
Bsi bip 3093 2013


The Risk Management Standards and Guidance Collection

BS ISO 31000:2009
BS 31100:2011
BS EN 31010:2010
PD ISO Guide 73:2009
Managing Risk the ISO 31000 Way

Using your enhanced PDF collection

These instructions relate to Adobe Reader 9.3.2 and it should be noted that other versions of Adobe Reader, or other PDF viewing applications, might be configured differently. However, the functions described below should still be available. Please consult the documentation provided by your specific application for further guidance.

Hyperlinks

Links between relevant clauses, references, terms and definitions within the collection are signified by blue underlines. Click on a hyperlinked word to be taken instantly to the relevant location. Links to other documents available in the BSI online shop are signified by blue rectangles. Click on a hyperlinked word to be taken to the relevant page in the shop.

Navigation

Having clicked on a hyperlink and been taken to the relevant destination, you might want to return to your previous location. Browser-style navigation controls (i.e. forward and back) are not displayed by default in some versions of Adobe Reader. To enable these controls: from the menu bar, select View > Toolbars > More Tools. Check the Previous View and Next View boxes, indicated in the screenshot below. Select OK. The Previous/Next View arrow controls will now appear on your toolbar.

Bookmarks

Bookmarks provide a full list of sections and subsections for the entire file, enabling you to quickly and easily navigate the document(s) and go directly to specific clauses. If you don't see bookmarks on the left of your screen, select View > Navigation panels > Bookmarks from the menu bar. This will bring up a nested structure that allows you to drill down to the lowest level headings in the documents in the collection.

Find

Select Edit > Find from the menu bar to use the Find function. Type in the text you want to find and click through occurrences in the document
in sequence.

Search

For a more advanced search function select Edit > Search from the menu bar. This enables you to specify additional criteria for your search and presents the results in a list, allowing you to click through to any occurrence.

Risk Management Standards

There has never been a more important time for organizations to pay attention to managing their risks. Fortunately, there have recently been substantial developments in the theory and application of risk management techniques, as well as substantially increased corporate governance expectations. Several specialist areas of risk management have also developed, including financial, clinical and project risk management. However, it was the Global Financial Crisis (GFC) in 2008 that demonstrated the true importance and value of effective risk management. In order to avoid a repeat of the GFC, appropriate attention must be paid to risk management across all the activities and processes of an organization. For financial institutions, credit and market risk management have been identified as priorities, as well as the more commonplace operational risks faced by all organizations.

Not only have organizations been paying increased attention to risk management in recent times, but standards bodies around the world have been developing standards for the management of risk. In fact, the development of risk management standards was taking place before the GFC materialised. If financial institutions had paid more attention to these developing risk management standards, there would have been greater awareness of risk and preparedness for the consequences - and the crisis may not have been as serious.

The most widely accepted of these standards is the international standard BS ISO 31000:2009, Risk management - Principles and guidelines. This standard sets out the high-level principles that should apply to any application of the risk management process. It sets out what risk management activities should be undertaken and provides
a brief description of how they should be implemented and maintained. The main objective of this standard is to provide an outline of what should be done.

BS 31100:2011, Risk management - Code of practice and guidance for the implementation of BS ISO 31000 provides guidance on how to undertake the actions described in BS ISO 31000. For example, BS ISO 31000 states that a risk management policy should be prepared, whilst BS 31100 outlines what should be included in such a policy, including what actions should be taken to integrate risk management with the other activities within the organization and how to improve risk management processes.

One of the most important steps in undertaking successful risk management is the risk assessment process. BS EN 31010:2010, Risk management - Risk assessment techniques provides information on a wide range of risk assessment techniques. There is reference to qualitative assessment techniques, such as brainstorming workshops and the use of checklists, as well as details of more quantitative approaches, such as hazard and operability studies and failure modes and effects analysis.

Underpinning risk management activities is the need for standardised vocabulary. Risk vocabulary not only needs to be consistent throughout all standards directly concerned with risk, it also needs to be available for the wide range of other standards that make reference to risk and risk management. The standardized vocabulary for use throughout all standards is set out in PD ISO Guide 73:2009, Risk management - Vocabulary.

BRITISH STANDARD
BS ISO 31000:2009
Risk management — Principles and guidelines
ICS 03.100.01
NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAW

National foreword

This British Standard is the UK implementation of ISO 31000:2009. The UK participation in its preparation was entrusted to Technical Committee RM/1, Risk management. A list of organizations represented on this committee can be
obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 March 2010.

© BSI 2010
ISBN 978 580 67571

Amendments/corrigenda issued since publication
Date    Comments

INTERNATIONAL STANDARD
ISO 31000
First edition 2009-11-15
Risk management — Principles and guidelines
Management du risque — Principes et lignes directrices
Reference number ISO 31000:2009(E)
© ISO 2009

PDF disclaimer

This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this area.

Adobe is a trademark of Adobe Systems Incorporated.

Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

COPYRIGHT PROTECTED DOCUMENT

© ISO 2009

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Case
postale 56 • CH-1211 Geneva 20
Tel + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

Contents

Foreword
Introduction
Scope
Terms and definitions
Principles
Framework
  4.1 General
  4.2 Mandate and commitment
  4.3 Design of framework for managing risk
    4.3.1 Understanding of the organization and its context
    4.3.2 Establishing risk management policy
    4.3.3 Accountability
    4.3.4 Integration into organizational processes
    4.3.5 Resources
    4.3.6 Establishing internal communication and reporting mechanisms
    4.3.7 Establishing external communication and reporting mechanisms
  4.4 Implementing risk management
    4.4.1 Implementing the framework for managing risk
    4.4.2 Implementing the risk management process
  4.5 Monitoring and review of the framework
  4.6 Continual improvement of the framework
Process
  5.1 General
  5.2 Communication and consultation
  5.3 Establishing the context
    5.3.1 General
    5.3.2 Establishing the external context
    5.3.3 Establishing the internal context
    5.3.4 Establishing the context of the risk management process
    5.3.5 Defining risk criteria
  5.4 Risk assessment
    5.4.1 General
    5.4.2 Risk identification
    5.4.3 Risk analysis
    5.4.4 Risk evaluation
  5.5 Risk treatment
    5.5.1 General
    5.5.2 Selection of risk treatment options
    5.5.3 Preparing and implementing risk treatment plans
  5.6 Monitoring and review
  5.7 Recording the risk management process
Annex A (informative) Attributes of enhanced risk management
Bibliography

Chapter 13 - Self-assessment questionnaire

m Integration

Is the risk management system embedded in the overall management system?
(Relates to Clause 4.3.4 of ISO 31000 – see Chapter 6, ‘Design of framework (and the process for managing risk)’ to assess whether you have fulfilled requirements, to score more than 1.)

Risk management is seen as a stand-alone system very much like the quality system. Risk management is embedded in such a way that it is relevant, effective and efficient and is part of the organizational processes, rather than independent, ensuring there is no conflict with other operational processes. Risk management is an integral part of the overall management system.

n Operational control

Does your organization embrace relevant business treatment/controls in its operational control system?

(Relates to Clause 4.3 and 5.5.3 of ISO 31000 – see Chapter 8, ‘Implementing risk treatment/control plans’ to assess whether you have fulfilled requirements, to score more than 1.)

We focus exclusively on ‘business’ issues, e.g. products, processes or services, and very little about risk control until it all goes wrong. We integrate the controls necessary for risk treatment into every procedure and instruction covering our activities, processes and tasks, as appropriate. We believe that it is essential we have an integrated approach for efficiency and consistency, and to avoid duplication and confusion.

o Business continuity

Has the organization established a business continuity system?

(Relates to Clause 4.3.4 of ISO 31000 – see Chapter to assess whether you have fulfilled requirements, to score more than 1.)

We do not have any formal procedures for dealing with contingencies other than the fire alarm. We have a fully fledged business continuity plan, which is regularly exercised to either prevent and/or mitigate any business interruption. Employees are aware of their role and responsibilities in implementing the plan. The system is certified to BS 25999.

p Resources

Does your organization provide adequate resources for effective risk management?
(Relates to Clause 4.3.5 of ISO 31000 – see Chapter 6, ‘Building capability and competence’ and Chapter to assess whether you have fulfilled requirements, to score more than 1.)

We do not allocate any resources other than specific roles for such matters as occupational health and safety. We allocate resources and make budget provisions to ensure continual cost-effective improvement in risk management arrangements and in programmes, to ensure the culture of risk management is embedded in the organization.

q Documentation

Does your organization have a system for gathering relevant business information and keeping relevant records?

(Relates to Clauses 4.3.5 and 5.5.3 of ISO 31000 – see Chapter 8, ‘Documentation and document control’ to assess whether you have fulfilled requirements, to score more than 1.)

We do not have a formal system. We maintain a comprehensive system, appropriate to the organization. It includes a risk management system manual, and documents, documentation management arrangements and records, to ensure the risk management arrangements are effective.

r Internal communications and participation

Does your organization provide information about relevant business risk matters to employees, and ensure that employees participate in developing appropriate risk management treatment/controls?

(Relates to Clause 4.3.6 of ISO 31000 – see Chapter 6, ‘Communication’ to assess whether you have fulfilled requirements, to score more than 1.)

Employees are not normally provided with information on any business issue. We have an established communications system to keep employees informed and involved in discussions about relevant issues, including policy, risk treatment/controls, objectives, performance, remedial actions and future plans.

s External communications

Has the organization determined how it should engage with external stakeholders and provide effective exchange of information?
(Relates to Clause 4.3.7 of ISO 31000 – see Chapter 6, ‘Communication’ to assess whether you have fulfilled requirements, to score more than 1.)

We do not disclose information as we believe this will put us at risk. We have established procedures to inform all relevant interested parties about the organization’s business-related matters. They, in turn, participate, where relevant, in our decision making about risk response and treatment.

t Strategy

Has the organization determined its strategy with respect to risk management?

(Relates to Clause 4.4.1 of ISO 31000 – see Chapter 6, ‘Risk management strategy’ to assess whether you have fulfilled requirements, to score more than 1.)

We do not have an overall strategy for risk management. The board (or equivalent) has developed a strategy for risk management. It has also developed a comprehensive strategic plan for implementing its policy, through a framework and process that are embodied within the organization’s overall business plan and management system.

u Monitoring

Does the organization carry out monitoring, measurement, inspection, etc. on a regular basis, in order to determine whether the arrangements are in place and working, and also to establish the progress on implementing the strategy, policy, objectives and targets?

(Relates to Clause 4.5 of ISO 31000 – see Chapter 9, ‘Monitoring and measurement’ to assess whether you have fulfilled requirements, to score more than 1.)

We have no formal or informal monitoring practices in operation. We have scheduled audits and inspections, and undertake monitoring and measurements as necessary, in order to deliver objectives.

v Audits

Does your organization carry out risk management system audits?

(See Chapter 10 to assess whether you have fulfilled requirements, to score more than 1.)
We do not carry out any audits. We have a programme of regular audits undertaken at intervals appropriate to the risks in the various functions and areas of the organization. Internal audits are seen by employees as a positive tool for improving the performance of the organization and adding value.

w Risk identification

Has the organization implemented a risk management system that is appropriate for the risks that it needs to manage?

(Relates to Clause 5.4.2 of ISO 31000 – see Chapter to assess whether you have fulfilled requirements, to score more than 1.)

We have not established a risk identification system, although we have a very basic system for occupational health and safety as required by law. We have a risk management programme in place in order to proactively identify emerging risks, covering all activities and processes undertaken by the organization and those in the external environment in which the organization operates. A risk management system has been embedded to control the risks that we have determined need to be managed in order for the organization to sustain itself.

The above assessment should be used at various stages of implementation and assessed against a Gantt chart such as the one given below, to establish progress over time.

Performance assessment

• The maximum score is 92 and this should be the target for an organization to achieve, demonstrating commitment to risk management and resilience.
• The organization should not score less than in any particular category.
• Scores of less than 50 are indicative of either poor management commitment or that the organization is in an early stage of development of its risk management framework.
• A score of over 70 is indicative of an organization that has made great strides and has the possibility of implementing a sound risk management framework.

[Gantt chart: scores for categories a to w plotted at Day x and Day y]
Appendix A

BS 31100:2011, Annex A

Table A.1 — Examples of risk management tools (including techniques)

Columns: Tool; Risk identification; Risk analysis and evaluation; Risk treatment and decisions

• Types of meeting/collaboration: interviews, focus groups, scenario analysis and planning, horizon scanning, brainstorming, Delphi technique, nominal group technique, SWOT (strengths, weaknesses, opportunities and threats) analysis, risk questionnaires
• For exploring and visualizing the context: stakeholder engagement matrices, PESTLE (political, economic, sociological, technological, legislation and environment) analysis, Boston grid, gap analysis, Pareto analysis
• Structural guidance for risk analysis: risk checklists/prompt lists, project profile model (PPM), risk breakdown structure, risk taxonomy
• Decision bases: expected value, utility theory, cost-benefit analysis
• Model analysis methods and tools: risk simulation (Monte Carlo/Latin Hypercube), sensitivity analysis, stress testing
• Data analysis: descriptive statistics, model fitting
• Risk recording and visualization techniques and tools: heat maps, RAG status reports, graphs of distributions, bar chart/radar chart, risk mapping, risk profiling, probability and consequence grid, risk indicators, risk register/database
• Modelling styles: process mapping, flow charts, cause-and-effect diagrams, hazard and operability study (HAZOPs), failure mode effects analysis (FMEA), fault and event tree modelling, probability trees, critical path analysis (CPA), cash flow analysis, portfolio analysis

References

BS 18004, Guide to achieving effective occupational health and safety performance
BS 25999, Business continuity management
BS 31100, Risk management — Code of
practice and guidance for the implementation of BS ISO 31000
IEC/ISO 31010, Risk management — Risk assessment techniques
ISO 9001:2008, Quality management systems — Requirements
ISO 14001, Environmental management systems — Requirements with guidance for use
ISO 14031, Environmental management — Environmental performance evaluation — Guidelines
ISO 19011:2011, Guidelines for auditing management systems
ISO 22000, Food safety management systems — Requirements for any organization in the food chain
ISO 22301, Societal security — Business continuity management systems — Requirements
ISO 31000, Risk management — Principles and guidelines
ISO/IEC 27001, Information technology — Security techniques — Information security management systems — Requirements
OHSAS 18001, Occupational health and safety management systems — Requirements
PAS 99:2012, Specification of common management system requirements as a framework for integration
SA 8000, Social Accountability
ISO Guide 73, Risk management — Vocabulary
ISO/IEC Directives, Part 1: Consolidated ISO Supplement – Procedures specific to ISO, Annex SL (the ISO High Level Structure)
AIRMIC, Alarm, IRM (2010) A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000, London and Devon: AIRMIC, Alarm, IRM (available as a free download from http://www.theirm.org, http://www.airmic.com and http://www.Alarm-uk.org)
Cabinet Office (2010) National Risk Register of Civil Emergencies, London: The Stationery Office Limited
Coote and Lee Employee perception of safety at Sellafield. Initial results of the safety survey carried out in 1991/92. BNFL, Risley, Warrington
Global Reporting Initiative (GRI) – http://www.globalreporting.org
Great Britain (1974) Health and Safety at Work, etc. Act 1974, London: HMSO
KPMG (2008) ‘Understanding and articulating risk appetite’, Advisory, Australia
Marsh/Ipsos (2009) New risk management insights for financial institutions
Mazars (2009) ‘Review of the
effectiveness of the combined code – Summary of the main points raised in responses to the March 2009 call for evidence’, London: Financial Reporting Council, July
Turnbull, et al (1999) Internal Control – Guidance for directors on the combined code, London: The Institute of Chartered Accountants in England and Wales
Financial Reporting Council (FRC) (2012) UK Corporate Governance Code
USA, Sarbanes–Oxley Act of 2002

The Risk Management Standards and Guidance Collection

An interactive and searchable Risk Management system collection, featuring the full up to date text of ISO 31000, BS 31100, BS EN 31010, ISO Guide 73, plus the bestselling book Managing Risk the ISO 31000 Way.

This easy to use package provides the framework and guidance to enable an organization to put in place a standards based system for risk management that is effective but not burdensome.

BSI order ref: BIP 3093

BSI Group Headquarters
389 Chiswick High Road
London W4 4AL
www.bsigroup.com
© BSI copyright

Date posted: 13/04/2023, 17:20
