ATTENTION: This page is intended to be viewed online and may not be printed or copied.
Provides guidance for establishing a risk assessment program and conducting individual risk assessments consistent with ISO 31000:2009 Risk management — Principles and guidelines, and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management (ERM) framework;
Provides guidance on conducting risk assessments for risk- and resilience-based management system standards for the disciplines of risk, resilience, security, crisis, continuity, and recovery management, including principles of risk assessments, managing the risk assessment program, and conducting risk assessments, as well as evaluation of competence of persons involved in the risk assessment process;
Describes the process for conducting risk assessments consistent with the Plan-Do-Check-Act Model; and
Provides the informational basis necessary for decision-makers to make informed decisions about managing risks in the organization and its supply chain.
Organizations of all types and sizes can use the concepts and guidance of this Standard to conduct risk assessments supporting their risk management activities. It is recommended that organizations implementing risk- and resilience-based management system standards use the procedures described in this Standard in conjunction with ISO 31000:2009 to conduct their risk management activities (see Figure 1).
This Standard is a guidance document and not intended as a specification for third-party certification. It provides a comprehensive approach to establishing a risk assessment program and the conduct of individual assessments. Implementation of this Standard should be tailored to the needs of the organization.
2. Normative References
The following standards contain provisions which, through reference in this text, constitute provisions of this American National Standard. At the time of publication, the editions indicated were valid. All standards are subject to revision, and parties to agreements based on this American National Standard are encouraged to investigate the possibility of applying the most recent editions of the standards indicated below.
a) ISO 31000:2009, Risk management — Principles and guidelines;
b) ISO/IEC 31010:2009, Risk management — Risk assessment techniques; and
c) ISO Guide 73:2009, Risk management — Vocabulary.
3. Terms and Definitions
For the purposes of this Standard, the following terms and definitions apply:
Anything that has tangible or intangible value to the organization.
NOTE 1: Tangible assets include human, physical, and environmental assets.
NOTE 2: Intangible assets include information, intellectual property, brand, and reputation.
Systematic, independent, objective, and documented process for obtaining, examining, verifying, and evaluating information relative to a set of criteria.
Process of evaluating the
1) competence, aptitude, and experience of people and the organization,
2) suitability of technology, and
3) application of processes for particular purpose(s) to determine whether or not the expected output will fall within an acceptable range.
Organization or person that receives a product or service
NOTE 1: Examples include consumers, contractors, end-user, retailer, beneficiary and purchaser.
NOTE 2: A client can be internal (e.g., another division) or external to the organization.
|3.5||communication and consultation||
Ongoing, iterative, and two-way processes for the exchange of information with and between stakeholders and decision-makers regarding the management of risk.
NOTE 1: Information may relate to the context of the organization, characteristics of the risks and its assessment, and the selection and evaluation of risk treatment options.
NOTE 2: Communication and consultation informs the decision-making process but does not infer joint decision-making.
A group of associated organizations and people sharing common interests.
Demonstrable ability to apply knowledge and skills to achieve intended results.
Consistency with a requirement.
Result or effect of an action, condition, or decision on achieving objectives and outcomes.
NOTE 1: Uncertainties interact and may result in singular or multiple consequences with a potential for positive or negative effects on objectives.
NOTE 2: Consequences should consider both tangible and intangible factors and can be expressed qualitatively or quantitatively, or both.
NOTE 3: Consequences may have cascading effects.
|3.10||continual improvement||Ongoing processes to improve products, services, and management practices to enhance the ability to fulfill requirements NOTE: Changes may be incremental or comprehensive.|
Action to rectify the causes of a detected nonconformity or other undesirable circumstances.
NOTE 1: There can be more than one cause for a nonconformity.
NOTE 2: Corrective action is taken to prevent recurrence, whereas preventive action is taken to prevent occurrence.
Of essential importance with respect to objectives and/or outcomes. [ANSI/ASIS SPC.1-2009]
A process designed to systematically identify, evaluate, and rank positive and negative impacts on an organization‘s stakeholders, assets, services, and activities based on the importance of its mission or function, or the significance of risks on the organization's ability to meet its objectives and expectations.
NOTE: Determines which qualities or degrees of risk are of the highest importance for successful execution of an organization’s objectives or which might represent a decisive turning point in strategy execution.
|3.14||critical control point (CCP)||
A point, step, or process at which controls can be applied to modify risk.
NOTE 1: A threat or hazard can be prevented, eliminated, or reduced to targeted levels.
NOTE 2: A point at which opportunity can be leveraged.
|3.15||disruptive event||An event that interrupts planned activities, operations, or functions, whether anticipated or unanticipated.|
|3.16||document||Information and supporting medium in any format.|
|3.17||effectiveness||Extent to which planned activities accomplish a purpose thereby producing the intended or expected outcomes.|
Change occurring in an interval of time with the potential to alter outcomes.
NOTE 1: Likelihood and consequences of an event may be predictable using qualitative or quantitative measures.
NOTE 2: An event may be due to singular or multiple causes and may have more than one occurrence.
NOTE 3: The non-occurrence of an anticipated change is also an event.
NOTE 4: An event is not a risk, rather it is the uncertainty in the outcomes that creates risk.
The positive or negative effect on someone or something (see consequence).
Process that identifies and evaluates the potential effects of change upon an organization. This may include an assessment of the pros and cons of pursuing a course of action in light of its possible consequences, or the extent and nature of further change (intended or unintended) that such change may cause.
An event with consequences that has the capacity to cause gains or losses/harm to objectives and/or assets (e.g., tangible, intangible and human assets, the environment, and rights of stakeholders).
Assuring the soundness, reliability, and completeness of tangible and intangible assets.
Chance or probability of something happening.
Framework of policies, processes, and procedures used to ensure that an organization can fulfill all tasks required to achieve its objectives.
NOTE: Management systems are used by organizations to establish their policies, objectives, and targets; determine and allocate resources; define roles and authorities; implement procedures; and evaluate performance in order to achieve desired outcomes and objectives.
Ongoing scrutiny, oversight, evaluation, and situational awareness for determining the current status and to identify changes in the internal and external environments as well as performance.
Failure to fulfill a requirement.
Process of identifying uncertainties that may be exploited and analyzing the organization’s capability and readiness to exploit them. The process may include identifying unmet or underserved customer/client needs, identifying target markets, analyzing competitive advantages, as well as analyzing the organization’s resource capacity to undertake an opportunity.
|3.28||organization||Group of people and facilities with an arrangement of responsibilities, authorities, and relationships. NOTE: An organization can be a government or public entity, company, corporation, firm, enterprise, institution, charity, sole trader, association, or parts or combinations thereof.|
|3.29||planning||Part of a management process focused on setting objectives, projecting risks to these objectives, and ensuring resources and systems are in place to ensure objectives are achieved.|
|3.30||prevention||Measures that enable an organization to avoid, preclude, or limit the impact of an undesired or potentially disruptive event.|
|3.31||preventive action||Proactive change or improvement implemented to address a weakness that is not yet responsible for causing nonconformity. NOTE 1: A potential nonconformity which may have one or more root causes. NOTE 2: Preventive action is taken to avoid occurrence whereas corrective action is taken to rectify a problem and prevent recurrence.|
|3.32||procedure||An established or specified way to conduct an activity or a process.|
|3.33||record||A document set down in writing or some other permanent form for later reference.|
|3.34||residual risk||Remaining risk after risk treatment. NOTE: Residual risk may include risk retained by informed decision, untreatable risk, and/or unidentified risk.|
|3.35||resilience||Adaptive capacity of an organization in a complex and changing environment. [ANSI/ASIS SPC.1-2009]|
|3.36||resources||Any asset (human, physical, information, or intangible), facilities, equipment, materials, products, or waste that has potential value and can be used. [ANSI/ASIS SPC.1-2009]|
|3.37||review||Activity undertaken to determine the suitability, adequacy, and effectiveness of the management system and its component elements to achieve established objectives.|
Effect of uncertainty on the achievement of strategic, tactical, and operational objectives.
NOTE 1: Risk is considered as potentially having positive and/or negative outcomes.
NOTE 2: Uncertainty is the state where outcomes are unknown, lacking sufficient information, or otherwise undetermined or undefined in the course of decision-making.
NOTE 3: Objectives may include strategic goals related to the whole or parts of the organization and its value chain, as well as operational and tactical issues at levels of the organization.
NOTE 4: Risk can be characterized by the effect of uncertainty on tangible and/or intangible assets and/or potential risk events.
NOTE 5: Risk is often expressed in terms of a combination of the consequences and likelihood of the outcomes of uncertainty.
NOTE 6: Sometimes risk is focused on negative outcomes where it is considered a function of threats, vulnerabilities, and consequences.
Informed action of consenting to retain, receive, or undertake a particular risk.
Process to characterize and understand the nature of risk and to define the level of risk.
NOTE: Risk analysis assesses the likelihood and consequences of a risk to provide the basis for risk evaluation and risk treatment decision-making.
The total exposed amount that an organization wishes to undertake on the basis of risk-return trade-offs for one or more desired and expected outcomes.
[RIMS Executive Report on Exploring Risk Appetite and Risk Tolerance]
Overall and systematic process of evaluating the effects of uncertainty on achieving objectives.
NOTE: Risk assessment includes risk identification, risk analysis, and risk evaluation.
Organization’s or individual’s view/perspective of the perceived qualitative and quantitative value that may be gained in comparison to the related potential loss or losses.
[RIMS Executive Report on Exploring Risk Appetite and Risk Tolerance]
Terms of reference used to measure and evaluate the significance and effects of risk.
NOTE 1: Risk criteria are a function of the organization’s objectives, values, and policies, as well as the external and internal environment.
NOTE 2: Risk criteria can be derived from jurisdictional laws, obligations, and other requirements.
Event, individual(s), process, or trends having impact on the objectives of the organization.
Process of equating the results of risk analysis with risk criteria to determine whether a particular risk level is within an acceptable tolerance or presents a potential opportunity.
NOTE: Risk evaluation provides the basis for decision about risk treatment methods.
Process for determining what risks are anticipated, their characteristics, time dependencies, frequencies, duration period, and possible outcomes. NOTE: Risk identification involves the identification of threats, opportunities, criticalities, weaknesses, and strengths, as well as identifying sources of risk and potential events and their causes and impacts.
A strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.
A compilation for all risks identified, analyzed, and evaluated in the risk assessment process. NOTE: The risk register includes information on likelihood, consequences, treatments, and risk owners.
A factor with the potential to create uncertainty in achieving objectives. NOTE: A risk source may include tangible or intangible factors alone or in combination.
The amount of uncertainty an organization is prepared to accept in total or more narrowly within a certain business unit, a particular risk category, or for a specific initiative.
NOTE: The level of tolerance or acceptable level of variation related to achieving objectives may be influenced by jurisdiction law and stakeholder requirements.
[RIMS Executive Report on Exploring Risk Appetite and Risk Tolerance]
Process of selecting and implementing measures to modify risk to achieve objectives.
NOTE 1: Measures to modify risk may include: Avoiding the risk; Adapting internal or external parameters to change the nature of the risk; Exploiting a risk to pursue an opportunity; Eliminating or influencing the risk source; Modifying the likelihood; Modifying the consequences; Sharing the risk (e.g., insurance, contracts, outsourcing, etc.); and Accepting the risk by informed decision.
NOTE 2: Risk treatment can change the characteristics of existing risks or generate new risks.
NOTE 3: Risk treatment may require a reallocation of resources or modification of plans and priorities.
The condition of being protected against hazards, threats, risks, or loss.
NOTE 1: In the general sense, security is a concept similar to safety. The distinction between the two is an added emphasis on being protected from dangers that originate from outside.
NOTE 2: The term security means that something not only is secure, but that it has been secured. [ANSI/ASIS SPC.1-2009]
Person or organization with an interest or concern.
NOTE: A stakeholder can affect and may be affected by the organization and its achievement of its objectives (real or perceived).
A two-way relationship of organizations, people, activities, logistics, information, technology, and resources engaged in activities and creating value from point of origin to point of consumption, including transforming materials/components to products and services for end users.
NOTE: The supply chain may include vendors, subcontractors, manufacturing facilities, logistics providers, internal distribution centers, distributors, wholesalers, and other entities that lead to the end user.
Process of identifying and quantifying the potential cause of an unwanted event which may result in harm to individuals, assets, a system or organization, the environment, or the community.
NOTE 1: Threats may be due to intentional, unintentional, or natural events.
NOTE 2: The term hazard refers to a [dangerous] condition or threat that may increase the frequency or severity of a loss. [Adapted from the Risk Management Principles and Practices textbook published by The Institutes, www.theinstitutes.org.]
Person or group of people responsible and accountable for formulating organizational goals, objectives, strategies, policies, and/or allocating resources.
Any event that has the potential to cause a negative impact on the achievement of objectives or assets whether tangible or intangible.
The series of functions, processes, or activities, from raw materials to the eventual end-user that creates and builds value at every step in order to deliver a product or service.
NOTE: For further information on risk vocabulary, please consult the ISO lexicon of terminology:
- See ISO Online Browsing Platform for ISO Guide 73 definitions:
<https://www.iso.org/obp/ui/#iso:std:iso:guide:73:ed-1:v1:en>. Accessed August 2015.
- Additional risk related definitions can be found in the ISO Online Browsing Platform for ISO 31000:
<https://www.iso.org/obp/ui/#iso:std:iso:31000:ed-1:v1:en>. Accessed August 2015.