
Risk Assessment


Annex D

D. Contents of the Risk Assessment Report

The risk assessment report provides a concise, evidence-based summary of the risk assessment activities and of the salient conclusions and recommendations. The report typically includes the following:

  • Identification of the organization and risk manager conducting the risk assessment;

  • The name and address of the organization (including client, and the client’s management representative) being assessed;

  • The type of risk assessment (e.g., initial, risk management system, strategic, surveillance, risk or function specific);

  • The risk assessment objectives;

  • The risk criteria;

  • The assessment scope, specifically identification of the organizational or functional units or processes assessed;

  • Assumptions, existing conditions, background, and qualifiers;

  • Identification of the RTL, assessment team members and any accompanying persons;

  • The dates and places where the assessment activities (on-site or off-site) were conducted;

  • Assessment methods;

  • Assessment findings, evidence and conclusions (opportunities and down-side risks), consistent with the requirements of the type of assessment;

  • A risk register; and

  • Any unresolved issues, if identified.

The following may also be included or referenced in the assessment report:

  • An executive summary for lengthy assessment reports;
  • Areas within the assessment scope which were not covered;
  • Assessment plan;
  • Time schedule of the assessment plan;
  • Summary of the assessment process;
  • Identified accepted industry practices;
  • Risk treatment strengths and weaknesses;
  • Opportunities for improvement;
  • List of recommendations based on objectives;
  • Follow-up action plans;
  • A reiteration of the confidential nature of the contents;
  • Subsequent assessments;
  • Implications for the risk management program;
  • Distribution list of the assessment report;
  • Classification and dissemination of protected information related to the risk assessment; and
  • List of relevant reference materials.
