Many organisations claim their risk management structures and processes comply with the International Standard on Risk Management Principles and Guidelines, ISO31000:2009. However, if risk assessments used by these ‘compliant’ organisations are poor, then risk management failures will almost certainly occur. If a security manager guesses that a risk is low, medium or high, then questions need to be raised about whether or not this is a suitable risk assessment. It is common for security managers to have only some of the information needed for a comprehensive assessment. However, information gaps may not be documented in the assessments provided to decision makers in management roles (who may not have security expertise), so the latter may be unaware that they are making important decisions without all of the pertinent information.
Late in 2015, ASIS International and the Risk and Insurance Managers Society published a new American National Standard titled Risk Assessment. The standard is designated ANSI/ASIS/RIMS RA.1-2015. This attempts to provide guidance on how to establish and maintain a reliable risk assessment program. This new standard is intended to supplement ISO31000:2009 and provide more detailed guidance than the International Standard on Risk Assessment Techniques, ISO31010:2009.
RA.1-2015 provides more operational advice than ISO31000 on the risk identification, risk analysis and risk evaluation processes needed to produce a reasonable risk assessment. Similar to ISO31000, this new standard utilises the Plan-Do-Check-Act (PDCA) cyclic model:
- The Plan stage of the assessment cycle defines and analyses threats, hazards and consequential issues, and contexts.
- The Do stage focuses on solving problems by developing a detailed action plan that is then systematically implemented. This may involve, for example, finding more information to fill a knowledge gap, or determining options to reduce risk or to increase opportunities.
- The Check stage ensures quality control in the risk assessment process to make sure the assessment outcomes are in accordance with plans and, if necessary, initiates measures to rectify deviations from the plan.
- The Act stage aims to standardise solutions and define new issues that need to be addressed in the Plan stage of the next cycle of the assessment.
The risk assessment guidance provided by RA.1-2015 is structured in a way that makes sense to security practitioners and their managers. Firstly, the principles of risk assessment are explained. For example, the standard describes a risk assessment as “an effective tool for evaluating the organisation’s risk and resilience challenges and maturity and to drive performance improvements. In addition, the risk assessment provides assurance to decision makers that the adopted risk- and resilience-based management system and risk management measures are achieving their intended objectives.” The standard explains the principles that need to be followed to achieve this. These include impartiality and objectivity, trust and due professional care, honest and fair representation, responsibility and authority, a consultative approach, a fact-based approach, confidentiality, change management and continual improvement.
Following the principles section of the standard is a description of managing a risk assessment program. This goes into much more detail than ISO31000 and includes the roles and responsibilities of the people who contribute to the risk assessment process. Note that the security manager should not perform all the roles on his or her own! The standard recognises that risks of strategic importance and complexity must be assessed differently from those that are routine, simple and frequent.
The standard has a section on performing individual risk assessments across a portfolio of risk categories, including strategic, operations, financial and external. This section includes a number of analysis ideas, including the T4RA model that was first used by some Australian Government security analysts in the early 1990s. There are many good ideas in this section of the standard, including guidance on how best to assess the level of risk and how to present risk assessments to decision makers.
Finally, there is a section on confirming the competence of risk assessors. There are also some appendices that provide additional information such as data gathering, ‘root cause analysis’, contents of a typical risk assessment report, document protection and business impact analysis.
This risk assessment standard, ANSI/ASIS/RIMS RA.1-2015, written by practitioners for practitioners, is well worth a read.