Back to Risk Management component
Capability RA.11

Asset Impact Assessment

"Organization adequately assesses asset "impacts.""

This capability evaluates whether the organization has the ownership, process, evidence, methodology, and oversight needed to manage this area of insider-risk assessment.

Scope & Context

What This Capability Means

Asset Impact Assessment assesses whether the organization has a defined, repeatable, and evidence-supported approach to this risk-assessment capability. This includes the methodology, roles, workflows, data sources, risk artifacts, documentation practices, stakeholder inputs, and oversight needed to make the capability operational.

Strategic Importance

Why This Capability Matters

This capability matters because insider-risk programs need more than activity; they need a defensible way to identify exposure, compare priorities, and decide what to fix next. Weaknesses can create blind spots in Risk Prioritization & Scoring, Governance & Oversight, Process & Procedural Gaps, inconsistent residual-risk decisions, delayed investment, and weak executive evidence. A mature capability helps the organization move from informal concern to repeatable, risk-informed assessment and action.

AI & Automation Context

AI changes asset exposure because users can summarize, transform, copy, query, and disclose sensitive information faster. Asset impact and prioritization should consider AI-access paths, data sensitivity, model or prompt exposure, and business consequences.

Capability Assessment

Weakness vs. Maturity Indicators

Signs of Weak Capability
  • Critical assets are known informally but not classified by business impact, insider exploitability, and operational value.
  • Risk assessment is informal, undocumented, or dependent on individual judgment.
  • Scope, ownership, cadence, criteria, and evidence expectations are unclear.
  • Assets, users, threats, vulnerabilities, impacts, and controls are assessed in isolation.
  • Residual risk decisions are not clearly documented, accepted, assigned, or reviewed.
  • Assessment outputs do not consistently drive risk register updates, roadmap actions, or resource decisions.
  • AI-enabled workflows, AI-use expectations, or AI-assisted threat patterns are not reflected in assessment practices.
Signs of Mature Capability
  • Impact methodology factors financial, regulatory, reputational, safety criteria.
  • Impact scores validated by finance/legal; threshold table defines High/Med/Low.
  • Business-impact statements stored with asset record for audit.
  • The capability has a named owner, documented methodology, defined evidence expectations, and clear governance support.
  • Assessments connect assets, users, threats, vulnerabilities, impacts, controls, residual risk, and business-owner decisions.
  • Assessment results are reviewed by appropriate stakeholders across Security, HR, Legal, Privacy, IT, business units, and executive risk governance.
  • Outputs are connected to risk register items, prioritized recommendations, roadmap actions, and control improvements.
Governance Guidance

Questions Leaders Should Ask

Question 1

Who owns RA.11, and do they have authority to define scope, evidence, cadence, and escalation?

Question 2

Which assets, users, insider pathways, business processes, and third parties are in scope?

Question 3

How are threat, vulnerability, impact, control effectiveness, and residual risk connected?

Question 4

What evidence shows this assessment practice is operating, reviewed, and kept current?

Question 5

How are AI-enabled workflows, AI-use expectations, and AI-assisted threat patterns reflected in the assessment?

Question 6

How do results drive risk register updates, roadmap actions, funding decisions, and executive reporting?

Defensible Program Artifacts

Evidence Examples

Evidence Type

Risk assessment methodology and scope statement

Evidence Type

Insider-risk strategy or program procedures

Evidence Type

Asset inventory and critical asset classification records

Evidence Type

Risk register entries and exposure narratives

Evidence Type

Threat, vulnerability, impact, and control-effectiveness inputs

Evidence Type

Business-owner reviews, risk decisions, and residual-risk acceptance records

Evidence Type

Assessment reports, heat maps, dashboards, or executive summaries

Evidence Type

Roadmap actions, milestones, and control-enhancement records

Evidence Type

Version history, review logs, and triggering-event update records

Evidence Type

Data catalog, CMDB, crown-jewel asset list, or business-impact analysis records

Regulatory Context

Mapped Standards and Framework References

Standard / Framework ReferenceHow It Relates to This Capability
NIST 800-53, r5 (3.16, RA-2 (1))Reference mapping for RA.11; validate applicability based on assets, workforce, legal, privacy, data, AI-use, and operational context.
Standards mappings are provided for reference only. Organizations should validate applicability based on their regulatory environment, workforce locations, data types, internal policies, and legal obligations.
RiskTKO® Bridge

How RiskTKO® Operationalizes This Capability

Assessment evidence

Methodology, scope, asset records, risk inputs, control reviews, scoring records, stakeholder decisions, workflows, or documents used to evaluate current capability.

Risk evidence

Risk register items or exposure narratives connected to asset priority, threat conditions, vulnerability gaps, residual risk, AI-enabled workflows, or control effectiveness.

Roadmap evidence

Recommended actions, owners, milestones, dependencies, control improvements, reassessment cycles, and completion status.

Executive evidence

Summaries showing current state, priority exposure, progress, remaining gaps, risk decisions, and risk reduction over time.

Assess, Prioritize, and Report with RiskTKO®

Protecting proprietary logic (scoring, weightings, and roadmap generation formulas) remains inside the software layer. RiskTKO® provides your team with the complete operational dashboard to evaluate this capability, document evidence, track actions, and deliver clean, executive-ready maturity metrics.