Skip to content

Risk Assessment

For a limited time, ASIS International is allowing open access to this standard to help organizations in response to the COVID-19 pandemic.

ATTENTION: This page is intended to be viewed online and may not be printed or copied.

Approved August 3, 2015
American National Standards Institue, Inc.
ASIS International and The Risk and Insurance Management Society, Inc.


This Standard provides guidance on developing and sustaining a coherent and effective risk assessment program including principles, managing an overall risk assessment program, and performing individual risk assessments, along with confirming the competencies of risk assessors and understanding biases. This Standard describes a well-defined risk assessment program and individual assessments to provide the foundation for the risk management process. Seven annexes provide additional guidance for applying risk assessments and potential treatments.


The information in this publication was considered technically sound by the consensus of those who engaged in the development and approval of the document at the time of its creation. Consensus does not necessarily mean that there is unanimous agreement among the participants in the development of this document.

ASIS and RIMS standards and guideline publications, of which the document contained herein is one, are developed through a voluntary consensus standards development process. This process brings together volunteers and/or seeks out the views of persons who have an interest and knowledge in the topic covered by this publication. While ASIS administers the process and establishes rules to promote fairness in the development of consensus, it does not write the document and it does not independently test, evaluate, or verify the accuracy or completeness of any information or the soundness of any judgments contained in its standards and guideline publications.

ASIS is a volunteer, nonprofit professional society with no regulatory, licensing or enforcement power over its members or anyone else.  ASIS and RIMS do not accept or undertake a duty to any third party because they do not have the authority to enforce compliance with their standards or guidelines.  They assume no duty of care to the general public, because their works are not obligatory and because they do not monitor the use of them.

ASIS and RIMS disclaim liability for any personal injury, property, or other damages of any nature whatsoever, whether special, indirect, consequential, or compensatory, directly or indirectly resulting from the publication, use of, application, or reliance on this document. ASIS and RIMS disclaim and make no guaranty or warranty, expressed or implied, as to the accuracy or completeness of any information published herein, and disclaims and makes no warranty that the information in this document will fulfill any person’s or entity’s particular purposes or needs.  ASIS and RIMS do not undertake to guarantee the performance of any individual manufacturer or seller’s products or services by virtue of this standard or guide.

In publishing and making this document available, ASIS and RIMS are not undertaking to render professional or other services for or on behalf of any person or entity, nor are ASIS and RIMS undertaking to perform any duty owed by any person or entity to someone else. Anyone using this document should rely on his or her own independent judgment or, as appropriate, seek the advice of a competent professional in determining the exercise of reasonable care in any given circumstances. Information and other standards on the topic covered by this publication may be available from other sources, which the user may wish to consult for additional views or information not covered by this publication.

ASIS and RIMS have no power, nor do they undertake to police or enforce compliance with the contents of this document.  ASIS and RIMS have no control over which of their standards, if any, may be adopted by governmental regulatory agencies, or over any activity or conduct that purports to conform to their standards.  ASIS and RIMS do not list, certify, test, inspect, or approve any practices, products, materials, designs, or installations for compliance with its standards.  They merely publish standards to be used as guidelines that third parties may or may not choose to adopt, modify, or reject.  Any certification or other statement of compliance with any information in this document should not be attributable to ASIS and RIMS and is solely the responsibility of the certifier or maker of the statement.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written consent of the copyright owner.  


Copyright © 2015 ASIS International and The Risk and Insurance Management Society, Inc. All rights reserved.

ISBN: 978-1-934904-75-6


The information contained in this Foreword is not part of this American National Standard (ANS) and has not been processed in accordance with ANSI’s requirements for an ANS. As such, this Foreword may contain material that has not been subjected to public review or a consensus process. In addition, it does not contain requirements necessary for conformance to the Standard.

ANSI guidelines specify two categories of requirements: mandatory and recommendation. The mandatory requirements are designated by the word shall and recommendations by the word should. Where both a mandatory requirement and a recommendation are specified for the same criterion, the recommendation represents a goal currently identifiable as having distinct compatibility or performance advantages.

ASIS International and The Risk Management Society, Inc. collaborated in the development of this Risk Assessment standard.

About ASIS

ASIS International (ASIS) is the largest membership organization for security management professionals that crosses industry sectors, embracing every discipline along the security spectrum from operational to cybersecurity. Founded in 1955, ASIS is dedicated to increasing the effectiveness of security professionals at all levels.

With membership and chapters around the globe, ASIS develops and delivers board certifications and industry standards, hosts networking opportunities, publishes the award-winning Security Management magazine, and offers educational programs, including the Annual Seminar and Exhibits—the security industry’s most influential event. Whether providing thought leadership through the CSO Roundtable for the industry’s most senior executives or advocating before business, government, or the media, ASIS is focused on advancing the profession, and ensuring that the security community has access to intelligence, resources, and technology needed within the business enterprise.

The work of preparing standards and guidelines is carried out through the ASIS International Standards and Guidelines Committees, and governed by the ASIS Commission on Standards and Guidelines. An ANSI accredited Standards Development Organization (SDO), ASIS actively participates in the International Organization for Standardization (ISO). The Mission of the ASIS Standards and Guidelines Commission is to advance the practice of security management through the development of standards and guidelines within a voluntary, nonproprietary, and consensus-based process, utilizing to the fullest extent possible the knowledge, experience, and expertise of ASIS membership, security professionals, and the global security industry.

About RIMS

As the preeminent organization dedicated to advancing the practice of risk management, RIMS, the risk management society™, is a global not-for-profit organization representing more than 3,500 industrial, service, nonprofit, charitable and government entities throughout the world. Founded in 1950, RIMS brings networking, professional development and education opportunities to its membership of more than 11,000 risk management professionals who are located in more than 60 countries.

Suggestions for improvement of this document are welcome. They should be sent to ASIS International, 1625 Prince Street, Alexandria, VA 22314-2818.

Next: ASIS Commission on Standards and Guidelines

Table of Contents

RA Standard Home

  • General
  • Definition of Risk Assessment
  • Quantitative and Qualitative Analysis
  • Managing Organizational and Specific Risk Assessments
  • Plan-Do-Check-Act Model


  • Scope
  • Normative References
  • Terms and Definitions
  • General
  • Impartiality, Independence, and Objectivity
  • Trust, Competence, and Due Professional Care
  • Honest and Fair Representation
  • Responsibility and Authority
  • Consutative Approach
  • Fact-Based Approach
  • Confidentiality
  • Change Management
  • Continual Improvement
Managing A Risk Assessment Program
  • General
  • Understanding the Organization and Its Objectives
  • Establishing the Framework
  • Establishing the Program
  • Implementing the Risk Assessment Program
  • Monitoring the Risk Assessment Program
  • Review and Improvement
Performing Individual Risk Assessments
  • General
  • Commencing the Risk Assessment
  • Planning Risk Assessment Activities
  • Conducting Risk Assessment Activities
  • Post Risk Assessment Activities
  • General
  • Competence

Annex A: Risk Assessment Methods, Data Collection, and Sampling

  • General
  • Types of Interactions
  • Assessment Paths
  • Sampling

Annex B: Root Cause Analysis

  • General
  • Applying Root Cause Techniques
  • Ten Steps for Effective Root Cause Analysis

Annex C: Background Screening and Security Clearances

  • General
  • Background Checks
  • Interviews
  • Privacy Protection

Annex D: Contents of the Risk Assessment Report

Annex E: Confidentiality and Document Protection

Annex F: Examples of Risk Treatment Procedures that Enhance Resilience of the Organization

  • General
  • Prevention and Mitigation Procedures
  • Response Procedures
  • Continuity Procedures
  • Recovery Procedures

Annex G: Business Impact Analysis

Annex H: Bibliography