Skip to content

Risk Assessment

ATTENTION: This page is intended to be viewed online and may not be printed or copied.

1. Scope

This Standard:

  • Provides guidance for establishing a risk assessment program and conducting individual risk assessments consistent with ISO 31000:2009 Risk management — Principles and guidelines, and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management (ERM) framework;

  • Provides guidance on conducting risk assessments for risk- and resilience-based management system standards for the disciplines of risk, resilience, security, crisis, continuity, and recovery management, including principles of risk assessments, managing the risk assessment program, and conducting risk assessments, as well as evaluation of competence of persons involved in the risk assessment process;

  • Describes the process for conducting risk assessments consistent with the Plan-Do-Check-Act Model; and

  • Provides the informational basis necessary for decision-makers to make informed decisions about managing risks in the organization and its supply chain.

Organizations of all types and sizes can use the concepts and guidance of this Standard to conduct risk assessments supporting their risk management activities. It is recommended that organizations implementing risk- and resilience-based management system standards use the procedures described in this Standard in conjunction with ISO 31000:2009 to conduct their risk management activities (see Figure 1).

This Standard is a guidance document and not intended as a specification for third-party certification. It provides a comprehensive approach to establishing a risk assessment program and the conduct of individual assessments. Implementation of this Standard should be tailored to the needs of the organization.

2. Normative References

The following standards contain provisions which, through reference in this text, constitute provisions of this American National Standard. At the time of publication, the editions indicated were valid. All standards are subject to revision, and parties to agreements based on this American National Standard are encouraged to investigate the possibility of applying the most recent editions of the standards indicated below.

a) ISO 31000:2009, Risk management — Principles and guidelines;
b) ISO/IEC 31010:2009, Risk management — Risk assessment techniques; and
c) ISO Guide 73:2009, Risk management — Vocabulary.

3. Terms and Definitions

3.1 Definitions

For the purposes of this Standard, the following terms and definitions apply:

  Term Definition
3.1   asset

Anything that has tangible or intangible value to the organization.

NOTE 1: Tangible assets include human, physical, and environmental assets.

NOTE 2: Intangible assets include information, intellectual property, brand, and reputation.

3.2 audit

Systematic, independent, objective, and documented process for obtaining, examining, verifying, and evaluating information relative to a set of criteria.

3.3 capability analysis

Process of evaluating the

1) competence, aptitude, and experience of people and the organization,

2) suitability of technology, and

3) application of processes for particular purpose(s) to determine whether or not the expected output will fall within an acceptable range.

3.4 client

Organization or person that receives a product or service

NOTE 1: Examples include consumers, contractors, end-user, retailer, beneficiary and purchaser.

NOTE 2: A client can be internal (e.g., another division) or external to the organization.

3.5 communication and consultation      

Ongoing, iterative, and two-way processes for the exchange of information with and between stakeholders and decision-makers regarding the management of risk.

NOTE 1: Information may relate to the context of the organization, characteristics of the risks and its assessment, and the selection and evaluation of risk treatment options.

NOTE 2: Communication and consultation informs the decision-making process but does not infer joint decision-making.

3.6 community

A group of associated organizations and people sharing common interests.

3.7 competence

Demonstrable ability to apply knowledge and skills to achieve intended results.

3.8 conformity

Consistency with a requirement.

3.9 consequence

Result or effect of an action, condition, or decision on achieving objectives and outcomes.

NOTE 1: Uncertainties interact and may result in singular or multiple consequences with a potential for positive or negative effects on objectives.

NOTE 2: Consequences should consider both tangible and intangible factors and can be expressed qualitatively or quantitatively, or both.

NOTE 3: Consequences may have cascading effects.

3.10 continual improvement Ongoing processes to improve products, services, and management practices to enhance the ability to fulfill requirements NOTE: Changes may be incremental or comprehensive.
3.11 corrective action

Action to rectify the causes of a detected nonconformity or other undesirable circumstances.

NOTE 1: There can be more than one cause for a nonconformity.

NOTE 2: Corrective action is taken to prevent recurrence, whereas preventive action is taken to prevent occurrence.

3.12 criticality

Of essential importance with respect to objectives and/or outcomes. [ANSI/ASIS SPC.1-2009]

3.13 criticality analysis

A process designed to systematically identify, evaluate, and rank positive and negative impacts on an organization‘s stakeholders, assets, services, and activities based on the importance of its mission or function, or the significance of risks on the organization's ability to meet its objectives and expectations.

NOTE: Determines which qualities or degrees of risk are of the highest importance for successful execution of an organization’s objectives or which might represent a decisive turning point in strategy execution.

3.14 critical control point (CCP)

A point, step, or process at which controls can be applied to modify risk.

NOTE 1: A threat or hazard can be prevented, eliminated, or reduced to targeted levels.

NOTE 2: A point at which opportunity can be leveraged.

3.15 disruptive event An event that interrupts planned activities, operations, or functions, whether anticipated or unanticipated.
3.16 document Information and supporting medium in any format.
3.17 effectiveness Extent to which planned activities accomplish a purpose thereby producing the intended or expected outcomes.
3.18 event

Change occurring in an interval of time with the potential to alter outcomes.

NOTE 1: Likelihood and consequences of an event may be predictable using qualitative or quantitative measures.

NOTE 2: An event may be due to singular or multiple causes and may have more than one occurrence.

NOTE 3: The non-occurrence of an anticipated change is also an event.

NOTE 4: An event is not a risk, rather it is the uncertainty in the outcomes that creates risk.

3.19 impact

The positive or negative effect on someone or something (see consequence).

3.20 impact analysis

Process that identifies and evaluates the potential effects of change upon an organization. This may include an assessment of the pros and cons of pursuing a course of action in light of its possible consequences, or the extent and nature of further change (intended or unintended) that such change may cause.

3.21 incident

An event with consequences that has the capacity to cause gains or losses/harm to objectives and/or assets (e.g., tangible, intangible and human assets, the environment, and rights of stakeholders).

3.22 integrity

Assuring the soundness, reliability, and completeness of tangible and intangible assets.

3.23 likelihood

Chance or probability of something happening.

3.24 management system

Framework of policies, processes, and procedures used to ensure that an organization can fulfill all tasks required to achieve its objectives.

NOTE: Management systems are used by organizations to establish their policies, objectives, and targets; determine and allocate resources; define roles and authorities; implement procedures; and evaluate performance in order to achieve desired outcomes and objectives.

3.25 monitoring

Ongoing scrutiny, oversight, evaluation, and situational awareness for determining the current status and to identify changes in the internal and external environments as well as performance.

3.26 nonconformity

Failure to fulfill a requirement.

3.27 opportunity analysis

Process of identifying uncertainties that may be exploited and analyzing the organization’s capability and readiness to exploit them. The process may include identifying unmet or underserved customer/client needs, identifying target markets, analyzing competitive advantages, as well as analyzing the organization’s resource capacity to undertake an opportunity.

3.28 organization Group of people and facilities with an arrangement of responsibilities, authorities, and relationships. NOTE: An organization can be a government or public entity, company, corporation, firm, enterprise, institution, charity, sole trader, association, or parts or combinations thereof.
3.29 planning Part of a management process focused on setting objectives, projecting risks to these objectives, and ensuring resources and systems are in place to ensure objectives are achieved.
3.30 prevention Measures that enable an organization to avoid, preclude, or limit the impact of an undesired or potentially disruptive event.
3.31 preventive action Proactive change or improvement implemented to address a weakness that is not yet responsible for causing nonconformity. NOTE 1: A potential nonconformity which may have one or more root causes. NOTE 2: Preventive action is taken to avoid occurrence whereas corrective action is taken to rectify a problem and prevent recurrence.
3.32 procedure An established or specified way to conduct an activity or a process.
3.33 record A document set down in writing or some other permanent form for later reference.
3.34 residual risk Remaining risk after risk treatment. NOTE: Residual risk may include risk retained by informed decision, untreatable risk, and/or unidentified risk.
3.35 resilience Adaptive capacity of an organization in a complex and changing environment. [ANSI/ASIS SPC.1-2009]
3.36 resources Any asset (human, physical, information, or intangible), facilities, equipment, materials, products, or waste that has potential value and can be used. [ANSI/ASIS SPC.1-2009]
3.37 review Activity undertaken to determine the suitability, adequacy, and effectiveness of the management system and its component elements to achieve established objectives.
3.38 risk

Effect of uncertainty on the achievement of strategic, tactical, and operational objectives.

NOTE 1: Risk is considered as potentially having positive and/or negative outcomes.

NOTE 2: Uncertainty is the state where outcomes are unknown, lacking sufficient information, or otherwise undetermined or undefined in the course of decision-making.

NOTE 3: Objectives may include strategic goals related to the whole or parts of the organization and its value chain, as well as operational and tactical issues at levels of the organization.

NOTE 4: Risk can be characterized by the effect of uncertainty on tangible and/or intangible assets and/or potential risk events.

NOTE 5: Risk is often expressed in terms of a combination of the consequences and likelihood of the outcomes of uncertainty.

NOTE 6: Sometimes risk is focused on negative outcomes where it is considered a function of threats, vulnerabilities, and consequences.

3.39 risk acceptance

Informed action of consenting to retain, receive, or undertake a particular risk.

3.40 risk analysis

Process to characterize and understand the nature of risk and to define the level of risk.

NOTE: Risk analysis assesses the likelihood and consequences of a risk to provide the basis for risk evaluation and risk treatment decision-making.

3.41 risk appetite

The total exposed amount that an organization wishes to undertake on the basis of risk-return trade-offs for one or more desired and expected outcomes.

[RIMS Executive Report on Exploring Risk Appetite and Risk Tolerance]

3.42 risk assessment

Overall and systematic process of evaluating the effects of uncertainty on achieving objectives.

NOTE: Risk assessment includes risk identification, risk analysis, and risk evaluation.

3.43 risk attitude

Organization’s or individual’s view/perspective of the perceived qualitative and quantitative value that may be gained in comparison to the related potential loss or losses.

[RIMS Executive Report on Exploring Risk Appetite and Risk Tolerance]

3.44 risk criteria

Terms of reference used to measure and evaluate the significance and effects of risk.

NOTE 1: Risk criteria are a function of the organization’s objectives, values, and policies, as well as the external and internal environment.

NOTE 2: Risk criteria can be derived from jurisdictional laws, obligations, and other requirements.

3.45 risk driver

Event, individual(s), process, or trends having impact on the objectives of the organization.

3.46 risk evaluation

Process of equating the results of risk analysis with risk criteria to determine whether a particular risk level is within an acceptable tolerance or presents a potential opportunity.

NOTE: Risk evaluation provides the basis for decision about risk treatment methods.

3.47 risk identification

Process for determining what risks are anticipated, their characteristics, time dependencies, frequencies, duration period, and possible outcomes. NOTE: Risk identification involves the identification of threats, opportunities, criticalities, weaknesses, and strengths, as well as identifying sources of risk and potential events and their causes and impacts.

3.47 risk management

A strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.

[RIMS Resources]

3.48 risk register

A compilation for all risks identified, analyzed, and evaluated in the risk assessment process. NOTE: The risk register includes information on likelihood, consequences, treatments, and risk owners.

3.49 risk source

A factor with the potential to create uncertainty in achieving objectives. NOTE: A risk source may include tangible or intangible factors alone or in combination.

3.50 risk tolerance

The amount of uncertainty an organization is prepared to accept in total or more narrowly within a certain business unit, a particular risk category, or for a specific initiative.

NOTE: The level of tolerance or acceptable level of variation related to achieving objectives may be influenced by jurisdiction law and stakeholder requirements.

[RIMS Executive Report on Exploring Risk Appetite and Risk Tolerance]

3.51 risk treatment

Process of selecting and implementing measures to modify risk to achieve objectives.

NOTE 1: Measures to modify risk may include: Avoiding the risk; Adapting internal or external parameters to change the nature of the risk; Exploiting a risk to pursue an opportunity; Eliminating or influencing the risk source; Modifying the likelihood; Modifying the consequences; Sharing the risk (e.g., insurance, contracts, outsourcing, etc.); and Accepting the risk by informed decision.

NOTE 2: Risk treatment can change the characteristics of existing risks or generate new risks.

NOTE 3: Risk treatment may require a reallocation of resources or modification of plans and priorities.

3.52 security

The condition of being protected against hazards, threats, risks, or loss.

NOTE 1: In the general sense, security is a concept similar to safety. The distinction between the two is an added emphasis on being protected from dangers that originate from outside.

NOTE 2: The term security means that something not only is secure, but that it has been secured. [ANSI/ASIS SPC.1-2009]

3.53 stakeholder

Person or organization with an interest or concern.

NOTE: A stakeholder can affect and may be affected by the organization and its achievement of its objectives (real or perceived).

3.54 supply chain

A two-way relationship of organizations, people, activities, logistics, information, technology, and resources engaged in activities and creating value from point of origin to point of consumption, including transforming materials/components to products and services for end users.

NOTE: The supply chain may include vendors, subcontractors, manufacturing facilities, logistics providers, internal distribution centers, distributors, wholesalers, and other entities that lead to the end user.


3.55 threat analysis

Process of identifying and quantifying the potential cause of an unwanted event which may result in harm to individuals, assets, a system or organization, the environment, or the community.

NOTE 1: Threats may be due to intentional, unintentional, or natural events.

NOTE 2: The term hazard refers to a [dangerous] condition or threat that may increase the frequency or severity of a loss. [Adapted from the Risk Management Principles and Practices textbook published by The Institutes,]

3.56 top management

Person or group of people responsible and accountable for formulating organizational goals, objectives, strategies, policies, and/or allocating resources.

3.57 undesirable event

Any event that has the potential to cause a negative impact on the achievement of objectives or assets whether tangible or intangible.

3.58 value chain

The series of functions, processes, or activities, from raw materials to the eventual end-user that creates and builds value at every step in order to deliver a product or service.

NOTE: For further information on risk vocabulary, please consult the ISO lexicon of terminology:
  • See ISO Online Browsing Platform for ISO Guide 73 definitions:
    <>. Accessed August 2015.
  • Additional risk related definitions can be found in the ISO Online Browsing Platform for ISO 31000:
    <>. Accessed August 2015.

Next: Principles

Table of Contents

RA Standard Home

  • General
  • Definition of Risk Assessment
  • Quantitative and Qualitative Analysis
  • Managing Organizational and Specific Risk Assessments
  • Plan-Do-Check-Act Model


  • Scope
  • Normative References
  • Terms and Definitions
  • General
  • Impartiality, Independence, and Objectivity
  • Trust, Competence, and Due Professional Care
  • Honest and Fair Representation
  • Responsibility and Authority
  • Consutative Approach
  • Fact-Based Approach
  • Confidentiality
  • Change Management
  • Continual Improvement
Managing A Risk Assessment Program
  • General
  • Understanding the Organization and Its Objectives
  • Establishing the Framework
  • Establishing the Program
  • Implementing the Risk Assessment Program
  • Monitoring the Risk Assessment Program
  • Review and Improvement
Performing Individual Risk Assessments
  • General
  • Commencing the Risk Assessment
  • Planning Risk Assessment Activities
  • Conducting Risk Assessment Activities
  • Post Risk Assessment Activities
  • General
  • Competence

Annex A: Risk Assessment Methods, Data Collection, and Sampling

  • General
  • Types of Interactions
  • Assessment Paths
  • Sampling

Annex B: Root Cause Analysis

  • General
  • Applying Root Cause Techniques
  • Ten Steps for Effective Root Cause Analysis

Annex C: Background Screening and Security Clearances

  • General
  • Background Checks
  • Interviews
  • Privacy Protection

Annex D: Contents of the Risk Assessment Report

Annex E: Confidentiality and Document Protection

Annex F: Examples of Risk Treatment Procedures that Enhance Resilience of the Organization

  • General
  • Prevention and Mitigation Procedures
  • Response Procedures
  • Continuity Procedures
  • Recovery Procedures

Annex G: Business Impact Analysis

Annex H: Bibliography