Risk Assessment

Anything that has tangible or intangible value to the organization.

NOTE 1: Tangible assets include human, physical, and environmental assets.

NOTE 2: Intangible assets include information, intellectual property, brand, and reputation.

Systematic, independent, objective, and documented process for obtaining, examining, verifying, and evaluating information relative to a set of criteria.

Process of evaluating the

1) competence, aptitude, and experience of people and the organization,

2) suitability of technology, and

3) application of processes for particular purpose(s) to determine whether or not the expected output will fall within an acceptable range.

Organization or person that receives a product or service

NOTE 1: Examples include consumers, contractors, end-user, retailer, beneficiary and purchaser.

NOTE 2: A client can be internal (e.g., another division) or external to the organization.

Ongoing, iterative, and two-way processes for the exchange of information with and between stakeholders and decision-makers regarding the management of risk.

NOTE 1: Information may relate to the context of the organization, characteristics of the risks and its assessment, and the selection and evaluation of risk treatment options.

NOTE 2: Communication and consultation informs the decision-making process but does not infer joint decision-making.

A group of associated organizations and people sharing common interests.

Demonstrable ability to apply knowledge and skills to achieve intended results.

Consistency with a requirement.

Result or effect of an action, condition, or decision on achieving objectives and outcomes.

NOTE 1: Uncertainties interact and may result in singular or multiple consequences with a potential for positive or negative effects on objectives.

NOTE 2: Consequences should consider both tangible and intangible factors and can be expressed qualitatively or quantitatively, or both.

NOTE 3: Consequences may have cascading effects.

Action to rectify the causes of a detected nonconformity or other undesirable circumstances.

NOTE 1: There can be more than one cause for a nonconformity.

NOTE 2: Corrective action is taken to prevent recurrence, whereas preventive action is taken to prevent occurrence.

Of essential importance with respect to objectives and/or outcomes. [ANSI/ASIS SPC.1-2009]

A process designed to systematically identify, evaluate, and rank positive and negative impacts on an organization‘s stakeholders, assets, services, and activities based on the importance of its mission or function, or the significance of risks on the organization's ability to meet its objectives and expectations.

NOTE: Determines which qualities or degrees of risk are of the highest importance for successful execution of an organization’s objectives or which might represent a decisive turning point in strategy execution.

A point, step, or process at which controls can be applied to modify risk.

NOTE 1: A threat or hazard can be prevented, eliminated, or reduced to targeted levels.

NOTE 2: A point at which opportunity can be leveraged.

Change occurring in an interval of time with the potential to alter outcomes.

NOTE 1: Likelihood and consequences of an event may be predictable using qualitative or quantitative measures.

NOTE 2: An event may be due to singular or multiple causes and may have more than one occurrence.

NOTE 3: The non-occurrence of an anticipated change is also an event.

NOTE 4: An event is not a risk, rather it is the uncertainty in the outcomes that creates risk.

The positive or negative effect on someone or something (see consequence).

Process that identifies and evaluates the potential effects of change upon an organization. This may include an assessment of the pros and cons of pursuing a course of action in light of its possible consequences, or the extent and nature of further change (intended or unintended) that such change may cause.

An event with consequences that has the capacity to cause gains or losses/harm to objectives and/or assets (e.g., tangible, intangible and human assets, the environment, and rights of stakeholders).

Assuring the soundness, reliability, and completeness of tangible and intangible assets.

Chance or probability of something happening.

Framework of policies, processes, and procedures used to ensure that an organization can fulfill all tasks required to achieve its objectives.

NOTE: Management systems are used by organizations to establish their policies, objectives, and targets; determine and allocate resources; define roles and authorities; implement procedures; and evaluate performance in order to achieve desired outcomes and objectives.

Ongoing scrutiny, oversight, evaluation, and situational awareness for determining the current status and to identify changes in the internal and external environments as well as performance.

Failure to fulfill a requirement.

Process of identifying uncertainties that may be exploited and analyzing the organization’s capability and readiness to exploit them. The process may include identifying unmet or underserved customer/client needs, identifying target markets, analyzing competitive advantages, as well as analyzing the organization’s resource capacity to undertake an opportunity.

Effect of uncertainty on the achievement of strategic, tactical, and operational objectives.

NOTE 1: Risk is considered as potentially having positive and/or negative outcomes.

NOTE 2: Uncertainty is the state where outcomes are unknown, lacking sufficient information, or otherwise undetermined or undefined in the course of decision-making.

NOTE 3: Objectives may include strategic goals related to the whole or parts of the organization and its value chain, as well as operational and tactical issues at levels of the organization.

NOTE 4: Risk can be characterized by the effect of uncertainty on tangible and/or intangible assets and/or potential risk events.

NOTE 5: Risk is often expressed in terms of a combination of the consequences and likelihood of the outcomes of uncertainty.

NOTE 6: Sometimes risk is focused on negative outcomes where it is considered a function of threats, vulnerabilities, and consequences.

Informed action of consenting to retain, receive, or undertake a particular risk.

Process to characterize and understand the nature of risk and to define the level of risk.

NOTE: Risk analysis assesses the likelihood and consequences of a risk to provide the basis for risk evaluation and risk treatment decision-making.

The total exposed amount that an organization wishes to undertake on the basis of risk-return trade-offs for one or more desired and expected outcomes.

[RIMS Executive Report on Exploring Risk Appetite and Risk Tolerance]

Overall and systematic process of evaluating the effects of uncertainty on achieving objectives.

NOTE: Risk assessment includes risk identification, risk analysis, and risk evaluation.

Organization’s or individual’s view/perspective of the perceived qualitative and quantitative value that may be gained in comparison to the related potential loss or losses.

[RIMS Executive Report on Exploring Risk Appetite and Risk Tolerance]

Terms of reference used to measure and evaluate the significance and effects of risk.

NOTE 1: Risk criteria are a function of the organization’s objectives, values, and policies, as well as the external and internal environment.

NOTE 2: Risk criteria can be derived from jurisdictional laws, obligations, and other requirements.

Event, individual(s), process, or trends having impact on the objectives of the organization.

Process of equating the results of risk analysis with risk criteria to determine whether a particular risk level is within an acceptable tolerance or presents a potential opportunity.

NOTE: Risk evaluation provides the basis for decision about risk treatment methods.

Process for determining what risks are anticipated, their characteristics, time dependencies, frequencies, duration period, and possible outcomes. NOTE: Risk identification involves the identification of threats, opportunities, criticalities, weaknesses, and strengths, as well as identifying sources of risk and potential events and their causes and impacts.

A strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.

[RIMS Resources]

A compilation for all risks identified, analyzed, and evaluated in the risk assessment process. NOTE: The risk register includes information on likelihood, consequences, treatments, and risk owners.

A factor with the potential to create uncertainty in achieving objectives. NOTE: A risk source may include tangible or intangible factors alone or in combination.

The amount of uncertainty an organization is prepared to accept in total or more narrowly within a certain business unit, a particular risk category, or for a specific initiative.

NOTE: The level of tolerance or acceptable level of variation related to achieving objectives may be influenced by jurisdiction law and stakeholder requirements.

[RIMS Executive Report on Exploring Risk Appetite and Risk Tolerance]

Process of selecting and implementing measures to modify risk to achieve objectives.

NOTE 1: Measures to modify risk may include: Avoiding the risk; Adapting internal or external parameters to change the nature of the risk; Exploiting a risk to pursue an opportunity; Eliminating or influencing the risk source; Modifying the likelihood; Modifying the consequences; Sharing the risk (e.g., insurance, contracts, outsourcing, etc.); and Accepting the risk by informed decision.

NOTE 2: Risk treatment can change the characteristics of existing risks or generate new risks.

NOTE 3: Risk treatment may require a reallocation of resources or modification of plans and priorities.

The condition of being protected against hazards, threats, risks, or loss.

NOTE 1: In the general sense, security is a concept similar to safety. The distinction between the two is an added emphasis on being protected from dangers that originate from outside.

NOTE 2: The term security means that something not only is secure, but that it has been secured. [ANSI/ASIS SPC.1-2009]

Person or organization with an interest or concern.

NOTE: A stakeholder can affect and may be affected by the organization and its achievement of its objectives (real or perceived).

A two-way relationship of organizations, people, activities, logistics, information, technology, and resources engaged in activities and creating value from point of origin to point of consumption, including transforming materials/components to products and services for end users.

NOTE: The supply chain may include vendors, subcontractors, manufacturing facilities, logistics providers, internal distribution centers, distributors, wholesalers, and other entities that lead to the end user.

[ANSI/ASIS SCRM.1-2014]

Process of identifying and quantifying the potential cause of an unwanted event which may result in harm to individuals, assets, a system or organization, the environment, or the community.

NOTE 1: Threats may be due to intentional, unintentional, or natural events.

NOTE 2: The term hazard refers to a [dangerous] condition or threat that may increase the frequency or severity of a loss. [Adapted from the Risk Management Principles and Practices textbook published by The Institutes, www.theinstitutes.org.]

Person or group of people responsible and accountable for formulating organizational goals, objectives, strategies, policies, and/or allocating resources.

Any event that has the potential to cause a negative impact on the achievement of objectives or assets whether tangible or intangible.

The series of functions, processes, or activities, from raw materials to the eventual end-user that creates and builds value at every step in order to deliver a product or service.