
ASIS INTERNATIONAL

Risk Assessment
Supply Chain Risk Management:
A Compilation of Best Practices

ANSI/ASIS SCRM.1-2014
ANSI/ASIS/RIMS RA.1-2015

STANDARD
The worldwide leader in security standards and guidelines development
ANSI/ASIS/RIMS RA.1-2015

an American National Standard

RISK ASSESSMENT

Approved August 3, 2015


American National Standards Institute, Inc.

ASIS International and The Risk and Insurance Management Society, Inc.

Abstract
This Standard provides guidance on developing and sustaining a coherent and effective risk assessment program including
principles, managing an overall risk assessment program, and performing individual risk assessments, along with confirming
the competencies of risk assessors and understanding biases. This Standard describes a well-defined risk assessment program
and individual assessments to provide the foundation for the risk management process. Seven annexes provide additional
guidance for applying risk assessments and potential treatments.

NOTICE AND DISCLAIMER


The information in this publication was considered technically sound by the consensus of those who engaged in the
development and approval of the document at the time of its creation. Consensus does not necessarily mean that there is
unanimous agreement among the participants in the development of this document.

ASIS and RIMS standards and guideline publications, of which the document contained herein is one, are developed through a
voluntary consensus standards development process. This process brings together volunteers and/or seeks out the views of
persons who have an interest and knowledge in the topic covered by this publication. While ASIS administers the process and
establishes rules to promote fairness in the development of consensus, it does not write the document and it does not
independently test, evaluate, or verify the accuracy or completeness of any information or the soundness of any judgments
contained in its standards and guideline publications.

ASIS is a volunteer, nonprofit professional society with no regulatory, licensing or enforcement power over its members or
anyone else. ASIS and RIMS do not accept or undertake a duty to any third party because they do not have the authority to
enforce compliance with their standards or guidelines. They assume no duty of care to the general public, because their works
are not obligatory and because they do not monitor the use of them.

ASIS and RIMS disclaim liability for any personal injury, property, or other damages of any nature whatsoever, whether special,
indirect, consequential, or compensatory, directly or indirectly resulting from the publication, use of, application, or reliance on
this document. ASIS and RIMS disclaim and make no guaranty or warranty, expressed or implied, as to the accuracy or
completeness of any information published herein, and disclaim and make no warranty that the information in this document
will fulfill any person’s or entity’s particular purposes or needs. ASIS and RIMS do not undertake to guarantee the performance
of any individual manufacturer or seller’s products or services by virtue of this standard or guide.

In publishing and making this document available, ASIS and RIMS are not undertaking to render professional or other services
for or on behalf of any person or entity, nor are ASIS and RIMS undertaking to perform any duty owed by any person or entity
to someone else. Anyone using this document should rely on his or her own independent judgment or, as appropriate, seek the
advice of a competent professional in determining the exercise of reasonable care in any given circumstances. Information and
other standards on the topic covered by this publication may be available from other sources, which the user may wish to consult
for additional views or information not covered by this publication.

ASIS and RIMS have no power, nor do they undertake to police or enforce compliance with the contents of this document. ASIS
and RIMS have no control over which of their standards, if any, may be adopted by governmental regulatory agencies, or over
any activity or conduct that purports to conform to their standards. ASIS and RIMS do not list, certify, test, inspect, or approve
any practices, products, materials, designs, or installations for compliance with their standards. They merely publish standards
to be used as guidelines that third parties may or may not choose to adopt, modify, or reject. Any certification or other statement
of compliance with any information in this document should not be attributable to ASIS and RIMS and is solely the responsibility
of the certifier or maker of the statement.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or
by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written consent of the copyright
owner.

Copyright © 2015 ASIS International and The Risk and Insurance Management Society, Inc. All rights reserved.

ISBN: 978-1-934904-75-6


FOREWORD
The information contained in this Foreword is not part of this American National Standard (ANS) and has not been processed
in accordance with ANSI’s requirements for an ANS. As such, this Foreword may contain material that has not been subjected
to public review or a consensus process. In addition, it does not contain requirements necessary for conformance to the Standard.

ANSI guidelines specify two categories of requirements: mandatory and recommendation. The mandatory requirements are
designated by the word shall and recommendations by the word should. Where both a mandatory requirement and a
recommendation are specified for the same criterion, the recommendation represents a goal currently identifiable as having
distinct compatibility or performance advantages.

ASIS International and The Risk Management Society, Inc. collaborated in the development of this Risk Assessment standard.

About ASIS
ASIS International (ASIS) is the largest membership organization for security management professionals that crosses industry
sectors, embracing every discipline along the security spectrum from operational to cybersecurity. Founded in 1955, ASIS is
dedicated to increasing the effectiveness of security professionals at all levels.

With membership and chapters around the globe, ASIS develops and delivers board certifications and industry standards, hosts
networking opportunities, publishes the award-winning Security Management magazine, and offers educational programs,
including the Annual Seminar and Exhibits—the security industry’s most influential event. Whether providing thought
leadership through the CSO Roundtable for the industry’s most senior executives or advocating before business, government,
or the media, ASIS is focused on advancing the profession, and ensuring that the security community has access to intelligence,
resources, and technology needed within the business enterprise. www.asisonline.org

The work of preparing standards and guidelines is carried out through the ASIS International Standards and Guidelines
Committees, and governed by the ASIS Commission on Standards and Guidelines. An ANSI accredited Standards Development
Organization (SDO), ASIS actively participates in the International Organization for Standardization (ISO). The mission of the
ASIS Standards and Guidelines Commission is to advance the practice of security management through the development of standards
and guidelines within a voluntary, nonproprietary, and consensus-based process, utilizing to the fullest extent possible the knowledge,
experience, and expertise of ASIS membership, security professionals, and the global security industry.

About RIMS
As the preeminent organization dedicated to advancing the practice of risk management, RIMS, the risk management society™,
is a global not-for-profit organization representing more than 3,500 industrial, service, nonprofit, charitable and government
entities throughout the world. Founded in 1950, RIMS brings networking, professional development and education
opportunities to its membership of more than 11,000 risk management professionals who are located in more than 60 countries.

Suggestions for improvement of this document are welcome. They should be sent to ASIS International, 1625 Prince Street,
Alexandria, VA 22314-2818.

Commission Members
Charles Baley, Farmers Insurance Group, Inc.
Michael Bouchard, Sterling Global Operations, Inc.
Cynthia P. Conlon, CPP, Conlon Consulting Corporation
William Daly, Control Risks Security Consulting
Lisa DuBrock, Radian Compliance LLC
Eugene Ferraro, CPP, CFE, PCI, SPHR, Convercent, Inc.
F. Mark Geraci, CPP, Purdue Pharma L.P., Chair

Bernard Greenawalt, CPP, Securitas Security Services USA, Inc.
Robert Jones, Socrates Ltd
Glen Kitteringham, CPP, Kitteringham Security Group Inc.
Michael Knoke, CPP, Express Scripts, Inc., Vice Chair
Bryan Leadbetter, CPP, Alcoa Inc.
Marc Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative
Jose Miguel Sobron, United Nations
Roger Warwick, CPP, Pyramid International Temi Group
Allison Wylde, Consultant

At the time it approved this document, RA, which is responsible for the development of this Standard, had the following
members:

Committee Members
Committee Co-Chair: Carol Fox, ARM, Director of Strategic and Enterprise Practice, RIMS
Committee Co-Chair: Marc Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative
Commission Liaison: Glen Kitteringham, CPP, Kitteringham Security Group Inc.
Committee Secretariat: Sue Carioti, ASIS Secretariat

Kaleem Ahmed, Independent


Sean Ahrens, M.A., CPP, BSCP, CSC, Aon Corporation
Ian Alderson, CPP, Independent
Christopher Aldous, Dip SP&C (Open), CPP, PSP, Design Security Ltd
Lyle Alexander, CPP, A.R.M Specialists Ltd
Rex Alexander, HeliExperts International LLC
Kanch Algama, DynCorp International, LLC
Frank Amoyaw, LandMark Security Limited
Edgard Ansola, CISA, CISSP, CEH, CCNA, Asepeyo MATEPSS nº151
Gina Arbeau, Cadillac Fairview Ltd.
Julie Ashley, The MITRE Corporation
Paul Aube, CPP, Dessau
Don Aviv, CPP, PSP, PCI, Interfor Inc.
Pradeep Bajaj, Eagle Hunter Solutions Limited
Mark Baker, CPP, Macatoma Security Inc.
Guillaume Banville, PSP, Bell Canada
Serge Barbeau, CPP, Chartand-Barbeau
Shayne Bates, CPP, LMC Consulting Group
Mark Beaudry, CPP, Independent
Jay Beighley, CPP, CFE, Nationwide Insurance
Dan Belai, CPP, PSP, Independent
Frank Bellomo, Business Risks International
Ray Bernard, PSP, RBCS, Inc.

William Besse, Andrews International LLC
John Biddy, CPP, Independent
Robert Birdsall, CPP, Independent
Ingeborg (Inge) Black, CPP, CFE, CPOI, Appollo International
Dennis Blass, CPP, PSP, CISSP, CFE, Children’s of Alabama
John Boal, CPP, PCI, Independent
Michael Bouchard, Security Dynamics Group LLC
Gertrude Branch, American National Red Cross
Patrick Brennan, Crivello Carlson
Mitchell Brockbank, CISSP, CISA, Independent
John Brown, CPP, Thomson Reuters
Michael Brzozowski, PSP, CPP, Symcor
Dirk Buerhaus, KOETTER GmbH & Co. KG Security
David Bunch, CPP, Independent
Donald Byrne, CBCP, CDCP, Independent
James Calder, Ph.D, CPP, Independent
Herbert Calderon, CPP, PSP, CFE, Talisman Energy
John Casas, PSP, John Casas & Associates LLC
Laurie Champion, CPCU, Aon Corporation
Chee-Seng Chan, CBCP, Spot Management Services Pte., Ltd.
Antony Chattin, IRCA 9001 Lead Auditor, Maritime Security Solutions Global Ltd.
Albert Concordia, CPP, ACE Group Insurance
Bill Cooper, Northwest University
Amaury Cooper, International Relief & Development (IRD)
Jose Correa, CPP, PSP, Independent
Georges Cowan, Business Continu-IT Partners
Geoffrey Craighead, CPP, Universal Protection Service
Michael Crocker, CPP and CSC, Michael Crocker, CPP & Assoc., Inc.
Kenneth Crowther, The MITRE Corporation
Dana Curtiss, Cook County Department of Homeland Security & Emergency Management
Ali Dalipi, Villanova University
Allan Davis, Sizemore Inc.
Frank Davis, CPP, MSc. Trident Manor
Eric Davoine, Independent
Robert Day, CPP, PCI, CSP, CRSP, CHRP, CPMSIA, Office of Regulatory Change Management
Debra Decker, Independent
Donald Decker, CPP, CPM, Robson Forensic, Inc.
Sean Denson, World Vision International
Mark DeWitt, Independent
Anthony DiSalvatore, CPP, PSP, PCI, REVEL
Anthony Dobson, Independent
Richard Dobson, Luxottica
Maria Dominguez, CPP, Bank of America
Bobby Dominguez, CPP, CISSP, PMP, Infinite Computer Systems, Inc.

Daniel Donohue, CPP, Caterpillar Inc.
Jack Dowling, CPP, PSP, JD Security Consultants, LLC
Kristen Drobnis, PMP, CBCP, CSOX, CGRM, CGRM-IT, TD Bank
David Droster, The Briggs & Stratton Corporation
Johan Du Plooy, CPP, Temi Group
Jason Dury, Independent
William Eardley, Independent
Nicholas Economou, M.B.A., Cablevision Systems Corporation
Michael Edgerton, CPP, Independent
Eduard Emde, CPP, CISSP, BMKISS Europe
Robert Fay Sr., IOSSI Unexploded Ordinance, Inc.
David Feeney, CPP, AlliedBarton Security Services
Ali Ferrer, PSP, Independent
Joseph Finley, Jr., Ph.D., CPP, G4S Secure Solutions, (USA), Inc.
Windom Fitzgerald, CPP, CHS-III, CFE, Fitzgerald Technology Group
Lawrence Fitzgerald, CPP, PSP, TRC Corporation
William Foos, CPP, Gannett Fleming, Inc.
Kevin Foster, CPEng, PhD, Foster Risk Management Ptg Ltd.
Thomas Frank, CPP, AbbVie Inc.
Sherryl Fraser, Algonquin College
Rudolf Friederich, CPP, Independent
Andrew Gale, CPP, CFE, PCIP, Independent
Francis Gallagher, PSP, Good Harbor Techmark, LLC
Nanpon Gambo, CSS, Nigerian Army
Scott Gane, CPP, CRISC, Gane Security Solutions
Douglas Glenn, PMP, SimplexGrinnell LP
Salvatore Grasso, Independent
Harold Grimsley, CPP, Blue Cross Blue Shield of Florida
Jeffrey Gruber, CPP, CHS-IV, Independent
Phillip Guffey, CPP, Roche Diagnostics
Carlos Guzman, Security 101
Mark Hankewycz, CPP, The Protection Engineering Group, Inc.
Steven Harback, CPP, Independent
Jerry Hart, MSc, SGS
Jeffrey Hauk, CPP, El Paso Water Utilities
Jeffrey Hawley, ARES Security Corporation
Patrick Hayden, Monsanto
Henri Hemery, PhD, RISK&CO
Alistair Hogg, CPP and MSc, Independent
Robert Holm, McDonald's USA
Diane Huberman-Arnold, Independent
George Huff, CBCP, BCMS Auditor, MBCI, Association of Contingency Planners (ACP)
Robert Hulshouser, CPP, Independent
John Hunepohl, PSP, ASSA ABLOY

Russell Hunt, Independent
Adam Incher, CPP, ACT Government, Shared Services
Scott Jack, CPP, Baylor Health Care System
Calvin Jaeger, Independent
Celia Jarvis, SPHR, MCR, LLC
Katherine Johnson, Harsco Corporation
Tyson Johnson, CPP, Independent
Roger Johnston, CPP, Argonne National Laboratory
Nicholas Jones, CPP, Independent
Edward Jopeck, Independent
Matthew Jordan, CPP, Parsons Corporation
Richard Kibbey, CPP, PSP, Independent
Glen Kitteringham, CPP, Kitteringham Security Group, Inc.
Kelly Klatt, CPP, Loews Hotels
Don Knox, CPP, CITRMS, Caterpillar Inc.
Daniel Kropp, CPP, Towers Watson
Ellen Ku, CBCP, Association of Contingency Planners (ACP)
Michael Kuras, CBCP, CHP, AIM Specialty Health
Keith Kushner, TRC Corporation
Eliot Kushner, CPP, CHS-V, NICET, Pacific Gas & Electric
Henrik Laidlow-Petersen, Siemens Wind Power
Mukesh Lakhanpal, CPP, G4S Secure Services India Pvt. Ltd.
Ronald Lander, CPP, Ultrasafe Security Solutions
Robert Lang, Kennesaw State University
Laura Langone, JD, Juniper Networks, Inc.
Russell Law, PSP, Gralion, LLC
Donald Lee, Jr., CPP, First Citizens Bank of North Carolina
James Leflar, Jr., CPP, CBCP, MBCI, Zantech IT Services
Vickie Leighton, AMBCI, Avanade Inc.
Jeffrey Leonard, CPP, PSP, Securitas Critical Infrastructure Services, Inc.
Vincent Lombardi, Jr., E*TRADE Financial
Christopher Lowery, Celgene Corporation
James Lukaszewski, Risdall Public Relations
Grant Lundberg, First Citizens Bank of North Carolina
William Lutz, Jr., Security On-Line Systems, Inc.
Ashley MacDonald, NCSO (ACSA) CPO (IFPO), United Protection Services, Inc.
Anthony Macisco, CPP, The Densus Group
Virginia MacSuibhne, J.D., CCEP, Roche Molecular Systems
Tracy Male, CFCP, CBCA, Independent
Peter Marotto, M.Ed., Independent
Ronald Martin, CPP, Open Security Exchange
Jan Mattingly, CRM, RF, CIP, RiskResults Consulting Inc.
Christopher Mayer, Department of Defense
Joe Mazza, CHPP, Independent

Lachlan McConnell, Orion Support, Inc. (OSI)
Timothy McCreight, Government of Alberta
Daniel McGarvey, Global Skills Exchange
Raymond McGill, CPP, Care Security Systems
James McGuffey, CPP, PSP, PCI, A.C.E. Security Consultants, LLC
Russell McGuire, Riskonnect, Inc.
Victoria McKenney, ACADEMI LLC
James Mecsics, Independent
Mohamed Fadhel Meddeb, Offline Solutions LLC
Paul Michaels, CISSP, CPP, ISP, PSP, PCI, CB&I Federal Services
Murray Mills, CPP, Independent
William Minear, II, CPP, West Virginia Military Authority
Mark Mirek, Beecher Carlson
George Mitchell, Independent
David Moore, PE, CSP, AcuTech Consulting Group
William Moore, PSP, Jacobs Engineering Inc.
Pedro Moreno, AMPM Mensajería
Andrew Morey, Independent
Dennis Morgan, DMMS Solutions
Andrew Morgan, STOPline Pty Ltd.
Juan Muñoz, CPP, Associated Projects International
Francisco Muñoz, CPP, Occidental Oil and Gas Corporation
Patrick Murphy, CPP, PSP, Marriott International Inc.
Drew Neckar, CPP, Mayo Clinic Health System
Joseph Nelson, CPP, State Street
Peter Nevins, ARM, ALCM, Independent
W. Barry Nixon, SPHR, National Institute for Prevention of Workplace Violence, Inc.
Curtis Noffsinger, CPP, PSP, Independent
Thomas Norman, CPP, PSP, Protection Partners International
Augustine Okereke, CPP, PZ Cussons Nigeria PLC
Joe Olmeda, CPP, PCI, Independent
Alexandros Paraskevas, Ph.D., Independent
Jeff Peck, PSP, City of Toronto
Jean Perois, CPP, PSP, Risk & Co.
Gene Perry, CPP, Independent
Kevin Peterson, CPP, CPOI, Innovative Protection Solutions, LLC
Axel Petri, Deutsche Telekom AG
Russ Phillips, MMTS Group
John Piper, Bearing LLC
Jose Piscione, CPP, PSP, West Corp
Frank Pisciotta, CPP, Business Protection Specialists, Inc.
Kurt Raffai, SaskGaming Corporation
Bala Ramanan, CISM, CRISC, CBCI, Microland Ltd.
Joseph Rector, CPP, PSP, PCI, 11th Security Forces Group

Brett Reddock, M.Sc., ABCP, SEM, Unparalleled Technologies
James Reese, TigerSwan
Vince Regan, CPP, PSP, PCI, Anixter, Inc.
Shawn Reilly, CPP, CHPA, Tech Systems, Inc.
John Richardson, Initiative for Human Rights in Business
Thomas Rohr Sr., CPP, Carestream Health, Inc.
Ronald Ronacher, PSP, Arup
Craig Rydalch, CISSP, CISM, PMP, AIM Specialty Health
Michael Saad, CPP, Gane Security Solutions
Ed Schlichtenmyer, ABCP, ImpactWeather
Brian Schmidt, CPP, Independent
Michael Schroeder, CBCP, MBCI, US Equities Asset Management
Josh Schubring, CPP, Mulva International Inc.
Michael Severin, Independent
Alister Shepherd, Allen & Overy LLP
Maya Siegel, M. Siegel Associates
Jeffrey Slotnick, CPP, PSP, Setracon Inc.
Jeff Snider, The MITRE Corporation
Jose Miguel Sobron, United Nations
Christopher Spillman, PSP, Port Authority of NY & NJ, Office of Emergency Management
Gregory Staisiunas, CPP, CTI, FISSM, Independent
Teresa Stanford, CPP, Security Engineers, Inc.
Barry Stanford, CPP, Independent
J. Kelly Stewart, Newcastle Consulting LLC
Peter Stiernstedt, CPP, Cikraitz AB
John St-Ilma, PSP, NCSPF, Health Canada
Jeremy Sturgeon, CPP, CFE, Apple
Robert Summers, CPP, Summers Associates, LLC
Timothy Sutton, CPP, CHSS, Sorensen, Wilder & Associates (SWA)
Kenneth Szalontay, CPP, AlliedBarton Security Services
Scott Taylor, CPP, Exact Security Pty Ltd.
Scott Tezak, Professional Engineer, TRC Corporation
Rajeev Thykatt, Infosys BPO Ltd.
Yoriko Tobishima, InterRisk Research Institute & Consulting, Inc.
Lina Tsakiris, CPP, TD Bank
Ruth Unks, ARM, Maricopa County Community College District
Karim Vellani, CPP, Threat Analysis Group, LLC
Joop Verdonk, CPP, CPOI, European Security Academy
Heather Viccione, PSP, (RBS) Citizens Bank
Corey Vitello, Ph.D., Visa Inc.
Taz Wake, CISSP, CISM, CRISC, Halkyn Consulting
Todd Warren, Spring Hill College
Andrew Weaver, PSP, PMP, Markon, Inc.
Jerry Werries, First Citizens Bank of South Carolina

Michael White, CPP, CRM, Security Risk Canada
Allan Wick, CFE, CPP, PSP, PCI, CBCP, Tri-State Generation & Transmission Association, Inc.
William Wills, CPP, Independent
Wei-Ning Wong, Ph.D., CBCP, MBCI, Instramax
Loftin Woodiel, CPP, Missouri Baptist University
Greg Wurm, CPP, Anthem
Allison Wylde, SRM, Independent
Mark Yeakley, CPP, Bank of America
Michael Yip, BFL CANADA
Paul Yung, Ph.D., Deloitte Touche Tohmatsu
Davoud Zahedi, Transportation Security Administration Air Cargo Division
Richard Zijdemans, Medtronic Inc.
Mohamad Zineddin, Khalifa University
Jeffrey Zwirn, CPP, CFPS, CFE, IDS Research & Development, Inc.

Working Group Members

Committee Co-Chair: Carol Fox, ARM, Director of Strategic and Enterprise Practice, RIMS
Committee Co-Chair: Marc Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative

Shayne Bates, CPP, LMC Consulting Group
Dennis Blass, CPP, PSP, CISSP, CFE, Children’s of Alabama
David Bunch, CPP, Independent
John Casas, PSP, John Casas & Associates LLC
Albert Concordia, CPP, ACE Group Insurance
Michael Crocker, CPP and CSC, Michael Crocker, CPP & Assoc., Inc.
Frank Davis, CPP, MSc. Security and Risk Management, Trident Manor
Donald Decker, CPP, CPM, Robson Forensic, Inc.
Sean Denson, World Vision International
Kristen Drobnis, PMP, CBCP, CSOX, CGRM, CGRM-IT, TD Bank
Johan Du Plooy, CPP, Temi Group
Jason Dury, Independent
Windom Fitzgerald, CPP, CHS-III, CFE, Fitzgerald Technology Group
Kevin Foster, CPEng, PhD, Foster Risk Management Ptg Ltd.
Thomas Frank, CPP, AbbVie Inc.
Jeffrey Gruber, CPP, CHS-IV, Independent
Alistair Hogg, CPP and MSc, Independent
George Huff, CBCP, BCMS Auditor, MBCI, Association of Contingency Planners (ACP)
Scott Jack, CPP, Baylor Health Care System
Calvin Jaeger, Independent
Glen Kitteringham, CPP, Kitteringham Security Group Inc.
James Leflar, Jr, CPP, CBCP, MBCI, Zantech IT Services
Vickie Leighton, AMBCI, Avanade Inc.
Jeffrey Leonard, CPP, PSP, Securitas Critical Infrastructure Services, Inc.

Anthony Macisco, CPP, The Densus Group
Jan Mattingly, CRM, RF, CIP, RiskResults Consulting Inc.
William Minear, II, CPP, West Virginia Military Authority
Curtis Noffsinger, CPP, PSP, Independent
Kevin Peterson, CPP, CPOI, Innovative Protection Solutions, LLC
Vince Regan, CPP, PSP, PCI, Anixter, Inc.
Jeffrey Slotnick, CPP, PSP, Setracon Inc.
J. Kelly Stewart, Newcastle Consulting LLC
Jeremy Sturgeon, CPP, CFE, Apple
Andrew Weaver, PSP, PMP, Markon, Inc.
William Wills, CPP, Independent


TABLE OF CONTENTS
0 INTRODUCTION ......................................................................................................................................................... XV
0.1 GENERAL ........................................................................................................................................................................... XV
0.2 DEFINITION OF RISK ASSESSMENT ...........................................................................................................................................XVI
0.3 QUANTITATIVE AND QUALITATIVE ANALYSIS ............................................................................................................................ XVII
0.4 MANAGING ORGANIZATIONAL AND SPECIFIC RISK ASSESSMENTS ................................................................................................ XVIII
0.5 PLAN-DO-CHECK-ACT MODEL ............................................................................................................................................... XIX
1 SCOPE ......................................................................................................................................................................... 1
2 NORMATIVE REFERENCES ............................................................................................................................................ 1
3 TERMS AND DEFINITIONS ............................................................................................................................................ 2
3.1 DEFINITIONS ......................................................................................................................................................................... 2
4 PRINCIPLES.................................................................................................................................................................. 8
4.1 GENERAL ............................................................................................................................................................................. 8
4.2 IMPARTIALITY, INDEPENDENCE, AND OBJECTIVITY ........................................................................................................................ 9
4.3 TRUST, COMPETENCE, AND DUE PROFESSIONAL CARE .................................................................................................................. 9
4.4 HONEST AND FAIR REPRESENTATION ....................................................................................................................................... 10
4.5 RESPONSIBILITY AND AUTHORITY ............................................................................................................................................ 10
4.6 CONSULTATIVE APPROACH .................................................................................................................................................... 10
4.7 FACT-BASED APPROACH ........................................................................................................................................................ 10
4.8 CONFIDENTIALITY ................................................................................................................................................................ 11
4.9 CHANGE MANAGEMENT ....................................................................................................................................................... 11
4.10 CONTINUAL IMPROVEMENT ................................................................................................................................................. 11
5 MANAGING A RISK ASSESSMENT PROGRAM ............................................................................................................. 11
5.1 GENERAL ........................................................................................................................................................................... 11
5.2 UNDERSTANDING THE ORGANIZATION AND ITS OBJECTIVES ......................................................................................................... 12
5.3 ESTABLISHING THE FRAMEWORK............................................................................................................................................. 16
5.4 ESTABLISHING THE PROGRAM ................................................................................................................................................ 22
5.5 IMPLEMENTING THE RISK ASSESSMENT PROGRAM ..................................................................................................................... 28
5.6 MONITORING THE RISK ASSESSMENT PROGRAM ........................................................................................................................ 38
5.7 REVIEW AND IMPROVEMENT.................................................................................................................................................. 39
6 PERFORMING INDIVIDUAL RISK ASSESSMENTS .......................................................................................................... 40
6.1 GENERAL ........................................................................................................................................................................... 40
6.2 COMMENCING THE RISK ASSESSMENT ..................................................................................................................................... 40
6.3 PLANNING RISK ASSESSMENT ACTIVITIES .................................................................................................................................. 45
6.4 CONDUCTING RISK ASSESSMENT ACTIVITIES.............................................................................................................................. 56
6.5 POST RISK ASSESSMENT ACTIVITIES ......................................................................................................................................... 79
7 CONFIRMING THE COMPETENCE OF RISK ASSESSORS ................................................................................................ 82
7.1 GENERAL ........................................................................................................................................................................... 82
7.2 COMPETENCE ..................................................................................................................................................................... 82
A RISK ASSESSMENT METHODS, DATA COLLECTION, AND SAMPLING ........................................................................... 88
A.1 GENERAL ........................................................................................................................................................................... 88
A.2 TYPES OF INTERACTIONS ....................................................................................................................................................... 88
A.3 ASSESSMENT PATHS............................................................................................................................................................. 89
A.4 SAMPLING ......................................................................................................................................................................... 89
B ROOT CAUSE ANALYSIS ............................................................................................................................................. 93
B.1 GENERAL ........................................................................................................................................................................... 93
B.2 APPLYING ROOT CAUSE TECHNIQUES ...................................................................................................................................... 93
B.3 TEN STEPS FOR EFFECTIVE ROOT CAUSE ANALYSIS ..................................................................................................................... 94
C BACKGROUND SCREENING AND SECURITY CLEARANCES ............................................................................................ 97
C.1 GENERAL ........................................................................................................................................................................... 97
C.2 BACKGROUND CHECKS ......................................................................................................................................................... 97
C.3 INTERVIEWS........................................................................................................................................................................ 98
C.4 PRIVACY PROTECTION........................................................................................................................................................... 99
D CONTENTS OF THE RISK ASSESSMENT REPORT ........................................................................................................ 100
E CONFIDENTIALITY AND DOCUMENT PROTECTION..................................................................................................... 102
F EXAMPLES OF RISK TREATMENT PROCEDURES THAT ENHANCE RESILIENCE OF THE ORGANIZATION......................... 103
F.1 GENERAL.......................................................................................................................................................................... 103
F.2 PREVENTION AND MITIGATION PROCEDURES ........................................................................................................................... 103
F.3 RESPONSE PROCEDURES ...................................................................................................................................................... 104
F.4 CONTINUITY PROCEDURES ................................................................................................................................................... 105
F.5 RECOVERY PROCEDURES ..................................................................................................................................................... 106
G BUSINESS IMPACT ANALYSIS ................................................................................................................................... 113
H BIBLIOGRAPHY........................................................................................................................................................ 116

TABLE OF FIGURES
FIGURE 1: RISK MANAGEMENT PROCESS (BASED ON ISO 31000) ...........................................................................................................XVI
FIGURE 2: PLAN-DO-CHECK-ACT MODEL............................................................................................................................................ XIX
FIGURE 3: FORMAL VS. INFORMAL RISK ASSESSMENTS ............................................................................................................................ 30
FIGURE 4: INFLUENCE DIAGRAM EXAMPLE .......................................................................................................................................... 37
FIGURE 5: RISK PORTFOLIO DESIGN FORMAT ...................................................................................................................................... 47
FIGURE 6: MANAGING UNCERTAINTY IN CONTEXT ................................................................................................................................ 48
FIGURE 7: ELEMENTS OF THREAT ....................................................................................................................................................... 65
FIGURE 8: DETERMINING THREAT LEVELS ............................................................................................................................................ 66
FIGURE 9: CRITICALITY AND CONSEQUENCE ANALYSIS ............................................................................................................................ 70
FIGURE 10: DETERMINING THE LEVEL OF RISK ..................................................................................................................................... 71
FIGURE 11: RISK EVALUATION FUNNEL ............................................................................................................................................... 74
FIGURE 12: CONCEPTUAL RISK “FRONTIER” ........................................................................................................................................ 75
FIGURE 13: SAMPLE MATRIX ............................................................................................................................................................ 76
FIGURE 14: SAMPLING PROCESS ....................................................................................................................................................... 90
FIGURE 15: DEFINE, ANALYZE AND SOLVE ........................................................................................................................................... 94
FIGURE 16: BUSINESS IMPACT ANALYSIS (BIA) .................................................................................................................................. 114
FIGURE 17: EXAMPLE OF BIA METHODOLOGY .................................................................................................................................. 115
FIGURE 18: EXAMPLE OF BIA PROCESS ............................................................................................................................................. 115

0 INTRODUCTION

0.1 General
A risk assessment provides the analytical foundation for risk management; the risk assessment step of
the overall process is therefore used to inform decision-making. By using a logical, structured, and
consistent approach to assessing risk, persons responsible for decision-making can systematically select
from possible choices based on reason and the best available information. In order to achieve the
organization’s overall objectives and its risk management objectives, those responsible for conducting
the risk assessment should follow a structured approach to review and analyze relevant facts,
observations, and possible outcomes. The output of the risk assessment process provides a basis for
informed decision-making to determine a particular course or courses of action.
The risk management process of an organization should support enterprise-wide strategic and
operational activities, as well as program and project-related activities. A risk assessment provides the
cornerstone for informed decision-making about how to address uncertainties in achieving an
organization’s objectives. Therefore, a comprehensive risk assessment is designed to consider the
organization’s vision, mission, values, and culture, as well as strategic and tactical objectives. It may
consider an organization's broader objectives and activities or some specific goals and objectives, but in
all cases it assesses what can affect the achievement of these, either positively or negatively.
In this Standard, we focus on risk assessments from the viewpoint that risk – the effect of uncertainty on
achieving objectives (particularly uncertainty with respect to future outcomes) – is a dynamic concept.
Therefore, risk assessments require proactive and ongoing monitoring of the internal and external
context of the organization, as well as its risks and treatment measures. Uncertainty is inseparable from
likelihood: the future plays out in various and differing scenarios, some more likely than others.
Throughout this Standard, risk is considered from the perspective of achievement of objectives and
outcomes; therefore, the effect of uncertainty on objectives may result in opportunities with potential
gains (“improving”), as well as threats that may result in potential losses (“worsening”). Risk assumes
that things will change, whether in the environment or in other circumstances.
This risk assessment standard provides guidance on developing and sustaining a coherent and effective
risk assessment program, including principles, managing an overall risk assessment program, and
performing individual risk assessments, along with confirming the competencies of risk assessors. This
standard is complementary to the standards noted in the normative references and follows the risk
assessment process outlined in the ISO 31000:2009 Risk management — Principles and guidelines and
illustrated in Figure 1. A well-defined risk assessment program and individual assessments provide the
foundation for the risk management process.
This Standard provides a generic model for conducting risk assessments (including impact analyses) for
risk management decision-making and for use with risk-based management system standards. Risk-
based management system standards require a defined, repeatable, and documented risk assessment
process. That process provides the foundation for planning the management of the issues addressed by a
management system standard, and it identifies opportunities for improvement. Therefore, following the
approach described in this Standard meets the requirements for the risk assessment process in
management system standards.

Figure 1: Risk Management Process (based on ISO 31000)

0.2 Definition of Risk Assessment


Risk assessment is the identification, analysis, and evaluation of uncertainties to objectives and outcomes.
It provides a comparison between the desired/undesired outcomes and expected rewards/losses of
organizational objectives. The risk assessment analyzes whether the uncertainty is within acceptable
boundaries and within the organization’s capacity to manage risk. The results of the risk assessment
inform the responsible and accountable decision maker(s) of choices available to effectively manage risk
to achieve the organization’s objectives. A risk assessment is a careful and methodical examination of
what could cause uncertainty, providing the basis to determine whether sufficient actions have been
taken to prevent negative outcomes, or enhance the opportunities to generate positive outcomes. It is
not possible to eliminate all risk and uncertainty, so the risk assessment helps prioritize the risks that
impact the quest to achieve organizational objectives. The context of the organization and risk
assessment provide the foundational information for:
• Calculating the effects of uncertainty which impact desired outcomes;
• Protecting an organization’s tangible and intangible assets including people; tangible assets
that are physical (i.e., site, building, equipment); intangible assets that are intellectual (i.e.,
information, processes, trade secrets); and abstract (i.e., image, reputation);
• Safeguarding the integrity and continuity of its supply chain, services, and activities;
• Understanding of the relative exposure to risk for current and planned activities;
• Enhancing the achievement of objectives and identifying untapped opportunities;
• Providing a mechanism for understanding the impact of a possible event;
• Complying with the law and regulations; and
• Identifying reasonable control measures needed to treat risk and their associated
cost/benefit.
The risk assessment is conducted in order to determine whether, how, and to what extent the
organization’s objectives, desired outcomes, and assets may be impacted. A risk assessment is tailored
to the context in which the organization operates.

0.3 Quantitative and Qualitative Analysis


Risk assessments can be accomplished in varying degrees of detail. The level of detail is dependent upon
the type of risk, purpose of the analysis, resource limitations, the information available to the assessor,
and how the findings will be communicated. Risk may be assessed using a quantitative
computational approach or a qualitative subjective approach, or a combination of both. In all cases the
underlying assumptions should be understood and documented. The types of analysis and context for
use are:
a) Qualitative analysis – relies on the reasoning and experiential judgment of assessment team
members and subject matter experts using terms, words, and images as descriptors of risk;
b) Quantitative analysis – relies on probabilities and statistics using mathematical formulas and
calculations to interpret numbers, data, and estimates; and
c) Combined approaches – can be complementary when the risk is better described and
communicated by a combination of subjective and numerical values.
In some cases, a qualitative analysis precedes a quantitative analysis in order to obtain an indication of
the level of risk and to identify principal risk factors as well as existing controls.
When choosing a qualitative analysis, quantitative analysis, or a combination of both, the reliability and
validity of the available data should be considered. The nature of the risk factors and if they are
quantifiable should also be considered. For example, the value of intangible assets and likelihood of a
threat are often difficult to quantify and require qualitative analysis. Furthermore, consideration should
be given to the target audience for the receipt of the risk assessment outputs. Decision-makers respond
to the presentation of risk assessment outputs differently, depending on the type of analysis.
Quantitative assessments can be translated into qualitative terms for communicating with stakeholders
and management. Therefore, the choice of analysis method should consider whether one method is more
understandable and usable than another.

0.3.1 Qualitative Analysis


A qualitative analysis uses descriptive terms and phrases such as “minor”, “moderate”, “major”, or
“critical” to describe potential likelihoods and consequences of risk events, and the possibility of the
consequences occurring. The terms used to describe different risks and consequences should be clearly
defined, recognizing the same phrase may not be understood the same way when describing different
risks or by different people. Qualitative analyses can be used when numerical data is inadequate,
uncertain, or unavailable to properly describe the risk. They can also be implemented when an empirical
method of analysis for decision-making is appropriate, and when initial risk screening is deemed
acceptable in lieu of quantifiable methods.

A qualitative risk assessment may have advantages when:


a) Management and the governance body will better understand a descriptive presentation of risk;
b) Communication and consultation on risk with internal and external stakeholders will be more
effective when the risk information is verbalized or visualized;
c) Underlying or historical data are not available or uncertain;
d) Resource limitations make quantitative data gathering impractical;
e) A risk is not well-defined or understood;
f) Quantification would be unnecessarily complex and may be based on potentially erroneous
assumptions;
g) Multiple risks may drive business objectives; and
h) Addressing strategic risks, which tend to be harder to quantify than operational or financial
risks.

0.3.2 Quantitative Analysis


Quantitative analysis uses numeric comparisons to describe potential likelihoods and consequences
(including the likelihood of the consequences/impact occurring). The goal is to calculate objective
numeric values for each of the components of risk evaluated in the risk assessment (e.g., threat,
vulnerability, consequence). A cost/benefit analysis may also be included in the quantitative analysis.
More than a single numerical value may be used in this method of analysis, as the analysis may apply to
more than one category of risk or consequence.
A quantitative risk assessment may have advantages when:
a) The risk lends itself to quantification in numerical terms;
b) Numerical precision and presentation are required for a particular decision;
c) Quantitative metrics are used to measure performance and success in the organization;
d) Sufficient and appropriate data is available or can be readily obtained and is relevant for
predictive assessments;
e) Risk can be better communicated and understood through quantitative comparisons; and
f) There is general agreement on underlying assumptions.
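The following is an added illustration of the qualitative, quantitative, and combined approaches of 0.3
applied to a small risk register (3.49); it is not code from the Standard, and the descriptor scales,
thresholds, rank matrix, register entries, and treatment are assumptions constructed for the example.

```python
"""Level-of-risk analysis for a small risk register.

Added example, not part of ANSI/ASIS/RIMS RA.1-2015. All scales, thresholds
and register entries below are constructed assumptions.
"""
from dataclasses import dataclass, field, replace
from typing import Optional

# 0.3.1: descriptors must be clearly defined, so each term is bound to an
# explicit numeric range (assumed values). Entries are (upper bound, term).
LIKELIHOOD_SCALE = [(0.05, "rare"), (0.20, "unlikely"), (0.50, "possible"),
                    (0.80, "likely"), (1.00, "almost certain")]
CONSEQUENCE_SCALE = [(10_000, "minor"), (100_000, "moderate"),
                     (1_000_000, "major"), (float("inf"), "critical")]
# Level of risk expressed as bands of expected annual loss (assumed thresholds).
RISK_LEVEL_SCALE = [(5_000, "low"), (50_000, "medium"),
                    (500_000, "high"), (float("inf"), "extreme")]
RISK_LEVELS = [label for _, label in RISK_LEVEL_SCALE]


def describe(value: float, scale: list) -> str:
    """Translate a number into the descriptor whose defined range contains it."""
    for upper, label in scale:
        if value <= upper:
            return label
    raise ValueError(f"{value} is outside the defined scale")


def rank(label: str, scale: list) -> int:
    """Position of a descriptor on its scale (0 = lowest)."""
    return [name for _, name in scale].index(label)


@dataclass
class RiskEntry:
    """One risk register entry (3.49): likelihood, consequence, owner, treatments."""
    risk_id: str
    description: str
    owner: str
    assumptions: list                       # 0.3: must be documented
    likelihood: Optional[float] = None      # annual probability, when quantifiable
    consequence: Optional[float] = None     # loss in currency units, when quantifiable
    likelihood_term: Optional[str] = None   # expert judgement when data is lacking
    consequence_term: Optional[str] = None
    treatments: list = field(default_factory=list)


def level_of_risk(entry: RiskEntry) -> dict:
    """Pick the analysis the available data supports and return the level of risk."""
    if not entry.assumptions:
        raise ValueError(f"{entry.risk_id}: underlying assumptions are not documented")
    result = {"risk_id": entry.risk_id, "expected_loss": None}
    if entry.likelihood is not None and entry.consequence is not None:
        # Quantitative: likelihood x consequence, then translated into words so the
        # same finding can be communicated to stakeholders and management.
        expected = entry.likelihood * entry.consequence
        result.update(method="quantitative", expected_loss=expected,
                      likelihood=describe(entry.likelihood, LIKELIHOOD_SCALE),
                      consequence=describe(entry.consequence, CONSEQUENCE_SCALE),
                      level=describe(expected, RISK_LEVEL_SCALE))
        return result
    # Qualitative or combined: any numeric input is first translated to its
    # descriptor, then a rank-sum matrix (assumed) yields the level of risk.
    lik = (entry.likelihood_term if entry.likelihood is None
           else describe(entry.likelihood, LIKELIHOOD_SCALE))
    con = (entry.consequence_term if entry.consequence is None
           else describe(entry.consequence, CONSEQUENCE_SCALE))
    if lik is None or con is None:
        raise ValueError(f"{entry.risk_id}: no data or judgement for both factors")
    method = ("qualitative" if entry.likelihood is None and entry.consequence is None
              else "combined")
    score = rank(lik, LIKELIHOOD_SCALE) + rank(con, CONSEQUENCE_SCALE)   # 0..7
    result.update(method=method, likelihood=lik, consequence=con,
                  level=RISK_LEVELS[min(score // 2, len(RISK_LEVELS) - 1)])
    return result


def treat(entry: RiskEntry, measure: str, **modified) -> RiskEntry:
    """Record a treatment and return the modified entry; analysing it gives residual risk (3.34)."""
    return replace(entry, treatments=entry.treatments + [measure], **modified)


def prioritize(entries: list) -> list:
    """Order analysed entries by level, then expected loss, to prioritise treatment."""
    results = [level_of_risk(e) for e in entries]
    return sorted(results, reverse=True,
                  key=lambda r: (RISK_LEVELS.index(r["level"]), r["expected_loss"] or 0.0))


# Constructed register entries (not from the Standard).
REGISTER = [
    RiskEntry("R1", "Ransomware halts order processing", "CISO",
              ["frequency from insurer loss data", "outage cost from BIA"],
              likelihood=0.25, consequence=400_000),
    RiskEntry("R2", "Sole-source supplier fails", "Head of Procurement",
              ["supplier financials reviewed", "no historical failure data"],
              likelihood_term="unlikely", consequence_term="critical"),
    RiskEntry("R3", "Laptop with customer data lost", "Privacy Officer",
              ["notification cost estimated per record", "loss rate by expert judgement"],
              likelihood_term="possible", consequence=30_000),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(r)
    residual = treat(REGISTER[0], "offline backups tested quarterly", consequence=50_000)
    print("residual:", level_of_risk(residual))
```

Note that an entry with no documented assumptions is rejected rather than scored, which is how the
requirement of 0.3 that assumptions be understood and documented is enforced here.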

0.4 Managing Organizational and Specific Risk Assessments


Organizational risk assessments encompass the overarching organizational structure, resources,
commitment, and documented methods used to plan and execute risk assessments. An effective program
is built by clearly defining the risk assessment objectives. A competent person with the appropriate
knowledge and experience should manage the risk assessment program and the organization should be
committed to allocating the necessary resources, people, and time to effectively administer the program
and its objectives. Priority should be given to assessing risks significant to the mission of the organization
and the uncertainties in achieving desired outcomes (e.g., exploiting an opportunity, meeting obligations,
or managing risk-related events).
A comprehensive risk assessment program may comprise many different strategic and tactical risk
assessments – either ad-hoc or conducted at defined intervals or change(s) in circumstance(s). Individual
assessments within the overall risk assessment program are conducted within a clearly defined scope
and consistent with achieving the objectives of the overall risk assessment program. This Standard also
provides guidance on the preparation for and the execution of individual risk assessments.

0.5 Plan-Do-Check-Act Model


Similar to ISO 31000, this Standard utilizes the "Plan-Do-Check-Act" (PDCA) model for both the overall
risk assessment program as well as individual risk assessments. Figure 2 illustrates the PDCA model.

Figure 2: Plan-Do-Check-Act Model


The PDCA model is a clear, systematic, and documented approach to:
a) Set measurable policies, objectives, and targets;
b) Methodically implement the program;
c) Monitor, measure, and evaluate progress;
d) Identify, prevent, or remedy problems as they occur;
e) Assess competence requirements and train persons working on the organization’s behalf;
f) Provide top management with a feedback loop to assess progress and make appropriate
changes to the risk assessment program; and
g) Manage information within the organization, thereby improving operational efficiency.
In conjunction with the PDCA model, this Standard uses a process approach for the risk assessment
program. A risk assessment program is a system of interrelated activities; their
identification, linkages, and interactions can be referred to as a “process approach”. When designing a
risk assessment program, it is necessary to identify and manage many activities in order to function
effectively. Any activity using resources and managed in order to enable the transformation of inputs
into outputs can be considered to be a process. In developing the risk assessment program and individual
risk assessments, it is important to recognize that often the output from one process directly influences
the input of another process.

AMERICAN NATIONAL STANDARD ANSI/ASIS/RIMS RA.1-2015

Risk Assessment

1 SCOPE
This Standard:
a) Provides guidance for establishing a risk assessment program and conducting individual risk
assessments consistent with ISO 31000:2009 Risk management — Principles and guidelines, and the
Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk
Management (ERM) framework;
b) Provides guidance on conducting risk assessments for risk- and resilience-based management
system standards for the disciplines of risk, resilience, security, crisis, continuity, and recovery
management, including principles of risk assessments, managing the risk assessment program,
and conducting risk assessments, as well as evaluation of competence of persons involved in
the risk assessment process;
c) Describes the process for conducting risk assessments consistent with the Plan-Do-Check-Act
Model; and
d) Provides the informational basis necessary for decision-makers to make informed decisions
about managing risks in the organization and its supply chain.
Organizations of all types and sizes can use the concepts and guidance of this Standard to conduct risk
assessments supporting their risk management activities. It is recommended that organizations
implementing risk- and resilience-based management system standards use the procedures described in
this Standard in conjunction with ISO 31000:2009 to conduct their risk management activities (see Figure
1).
This Standard is a guidance document and not intended as a specification for third-party certification. It
provides a comprehensive approach to establishing a risk assessment program and the conduct of
individual assessments. Implementation of this Standard should be tailored to the needs of the
organization.

2 NORMATIVE REFERENCES
The following standards contain provisions which, through reference in this text, constitute provisions
of this American National Standard. At the time of publication, the editions indicated were valid. All
standards are subject to revision, and parties to agreements based on this American National Standard
are encouraged to investigate the possibility of applying the most recent editions of the standards
indicated below.
a) ISO 31000:2009, Risk management — Principles and guidelines;
b) ISO/IEC 31010:2009, Risk management — Risk assessment techniques; and
c) ISO Guide 73:2009, Risk management — Vocabulary.

3 TERMS AND DEFINITIONS

3.1 Definitions
For the purposes of this Standard, the following terms and definitions apply:

Term Definition
3.1 asset Anything that has tangible or intangible value to the organization.
NOTE 1: Tangible assets include human, physical, and
environmental assets.
NOTE 2: Intangible assets include information, intellectual
property, brand, and reputation.
3.2 audit Systematic, independent, objective, and documented process for
obtaining, examining, verifying, and evaluating information relative to a
set of criteria.
3.3 capability analysis Process of evaluating the 1) competence, aptitude, and experience of
people and the organization, 2) suitability of technology, and 3)
application of processes for particular purpose(s) to determine whether or
not the expected output will fall within an acceptable range.
3.4 client Organization or person that receives a product or service.
NOTE 1: Examples include consumers, contractors, end-user,
retailer, beneficiary and purchaser.
NOTE 2: A client can be internal (e.g., another division) or
external to the organization.
3.5 communication and consultation Ongoing, iterative, and two-way processes for the exchange of
information with and between stakeholders and decision-makers regarding the management of risk.
NOTE 1: Information may relate to the context of the
organization, characteristics of the risks and their assessment,
and the selection and evaluation of risk treatment options.
NOTE 2: Communication and consultation informs the decision-
making process but does not imply joint decision-making.
3.6 community A group of associated organizations and people sharing common
interests.
3.7 competence Demonstrable ability to apply knowledge and skills to achieve intended
results.
3.8 conformity Consistency with a requirement.
3.9 consequence Result or effect of an action, condition, or decision on achieving objectives
and outcomes.
NOTE 1: Uncertainties interact and may result in singular or
multiple consequences with a potential for positive or negative
effects on objectives.
NOTE 2: Consequences should consider both tangible and
intangible factors and can be expressed qualitatively or
quantitatively, or both.
NOTE 3: Consequences may have cascading effects.
3.10 continual improvement Ongoing processes to improve products, services, and management
practices to enhance the ability to fulfill requirements.
NOTE: Changes may be incremental or comprehensive.

3.11 corrective action Action to rectify the causes of a detected nonconformity or other
undesirable circumstances.
NOTE 1: There can be more than one cause for a
nonconformity.
NOTE 2: Corrective action is taken to prevent recurrence,
whereas preventive action is taken to prevent occurrence.
3.12 criticality Of essential importance with respect to objectives and/or outcomes.
[ANSI/ASIS SPC.1-2009]
3.13 criticality analysis A process designed to systematically identify, evaluate, and rank positive
and negative impacts on an organization‘s stakeholders, assets, services,
and activities based on the importance of its mission or function, or the
significance of risks on the organization's ability to meet its objectives and
expectations.
NOTE: Determines which qualities or degrees of risk are of the
highest importance for successful execution of an organization’s
objectives or which might represent a decisive turning point in
strategy execution.
3.14 critical control point (CCP) A point, step, or process at which controls can be applied to modify risk.
NOTE 1: A threat or hazard can be prevented, eliminated, or
reduced to targeted levels.
NOTE 2: A point at which opportunity can be leveraged.
3.15 disruptive event An event that interrupts planned activities, operations, or functions,
whether anticipated or unanticipated.
3.16 document Information and supporting medium in any format.
3.17 effectiveness Extent to which planned activities accomplish a purpose thereby
producing the intended or expected outcomes.

3.18 event Change occurring in an interval of time with the potential to alter
outcomes.
NOTE 1: Likelihood and consequences of an event may be
predictable using qualitative or quantitative measures.
NOTE 2: An event may be due to singular or multiple causes
and may have more than one occurrence.
NOTE 3: The non-occurrence of an anticipated change is also
an event.
NOTE 4: An event is not a risk, rather it is the uncertainty in the
outcomes that creates risk.
3.19 impact The positive or negative effect on someone or something (see
consequence).

3.20 impact analysis Process that identifies and evaluates the potential effects of change upon
an organization. This may include an assessment of the pros and cons of
pursuing a course of action in light of its possible consequences, or the
extent and nature of further change (intended or unintended) that such
change may cause.

3.21 incident An event with consequences that has the capacity to cause gains or
losses/harm to objectives and/or assets (e.g., tangible, intangible and
human assets, the environment, and rights of stakeholders).

3.22 integrity Assuring the soundness, reliability, and completeness of tangible and
intangible assets.

3.23 likelihood Chance or probability of something happening.

3.24 management system Framework of policies, processes, and procedures used to ensure that an
organization can fulfill all tasks required to achieve its objectives.
NOTE: Management systems are used by organizations to
establish their policies, objectives, and targets; determine and
allocate resources; define roles and authorities; implement
procedures; and evaluate performance in order to achieve
desired outcomes and objectives.
3.25 monitoring Ongoing scrutiny, oversight, evaluation, and situational awareness for
determining the current status and to identify changes in the internal and
external environments as well as performance.
3.26 nonconformity Failure to fulfill a requirement.
3.27 opportunity analysis Process of identifying uncertainties that may be exploited and analyzing
the organization’s capability and readiness to exploit them. The process
may include identifying unmet or underserved customer/client needs,
identifying target markets, analyzing competitive advantages, as well as
analyzing the organization’s resource capacity to undertake an
opportunity.

3.28 organization Group of people and facilities with an arrangement of responsibilities,
authorities, and relationships.
NOTE: An organization can be a government or public entity,
company, corporation, firm, enterprise, institution, charity, sole
trader, association, or parts or combinations thereof.
3.29 planning Part of a management process focused on setting objectives, projecting
risks to these objectives, and ensuring resources and systems are in place
to ensure objectives are achieved.
3.30 prevention Measures that enable an organization to avoid, preclude, or limit the
impact of an undesired or potentially disruptive event.
3.31 preventive action Proactive change or improvement implemented to address a weakness
that is not yet responsible for causing nonconformity.
NOTE 1: A potential nonconformity which may have one or
more root causes.
NOTE 2: Preventive action is taken to avoid occurrence
whereas corrective action is taken to rectify a problem and
prevent recurrence.
3.32 procedure An established or specified way to conduct an activity or a process.

3.33 record A document set down in writing or some other permanent form for later
reference.
3.34 residual risk Remaining risk after risk treatment.
NOTE: Residual risk may include risk retained by informed
decision, untreatable risk, and/or unidentified risk.
3.35 resilience Adaptive capacity of an organization in a complex and changing
environment. [ANSI/ASIS SPC.1-2009]

3.36 resources Any asset (human, physical, information, or intangible), facilities,
equipment, materials, products, or waste that has potential value and can
be used. [ANSI/ASIS SPC.1-2009]
3.37 review Activity undertaken to determine the suitability, adequacy, and
effectiveness of the management system and its component elements to
achieve established objectives.
3.38 risk Effect of uncertainty on the achievement of strategic, tactical, and
operational objectives.
NOTE 1: Risk is considered as potentially having positive and/or
negative outcomes.
NOTE 2: Uncertainty is the state where outcomes are
unknown, lacking sufficient information, or otherwise
undetermined or undefined in the course of decision-making.
NOTE 3: Objectives may include strategic goals related to the
whole or parts of the organization and its value chain, as well as
operational and tactical issues at levels of the organization.
NOTE 4: Risk can be characterized by the effect of uncertainty
on tangible and/or intangible assets and/or potential risk events.
NOTE 5: Risk is often expressed in terms of a combination of
the consequences and likelihood of the outcomes of uncertainty.
NOTE 6: Sometimes risk is focused on negative outcomes
where it is considered a function of threats, vulnerabilities, and
consequences.
3.39 risk acceptance Informed action of consenting to retain, receive, or undertake a particular
risk.

3.40 risk analysis Process to characterize and understand the nature of risk and to define the
level of risk.
NOTE: Risk analysis assesses the likelihood and
consequences of a risk to provide the basis for risk evaluation
and risk treatment decision-making.
3.41 risk appetite The total exposed amount that an organization wishes to undertake on
the basis of risk-return trade-offs for one or more desired and expected
outcomes. [RIMS Executive Report on Exploring Risk Appetite and Risk
Tolerance]
3.42 risk assessment Overall and systematic process of evaluating the effects of uncertainty on
achieving objectives.
NOTE: Risk assessment includes risk identification, risk
analysis, and risk evaluation.
3.43 risk attitude Organization’s or individual’s view/perspective of the perceived
qualitative and quantitative value that may be gained in comparison to the
related potential loss or losses. [RIMS Executive Report on Exploring Risk
Appetite and Risk Tolerance]

3.44 risk criteria Terms of reference used to measure and evaluate the significance and
effects of risk.
NOTE 1: Risk criteria are a function of the organization’s
objectives, values, and policies, as well as the external and
internal environment.
NOTE 2: Risk criteria can be derived from jurisdictional laws,
obligations, and other requirements.

3.45 risk driver Event, individual(s), process, or trends having impact on the objectives of
the organization.

3.46 risk evaluation Process of equating the results of risk analysis with risk criteria to
determine whether a particular risk level is within an acceptable tolerance
or presents a potential opportunity.
NOTE: Risk evaluation provides the basis for decision about
risk treatment methods.
3.47 risk identification Process for determining what risks are anticipated, their characteristics,
time dependencies, frequencies, duration period, and possible outcomes.
NOTE: Risk identification involves the identification of threats,
opportunities, criticalities, weaknesses, and strengths, as well
as identifying sources of risk and potential events and their
causes and impacts.
3.48 risk management A strategic business discipline that supports the achievement of an
organization’s objectives by addressing the full spectrum of its risks and
managing the combined impact of those risks as an interrelated risk
portfolio. [RIMS Resources]
3.49 risk register A compilation for all risks identified, analyzed, and evaluated in the risk
assessment process.
NOTE: The risk register includes information on likelihood,
consequences, treatments, and risk owners.
3.50 risk source A factor with the potential to create uncertainty in achieving objectives.
NOTE: A risk source may include tangible or intangible factors
alone or in combination.

3.51 risk tolerance The amount of uncertainty an organization is prepared to accept in total
or more narrowly within a certain business unit, a particular risk category,
or for a specific initiative.
NOTE: The level of tolerance or acceptable level of variation
related to achieving objectives may be influenced by jurisdiction
law and stakeholder requirements.
[RIMS Executive Report on Exploring Risk Appetite and Risk Tolerance]

3.52 risk treatment Process of selecting and implementing measures to modify risk to achieve
objectives.
NOTE 1: Measures to modify risk may include:
• Avoiding the risk;
• Adapting internal or external parameters to change the nature of the risk;
• Exploiting a risk to pursue an opportunity;
• Eliminating or influencing the risk source;
• Modifying the likelihood;
• Modifying the consequences;
• Sharing the risk (e.g., insurance, contracts, outsourcing, etc.); and
• Accepting the risk by informed decision.
NOTE 2: Risk treatment can change the characteristics of
existing risks or generate new risks.
NOTE 3: Risk treatment may require a reallocation of resources
or modification of plans and priorities.
3.53 security The condition of being protected against hazards, threats, risks, or loss.
NOTE 1: In the general sense, security is a concept similar to
safety. The distinction between the two is an added emphasis
on being protected from dangers that originate from outside.
NOTE 2: The term security means that something not only is
secure, but that it has been secured.
[ANSI/ASIS SPC.1-2009]
3.54 stakeholder Person or organization with an interest or concern.
NOTE: A stakeholder can affect and may be affected by the
organization and its achievement of its objectives (real or
perceived).
3.55 supply chain A two-way relationship of organizations, people, activities, logistics,
information, technology, and resources engaged in activities and creating
value from point of origin to point of consumption, including
transforming materials/components to products and services for end
users.
NOTE: The supply chain may include vendors, subcontractors,
manufacturing facilities, logistics providers, internal distribution
centers, distributors, wholesalers, and other entities that lead to
the end user.
[ANSI/ASIS SCRM.1-2014]

3.56 threat analysis Process of identifying and quantifying the potential cause of an
unwanted event which may result in harm to individuals, assets, a
system or organization, the environment, or the community.
NOTE 1: Threats may be due to intentional, unintentional, or
natural events.
NOTE 2: The term hazard refers to a [dangerous] condition or
threat that may increase the frequency or severity of a loss.
[Adapted from the Risk Management Principles and Practices
textbook published by The Institutes, www.theinstitutes.org.]
3.57 top management Person or group of people responsible and accountable for formulating
organizational goals, objectives, strategies, policies, and/or allocating
resources.
3.58 undesirable event Any event that has the potential to cause a negative impact on the
achievement of objectives or assets whether tangible or intangible.
3.59 value chain The series of functions, processes, or activities, from raw materials to the
eventual end-user that creates and builds value at every step in order to
deliver a product or service.
NOTE: For further information on risk vocabulary, please consult the ISO lexicon of terminology:
• See ISO Online Browsing Platform for ISO Guide 73 definitions:
<https://www.iso.org/obp/ui/#iso:std:iso:guide:73:ed-1:v1:en>. Accessed August 2015.
• Additional risk related definitions can be found in the ISO Online Browsing Platform for ISO 31000:
<https://www.iso.org/obp/ui/#iso:std:iso:31000:ed-1:v1:en>. Accessed August 2015.

4 PRINCIPLES

4.1 General
The principles in this Standard give guidance necessary to provide transparency, confidence, and trust in
the risk assessment processes. A risk assessment is an effective tool for evaluating the organization’s risk
and resilience challenges and maturity and to drive performance improvements. In addition, the risk
assessment provides assurance to decision-makers that the adopted risk- and resilience-based
management system and risk management measures are achieving their intended objectives.
Examples of stakeholders in the risk assessment process include but are not limited to:
a) Customers, clients, stockholders, employees, contractors, and supply chain partners
(e.g., outsourced partners and critical infrastructure suppliers);
b) Government and regulatory authorities;
c) Non-governmental organizations;
d) Civil society groups; and
e) Members of the public (including the media).

The principles below apply to all the activities involved in the assessment program as well as during
individual risk assessments. Use of these principles helps validate that persons performing risk
assessments independently, yet in similar circumstances, will arrive at similar and repeatable conclusions.

4.2 Impartiality, Independence, and Objectivity


Confidence in the risk assessment process is dependent on an impartial evaluation of the risk sources
and management practices. Impartiality requires both actual and perceived objectivity. Assessment
programs should implement measures to ensure and monitor impartiality.
Assessors should be impartial, have an unbiased attitude, and avoid any conflict of interest. Possible
conflicts of interest should be identified, resolved, and documented before a risk assessment begins.
Threats to impartiality include:
a) Self-interest – threats that arise from having a vested or financial self-interest;
b) Self-review – threats that arise from reviewing advice or work done by oneself on behalf of the
organization;
c) Familiarity – threats that arise from being too familiar with the processes and/or persons being
assessed to obtain unbiased evidence and conclusions;
d) Habituation – threats that arise from complacency or over-familiarity with the context of
operating conditions;
e) Cognitive-bias – threats that arise from individuals creating their own subjective reality through
their preconceived perception of the input; and
f) Intimidation – threats that arise from having a perception of being coerced or pressured.
Whether internal staff or external consultants, assessors should be independent and objective in
performing their work. Risk assessment activities should be free from interference in conducting the
assessment and reporting its conclusions. Also, assessors should evaluate if they can conduct a risk
assessment in a culturally, professionally, organizationally, and technically unbiased fashion. Questions
related to independence or objectivity should be analyzed, mitigated, and reported. Assessors should
be aware of and sensitive to influences that may affect their judgment when conducting a risk assessment.

4.3 Trust, Competence, and Due Professional Care


Activities in risk assessment should be conducted with honesty, integrity, diligence, and responsibility.
Interested parties should be confident in the assessor’s technical competence and integrity. Competence
is the ability to apply knowledge, experience, and skills to achieve the intended purpose and accurate
results. Risk assessments should be conducted with due professional care. Integrity provides the
foundation for professionalism and trust. Assessors should demonstrate awareness of and compliance
with applicable legal, regulatory, safety, and security requirements.
Many organizations have established a code of ethics that sets standards of conduct in the performance
of work. To instill trust, an assessor’s ethical principles and integrity may be codified by a formal set of
ethical standards addressing issues of competence, independence, diligence, honesty, integrity,
impartiality, and confidentiality.

4.4 Honest and Fair Representation


Risk assessment findings and conclusions should be based on evidence that accurately and honestly
reflects the risk assessment activities and that is truthfully presented in assessment documentation.
Any impediments to achieving risk assessment objectives should be documented. Communications
should be timely, accurate, unambiguous, unbiased, and complete. Evidence should be clearly
documented.

4.5 Responsibility and Authority


Conformance to the requirements and controls of the risk management program is the responsibility of
the risk makers and risk takers within the organization. It is the responsibility of the assessment team to
objectively evaluate conformance to the criteria of the risk management program by collecting and
documenting evidence of conformance or non-conformance to the program’s requirements. Sufficient
documented evidence is necessary for a declaration of conformance and efficacy of the risk management
measures; and to identify opportunities for improvement.
The authority to perform a risk assessment should be verified prior to the start of risk assessment
activities. Authority to perform an assessment may be granted by either a single source or multiple
sources inside or outside the organization. Specific and appropriate authority to conduct the assessment
confers legitimacy to the assessment and permits the assessment to proceed. The relationship between
the permitting authority and the assessment team should be clearly understood and documented.

4.6 Consultative Approach


Communication and consultation facilitate accurate, truthful, relevant, and comprehensible two-way
exchanges of information throughout the organization. Communication and consultation with external
and internal stakeholders should take place throughout the risk assessment process. Identifying and
consulting relevant internal and external stakeholders is needed to understand the context and identify
risks. Perceptions of risk can vary among different internal and external stakeholders due to differences
in values, needs, assumptions, concepts, experience, and priorities. Communication and consultation
with relevant stakeholders is needed in order to understand stakeholders' perceptions and determine
how these need to be taken into account in the decision-making process. Given the sensitive nature of
risk assessment information, it is essential to take into account aspects of confidentiality and personal
integrity.

4.7 Fact-based Approach


Assessment conclusions should be based on verifiable evidence, where available, gathered through a
systematic risk assessment process that ensures reliability and reproducibility. It should be recognized
that an assessment is a snapshot in time conducted with finite resources; therefore any sampling
techniques should be based on a defined methodology that provides a representative sample.
Monitoring and surveillance of conformity should be defined for a meaningful duration of time or as an
ongoing process and included in the risk assessment program to ensure continued awareness,
conformance, and to drive process improvements. If the evidence falls short of fact because there is
insufficient information available, or of a type that limits its ability to be verified, then its credibility
should be supported by other reliable information.

The importance of agreeing to the validity of the underlying information is key in a risk assessment. A
clear process should be agreed as to what constitutes verifiable evidence and, when unavailable, what
constitutes reliable information or estimates.

4.8 Confidentiality
Persons involved in the risk assessment process should keep confidential any sensitive, proprietary, and
risk-related information about an organization and its management system, as well as information that
may cause harm to the interviewees, clients, customers, supply chain partners, persons who work on
their behalf, complainants, and other external stakeholders. The risk assessment and its associated data
may be considered confidential and, if so, should only be shared with persons who have a genuine need
to know. Information exchange should be based on established procedures. A mechanism should be in
place to ensure all relevant information is protected and only provided to the appropriate people and
organizations. Confidentiality arrangements should consider legal obligations, including those for
protecting information as well as requirements related to disclosure.

4.9 Change Management


As part of its risk management process, an organization should regularly review and improve its risk
assessment processes, including a review of what prompts a renewed risk assessment such as a change
in the internal or external environment.
The organization should establish a defined and documented change management program to ensure
that any internal or external changes that impact the organization are reviewed in relation to the risk
assessment. The organization should identify any triggers of deviations from expected outcomes and
new critical activities that need to be included in the change management program.

4.10 Continual Improvement


Managers improve their risk assessment processes through the monitoring, measurement, review, and
subsequent modification of the assessment program, processes, procedures, capabilities, and information
within a continual PDCA (Plan-Do-Check-Act) improvement cycle. Formal, documented reviews are conducted regularly. The
findings of such reviews should be considered by top management and action taken where necessary to
identify opportunities for improvement.

5 MANAGING A RISK ASSESSMENT PROGRAM

5.1 General
The risk assessment program establishes a framework for the overall risk assessment steps in the risk
management process. The risk assessment program sets the parameters for the overarching
organizational structure, resources, commitment, and documented methods used to plan and execute
risk assessments. An effective program has a foundation of clearly defined objectives. A competent
person possessing the necessary training, skills, and experience should manage the risk assessment
program. The necessary resources should be identified and committed to meet the program objectives
(including qualified personnel, financial allocations, and sufficient time). Priority should be given to
assessing matters significant to the organization’s mission and the achievement of its objectives. The risk
assessment program should also consider legal, regulatory, contractual, and societal obligations. A
comprehensive risk assessment program should identify opportunities to maximize favorable outcomes
as well as minimize the likelihood and consequences of undesirable and disruptive events.
The risk assessment program should define:
a) Objectives and purpose of the risk assessment;
b) Scope, activities, areas, and locations to be covered by the risk assessment;
c) Duration, number, schedule, and frequency of the risk assessment;
d) Responsibilities and authorities associated with managing and conducting the risk assessments;
e) Risk assessment criteria (standards, policies, assessment metrics, and other criteria);
f) Assessor competence and selection of teams;
g) Business management issues related to risk assessment criteria and the risk assessment itself;
h) Resources (human, time and scheduling, financial, technology, equipment, travel, etc.);
i) Confidentiality, safety, and security issues;
j) Methods of how the risk assessment will be conducted;
k) Communication of risk assessment findings;
l) Monitoring risk assessment activities;
m) Documentation, records, and documentation procedures; and
n) Risk assessment evaluation and continual improvement.
A goal of a risk assessment program is to review the risk management controls and system, as well as to
identify opportunities for improvement. When developing the risk assessment program the following
issues should be considered:
a) The management approach and the management system standard(s) being used;
b) The size and nature of the organization being assessed;
c) The complexity and volatility of the operating environment;
d) The scope, complexity, and level of maturity of the risk and business management system(s)
being assessed;
e) The risks associated with the organization being assessed and its applicable industry sector;
f) Business attributes and priorities of the organization being assessed; and
g) Allocation of resources required to adequately evaluate the management system.

5.2 Understanding the Organization and its Objectives


The key task of the persons planning and conducting a risk assessment program is to develop an
understanding of the organization to be assessed. This does not mean that the assessor must become an
expert in the operation of the enterprise to be evaluated, but must acquire enough of an understanding
of how the organization operates to appreciate its complexities and nuances.
Understanding the organization should include (but is not limited to), factors such as:
a) Organization mission and business objectives;
b) Nature of the business activity;
c) Tangible and intangible assets and its value chain;
d) Governance, authority, and management style;
e) Current risk control measures;
f) Types of services provided or products produced, manufactured, stored, or otherwise supplied;
g) Stakeholders and their objectives;
h) Types of clients, clientele, and customers served;
i) Information flow;
j) Roles, responsibilities, and accountabilities;
k) Supply chain and critical infrastructure dependencies and interdependencies;
l) Legal and regulatory environment;
m) Voluntary commitments of the organization;
n) Competitive nature of the industry;
o) Enterprise culture;
p) Geographic spread of the enterprises;
q) Any special issues raised by the production, administration and service processes (e.g.,
environmental waste, disposal of defective goods, etc.);
r) Type of labor (e.g., labor union, unskilled, use of temporary workers, outsourcing, use of
immigrants, etc.);
s) Hours of operation;
t) Sensitivity of information; and
u) Perception of risk tolerance and acceptance (internally and externally).
When evaluating the objectives of an organization, some questions to consider include:
a) What are the explicit and implicit strategic objectives of the organization and the divisions
within?
b) What is the state of development, size, industry sector, geographical spread, maturity of its
business management style, and complexity of the organization and its activities?
c) What is the nature and extent of the significant risks associated with achieving the
organization’s objectives?
d) What are the boundaries for risk taking, what risks are they willing to take, and which are they
not?
e) What is the attitude towards governance in the organization and in the management of risk?
f) Is there an organizational structure to facilitate the management of risk?
g) What is the risk management culture in the organization?
h) Is the organization progressive and innovative or conservative and averse to change?
i) Are there resources and systems to support the risk management processes?
j) What are the determining factors to consider in risk appetite and risk tolerance?

5.2.1 Enterprise Value of Tangible and Intangible Assets and Services


In order to understand the organization it is necessary to identify the people, assets, and services that
provide the enterprise tangible and intangible value. People involved in or affected by the organization
include employees, customers, visitors, vendors, patients, guests, passengers, tenants, contract
employees, and any other persons who are lawfully present on the property being assessed.
Unauthorized persons (such as trespassers) need to be considered in the risk assessment. Property
includes real estate, land and buildings, facilities; tangible property such as cash, precious metals, and
stones; monitoring, control, data, and communication systems; support infrastructure, instruments;
materials (e.g., raw materials, process materials, finished goods, and hazardous materials); high theft
items (e.g., drugs, securities, cash, etc.); as well as almost anything that can be stolen, damaged, or
otherwise affected.
Intangible assets include the brand, goodwill, or reputation of an enterprise that could be impacted.
Another high value intangible asset is information. Information includes intellectual property and
proprietary data, such as trade secrets, marketing plans, social media interaction, business expansion
plans, plant closings, confidential personal information about employees, customer lists, and other data
that if stolen, altered, or destroyed could cause harm to the organization.
Services provided to the internal and external stakeholders are important parts of the organization’s
value chain and may be affected. For example, non-availability of IT or accounting services may have an
impact on the organization, its operations, and its assets.
The enterprise value of assets and services should be considered within the context of:
a) Value relative to critical mission activities, services, and products;
b) Exclusive possession;
c) Utility;
d) Cost of creation or re-creation;
e) Criticality and competitive edge;
f) Critical human resources and knowledge;
g) Operational and business impact (including dependencies and interdependencies);
h) Cost of lost opportunity;
i) Shelf life of the asset;
j) Reputation and brand impact; and
k) Other considerations important to management or clients.
The value of an asset and service should be considered within the context of how the assets contribute to
the organization’s achievement of its objectives. While organizations may have a myriad of assets,
products and services, typically not all are mission critical. Therefore, in addition to considering the
monetary value of assets, valuation should consider how the asset fits within the value chain of the
organization and its relative value in achieving strategic and tactical objectives.

5.2.2 Considering Risk Criteria


The organization should understand and define its criteria to evaluate the significance of risk. The risk
criteria should reflect the organization’s values, objectives, and resources. While risk criteria should be
established at the beginning of the risk assessment process, they are dynamic and should be continually
reviewed. When defining the risk criteria the organization should consider:
a) Critical activities, functions, services, products, and stakeholder relationships;
b) The operating environment and inherent uncertainty in operating in specific regions;
c) The potential impact related to a disruptive or undesirable event;
d) Views and perceptions of stakeholders;
e) Legal and regulatory requirements and other requirements (e.g., contractual obligations, human
rights commitments) to which the organization subscribes;
f) The organization’s overall risk management policy;
g) The nature and types of threats and consequences that can occur to its assets, business, and
operations;
h) How the likelihood, consequences, and level of risk will be defined and determined;
i) Needs of, and impacts on, stakeholders;
j) The relative timeframes for evaluating likelihoods and consequences;
k) Reputational and perceived risk;
l) Level of risk tolerance or risk aversion of the organization and its clients (define the boundaries
for when risk is acceptable or tolerated);
m) How the level of risk will be determined; and
n) How combinations and sequence of multiple risks will be taken into account.
When setting the risk criteria, the organization should understand the risk it is willing to pursue, retain,
or take (risk appetite), as well as the risk it is ready to bear after risk treatment (risk tolerance), and the
risk it is not willing to undertake (risk aversion) in order to achieve its objectives. When setting the risk
appetite it is important to understand the nature of the uncertainty and whether the organization is able
to manage the risk to the level it is willing to pursue. Risk appetite, risk tolerance, and risk aversion have
temporal and environmental components and will change over time as circumstances change. For
example, changes in the economic or socio-political environment may be monitored for their effects on
how acceptable a risk may be. Also, when evaluating the impact of a risk on the enterprise it is important
to revisit the designated levels of risk appetite and risk tolerance to determine if factors (e.g., reputational
impacts) were fully understood when making the initial estimates. Risk appetite, risk tolerance, and risk
aversion also may vary among different enterprise levels and elements of the value chain, but should
be aligned.
Risk appetite, risk tolerance, and risk aversion need to be clearly articulated concepts. Risk appetite has to be
set in the context of the maturity of the business and risk management processes of the organization. The
organization needs to have the competence and capability to manage risk within the boundaries it sets.
Therefore, the boundaries should be tailored and proportionate to the size, nature, and maturity of the
business and risk management processes.
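As an added illustration, not taken from the Standard, of how the concepts in 5.2.2 fit together with the risk register of 3.49: each register entry is analysed into a level of risk, then evaluated (3.46) against criteria expressed as risk appetite and risk tolerance boundaries, with anything above tolerance falling in the risk-aversion zone. The 1-5 likelihood scale, the -5..+5 consequence scale, the numeric thresholds, and the sample register are all constructed assumptions for this example; the Standard prescribes none of them.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional

# Constructed scales for this example only: the Standard says the level of risk
# combines likelihood and consequence but prescribes no numeric scale.
LIKELIHOOD_SCALE = range(1, 6)    # 1 = rare ... 5 = almost certain
CONSEQUENCE_SCALE = range(-5, 6)  # -5 = severe loss ... +5 = major gain (opportunity)


class Treatment(Enum):
    # The treatment options listed in NOTE 1 of definition 3.52.
    AVOID = "avoid the risk"
    ADAPT_PARAMETERS = "adapt internal or external parameters"
    EXPLOIT = "exploit the risk to pursue an opportunity"
    ELIMINATE_SOURCE = "eliminate or influence the risk source"
    MODIFY_LIKELIHOOD = "modify the likelihood"
    MODIFY_CONSEQUENCES = "modify the consequences"
    SHARE = "share the risk (insurance, contracts, outsourcing)"
    ACCEPT = "accept the risk by informed decision"


@dataclass
class RiskCriteria:
    # Constructed numeric boundaries: appetite = level retained untreated,
    # tolerance = level borne after treatment; above tolerance = aversion zone.
    appetite_max: int
    tolerance_max: int


@dataclass
class RiskEntry:
    # One row of a risk register (3.49): likelihood, consequences, treatments,
    # risk owner, plus the residual estimate after treatment (if treated).
    risk_id: str
    description: str
    risk_source: str
    risk_owner: str
    likelihood: int
    consequence: int  # negative = loss, positive = favourable outcome
    treatments: List[Treatment] = field(default_factory=list)
    residual_likelihood: Optional[int] = None
    residual_consequence: Optional[int] = None


def level_of_risk(likelihood: int, consequence: int) -> int:
    # Combine likelihood with the magnitude of the consequence (NOTE 5 of 3.38).
    if likelihood not in LIKELIHOOD_SCALE or consequence not in CONSEQUENCE_SCALE:
        raise ValueError(f"value outside the defined scales: {likelihood}, {consequence}")
    return likelihood * abs(consequence)


def evaluate(entry: RiskEntry, criteria: RiskCriteria) -> str:
    # Risk evaluation (3.46): equate the analysed level with the risk criteria.
    inherent = level_of_risk(entry.likelihood, entry.consequence)
    if entry.consequence > 0:
        return "opportunity"  # candidate for the EXPLOIT treatment
    if inherent <= criteria.appetite_max:
        return "acceptable"  # within appetite: may be retained by informed decision
    treated = entry.residual_likelihood is not None and entry.residual_consequence is not None
    residual = level_of_risk(entry.residual_likelihood, entry.residual_consequence) if treated else inherent
    if residual > criteria.tolerance_max:
        return "outside tolerance"  # aversion zone: further treatment or avoidance
    if not entry.treatments:
        return "treatment required"  # above appetite but not yet treated
    return "tolerated after treatment"


def validate_register(entries: List[RiskEntry]) -> List[str]:
    # Consistency checks a program manager would run before evaluation.
    issues: List[str] = []
    for e in entries:
        if not e.risk_owner.strip():
            issues.append(f"{e.risk_id}: no risk owner recorded")
        if e.treatments and (e.residual_likelihood is None or e.residual_consequence is None):
            issues.append(f"{e.risk_id}: treatments recorded without a residual risk estimate")
        if Treatment.EXPLOIT in e.treatments and e.consequence <= 0:
            issues.append(f"{e.risk_id}: 'exploit' applies only to opportunities")
    return issues


def register_report(entries: List[RiskEntry], criteria: RiskCriteria) -> Dict[str, List[str]]:
    # Group risk ids by evaluation result, highest inherent level first.
    report: Dict[str, List[str]] = {}
    for e in sorted(entries, key=lambda x: level_of_risk(x.likelihood, x.consequence), reverse=True):
        report.setdefault(evaluate(e, criteria), []).append(e.risk_id)
    return report


# Constructed sample criteria and register (not taken from the Standard).
CRITERIA = RiskCriteria(appetite_max=4, tolerance_max=8)
REGISTER = [
    RiskEntry("R-01", "Single-source supplier of a critical component", "supply chain dependency",
              "Procurement lead", 3, -4, [Treatment.SHARE, Treatment.MODIFY_LIKELIHOOD], 2, -3),
    RiskEntry("R-02", "Short IT service outage", "infrastructure", "IT manager", 2, -2),
    RiskEntry("R-03", "Entering a new regional market", "strategy", "COO", 3, 3),
    RiskEntry("R-04", "Loss of key-person knowledge", "human resources", "HR director", 4, -4,
              [Treatment.MODIFY_CONSEQUENCES], 4, -3),
    RiskEntry("R-05", "Regulatory change in a region of operation", "legal environment", "", 2, -3),
]

if __name__ == "__main__":
    print("issues:", validate_register(REGISTER))
    print(register_report(REGISTER, CRITERIA))
```

Note that R-04 stays outside tolerance even after treatment, which is the case the text describes: either the boundaries were set beyond the organization's capability to manage the risk, or further treatment (or avoidance) is needed.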

5.2.3 Understanding Bias


Biases may sometimes lead to perceptual distortion, inaccurate judgment, and illogical analysis of
information. There is a common tendency to acquire and process information by filtering it through
one's own likes, dislikes, and experiences. The person managing the assessment should identify and
understand the inherent and cognitive biases within the organization and the individuals conducting the
assessment. The inherent bias is the effect of underlying factors and assumptions that impact information
collection and analysis. Cognitive biases are tendencies to think in certain ways or a failure to imagine
plausible alternatives. Types of biases to consider include (but are not limited to):
a) Social and cultural biases;
b) Familiarity and confirmation biases;
c) Perception, observational selection, and memory biases;
d) Belief and behavioral biases;
e) Relational, group-think, and tribal biases;
f) Confirmation and post-rationalization biases;
g) Information availability biases;
h) Decision-making biases; and
i) Illusion-of-control biases.

5.3 Establishing the Framework


Establishing the framework begins with identifying the internal and external context, including the
internal and external operating environments, and other factors inside and outside the organization that
may influence the risk assessment program. The framework provides the foundation and rationale for
designing, implementing, monitoring, maintaining, reviewing and continually improving the risk
assessment program.

5.3.1 Context of the Organization


Conducting a risk assessment of an organization requires knowledge of the internal and external factors
that can influence an organization’s performance in managing risks. When planning the risk assessment
process it is important to consider:
a) Risks associated with the industry sector and the organization’s processes;
b) Internal factors affecting the operating environment of the organization;
c) External factors affecting the operating environment of the organization;
d) Internal and external stakeholders who are risk-makers and risk-takers;
e) Internal and external stakeholders that are impacted by risks; and
f) Factors that influence the acceptance of risk in the organization and by its stakeholders.
Understanding the key factors, drivers, and issues that influence an organization’s ability to achieve its
objectives and meet its obligations is an integral part of any strategic or tactical planning process. The
context will provide a foundation for risk management activities. It is a complex undertaking,
particularly in organizations with less mature systems for managing risk. Therefore, the steps outlined
in this Standard should not be viewed as a linear set of sequential steps but rather as an iterative process
where the context of the organization is re-evaluated as more information becomes available.

5.3.2 Internal Context


The organization should identify, evaluate, and document its internal context, including:
a) Strategies, policies, objectives, plans, and guidelines to achieve objectives;
b) Governance, roles and responsibilities, and accountabilities;
c) Organizational values, ethos, morale, and culture;
d) Financial arrangements and restraints;
e) Information flow and decision-making processes;
f) Internal stakeholders who are the owners, contributors, impacted parties, and managers of risk
(enterprise-wide and by sub-divisions);
g) Capabilities, resources, and assets (tangible and intangible);
h) Procedures and practices;
i) Activities, functions, services, and products including their value streams; and
j) Brand and reputation.

5.3.3 External Context


The organization should define and document its external context, including:
a) The cultural and political context;
b) Legal, regulatory, technological, economic, natural, and competitive environment;
c) Contractual agreements, including other organizations within the contract scope;
d) Infrastructure dependencies and operational interdependencies;
e) Supply chain and contractor relationships and commitments;
f) External stakeholders who are the owners, contributors, impacted parties, and managers of risk
(within the value chain, vested interests, impacted communities, and the media);
g) Key issues and trends that may impact the processes and/or objectives of the organization;
h) Perceptions, values, needs, and interests of external stakeholders (including local communities
in areas of operation);
i) Operational forces and lines of authority; and
j) Brand and reputation.
In establishing its external context, the organization should ensure that the objectives and concerns of
external stakeholders are considered in the risk management criteria.

5.3.4 Supply Chain and Subcontractor Mapping and Analysis


Managing risks in the supply chain, including subcontractors, requires an understanding of the
organization’s culture and environment as well as the context of the global environment of its supply
chain. Each node of the organization’s supply chain involves a set of risks and management processes.
The organization should identify and document its upstream and downstream supply chain, including
its use of subcontractors, to identify significant risks and the potential to cause a risk event. Analysis of
supply chain risk should be included in an organization’s overall risk assessment program. The
organization should define and document the nodes and tiers in their supply chain and subcontractors
to include in their risk assessment program.

5.3.5 Risk Management Context


The risk management context of the organization describes the scope, as well as risk control parameters,
methods, and plans currently in place for the risk management activities. Before starting the design and
implementation of the risk assessment program, it is important to understand the objectives of the risk
management program and to evaluate and understand both the extent and efficacy of the current risk
control measures and system.
When determining the current state of affairs, issues to consider include:
a) The defined objectives of the risk management programs;
b) Whether the risk management program objectives are aligned with the overall business
management objectives of the organization;
c) What are the nodes in the value chain that are responsible for the greatest measure of value?
d) What are the identified activities, products, and services considered essential for achieving the
organization’s objectives?
e) What are the identified threats and vulnerabilities?
f) What are the risk control methods in place, the efficacy in controlling identified risk, the
residual risk, and the perceived cost-benefit of the control measures?
g) Were there specific exclusions to the risks identified and treated?
h) What are the data, information, and intelligence sources used to determine risks and their
perceived reliability?
i) What are the responsibilities, accountabilities, and resources for the management of risk?
j) What are the information, reporting, and records management requirements?
k) What are the interdependencies between the internal, external, and risk management contexts?

5.3.6 Needs and Requirements


The person(s) conducting the risk assessment should understand the reason and purpose for the
assessment. There should be a clear understanding between the risk manager and top management as
to the purpose of the risk assessment program and intended use of the outcomes. Various purposes of
risk assessment exist. Examples are:
a) Determine if the organization is achieving its overall management objectives;
b) Provide input for decision-making processes;
c) Identify actual, potential, and perceived risks and evaluate risk treatment processes;
d) Protect tangible and intangible assets;
e) Use of a systematic process to identify weaknesses in the organization’s processes and risk
management approaches;
f) Evaluate risk treatment measures;
g) Identify opportunities for improvement;
h) Verify accepted industry practices;
i) Promote consistency in processes across business units;
j) Promote and evaluate training and awareness programs;
k) Provide visible management support for risk management programs;
l) Conduct due diligence for purchases and supply chain partnerships;
m) Evaluate and improve the allocation of resources;
n) Understand risk exposures related to activities, projects, and operations;
o) Identify business opportunities (including launching new partnerships, products, and services);
p) Demonstrate regulatory compliance;
q) Reduce liabilities;
r) Address consumer and supply chain needs and concerns; and
s) Demonstrate reliability of product and service delivery.
When developing the risk assessment program, the risk manager should understand the organization’s
intended use of the assessment results. The intended use of the risk assessment outcomes may influence
the attitude of the participants to the risk assessment process.

5.3.7 Objectives of the Risk Assessment Program


Clearly defined risk assessment objectives are crucial to implementing a successful risk assessment
program. Risk assessments will provide more value to the organization if the risk assessment program
objectives are aligned with organizational and management objectives. The risk manager and top
management should clearly define and agree upon the risk assessment objectives.
When defining the risk assessment program objectives, the following factors should be considered:
a) Management and decision-making requirements;
b) Tangible and intangible assets to be protected;
c) Business management system requirements;
d) Organizational, business, and operational goals;
e) Legal and contractual obligations;
f) Risk management priorities and performance;
g) Perceptions and expectations of stakeholders and other interested parties, including supply
chain needs;
h) Previous risk events including exercises, drills, minor and major incidents including near
misses; and
i) Level of maturity of the organization’s management system.
Examples of risk assessment program objectives include (but are not limited to):
a) Perform gap analysis for determining improvements to business and risk management
processes;
b) Verify conformance of a management system to the requirements of relevant standards;
c) Demonstrate effectiveness of risk treatment measures and identify opportunities for
improvement;
d) Validate organizational risk management for internal and external stakeholders;
e) Demonstrate consistency with accepted industry practices; and
f) Evaluate alignment of risk management with the overall business management approach in
order to achieve the overall organizational objectives.

5.3.8 Evaluating the Criticality of Decisions


A decision-maker's response to an organizational situation with variable outcomes is a function of
perceived risk and perceived decision criticality. It is important to know the underlying psychological,
social, and emotional components that influence decision-making (assessor’s decisions or the decisions
of others). Some factors to consider:
a) Accurately defining a problem and its context is a large part of making a good decision, not just
solving a problem;
b) Framing a decision in terms of potential loss or gain will influence the criticality of the decisions
and perceived level of acceptable risk;
c) Timeframes for decision-making will influence the criticality of decision-making (shorter
timeframe usually results in higher criticality);
d) Quickly changing environments require revisiting the relevance of past experience and
expertise; and
e) Uncertainties, not just obvious problems, affect critical decision-making.
One risk may have compound effects on other risks. In the decision-making process, it is important to
assess risk so that interaction between multiple risks is understood. The impact of various decisions in
the assessment and treatment of risks should be considered throughout the risk assessment process, as
well as the potential for unintended consequences when addressing risk decisions.

5.3.9 Establishing the Scope of the Risk Assessment Program


The scope of the risk assessment program should be defined in order to achieve the risk assessment
objectives and consider the context of the organization, its needs, and requirements. The scope should
define the processes, functions, activities, physical boundaries (facilities and locations), and stakeholders
included within the boundaries of the risk assessment program. The scope of the risk assessment
program will have a direct effect on the resource and time requirements needed for the individual risk
assessments. When setting the scope of the risk assessment program, resource and time requirements
are directly proportional to the size of the scope. The risk manager and top management should agree
to the risk assessment program scope prior to commencing any assessments. Any subsequent changes
in scope should be mutually agreed upon and documented.
The scope of the risk assessment program may consist of one or more individual risk assessments. If
conformance to a management system standard is the objective of the risk assessment program, the scope
of the program should be in alignment with the scope of the management system with any divergence
noted and understood.
Additional factors to consider in setting the scope:
a) Size and complexity of the organization;
b) Results of previous risk assessments;
c) The likelihood and consequences of known undesirable and disruptive events (including
consideration of previous incidents and weaknesses of the management system);
d) Emerging risks and business opportunities;
e) Reports and concerns of internal and external stakeholders;
f) Supply chain nodes to be included;
g) Complexity and maturity of the risk management system; and
h) Factors related to timing, logistics, communications, and information accessibility.

5.4 Establishing the Program


5.4.1 Roles and Responsibilities
The roles and responsibilities of the parties conducting the risk assessment and the client should be
clearly defined and understood, including:
a) Risk manager (RM) – the person responsible for managing the risk assessment program and
assuring the necessary financial, human, physical, and time resources are committed to conduct
an effective risk assessment;
b) Risk assessment team leader (RTL) – the person designated as leading the risk assessment team;
c) Risk assessor (RA) – a person conducting the risk assessment, individually, or as a member of a
team;
d) Technical expert – a subject matter expert with specific knowledge or expertise who supports the
risk assessment team but does not act as an assessor (e.g., a legal or industry sector expert,
threat assessor, physical security specialist, information technology specialist, or supervisory
control and data acquisition (SCADA) specialist);
e) Observer – a person who accompanies the risk assessment team (e.g., a client’s representative,
client liaison, or guide); and
f) Client – top management or business division of an organization that requests the risk
assessment. A client may be internal or external to an organization being assessed.
NOTE: All persons performing functions should demonstrate competence in the roles they are conducting. Depending on the
size and complexity of the scope, some or all of these roles may be combined. The combined competence of the team should
be sufficient to cover all areas of expertise needed to conduct an effective assessment. See section 7.2 on competence.

The risk manager is responsible for the planning, management, and conduct of the risk assessment
program, while the RTL is responsible for the conduct of individual assessments. They are both
responsible for the professional and ethical behavior of the risk assessment team members. The RM and
RTL are responsible for:
a) Defining the objectives, criteria, and scope of the risk assessment program as well as of the
individual assessments;
b) Communicating and consulting with relevant parties to the risk assessment;
c) Ensuring the risk assessment team and its members have the necessary competence to
successfully conduct the risk assessment;
d) Ensuring the allocation of adequate resources for risk assessment;
e) Ensuring the risk assessment program is executed as planned in a timely fashion;
f) Ensuring the completeness and integrity of documentation;
g) Ensuring risks to the client and risk assessment team of conducting the risk assessment program
are appropriately managed;
h) Reviewing work product(s) assigned to assessors for completeness and accuracy; and
i) Ensuring the integrity and confidentiality of information.
The client should appoint at least one representative from top management to interface with the
assessment team. The client’s representative should have the authority to provide the assessors:
a) Authority to conduct assessment and make decisions;
b) Appropriate organizational, functional, stakeholder, and historical information to evaluate
risks;
c) Access to areas and activities to be assessed;
d) Access to relevant persons;
e) Access to information;
f) Facilities for the risk assessment team use (e.g., private work space, telecommunications, safety
and hygiene facilities, etc.);
g) Support personnel if needed;
h) Safety, security, and regulatory requirements; and
i) Information needed for protection of proprietary rights and confidentiality.

5.4.2 Legal and Other Requirements


Assessors should perform professional duties in accordance with the law and the highest ethical
principles. An assessor should observe the principles as listed in section 4 to be faithful and diligent in
conducting professional responsibilities. Assessors should safeguard confidential information and
exercise due care to prevent its improper disclosure. The assessors should not maliciously injure the
professional reputation or practice of colleagues, clients, or employers.
Risk managers and RTLs should be mindful of legal and liability issues related to the assessment.
Assessors should understand their responsibilities to:
a) Avoid conflicts of interest and to protect real and perceived impartiality;
b) Not use information learned during the course of the risk assessment for personal gain or the
gain of others;
c) Not share information beyond a need-to-know basis or in a way that can be used to restrict competition;
d) Exercise responsible care and competence to avoid violation of the principle of due care;
e) Report findings honestly;
f) Observe environmental, safety, and security regulations; and
g) Not disclose proprietary information.
Assessors should be apprised of their responsibilities to report illegal and unsafe activities within or
outside the scope of the risk assessment, including legal requirements for disclosure. Once discovered,
an assessor should not ignore illegal or unsafe activities. Assessors should inform the RTL – who informs
the client and risk manager. The RTL should verify and create a record of the condition. If the team is
endangered, the risk assessment should be stopped, and not resume until the endangering condition is
rectified.


5.4.3 Competence Requirements


Competence, the ability to apply knowledge and skills to achieve intended results, is necessary for all
parties involved in the conduct of the risk assessment. Competence is the demonstrated sum of personal
attributes, generic risk assessment knowledge and skills, risk management knowledge, and industry
sector specific knowledge and skills.
To conduct an effective risk assessment, the RM, RTL, and assessors should demonstrate skills and
knowledge in the following areas:
a) Interpersonal and communications skills;
b) Systems, PDCA, and process approaches to risk management;
c) Standards being used, as well as normative documents;
d) Principles of risk management based on ISO 31000;
e) Cultural awareness and understanding, including respect for individual’s rights;
f) Technical knowledge of the activity being assessed;
g) Risk assessment and management from a mission and operational perspective;
h) General knowledge of regulatory requirements; and
i) Industry sector and risk discipline specific good practices.
The RM and RTL should ensure assessors provide risk assessment services only in those areas where
they have the necessary knowledge, skills, and experience.

5.4.4 Identifying and Managing Uncertainty in the Risk Assessment Program


Changes both internal and external to the organization may affect risk. Therefore, analysis of the
uncertainty related to the risk assessment processes is an integral part of developing and improving the
risk assessment program. To effectively assess any organization, it is important to understand the risks
related to:
a) Complexity and dynamic nature of the external and internal environment;
b) Achieving the objectives of the assessments;
c) Real and perceived impartiality;
d) Legal and regulatory issues;
e) Execution of the assessment on the client’s organization and its activities;
f) Health, safety, and security of the assessment teams; and
g) Perceptions of interested parties.
There is a need to understand the uncertainties related to the risk assessment program to achieve its
objectives and assure credibility.


5.4.4.1 Risk to the Organization of the Assessment


Risk assessments involve evaluating inherently sensitive information of organizations. This introduces
an element of uncertainty to the risk assessment process. The risk manager should evaluate the potential
tangible and intangible impacts of the conduct of the risk assessment on the client.
The risk manager should consider:
a) Information security and confidentiality needs;
b) Protection of information sources;
c) Background of the risk assessment team;
d) Clearances;
e) Exposures of vulnerabilities;
f) Reporting requirements; and
g) Disruption to operations.

5.4.4.2 Risk to Achieving the Assessment Objectives


Persons conducting risk assessment should understand the uncertainties that may have an impact on the
achievement of the objectives of the risk assessment. It is also important to allocate available time and
resources to the areas with higher levels of risk. The planning process should prioritize resources
commensurate with the associated level of risk and ensure important risk factors are not overlooked.
In identifying, analyzing, and evaluating risks to the assessment program, the risk manager should
consider:
a) Planning;
b) Organizational and leadership buy-in to the process;
c) Overall competence of the assessment team and team members;
d) Sufficiency of allocated resources;
e) Implementation of the risk assessment plan;
f) Communication between team members as well as between the assessment team and client;
g) Appropriate documentation and recordkeeping (and documentation control) consistent with
jurisdictional requirements; and
h) Monitoring of program outcomes.

5.4.4.3 Risk to Real and Perceived Impartiality


The risk manager should establish and document a procedure for identifying, analyzing, evaluating, and
treating (e.g., reducing) risks associated with real and perceived threats to impartiality. Consideration
should be given to biases described in section 5.2.3, as well as factors related to criticality of decisions.


5.4.4.4 Legal and Regulatory


When planning the risk assessment program the risk manager should consider the jurisdictional
requirements related to:
a) Authorities and accountabilities;
b) Security (physical and information);
c) Safety;
d) Disclosure and non-disclosure requirements;
e) Duty of care; and
f) Contractual obligations.

5.4.4.5 Health, Safety, and Security of the Risk Assessment Teams


When there is the potential for exposure of the assessment team to threats and hazards during the risk
assessment, the risk manager should evaluate health, safety, and security-related risks and take
appropriate actions. For example, specialized training or protective equipment may be needed or
required for specific assignments and tasks.

5.4.4.6 Perceptions of Stakeholders and Other Interested Parties


The perceptions of external interested parties may impact the design and implementation of the risk
assessment program. Therefore, during the design of the risk assessments, the risk manager should be
aware of and consider the perceptions of:
a) Key stakeholders (e.g., workers, unions, and labor organizations, customers, investors, etc.);
b) Supply chain partners;
c) Government regulators;
d) Neighboring communities and adjacencies;
e) Civil society groups and organizations; and
f) The media.

5.4.5 Program Approach and Procedures


Design of effective risk assessment procedures should consider the adequacy and effectiveness of the
risk management controls and identify changes in risk profiles and priorities. The level of confidence in
the assessment outcomes will be based on the evidence and facts collected, not perceptions and
assumptions.
The risk manager should develop one or more procedures for managing the risk assessment program.
When developing the procedures the risk manager should identify performance metrics that will be used
to determine if the procedures were effective and successfully applied. Procedures should be developed
for:
a) Planning the assessments to evaluate the organization’s risks and controls;
b) Identifying and maintaining the appropriate level of assessor competence;
c) Selecting assessment team members and appointing the RTL;
d) Ensuring effective communication between all parties involved in the assessment;
e) Evaluating required resources, logistics, and feasibility of assessment success;
f) Conducting the assessment, including data collection and sampling techniques;
g) Evaluating the assessment data, defining priorities, and improving risk treatment methods;
h) Assessing the performance of the assessment process to identify opportunities for improvement;
i) Protecting the integrity and confidentiality of information;
j) Handling, maintaining chain of custody of, controlling access to, and archiving records; and
k) Monitoring, reviewing, and continually improving the risk assessment program.

5.4.6 Commitment of Resources


Once the objectives and scope have been established for the risk management program, the risk manager
should identify and assure the commitment of resources necessary to conduct a successful risk
assessment program. The risk manager should provide resources in terms of personnel, time, travel, and
the financial resources necessary to develop, implement, manage, and improve the risk assessment
activities (including assuring assessor competence). From the organization’s perspective, the tangible
and intangible benefits of increasing the likelihood of achieving organizational objectives should
outweigh the costs of conducting the risk assessment.
Personnel resources include the designation of appropriate and adequate full and part-time assessors, as
well as accompanying technical experts. The makeup of the assessment team should reflect the objectives
of the risk assessment program and the complexity of the organization’s system to manage risk. The risk
manager should calculate the personnel hours required to successfully complete each portion of the risk
assessment.
Factors that will affect the allocation of resource requirements (particularly personnel and time
requirements) include (but are not limited to):
a) Complexity of risk criteria and range of risks to be assessed;
b) Risks associated with the organization, its activities, and its context;
c) Complexity and size of the organization to be assessed (e.g., technologically complex or labor-
intense organizations may increase the personnel hours needed);
d) Maturity of the existing risk management system;
e) Risks associated with the risk assessment program (including minimizing bias);
f) Desired timeframe in which the assessment is to be conducted;
g) Risk assessment methodologies and sampling methods;
h) Results of prior risk assessments;
i) Extent of changes in operating environment;
j) Review of documentation;
k) Availability and accessibility of information;
l) Number of sites, multi-site considerations and diversity of stakeholders;
m) Single or multiple shifts, as well as weekends and off-hours;
n) Physical size and layout of the organization to be assessed;
o) Meeting requirements (opening and closing meetings, top management briefings, and
assessment team meetings);
p) Communications (including availability of information and communications technologies and
methods);
q) Safety and security arrangements and equipment;
r) Travel and logistics (including lodging, meals, and breaks);
s) Data analysis and report preparation;
t) Availability of competent personnel to conduct the risk assessments; and
u) Anticipated scheduling delays.

5.5 Implementing the Risk Assessment Program


5.5.1 Setting Criteria for Individual Risk Assessments
The risk assessment program may consist of one or more risk assessments, the sum of which achieves
the overall objectives of the risk assessment program. The objectives, scope, and criteria of the individual
risk assessments within the program should be consistent with the overall objectives of the risk
assessment program. The objectives of the individual risk assessments should be clearly defined and
documented. Examples of individual risk assessment objectives may include (but are not limited to),
determining:
a) Performance evaluation of the risk management system, including consistency of risk treatment
measures with the output of the risk assessment;
b) Evaluation of the conditions underlying the risk(s);
c) Extent of compliance with legal and other requirements;
d) Efficacy of the organization’s risk treatment processes;
e) Adequacy of risk management controls in a changing operational environment;
f) A basis for risk-based spending;
g) Awareness and promotion of a risk management culture in the organization; and
h) Opportunities for improvement.
The scope of the individual assessments should be clearly defined and documented. Examples of
individual risk assessment scope include (but are not limited to):
a) Specific facilities and physical locations;
b) Individual divisions and organizational units;
c) A value chain in the organization;
d) A specific set of risks;
e) Evaluation of risks related to new products and services; and
f) Specific processes.
The criteria of the individual risk assessments should be clearly defined and documented. Examples of
individual risk assessment criteria include (but are not limited to):
a) Risk management goals established by top management;
b) Management system standards requirements of one or more standards;
c) Accepted industry practices;
d) Headquarters or supply chain requirements;
e) Legal requirements;
f) Security requirements;
g) Concerns and perceived risks of stakeholders; and
h) Risk management policies and procedures.
The scope and depth of a risk assessment should be determined and documented by the organization.
The objectives and decision timeline drive specific types of risk assessments to be applied in different
situations. Figure 3 illustrates different scopes and depths of risk assessments based on specific
applications.

Figure 3: Formal vs. Informal Risk Assessments
Adapted from A Cultural Approach to Decision Making, presentation at the RIMS 2011 ERM Conference by Dr. Carl Spetzler.
Copyright © 2013. Risk and Insurance Management Society, Inc. All rights reserved.

Risk assessments become an automatic and informal part of the decision-making process when risk
management is fully integrated into the organization’s culture. When decisions become more significant
or complex, a moderate deliberative risk assessment process is needed. In these situations, limited risk
assessment techniques may be used in order to reach a decision in a shortened timeframe. When
decisions are strategic in nature and complex, a more rigorous deliberative effort is needed. In such
cases, multiple risk assessment techniques can be applied when there is a longer decision timeframe.

5.5.2 Identifying Risk Assessment Methods


The risk manager should determine the appropriate methodology for conducting an assessment to
achieve the objectives, scope and criteria. The level of detail and complexity of the risk assessment should
be tailored to the decisions that it is intended to support. Methods chosen will be a function of the size
and nature of the organization as well as risk, human, cultural, infrastructure, and geographic factors.
The risk assessment methodology employed will drive the skill sets and competence required of
assessors. Additional guidance is given in ISO 31010 and in section 6 of this Standard.
When choosing a risk assessment methodology, care should be given to remaining within the
organization’s capabilities. The methodology should follow a logical process by which the inputs into
an assessment are evaluated to produce the outputs that inform the decision-making processes. When
trying to determine the methodology, previous assessments or an industry accepted approach may be a
good starting point, but should be reevaluated for appropriateness and tailored to the current
circumstances. Choice of methodology should also consider data availability and resource constraints.
When selecting a methodology, it is important to understand the reliability and confidence levels of the
available data, particularly estimates of likelihood and consequences. There is no single methodology
that is appropriate for measuring the likelihood and consequences of various risks. Each methodology
requires independent judgment regarding its design. In some cases, it may not even be possible, or
necessary, to explicitly determine likelihood and consequence. As a general rule, simple methodologies
are less prone to errors and are easier for stakeholders to understand, as well as more likely to fulfill the
principles of transparency and practicality. The methodology that best meets the decision-maker’s needs
is generally the best choice, whether quantitative or qualitative.

5.5.3 Competence, Evaluation and Selection of Risk Assessors


The credibility of any risk assessment program is dependent on the experience, knowledge, and
interpersonal skills of the assessment team. The risk manager should select team members and an RTL
based on the competence needed to achieve the objectives of the risk assessment and with the
interpersonal skills necessary to interface well with persons in the organization being assessed. The size
and composition of the team will be dependent on the objectives, scope, and criteria of the risk
assessment and the size and complexity of the organization being assessed.
The team members are responsible to collect data to support analysis and evaluation of risks and any
proposed control measures to treat risk. Team members should be able to gather information efficiently,
objectively, and with due consideration of potential disruption to the organization’s normal routine.
The risk manager should establish well-defined criteria for selection of individuals and assigning work.
Procedures should be developed to evaluate particular assessor qualifications, including:
a) Knowledge;
b) Experience; and
c) Personal skills and traits.
Factors to consider in selecting members of an assessment team include:
a) Overall competence of the assessment team needed to achieve the risk assessment objectives;
b) Nature of the risk management system and what specific risk disciplines have been addressed
(e.g., compliance, safety, security, crisis and continuity management – assessors may have a
specific discipline focus and bias so discipline balance should be considered);
c) Knowledge of industry sector and the risks the sector faces, including understanding the
specific context of the organization and its dependencies;
d) Complexity of the risk management activities, including the use of single or multiple
management system standards;
e) Risk assessment methods to be used;
f) Legal, regulatory and other requirements keeping in mind jurisdictional variations;
g) Independence, impartiality and avoidance of perceived or real conflict of interest;
h) Personal, cultural, social and language skills required to deal with diversity in the organization;
i) Security, clearances, citizenship, and safety requirements of the team members;
j) Dynamics of the team members and their ability to work together and with the client;
k) Logistics and availability of personnel; and
l) Leadership requirements and the need to oversee and train new assessors.
When considering the selection of assessors, the risk manager should evaluate the qualifications,
knowledge, experience, personal skills, and traits of the assessors needed to achieve the risk assessment
objectives. The risk manager should have a documented process for evaluating and selecting assessors.
See section 7 for additional details.
Technical experts may supplement the competence of the team. At all times the technical experts should
operate in conjunction with the risk assessors. Technical experts are intended to supplement the overall
expertise of a risk assessment team to provide subject matter expertise. Technical experts are not a
substitute for assessors having competence in the risk disciplines being assessed.
Assessors-in-training may also be included in the team. Assessors-in-training should have knowledge
of conducting risk assessments, the risks associated with the organization, and risk management. They
should participate under the direction and guidance of an experienced assessor.
The risk manager and RTL may make adjustments to the team during the course of the assessment
depending on the need for additional competencies.

5.5.4. Establishing Roles and Responsibilities of Risk Assessment Team Leader


The risk manager should assign an individual to be risk assessment team leader (RTL) well in advance
of commencement of the assessments to allow for sufficient preparation time. Since the RTL is tasked
with conducting the assessment, as well as directing and monitoring the team, the individual should be
an experienced assessor and familiar with the business and industry sector being assessed, as well as
risk-based disciplines being managed. The RTL is responsible for:
a) Satisfactory performance of all phases and activities of the assessment;
b) Representing the assessment team with the client and/or organization’s management team;
c) Initiating and maintaining communication with the client and/or organization’s management
team;
d) Encouraging diversity of views while maintaining professional behavior and harmony amongst
the assessment team members;
e) Developing the risk assessment plan;
f) Managing risks during the risk assessment process;
g) Leading, organizing and directing assessment team members (particularly assessors-in-
training);
h) Making effective use of resources during the risk assessment and time management;
i) Conducting opening and closing meetings;
j) Conducting regular meetings and briefings with the risk assessment team as well as client
and/or organization’s management team;
k) Protecting the health, safety and security of the assessment team;
l) Assuring the confidentiality and protection of sensitive and proprietary information;
m) Preventing and resolving conflicts;
n) Reviewing the evidence and observations of the assessors and leading the team in determining
the findings and conclusion; and
o) Preparing and submitting the risk assessment report, assuring its factual accuracy and clarity of
recommendations.
Specific assessment assignments should be based on the experience and knowledge of the individual
assessors and reflect the complexity of the assessment tasks. There should be a balance in the assessment
team between technical, legal, industry, administrative, and risk-based discipline management
knowledge. The RTL should assign and communicate assessment responsibilities prior to commencing
the assessment.

5.5.5 Managing and Maintaining Program Documentation, Records, and Document Control
The risk manager should identify the documentation needs of the risk assessment. Procedures should
be established for the use and handling of documents and records created for the risk assessment
program by the risk manager. Clear procedures should be outlined for obtaining and handling client
and organizational documentation. The client and organizational management must explicitly approve
copying of any information or photography. Assessors should not remove, modify, delete, or destroy
documents (including electronic files) without explicit written permission to do so.
The risk manager should establish, implement, and maintain procedures to protect the sensitivity,
confidentiality, and integrity of documents and records including access to, identification, storage,
protection, retrieval, retention, and disposal of records. Documents should be clearly labelled as to their
status and version (e.g., draft or final, active or archival) as well as level of sensitivity and confidentiality.
Records should be maintained of access to information and documents.
In instances where reports are deemed confidential, the risk manager should establish computer and
network controls over files and risk assessment information to prevent access by unauthorized users.
When confidential information is collected the risk manager should establish procedures and provide
technology to assessment team members to use encrypted storage devices or laptops to secure this
information.
Records and documentation should be created, maintained, and appropriately stored for both the overall
risk assessment program and individual assessments, including:
a) Program objectives, criteria, and scope;
b) Risk assessment and treatment methods, and measures;
c) Evaluation of achievement of risk assessment objectives; and
d) Risk assessment program effectiveness and opportunities for improvement.
For individual risk assessments, records should include:
a) Plans and reports;
b) Assumptions, stakeholders, and information sources;
c) Risk criteria and risk appetite;
d) Safety, security, and confidentiality requirements and conditions;
e) Agenda and minutes from opening and closing meetings;
f) Non-conformance and corrective action reports;
g) Modification of risk treatment methods; and
h) Risk assessment follow-up reports.
Procedures should be established to create and maintain records of risk assessment performance.
Performance review records should be used to drive continual improvement of risk assessment process
and assessment team competence. Examples of performance records include:
a) Feedback from the organization and client;
b) Selection criteria and competence of assessment team members;
c) Performance evaluations of the assessment team members and team leader;
d) Effectiveness of time management; and
e) Needs for continuing training and competence improvement of assessment team members.
5.5.6 Performing the Risk Assessment and Operational Control


The risk manager, in conjunction with the RTL, should identify the documentation necessary to assess
risks to the organization and its value chain. The RTL should contact the appropriate internal and
external stakeholders to assess the availability of documents related to the risk assessment within the
scope of the assessment.
The organization’s risk management policies and procedures are reviewed first to determine if the risk
management system has been clearly and completely defined and designed. Organizational and client
documentation should be reviewed to determine if it conforms to risk management requirements as well
as legal and regulatory requirements. Document review is not a checklist approach; rather, it is an
examination of how the elements of the risk management system interrelate and integrate to meet
objectives. For example, assessors should examine and evaluate the interrelationships and integration
of the organizational objectives, value chain, business management, and risk management approaches.
When conducting the initial document review, attention should be given to:
a) Scope of the organization’s risk management system;
b) Parameters addressed by the risk assessment program;
c) Context of the risk environment;
d) The organization’s risk criteria;
e) Methodology and key outcomes of previous risk assessments;
f) Selection and effectiveness of risk treatment measures;
g) Internal audits and management review; and
h) Availability of current documents and responsible duties.
The document review should provide input into planning the second stage of the risk assessment: the
on-site activities. The document review should provide indications of areas needing more focus and
resources in conducting the second stage of the risk assessment, as well as the organization’s readiness
for the second stage.
The document review will indicate the likelihood of achieving the risk assessment objectives and may
indicate the need for changes in the assessment approach and team composition. Any changes should
be made in consultation with the risk manager, RTL, client, and organization’s management.
The second stage of the risk assessment consists of information and evidence gathering to substantiate
risk assessment outcomes. It should consider:
a) Are all requirements of the risk management system effectively implemented and achieving the
policy and performance objectives set forth by the organization?
b) Are issues identified in the risk assessments effectively being addressed and are they
consistently reflected through all the elements of the risk management system?
c) Are legal, regulatory, and contractual obligations being met?
d) Is management committed and leading by example?
e) Has the organization acted on identified risks, internal audit findings, exercise results, and
lessons learned from events by implementing appropriate corrective and preventive actions?
f) Is there a change management mechanism?

5.5.7 Decision Models


Decision-makers need to evaluate alternatives in terms of values and uncertainty in assessing risks.
Decision analysis provides insight into how the defined alternatives differ from one another and
provides a basis for considering new and improved alternatives. This involves understanding the
foundation of values used for probabilities, the value functions for evaluating alternatives, the value
weights for measuring the trade-off objectives, and the risk preference. The risk manager should
evaluate the sensitivity of the outcomes, weigh the reliability for key probabilities, and assess the weight
and risk preference parameters.
Scenario analysis is a process of analyzing possible and plausible future events by considering alternative
scenarios and outcomes. It provides a basis for making decisions in the context of the different conditions
and outcomes. Creating scenarios challenges assumptions about what may and may not happen. Basing
decisions and plans on more likely scenarios helps determine if decisions are reasonable even if
conditions and circumstances change. Developing and evaluating alternative scenarios reduces
uncertainty in decision-making and elucidates unknowns that may occur.
Alternatives can also be evaluated using Pareto analysis, which assumes that for risk events roughly
80% of the effects come from 20% of the causes. It is a simple technique for prioritizing possible changes
by identifying the problems that will be resolved by making these changes. This allows the risk manager
to focus on the most effective areas of risk assessment while downplaying the rest. For example, Pareto
analysis can help organizations identify the proportion of goods and suppliers on which it is most
dependent in terms of cost, value creation, production, and failure, and hence the goods and services
that can pose the most risk to the organization and its supply chain. Pareto analysis is designed for users
to identify which small set of practices, functions, suppliers, staff, etc. have the greatest impact. However,
it can be limited by its exclusion of problems which may be small initially, but may grow with time.
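The Pareto ranking described above, together with a check for the limitation the paragraph notes (items that are small now but growing), as an added example that is not part of the standard. The supplier names and event counts are constructed sample data; the 80% threshold and the "doubled since last period" growth rule are assumptions chosen for illustration.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample data (assumption, not from the standard):
# supplier -> (disruption events this period, disruption events prior period)
SUPPLIER_EVENTS: Dict[str, Tuple[int, int]] = {
    "supplier-A": (40, 38),
    "supplier-B": (25, 24),
    "supplier-C": (15, 14),
    "supplier-D": (8, 2),    # small share, but four times last period
    "supplier-E": (6, 6),
    "supplier-F": (4, 1),    # small share, but four times last period
    "supplier-G": (2, 2),
}


def pareto_cut(counts: Dict[str, int], threshold: float = 0.8) -> List[Tuple[str, float]]:
    """Rank items by contribution (largest first) and return those needed to
    reach `threshold` of the total, each paired with its cumulative share.
    This is the 'vital few' that Pareto analysis tells the risk manager to focus on."""
    total = sum(counts.values())
    if total <= 0:
        return []
    ordered = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)
    selected: List[Tuple[str, float]] = []
    running = 0
    for name, value in ordered:
        running += value
        selected.append((name, running / total))
        if running / total >= threshold:
            break
    return selected


def growth_watchlist(events: Dict[str, Tuple[int, int]],
                     selected: Set[str],
                     min_growth: float = 2.0) -> List[str]:
    """Items left outside the Pareto cut whose event count grew by at least
    `min_growth` times since the prior period. This compensates for the
    limitation of Pareto analysis: problems that are small now but growing."""
    flagged: List[Tuple[float, str]] = []
    for name, (current, prior) in events.items():
        if name in selected:
            continue
        if prior == 0:
            growth = float("inf") if current > 0 else 0.0
        else:
            growth = current / prior
        if growth >= min_growth:
            flagged.append((-growth, name))
    # Largest growth first; name breaks ties so the output is deterministic.
    return [name for _, name in sorted(flagged)]


def analyze(events: Dict[str, Tuple[int, int]]) -> Dict[str, List[str]]:
    """Run both steps and return the focus set and the watch list by name."""
    current = {name: cur for name, (cur, _) in events.items()}
    focus = pareto_cut(current)
    focus_names = {name for name, _ in focus}
    return {
        "focus": [name for name, _ in focus],
        "watch": growth_watchlist(events, focus_names),
    }


if __name__ == "__main__":
    result = analyze(SUPPLIER_EVENTS)
    print("Pareto focus set:", result["focus"])   # the suppliers behind ~80% of events
    print("Growth watch list:", result["watch"])  # small today, growing fast
```

With the constructed data, three of seven suppliers account for 80% of events and form the focus set, while two suppliers outside the cut are flagged because their event counts quadrupled; a plain Pareto cut would have dropped them.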

5.5.8 Influencing Factors


Stakeholder influence, such as the impact of government regulation, generally is fairly obvious when
assessing risks. However, there are individuals or groups within an organization's sphere of activity or
geographic space that exert less obvious conforming influences on it.
Using influence diagrams can help identify the strength of these influencing factors and help the RTL
determine potential weighting for consideration.
At their simplest and most basic, influence diagrams are a representation of the influencers on objectives
and risks. Charting influencing factors and what they impact can offer critical insights. The diamonds in
the diagram represent influential variables and the connections indicate varying levels of dependence
(see Figure 4). A node with a higher number of connections is a high-dependency node. Tracing these
dependencies can lead to greater understanding of how multiple influencers may affect performance.
Figure 4: Influence Diagram Example (adapted from Risk and Insurance Management Society, Inc. Copyright © 2014. All rights reserved.)
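The dependency tracing described in 5.5.8, as an added example that is not part of the standard and does not reproduce Figure 4. The diagram below is a constructed one: each edge means the first node influences the second. The code counts connections per node to find high-dependency nodes and walks the edges backwards from an objective to list every direct and transitive influencer, separating out the root influencers that nothing inside the diagram acts on.

```python
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

# Constructed influence diagram (assumption, not Figure 4 from the standard):
# (influencer, influenced) pairs.
EDGES: List[Tuple[str, str]] = [
    ("Government regulation", "Compliance cost"),
    ("Government regulation", "Supplier approval lead time"),
    ("Single-source supplier", "Component availability"),
    ("Regional weather", "Component availability"),
    ("Regional weather", "Logistics capacity"),
    ("Supplier approval lead time", "Component availability"),
    ("Component availability", "Production output"),
    ("Logistics capacity", "Production output"),
    ("Compliance cost", "Unit margin"),
    ("Production output", "Revenue"),
    ("Unit margin", "Revenue"),
]


def build_graph(edges: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Map each node to the set of nodes that directly influence it."""
    influencers_of: Dict[str, Set[str]] = defaultdict(set)
    for src, dst in edges:
        influencers_of[dst].add(src)
        influencers_of.setdefault(src, set())  # make sure sources appear as nodes
    return influencers_of


def dependency_degree(edges: List[Tuple[str, str]]) -> Dict[str, int]:
    """Connections per node (incoming plus outgoing). In the sense of 5.5.8,
    the nodes with the most connections are the high-dependency nodes."""
    degree: Dict[str, int] = defaultdict(int)
    for src, dst in edges:
        degree[src] += 1
        degree[dst] += 1
    return dict(degree)


def high_dependency_nodes(edges: List[Tuple[str, str]], top: int = 3) -> List[str]:
    """The `top` most connected nodes, most connected first (name breaks ties)."""
    degree = dependency_degree(edges)
    return [n for n, _ in sorted(degree.items(), key=lambda kv: (-kv[1], kv[0]))[:top]]


def upstream_influencers(edges: List[Tuple[str, str]], objective: str) -> Set[str]:
    """Every node that directly or transitively influences `objective`.
    Breadth-first walk against the edge direction; `seen` guards against cycles."""
    graph = build_graph(edges)
    seen: Set[str] = set()
    queue = deque(graph.get(objective, ()))
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(graph.get(node, ()))
    return seen


def root_influencers(edges: List[Tuple[str, str]], objective: str) -> Set[str]:
    """Upstream influencers that have no influencers of their own inside the
    diagram: the external drivers the organization cannot act on directly."""
    graph = build_graph(edges)
    return {n for n in upstream_influencers(edges, objective) if not graph[n]}


if __name__ == "__main__":
    print("Most connected nodes:", high_dependency_nodes(EDGES))
    print("Everything influencing Revenue:", sorted(upstream_influencers(EDGES, "Revenue")))
    print("External drivers of Revenue:", sorted(root_influencers(EDGES, "Revenue")))
```

On the constructed diagram, "Component availability" has four connections and is the node whose disruption propagates most widely; the three root influencers of "Revenue" are the external conditions (regulation, the single-source supplier, regional weather) that a treatment plan can only prepare for rather than control.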

5.5.9 Managing and Reporting Program Outcomes


The risk manager is responsible for review and approval of the assessment findings and the final risk
assessment report. For credibility, any recommendation for changes should come from the assessment
team and be re-submitted for approval. In addition the risk manager is responsible for:
a) Appropriateness of corrective and preventive actions for non-conformities in the risk
assessment process;
b) Ensuring the distribution of the risk assessment report to authorized parties only;
c) Maintaining the confidentiality of sensitive and proprietary information; and
d) Assuring proper risk assessment follow-up where necessary.

5.6 Monitoring the Risk Assessment Program


5.6.1 Monitoring, Measurement, and Evaluation of Program Performance
The risk manager should establish performance metrics and measure the effectiveness of the risk
assessment program. Performance metrics should be used to evaluate the performance of both the overall
risk assessment program as well as individual risk assessments. Performance monitoring and
evaluations should include:
a) Response and implementation of corrective and preventive actions for identified
nonconformances in the risk assessment process;
b) Achievement of risk assessment objectives;
c) Value-added for the organization and client;
d) Risk-based management;
e) Time management;
f) Resource management;
g) Ability to achieve objectives and implement individual risk assessment plans;
h) Competence and professionalism of assessment team members; and
i) Effectiveness of communication between all parties involved in the risk assessment.

5.6.2 Evaluating Program Risk Management Outcomes


The risk manager and RTL should revisit the risks identified during the risk assessment process for both
the risk assessment program and individual risk assessments to determine whether the identified risks have
been adequately managed and whether any risks emerged that were not previously identified.

5.6.3 Nonconformity, Corrective, and Preventive Action


The risk manager should establish, implement, and maintain procedures for dealing with
nonconformities and for taking corrective and preventive action for issues identified in the conduct of
the risk assessment program. The procedures should include:
a) Identifying and correcting nonconformities and taking actions to mitigate their consequences;
b) Evaluating the need for actions to prevent nonconformities and implementing appropriate
actions designed to avoid their occurrence;
c) Investigating nonconformities, determining their root causes, and taking actions in order to
avoid their recurrence;
d) Recording the results of corrective and preventive actions taken; and
e) Reviewing the effectiveness of corrective and preventive actions taken.
5.6.4 Risk Assessor Competence and Skills Improvement


Assessors should enhance their knowledge, skills, and competence through continuing professional
development. The RTL should evaluate the performance of all the members of the assessment team, with
the risk manager evaluating the RTL. Evaluations should recognize both strengths and weaknesses to help
with assessor selection for future risk assessments.
The RTL and risk manager should provide feedback to assessors, particularly assessors-in-training, to
help them enhance and maintain their proficiency. Evaluations should consider:
a) Personal behaviors and professionalism;
b) Communication skills;
c) Interactions with other team members and the client;
d) Ability to follow instructions;
e) Strengths and weaknesses at accomplishing specific assessment tasks and assignments;
f) Knowledge and evaluation skills related to the assessment criteria and any discipline specific
management system standards;
g) Risk-based management knowledge; and
h) Industry sector expertise.

5.7 Review and Improvement


5.7.1 Adequacy and Effectiveness
The risk manager should review the risk assessment program to assess whether the risk assessment
objectives are being met and to ensure the program’s continuing suitability, adequacy, and effectiveness.
Reviews should include assessing opportunities for improvement and the need for changes in the risk
assessment program.
Risk assessment program review should include a review of:
a) Appropriateness of objectives, criteria, and scope;
b) Effectiveness of risk assessment and treatment measures of the risk assessment program;
c) Conformity to risk assessment program procedures;
d) Effectiveness and accuracy of risk assessment methods;
e) Resource allocations (including human resources);
f) Maintenance of records and documentation; and
g) Protection and integrity of information.

5.7.2 Need for Changes


The risk manager should monitor the context of the risk assessment program and manage change.
Factors that may trigger the need for changes in the risk assessment program include changes in the:
a) Needs, perceptions, and expectations of stakeholders and other interested parties;
b) Organizational structure, governance, or business models;
c) Risk related to impartiality and conflict of interest (real and perceived);
d) Risk environment of the client and the assessors;
e) Sector and industry trends, including identification of accepted industry practice;
f) Legal and regulatory requirements;
g) Skills required for effective assessing of risk; and
h) Availability of resources.

5.7.3 Opportunities for Improvement


The risk manager should review the overall implementation of the risk assessment program to identify
areas for improvement. Continual improvement and risk assessment program maintenance should
reflect changes in the risks, activities, and operation of the program that will affect the achievement of
objectives. The risk manager should ensure that any risk assessment program problems and their root
causes have been identified and that corrective measures have been initiated to prevent or minimize
recurrence. Any changes resulting from implementing opportunities for improvement that will impact
the on-going risk assessment program should be identified by the RTL to the client or organizational top
management prior to implementation to ensure their understanding of potential benefits and any
consequential process changes.
The risk manager should address issues related to improvement of the risk assessment program
implementation and the improvement of assessor competences. When appropriate, requesting client
feedback on possible risk assessment process improvements may be considered.

6 PERFORMING INDIVIDUAL RISK ASSESSMENTS

6.1 General
This section focuses on individual risk assessments, both the preparation for, and the execution of these
risk assessments. Depending on the scope of the assessment, not all provisions in this section are
applicable to all risk assessments.
Risk assessments can be conducted by an internal team, an external team, or a combination, depending on the
needs and resources of the organization and the depth of expertise required. A risk assessment often follows the order
described in this section. However, this is not always the case, depending on the circumstances of the
assessment, particularly the definition of assessment objectives.

6.2 Commencing the Risk Assessment


6.2.1 Setting Objectives
Objectives of the individual risk assessment should be clearly understood and documented in order to
focus tasks, resources, and goals of the assessment activities. All risk assessments should include an
analysis and evaluation of the effectiveness of current risk treatment measures and opportunities for
improvement. Objectives are set within the context of achieving the organization’s overall business and
risk management objectives. Objectives should be anchored in key value drivers. In defining the
objectives for individual assessments, consider:
a) Nature of the organization’s objectives;
b) Events that could affect the achievement of enterprise-wide objectives (positively or negatively);
c) Clear outcomes to achieve from the assessment;
d) Use of the risk assessment outcomes and dissemination of results;
e) Risk categories to be considered;
f) How the individual assessment relates to the overall risk assessment program;
g) Current control measures to manage risk and to protect tangible and intangible assets;
h) Indicators for measuring risk levels;
i) Timeframes for the risk assessment; and
j) Resources needed to achieve the objectives.
Objectives of individual assessments may be broadly defined to consider enterprise-wide strategic or
operational requirements, or more narrowly focused to consider risks related to specific products,
activities, processes, or functions. The objectives can consider issues related to the organization and/or all
or part of its supply chain (however, in today’s world few organizations are not affected by their supply
chain and dependencies).
Individual risk assessments may identify, analyze, and evaluate risks related to one or more issues
contributing to uncertainty in achieving the organization’s objectives, including (but not limited to):
a) Mission and strategic vision;
b) Operational aspects (e.g., people, processes, and systems);
c) Legal and regulatory compliance and ethical practices;
d) Contractual obligations;
e) Ability to meet project objectives;
f) Product design, development, manufacturing, distribution, use, and disposal (including
services);
g) Information access, protection, and use;
h) Brand and reputation;
i) Financial, credit, and market factors;
j) Security (tangible and intangible asset protection);
k) Safety issues;
l) Undesirable and disruptive events (e.g., criminal activities, natural disasters, technology
failures, mismanagement);
m) Socio-economic and political factors; and
n) Supply chain and dependencies (upstream and downstream).
Once defined, the objective(s) of the individual risk assessment should be written in a concise statement
and referred to in defining the scope, assumptions, procedures, and outcomes.

6.2.2 Identification of Stakeholders


The internal and external stakeholders who are the risk-makers and risk-takers should be identified. A
stakeholder is any individual or organization that is directly or indirectly involved with or affected by
an organization’s decisions and activities. Clearly identifying the internal and external stakeholders
should be conducted in tandem with identifying uncertainties in achieving the organization’s objectives
and protecting its tangible and intangible assets.
Examples of stakeholders include (but are not limited to):
a) Internal
i. Persons working on behalf of the organization, such as employees (and their families);
ii. Business owners/partners;
iii. Boards of directors;
iv. Trustees;
v. Management (enterprise-wide as well as organizational units and functions level);
vi. Labor unions and workers’ associations; and
vii. Onsite contractors/vendors.
b) External
i. Customers/clients: present and potential;
ii. Contractors/vendors/distributors;
iii. Investors/shareholders/donors/venture capitalists;
iv. Competition;
v. Financial institutions and creditors;
vi. Trade associations and international consortia;
vii. Analysts;
viii. Civil society and non-governmental organizations (NGOs);
ix. Media;
x. Government and regulatory agencies;
xi. Local law enforcement;
xii. Emergency responders; and
xiii. Surrounding communities and community leaders.

6.2.3 Identification of Internal Context and Variables


In setting the parameters of a risk assessment, consider the interrelated conditions in which objective(s)
exist or occur, as well as what the variables might be. Establishing the internal context involves
understanding how the following interrelated conditions apply to assessing risks:
a) Capabilities of the organization in terms of resources and knowledge;
b) Information flows and decision-making processes;
c) SWOT Analysis (Strengths, Weaknesses, Opportunities, Threats);
d) Performance metrics and key performance indicators;
e) Internal stakeholders;
f) Objectives and the strategies that are in place to achieve them;
g) Perceptions, values, and culture;
h) Policies and processes;
i) Standards and reference models adopted by the organization; and
j) Structures (e.g., governance, roles, and accountabilities).
The value drivers and varying perceptions of risk-taking held by the internal and external stakeholders
should be understood. Variables to be considered in assessing the risks these stakeholders perceive might
include:
a) Likelihood: The frequency, relative frequency, or probability;
b) Severity: The impact of the consequence (may be expressed in multiple terms: financial, human,
reputation, property, ability to continue operations, etc.);
c) Opportunities;
d) Timing: Speed to onset (velocity), when the event/trend occurs (trigger), how long it lasts
(duration), and resumption of operations (recovery time);
e) Vulnerability: susceptibility related to the entity’s preparedness, agility, and adaptability;
f) Expected value: Mean, mode, or median for forecasts, budgets;
g) Variability: Range, standard deviation, and probability distribution;
h) Ratios: How much of one thing there is compared to another thing;
i) Capacity and resiliency (i.e. the capacity of the organization to adapt to a changing
environment);
j) Controllability;
k) Visibility (for monitoring);
l) Interdependencies;
m) Readiness; and
n) Degree of confidence and reliability of the assessment and each of its variables.

6.2.4 Documenting Assumptions


Assumptions are an integral part of assessment and problem solving. When conducting risk
assessments, assumptions (both one’s own and others’) should be clearly defined and documented. A
risk assessment can misinterpret information if the assumptions are not clearly understood.
Furthermore, reviewing risk assessment outcomes is not reliable unless they are considered within the
context of the assumptions made by the risk assessment team. Interpretation of data and evidence by
different stakeholders is shaped by their assumptions. Therefore, assumptions should be identified,
clearly stated, justified, and documented.
Assumptions are often linked to an individual’s perspective and point of view. They provide a window
into how the persons conducting the risk assessment perceive and interpret the evidence and data
gathered. Persons conducting the risk assessment should consider:
a) What are the assumptions based on?
b) How are the underlying assumptions of risk assessment impacting the outcomes?
c) How is the assumption affected by the level of uncertainty?
d) Are the assumptions a reflection of the assessors’ biases?
e) Are assumptions that something is a “given” based on opinions or evidence?
f) How do the assumptions affect the confidence in the interpretation of evidence?
g) Are assumptions about likelihood balanced by potential consequences in achieving objectives?
h) Could the assumptions be different if made by another individual?
i) Would the outcomes be different if they were based on different assumptions?
j) Were the assumptions made when setting the risk criteria still valid in light of the evidence and
data gathered?
Identifying a potential risk event as a risk provides a basis to put a proactive plan in place to manage the
risk. All risk assumptions should be monitored and validated throughout the project to ensure a
continued understanding of their nature.

6.2.5 Defining Scope and Statement of Work


The scope may be enterprise-wide or limited to an organizational unit, geographic location, product flow,
or a particular activity, function, or source of risk. The scope defines the boundary conditions of the
individual risk assessment (what is in and out of the assessment). As with any project, scope is a function
of needs, resources, authorities, and time.
Care should be taken not to over-scope or under-scope the risk assessment. When defining the
boundaries of the assessment, the scope should be in sync with the objectives and needs of the client, as
well as the objectives and scope of the overall risk assessment program. Under-scoping may result in
some organizational objectives, assets, stakeholders, or threats being overlooked, or in tunnel vision
with regard to the interaction of sources of risk (e.g., the close interaction between physical and cyber
security when assessing the organizational objectives related to information security). Over-scoping
may result in a waste of time and resources without being able to provide enough focus to the needs of
the client.
A scope statement should be prepared that clearly defines the boundaries of the risk assessment. This
should include a statement of work highlighting the organizational, physical, operational, logical, and
risk disciplines included within the boundaries, so as to explicitly delineate what is in and what is out of
the risk assessment.
The RTL should obtain from the client verification or permission and access to conduct the risk
assessment within the approved scope.
During the course of the risk assessment, the RTL should notify the client if any significant conditions
exist outside of the scope of the assessment that otherwise may impact risk to the organization or
constitute an additional risk.

6.2.6 Policy and Management Commitment


Prior to commencing any on-site risk assessment activities, the RTL should obtain the appropriate
authorization and support of the client and/or top management in the form of a policy statement. The
policy statement should include statements of:
a) Risk assessment objectives, scope, and timing;
b) Importance of assessment to the organization being assessed;
c) Clear authorization to conduct the assessment within the stated scope;
d) Need for confidentiality and information integrity;
e) Client and/or top management commitment to engage in setting criteria and reviewing output;
f) Commitment of persons working on behalf of the organization to share information with
assessors; and
g) Commitment of the client to communicate the importance of participation in the risk
assessment to persons working on their behalf within the scope.

6.2.7 Commitment of Resources


The RTL should obtain the appropriate resources from the client and/or top management to conduct the
risk assessment activities. If the RTL determines that there is insufficient time and resources allocated to
conduct the assessment, the client should be notified. If additional resources cannot be secured, then the
objectives and scope of the assessment should be modified accordingly with the agreement of the client.

6.3 Planning Risk Assessment Activities


6.3.1 Gap Analysis
A gap analysis is a technique that can be used to determine what steps might need to be taken to improve
the organization’s capacity to conduct a risk assessment to move from a current state to a desired, future
state. Also referenced as need-gap analysis, needs analysis, and needs assessment, gap analysis seeks to
answer the questions: "where are we?" – the current state; and "where do we want to be?" – the future
state. The gap analysis includes an evaluation of the suitability of the current process for assessing risk
and if it is sufficient to manage risks. Gap analysis can also be used within the individual risk assessment.

45
ANSI/ASIS/RIMS RA.1-2015

Gap analysis consists of three steps:


1. Noting currently available factors, such as abilities, competencies, time, and performance levels
given the current resource situation ("what is");
2. Listing success factors needed to achieve future, desired objectives ("what should be"); and
3. Highlighting the gaps - that is, the amount by which the need exceeds the resources - that exist
and what gaps may need to be filled to be successful (“what to consider”).

6.3.2 Legal and Other Requirements


When conducting individual risk assessments, the RTL should review the legal and other requirements
discussed in section 5.4.2 relative to the objective and scope of the individual assessment.

6.3.3 Objectives, Targets, and Strategies

6.3.3.1 General: Objectives, Targets, and Timelines


Time is a key challenge in conducting risk assessments that achieve their objectives. The RTL needs to
develop an assessment strategy, or “path”, to collect data in a representative, logical, and methodical
manner. Effective planning is necessary to make efficient use of time to provide an informative risk
assessment. Depending on the desired outcomes for the risk assessments and whether the scope is
enterprise-wide or limited to a specific area, process or project, reasonable targets and timelines should
be established within the constraints of available resources and funding.

6.3.3.2 Analysis Approach Using a Risk Portfolio Design Format


An entity’s risk portfolio is a complete collection and range of uncertainties that affect an organization’s
future. Risk portfolios sometimes are referenced as a “risk universe”. In essence, it is an “uncertainty”
portfolio based on the organization’s internal and external context, timeframe and strategic and
operational objectives. It is a generally accepted principle that a risk portfolio is designed according to
the entity's risk appetite, risk tolerances, timeframes and return objectives. The expected value of each
objective may influence the risk/reward ratio of the entire portfolio. The potential impact of each risk
may influence other risks as well as the overall objectives of the planned strategy. Certain risks may
hedge other risks naturally which may alter the overall response/control allocation.
In the example given in Figure 5, the risk portfolio for the internal context is categorized into three areas
for which the organization may have certain objectives: strategic, operations, and financial. A fourth
category is used for the external context. While this type of design format does not address the range or
impact of the risks, nor the interconnectedness of the risks within the risk portfolio, it does provide an
approach for the risk assessment team to consider the breadth and depth of penetration the assessments
should cover given the general objectives, targets, and timelines contemplated.


Copyright © 2013. Risk and Insurance Management Society, Inc. All rights reserved.

Figure 5: Risk Portfolio Design Format


In this type of design, there may be sub-risks within each of the subcategories. For example, under
Operations/Infrastructure one might include Information Technology, with further sub-risks such as
technology infrastructure; under Operations/Processes, sub-risks such as data availability, data
integrity, data privacy, systems development, and systems implementation; and under Operations/Talent,
sub-risks such as skill requirements.

6.3.3.3 Analysis Methodology


Risk assessment methods, definitions and goals may vary widely according to whether the risk
management technique is being used in the context of operational, project, strategic, or other risk
management environments.
Similarly, outcomes and solutions may differ depending on whether risk assessments are used in
operational, project or strategic settings (see Figure 6).


Adapted from 2012 RIMS Conference presentation by Joanna Makomaski. Copyright © 2012. Risk and Insurance Management
Society, Inc. All rights reserved.

Figure 6: Managing Uncertainty in Context


For example, operational risk assessments may be limited to uncertainties associated with existing
operations and operational plans – the assets, processes, people, and systems in place – in order to deliver
a particular outcome from the organization’s operations, such as planned earnings. Project risk
assessments typically are used to assess uncertainties and potential consequences related to expected
outcome(s) of a particular project or initiative, such as delivering the project within the planned time,
budget and scope. Strategic risk assessments, on the other hand, focus on the broader deliberation and
actions regarding uncertainties and untapped opportunities that affect an organization’s planned
strategy and strategy execution, such as growth (e.g., opening new markets) or contraction objectives
(e.g., eliminating certain product or service lines).
Each assessment method has its benefits and drawbacks. When choosing a particular methodology, the
assessors first need to consider the goal and objective outcomes that the organization is seeking and
view the risks as deviations from those outcomes (whether positive or negative) before evaluating
available solutions and recommending actions that best suit the entity’s overall risk profile (position)
and desired level of risk.


6.3.4 Data Gathering


It is the assessment team’s responsibility to collect factual information/evidence and analyze it against
the risk criteria. Based on the factual evidence, the assessment team will determine its findings. Reliable
information should be used as evidence. The assessment team should have a well-developed data
collection strategy and sampling plan to ensure the gathering of comprehensive information that reflects
the scope of the risk assessment. In dynamic, unstable, or uncertain conditions where evidence may be
limited, indirect and corroborating information should be sought to approximate information reliability.
Information and data can be gathered from various sources, including (but not limited to):
a) Review of documents, performance indicators, and records;
b) Websites and databases;
c) External reports (e.g., industry publications, crime statistics, and government reports);
d) Interviews with persons (internal and external stakeholders);
e) Subject matter experts;
f) Physical evidence; and
g) Observation of operational processes.
The RTL, in consultation with assessment team members, should determine how much information
needs to be gathered. When developing a sampling plan it is important to keep in mind that the
assessment is trying to find systematic weaknesses and opportunities for improvement and not just
isolated occurrences. Sampling examines selected items and elements from the overall population. The
method of sampling should be defined and documented using sampling practice and procedures
appropriate for the data collection objectives. If contradictory data is collected or possible systemic
problems are identified, the sampling size may be increased to determine if there is a trend or pattern.
See Annex C for more information on sampling.

6.3.4.1 Types and Methods


Gathering data is the first step in the risk assessment process of finding, recognizing, and recording risks.
The purpose of data gathering is to identify what might happen or what situations might exist that may
affect the achievement of the objectives of the system or organization. The process includes identifying
the causes and sources of the risk, events, situations, or circumstances which may have a material impact
upon objectives, and the nature of that impact. Such methods can include:
a) Evidence-based methods, examples of which are observations, interviews, checklists, and
reviews of historical data;
b) Systematic team approaches where a team of experts follow a systematic process to elicit risks
by means of a structured set of prompts or questions;
c) Inductive reasoning techniques such as scanning, scenario analysis, key performance
indicator(s), and event tree logic diagrams; and
d) Other methods that may not fall directly into one of the three categories noted above.


Various techniques can be used to improve the accuracy and completeness of data gathering for
assessment purposes. Irrespective of the actual techniques employed, it is important that in the overall
risk assessment process recognition is given to human and organizational factors.
Interactions during the course of the assessment between the assessment team and those who best
understand the risks facing the organization may take a number of forms. In identifying and evaluating
the risks that are relevant and important to the organization’s objectives, the assessment team may gather
data by exploring procedures, processes, activities, technologies (including information systems), and
the interaction between human and technological performance. Gathering data can be accomplished
through direct contact or through indirect review.
Direct contact – between stakeholders and the assessment team, such as:
a) Conducting interviews (in-person, telephone, or on-line), including completing surveys and
questionnaires with stakeholder participation:
i. Open-ended questions (structured interview);
ii. Close-ended questions (checklists);
b) Conducting document reviews with stakeholder participation;
c) Brainstorming in group sessions, which involves stimulating and encouraging free-flowing
conversation amongst a group of knowledgeable people to identify potential failure modes and
associated risks;
d) Facilitated workshops, or Delphi methodology, a means of combining expert opinions that may
support source and effects identification, likelihood and consequence estimation, and risk
evaluation. It is a collaborative technique for building consensus involving independent
analysis and voting by experts;
e) Scenario co-development:
i. What-if questions;
ii. Scenario analysis - a process using descriptive models to ascertain and analyze possible
events that may occur in the future and their potential outcomes. It can be used to
identify risks by considering possible future developments and exploring their
implications. Sets of scenarios reflecting (for example) ‘best case’, ‘worst case’ and
‘expected case’ may be used to analyze potential consequences and their probabilities
for each scenario as a form of sensitivity analysis when analyzing risk;
iii. Exercising (e.g., table-top, war gaming, red-teaming, and adversary path development); and
f) Envisioning multiple potential outcomes.
Indirect review – assessment team review of available data and documentation, such as:
a) Conducting document repository reviews (e.g., loss data and near-miss records, customer
satisfaction reports, internal audit, security, and management reports);
b) On-line risk survey results;
c) Industry and analyst reports;
d) Competitor risk factors in business reports (e.g., 10-Ks);
e) Publicly available risk surveys;
f) Meteorological and geological data and reports;
g) Technical disaster and failure reports; and
h) Media sources.
Methods used in analyzing risks may be qualitative, semi-quantitative or quantitative. The degree of
detail required will depend upon the particular application, the availability of reliable data and the
decision-making needs of the organization. Some methods and the degree of detail of the analysis may
be prescribed by legislation. Additional discussion of risk identification sources may be found in section
6.4.4 Implementation.

6.3.4.2 Error Analysis


When conducting risk assessment it is important to take into consideration that certain information and
measurements are subject to uncertainties. In order to draw valid conclusions the error must be
understood, indicated, and dealt with properly. Error analysis considers the kind and quantity of error
that may occur. An indication of the accuracy of the results and the level of uncertainty should be
included with the conclusions of the risk assessment.
Errors arise from measurement and sampling inaccuracies as well as inherent variability of complex
natural, human, physical, social, and economic factors, some of which are subject to random influences.
It is important to differentiate when conclusions are based on objective or subjective probabilities and/or
if variability is the result of inherent fluctuations. When events are described subjectively they should
be based on best available data, insight, and judgment.
Sampling errors can be either systematic or random. Systematic errors are inaccuracies which tend to
shift all measurements in a systematic way so that their mean value is displaced. This may be due to such
things as biased questionnaires or preconceived notions of the person conducting the measurements.
Random errors are inaccuracies which fluctuate from one measurement to the next. They yield results
distributed about some mean value. They can occur for a variety of reasons including a lack of focus of
questions, imprecise definition of terminology, or lack of sensitivity of the analysis models.
Many statistical methods exist for quantifying error. The key to understanding the reliability and level
of confidence in risk assessment outcomes is to clearly understand the sources of error and the extent of
their influence on the conclusions.

6.3.4.3 Sensitivity Analysis


Sensitivity analysis is any systematic technique used to understand how risk estimates and risk-based
decisions are dependent on variability and uncertainty in the factors contributing to risk. Sensitivity
generally refers to the variation in output of a risk analysis model with respect to changes in the values
of the model’s inputs. Sensitivity analysis attempts to provide a ranking of the model inputs based on
their relative contributions to model output variability and uncertainty.
There are many analytical methods that may be referred to as sensitivity analysis, some of which are very
simple and intuitive. At its simplest, the assessor may compare outcomes from an analytical approach
using different input assumptions and values, evaluating the level of uncertainty by using a different
plausible estimate for each calculation. Sensitivity analysis can also involve more complex mathematical
and statistical techniques to determine which factors in a risk analysis model contribute most to the
variance in risk estimates. Complexity generally is due to the fact that multiple sources of variability and
uncertainty are influencing the estimate at the same time, rather than acting independently.
When making decisions based on the sensitivity analysis, the following should be considered:
a) Most systems are dynamic;
b) Previous assumptions and values may not apply to changing conditions;
c) Model outputs may be very sensitive to certain parameters and assumptions (particularly
subjective likelihood estimations);
d) Model parameters may describe some risks better than others; and
e) Complexity of the model may actually be sensitive to multiple variables.
It should be kept in mind that risk analysis models are based on certain assumptions and premises;
therefore, the analysis is only as accurate as the reliability of the variables and parameters used.

6.3.4.4 Stress Analysis


Stress tests are a form of simulation used to determine reactions to different situations. Stress tests are
also used to gauge how certain stressors will affect a company or industry. Computational analysis is
used to test hypothetical scenarios for stress testing to evaluate the effect of uncertainty on systems in a
wide range of situations. They are typically used to evaluate the range of possible outcomes and the
relative frequency of values in that range for quantitative measures of a system such as cost, duration,
throughput, demand and similar measures. Such simulations may be used for two different purposes:
a) Uncertainty propagation on conventional analytical models; and
b) Probabilistic calculations when analytical techniques do not work.
In general, computational analysis simulations will be used to assess either the entire distribution of
outcomes that could arise or key measures from a distribution such as:
a) The probability of a defined outcome arising; and
b) The value of an outcome that the problem owners are confident, to a stated level, will not be
exceeded or beaten, e.g., a cost that has less than a 10% chance of being exceeded, or a
duration that is 80% certain to be exceeded. An analysis of the relationships between inputs and
outputs can throw light on the relative significance of the factors at work and identify useful
targets for efforts to influence the uncertainty in the outcome.
Performance testing differs from stress testing. Performance testing is conducted within the “normal”
operating environment, whereas stress testing occurs at maximum capacity and outside of “normal”
parameters.
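The following Python model is an added example, not part of this Standard, that ties together the two techniques just described: the one-at-a-time sensitivity ranking of 6.3.4.3 (vary one input across a plausible range while the others stay at their base values and rank inputs by the swing they produce in the output) and the Monte Carlo stress simulation of 6.3.4.4 (the probability of a defined outcome arising, and the value with a stated confidence of not being exceeded, such as a cost with less than a 10% chance of being exceeded). The loss model (incidents per year times loss per incident times the fraction not prevented by controls), the base values and the low/high ranges are all constructed assumptions chosen for illustration.

```python
"""Added example (not part of the standard): a minimal risk model used to
illustrate (a) one-at-a-time sensitivity analysis (6.3.4.3) and (b) a
stress/Monte Carlo simulation yielding the distribution measures named in
6.3.4.4. All parameter values and the loss model itself are constructed."""
import math
import random
from typing import Dict, List, Tuple

# Constructed base-case inputs and plausible low/high ranges (assumptions).
BASE = {"frequency": 4.0, "magnitude": 50_000.0, "control_effectiveness": 0.5}
RANGES = {
    "frequency": (1.0, 10.0),             # incidents per year
    "magnitude": (20_000.0, 150_000.0),   # loss per incident
    "control_effectiveness": (0.2, 0.8),  # fraction of loss prevented
}


def expected_annual_loss(frequency: float, magnitude: float,
                         control_effectiveness: float) -> float:
    """Deterministic point estimate: incidents/year x loss/incident x residual fraction."""
    return frequency * magnitude * (1.0 - control_effectiveness)


def sensitivity_ranking(base: Dict[str, float],
                        ranges: Dict[str, Tuple[float, float]]) -> List[Tuple[str, float]]:
    """Rank inputs by output swing: vary one input across its range while the
    others stay at base values (tornado-style sensitivity analysis)."""
    swings = []
    for name, (low, high) in ranges.items():
        lo_inputs = dict(base, **{name: low})
        hi_inputs = dict(base, **{name: high})
        swing = abs(expected_annual_loss(**hi_inputs) - expected_annual_loss(**lo_inputs))
        swings.append((name, swing))
    return sorted(swings, key=lambda item: item[1], reverse=True)


def _poisson(rng: random.Random, lam: float) -> int:
    """Poisson sample via Knuth's multiplication method (adequate for small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(n_years: int, seed: int = 42, frequency: float = 4.0,
                         median_magnitude: float = 50_000.0, sigma: float = 0.8,
                         control_effectiveness: float = 0.5) -> List[float]:
    """Monte Carlo stress simulation: for each simulated year draw a Poisson
    incident count and a lognormal magnitude per incident; controls remove a
    fixed fraction of the gross loss. A fixed seed makes runs reproducible."""
    rng = random.Random(seed)
    mu = math.log(median_magnitude)
    losses = []
    for _ in range(n_years):
        count = _poisson(rng, frequency)
        gross = sum(rng.lognormvariate(mu, sigma) for _ in range(count))
        losses.append(gross * (1.0 - control_effectiveness))
    return losses


def probability_of_exceeding(losses: List[float], threshold: float) -> float:
    """Measure (a) in 6.3.4.4: probability that a defined outcome arises."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def value_not_exceeded(losses: List[float], confidence: float) -> float:
    """Measure (b) in 6.3.4.4: the value with probability `confidence` of not
    being exceeded (confidence=0.9 gives the cost with <10% chance of exceeding)."""
    ordered = sorted(losses)
    index = min(len(ordered) - 1, int(confidence * len(ordered)))
    return ordered[index]


if __name__ == "__main__":
    for name, swing in sensitivity_ranking(BASE, RANGES):
        print(f"{name:>22}: swing {swing:,.0f}")
    sims = simulate_annual_loss(20_000)
    print("P(annual loss > 250,000):", probability_of_exceeding(sims, 250_000))
    print("Cost with <10% chance of exceeding:", f"{value_not_exceeded(sims, 0.9):,.0f}")
```

With the constructed ranges, the sensitivity ranking places loss magnitude first (swing 260,000), then frequency (225,000), then control effectiveness (120,000), which is the kind of ranking item c) above warns may be dominated by subjective likelihood estimates; the simulation output, by contrast, depends on the assumed distributions, so the seed, the distribution choice and the ranges should be recorded with the results as part of the error analysis.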

6.3.5 Review of Documentation


Before performing the risk assessment, the RTL should obtain initial documentation about the
organization to be assessed in order to prepare for the assessment activities. The RTL and assessment
team should review relevant documents to determine the risk assessment activities and better
understand the client and organization. This includes organizational policy documents, mission
statements, company profiles, organizational structure, management system(s), and industry practices.
It also includes information related to products, services, processes, and activities, as well as
understanding the geographic extent, interactions, and dependencies.
The RTL should obtain any risk management system descriptions, including manuals, for study by the
team. Previous risk assessment reports are also useful but should not bias current assessment efforts.
Proprietary concerns and non-disclosure agreements may need to be addressed. Document review
should examine the scope and policy statements of the client’s risk management system to check
consistency with the risk assessment objectives, criteria, and scope. Any inconsistencies should be
clarified with the client.
Sufficient documentation should be obtained in preparation of the risk assessment to determine if the
risk management system is properly designed and if there are any significant gaps that would indicate
the risk management system is neither complete nor properly maintained.

6.3.6 Preparing the Risk Assessment Plan


The RTL prepares a risk assessment plan based on objectives, scope, and criteria in the risk assessment
program and the documentation and information provided by the client. The risk assessment plan
should be reviewed and accepted by the client according to the stipulations of the risk assessment
program. The risk assessment plan should be presented to the client prior to onsite activities. Any issues
raised by the client to the risk assessment plan should be resolved between the RTL and the client.
The risk assessment plan identifies, where relevant:
a) Objectives and scope of the risk assessment;
b) Risk assessment criteria such as risk criteria, standards, contracts, regulations, manuals, and
reference documents to be used in the risk assessment;
c) Follow-up activities from previous risk assessments;
d) The client, management representative, guides, and the divisions, facilities, and functions to be
assessed;
e) Assessment team members (e.g., RTL, assessors, technical experts, observers), their
competencies, roles and responsibilities;
f) Allocation of appropriate resources;
g) Risk assessment logistics including date and place of the risk assessment, travel, lodging, and
risk assessment facilities;
h) Timeframe and overall schedule of risk assessment activities;
i) Communication procedures including meetings with client and assessment team;
j) Risk assessment methods including evidence collection and sampling methods;
k) Risks identified related to the risk assessment, the client, organization, and assessment team;
l) Confidentiality, safety, health, and security measures;
m) Conditions that warrant stopping the risk assessment;
n) Language of the risk assessment and report;
o) Risk assessment report topics; and
p) Specific exclusions and assumptions.
The risk assessment plan should:
a) Provide the basis for the agreement with the client for the conduct of the risk assessment;
b) Consider the effect that the risk assessment activities may have on the client and its functions;
c) Facilitate efficient communication, coordination and scheduling of the risk assessment activities
to most efficiently and effectively achieve the objectives;
d) Take into consideration the competence and composition of the assessment team (including
whether technical or security experts are needed); and
e) Outline appropriate assessment methods and practices (e.g., sampling and interview
techniques).
The complexity and scope of the risk assessment and the confidence level of achieving the risk assessment
objective determine the amount of detail needed in the risk assessment plan. The scope of the risk
assessment may differ between initial and following assessments. The risk assessment plan should
include some room for flexibility to allow for changes as the risk assessment progresses.

6.3.7 Establishing the Risk Assessment Team


The RTL delegates responsibility to each team member regarding the specific processes, activities,
locations, and functions of the risk assessment. When delegating the roles and responsibilities, the
individual assessment team members’ competencies, strengths, and weaknesses are taken into
consideration, as well as the effective use of resources.
Assessment team briefings are held to best ensure that the risk assessment objectives are achieved. This
can be done by allocating work assignments and deciding upon possible amendments. The frequency of
assessment team briefings is determined by the RTL.
Throughout the risk assessment, the assessment team should be aware of changed and new
circumstances or risks. Assessors should notify the RTL, who should consult with assessment team members
to address these changes in order to achieve risk assessment objectives. The RTL should communicate to
the client any identified significant risks (particularly threats to health, safety, and security of the
assessment team and client’s organization) as well as any significant changes from the risk assessment
plan.

6.3.8 Determining Feasibility


The RTL should determine the feasibility of achieving the risk assessment objectives. If the risk
assessment is considered feasible there should be reasonable confidence that the risk assessment
objectives can be realized. If the assessment is not feasible, the RTL should notify the risk manager, client,
and organizational management. Risk assessment preparation should be suspended until all parties
agree to subsequent changes.


Within the defined scope and objectives, factors that contribute to the feasibility of the risk assessment
include:
a) Adequate resources committed to the risk assessment;
b) Adequate time within scheduling constraints;
c) Availability of assessment team personnel with the mix of characteristics, competences, and
necessary clearances;
d) Cooperation with the client and a conducive work environment;
e) Access to adequate and relevant information for preparing and conducting the assessment;
f) Logistical expenses; and
g) Language requirements.

6.3.9 Documentation and Document Control


The organization should establish and maintain records to support risk assessment activities. All
assessment documentation should state when the assessment was conducted, when the document was
produced, the period of time covered, the dates of any revisions or addendums, and the assessors who
contributed to, produced, and authorized the document.
Documentation may include, among others:
a) Records required by the client and organization;
b) Objectives, scope, criteria, and assumptions;
c) Stakeholders consulted in risk assessment process;
d) Asset characterization and identification;
e) Risk assessment methodology used;
f) Inspection, maintenance, and calibration records;
g) Pertinent subcontractor and supplier records;
h) Incident reports;
i) Records of incident investigations and their disposition;
j) Risk assessment results;
k) Management review results;
l) External communications decisions;
m) Records of applicable legal requirements;
n) Catalog of significant risks, likelihoods, and impacts;
o) Personnel screening;
p) Training records;
q) Process monitoring records; and
r) Communications with stakeholders.
The organization should establish, implement, and maintain procedures to protect the sensitivity,
confidentiality, and integrity of records including access to, identification, storage, protection, retrieval,
retention, and disposal of records. Records should be retained for a minimum designated period or as
otherwise required or limited by law. The organization should establish, implement, and maintain
procedures to:
a) Approve documents for adequacy prior to issue;
b) Protect sensitivity and confidentiality of information;
c) Review, update as necessary, and re-approve documents;
d) Record amendments to documents;
e) Make updated and approved documents readily available;
f) Ensure that documents remain legible and readily identifiable;
g) Ensure that documents of external origin are identified and their distribution controlled;
h) Prevent the unintended use of obsolete documents; and
i) Ensure the appropriate, lawful, and transparent destruction of obsolete documents.
Organizations should ensure the integrity of documents by keeping them securely backed up,
accessible only to authorized personnel, and protected from unauthorized disclosure, modification,
deletion, damage, deterioration, or loss.
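One practical way to make unauthorized modification, deletion or loss of assessment records detectable, as the document control procedures above require, is to approve a manifest of cryptographic hashes alongside the records and re-verify it before the records are relied upon. The Python below is an added example and not part of this Standard or of any particular organization's procedures; the record file names and contents are constructed, and the JSON manifest layout is an assumption of the example.

```python
"""Added example (not part of the standard): a SHA-256 hash manifest for
assessment records, one way to detect unauthorized modification, deletion or
unapproved addition of records as called for in 6.3.9. File names, contents
and the manifest format are constructed for illustration."""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def sha256_of_file(path: str) -> str:
    """Stream the file so large evidence files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(record_dir: str) -> Dict[str, str]:
    """Map each record's relative path to its SHA-256. The approved manifest
    should be stored and access-controlled separately from the records."""
    manifest = {}
    for root, _dirs, files in os.walk(record_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            rel = os.path.relpath(full, record_dir).replace(os.sep, "/")
            manifest[rel] = sha256_of_file(full)
    return manifest


def verify_manifest(record_dir: str, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the current directory against the approved manifest and report
    records that were modified, are missing, or were added without approval."""
    current = build_manifest(record_dir)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> Dict[str, List[str]]:
    """Create constructed records, approve a manifest, simulate tampering, re-verify."""
    with tempfile.TemporaryDirectory() as record_dir:
        records = {  # constructed sample records
            "scope_and_criteria.txt": b"Objectives, scope, criteria, assumptions (constructed)\n",
            "interviews/stakeholder_01.txt": b"Interview notes (constructed)\n",
            "findings/risk_catalog.txt": b"Catalog of significant risks (constructed)\n",
        }
        for rel, content in records.items():
            path = os.path.join(record_dir, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as handle:
                handle.write(content)
        approved = json.dumps(build_manifest(record_dir), indent=2, sort_keys=True)
        # Simulate an unauthorized edit, a deletion, and an unapproved addition.
        with open(os.path.join(record_dir, "findings/risk_catalog.txt"), "ab") as handle:
            handle.write(b"likelihood lowered after the fact\n")
        os.remove(os.path.join(record_dir, "interviews/stakeholder_01.txt"))
        with open(os.path.join(record_dir, "findings/late_addition.txt"), "wb") as handle:
            handle.write(b"not in the approved manifest\n")
        return verify_manifest(record_dir, json.loads(approved))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest only detects change; it does not prevent it, so it complements rather than replaces the access controls and backups the paragraph above requires, and the approved manifest itself must be protected from the same parties who could alter the records (for example by signing it or storing it in a write-once location), otherwise an attacker who can rewrite a record can rewrite its hash too.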

6.4 Conducting Risk Assessment Activities


6.4.1 Preparing Work Documents
Assessment team members prepare work documents to facilitate and record their investigation and
report its results. Work documents provide a flexible roadmap for conducting the assessment activities
and record observations for risk assessment evidence. Work documents should show what was
evaluated, how it was evaluated, what was examined, and what was observed. Work documents can
include checklists, assessment sampling plans, and forms for recording information including
assessment findings and records from meetings.
Well-prepared work documents can help improve assessment time management. The use of checklists,
forms, process maps, and log sheets should provide structure for the various assessment activities.
However, the use of checklists should not restrict what an assessor needs to do and should be flexible to
consider changes that take place throughout the assessment. Through the RTL, the organization and
client should be made aware that the use of checklists does not restrict what an assessor needs to do.
When developing the work documents, procedures should be specified for their retention, access, and
the need to protect confidential and proprietary information. The integrity of the information should be
ensured at all times.
Effective work documents should:
a) Be tailored to the user;
b) Indicate background information needed;
c) Guide the assessor about what objective evidence needs to be examined;
d) Record the process of evidence collection;
e) Outline the types of questions to ask;
f) Provide a means to record which parts of the program were sampled;
g) Include space to document samples taken, documents reviewed, as well as record comments
and observations;
h) Provide evidence of the thoroughness of the assessment; and
i) Be reviewed at the end of the assessment for effectiveness and improvement.
An example of an assessment checklist is to build a matrix listing the specific risks that the assessor
wishes to verify for assessment and treatment. In the columns, the assessor can record evidence related
to the criteria and additional notes:
a) Risk criteria used and evidence related to criteria;
b) Existing risk controls and their effectiveness;
c) Level of criticality;
d) Level of threat;
e) Level of vulnerability;
f) Level of risk;
g) Documents;
h) Finding of full treatment needs and/or opportunity for improvement;
i) Conclusions; and
j) Comments.
Checklists should be reviewed before each assessment to determine if they are still relevant and
appropriate. When preparing checklists they should be designed to:
a) Maintain clarity of the assessment’s objectives;
b) Provide structure;
c) Help ensure thoroughness;
d) Maintain the rhythm and continuity of assessment;
e) Reduce the assessor’s bias thereby increasing objectivity in evidence;
f) Reduce the workload during assessing;
g) Provide formatted evidence collection; and
h) Provide a record of assessment and evidence collection.


Checklists should be revisited before each assessment to evaluate if they are appropriate for the job at
hand.

6.4.2 Assigning Roles and Facilitating Communication Among Team Members


The RTL should make specific assessment assignments based on the competence of the individual
assessors and the complexity of the risk assessment tasks. There should be a balance in the assessment
team between technical, legal, industry, administrative, and risk management knowledge. The RTL
should assign and communicate risk assessment responsibilities prior to commencing the assessment.
Formal channels of communication between the assessment team, client, and external bodies (where
applicable) may be necessary during the assessment. This may be especially necessary where legal
requirements mandate the reporting of certain risks and regulatory violations.
Communication within the assessment team should occur regularly to assess the progress of the risk
assessment, reassign work among assessment team members, and exchange information as needed.
Frequency of the communication should be at least daily or based on the complexity of the assessment
and the needs of the assessment team. Team briefings confirm the observations of the day’s assessment
and provide the RTL the opportunity to clarify the assessment team member’s evidence and their
interpretation. This is particularly important in cases where team members will not be on-site through
the end of the assessment. If there is a concern about an issue outside the assessment scope, it should be
noted and reported to the RTL. It is up to the discretion of the RTL to communicate the concerns with
the client.
The progress of the assessment and any concerns regarding the assessment should be communicated by
the RTL to the client preferably on a daily basis, or as needed. The purposes of the updates are to:
a) Ensure the client is kept informed of the assessment progress and results;
b) Solicit additional input and information from the client; and
c) Make sure there are no surprises during the closing meeting.
If evidence collected during the assessment suggests or indicates an immediate and significant risk to the
organization, client, or assessment team, the client should be informed of the risk without delay.
The RTL should report and provide an explanation to the client if the available assessment evidence
suggests that the assessment objectives are unattainable. The RTL and client should determine the
appropriate action (e.g., modify the assessment plan, change the assessment scope or objective, or
terminate the assessment). The need for a change in the assessment plan may become apparent through
the progression of the assessment and should be reviewed and approved by the client and risk manager,
where appropriate.

6.4.3 Conducting a Pre-Assessment Meeting


The pre-assessment meeting typically initiates the data collection phase at the site of the risk assessment.
The purpose of the pre-assessment meeting is to:
a) Confirm the risk assessment plan – review the purpose, scope and outline of the assessment
process and methods;
b) Introduce the assessment team and meet counterparts of the organization or client participating
in the assessment;
c) Confirm and explain risk criteria;
d) Confirm communication channels;
e) Verify clearances and approval to conduct the risk assessment;
f) Verify the feasibility of risk assessment activities; and
g) Provide an opportunity for the client to ask questions about the assessment.
The RTL chairs the pre-assessment meeting. A designated assessment team member should record
attendance and minutes. It should be held with the client’s management. Those who are responsible for
the services, functions, or processes being assessed may be present as well.
The pre-assessment meeting should be as detailed as necessary to ensure everyone present understands
the assessment process. The pre-assessment meeting is where, at a minimum, the nature of the
assessment is explained. The formality of the meeting is dependent on the type of assessment being
conducted.
The following items are appropriate for the pre-assessment meeting (where applicable):
a) Introduction of members of the assessment team to client representatives, including experts,
observers, and guides. Each of their roles should also be explained;
b) Confirm the risk assessment plan - scope, criteria, reference standards, objectives, and methods
used in the assessment;
c) Confirm the logistics of the assessment including:
i. Schedules – especially site visits and meetings;
ii. Communication channels between the client and the assessment team;
iii. Language to be used during the assessment;
iv. Issues of health and safety;
v. Review security and emergency procedures for the assessment team;
vi. Any issues related to information security and confidentiality; and
vii. An overall assessment schedule, showing topics, assessors, and approximate times to
complete.
d) Inform the client how the risk assessment findings will be reported including the method of
grading non-conformities and method of presenting assessment findings;
e) Confirm how the client will be informed of the progress of the assessment throughout the risk
assessment;
f) Confirm what resources and facilities will be made available to the assessment team;
g) State the conditions under which the assessment may be terminated;
h) Explain possible ways to address the possible findings in the assessment; and
i) Give information regarding the systems for feedback from the client on the results of the
assessment, as well as the system for complaints and appeals.
The pre-assessment meeting sets the tone for the assessment and establishes a rapport between the client
and the assessment team. The RTL should prepare an agenda for the pre-assessment meeting and project
both knowledge and confidence in the assessment activities. Assessment team members should
participate in the pre-assessment meeting only if called upon by the RTL.

6.4.4 Implementation

6.4.4.1 Risk Identification


Risk identification ascertains the sources and nature of risk and the effect of uncertainty on achieving the
organization’s objectives. A thorough risk identification process considers the myriad uncertainties that
may affect organizational objectives. These include natural, intentional, and unintentional events, such as
malevolent, criminal, technical, institutional, logistical, logical, demographic, environmental, or
social/political events. Risk identification is more than asking “what can go wrong”; it also asks which
risks may be pursued as opportunities.
While different risk disciplines use a range of techniques for identifying the nature and sources of risk,
they all should contain the following components along with an understanding of the interplay between
these components for a comprehensive identification and characterization of the risks:
a) Asset and service identification, valuation, and characterization;
b) Threat and opportunity analysis;
c) Vulnerability and capability analysis; and
d) Criticality and impact analysis.
Risk identification can be conducted using qualitative or quantitative analyses or a combination of both.
Regardless of the method of evaluation the assumptions, level of precision in estimating parameters, and
reliability of information used should be noted.
Risk identification is part of a good business and risk management strategy. Therefore, when conducting
the risk identification the business SWOT (strengths, weaknesses, opportunities, and threats) analysis
should be consulted as a key input.
Identifying risks should answer the following questions:
a) Why could something happen?
 A cause or factor creating risk.
 Effectiveness of risk treatments.
b) Who could be involved?
 Individuals or groups associated with threat, control of risk, and/or impacted by risk.
c) How could it happen?
 A source of risk.
d) What could happen?
 Potential event and likelihood.
 Potential consequences and likelihood.
e) When could something happen?
f) Where could it happen?
Information sources related to the risk identification process include (but are not limited to):
a) SWOT analysis;
b) Business plans;
c) Intelligence;
d) Threat advisories;
e) Meteorological and geological reports;
f) Significant fluctuations in the availability and pricing of basic commodities such as food, water,
and natural resources;
g) Previous, current, and emerging data and trends;
h) Political, social, and economic trends;
i) Insurance information;
j) Internal and external stakeholders;
k) Audit findings and exercise reports;
l) Internal crime, loss, and risk event data;
m) External risk event and crime data;
n) Industry risk data;
o) Law enforcement agencies;
p) Government/international agencies;
q) Industry associations;
r) Media, internet, and public reports;
s) In-house systems; and
t) Informal and personal relationships.
Methods for soliciting input include (but are not limited to):
a) Conducting an exercise;
b) Scenario evaluations;
c) Questionnaires;
d) One-on-one structured interviews;
e) Incident, exercise or audit reports;
f) Brainstorming sessions;
g) Group discussions;
h) Workshops;
i) Stakeholder and focus group discussions; and
j) Expert testimonials (including public and private sector sources).
When conducting risk identification activities, note that some risks are continuous and some vary with
time. Threat, opportunity, vulnerability, and criticality levels may also be time-dependent. Time-related
dependencies that affect the level of risk and the need for treatment include:
a) Duration of an event;
b) Cultural context of time;
c) Day, week, or month of the year;
d) Time of day (e.g., break periods, business hours, shift work);
e) Timelines for service and product delivery;
f) Supply chain context of time; and
g) Time restrictions on travel.

6.4.4.1.1 Asset Identification, Valuation and Characterization


Usually the preliminary step is to identify and evaluate sources of uncertainty in achieving
organizational objectives. Asset characterization identifies what assets may be at risk, what is their
criticality to the organizational objectives, and what are the potential consequences of those assets being
compromised. Questions that should be answered:
a) What are the activities, functions, and assets that contribute to achieving the organization’s
objectives?
b) What is the value chain of the organization and what are the activities, functions, and assets that
contribute to the critical value generators?
c) What is the tangible and intangible value of the asset for the organization and its supply chain?
d) What are the dependencies of the organization’s activities and functions on the asset?
e) Is there a potential for significant positive, neutral, or negative consequences related to the
asset?
The loss of the most valuable assets or disruption of critical value generating activities and functions may
result in unacceptable damage to the organization and/or disruption of dependent activities and
functions. The value of an asset is frequently measured relative to more than one consequence. For
example, minor harm to people may result in major harm to brand and reputation. Furthermore, when
characterizing the activity, function, or asset, consideration should be given to its value relative to the
organization and its supply chain, as well as its potential value to an adversary or competitor.
All activities, functions, and assets that contribute to achieving the organization’s objectives, and within
the scope of the risk assessment, should be considered. Tangible and intangible assets include (but are
not limited to):
a) Internal and external human resources;
b) Property (e.g., facilities, equipment, materials, products, physical systems);
c) Process controls (physical and cyber);
d) Financial and administrative processes (e.g., funds, inventory, accounting, and recordkeeping
systems);
e) Information and telecommunication systems;
f) Transportation systems;
g) Access to critical infrastructure and support utilities;
h) Intellectual property and proprietary information; and
i) Brand, image, and reputation.
After identifying the activities, functions, and assets that contribute to achieving the organization’s
objectives, consider for each one:
a) Its contribution to the value chain of the organization and the achievement of objectives;
b) The potential for risk to be exploited for the advantage of the organization;
c) Severity and timeframe of the consequences if the activity, function, or asset were lost, or of the
benefit if it offers a potential opportunity;
d) Critical infrastructures, dependencies, and interdependencies (internal and external);
e) Functions and countermeasures that currently exist for protection and support;
f) Criticality to value chain and achieving the organization’s objectives; and
g) Priority and critical value relative to other activities, functions, and assets.

6.4.4.1.2 Threat and Opportunity Analysis


Sources of risk and related threats and opportunities should be identified and analyzed once priority and
critical activities, functions, and assets have been identified. This will provide a basis for understanding
what risk events may contribute to uncertainty in achieving the organization’s objectives. The process
should consider both threats and potential opportunities.
Threat analysis considers impacts, timeframes, and factors that may prevent achievement of objectives.
Threats can be intentional or unintentional and may arise through errors of commission or omission;
analysis of unintentional events considers the possibilities for human error.
Opportunity analysis typically looks at the potential for change that an organization might undergo to
improve its overall results. Opportunities might increase the overall demand or discrete price points for
its products and services, broaden or restrict its offerings, as well as increase efficiencies through expense
reductions and operational improvements. Whatever the goal, undertaking an opportunity analysis
helps to provide an understanding of what potential effects, positive and negative, are likely to take place
if different decisions are taken.
Threat and opportunity analysis can be conducted using either quantitative, qualitative, or a combined
approach. Regardless of the method, a common set of metrics and scales should be defined so that the
calculations can be performed and reported using consistent scales and parameters. Comparisons will
only be valid if values are determined using the same methods and metrics. All priority and critical
activities, functions, and assets should be analyzed.
Sources of risk give rise to potential threats and opportunities. Threat and opportunity analysis sets the
boundaries for the types of threats and opportunities that can be addressed; therefore, the full range of
risk sources associated with the achievement of organizational objectives should be considered. Threat
and opportunity analysis often contains subjective estimates, so the confidence in the predictions should
be considered within the context of the reliability of the information. Likelihood estimates are
particularly sensitive to the information and assumptions on which they are based.
Using the output from asset identification, valuation, and characterization, consider the sources of risk
that create uncertainty in achieving the organization’s objectives. Consider both intentional and
unintentional risk events that may affect the achievement of the organization’s objectives (natural and
man-made hazards; social, economic, and political factors; as well as actions with mal-intent), and
determine the threats and/or opportunities associated with potential risk events. The output of the threat
and opportunity analysis should be a comprehensive list of threats and opportunities, prioritized by
relevance to the achievement of objectives.
Threats may be identified in terms of “threats from” and “threats to”. “Threat from” is based on the
nature and attributes of the threat and how the threat may cause harm and/or uncertainty. “Threat to”
considers the locations of the potential assets and services. In assessing the threat, the nature of the threat
should be considered (e.g., is it malevolent, naturally occurring, or accidental). For a malevolent threat
the assessment should consider “who/why” (e.g., description of the adversary), “what” (e.g., the material
used by the adversary), and the “how/when/where” (e.g., the characteristics of scenario and related
tactics).
A malevolent threat is assessed by evaluating the combination of an adversary’s motivation/intent and
capability to impact a priority or critical asset, function, activity, or capability. Figure 7 illustrates the
interaction of these elements.

Figure 7: Elements of Threat


Threat analysis can be conducted using threat tree analysis. Three types of tree or matrix technique
are:
a) Asset tree – asset, means of access, internal or external threat actor, intentional or unintentional
motive, capability, event, consequence;
b) Threat type tree – type of threat, act, resultant event, consequence; and
c) Adversary tree – type of adversary, motivation, capability, methods, event, consequences.
In order to determine a realistic threat level, consider the following flow diagram, Figure 8.

Figure 8: Determining Threat Levels


The likelihood of a threat should be considered as part of the threat analysis. Many approaches can be
used. One is a narrative approach, which uses a qualitative description of the threat level and threat
characteristics; subject matter experts may provide input based on an analysis of events, trends, and
other indicators, or of specific threat characteristics (e.g., intentions, capabilities, and other attributes).
Another is the threat ranking approach, a generally semi-quantitative method that estimates the
components of threat and then combines them into a value and/or ranking accompanied by a
description. The attributes rated for each threat should be orthogonal (i.e., they should not overlap in a
way that double counts the same factor). In some cases the rating scores can be used to represent a
"risk-like likelihood".
Threat profiles are usually dynamic; therefore, threats should be monitored on an ongoing basis.
Specific information for individual facilities is often lacking. When estimating threat levels it is
important to understand the internal and external context of the location being assessed, as well as the
unique sources of risk for the location. For example, sympathy in local communities for acts of violence
may influence the likelihood of terrorism and violent crime. Organizations operating in a cultural setting
where there is little sympathy for or acceptance of violence would face different threat levels than those
in a society that condones violence as a means of redressing perceived wrongdoings.

Threat and opportunity characterization seeks to identify general and specific sources of risk and
describe how they manifest themselves. Scenarios can be developed to analyze how the threat or
opportunity will materialize and what are the various factors and stakeholders at play. Once a scenario
has been identified it can be evaluated for differing magnitudes of the risk event. Similar scenarios may
be triggered by events resulting in similar consequences. By evaluating the different possibilities it is
possible to identify risk treatment options that focus on both likelihood and consequences.
When evaluating the potential for intentional threats, consideration should be given to the presence and
proximity of “hard” and “soft” targets. A resilient and determined adversary will consider the same
factors illustrated in Figure 8 in order to successfully carry out a threat to cause a risk event.

6.4.4.1.3 Vulnerability/Capability Analysis


Vulnerability/capability analysis evaluates the efficacy of the risk measures in place (deliberate and/or
inherent) that affect the likelihood of a threat or opportunity materializing and the likelihood and
extent of the consequences. Vulnerability depends on the risk control measures (e.g., countermeasures)
deployed to manage a risk event. Capability depends on the adaptability of the entity and its ability to
respond to negative events and to take advantage of potentially positive ones.
Risk control measures can be physical or virtual (e.g., technologies, physical barriers, administrative
procedures). It should be recognized that some risk treatment measures may reduce the likelihood of
an event taking place but do not make the target less vulnerable.
Analysis of vulnerability includes analyzing the attributes of the event and assets, services, and activities.
Factors to consider include:
a) Effectiveness of risk control measures;
b) Level of profile, recognition, visibility, and iconic status;
c) Value of assets (including symbolic and reputational);
d) Understanding which parties support the objectives of the organization and those that don’t;
e) Alignment with potential adversaries’ intent and motivations;
f) Timing, intensity, and duration of the event;
g) Accessibility;
h) Interdependencies and dependencies;
i) Perceived and actual recovery times;
j) Cascading effects (e.g., a toxic release compounded by wind currents);
k) Demographics and local culture; and
l) Potential for collateral damage.
Steps to consider in determining the level of vulnerability:
a) Identify risk scenarios (from asset valuations and threat analysis);
b) Define how the risk scenario will be manifested (single or multiple paths);
c) Determine the effectiveness of the risk control measures;
d) Determine the vulnerability based on attributes of the scenario events and potential outcomes;
and
e) Determine the level of vulnerability based on severity of the consequences and recovery time
periods.
Level of vulnerability is determined based on metrics designed to measure the achievement of the
organization’s objectives. Therefore, not only is the value of the asset, service or activity considered, but
also the timeframes that asset, service or activity may be unavailable. When determining the
vulnerability consider:
a) Is the vulnerability due to a single weakness or multiple weaknesses?
b) Does the nature of the vulnerability make it difficult to exploit?
c) What is the time dependent nature of the vulnerability, cascading effects, and recovery time?
d) Is the vulnerability lessened by multiple layers of countermeasures?
Event trees can be helpful tools in evaluating the vulnerability. Although many models exist, a simplified
example is to:
a) Assume a risk scenario;
b) Identify threat actors and methods;
c) Identify targets and potential consequences;
d) Identify accessibility;
e) Identify countermeasures;
f) Determine if single or multiple layers of defense exist;
g) Determine the effectiveness of countermeasures (consider the conditions of deployment); and
h) Determine level of vulnerability.
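The simplified event-tree steps above, worked through as an added Python example (this code is not part of ANSI/ASIS/RIMS RA.1-2015; the scenario, attack paths, countermeasure effectiveness values and band thresholds are assumed for illustration). Each path lists its layers of defense with an estimated probability of stopping the attempt; a layer whose deployment condition is not met (e.g., a guard patrol outside shift hours) contributes nothing, a path protected by only one effective layer is flagged as a single point of failure, and the scenario's vulnerability is taken from the weakest path, which is the one a determined adversary would choose:

```python
"""Event-tree style vulnerability estimate for one risk scenario.
Added illustration, not from ANSI/ASIS/RIMS RA.1-2015. All paths, effectiveness
values and band thresholds are assumed."""
from __future__ import annotations
from dataclasses import dataclass, field
from math import prod


@dataclass
class Layer:
    name: str
    effectiveness: float      # P(this layer stops the attempt), 0..1, estimated
    deployed: bool = True     # deployment condition, e.g. guard only on day shift

    def p_stop(self) -> float:
        # A countermeasure that is not deployed when the scenario occurs stops nothing.
        return self.effectiveness if self.deployed else 0.0


@dataclass
class Path:
    name: str
    layers: list[Layer] = field(default_factory=list)

    def p_success(self) -> float:
        """Adversary must get past every layer in turn; layers treated as independent."""
        return prod(1.0 - layer.p_stop() for layer in self.layers)

    def single_point_of_failure(self) -> bool:
        """True when at most one layer on this path actually contributes."""
        return sum(1 for layer in self.layers if layer.p_stop() > 0) <= 1


def scenario_vulnerability(paths: list[Path]) -> tuple[float, str]:
    """The scenario is as vulnerable as its weakest path."""
    worst = max(paths, key=lambda p: p.p_success())
    return worst.p_success(), worst.name


def vulnerability_band(p: float) -> str:
    """Map adversary success probability onto an assumed four-level scale."""
    if p >= 0.5:
        return "high"
    if p >= 0.2:
        return "medium"
    if p >= 0.05:
        return "low"
    return "very low"


def build_scenario(off_hours: bool = False) -> list[Path]:
    """Constructed scenario: theft of a proprietary design file from the engineering server."""
    return [
        Path("physical intrusion into the server room", [
            Layer("perimeter fence and CCTV", 0.6),
            Layer("guard patrol", 0.5, deployed=not off_hours),
            Layer("badge-controlled door", 0.8),
            Layer("locked server rack", 0.7),
        ]),
        Path("remote access over VPN", [
            Layer("multi-factor authentication", 0.9),
            Layer("endpoint detection and response", 0.5),
        ]),
        Path("insider with valid credentials", [
            Layer("data loss prevention on file transfer", 0.4),
        ]),
    ]


if __name__ == "__main__":
    for off_hours in (False, True):
        paths = build_scenario(off_hours)
        for path in paths:
            spof = "  single point of failure" if path.single_point_of_failure() else ""
            print(f"{path.name:<44} P(success)={path.p_success():.3f}{spof}")
        p, name = scenario_vulnerability(paths)
        print(f"off_hours={off_hours}: vulnerability {vulnerability_band(p)} via '{name}'\n")
```

Running the module prints each path's success probability for day and off-hours conditions; the four-layer physical path ends up far less vulnerable than the single-layer insider path even though the insider control is individually no weaker than several of the physical ones. Treating layers as independent is the usual event-tree simplification; where two layers share a failure mode (one badge system controlling both the gate and the server-room door), their combined effectiveness should be estimated jointly rather than multiplied.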

6.4.4.1.4 Criticality and Consequence (Impact) Analysis


Criticality analysis measures the impact that losing a tangible or intangible asset, activity, or function
would have on the operations of the organization and its stakeholders; consequence analysis measures
the impact of the risk event relative to achieving the organization’s objectives. A well-done criticality
and consequence analysis allows the assessment to focus on those assets, activities, and functions that
matter most to the organization and its stakeholders.
It is important to understand the criticalities and consequences in order to develop a cost-effective risk
management strategy. The consequences will depend on the nature, location, and other factors of the
event. Scenarios are often used in calculating plausible, implausible, and catastrophic consequences.
This should be done by evaluating the consequences against the criticality of the asset, activity, or function.
The criticality of an asset, activity, or function can be intrinsic or derivative. Intrinsic criticality
indicates the direct value of the asset, activity, or function in achieving the objectives of the organization.
Derivative criticality indicates the indirect consequences of a risk event and how the resultant
consequences, indirectly related to the asset, activity, or function, will affect the organization’s
achievement of its objectives. In evaluating criticality consider:
a) The value of the asset, activity or function to on-going operations and value generation;
b) The value of the asset, activity or function to internal and external stakeholders including
competitors and adversaries;
c) Timeframe of criticality – time period an asset, activity, or function can be unavailable before
effects are significant;
d) Derivative effects – the effect on other assets, activities, or functions;
e) Impact on brand, image and reputation;
f) Exclusive possession;
g) Availability of alternatives for the assets, activities, and functions; and
h) Perception of criticality of supply chain partners and other stakeholders.
Many scales exist for grading consequences. The exact scale should be determined by the accuracy of
the predictions, whether a consequence is quantifiable, and the intended use of the information. The
scales should be determined also based on their utility to the risk managers and decision-makers.
Regardless of the scale used, it should be consistent throughout the risk assessment process. When
assessing the consequences of a risk event consider:
a) Human impact: Physical and psychological harm to employees, customers, suppliers, and other
stakeholders;
b) Physical asset impact: Property losses and replacement costs;
c) Information asset impact: Loss of sensitive, proprietary, or personal information;
d) Financial impact: Lost or deferred sales/business, loss of market share, lawsuits, regulatory
fines/penalties, overtime pay, stock devaluation;
e) Reputational impairment impact: Diminished standing in the community, negative press;
f) Community/societal impact: Indirect impacts on the regional economy, reduction in the
regional net economy, losses to the tax base of local jurisdictions; and
g) Environmental impact: Degradation to the quality of the environment.
An example of a flow diagram for considering the consequences of a risk event illustrating the
importance of time considerations is given in Figure 9.

Figure 9: Criticality and Consequence Analysis

6.4.4.2 Risk Analysis


Risk analysis is a process to understand the nature and level of risk to determine its significance. The
organization takes the information generated during the risk identification process and evaluates this
within the context of its operations and the risk criteria. The risk analysis process assesses the likelihood
and consequence to determine the level of risk and prioritize risk treatments. To begin, organizations
may choose to rank risk events with varying degrees of detail, depending on the risk, and the
information, data, and resources available.
As seen in Figure 10 the output from risk identification provides the input to risk analysis.

Figure 10: Determining the Level of Risk


Likelihood and consequence can be expressed qualitatively or quantitatively (or a combination of
methods). The decision on which approach works best for an organization is based on the:
a) Availability and reliability of information;
b) Scales and level of detail of the risk identification process;
c) Methods for determining threats and impacts to tangible and intangible assets, as well as
tangible and intangible impacts (intangible assets and impacts may not lend themselves to
numeric evaluations);
d) Other risk analysis processes and methodologies used by the organization; and
e) Most effective method for communicating level of risk to decision-makers.
Regardless of the method used to determine the level of risk, care should be taken to ensure a consistent
approach and to consider the level of confidence, particularly for aggregated data. The units and scales
for measuring risk determined during the definition of risk criteria should be used consistently throughout
the analysis. The risk analysis method used should meet the needs of the risk evaluation and treatment
decision-making process.

6.4.4.3 Risk Evaluation and Strategies


Risk evaluation uses the risk criteria and the outputs from the risk identification and risk analysis steps
to determine which risks are acceptable with existing risk treatments and which require additional risk
treatment. The level of risk determined during risk analysis indicates the priorities for risk treatment.
Evaluating the level of risk before and after treatment combined with value driver analysis provides the
basis for determining if the residual risk levels fall within an acceptable level of risk set by the risk criteria.
Risk treatment prioritization should also be predicated on an understanding of the risk tolerance. If the
level of residual risks is found to be greater than the acceptable level of risk set by the risk criteria, the
organization should consider alternative or additional risk treatments to reduce the level of residual risk.
Initial treatment decisions will be driven by tolerance, not just addressing residual risk. Risk evaluation
considers the cost and benefits of different treatment options. Care should be taken during the risk
evaluation stage to make sure treating one risk is not creating another risk.
Risk evaluation considerations include:
a) Objectives of projects and opportunities;
b) Tangible and intangible impacts;
c) Legal, regulatory, and contractual requirements;
d) Critical control points;
e) Tolerability of risks to others;
f) Whether a risk needs treatment;
g) Deciding whether risk can be tolerated;
h) Whether an activity should be undertaken; and
i) Priorities for treatment.
Acceptable risk levels will be unique to each organization and its value chain. They may vary by project,
commodity, product, or service, as well as over time. The organization may have varying levels of risk
tolerance for different divisions, subsidiaries, and partners. It may not be practical to eliminate all risk
because of cost, and it may be desirable to accept risk to gain an opportunity (e.g., to increase market
share, or to pursue labor or location benefits). A typical target of risk evaluation is therefore to determine
the most cost-effective treatments that bring risk to a level as low as reasonably practicable.
Examples of reasons an organization may tolerate risk (by informed decision) include:
a) The level of the risk is so low that specific treatment is not appropriate within the constraints of
available resources;
b) The risk is such that there is no treatment available. For example, the risk causes may not be
within the control of an organization;
c) The cost of treatment, including insurance costs, is so manifestly excessive compared to the
benefit that toleration is the only option. This applies particularly to lower ranked risks;
d) The opportunities presented outweigh the threats to such a degree that the risk is justified; and
e) Organizations may also determine to accept a risk by informed decision-making or to maximize
a business opportunity.
Regardless of the method used to evaluate risk treatment(s) for achieving a level of risk as low as
reasonably practicable, it is important to understand that this is an iterative process in which the risk
manager can select multiple layers of risk treatment measures, including:
a) Eliminating the risk exposure;
b) Isolating the risk source or potential targets;
c) Technical modifications and substitutions;
d) Administrative and procedural controls;
e) Protective, preventive, and mitigation measures;
f) Risk sharing; and
g) Accepting or exploiting risk by informed decision.
During the risk evaluation process, the proposed risk treatment methods should be evaluated for the
cost/benefit of the measure in reducing risk and for whether the treatment changes or introduces new
risk to the organization and its value chain. Figure 11 illustrates how the output from the risk
identification and analysis steps can be represented by a funnel approach: intolerable risk must be
treated regardless of reasonable cost; treatment measures are then applied until the risk is as low as
reasonably practicable, the point at which further treatment is disproportionate to the benefit gained;
and the risk reaches a tolerable level when it falls within the tolerance defined by the risk criteria.
Contingency measures might be considered for risks that remain after treatment.

Figure 11: Risk Evaluation Funnel


One way an organization may wish to assess its risk tolerance is through a risk “frontier” graph, plotting
the likelihood of events by their consequence (Figure 12). Organizations may find some risks to be of
such low likelihood or to have such limited consequence, that they do not warrant any further treatment
or consideration. For those of greater likelihood or consequence, the organization may wish to use
resource management to reduce volatility. Such mechanisms may seek to reduce the likelihood,
duration, or consequence of a risk event. Organizations may also determine to accept a risk by informed
decision-making to maximize a business opportunity.

Figure 12: Conceptual Risk “Frontier”


A two-dimensional means of representing risk levels is a matrix that places risk events by likelihood and
consequence (sometimes referred to as a heat map, risk matrix, or event matrix). This technique allows
managers to see the relative likelihood and consequence of different risks at a glance. To use this
method effectively, it is critical to have well-defined and consistently used criteria for the different
likelihood and consequence levels. Various scales are used by different organizations; the gradations,
scaling, and terms used should be based on what is best understood by the users and the
decision-makers. Figure 13 shows a sample matrix illustrating the concept.

Adapted from RIMS workshop on Risk Management Techniques. Copyright © Risk and Insurance Management Society, Inc.
All rights reserved.

Figure 13: Sample Matrix


Figure 13 illustrates a two-dimensional depiction of identified risks related to a fictional organization’s
objectives. The sample depiction considers risks from both an opportunity and threat perspective. This
type of qualitative assessment assumes that the terms used in the matrix have been defined, and that the
assessment team has analyzed the likelihood and potential impacts/consequences of each of the risks in
the context of the organization’s noted objectives for placement on the matrix.
The matrix shows how organizations may wish to prioritize risks by likelihood and consequence. Scales
for the matrix should be defined when setting risk criteria. The type of scale, parameters, and level of
detail will be dependent on the requirements of decision-makers.
A risk registry may also be used to catalog risks. A risk registry is a list of identified risks together with
the characteristics of each risk, the severity of its consequences, and the likelihood of its occurrence. Risk
registries are often used to compare risks from many different sources. A risk registry should include
(but is not limited to):


a) Name of risk;
b) Description of risk;
c) Time period for estimates;
d) Risk Owner;
e) Likelihood or frequency of occurrence;
f) Impacts, severity or consequence of occurrence;
g) Interdependencies and dependencies; and
h) Actions and/or countermeasures to reduce the likelihood and consequences.
Note: For additional risk analysis methodologies, see the ISO 31010:2009 Risk management – Risk
assessment techniques.

6.4.4.4 Cost-Benefit Analysis


Cost-benefit analysis provides a method for evaluating and comparing the value and cost of risk
treatment options. The analysis should consider both direct and indirect costs and benefits. Examples
of these are:
a) Benefit:
 Direct benefits—arising from reduction in the likelihood or harmful consequences of the
risk; and
 Indirect benefits—arising from collateral effects of the treatment such as reduced
insurance premiums, improved management and staff confidence, and enhanced
reputation.
b) Cost:
 Direct costs—of implementing the proposed treatment and/or that could arise if the risk
eventuates (e.g., loss of an asset); and
 Indirect costs—arising from the loss of productivity, business disruption, diversion of
management attention, loss of reputation or brand value.
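The following Python script is an added example, not part of the standard, showing how the risk registry fields listed above, placement on a likelihood/consequence matrix of the kind in Figure 13, and the cost-benefit comparison of treatment options in 6.4.4.4 fit together. The five-level scales, the matrix band cut-offs, the tolerance level, the indicative frequency and loss values behind the qualitative labels, and the three register entries with their treatment options are all constructed for a fictional organization; a real program would define its own when setting risk criteria.

```python
"""Added example: risk register, matrix placement and treatment cost-benefit.
Scales, band cut-offs, indicative values, tolerance and register entries are
constructed for illustration; none of them come from the standard."""
from dataclasses import dataclass, field
from typing import List, Optional

# Ordinal scales for placement on a 5x5 matrix (assumed). The labels are what
# decision-makers see; the numbers serve only for placement and ordering.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Indicative values behind the labels, used only by the cost-benefit step
# (assumed: events per year, and loss per event in currency units).
FREQUENCY_PER_YEAR = {"rare": 0.05, "unlikely": 0.2, "possible": 0.5,
                      "likely": 1.0, "almost certain": 3.0}
LOSS_PER_EVENT = {"negligible": 5_000, "minor": 25_000, "moderate": 100_000,
                  "major": 500_000, "severe": 2_000_000}

BAND_ORDER = {"low": 0, "medium": 1, "high": 2}
TOLERANCE = "medium"  # assumed risk attitude: anything banded "high" needs treatment


def matrix_band(likelihood: str, consequence: str) -> str:
    """Band of the matrix cell for a likelihood/consequence pair (assumed cut-offs)."""
    cell = LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]
    if cell >= 15:
        return "high"
    if cell >= 8:
        return "medium"
    return "low"


def within_tolerance(band: str) -> bool:
    return BAND_ORDER[band] <= BAND_ORDER[TOLERANCE]


@dataclass
class Treatment:
    name: str
    residual_likelihood: str       # level expected after the treatment is applied
    residual_consequence: str
    direct_cost: float             # cost of implementing the treatment
    indirect_cost: float = 0.0     # e.g. disruption, diverted management attention
    indirect_benefit: float = 0.0  # e.g. reduced insurance premiums


@dataclass
class RiskEntry:
    """Register fields a) to h): name, description, time period, owner,
    likelihood, consequence, dependencies, actions/countermeasures."""
    name: str
    description: str
    period: str
    owner: str
    likelihood: str
    consequence: str
    dependencies: List[str] = field(default_factory=list)
    treatments: List[Treatment] = field(default_factory=list)

    def band(self) -> str:
        return matrix_band(self.likelihood, self.consequence)

    def expected_loss(self) -> float:
        return FREQUENCY_PER_YEAR[self.likelihood] * LOSS_PER_EVENT[self.consequence]

    def needs_treatment(self) -> bool:
        return not within_tolerance(self.band())


def net_benefit(risk: RiskEntry, t: Treatment) -> float:
    """Direct benefit is the reduction in expected loss; the indirect items of
    6.4.4.4 are added or subtracted on top of it."""
    residual = FREQUENCY_PER_YEAR[t.residual_likelihood] * LOSS_PER_EVENT[t.residual_consequence]
    return (risk.expected_loss() - residual) + t.indirect_benefit - t.direct_cost - t.indirect_cost


def recommend(risk: RiskEntry) -> Optional[Treatment]:
    """Highest net-benefit treatment whose residual risk is within tolerance, else None."""
    ok = [t for t in risk.treatments
          if within_tolerance(matrix_band(t.residual_likelihood, t.residual_consequence))]
    return max(ok, key=lambda t: net_benefit(risk, t)) if ok else None


def prioritise(register: List[RiskEntry]) -> List[RiskEntry]:
    """Order for review: matrix band first, then expected loss, highest first."""
    return sorted(register, key=lambda r: (BAND_ORDER[r.band()], r.expected_loss()), reverse=True)


# Constructed register entries for a fictional organization.
REGISTER = [
    RiskEntry("R-01", "Single-source supplier of a critical component", "FY2016",
              "Procurement director", "likely", "major", dependencies=["R-03"],
              treatments=[
                  Treatment("Qualify a second supplier", "unlikely", "major", 120_000, indirect_cost=30_000),
                  Treatment("Hold eight weeks of buffer stock", "likely", "moderate", 80_000),
                  Treatment("Business interruption insurance", "likely", "moderate", 150_000),
              ]),
    RiskEntry("R-02", "Loss of a regional distribution facility", "FY2016",
              "Operations VP", "rare", "severe",
              treatments=[Treatment("Pre-arranged alternate site", "rare", "major", 40_000)]),
    RiskEntry("R-03", "Delayed customs clearance at a border crossing", "FY2016",
              "Logistics manager", "possible", "minor"),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        t = recommend(r)
        print(f"{r.name} {r.band():6} expected loss {r.expected_loss():>12,.0f} "
              f"treat: {'yes' if r.needs_treatment() else 'no'} "
              f"-> {t.name if t else 'no treatment within tolerance'}")
```

Two points the script makes that the prose does not: a treatment that lowers the cell on the matrix is only a candidate if its residual cell is within tolerance, and among candidates the ranking can change once indirect costs are counted (here the buffer-stock option outranks qualifying a second supplier only because the latter carries an indirect disruption cost). Keeping the register, the matrix criteria and the cost-benefit inputs in one place also makes every treatment decision traceable back to the recorded likelihood and consequence, as 6.4.5 requires.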

6.4.4.5 Risk Control and Treatments


Once an organization understands its context and has analyzed its potential risks, it can begin the process
to modify and reduce risk. It is important to keep in mind when developing a risk treatment strategy
that risk treatments have the potential to create new risks or modify existing risks.
After an organization has identified and prioritized the risks that it faces, it can devise risk treatment
plans. Plans include developing strategies and measures to protect value chains from sources of risks,
responding to events that these risks may cause, and continuing operations and recovering from
undesirable and disruptive events. Risk treatments seek to:
a) Remove the risk source, where possible;
b) Remove or reduce the likelihood of the risk event occurring;
c) Remove or reduce negative consequences;
d) Share the risk with other parties, including risk insurance;
e) Accept risk through informed decision or to exploit an opportunity; and/or
f) Avoid activities that give rise to the risk.
For organizations to cost-effectively manage risk, they should develop balanced strategies that adaptively,
proactively, and reactively minimize both the likelihood and the consequences of undesirable and/or
disruptive events. Furthermore, the selection of risk treatment controls should be integrated with the
organization's overall risk management program and its priority stakeholders. Such a program should have
at least three elements: 1) protecting the organization and its value chain; 2) responding to events; and 3)
continuing operations while recovering from events. Plans should also determine how risks will be
measured, and how the effectiveness of the plan itself and its ability to limit risks will be tested.
The organization should establish, implement and maintain procedures to prevent and manage
undesirable and disruptive events to prevent negative consequences, and exploit positive consequences
to the organization, its key stakeholders including supply chain partners, and the environment.
Procedures should be concise and accessible to those responsible for their implementation. Plans and
procedures should be accepted across all different management areas and risk disciplines to avoid a silo
approach (e.g., a business continuity plan needs to take into consideration how security measures within
an incident response will impact continuity of operations). Operations and plans should be examined
to ensure appropriate integration and coordination is used to capitalize on limited resources. Examples
of risk treatment procedures are provided in Annex F.

6.4.5 Generating Findings and Conclusions


Risk assessment findings should be determined by evaluating the data and evidence collected against
the risk criteria. Risk assessment findings indicate the level of risk and the needs for acceptance and/or
treatment. Findings should be based on substantiated, documented evidence that classifies and
prioritizes the risk assessment evidence to indicate the significance of any risks, as well as identify
opportunities for improvement and alignment with current accepted industry practices and legal
requirements. This will help the client and organization understand the effect of a risk on the
organization. Significance of risks can be based on:
a) The need to exploit opportunities to protect and create value;
b) Whether there are single or repeated occurrences;
c) How the risk affects the achievement of the organization’s objectives;
d) Level of the risk; and
e) If singular or multiple risks lead to high risk situations in the organization.
Levels of risk and their priority for treatment should be directly linked to the supporting risk assessment
evidence and should be recorded. Risk may be graded on a qualitative and/or quantitative scale.
Individual risks can be grouped to provide evidence of systemic issues within the risk management
system. This will help identify the issues that indicate the need for the system and processes to be
changed. The need and imperative for change is based on the risk to the organization being assessed, as
well as its stakeholders. Clear classification and documentation of observations will help identify follow-up
actions.
Risk assessment findings are generated by the RTL in conjunction with assessment team members. At
appropriate stages throughout the assessment, the assessment team should meet to review the
assessment findings up to that point. Aspects which should be considered when determining assessment
findings include the requirements of the client and organization, the sample size, follow-up actions from
previous assessment findings and conclusions, and, where necessary, the categorization of the assessment
findings.
When creating records of levels of risk and treatment needs, the assessment team should identify the risk
criteria being used and the risks assessed, evaluate the assessment evidence to establish the level of
confidence in the finding, and state whether the evidence is consistent with the risk criteria (particularly
the risk attitude of the organization). When creating records on specific risks, the assessment team should
identify the risk being assessed, show the risk assessment evidence that supports the risk treatment
decisions, and include related assessment evidence that supports the findings. Every level of risk
determination should be traceable back to evidence gathered for a specific risk.

6.5 Post Risk Assessment Activities


6.5.1 Conducting Post-Assessment Debriefing
The post-assessment meeting ends the on-site activities of the assessment and presents a draft or
preliminary assessment report to the client. The post-assessment meeting should be facilitated by the
RTL. The purpose is to present the assessment team’s conclusions and findings to the management of
the organization, and those responsible for the areas being assessed (where applicable). The post-
assessment meeting should present areas of both upside and downside risks, as well as strengths and
weaknesses in the risk management system, starting with strengths, providing sufficient information for
the client and organizational management to understand the findings. A designated assessment team
member should record attendance and minutes.
The level of detail is dependent on the level of familiarity the client has with the assessment process. Also
the formality of the meeting is dependent on the type of assessment. In some cases, a formal meeting is
necessary with records of attendance and minutes, while in other situations the meeting may be a less
formal communication of the assessment findings.
If situations arose during the assessment that might call the results of the assessment into question, the
assessment team should advise those present of the situation. Furthermore, any differences in opinion
regarding the assessment conclusions or findings between the assessment team and the client should be
discussed. The parties should try to resolve any disagreements. If the parties cannot resolve their
differing views, that should be recorded.
Participants should discuss an expeditious time frame for an action plan to address assessment findings
and adapt the risk management system, where needed. Recommendations for improvements may be
presented if specified by the assessment objectives. It should be clear that any recommendations are non-
binding, and it should be noted that such recommendations may bias an impartial evaluation in subsequent
assessments.
The following should be addressed with the organization’s management so that they are acknowledged
and understood at the post-assessment meeting (where appropriate):
a) The assessment findings and conclusions;
b) The method of reporting;
c) Information and report handling and dissemination;
d) The handling of assessment findings and possible consequences; and
e) Post-assessment activities (where applicable).

6.5.2 Reports and Records


The risk assessment report communicates the results of the assessment to the client and organization, as
well as provides a complete and concise record of the assessment.

6.5.2.1 Overview
The risk assessment report is prepared by the RTL, with input from the assessment team, and is provided
to the risk manager as soon as possible after the post-assessment meeting. The assessment report is
reviewed and approved by the risk manager prior to distribution. For credibility, any changes to the report,
including changes to findings, should be made by the RTL. The client determines who will receive copies
of the assessment report. The purpose of the assessment report is to:
a) Provide information about the assessment findings and conclusions;
b) Initiate a request for corrective actions to significant risk requiring immediate attention;
c) Serve as a basis for identifying opportunities for improvement of the risk management system;
and
d) Provide a record of the assessment.

6.5.2.2 Distributing the Assessment Report


The risk assessment report should be issued without delay within an agreed timeframe. If the assessment
team is unable to do this, the reasons should be promptly communicated to the client, organization, and
the person(s) responsible for the risk management program. In compliance with good project
management procedures, the assessment report should be reviewed, approved, and dated. Distribution
of the risk assessment report is at the discretion of the client and organization. The risk manager should
not send a copy of the risk assessment report to anyone unless explicitly approved in writing by the client
and organization. The organization conducting the assessment maintains a copy for its records as per
agreement with the client and organization. Retention of a copy of the report should be consistent with
legal and liability requirements and needs.
In some instances, reports may be required to be submitted and transmitted digitally in a secure fashion.
In these instances, the risk manager should control the release and accessibility of this information by
using appropriate information security methods. Passwords and encryption should comply with
accepted government or industry practices and methods for securing this type of information.
The client and organization should treat the risk assessment report as protected information and provide
document handling safeguards.


6.5.3 Follow-up and Monitoring


It is the responsibility of the organization and client to apply corrective, preventive, or improvement
actions indicated in the assessment report. The client should implement these actions in a timely manner.
The client should keep the RTL and risk manager informed of these actions to facilitate on-going
monitoring of risk. These actions should be documented and verifiable so they may be included in a
future assessment. Verification that the corrective, preventive, or improvement actions have been
conducted and are effective should be documented before the follow-up assessment commences.
The organization should establish a defined and documented risk monitoring and change management
program to ensure that any internal or external changes that impact the organization risks are reviewed
in relation to the risk criteria. It should identify any new critical activities that need to be included in the
risk management program. The change management program should define the frequency at which the
risk assessment should be updated as well as the events that would trigger the conduct of a new
assessment.

6.6 Checking and Review

6.6.1 Assessment evaluation


The RTL should establish, implement, and maintain performance metrics and procedures to monitor and
measure those characteristics of the risk assessment that have material impact on its performance. The
procedures should include the documenting of information to monitor performance, applicable
operational controls, and conformity with the organization’s risk assessment program objectives and
targets.

6.6.1.1 Identifying Opportunities for Improvement


The RTL should monitor, evaluate, and exploit opportunities for improvement in risk assessment
performance and eliminate the causes of potential problems, including:
a) Ongoing monitoring of the operational landscape to identify potential problems and
opportunities for improvement;
b) Determining and implementing action needed to improve assessment performance; and
c) Reviewing the effectiveness of any actions taken to improve performance.
Actions taken should be appropriate to the impact of the potential problems, and resource realities.
The risk manager and RTL should ensure that actions are taken without undue delay to initiate
opportunities for improvement. Where existing arrangements are revised and new arrangements
introduced that could impact on the risk assessment program, the RTL should consider the associated
outcomes before their implementation.
The results of the reviews and actions taken should be clearly documented and records should be
maintained. Follow-up activities should include the verification of the actions taken and the reporting
of verification results.


6.6.2 Improvement
The review of the risk assessment should include assessing opportunities for improvement and the need
for changes to the risk assessment program. The results of the reviews should be clearly documented and
records should be maintained. The organization should continually improve the effectiveness of the risk
assessment activities.

7 CONFIRMING THE COMPETENCE OF RISK ASSESSORS

7.1 General
The credibility of any risk assessment program is a function of the competence of the assessors. All
persons involved in the risk assessment process should be competent to perform their roles and assigned
tasks. Risk assessors should possess the technical expertise and interpersonal skills to effectively
evaluate the application of risk management systems for a particular client. Assessors should evaluate
the effectiveness of the risk management measures, not merely checking a box indicating measures exist.
To add value to the client and organization, the assessors should understand the management and risk
approaches from the client’s business and risk environment. Assessors should have a clear
understanding of how to apply the risk criteria. Assessor competence comprises several elements:
a) Personal traits and interpersonal skills;
b) Assessment skills;
c) Communication skills;
d) Education, training, and knowledge; and
e) Work experience.
The risk assessment team should have a proficient understanding of the business and disciplines they
are assessing. The assessment team should be able to demonstrate to the client and organization that it
has competence relevant to the technical area of the risk-based management system, the risk-related
disciplines, the industry sector, and the geographic location being assessed.

7.2 Competence
7.2.1 General
The risk manager and RTL should determine and document the competence required to evaluate each
technical area and function in the risk assessment activity. When identifying competence requirements,
the risk manager and RTL should tailor the competence requirements to the types of risks the client and
organization face and to their locations of operation in order to:
a) Define the scope of the activities that it undertakes;
b) Identify any technical qualification of its assessors necessary for that particular type of risk,
services, and location of operation;
c) Ensure that personnel have appropriate knowledge, skills and experience relevant to the types
of services provided and geographic areas of operation; and
d) Select a suitably qualified assessment team.
The risk manager and RTL should determine the criteria and means for the demonstration of competence
prior to carrying out specific functions. Records of the determination should be maintained and made
available upon request by the client and/or organization.

7.2.2 Determination of Competence Criteria


The risk manager and RTL should have a documented process for determining the competence criteria
for personnel with a demonstrated capacity for the management and performance of the risk assessment.
Measurable criteria should be determined to demonstrate competence with regard to:
a) The requirements of the risk management system and any risk-based management standard(s)
used;
b) Risk assessment and management consistent with legal obligations and accepted industry
practices related to operations;
c) The legal, cultural and operational context of the location of operation; and
d) Functions in the risk assessment process.
The output of the process should be documented criteria for the knowledge and skills necessary to
perform risk assessment tasks effectively and achieve the intended results. These criteria provide a
basis for:
a) Selecting assessment team members to cover all areas of required competence;
b) Ascertaining competence enhancement requirements for continuing improvement of assessor
competence; and
c) Determining performance indicators for assessors.
To determine the appropriate assessor competence, consider:
a) Risk associated with the organization's operations and activities;
b) Nature and complexity of the client’s risk management system;
c) Risk management disciplines to be considered;
d) Objectives and extent of the risk assessment program;
e) Legal and other requirements, such as those imposed by external bodies, where appropriate;
f) Role of the risk management process in the business management system of the organization;
g) The need for balance and avoidance of bias in the assessment process;
h) Complexity of the risk environment to be assessed; and
i) Risk related to achieving risk assessment objectives.
When determining the competence criteria the risk manager and RTL should establish performance
based evaluation criteria and a consistent documented method for evaluating competence. Examples of
evaluation methods include (but are not limited to):
a) Verifying the background, education and experience;

b) Psychometric (quantitative) testing of knowledge and skills (may include variables such as
intelligence, aptitude, and personality traits);
c) Reviewing written samples of work;
d) Interviews to evaluate knowledge, communications skills, and personal behavior;
e) Observation of risk assessment skills;
f) Competence-based certifications and professional credentialing; and
g) Feedback and post-assessment review.

7.2.3 Training and Competence Evaluation


Persons conducting risk assessments should have successfully completed training, and be able to
demonstrate competence in the understanding and application of:
a) Risk management systems and risk disciplines being assessed;
b) Risk management methodologies;
c) Risk assessment and management principles;
d) Legal, regulatory, and other relevant jurisdictional law;
e) Liability and tort law associated with industry and risk profile; and
f) Managing the risks of undesirable and disruptive events.
The risk manager and RTL should ensure persons conducting risk assessments have a working
knowledge of the ISO 31000:2009 Risk management standard. Assessors should have the knowledge and
skills corresponding to a post-secondary education that includes language and communications skills.
The risk manager and RTL should ensure that persons conducting risk assessments have experience in
the risk-related industry, discipline, or sector, including work in risk management, or the equivalent
based on industry standards and complexity of risk disciplines. The number of years of total work
experience may be reduced if the person has completed appropriate and relevant post-secondary
education.
The risk manager and RTL should establish, document, and maintain a process to evaluate and verify
the training and competence of persons conducting risk assessments, including appropriate continual
training according to their specific qualification requirements to maintain competence.

7.2.4 Monitoring of Competence


The risk manager and RTL should ensure the acceptable performance of all personnel involved in the risk
assessment activities. The risk manager and RTL should establish documented procedures, metrics, and
criteria for monitoring and measuring the performance of all persons involved, based on the level of
risk-based knowledge required for their activities. The risk manager and RTL should review, at
least annually, the competence of their personnel based on their performance in order to identify training
needs.


The monitoring procedures should include a combination of on-site observation, risk assessment report
review, and feedback from clients or other affected parties. Monitoring should be designed in such a way
as to minimize the disturbance of the normal operations, especially from the client’s viewpoint.

7.2.5 Improvement of Competence


Assessors should increase and improve their skills through continuing education and experience. Risks,
organizational management practices, technologies, accepted industry practices, and standards change
with time. Assessors should keep abreast of the need to hone their knowledge and skill sets with
changing risk assessment conditions. Examples of continuing education and skills improvement
methods include:
a) Participation in risk assessments;
b) Professional society and technical literature;
c) Participation in professional associations and their workshops and conferences;
d) Mentoring and peer review programs;
e) Reading case studies; and
f) Professional certification and formal education programs.

7.3 Validation and Personnel Records


The risk manager and RTL should maintain up-to-date records of relevant qualifications, training,
experience, professional affiliations and memberships, professional status and competence of all
personnel involved in its risk assessment activities.
The risk manager and RTL should ensure all persons working on its behalf assigned to perform risk
assessments, as well as technical experts, can be trusted to maintain confidential information obtained
during risk assessment work. These personnel must not create a security risk by betraying confidentiality
or adversely impacting operations (evidenced by an executed non-disclosure/confidentiality agreement).
This should be validated by appropriate background screening of persons involved in risk assessment
activities.
All persons performing risk assessments should have, as a minimum, the interpersonal skills and personal
attributes needed to conduct a successful assessment; an assessor who lacks them will not be able to
conduct one. The assessor should therefore have good communication skills, including:
a) Good oral and written language skills;
b) Being a good listener;
c) Ability to handle stress and conflict to avoid an adversarial environment;
d) Cultural sensitivity, including appropriate body language;
e) Ability to conduct unbiased questioning, analysis, and problem-solving; and
f) Tact and diplomacy.
Personal attributes of an assessor include:

a) Humility - consciousness of the limits of one's knowledge, including sensitivity to bias,
prejudice and limitations of one's viewpoint;
b) Courage - need to address ideas, beliefs or viewpoints fairly regardless of potential negative
consequences;
c) Faith In Reason - think coherently and logically to persuade by reason;
d) Fair-mindedness - treat all viewpoints alike, without reference to one's own feelings or vested
interests;
e) Empathetic - put oneself in the place of others in order to genuinely understand them;
f) Integrity - honestly admit discrepancies and inconsistencies in one's own thought and action;
g) Independent – free from real or perceived conflicts of interest or influence;
h) Unbiased – free from preconceived notions and prejudice;
i) Systematic – able to conduct an orderly and methodological investigation;
j) Ethical and trustworthy – fair, discreet and honest;
k) Persistent – tenacious and focused on achieving the assessment objectives;
l) Curious and open-minded – inquisitive and willing to consider various points of view;
m) Adaptable - agile in approach to change course when needed;
n) Versatile – able to handle a variety of situations;
o) Positive – to project an aura of positive attitude and non-negativity;
p) Non-judgmental – to focus on evidence without interjecting value judgments;
q) Observant and perceptive – aware of environment and able to understand the context;
r) Decisive – able to make decisions based on facts and the situation; and
s) Self-reliant – able to work autonomously while interacting with others.
Assessment team leaders should also be able to display leadership, manage time, understand
communication formalities, handle conflict, and provide mentoring to less experienced assessors.

7.3.1 Credentials
All personnel involved in the risk assessment activities should be able to display a tamper-resistant
credential, consistent with a verifiable government identification that is easily distinguishable, with a
unique number, showing the following:
a) Photograph;
b) Full legal name;
c) Period of validity; and
d) Name of the issuing body.


7.3.2 Non-disclosure Agreements


All persons assigned to perform risk assessments should sign confidentiality and non-disclosure
agreements and a code of ethics. The risk manager and RTL should establish, document, and maintain
procedures on how to respect and protect the integrity of sensitive, confidential, and proprietary
information. The risk manager and RTL should periodically review, as part of its own quality
management system, the performance of its personnel with respect to taking appropriate steps to protect
the sensitive, confidential or proprietary information.
When requested, confidentiality and non-disclosure agreements signed by personnel involved in its risk
assessment activities should be made available to organizations undergoing the risk assessment.

7.3.3 Accountability
The risk manager and RTL should establish, document and maintain procedures to make personnel
involved in its risk assessment activities aware of infractions that could subject them to disciplinary
actions, civil liability, and criminal prosecution. The procedures should include a process to address
infractions of procedures, the code of ethics, and confidentiality and non-disclosure agreements,
including an investigation procedure and disciplinary actions. Records should be kept of infractions,
investigations, and any subsequent disciplinary actions.

7.3.4 Records
The risk manager and RTL should establish, document, and maintain procedures to maintain records of
personnel involved in its risk assessment activities. Records should be retained for periods that the risk
manager and RTL deem appropriate and according to retention periods designated by national,
international and other legal requirements.

7.4 Use of External Risk Assessors and Technical Experts


The risk manager and RTL should develop a documented process for outsourcing any risk assessment
activities or using external subject matter experts to ensure compliance with risk assessment policies,
procedures, and services, as well as respect for confidentiality and non-disclosure of client or
organization information. Outsourcing and external expert agreements should be enforceable and
reviewed by appropriate legal counsel.


Annex A
(informative)

A RISK ASSESSMENT METHODS, DATA COLLECTION, AND SAMPLING

A.1 General
The challenge with optimizing risk assessment to achieve the assessment objectives is time. The assessor
needs to develop an assessment strategy, or “path”, to collect data in a representative, logical, and
methodical manner. Effective risk assessment planning is necessary to make efficient use of time to
provide a complete picture of risks and the level of risk. The RTL is responsible for the effective planning
and application of assessment strategy and methods. The RTL has the responsibility for oversight of
conducting the assessment activities.

A.2 Types of Interactions


There are two types of interactions between the assessment team and the organization being assessed
during the course of the risk assessment. In assessing risk, the assessment team will examine policies,
procedures, human activities, technologies (including information systems), and the interfaces between
human and technological activities. Types of interactions include:
a) Human interaction – between assessment team and the organization being assessed (including
internal and external stakeholders):
i. Conducting interviews;
ii. Completing checklists, surveys, and questionnaires with stakeholder participation;
iii. Conducting document review with stakeholder participation;
iv. Exercises, gaming, workshops, and scenario analysis;
v. Sampling; and
vi. Undercover investigations, hot lines, whistleblower and grievance programs, and
intelligence resources.
b) Minimal human interaction – assessment team review of equipment, technologies, policies,
procedures, facilities and documentation:
i. Conducting document review (e.g., records, data analysis);
ii. Physical examination and tests of risk control measures;
iii. Observation of work performed;
iv. Conducting on-site visit;

88
ANSI/ASIS/RIMS RA.1-2015

v. Completing checklists; and
vi. Sampling (e.g., products, equipment).

A.3 Assessment Paths


Assessments typically involve multiple interdependent processes. The assessor may therefore segment
the assessment by using tracing or discovery techniques and/or segment the assessment by risk, threat,
or consequence type; activities or functions; value generator; or department. Examples of assessment
paths include:
a) Tracing: Chronologically tracking a process or risk event:
i. Follow the path of an activity forward or backward through a process, starting at the
beginning, end or middle; and
ii. Follow the path of a risk event forward or backward through a sequence of causes and
effects, starting before, during or after the event.
b) Process Method: Test a sequence of steps, or interactions of activities and processes:
i. Use flowcharts or process flow diagrams; and
ii. Evaluate process controls, interactions, effectiveness, and opportunities for
improvement;
c) Objectives Method: Focuses on specific objectives and the associated risks;
d) Risk Source Method: Focuses on specific risk sources;
e) Department Method: Focuses on a department, division, or functional level;
f) Requirement Method: Focuses on needs and requirements of stakeholders (e.g., supply
chain partners); and
g) Discovery Method: Random assessment.
Assessment trails can be used to better understand risk and identify the root causes of weaknesses, as
well as identify opportunities for improvement. This involves a progressive series of “why” and “what
if” questions to identify root causes. The assessor should keep detailed notes of the assessment trail and
recognize when the trail is heading for a dead-end.

A.4 Sampling
A.4.1 General
During an assessment, it is not always practical, in time or cost terms, to evaluate all available
information. Sampling, the process or technique of selecting a representative part of a population for the
purpose of determining parameters or characteristics of the whole population, may be necessary to
adequately assess the risk. The method and rationale for sampling and the numbers of samples from the
population should be tailored to the circumstances of the assessment to achieve the assessment
objectives. The sampling approach should provide a level of confidence that the assessment objectives
are achieved.

Completely random sampling may not always be appropriate. For example, in areas of known
operational deficiencies, high information uncertainty, or higher risk the assessor should select more
samples. Considerations in selecting sample size and sample selection include (but are not limited to):
a) Major areas and issues related to risk;
b) Areas of previous risk events, emerging risks, and historic weaknesses;
c) Elements serving as foundations of the risk and business management system;
d) Interactions between elements of the management system;
e) Issues known to be of greater significance to the organization and its stakeholders;
f) Activities linked to legal, regulatory or liability related issues;
g) Activities and functions where resources are overtaxed;
h) Complexity and interdependency of critical activities; and
i) New or significantly changed activities.
In order to assure that conclusions are correct in assessing risk, it is important to understand the
confidence factor that the results are unbiased and consistent with a sampling of the entire population.
Successful sampling is based on focused problem definition. In sampling, this includes defining the
population from which the sample is drawn. A population can be defined as including all people or items
with a specific characteristic that needs to be understood.
Sampling should consider the steps in Figure 14:
1. Determine the objectives of the sampling plan consistent with assessment objectives;
2. Identify the population to be sampled;
3. Determine the appropriate sampling mix;
4. Select sampling methods;
5. Determine sample size;
6. Conduct sampling;
7. Evaluate the sampling process for potential biases and completeness; and
8. Compile report and document results.

Figure 14: Sampling Process

A.4.2 Sampling Methods


The selection of an appropriate sample should be based on both the sampling method and the type of
data required. There are two types of sampling methods:
a) Non-statistical sampling:
i. Relies on the knowledge, skills and experience of the assessment team;
ii. Focuses on areas where previous problems have been found or areas for specific
improvements;
iii. Can be used to identify a root cause of a problem;
iv. Emphasizes areas of high risk or high interest to the organization and its stakeholders;
v. Cannot support generalizations about an entire population; and
vi. No statistical estimate of the effect of uncertainty in the findings of the assessment and
the conclusions reached.
b) Statistical sampling:
i. Sample selection process based on probability theory;
ii. Ensures each item of a population has an equal chance of being selected;
iii. Used when conclusions about a population are required;
iv. Attribute-based sampling is used when there are only two possible sample outcomes for
each sample (e.g., correct/incorrect or pass/fail);
v. Variable-based sampling is used when the sample outcomes occur in a continuous
range; and
vi. Provides statistical estimate of the effect of uncertainty in the findings of the assessment
and the conclusions reached.

A.4.3 Examples of Sampling Methods


Examples of non-statistical sampling methods include:
a) Judgmental sampling: based on deliberate choice and excludes any random process.
b) Convenience sampling: using those who are willing to volunteer, or cases which are presented
as a sample.
c) Haphazard sampling: samples are selected based on convenience but preferably should still be
chosen as randomly as possible.
Examples of statistical sampling methods include:
a) Random sampling: ensures every member of the population has an equal chance of selection.
b) Systematic sampling: after randomly selecting a starting point in the population between 1 and
n, every nth unit is selected, where n equals the population size divided by the sample size.

c) Stratified sampling: the population is sub-divided into homogeneous groups, for example
regions, size or type of establishment. The strata can have equal sizes or there may be a higher
proportion in certain strata.
d) Cluster/Block sampling: units in the population can often be found in groups or clusters. The
population that is being sampled is divided into groups called clusters.
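The four statistical methods listed above, worked as an added Python example that is not part of the standard: the population of account records, its "region" (stratum) and "site" (cluster) attributes, and the seeds are all constructed for illustration, of the kind an assessor might draw from when testing an access-review control.

```python
"""Statistical sampling methods from A.4.3 applied to a constructed population.

Added example, not part of the standard. The population, its "region" (stratum)
and "site" (cluster) attributes, and the seeds are constructed for illustration.
"""
import random
from collections import defaultdict
from typing import Callable, Dict, Hashable, List, Optional, Sequence

Record = Dict[str, str]

# Constructed population: 120 account records, 40 per region, 10 per site.
POPULATION: List[Record] = [
    {"id": f"acct-{i:03d}",
     "region": ("EMEA", "AMER", "APAC")[i % 3],
     "site": f"site-{i // 10:02d}"}
    for i in range(120)
]


def _check_size(pop: Sequence, size: int) -> None:
    if not 0 < size <= len(pop):
        raise ValueError("sample size must be between 1 and the population size")


def random_sample(pop: Sequence[Record], size: int,
                  seed: Optional[int] = None) -> List[Record]:
    """Random sampling: every member of the population has an equal chance."""
    _check_size(pop, size)
    return random.Random(seed).sample(list(pop), size)


def systematic_sample(pop: Sequence[Record], size: int,
                      seed: Optional[int] = None) -> List[Record]:
    """Systematic sampling: n = population size / sample size (integer part);
    choose a random start between 1 and n, then take every nth unit."""
    _check_size(pop, size)
    n = len(pop) // size
    start = random.Random(seed).randint(1, n)          # 1-based, as in A.4.3
    # When size does not divide the population evenly the stride can yield one
    # extra unit; truncate so the sample has exactly the requested size.
    return [pop[i] for i in range(start - 1, len(pop), n)][:size]


def stratified_sample(pop: Sequence[Record], stratum_of: Callable[[Record], Hashable],
                      size: int, seed: Optional[int] = None,
                      proportional: bool = True) -> List[Record]:
    """Stratified sampling: divide the population into homogeneous strata and
    sample within each. Proportional allocation gives each stratum a share of the
    sample equal to its share of the population; otherwise every stratum gets an
    equal share. Rounding may make the total differ from `size` by a unit or two."""
    _check_size(pop, size)
    rng = random.Random(seed)
    strata: Dict[Hashable, List[Record]] = defaultdict(list)
    for unit in pop:
        strata[stratum_of(unit)].append(unit)
    names = sorted(strata, key=str)                       # deterministic order
    sample: List[Record] = []
    for name in names:
        units = strata[name]
        if proportional:
            take = round(size * len(units) / len(pop))
        else:
            take = size // len(names)
        sample.extend(rng.sample(units, min(take, len(units))))
    return sample


def cluster_sample(pop: Sequence[Record], cluster_of: Callable[[Record], Hashable],
                   clusters_to_take: int, seed: Optional[int] = None) -> List[Record]:
    """Cluster/block sampling: units occur naturally in groups (here, sites).
    Select whole clusters at random and examine every unit in the chosen ones."""
    clusters: Dict[Hashable, List[Record]] = defaultdict(list)
    for unit in pop:
        clusters[cluster_of(unit)].append(unit)
    if not 0 < clusters_to_take <= len(clusters):
        raise ValueError("must select between 1 and the number of clusters")
    chosen = random.Random(seed).sample(sorted(clusters, key=str), clusters_to_take)
    return [unit for name in chosen for unit in clusters[name]]


if __name__ == "__main__":
    for label, sample in [
        ("random", random_sample(POPULATION, 12, seed=1)),
        ("systematic", systematic_sample(POPULATION, 12, seed=7)),
        ("stratified", stratified_sample(POPULATION, lambda u: u["region"], 12, seed=3)),
        ("cluster", cluster_sample(POPULATION, lambda u: u["site"], 2, seed=5)),
    ]:
        print(f"{label:>11}: {len(sample):2d} units ->",
              ", ".join(u["id"] for u in sample[:6]), "...")
```

Note that only random and systematic selection give every unit the equal chance that A.4.2 describes; stratified and cluster selection trade that for coverage of known sub-populations, which is why the rationale for the mix should be recorded with the sample.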

A.4.4 Sample Size and Margin of Error


In statistical sampling it is important to understand the level of confidence. Any percentage less than
100% is possible, but in order to have meaningful results, the numbers should be close to 100%. Common
levels of confidence are 90%, 95% and 99%. The value of α is determined by subtracting our level of
confidence from one, and writing the result as a decimal. So a 95% level of confidence would correspond
to a sampling risk of 5%, meaning the assessor is willing to accept the risk that 5 out of 100 of the samples
examined will not reflect the actual values if the entire population were examined.

Annex B
(informative)

B ROOT CAUSE ANALYSIS

B.1 General
Root cause analysis (RCA) refers to multiple risk assessment techniques and approaches, at times applied
as a series, which are designed to identify the underlying or initiating risk source(s) or driver(s). A
significant number of the techniques were originally developed in the process engineering and safety
fields. These techniques were intended to not only identify potential safety hazards and points of failure
during the design of new engineering processes, but also to determine why risk events occurred
following significant losses.
Root cause analysis has traditionally been viewed as an assessment method most appropriately used
following a major risk event or loss. Increasingly though, organizations with more mature risk
management programs are using the same techniques to support business and strategic planning as a
means of proactively managing risks before they can affect planned objectives.

B.2 Applying Root Cause Techniques


The use of RCA historically has been associated with reactive, rearwards-looking review situations.
Typically, a significant loss event will have occurred (such as a process failure leading to damage, loss or
injury) or a planned activity will not have achieved its expected outcomes. In this type of application,
various techniques will be used to try and identify what failure mode gave rise to the loss event, with
this information used to support recovery or future preventative actions.
In more straightforward cases, one might simply use what is known as the five whys approach of RCA.
A defined problem can be analyzed sequentially by asking "why" a factor contributed to the loss event
until no further explanation can be found. In more complex cases, this approach may be nested inside a
cause and effect analysis (sometimes called Ishikawa or fishbone) diagram. The use of cause and effect
diagrams support the analysis of more complex situations, particularly where there are multiple risk
drivers present, each of which requires a more detailed analysis in order to develop a comprehensive
picture of the situation.
These same techniques can also be used to identify the potential sources of risk during business or
strategic planning processes. By developing a picture of the potential risks associated with a planned
activity, initiative or objective, planners are able to better incorporate risk treatment activities right up
front, rather than as an "add-on" after the fact.
When used proactively, the focus of the analysis shifts from the question of what caused a loss to happen
to what could cause something to fail — or, perhaps more importantly — what will cause something to
succeed. This type of analysis can also include a range of other RCA techniques such as force field
analysis (designed to identify driving and restraining forces in the environment) and influence
diagramming, which is designed to pictorially show how the relative strengths of the risk or source inter-
dependencies can impact each other. Force field analyses and influence diagrams allow the experienced
user to align specific actions with specific risks (or people) as a means of leveraging (or overcoming)
existing dependencies.
The proactive application of RCA techniques can be problematic in some situations, particularly where
there is cultural skepticism about the value of future casting. One method of overcoming this skepticism
is by conducting a solutions effect analysis following the use of other RCA techniques. This approach is
similar to the cause and effect technique, but sees the proposed "answers" grouped thematically rather
than the risks. These solutions are then analyzed again to reveal any unintended consequences - or
untapped success drivers - resulting from the combination of proposed actions. By including the
proposed solution or action owners in this process, they are often able to see where their ideas may need
refinement, as well as giving them greater confidence that the process used to get to those answers was
robust.
Other extensively-used approaches to root cause analysis include concept fans, hazard and
operability studies, solution effects analysis, life cycle value analysis and hazard
identification/environmental identification, to name a few. While this list is not exhaustive, it provides a
good starting point for a deeper understanding of initiating or underlying risk sources.

B.3 Ten Steps for Effective Root Cause Analysis


Following a disciplined approach to RCA will lead to greater success.

Figure 15: Define, Analyze and Solve


Define:
1. Define the problem or describe the occurrence factually.
2. Gather data and evidence that can, for example, be plotted along the incident timeline to
the final failure or crisis or, for future focus, to the final desired outcome.

Analyze:
3. Use one or more techniques to analyze the evidence. For example, you may ask "why"
repeatedly and identify the causes associated with each step in the sequence towards the
defined problem or desired outcome.
4. Classify causes into causal factors, which relate to an outcome in the sequence, and root
causes, which can be agreed to have interrupted that step of the sequence chain had they been addressed.
5. If there are multiple root causes, which is often the case, note those clearly for additional
analysis.
Solve:
6. Identify potential solutions that will with certainty prevent recurrence of the problem or
event or, alternately, must be followed for greater odds of a successful outcome.
7. Identify solutions that prevent recurrence with reasonable certainty with consensus
agreement of the group, are within your control, meet your goals and objectives and do
not introduce other new, unforeseen problems.
8. Implement the recommended root cause correction(s).
9. Ensure effectiveness by observing, and possibly reporting on, whether the implemented
recommendation solutions achieved the intended result.
10. Other methodologies for problem solving may be considered and incorporated as
supplements to root cause analysis.
RCA (particularly steps 3, 4, and 5) forms the most critical part of developing successful solutions and
corrective action plans, because it directs the corrective action at the true root cause of the problem or
issue. The root cause analysis itself is secondary to achieving the intended goal. However, without
identifying and understanding the root cause(s), effective solutions or corrective actions may not be
identified or developed.

B.4 Summary of Root Cause Analysis


Root cause analysis, when done in a comprehensive and planned manner, provides organizations with
the opportunity to not only fully understand the causes of their past losses, but also to proactively plan
to prevent similar losses in the future. When used to identify the true cause of past losses, the use of RCA
techniques enables organizations to identify, and then treat the "disease" rather than simply applying a
temporary Band-Aid solution to the "symptoms". In doing so, most organizations will find that their total
cost of risk is reduced, as they are no longer required to repeatedly address the same problem.
Equally, by applying RCA techniques to the analysis of proposed actions, initiatives and objectives while
they are still in the planning phase, organizations are typically able to improve those solutions through
the integration of effective risk controls from the outset. This tends to not only improve the effectiveness
of the solutions themselves, but also helps to prevent the need (and cost) associated with adding
additional layers of risk control after implementation. This helps to reduce costs further, as post
implementation application is often less effective, and is sometimes too late to save a promising
opportunity from failure.

Organizations can improve the odds of successful future outcomes, by applying risk controls - and
previously unrecognized success drivers - that most effectively deal with the initiating or underlying
risk sources. In doing so, they reduce their overall cost of risk by reactively and proactively addressing
the actual root causes of risk exposures.

Annex C
(informative)

C BACKGROUND SCREENING AND SECURITY CLEARANCES

C.1 General
Risk assessments often contain some of the most sensitive information of an organization. Consistent
with information protection requirements, privacy legislation, human resource management policies,
and stakeholder needs, the risk manager and RTL should establish, document, and maintain a procedure
for screening and vetting of all personnel involved in its risk assessment activities. Requirements and
the conduct of background checks and security clearances vary significantly between the type of risk
assessment and the management practices of the organization. For example, security risk assessments
are typically considered high risk and the rigorous background and screening process is conducted by
the Chief Security Officer or designee. On the other hand, strategic business risk assessment background
checks and screening procedures are typically included as part of the general human resource employee
background check and screening process. The risk manager and RTL should review the organization’s
approach relative to the objectives and requirements of the type of risk assessment being conducted and
ensure that all personnel involved in its risk assessment activities meet these requirements. The vetting
and clearance process may include, but not be limited to, background checks, interviews and review of
work history.
NOTE: The details provided below represent the more rigorous approach typically required of a security risk assessment. For
other types of risk assessment, the level of rigor should be tailored to the objectives and requirements of the risk assessment
taking into consideration information protection requirements, privacy legislation, human resource management policies, and
stakeholder needs.

C.2 Background Checks


The risk manager and RTL should ensure the establishment of a documented procedure for background
checks and vetting of individuals conducting risk assessments on behalf of the organization. The
procedure for background checks and vetting should screen out personnel who do not meet minimum
qualifications established for positions and select appropriately qualified personnel based on their
knowledge, skills, abilities, and other attributes. The screening and selection procedures should be
consistent with data protection, privacy legislation, human resource management policies, and client
requirements. Where practicable, background checks may be conducted through national agencies or
authorities. When this is not practicable, the risk manager and RTL should establish, document, and
maintain a procedure to check suitability and integrity by an internal vetting process including records
checks and interviews, overseen by the organization’s top management and aligned with general security
and human resource policies.
Wherever possible, the screening and vetting process should include:
a) Identity verification;

b) Personal history verification; and
c) Credentialing.
Exclusions should be documented when information is unavailable, unreliable, or unsuitable.
Identity verification should include verification of the validity of personal history and should consider
(but not be limited to):
a) Home addresses;
b) Employment records;
c) Electronic media;
d) Criminal and civil record history;
e) Records of human rights violations;
f) Military or law enforcement service records;
g) Motor vehicle records;
h) Credit reports;
i) Sexual offender indices;
j) Government and industry sanctions lists; and
k) Industry specific licensing records.
Credentialing involves verifying the experience and qualifications that are presented by the candidate.
The organization should look for unexplained gaps. Credentialing provides information on (but is not
limited to):
a) Education verification;
b) Employment verification;
c) Licensure/certification/registration verification;
d) Personal references;
e) Supervisor and coworker interviews; and
f) Military history verification.
Candidates should provide two work-related references, as well as one probity reference relevant to their
work or local jurisdiction. The vetting process may also include a review of documented submissions by
the candidate.

C.3 Interviews
The risk manager and RTL should establish an interview procedure, including the hierarchy of
interviewers, which should be overseen by the risk manager. Top management should appoint a risk
manager who has been verified by interview and vetted as trustworthy and having the necessary
competence and judgment to vet personnel involved in its risk assessment activities. The responsible
manager should assess, through review of documentation submitted by candidates, interviews, and
on-going monitoring, the trustworthiness and appropriate behavioral characteristics of personnel
involved in its risk assessment activities.

C.4 Privacy Protection


The privacy and confidentiality of information about individuals should be protected. Personal
documents, such as passports, licenses, and original birth certificates should be returned to personnel
within a reasonable timeframe.

Annex D
(informative)

D CONTENTS OF THE RISK ASSESSMENT REPORT


The risk assessment report provides a concise evidence-based summary of the risk assessment activities
and salient conclusions and recommendations. The report typically includes the following:
a) Identification of the organization and risk manager conducting the risk assessment;
b) The name and address of the organization (including client, and the client’s management
representative) being assessed;
c) The type of risk assessment (e.g., initial, risk management system, strategic, surveillance, risk or
function specific);
d) The risk assessment objectives;
e) The risk criteria;
f) The assessment scope, specifically identification of the organizational or functional units or
processes assessed;
g) Assumptions, existing conditions, background, and qualifiers;
h) Identification of the RTL, assessment team members and any accompanying persons;
i) The dates and places where the assessment activities (on-site or off-site) were conducted;
j) Assessment methods;
k) Assessment findings, evidence and conclusions (opportunities and down-side risks), consistent
with the requirements of the type of assessment;
l) A risk register; and
m) Any unresolved issues, if identified.
The following may also be included or referenced in the assessment report:
a) An executive summary for lengthy assessment reports;
b) Areas within the assessment scope which were not covered;
c) Assessment plan;
d) Time schedule of the assessment plan;
e) Summary of the assessment process;
f) Identified accepted industry practices;
g) Risk treatment strengths and weaknesses;
h) Opportunities for improvement;

i) List of recommendations based on objectives;
j) Follow up action plans;
k) A reiteration of the confidential nature of the contents;
l) Subsequent assessments;
m) Implications for the risk management program;
n) Distribution list of the assessment report;
o) Classification and dissemination of protected information related to the risk assessment; and
p) List of relevant reference materials.

Annex E
(informative)

E CONFIDENTIALITY AND DOCUMENT PROTECTION


There are numerous approaches and reference materials related to Sensitive Security Information (SSI)
control, document classification, custodial care, maintenance, methods of
distribution/transmittal/storage, and protection against disclosure to unauthorized entities. The
methods of classification and restrictions related to distribution may have many variables depending
upon the governing body, security clearance requirements and their contractual relationship with the
assessor organization.
Confidentiality and document protection procedures should as a minimum determine and define:
a) The relationship between stakeholders and assessor(s);
b) Minimum expectations related to classification of:
i. Information;
ii. Descriptive data or images, and photographic images;
iii. Plans;
iv. Media encryption; and
v. Methods in which information is to be controlled.
c) Control, classification and marking protocols;
d) Protection and custodial care of information, digital images, plans, notes and other site/facility
specific documentation while travelling, transmitting and in possession of the assessor(s);
e) Protective storage and accessibility requirements, for all information and data, while in
possession of the assessor(s) or stakeholder, method for obtaining access to, tracking
distribution, reproduction and destruction requirements of specific information; and
f) Penalties along with mitigation, reporting, investigative and recovery requirements related to
inadvertent or deliberate disclosure of SSI.

Annex F
(informative)

F EXAMPLES OF RISK TREATMENT PROCEDURES THAT ENHANCE RESILIENCE OF THE ORGANIZATION

F.1 General
Building a resilient organization is part of any good business management strategy. In order to thrive
and survive, organizations need to adapt to an ever changing environment. To be agile and resilient in
order to achieve the organization’s objectives, the organization needs to leverage all the disciplines that
contribute to managing risk. For organizations to cost-effectively manage risk, they must develop
balanced strategies to adaptively, proactively, and reactively address maximizing opportunities and
minimizing the likelihood and consequences of potential, undesirable, and disruptive events (see
ANSI/ASIS SPC.1-2009).

The organization should establish, implement, and maintain procedures to prevent and manage
disruptive events which have the potential to harm the organization, its key stakeholders including
supply chain partners, and the environment.

Procedures should be concise and accessible to those responsible for their implementation. Flow charts,
diagrams, tables, and lists of actions should be used rather than expansive text.

The purpose and scope of each procedure should be agreed by top management and understood by those
responsible for its implementation. Dependencies and interdependencies should be identified and the
relationships between procedures, including those of the emergency services and local authorities,
should be stated and understood. The following sections provide more information on selected
procedures. At the end of this annex are some templates for different plans.

F.2 Prevention and Mitigation Procedures


The purpose of a prevention or mitigation procedure is to define the measures to be taken by the
organization to minimize the likelihood of a disruptive event or to minimize the potential for the severity
of the consequences of the event.

Prevention procedures should describe how the organization will take proactive steps to protect its assets
by establishing architectural, administrative, design, operational, and technological approaches to avoid,
eliminate, or reduce the likelihood of risks materializing including the protection of assets from
unforeseen threats and hazards.

Mitigation procedures should describe how the organization will take proactive steps to protect its assets
by establishing immediate, interim, and long-term approaches to reduce the consequences of risks before
they materialize including the protection of assets from unforeseen threats and hazards.
Organizations may choose to have a single procedure with sections and/or annexes dealing with different
types of incidents. Alternatively, separate procedures may be written for each type of incident.

Each procedure should specify as a minimum:

a) The purpose and scope of the procedure;
b) Assets to be protected from the disruptive event;
c) Objectives and measures of success;
d) Implementation steps and the frequency with which the procedure is carried out;
e) Roles, responsibilities, and authorities;
f) Communication requirements and procedures;
g) Internal and external interdependencies and interactions;
h) Resource, competency, and training requirements; and
i) Information flow and documentation processes.
The organization should nominate a primary “owner” of each prevention and mitigation procedure and
should state who is responsible for reviewing, amending, and updating the procedure. The process of
reviewing, amending, updating, and distributing procedures should be controlled.

Examples of prevention and mitigation procedures include the following:

a) Eliminate the risk by complete removal of the threat or risk exposure;
b) Reduce the risk by modifying activities, processes, equipment or materials;
c) Isolation or separation of the risk from assets (human or physical);
d) Engineering controls to detect, deter, and delay a potential threat;
e) Administrative controls such as work practices or procedures that reduce risk; and
f) Protection of the asset if the risk cannot be eliminated or reduced.

F.3 Response procedures


The purpose of a response procedure is to define the initial measures to be taken by the organization in
response to a disruptive event.

Response procedures should describe how the organization will respond to one or more types of
disruptive events. Organizations may choose to have a single procedure with sections and/or annexes
dealing with different types of incidents. Alternatively, separate procedures may be written for each type
of incident.

Some response procedures may be implemented in advance of a disruptive event; for example in the
expectation of harm from a forthcoming tropical cyclone, wildfire, or malicious attack on the
organization or a supply chain partner. In such circumstances, emphasis will be given to protecting
and/or removing priority assets and to communicating the risk of harm to staff and to external
organizations and authorities.
Each procedure should specify as a minimum:

a) The purpose and scope of the procedure;
b) Priority assets to be protected during the disruptive event;
c) Priority activities to be maintained during the disruptive event;
d) Measures to limit the form and extent of environmental damage caused by the disruptive event;
e) Situations/conditions in which each procedure will be implemented;
f) Criteria that will determine whether the disruptive event is to be classed as an incident, accident,
emergency, crisis, and/or a disaster;
g) Criteria that will indicate the end of the response phase;
h) Roles and responsibilities of individuals and groups required to implement the procedure;
i) The organizational structure to be used, including the establishment of an incident command center,
and links with external agencies such as the emergency services and occupational health and safety
bodies;
j) Procedures for communicating within the organization to key external stakeholders including supply
chain partners, the emergency services, local authorities, and the media; and
k) Contact details of all individuals responsible for implementing the procedure and others who need
to be notified that the procedure is to be, or has been, implemented.
The organization should nominate a primary “owner” of each response procedure and should state who
is responsible for reviewing, amending, and updating the procedure. The process of reviewing,
amending, updating, and distributing procedures should be controlled.
NOTE: Response procedures are sometimes referred to as emergency response procedures.

F.4 Continuity Procedures


The purpose of a continuity procedure is to define the measures to be taken by the organization to
maintain and/or re-establish priority activities of the organization and its supply chain partners.

Continuity procedures should describe how the organization will maintain and/or re-establish critical
activities in the period immediately following the response/emergency phase. Organizations may choose
to have a single procedure with sections and/or annexes dealing with different types of incident.
Alternatively, separate procedures may be written for each type of incident.

Each procedure should specify as a minimum:

a) The purpose and scope of the procedure;
b) Priority assets to be protected during and immediately following the disruptive event;
c) Priority activities to be maintained during and immediately following the disruptive event;
d) Activities to be restored as a priority following the disruptive event;
e) Measures to limit the form and extent of environmental damage caused by the disruptive event;

105
ANSI/ASIS/RIMS RA.1-2015

f) Situations/conditions in which each continuity procedure will be implemented;


g) Criteria that will indicate the end of the continuity phase;
h) Roles and responsibilities of individuals and groups required to implement the procedure;
i) The organizational structure to be used including links with external agencies such as emergency
services and occupational health and safety bodies;
j) Procedures for communicating within the organization, to key external stakeholders including
supply chain partners, the emergency services, local authorities, loss adjusters/insurance companies,
and the media; and
k) Contact details of all individuals responsible for implementing the procedure and others who need
to be notified that the procedure is to be implemented.
The organization should nominate a primary “owner” of each continuity procedure and should state
who is responsible for reviewing, amending, and updating the procedure. The process of reviewing,
amending, updating, and distributing procedures should be controlled.
NOTE: Continuity procedures may run concurrently with response and recovery procedures.

F.5 Recovery Procedures


The purpose of a recovery procedure is to define the measures to be taken by the organization to recover
from a disruptive event and thus ensure it is able to meet its strategic and operational objectives.

Recovery procedures should describe how the organization will re-establish all necessary operational
and support activities, replace damaged and/or destroyed assets and information, rebuild the brand and
reputation of the organization, and assist staff to recover from the event. Organizations may choose to
have a single procedure with sections and/or annexes dealing with different types of incidents.
Alternatively, separate procedures may be written for each type of incident.

Each procedure should specify as a minimum:

a) The purpose and scope of the procedure;


b) Operational and support activities to be re-established and/or restored, and the priority of such
restoration;
c) Assets including property, equipment, information, vehicles, and stores to be repaired and/or
replaced, and the priority for such repair and replacement;
d) Assistance to staff affected, either physically or psychologically, by the disruptive event;
e) Actions to be taken to rebuild the organization’s brand and reputation;
f) Actions to be taken to mitigate any environmental damage;
g) Situations/conditions in which each recovery procedure will be implemented;
h) Criteria that will indicate the end of the recovery phase;


i) Roles and responsibilities of individuals and groups who will be required to implement the
procedure. It may be necessary to modify the normal procurement procedures in order to rapidly
restore the organization’s activities and assets;
j) The organizational structure to be used, including links with external agencies such as occupational
health and safety bodies, and loss adjusters/insurance companies; and
k) Procedures for communicating within the organization, to key external stakeholders including
supply chain partners, the emergency services, local authorities, and the media.
The organization should nominate a primary “owner” of each recovery procedure, and should state who
is responsible for reviewing, amending, and updating the procedure. The process of reviewing,
amending, updating, and distributing procedures should be controlled.
NOTE 1: Recovery procedures may run concurrently with continuity procedures.

NOTE 2: Recovery procedures are sometimes referred to as recovery and restoration procedures.

PREVENTION AND MITIGATION TREATMENT PLAN

Function / Activity:
Risk:                                   Risk Reference Number:

Mitigation Procedure
  The Purpose and Scope of the Procedure:
  The Assets to be Protected:
  Objectives and Measures of Success:
  Implementation Steps and Frequency:
  Roles, Responsibilities and Authorities:
  Communications Requirements:
  Internal and External Interdependencies and Interactions:
  Resource, Competency and Training Requirements:
  Informational Flow and Documentation:

Received by:            Date:           Reviewed / Approved by:            Date:


RESPONSE TREATMENT PLAN

Function / Activity:
Risk:                                   Risk Reference Number:

Response Procedure Owner:
  The Purpose and Scope:
  Priority Assets to be Protected:
  Priority Activities to be Maintained:
  Measures to Limit Damage:
  Situation / Conditions in Which Plan Will be Implemented:
  Criteria for Classifying an Event:
  Criteria for Indicating the End of the Response Plan:
  Roles and Responsibilities of Individuals and Groups:
  Organization Structure to be Used, Including Incident Command & External Links:
  Procedures for Communication within the Organization:
  Contact Details of All Individuals:

Received by:            Date:           Reviewed / Approved by:            Date:


CONTINUITY TREATMENT PLAN

Function / Activity:
Risk:                                   Risk Reference Number:

Continuity Procedure Owner:
  The Purpose and Scope:
  Priority Assets to be Protected:
  Priority Activities to be Maintained:
  Activities to be Restored as a Priority After an Event:
  Measures to Limit the Damages Caused by the Event:
  Situation / Conditions in Which Plan Will be Implemented:
  Criteria for Indicating the End of the Continuity Plan:
  Roles and Responsibilities of Individuals and Groups:
  Organization Structure to be Used, Including Incident Command & External Links:
  Procedures for Communication Within the Organization:
  Contact Details of All Individuals Involved:

Received by:            Date:           Reviewed / Approved by:            Date:


Annex G
(informative)

G BUSINESS IMPACT ANALYSIS


Elimination of all risk is not possible. The risk assessment provides a thorough analysis of the levels of
risk and the treatment methods required to bring risk to a level that is as low as reasonably practical.
The costs and benefits of treating a risk and the potential to exploit opportunities will affect the
determination of what treatment methods will bring risk to a level that is as low as reasonably
practical. Residual risks need further consideration to develop contingency plans.

A business impact analysis (BIA) provides a structured approach to gaining information about the
critical activities, functions, and processes of the organization and the associated resources necessary
for an organization to mitigate the impacts of undesirable and disruptive events. The BIA:

a) Evaluates critical activities, functions, and processes and their role in achieving organizational
objectives;
b) Determines the most critical activities, functions, and processes and the resources (assets) that
are needed to achieve the desired outcome;
c) Prioritizes the critical activities, functions, and processes that must be operational to maintain
an acceptable level of business functionality during and immediately following an unacceptable
business interruption; and
d) Determines the time frames and resource requirements to maintain critical activities, functions,
and processes following a risk event to restore operations to the level required to meet
organizational objectives.
The organization may conduct a BIA on critical activities, functions, and processes related to its
residual risk and develop contingency plans. The purpose of the BIA should be to determine:
a) Criticality - Every critical business function is identified (with related dependencies and
interdependencies) and the impact of an undesirable or disruption event determined.
b) Maximum Downtime - Estimate the maximum downtime that can be tolerated while still
maintaining viability. Management should determine the longest period of time that a critical
process can be disrupted before recovery becomes unlikely.
c) Resource Requirements - Realistic recovery efforts require a thorough evaluation of the
resources required to resume critical operations and related interdependencies as quickly as
possible.
Timeframes and recovery objectives are typically defined in terms of:


• Maximum Allowable Outage: Represents the maximum period of time that an organization can
tolerate the loss of capability of a critical business function, process, or asset.
• Recovery Time Objective: The period of time within which a business’ activities and resources must be
recovered to an acceptable capability after a disruptive event, often defined in hours or days.
• Recovery Point Objective: The point in time from which products, organizational activities, or data
in a known, valid, or integral state can be restored. Often viewed as the maximum amount of loss
tolerance and defined in hours or days.
The output of a business impact analysis typically includes:
a) Recovery time objectives and associated justification
b) Recovery point objectives and associated justification
c) Recovery capacity or performance at the recovery time objective
d) Timeframe when the organization requires 100% of operational capability
e) Prioritization of recovery resources
f) Content for response and recovery strategies
g) Reset of product/service acceptable disruption periods, as needed
Many methodologies exist for conducting a BIA. The methodology should be tailored to the decision-
making needs of the organization and achievement of organizational objectives. The following three
figures present a generalized approach to conducting a business impact analysis.

1. Confirm critical assets, activities and functions: identify and determine the criticality (priority) of
assets, activities, and functions in achieving objectives, and the impact of a risk event.
2. Identify outage and recovery times: estimate the maximum acceptable downtime that the organization
can tolerate while still maintaining viability, enabling it to establish recovery time objectives.
3. Identify interdependencies and resources: evaluate resource requirements and activity and external
interdependencies needed to resume operation within the recovery timescale identified.
4. Determine strategies: provide parameters for the selection of appropriate risk control strategies
that can satisfy the required recovery timescales identified.

Figure 16: Business Impact Analysis (BIA)


Figure 17 shows the following steps, read left to right and top to bottom:

1. Determine Scope of BIA
2. Determine Critical Operations
3. Determine Interdependencies
4. Determine Existing Control Measures
5. Determine Outage and Recovery Times
6. Determine Impacts (Tangible and Intangible)
7. Determine Resource Requirements
8. Set Continuity and Restoration Objectives
9. Develop Response, Continuity and Recovery Plans

Figure 17: Example of BIA Methodology

Figure 18 shows the following steps, read left to right and top to bottom:

1. Review existing process, activity and resource documentation
2. Perform data gathering
3. Assess information collected for each product and service to identify potential impacts and their
respective disruptive events
4. Assign RTO and RPO based on product/service-specific disruption guidance
5. Assess the potential impact of a disruption on employees and customers, property, and business
operations
6. Evaluate activity and resource dependencies to prioritize recovery
7. Assess the internal and external resources available to deal with disruptions
8. Present recovery objective recommendations and justification to management for evaluation and
strategic determination
9. Prepare other information for use in strategy development

Figure 18: Example of BIA Process
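As an added illustration (not part of the standard), the following Python models the timeframe and
dependency checks from the BIA steps above: it flags an RTO that exceeds its MAO, flags an activity whose
RTO is earlier than that of a resource it depends on, and derives a recovery order that respects
dependencies, then criticality, then shortest RTO. The activity names and timings are constructed.

```python
from dataclasses import dataclass, field
from graphlib import TopologicalSorter  # Python 3.9+

@dataclass
class Activity:
    """One critical activity with the BIA timeframes defined in Annex G."""
    name: str
    criticality: int      # 1 = most critical, as fixed in the criticality step
    mao_hours: float      # Maximum Allowable Outage
    rto_hours: float      # Recovery Time Objective
    rpo_hours: float      # Recovery Point Objective (maximum data loss tolerance)
    depends_on: list = field(default_factory=list)

# Constructed sample for a small supply-chain operation (hypothetical values).
SAMPLE = [
    Activity("core_network", 1, mao_hours=4, rto_hours=2, rpo_hours=0.5),
    Activity("warehouse_system", 1, 8, 4, 1, depends_on=["core_network"]),
    Activity("supplier_edi", 2, 24, 8, 4, depends_on=["core_network"]),
    Activity("order_fulfilment", 1, 12, 6, 1, depends_on=["warehouse_system", "supplier_edi"]),
    Activity("payroll", 3, 72, 96, 24),   # RTO deliberately longer than MAO
]

def check_objectives(activities):
    """Flag objectives that cannot be met: an RTO beyond the MAO, or a
    dependency whose RTO is later than the RTO of the activity relying on it."""
    by_name = {a.name: a for a in activities}
    findings = []
    for a in activities:
        if a.rto_hours > a.mao_hours:
            findings.append(f"{a.name}: RTO {a.rto_hours}h exceeds MAO {a.mao_hours}h")
        for dep in a.depends_on:
            d = by_name[dep]
            if d.rto_hours > a.rto_hours:
                findings.append(f"{a.name}: needs {dep} (RTO {d.rto_hours}h) "
                                f"before its own RTO {a.rto_hours}h")
    return findings

def recovery_order(activities):
    """Prioritise recovery: dependencies first, then criticality, then shortest RTO."""
    by_name = {a.name: a for a in activities}
    ts = TopologicalSorter({a.name: set(a.depends_on) for a in activities})
    ts.prepare()                   # also raises CycleError on circular dependencies
    ready, order = set(ts.get_ready()), []
    while ready:
        nxt = min(ready, key=lambda n: (by_name[n].criticality, by_name[n].rto_hours, n))
        ready.remove(nxt)
        order.append(nxt)
        ts.done(nxt)               # releases activities that depended on nxt
        ready.update(ts.get_ready())
    return order

if __name__ == "__main__":
    for f in check_objectives(SAMPLE):
        print("finding:", f)
    print("recovery order:", " -> ".join(recovery_order(SAMPLE)))
```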


Annex H
(informative)

H BIBLIOGRAPHY

H.1 ASIS International Publications


ANSI/ASIS SPC.1-2009, Organizational Resilience: Security, Preparedness and Continuity Management
Systems — Requirements with Guidance for Use

H.2 ISO Standards Publications


ISO Guide 72:2001, Guidelines for the justification and development of management system standards
ISO Guide 73:2009, Risk management -- Vocabulary
ISO 9000:2009, Quality management systems -- Fundamentals and vocabulary
ISO/IEC 13335-1:2004, Information technology -- Security techniques -- Management of information and
communications technology security -- Part 1: Concepts and models for information and communications
technology security management
ISO 19011:2011, Guidelines for quality and/or environmental management systems auditing
ISO 31000:2009, Risk management -- Principles and guidelines
ISO/IEC 31010:2009, Risk management -- Risk assessment techniques

ASIS International
1625 Prince Street, Alexandria, Virginia 22314-2882, USA
+1.703.519.6200, Fax: +1.703.519.6299
www.asisonline.org