This International Standard recommends that organizations develop, implement and continuously improve a framework whose purpose is to integrate the process for managing risk into the org
General
The effectiveness of a risk management framework is crucial for embedding risk management throughout an organization. This framework facilitates the effective management of risks by applying the risk management process at various levels and within specific organizational contexts. It ensures that risk-related information is properly reported and used for decision-making and accountability across all relevant levels of the organization.
This clause describes the necessary components of the framework for managing risk and the way in which they interrelate in an iterative manner, as shown in Figure 2.
[Figure 2 — Relationship between the components of the framework for managing risk. Components shown: Design of framework for managing risk (4.3): understanding the organization and its context (4.3.1), establishing risk management policy (4.3.2), accountability (4.3.3), integration into organizational processes (4.3.4), resources (4.3.5), establishing internal communication and reporting mechanisms (4.3.6), establishing external communication and reporting mechanisms (4.3.7); Implementing the framework for managing risk (4.4.1); Implementing the risk management process (4.4.2); Monitoring and review of the framework (4.5); Continual improvement of the framework.]
This framework aims to support organizations in integrating risk management into their overall management systems rather than prescribing a specific management system. Consequently, organizations are encouraged to tailor the framework's components to meet their unique requirements.
Organizations should critically review and assess their current management practices and processes, particularly those that incorporate risk management elements, against this International Standard and the attributes in Annex A. This evaluation is essential to determine the adequacy and effectiveness of their existing risk management strategies.
Mandate and commitment
Effective risk management necessitates a strong and continuous commitment from organizational leadership, alongside strategic and thorough planning to secure buy-in at all levels. Management must prioritize these elements to ensure the ongoing success of risk management initiatives. To that end, management should:
⎯ define and endorse the risk management policy;
⎯ ensure that the organization's culture and risk management policy are aligned;
⎯ determine risk management performance indicators that align with performance indicators of the organization;
⎯ align risk management objectives with the objectives and strategies of the organization;
⎯ ensure legal and regulatory compliance;
⎯ assign accountabilities and responsibilities at appropriate levels within the organization;
⎯ ensure that the necessary resources are allocated to risk management;
⎯ communicate the benefits of risk management to all stakeholders; and
⎯ ensure that the framework for managing risk continues to remain appropriate.
Design of framework for managing risk
Understanding of the organization and its context
Before designing and implementing a risk management framework, it is crucial to assess and comprehend the organization's external and internal contexts, as these factors can greatly impact the framework's design.
Assessing an organization's external context involves analyzing various factors, including the social, cultural, political, legal, regulatory, financial, technological, economic, natural, and competitive environments at international, national, regional, or local levels. It also requires identifying key drivers and trends that influence the organization's objectives, as well as understanding the relationships, perceptions, and values of external stakeholders.
Evaluating the organization's internal context may include, but is not limited to:
⎯ governance, organizational structure, roles and accountabilities;
⎯ policies, objectives, and the strategies that are in place to achieve them;
⎯ capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
⎯ information systems, information flows and decision making processes (both formal and informal);
⎯ relationships with, and perceptions and values of, internal stakeholders;
⎯ standards, guidelines and models adopted by the organization; and
⎯ the form and extent of contractual relationships.
Establishing risk management policy
The risk management policy should clearly state the organization's objectives for, and commitment to, risk management and typically addresses the following:
⎯ the organization's rationale for managing risk;
⎯ links between the organization's objectives and policies and the risk management policy;
⎯ accountabilities and responsibilities for managing risk;
⎯ the way in which conflicting interests are dealt with;
⎯ commitment to make the necessary resources available to assist those accountable and responsible for managing risk;
⎯ the way in which risk management performance will be measured and reported; and
⎯ commitment to review and improve the risk management policy and framework periodically and in response to an event or change in circumstances.
The risk management policy should be communicated appropriately.
Accountability
To effectively manage risk, organizations must establish clear accountability, authority, and the necessary expertise. This includes implementing and maintaining a robust risk management process while ensuring that all controls are adequate, effective, and efficient. This can be facilitated by:
⎯ identifying risk owners that have the accountability and authority to manage risks;
⎯ identifying who is accountable for the development, implementation and maintenance of the framework for managing risk;
⎯ identifying other responsibilities of people at all levels in the organization for the risk management process;
⎯ establishing performance measurement and external and/or internal reporting and escalation processes; and
⎯ ensuring appropriate levels of recognition.
Integration into organizational processes
Effective risk management must be integrated into all organizational practices and processes to ensure relevance and efficiency. It should not exist as a standalone function but rather be woven into policy development, business and strategic planning, and change management processes.
An effective organization-wide risk management plan is essential for implementing the risk management policy and integrating risk management into all organizational practices and processes. This plan can also be aligned with other key organizational strategies, such as the strategic plan, to enhance overall effectiveness.
Resources
The organization should allocate appropriate resources for risk management.
Consideration should be given to the following:
⎯ people, skills, experience and competence;
⎯ resources needed for each step of the risk management process;
⎯ the organization's processes, methods and tools to be used for managing risk;
⎯ information and knowledge management systems; and
Establishing internal communication and reporting mechanisms
The organization should establish internal communication and reporting mechanisms in order to support and encourage accountability and ownership of risk. These mechanisms should ensure that:
⎯ key components of the risk management framework, and any subsequent modifications, are communicated appropriately;
⎯ there is adequate internal reporting on the framework, its effectiveness and the outcomes;
⎯ relevant information derived from the application of risk management is available at appropriate levels and times; and
⎯ there are processes for consultation with internal stakeholders.
These mechanisms should, where appropriate, include processes to consolidate risk information from a variety of sources, and may need to consider the sensitivity of the information.
Establishing external communication and reporting mechanisms
The organization should develop and implement a plan as to how it will communicate with external stakeholders. This should involve:
⎯ engaging appropriate external stakeholders and ensuring an effective exchange of information;
⎯ external reporting to comply with legal, regulatory, and governance requirements;
⎯ providing feedback and reporting on communication and consultation;
⎯ using communication to build confidence in the organization; and
⎯ communicating with stakeholders in the event of a crisis or contingency.
These mechanisms should, where appropriate, include processes to consolidate risk information from a variety of sources, and may need to consider the sensitivity of the information.
Implementing risk management
Implementing the framework for managing risk
In implementing the organization's framework for managing risk, the organization should:
⎯ define the appropriate timing and strategy for implementing the framework;
⎯ apply the risk management policy and process to the organizational processes;
⎯ comply with legal and regulatory requirements;
⎯ ensure that decision making, including the development and setting of objectives, is aligned with the outcomes of risk management processes;
⎯ hold information and training sessions; and
⎯ communicate and consult with stakeholders to ensure that its risk management framework remains appropriate.
Implementing the risk management process
Effective risk management requires the application of the process detailed in Clause 5 through a comprehensive risk management plan, integrated at all levels and functions within the organization as part of its standard practices and processes.
Monitoring and review of the framework
In order to ensure that risk management is effective and continues to support organizational performance, the organization should:
⎯ measure risk management performance against indicators, which are periodically reviewed for appropriateness;
⎯ periodically measure progress against, and deviation from, the risk management plan;
⎯ periodically review whether the risk management framework, policy and plan are still appropriate, given the organization's external and internal context;
⎯ report on risk, progress with the risk management plan and how well the risk management policy is being followed; and
⎯ review the effectiveness of the risk management framework.
Continual improvement of the framework
To enhance the organization's risk management framework, policy, and plan, decisions must be informed by monitoring and review outcomes. These strategic choices aim to strengthen the management of risk and foster a robust risk management culture within the organization.
General
The risk management process should be
⎯ an integral part of management,
⎯ embedded in the culture and practices, and
⎯ tailored to the business processes of the organization.
It comprises the activities described in 5.2 to 5.6. The risk management process is shown in Figure 3.
Communication and consultation
Communication and consultation with external and internal stakeholders should take place during all stages of the risk management process.
Early development of communication and consultation plans is essential to address the risk, its causes, and potential consequences. It is crucial to implement effective internal and external communication to ensure that those responsible for risk management and stakeholders comprehend the decision-making process and the rationale behind specific actions. A consultative approach can:
⎯ help establish the context appropriately;
⎯ ensure that the interests of stakeholders are understood and considered;
⎯ help ensure that risks are adequately identified;
⎯ bring different areas of expertise together for analyzing risks;
⎯ ensure that different views are appropriately considered when defining risk criteria and in evaluating risks;
⎯ secure endorsement and support for a treatment plan;
⎯ enhance appropriate change management during the risk management process; and
⎯ develop an appropriate external and internal communication and consultation plan.
Effective communication and consultation with stakeholders are crucial, as their risk judgments are influenced by their individual perceptions. These perceptions often differ due to varying values, needs, assumptions, and concerns. Given that stakeholders' views can significantly affect decision-making, it is essential to identify, document, and consider their perceptions throughout the decision-making process.
Communication and consultation should facilitate truthful, relevant, accurate and understandable exchanges of information, taking into account confidential and personal integrity aspects.
Establishing the context
General
The organization defines its objectives and outlines both external and internal parameters essential for effective risk management. It establishes the scope and criteria for assessing risks, ensuring a detailed examination of these parameters in relation to the specific risk management process. This approach builds upon the foundational elements of the risk management framework, emphasizing the importance of context in the overall process.
Establishing the external context
The external context is the external environment in which the organization seeks to achieve its objectives.
Recognizing the external context is crucial for incorporating the objectives and concerns of external stakeholders into the development of risk criteria. This understanding is rooted in the broader organizational context while addressing specific legal and regulatory requirements, stakeholder perceptions, and unique risk factors relevant to the risk management process.
The external context can include, but is not limited to:
⎯ the social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
⎯ key drivers and trends having impact on the objectives of the organization; and
⎯ relationships with, perceptions and values of external stakeholders.
Establishing the internal context
The internal context is the internal environment in which the organization seeks to achieve its objectives.
The risk management process must align with the organization's culture, structure, processes, and strategy, as internal context significantly influences risk management. It is essential to establish this alignment because risk management operates within the framework of the organization's objectives. Additionally, the objectives and criteria of specific projects or activities should be evaluated in relation to the overall goals of the organization. Failure to recognize opportunities for achieving strategic, project, or business objectives can undermine organizational commitment, credibility, trust, and value.
It is necessary to understand the internal context. This can include, but is not limited to:
⎯ governance, organizational structure, roles and accountabilities;
⎯ policies, objectives, and the strategies that are in place to achieve them;
⎯ capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
⎯ the relationships with and perceptions and values of internal stakeholders;
⎯ information systems, information flows and decision making processes (both formal and informal);
⎯ standards, guidelines and models adopted by the organization; and
⎯ form and extent of contractual relationships.
Establishing the context of the risk management process
The organization must clearly define the objectives, strategies, scope, and parameters of its risk management activities. Effective risk management should justify the resources allocated, ensuring that the necessary resources, responsibilities, authorities, and record-keeping requirements are explicitly outlined.
The context of the risk management process will vary according to the needs of an organization. It can involve, but is not limited to:
⎯ defining the goals and objectives of the risk management activities;
⎯ defining responsibilities for and within the risk management process;
⎯ defining the scope, as well as the depth and breadth of the risk management activities to be carried out, including specific inclusions and exclusions;
⎯ defining the activity, process, function, project, product, service or asset in terms of time and location;
⎯ defining the relationships between a particular project, process or activity and other projects, processes or activities of the organization;
⎯ defining the risk assessment methodologies;
⎯ defining the way performance and effectiveness is evaluated in the management of risk;
⎯ identifying and specifying the decisions that have to be made; and
⎯ identifying, scoping or framing studies needed, their extent and objectives, and the resources required for such studies.
Considering these and other significant factors is essential to ensure that the adopted risk management strategy is suitable for the specific circumstances, aligns with the organization's goals, and effectively addresses the risks that may impact the achievement of its objectives.
Defining risk criteria
To effectively evaluate risk significance, organizations must establish criteria that align with their values, objectives, and resources. These criteria may also include legal and regulatory requirements, as well as other commitments the organization adheres to. It is essential that the risk criteria are consistent with the organization's risk management policy, defined at the outset of the risk management process, and subject to ongoing review.
When defining risk criteria, factors to be considered should include the following:
⎯ the nature and types of causes and consequences that can occur and how they will be measured;
⎯ how likelihood will be defined;
⎯ the timeframe(s) of the likelihood and/or consequence(s);
⎯ how the level of risk is to be determined;
⎯ the level at which risk becomes acceptable or tolerable; and
⎯ whether combinations of multiple risks should be taken into account and, if so, how and which combinations should be considered.
Risk assessment
General
Risk assessment is the overall process of risk identification, risk analysis and risk evaluation.
NOTE ISO/IEC 31010 provides guidance on risk assessment techniques.
Risk identification
To effectively manage risks, organizations must identify potential sources of risk, areas of impact, and events that could influence their objectives, including changes in circumstances. This process aims to create a thorough list of risks that may enhance, prevent, degrade, accelerate, or delay the achievement of goals. Additionally, it is crucial to recognize the risks associated with not pursuing opportunities. A comprehensive identification of risks is essential, as any risk overlooked at this stage will be excluded from subsequent analysis.
Effective risk identification must encompass potential risks regardless of whether their sources are within the organization's control. This process should involve analyzing the cascading and cumulative effects of specific consequences, while also considering a broad spectrum of outcomes, even when the origins of the risks are not immediately apparent. In addition to identifying possible events, it is crucial to explore potential causes and scenarios that could lead to various consequences. All significant causes and outcomes must be thoroughly evaluated to ensure comprehensive risk management.
To effectively identify risks, organizations must use tools and techniques that align with their objectives and capabilities, as well as the specific risks they encounter. Access to relevant and current information is crucial for this process, including any pertinent background details. Additionally, involving knowledgeable individuals in the risk identification process is essential for accurate assessment.
Risk analysis
Risk analysis is essential for understanding potential risks and informs risk evaluation, guiding decisions on whether to treat these risks and determining the most suitable treatment strategies. Additionally, it aids in decision-making when faced with options that present varying types and levels of risk.
Risk analysis entails evaluating the causes and sources of risk, along with their potential positive and negative consequences and the probability of these outcomes occurring. It is essential to identify the factors influencing both the consequences and their likelihood. The analysis involves assessing these consequences, their probabilities, and other risk attributes. A single event may lead to various consequences and impact multiple objectives. Additionally, it is crucial to consider the existing controls and their effectiveness and efficiency in managing the identified risks.
The expression of consequences and likelihood, along with their combination to assess risk levels, must align with the specific type of risk, the available information, and the intended use of the risk assessment results. Consistency with established risk criteria is essential, and it is crucial to acknowledge the interdependence of various risks and their sources.
Effective risk analysis must account for the confidence in determining risk levels and their sensitivity to assumptions, ensuring clear communication with decision makers and relevant stakeholders. It is essential to address factors such as expert opinion divergence, uncertainty, and the availability, quality, and relevance of information, as well as any limitations in modeling.
Risk analysis can be conducted with different levels of detail based on the specific risk, the objectives of the analysis, and the available information and resources. It may involve qualitative, semi-quantitative, or quantitative methods, or a combination of these approaches, tailored to the situation at hand.
Modeling event outcomes or extrapolating from experimental studies and available data can help determine the likelihood and consequences of various events. These consequences can be categorized into tangible and intangible impacts. Additionally, it may be necessary to provide multiple numerical values or descriptors to accurately represent consequences and their likelihood across different times, locations, groups, or situations.
Risk evaluation
The purpose of risk evaluation is to assist in making decisions, based on the outcomes of risk analysis, about which risks need treatment and the priority for treatment implementation.
Risk evaluation entails assessing the identified risk levels against the predefined criteria established when the context was set. This comparison helps determine whether risk treatment is necessary.
When making decisions, it is essential to consider the broader context of risk, including the risk tolerance of all parties involved, not just the organization benefiting from the risk. Additionally, these decisions must comply with legal, regulatory, and other relevant requirements.
Risk evaluation may prompt further analysis or determine that existing controls are sufficient, depending on the organization's risk attitude and established risk criteria.
Risk treatment
General
Risk treatment involves selecting one or more options for modifying risks, and implementing those options. Once implemented, treatments provide or modify the controls.
Risk treatment involves a cyclical process of:
⎯ deciding whether residual risk levels are tolerable;
⎯ if not tolerable, generating a new risk treatment; and
⎯ assessing the effectiveness of that treatment.
Risk treatment options are diverse and can be applied in various combinations depending on the situation. These options include avoiding the risk by not engaging in the activity, accepting or increasing the risk to seize an opportunity, eliminating the source of the risk, altering the likelihood of its occurrence, modifying the potential consequences, sharing the risk with other parties through contracts or financing, and retaining the risk through informed decision-making.
Selection of risk treatment options
Choosing the right risk treatment option requires weighing the implementation costs and efforts against the benefits, while considering legal, regulatory, and social responsibility factors, as well as environmental protection. Additionally, it is essential to address risks that may not be economically justifiable to treat, such as severe but rare risks with high negative consequences.
A number of treatment options can be considered and applied either individually or in combination. The organization can normally benefit from the adoption of a combination of treatment options.
When choosing risk treatment options, organizations must take into account the values and perceptions of stakeholders, as well as the best methods for communication. It is essential to involve stakeholders in decision-making when risk treatments may affect other areas within the organization or their interests. While all risk treatments can be effective, their acceptability may vary among different stakeholders.
The treatment plan should clearly identify the priority order in which individual risk treatments should be implemented.
Risk treatment can inadvertently introduce new risks, particularly if the implemented measures fail or prove ineffective. Therefore, it is essential to incorporate monitoring as a fundamental component of the risk treatment plan to ensure that these measures continue to function effectively.
Risk treatment may lead to secondary risks that require assessment, treatment, monitoring, and review. It is essential to include these secondary risks in the same treatment plan as the original risk, rather than treating them as separate entities. Maintaining the connection between the two risks is crucial for effective risk management.
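The criteria, analysis, evaluation and cyclical treatment steps described above, as an added worked model that is not part of the standard: the ordinal scales, the product combination rule and the tolerability threshold are constructed assumptions (ISO 31000 only requires that these be defined, it does not prescribe them), and the scenario, risk names and owners are invented. Secondary risks raised by a treatment stay in the same plan, linked to the original risk, and are evaluated against the same criteria.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed ordinal scales; an assumption for this example, not prescribed by the standard.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
CONSEQUENCE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}


@dataclass(frozen=True)
class RiskCriteria:
    """Risk criteria: how the level of risk is determined and when it is tolerable."""
    tolerable_level: int = 6  # assumed threshold: a level of 6 or below needs no further treatment

    @staticmethod
    def level(likelihood: int, consequence: int) -> int:
        """Assumed combination rule: product of the two ordinal scores."""
        if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
            raise ValueError("score outside the defined scales")
        return likelihood * consequence

    def is_tolerable(self, likelihood: int, consequence: int) -> bool:
        return self.level(likelihood, consequence) <= self.tolerable_level


@dataclass
class Risk:
    """An identified risk with its analysed likelihood and consequence scores."""
    name: str
    owner: str                     # risk owner accountable for treating the risk
    likelihood: int
    consequence: int
    parent: Optional[str] = None   # set for secondary risks so the link to the original is kept
    log: List[str] = field(default_factory=list)   # records of the process, for traceability


@dataclass
class Treatment:
    """One treatment option and its assumed effect on the risk it is applied to."""
    option: str                    # e.g. "change the likelihood", "share the risk"
    description: str
    new_likelihood: Optional[int] = None
    new_consequence: Optional[int] = None
    secondary_risk: Optional[Risk] = None   # a treatment can itself introduce a new risk


def treat_risk(risk: Risk, criteria: RiskCriteria, options: List[Treatment]) -> List[Risk]:
    """Cyclical treatment: evaluate, treat while not tolerable, re-evaluate, record.

    Returns the treatment plan: the original risk first, then any secondary risks
    raised by the treatments, each evaluated against the same criteria.
    """
    plan = [risk]
    risk.log.append(f"evaluated: level {criteria.level(risk.likelihood, risk.consequence)}")
    for t in options:
        if criteria.is_tolerable(risk.likelihood, risk.consequence):
            break                  # residual risk is tolerable: stop applying treatments
        if t.new_likelihood is not None:
            risk.likelihood = t.new_likelihood
        if t.new_consequence is not None:
            risk.consequence = t.new_consequence
        residual = criteria.level(risk.likelihood, risk.consequence)
        risk.log.append(f"treated ({t.option}): {t.description}; residual level {residual}")
        if t.secondary_risk is not None:
            t.secondary_risk.parent = risk.name
            lvl = criteria.level(t.secondary_risk.likelihood, t.secondary_risk.consequence)
            t.secondary_risk.log.append(f"secondary to '{risk.name}', evaluated: level {lvl}")
            plan.append(t.secondary_risk)
    for r in plan:
        ok = criteria.is_tolerable(r.likelihood, r.consequence)
        r.log.append("residual risk tolerable" if ok
                     else f"residual risk not tolerable; escalate to {r.owner}")
    return plan


def untreated(plan: List[Risk], criteria: RiskCriteria) -> List[str]:
    """Names of risks in the plan whose residual level still exceeds the criteria."""
    return [r.name for r in plan if not criteria.is_tolerable(r.likelihood, r.consequence)]


def run_example() -> List[Risk]:
    """Constructed scenario: an internet-facing service with a slow patch cycle."""
    criteria = RiskCriteria(tolerable_level=6)
    risk = Risk("exploitation of unpatched internet-facing service", "platform lead",
                likelihood=4, consequence=4)          # level 16: well above the criteria
    options = [
        Treatment("change the likelihood", "enforce a 14-day patch SLA",
                  new_likelihood=2,                    # 2 x 4 = 8, still not tolerable
                  secondary_risk=Risk("urgent patch breaks production", "platform lead",
                                      likelihood=3, consequence=2)),   # level 6: tolerable
        Treatment("change the consequences", "segment the service from internal networks",
                  new_consequence=3),                  # 2 x 3 = 6: tolerable, the loop stops
        Treatment("share the risk", "cyber-insurance cover",
                  new_consequence=2),                  # never applied: already tolerable
    ]
    return treat_risk(risk, criteria, options)


if __name__ == "__main__":
    for r in run_example():
        print(r.name, "->", "; ".join(r.log))
```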
Preparing and implementing risk treatment plans
The purpose of risk treatment plans is to document how the chosen treatment options will be implemented. The information provided in treatment plans should include:
⎯ the reasons for selection of treatment options, including expected benefits to be gained;
⎯ those who are accountable for approving the plan and those responsible for implementing the plan;
⎯ reporting and monitoring requirements; and
Treatment plans should be integrated with the management processes of the organization and discussed with appropriate stakeholders.
Decision makers and stakeholders must understand the nature and extent of residual risk following risk treatment. It is essential to document this residual risk and subject it to ongoing monitoring, review, and, if necessary, additional treatment.
Monitoring and review
Both monitoring and review should be a planned part of the risk management process and involve regular checking or surveillance. It can be periodic or ad hoc.
Responsibilities for monitoring and review should be clearly defined.
The organization's monitoring and review processes should encompass all aspects of the risk management process for the purposes of:
⎯ ensuring that controls are effective and efficient in both design and operation;
⎯ obtaining further information to improve risk assessment;
⎯ analyzing and learning lessons from events (including near-misses), changes, trends, successes and failures;
⎯ detecting changes in the external and internal context, including changes to risk criteria and the risk itself which can require revision of risk treatments and priorities; and
Progress in implementing risk treatment plans provides a performance measure. The results can be incorporated into the organization's overall performance management, measurement and external and internal reporting activities.
Monitoring and review results must be documented and reported both internally and externally as necessary, and they should serve as input for evaluating the risk management framework.
Recording the risk management process
Risk management activities should be traceable. In the risk management process, records provide the foundation for improvement in methods and tools, as well as in the overall process.
Decisions concerning the creation of records should take into account:
⎯ the organization's needs for continuous learning;
⎯ benefits of re-using information for management purposes;
⎯ costs and efforts involved in creating and maintaining records;
⎯ legal, regulatory and operational needs for records;
⎯ method of access, ease of retrievability and storage media;
Attributes of enhanced risk management
Organizations must strive for an optimal performance level in their risk management framework, aligned with the significance of the decisions at hand. The following attributes exemplify high performance in risk management, accompanied by specific indicators to help organizations assess their performance against these criteria.
A.2.1 The organization has a current, correct and comprehensive understanding of its risks
A.2.2 The organization's risks are within its risk criteria
Continual improvement in risk management is achieved by establishing organizational performance goals, measuring outcomes, reviewing results, and subsequently modifying processes, systems, resources, capabilities, and skills.
Explicit performance goals are essential for measuring both organizational and individual manager performance. The organization's performance is typically documented and communicated, with at least an annual review to assess outcomes. Following this review, processes are revised, and new performance objectives are established for the upcoming period.
This risk management performance assessment is an integral part of the overall organization's performance assessment and measurement system for departments and individuals.
Enhanced risk management involves clear accountability for risks, controls, and treatment tasks. Designated individuals are responsible, skilled, and equipped with the necessary resources to assess controls, monitor risks, enhance controls, and effectively communicate risk management strategies to both internal and external stakeholders.
All members of an organization must be fully informed about the risks, controls, and tasks for which they are responsible. This information is typically documented in job descriptions, databases, or information systems. Clearly defining risk management roles, accountabilities, and responsibilities should be an integral part of the organization's induction programs.
The organization empowers accountable individuals by granting them the necessary authority, time, training, resources, and skills to effectively fulfill their responsibilities.
A.3.3 Application of risk management in all decision making
All decision making within the organization, whatever the level of importance and significance, involves the explicit consideration of risks and the application of risk management to some appropriate degree.
Records of meetings and decisions should demonstrate that explicit discussions on risks occurred, ensuring that all elements of risk management are integrated into key decision-making processes within the organization. This includes decisions related to capital allocation, major projects, and organizational restructuring. Consequently, robust risk management is recognized as essential for effective governance within the organization.
Enhanced risk management includes continual communications with external and internal stakeholders, including comprehensive and frequent reporting of risk management performance, as part of good governance.
Effective communication with stakeholders is a crucial element of risk management. It is a two-way process that enables informed decision-making regarding risk levels and the necessity for risk treatment based on well-defined and comprehensive risk criteria.
Comprehensive and frequent external and internal reporting on both significant risks and on risk management performance contributes substantially to effective governance within an organization.
A.3.5 Full integration in the organization's governance structure
Risk management is integral to an organization's management processes, focusing on how uncertainty impacts objectives The governance framework is built around effective risk management, which managers consider crucial for achieving organizational goals.
This is indicated by managers' language and important written materials in the organization using the term
Uncertainty is closely linked to risks and is often evident in an organization's risk management policies. This connection can typically be validated through interviews with managers, as well as through their actions and statements.
[1] ISO Guide 73:2009, Risk management — Vocabulary
[2] ISO/IEC 31010, Risk management — Risk assessment techniques
Price based on 24 pages © ISO 2009 – All rights reserved