7. Confirming the Competence of Risk Assessors
The credibility of any risk assessment program is a function of the competence of the assessors. All persons involved in the risk assessment process should be competent to perform their roles and assigned tasks. Risk assessors should possess the technical expertise and interpersonal skills to effectively evaluate the application of risk management systems for a particular client. Assessors should evaluate the effectiveness of the risk management measures, not merely check a box indicating that measures exist. To add value to the client and organization, the assessors should understand the management and risk approaches from the client's business and risk environment. Assessors should have a clear understanding of how to apply the risk criteria. Assessor competence comprises several elements:
- Personal traits and interpersonal skills;
- Assessment skills;
- Communication skills;
- Education, training, and knowledge; and
- Work experience.
The risk assessment team should have a proficient understanding of the business and disciplines they are assessing. The assessment team should project an image to the client and organization that they have the competence relevant to the appropriate technical area of the risk-based management system, risk-related disciplines, industry sector, and geographic location.
The risk manager and RTL should determine and document the competence required to evaluate each technical area and function in the risk assessment activity. When identifying competence requirements, the risk manager and RTL should tailor its competence requirements to the types of risks the client and organization face and the locations of operations in order to:
- Define the scope of the activities that it undertakes;
- Identify any technical qualification of its assessors necessary for that particular type of risk, services, and location of operation;
- Ensure that personnel have appropriate knowledge, skills and experience relevant to the types of services provided and geographic areas of operation; and
- Select a suitably qualified assessment team.
The risk manager and RTL should determine the criteria and means for the demonstration of competence prior to carrying out specific functions. Records of the determination should be maintained and made available upon request by the client and/or organization.
7.2.2 Determination of Competence Criteria
The risk manager and RTL should have a documented process for determining the competence criteria for personnel with a demonstrated capacity for the management and performance of the risk assessment. Measurable criteria should be determined to demonstrate competence with regard to:
- The requirements of the risk management system and any risk-based management standard(s) used;
- Risk assessment and management consistent with legal obligations and accepted industry practices related to operations;
- The legal, cultural and operational context of the location of operation; and
- Functions in the risk assessment process.
The output of the process should be documented criteria for the knowledge and skills required to perform risk assessment tasks effectively and achieve the intended results. These criteria provide a basis for:
- Selecting assessment team members to cover all areas of required competence;
- Ascertaining competence enhancement requirements for continuing improvement of assessor competence; and
- Determining performance indicators for assessors.
To determine the appropriate assessor competence, consider:
- Risk associated with the organization's operations and activities;
- Nature and complexity of the client’s risk management system;
- Risk management disciplines to be considered;
- Objectives and extent of the risk assessment program;
- Legal and other requirements, such as those imposed by external bodies, where appropriate;
- Role of the risk management process in the business management system of the organization;
- The need for balance and avoidance of bias in the assessment process;
- Complexity of the risk environment to be assessed; and
- Risk related to achieving risk assessment objectives.
When determining the competence criteria, the risk manager and RTL should establish performance-based evaluation criteria and a consistent, documented method for evaluating competence. Examples of evaluation methods include (but are not limited to):
- Verifying the background, education and experience;
- Psychometric (quantitative) testing of knowledge and skills (may include variables such as intelligence, aptitude, and personality traits);
- Reviewing written samples of work;
- Interviews to evaluate knowledge, communications skills, and personal behavior;
- Observation of risk assessment skills;
- Competence-based certifications and professional credentialing; and
- Feedback and post-assessment review.
7.2.3 Training and Competence Evaluation
Persons conducting risk assessments should have successfully completed training and be able to demonstrate competence in the understanding and application of:
- Risk management systems and risk disciplines being assessed;
- Risk management methodologies;
- Risk assessment and management principles;
- Legal, regulatory, and other relevant jurisdictional law;
- Liability and tort law associated with industry and risk profile; and
- Managing the risks of undesirable and disruptive events.
The risk manager and RTL should ensure persons conducting risk assessments have a working knowledge of the ISO 31000:2009 Risk management standard. Assessors should have the knowledge and skills corresponding to a post-secondary education that includes language and communications skills.
The risk manager and RTL should ensure that persons conducting risk assessments have experience in the risk-related industry, discipline, or sector, including work in risk management, or the equivalent based on industry standards and complexity of risk disciplines. The number of years of total work experience may be reduced if the person has completed appropriate and relevant post-secondary education.
The risk manager and RTL should establish, document, and maintain a process to evaluate and verify the training and competence of persons conducting risk assessments, including appropriate continual training according to their specific qualification requirements to maintain competence.
7.2.4 Monitoring of Competence
The risk manager and RTL should ensure the acceptable performance of all personnel involved in its risk assessment activities. The risk manager and RTL should establish documented procedures, metrics, and criteria for monitoring and measuring the performance of all persons involved, based on the level of risk-based knowledge required for their activities. The risk manager and RTL should review, at least annually, the competence of its personnel based on their performance in order to identify training needs.
The monitoring procedures should include a combination of on-site observation, risk assessment report review, and feedback from clients or other affected parties. Monitoring should be designed in such a way as to minimize the disturbance of the normal operations, especially from the client’s viewpoint.
7.2.5 Improvement of Competence
Assessors should increase and improve their skills through continuing education and experience. Risks, organizational management practices, technologies, accepted industry practices, and standards change with time. Assessors should keep abreast of the need to hone their knowledge and skill sets with changing risk assessment conditions. Examples of continuing education and skills improvement methods include:
- Participation in risk assessments;
- Professional society and technical literature;
- Participation in professional associations and their workshops and conferences;
- Mentoring and peer review programs;
- Reading case studies; and
- Professional certification and formal education programs.
7.3 Validation and Personnel Records
The risk manager and RTL should maintain up-to-date records of relevant qualifications, training, experience, professional affiliations and memberships, professional status and competence of all personnel involved in its risk assessment activities.
The risk manager and RTL should ensure all persons working on its behalf assigned to perform risk assessments, as well as technical experts, can be trusted to maintain confidential information obtained during risk assessment work. These personnel must not create a security risk by betraying confidentiality or adversely impacting operations (evidenced by an executed non-disclosure/confidentiality agreement). This should be validated by appropriate background screening of persons involved in risk assessment activities.
All persons performing risk assessments should have, at a minimum, the interpersonal skills and personal attributes needed to conduct a successful assessment. An assessor who lacks the necessary interpersonal skills and personal attributes will not be able to conduct a successful assessment; therefore the assessor should have good communication skills, including:
- Good oral and written language skills;
- Being a good listener;
- Ability to handle stress and conflict to avoid an adversarial environment;
- Cultural sensitivity, including appropriate body language;
- Ability to conduct unbiased questioning, analysis, and problem-solving; and
- Tact and diplomacy.
Personal attributes of an assessor include:
- Humility - consciousness of the limits of one's knowledge, including sensitivity to bias, prejudice and limitations of one's viewpoint;
- Courage - willingness to address ideas, beliefs or viewpoints fairly regardless of potential negative consequences;
- Faith in reason - thinking coherently and logically to persuade by reason;
- Fair-mindedness - treating all viewpoints alike, without reference to one's own feelings or vested interests;
- Empathetic - able to put oneself in the place of others in order to genuinely understand them;
- Integrity - honestly admitting discrepancies and inconsistencies in one's own thought and action;
- Independent - free from real or perceived conflicts of interest or influence;
- Unbiased - free from preconceived notions and prejudice;
- Systematic - able to conduct an orderly and methodical investigation;
- Ethical and trustworthy - fair, discreet and honest;
- Persistent - tenacious and focused on achieving the assessment objectives;
- Curious and open-minded - inquisitive and willing to consider various points of view;
- Adaptable - agile in approach and able to change course when needed;
- Versatile - able to handle a variety of situations;
- Positive - projecting a positive attitude rather than negativity;
- Non-judgmental - focusing on evidence without interjecting value judgments;
- Observant and perceptive - aware of the environment and able to understand the context;
- Decisive - able to make decisions based on facts and the situation; and
- Self-reliant - able to work autonomously while interacting with others.
Assessment team leaders should also be able to display leadership, manage time, understand communication formalities, handle conflict, and provide mentoring to less experienced assessors.
All personnel involved in the risk assessment activities should be able to display a tamper-resistant credential, consistent with a verifiable government identification that is easily distinguishable, with a unique number, showing the following:
- Full legal name;
- Period of validity; and
- Name of the issuing body.
7.3.2 Non-disclosure Agreements
All persons assigned to perform risk assessments should sign confidentiality and non-disclosure agreements and a code of ethics. The risk manager and RTL should establish, document, and maintain procedures on how to respect and protect the integrity of sensitive, confidential, and proprietary information. The risk manager and RTL should periodically review, as part of its own quality management system, the performance of its personnel with respect to taking appropriate steps to protect the sensitive, confidential or proprietary information.
When requested, confidentiality and non-disclosure agreements signed by personnel involved in its risk assessment activities should be made available to organizations undergoing the risk assessment.
The risk manager and RTL should establish, document and maintain procedures to make personnel involved in its risk assessment activities aware of infractions that could subject them to disciplinary actions, civil liability, and criminal prosecution. The procedures should include a process for addressing infractions of procedures, the code of ethics, and confidentiality and non-disclosure agreements, including the investigation procedure and disciplinary actions. Records should be kept of infractions, investigations, and any subsequent disciplinary actions.
The risk manager and RTL should establish, document, and maintain procedures to maintain records of personnel involved in its risk assessment activities. Records should be retained for periods that the risk manager and RTL deem appropriate and according to retention periods designated by national, international and other legal requirements.
7.4 Use of External Risk Assessors and Technical Experts
The risk manager and RTL should develop a documented process for outsourcing any risk assessment activities or using external subject matter experts to ensure compliance with risk assessment policies, procedures, and services, as well as respect for confidentiality and non-disclosure of client or organization information. Outsourcing and external expert agreements should be enforceable and reviewed by appropriate legal counsel.