new, unforeseen problems.
8. Implement the recommended root cause correction(s).
9. Ensure effectiveness by observing, and possibly reporting on, whether the implemented
recommendation solutions achieved the intended result.
10. Other methodologies for problem solving may be considered and incorporated as
supplements to root cause analysis.
RCA (particularly steps 3, 4, and 5) forms the most critical part of developing successful solutions and
corrective action plans, because it directs the corrective action at the true root cause of the problem or
issue. The root cause analysis itself is secondary to achieving the intended goal. However, without
identifying and understanding the root cause(s), effective solutions or corrective actions may not be
identified or developed.
Organizations can improve the odds of successful future outcomes by applying risk controls - and
previously unrecognized success drivers - that most effectively deal with the initiating or underlying
risk sources. In doing so, they reduce their overall cost of risk by reactively and proactively addressing
the actual root causes of risk exposures.
Annex C
(informative)
C.1 General
Risk assessments often contain some of the most sensitive information of an organization. Consistent
with information protection requirements, privacy legislation, human resource management policies,
and stakeholder needs, the risk manager and RTL should establish, document, and maintain a procedure
for screening and vetting of all personnel involved in its risk assessment activities. Requirements and
the conduct of background checks and security clearances vary significantly between the type of risk
assessment and the management practices of the organization. For example, security risk assessments
are typically considered high risk and the rigorous background and screening process is conducted by
the Chief Security Officer or designee. On the other hand, strategic business risk assessment background
checks and screening procedures are typically included as part of the general human resource employee
background check and screening process. The risk manager and RTL should review the organization’s
approach relative to the objectives and requirements of the type of risk assessment being conducted and
ensure that all personnel involved in its risk assessment activities meet these requirements. The vetting
and clearance process may include, but not be limited to, background checks, interviews and review of
work history.
NOTE: The details provided below represent the more rigorous approach typically required of a security risk assessment. For
other types of risk assessment, the level of rigor should be tailored to the objectives and requirements of the risk assessment
taking into consideration information protection requirements, privacy legislation, human resource management policies, and
stakeholder needs.
C.3 Interviews
The risk manager and RTL should establish an interview procedure, including the hierarchy of
interviewers, which should be overseen by the risk manager. Top management should appoint a risk
manager who has been verified by interview and vetted as trustworthy and having the necessary
competence and judgment to vet personnel involved in its risk assessment activities. The responsible
manager should assess through review of documentation, submitted by candidates, and interviews and
Annex D
(informative)
Annex E
(informative)
Annex F
(informative)
F.1 General
Building a resilient organization is part of any good business management strategy. In order to thrive
and survive, organizations need to adapt to an ever changing environment. To be agile and resilient in
order to achieve the organization’s objectives, the organization needs to leverage all the disciplines that
contribute to managing risk. For organizations to cost-effectively manage risk, they must develop
balanced strategies to adaptively, proactively, and reactively address maximizing opportunities and
minimizing the likelihood and consequences of potential, undesirable, and disruptive events (see
ANSI/ASIS SPC.1-2009).
The organization should establish, implement, and maintain procedures to prevent and manage
disruptive events which have the potential to harm the organization, its key stakeholders including
supply chain partners, and the environment.
Procedures should be concise and accessible to those responsible for their implementation. Flow charts,
diagrams, tables, and lists of action should be used rather than expansive text.
The purpose and scope of each procedure should be agreed by top management and understood by those
responsible for its implementation. Dependencies and interdependencies should be identified and the
relationships between procedures, including those of the emergency services and local authorities,
should be stated and understood. The following sections provide more information on selected
procedures. At the end of this annex are some templates for different plans.
Prevention procedures should describe how the organization will take proactive steps to protect its assets
by establishing architectural, administrative, design, operational, and technological approaches to avoid,
eliminate, or reduce the likelihood of risks materializing including the protection of assets from
unforeseen threats and hazards.
Mitigation procedures should describe how the organization will take proactive steps to protect its assets
by establishing immediate, interim, and long-term approaches to reduce the consequences of risks before
they materialize including the protection of assets from unforeseen threats and hazards.
Organizations may choose to have a single procedure with sections and/or annexes dealing with different
types of incidents. Alternatively, separate procedures may be written for each type of incident.
Response procedures should describe how the organization will respond to one or more types of
disruptive events. Organizations may choose to have a single procedure with sections and/or annexes
dealing with different types of incidents. Alternatively, separate procedures may be written for each type
of incident.
Some response procedures may be implemented in advance of a disruptive event; for example in the
expectation of harm from a forthcoming tropical cyclone, wildfire, or malicious attack on the
organization or a supply chain partner. In such circumstances, emphasis will be given to protecting
and/or removing priority assets and to communicating the risk of harm to staff and to external
organizations and authorities.
Continuity procedures should describe how the organization will maintain and/or re-establish critical
activities in the period immediately following the response/emergency phase. Organizations may choose
to have a single procedure with sections and/or annexes dealing with different types of incident.
Alternatively, separate procedures may be written for each type of incident.
Recovery procedures should describe how the organization will re-establish all necessary operational
and support activities, replace damaged and/or destroyed assets and information, rebuild the brand and
reputation of the organization, and assist staff to recover from the event. Organizations may choose to
have a single procedure with sections and/or annexes dealing with different types of incidents.
Alternatively, separate procedures may be written for each type of incident.
i) Roles and responsibilities of individuals and groups who will be required to implement the
procedure. It may be necessary to modify the normal procurement procedures in order to rapidly
restore the organization’s activities and assets;
j) The organizational structure to be used, including links with external agencies such as occupational
health and safety bodies, and loss adjusters/insurance companies; and
k) Procedures for communicating within the organization, to key external stakeholders including
supply chain partners, the emergency services, local authorities, and the media.
The organization should nominate a primary “owner” of each recovery procedure, and should state who
is responsible for reviewing, amending, and updating the procedure. The process of reviewing,
amending, updating, and distributing procedures should be controlled.
NOTE 1: Recovery procedures may run concurrently with continuity procedures.
NOTE 2: Recovery procedures are sometimes referred to as recovery and restoration procedures.
Mitigation Procedure
Function / Activity:
The Assets to be Protected:
Objectives and Measures of Success:
Implementation Steps and Frequency:
Roles, Responsibilities and Authorities:
Communications Requirements:
Resource, Competency and Training Requirements:
Function / Activity:
Priority Assets to be Protected:
Priority Activities to be Maintained:
Measures to Limit Damage:
Situation / Conditions in Which Plan Will be Implemented:
Roles and Responsibilities of Individuals and Groups:
Organization Structure to be Used, Including Incident Command & External Links:
Procedures for Communication within the Organization:
Function / Activity:
Priority Assets to be Protected:
Priority Activities to be Maintained:
Activities to be Restored as a Priority After an Event:
Situation / Conditions in Which Plan Will be Implemented:
Roles and Responsibilities of Individuals and Groups:
Organization Structure to be Used, Including Incident Command & External Links:
Procedures for Communication Within the Organization:
Annex G
(informative)
A business impact analysis (BIA) provides a structured approach to gaining information about the
critical activities, functions, and processes of the organization and the associated resources necessary
for an organization to mitigate the impacts of undesirable and disruptive events. The BIA:
a) Evaluates critical activities, functions, and processes and their role in achieving organizational
objectives;
b) Determines the most critical activities, functions, and processes and the resources (assets) that
are needed to achieve the desired outcome;
c) Prioritizes the critical activities, functions, and processes that must be operational to maintain
an acceptable level of business functionality during and immediately following an unacceptable
business interruption; and
d) Determines the time frames and resource requirements to maintain critical activities, functions,
and processes following a risk event to restore operations to the level required to meet
organizational objectives.
The organization may conduct a BIA on critical activities, functions, and processes related to its
residual risk and develop contingency plans. The purpose of the BIA should be to determine:
a) Criticality - Every critical business function is identified (with related dependencies and
interdependencies) and the impact of an undesirable or disruptive event determined.
b) Maximum Downtime - Estimate the maximum downtime that can be tolerated while still
maintaining viability. Management should determine the longest period of time that a critical
process can be disrupted before recovery becomes unlikely.
c) Resource Requirements - Realistic recovery efforts require a thorough evaluation of the
resources required to resume critical operations and related interdependencies as quickly as
possible.
Timeframes and recovery objectives are typically defined in terms of:
Maximum Allowable Outage: The maximum period of time that an organization can tolerate the
loss of capability of a critical business function, process, or asset.
Recovery Time Objective: The period of time within which a business' activities and resources must
be recovered to an acceptable capability after a disruptive event, often defined in hours or days.
Recovery Point Objective: The point in time to which products, organizational activities, or data
can be restored in a known, valid, or integral state. Often viewed as the maximum tolerable loss
(for example, of data) and defined in hours or days.
The output of a business impact analysis typically includes:
a) Recovery time objectives and associated justification
b) Recovery point objectives and associated justification
c) Recovery capacity or performance at the recovery time objective
d) Timeframe when the organization requires 100% of operational capability
e) Prioritization of recovery resources
f) Content for response and recovery strategies
g) Reset of product/service acceptable disruption periods, as needed
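The following is an added example, not part of the ANSI/ASIS/RIMS RA.1-2015 text. It takes the BIA outputs just listed (RTOs, maximum allowable outages, dependencies and interdependencies) and applies the consistency checks a practitioner would run before signing off the justification: an RTO must not exceed the activity's maximum allowable outage, an activity cannot be recovered within its RTO if something it depends on has a longer RTO, every dependency must itself be covered by the BIA, and a dependency cycle must be resolved before recovery resources can be prioritized. It then derives a dependency-first recovery sequence, shortest RTO first among the activities that are ready. The activity names, hour values and dependency graph are constructed; the rules are the author's sanity checks, not text of the standard.

```python
"""Consistency checks on BIA recovery objectives.

Added example; not part of the ANSI/ASIS/RIMS RA.1-2015 text. The activity
names, MAO/RTO values and dependency graph below are constructed.
"""
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, ...]


def validate_bia(activities: Dict[str, Dict[str, Any]]) -> List[Finding]:
    """Return findings where the stated objectives cannot hold together.

    Rules (assumed here as practitioner sanity checks, not from the standard):
    - rto_exceeds_mao: the plan accepts an outage longer than the business
      said it can tolerate.
    - dependency_slower: an activity cannot be back within its RTO if
      something it depends on has a longer RTO.
    - unknown_dependency: a dependency the BIA does not cover.
    Findings are emitted in activity-name order so reports are stable.
    """
    findings: List[Finding] = []
    for name, a in sorted(activities.items()):
        if a["rto_hours"] > a["mao_hours"]:
            findings.append(("rto_exceeds_mao", name))
        for dep in a.get("depends_on", []):
            if dep not in activities:
                findings.append(("unknown_dependency", name, dep))
            elif activities[dep]["rto_hours"] > a["rto_hours"]:
                findings.append(("dependency_slower", name, dep))
    return findings


def recovery_order(activities: Dict[str, Dict[str, Any]]) -> List[str]:
    """Dependency-first recovery sequence; shortest RTO first among the ready.

    Raises ValueError on a circular or unresolved dependency, which the BIA
    must settle before recovery resources can be prioritized.
    """
    done: List[str] = []
    pending = set(activities)
    while pending:
        ready = [n for n in pending
                 if all(d in done for d in activities[n].get("depends_on", []))]
        if not ready:
            raise ValueError(f"circular or unresolved dependencies among {sorted(pending)}")
        nxt = min(ready, key=lambda n: (activities[n]["rto_hours"], n))
        done.append(nxt)
        pending.remove(nxt)
    return done


# Constructed BIA extract (all values in hours).
BIA = {
    "datacentre-power":  {"mao_hours": 8,  "rto_hours": 1,  "depends_on": []},
    "identity":          {"mao_hours": 12, "rto_hours": 2,  "depends_on": ["datacentre-power"]},
    "warehouse-network": {"mao_hours": 24, "rto_hours": 4,  "depends_on": ["datacentre-power"]},
    "erp":               {"mao_hours": 48, "rto_hours": 12, "depends_on": ["datacentre-power", "identity"]},
    "customer-portal":   {"mao_hours": 4,  "rto_hours": 6,  "depends_on": ["identity"]},
    "order-fulfilment":  {"mao_hours": 24, "rto_hours": 8,  "depends_on": ["erp", "warehouse-network"]},
}

if __name__ == "__main__":
    for finding in validate_bia(BIA):
        print("FINDING:", *finding)
    print("recovery order:", " -> ".join(recovery_order(BIA)))
```

On the constructed data the checks surface two inconsistencies a review of the RTO justification should catch: the customer portal's RTO (6 h) is longer than its own maximum allowable outage (4 h), and order fulfilment's 8 h RTO is unachievable while the ERP it depends on carries a 12 h RTO. Either the dependent objective is relaxed or the dependency's objective (and the resources behind it) is tightened; the BIA output list above calls this the justification that accompanies each RTO.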
Many methodologies exist for conducting a BIA. The methodology should be tailored to the decision-
making needs of the organization and achievement of organizational objectives. The following three
figures present a generalized approach to conducting a business impact analysis.
[Figures: generalized BIA approach. Recovered step labels: Determine Scope of BIA; Determine Critical Operations; Determine Interdependencies; Determine Existing Control Measures; Determine Impacts (Tangible and Intangible); Determine Outage and Recovery Times; Determine Resource Requirements; Set Continuity and Restoration Objectives; Develop Response, Continuity and Recovery Plans]
Annex H
(informative)
H BIBLIOGRAPHY
1625 Prince Street
Alexandria, Virginia 22314-2882
USA
+1.703.519.6200
Fax: +1.703.519.6299
www.asisonline.org