ANSI RIMS RA.1-2015 Risk Assessment.pdf

1、Risk Assessment ASIS INTERNATIONAL ANSI/ASIS/RIMS RA.1-2015STANDARDThe worldwide leader in security standards and guidelines development1625 Prince StreetAlexandria, Virginia 22314-2818 USA+1.703.519.6200Fax: +1.703.519.6299www.asisonline.orgSupply Chain Risk Management: A Compilation of Best Practi

2、ces ANSI/ASIS SCRM.1-2014S T A N D A R D Standard_SCRM_Cover_wSPINE.indd 1 5/5/2014 10:09:19 AMSupply Chain Risk Management: A Compilation of Best PracticesANSI/ASIS SCRM.1-2014orldwide leader in security standards and guidelines de1625 Prince StreetAlexandria, Virginia 22314-2818 USA+1.703.519.6200

3、Fax: +1.703.519.6299.asisonline.orgSupply Chain Risk Management: A Compilation of Best Practices ANSI/ASIS SCRM.1-2014S T A N D A R D Standard_SCRM_Cover_wSPINE.indd 1 5/5/2014 10:09:19 AMSupply Chain Risk Management: A Compilation of Best Practices ANSI/ASIS SCRM.1-2014S T A N D A R D Standard_SCRM

4、_Cover_wSPINE.indd 1 5/5/2014 10:09:19 AMANSI/ASIS/RIMS RA.1-2015 an American National Standard RISK ASSESSMENT Approved August 3, 2015 American National Standards Institute, Inc. ASIS International and The Risk and Insurance Management Society, Inc. Abstract This Standard provides guidance on devel

5、oping and sustaining a coherent and effective risk assessment program including principles, managing an overall risk assessment program, and performing individual risk assessments, along with confirming the competencies of risk assessors and understanding biases. This Standard describes a well-defin

6、ed risk assessment program and individual assessments to provide the foundation for the risk management process. Seven annexes provide additional guidance for applying risk assessments and potential treatments. ANSI/ASIS/RIMS RA.1-2015 ii NOTICE AND DISCLAIMER The information in this publication was

7、 considered technically sound by the consensus of those who engaged in the development and approval of the document at the time of its creation. Consensus does not necessarily mean that there is unanimous agreement among the participants in the development of this document. ASIS and RIMS standards a

8、nd guideline publications, of which the document contained herein is one, are developed through a voluntary consensus standards development process. This process brings together volunteers and/or seeks out the views of persons who have an interest and knowledge in the topic covered by this publicati

9、on. While ASIS administers the process and establishes rules to promote fairness in the development of consensus, it does not write the document and it does not independently test, evaluate, or verify the accuracy or completeness of any information or the soundness of any judgments contained in its

10、standards and guideline publications. ASIS is a volunteer, nonprofit professional society with no regulatory, licensing or enforcement power over its members or anyone else. ASIS and RIMS do not accept or undertake a duty to any third party because they do not have the authority to enforce complianc

11、e with their standards or guidelines. They assume no duty of care to the general public, because their works are not obligatory and because they do not monitor the use of them. ASIS and RIMS disclaim liability for any personal injury, property, or other damages of any nature whatsoever, whether spec

12、ial, indirect, consequential, or compensatory, directly or indirectly resulting from the publication, use of, application, or reliance on this document. ASIS and RIMS disclaim and make no guaranty or warranty, expressed or implied, as to the accuracy or completeness of any information published here

13、in, and disclaims and makes no warranty that the information in this document will fulfill any persons or entitys particular purposes or needs. ASIS and RIMS do not undertake to guarantee the performance of any individual manufacturer or sellers products or services by virtue of this standard or gui

14、de. In publishing and making this document available, ASIS and RIMS are not undertaking to render professional or other services for or on behalf of any person or entity, nor are ASIS and RIMS undertaking to perform any duty owed by any person or entity to someone else. Anyone using this document sh

15、ould rely on his or her own independent judgment or, as appropriate, seek the advice of a competent professional in determining the exercise of reasonable care in any given circumstances. Information and other standards on the topic covered by this publication may be available from other sources, wh

16、ich the user may wish to consult for additional views or information not covered by this publication. ASIS and RIMS have no power, nor do they undertake to police or enforce compliance with the contents of this document. ASIS and RIMS have no control over which of their standards, if any, may be ado

17、pted by governmental regulatory agencies, or over any activity or conduct that purports to conform to their standards. ASIS and RIMS do not list, certify, test, inspect, or approve any practices, products, materials, designs, or installations for compliance with its standards. They merely publish st

18、andards to be used as guidelines that third parties may or may not choose to adopt, modify, or reject. Any certification or other statement of compliance with any information in this document should not be attributable to ASIS and RIMS and is solely the responsibility of the certifier or maker of th

19、e statement. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written consent of the copyright owner. Copyright 2015 ASIS Int

20、ernational and The Risk and Insurance Management Society, Inc. All rights reserved. ISBN: 978-1-934904-75-6 ANSI/ASIS/RIMS RA.1-2015 iii FOREWORD The information contained in this Foreword is not part of this American National Standard (ANS) and has not been processed in accordance with ANSIs requir

21、ements for an ANS. As such, this Foreword may contain material that has not been subjected to public review or a consensus process. In addition, it does not contain requirements necessary for conformance to the Standard. ANSI guidelines specify two categories of requirements: mandatory and recommend

22、ation. The mandatory requirements are designated by the word shall and recommendations by the word should. Where both a mandatory requirement and a recommendation are specified for the same criterion, the recommendation represents a goal currently identifiable as having distinct compatibility or per

23、formance advantages. ASIS International and The Risk Management Society, Inc. collaborated in the development of this Risk Assessment standard. About ASIS ASIS International (ASIS) is the largest membership organization for security management professionals that crosses industry sectors, embracing e

24、very discipline along the security spectrum from operational to cybersecurity. Founded in 1955, ASIS is dedicated to increasing the effectiveness of security professionals at all levels. With membership and chapters around the globe, ASIS develops and delivers board certifications and industry stand

25、ards, hosts networking opportunities, publishes the award-winning Security Management magazine, and offers educational programs, including the Annual Seminar and Exhibitsthe security industrys most influential event. Whether providing thought leadership through the CSO Roundtable for the industrys m

26、ost senior executives or advocating before business, government, or the media, ASIS is focused on advancing the profession, and ensuring that the security community has access to intelligence, resources, and technology needed within the business enterprise. www.asisonline.org The work of preparing s

27、tandards and guidelines is carried out through the ASIS International Standards and Guidelines Committees, and governed by the ASIS Commission on Standards and Guidelines. An ANSI accredited Standards Development Organization (SDO), ASIS actively participates in the International Organization for St

28、andardization (ISO). The mission of the ASIS Standards and Guidelines Commission is to advance the practice of security management through the development of standards and guidelines within a voluntary, nonproprietary, and consensus-based process, utilizing to the fullest extent possible the knowled

29、ge, experience, and expertise of ASIS membership, security professionals, and the global security industry. About RIMS As the preeminent organization dedicated to advancing the practice of risk management, RIMS, the risk management society, is a global not-for-profit organization representing more t

30、han 3,500 industrial, service, nonprofit, charitable and government entities throughout the world. Founded in 1950, RIMS brings networking, professional development and education opportunities to its membership of more than 11,000 risk management professionals who are located in more than 60 countri

31、es. Suggestions for improvement of this document are welcome. They should be sent to ASIS International, 1625 Prince Street, Alexandria, VA 22314-2818. Commission Members Charles Baley, Farmers Insurance Group, Inc. Michael Bouchard, Sterling Global Operations, Inc. Cynthia P. Conlon, CPP, Conlon Co

32、nsulting Corporation William Daly, Control Risks Security Consulting Lisa DuBrock, Radian Compliance LLC Eugene Ferraro, CPP, CFE, PCI, SPHR, Convercent, Inc. F. Mark Geraci, CPP, Purdue Pharma L.P., Chair ANSI/ASIS/RIMS RA.1-2015 iv Bernard Greenawalt, CPP, Securitas Security Services USA, Inc. Rob

33、ert Jones, Socrates Ltd Glen Kitteringham, CPP, Kitteringham Security Group Inc. Michael Knoke, CPP, Express Scripts, Inc., Vice Chair Bryan Leadbetter, CPP, Alcoa Inc. Marc Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative Jose Miguel Sobron, United Nations Roger Warwick, CPP, Pyramid I

34、nternational Temi Group Allison Wylde, Consultant At the time it approved this document, RA, which is responsible for the development of this Standard, had the following members: Committee Members Committee Co-Chair: Carol Fox, ARM, Director of Strategic and Enterprise Practice, RIMS Committee Co-Ch

35、air: Marc Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative Commission Liaison: Glen Kitteringham, CPP, Kitteringham Security Group Inc. Committee Secretariat: Sue Carioti, ASIS Secretariat Kaleem Ahmed, Independent Sean Ahrens, M.A., CPP, BSCP, CSC, Aon Corporation Ian Alderson, CPP, In

36、dependent Christopher Aldous, Dip SP therefore, the effect of uncertainty on objectives may result in opportunities with potential gains (“improving”), as well as threats that may result in potential losses (“worsening”). Risk assumes that things will change, whether in the environment or in other c

37、ircumstances. This risk assessment standard provides guidance on developing and sustaining a coherent and effective risk assessment program, including principles, managing an overall risk assessment program, and performing individual risk assessments, along with confirming the competencies of risk a

38、ssessors. This standard is complementary to the standards noted in the normative references and follows the risk assessment process outlined in the ISO 31000:2009 Risk management Principles and guidelines and illustrated in Figure 1. A well-defined risk assessment program and individual assessments

39、provide the foundation for the risk management process. This Standard provides a generic model for conducting risk assessments (including impact analyses) for risk management decision-making and for use with risk-based management system standards. Risk-based management system standards require a def

40、ined, repeatable, and documented risk assessment process. It provides the foundation for planning the management of issues addressed by a management system standard, as well as identifies opportunities for improvements. Therefore, following the approach described in this Standard, meets the requirem

41、ents for the risk assessment process in management system standards. ANSI/ASIS/RIMS RA.1-2015 xvi Figure 1: Risk Management Process (based on ISO 31000) 0.2 Definition of Risk Assessment Risk assessment is the identification, analysis, and evaluation of uncertainties to objectives and outcomes. It p

42、rovides a comparison between the desired/undesired outcomes and expected rewards/losses of organizational objectives. The risk assessment analyzes whether the uncertainty is within acceptable boundaries and within the organizations capacity to manage risk. The results of the risk assessment inform t

43、he responsible and accountable decision maker(s) of choices available to effectively manage risk to achieve the organizations objectives. A risk assessment is a careful and methodical examination of what could cause uncertainty, providing the basis to determine whether sufficient actions have been t

44、aken to prevent negative outcomes, or enhance the opportunities to generate positive outcomes. It is not possible to eliminate all risk and uncertainty, so the risk assessment helps prioritize the risks that impact the quest to achieve organizational objectives. The context of the organization and r

45、isk assessment provide the foundational information for: Calculating the effects of uncertainty which impact desired outcomes; Protecting an organizations tangible and intangible assets including people; tangible assets that are physical (i.e., site, building, equipment); intangible assets that are

46、intellectual (i.e., information, processes, trade secrets); and abstract (i.e., image, reputation); Safeguarding the integrity and continuity of its supply chain, services, and activities; Understanding of the relative exposure to risk for current and planned activities; Enhancing the achievement of

47、 objectives and identifying untapped opportunities; Providing a mechanism for understanding the impact of a possible event; ANSI/ASIS/RIMS RA.1-2015 xvii Complying with the law and regulations; and Identifying reasonable control measures needed to treat risk and their associated cost/benefit. The ri

48、sk assessment is conducted in order to determine whether if, how, and to what extent the organizations objectives, desired outcomes, and assets may be impacted. A risk assessment is tailored to the context in which the organization operates. 0.3 Quantitative and Qualitative Analysis Risk assessments

49、 can be accomplished in varying degrees of detail. The level of detail is dependent upon the type of risk, purpose of the analysis, resource limitations, the information available to the assessor, and communicating the risk assessment findings. Risk may be assessed using a quantitative computational approach or a qualitative subjective approach, or a combination of both. In all cases the underlying assumptions should be understood and documented. The types of analysis and context for use are: a) Qualitative analysis relies on the reasoning and expe