ATTENTION: This page is intended to be viewed online and may not be printed or copied.
The principles in this Standard give guidance necessary to provide transparency, confidence, and trust in the risk assessment processes. A risk assessment is an effective tool for evaluating the organization’s risk and resilience challenges and maturity and to drive performance improvements. In addition the risk assessment provides assurance to decision-makers that the adopted risk- and resilience-based management system and risk management measures are achieving their intended objectives.
Examples of stakeholders in the risk assessment process include but are not limited to:
- Customers, clients, stockholders, employees, contractors, and supply chain partners (e.g., outsourced partners and critical infrastructure suppliers);
- Government and regulatory authorities;
- Non-governmental organizations;
- Civil society groups; and
- Members of the public (including the media).
The principles below apply to all the activities involved in the assessment program as well as during individual risk assessments. Use of these principles help validate that persons performing risk assessments independently yet in similar circumstances will arrive at similar and repeatable conclusions.
4.2 Impartiality, Independence, and Objectivity
Confidence in the risk assessment process is dependent on an impartial evaluation of the risk sources and management practices. Impartiality requires both actual and perceived objectivity. Assessment programs should implement measures to ensure and monitor impartiality.
Assessors should be impartial, have an unbiased attitude, and avoid any conflict of interest. Possible conflicts of interest should be identified, resolved, and documented before a risk assessment begins. Threats to impartiality include:
Self-interest – threats that arise from having a vested or financial self-interest;
Self-review – threats that arise from reviewing advice or work done by oneself on behalf of the organization;
Familiarity – threats that arise from being too familiar with the processes and/or persons being assessed to obtain unbiased evidence and conclusions;
Habituation – threats that arise from complacency or over-familiarity with the context of operating conditions;
Cognitive-bias – threats that arise from individuals creating their own subjective reality through their preconceived perception of the input; and
Intimidation – threats that arise from having a perception of being coerced or pressured.
Whether internal staff or external consultants, assessors should be independent and objective in performing their work. Risk assessment activities should be free from interference in conducting the assessment and reporting its conclusions. Also, assessors should evaluate if they can conduct a risk assessment in a culturally, professionally, organizationally, and technically unbiased fashion. Questions related to independence or objectivity should be analyzed, mitigated, and reported. Assessors should be aware of and sensitive to influences that may affect their judgment when conducting a risk assessment.
4.3 Trust, Competence, and Due Professional Care
Activities in risk assessment should be conducted with honesty, integrity, diligence, and responsibility. Interested parties should be confident in the assessor’s technical competence and integrity. Competence is the ability to apply knowledge, experience, and skills to achieve the intended purpose and accurate results. Risk assessments should be conducted with due professional care. Integrity provides the foundation for professionalism and trust. Assessors should demonstrate awareness of and compliance with applicable legal, regulatory, safety, and security requirements.
Many organizations have established a code of ethics that set standards of conduct in the performance of work. To instill trust, an assessor’s ethical principles and integrity may be codified by a formal set of ethical standards addressing issues of competence, independence, diligence, honesty, integrity, impartiality, and confidentiality.
4.4 Honest and Fair Representation
Risk assessment findings and conclusions should be based on evidence that accurately and honestly reflects the risk assessment activities, and that are truthfully presented in assessment documentation. Any impediments to achieving risk assessment objectives should be documented. Communications should be timely, accurate, unambiguous, unbiased, and complete. Evidence should be clearly documented.
4.5 Responsibility and Authority
Conformance to the requirements and controls of the risk management program is the responsibility of the risk makers and risk takers within the organization. It is the responsibility of the assessment team to objectively evaluate conformance to the criteria of the risk management program by collecting and documenting evidence of conformance or non-conformance to the program’s requirements. Sufficient documented evidence is necessary for a declaration of conformance and efficacy of the risk management measures; and to identify opportunities for improvement.
The authority to perform a risk assessment should be verified prior to the start of risk assessment activities. Authority to perform an assessment may be granted by either a single source or multiple sources inside or outside the organization. Specific and appropriate authority to conduct the assessment confers legitimacy to the assessment and permits the assessment to proceed. The relationship between the permitting authority and the assessment team should be clearly understood and documented.
4.6 Consultative Approach
Communication and consultation facilitate accurate, truthful, relevant, and comprehensible two-way exchanges of information throughout the organization. Communication and consultation with external and internal stakeholders should take place throughout the risk assessment process. Identifying and consulting relevant internal and external stakeholders is needed to understand the context and identify risks. Perceptions of risk can vary among different internal and external stakeholders due to differences in values, needs, assumptions, concepts, experience, and priorities. Communication and consultation with relevant stakeholders is needed in order to understand stakeholders' perceptions and determine how these need to be taken into account in the decision-making process. Given the sensitive nature of risk assessment information it is essential to take into account aspects of confidential and personal integrity.
4.7 Fact-based Approach
Assessment conclusions should be based on verifiable evidence, where available, gathered through a systematic risk assessment process that ensures reliability and reproducibility. It should be recognized that an assessment is a snapshot in time conducted with finite resources; therefore any sampling techniques should be based on a defined methodology that provides a representative sample. Monitoring and surveillance of conformity should be defined for a meaningful duration of time or as an ongoing process and included in the risk assessment program to ensure continued awareness, conformance, and to drive process improvements. If the evidence falls short of fact because there is insufficient information available, or of a type that limits its ability to be verified, then its credibility should be supported by other reliable information.
The importance of agreeing to the validity of the underlying information is key in a risk assessment. A clear process should be agreed as to what constitutes verifiable evidence and, when unavailable, what constitutes reliable information or estimates.
Persons involved in the risk assessment process should keep confidential any sensitive, proprietary, and risk-related information about an organization and its management system, as well as information that may cause harm to the interviewees, clients, customers, supply chain partners, persons who work on their behalf, complainants, and other external stakeholders. The risk assessment and its associated data may be considered confidential and, if so, should only be shared with persons who have a genuine need to know. Information exchange should be based on established procedures. A mechanism should be in place to ensure all relevant information is protected and only provided to the appropriate people and organizations. Confidentiality arrangements should consider legal obligations, including those for protecting information as well as requirements related to disclosure.
4.9 Change Management
As part of its risk management process, an organization should regularly review and improve its risk assessment processes, including a review of what prompts a renewed risk assessment such as a change in the internal or external environment.
The organization should establish a defined and documented change management program to ensure that any internal or external changes that impact the organization are reviewed in relation to the risk assessment. The organization should identify any triggers of deviations from expected outcomes and new critical activities that need to be included in the change management program.
4.10 Continual Improvement
Managers improve their risk assessment processes through the monitoring, measurement, review, and subsequent modification of assessment program, processes, procedures, capabilities, and information within a continual PDCA improvement cycle. Formal, documented reviews are conducted regularly. The findings of such reviews should be considered by top management and action taken where necessary to identify opportunities for improvement.