SANS 31000-2009 Risk management - Principles and guidelines《风险管理 风险管理的原则及实施指南》.pdf

1、 Collection of SANS standards in electronic format (PDF) 1. Copyright This standard is available to staff members of companies that have subscribed to the complete collection of SANS standards in accordance with a formal copyright agreement. This document may reside on a CENTRAL FILE SERVER or INTRA

2、NET SYSTEM only. Unless specific permission has been granted, this document MAY NOT be sent or given to staff members from other companies or organizations. Doing so would constitute a VIOLATION of SABS copyright rules. 2. Indemnity The South African Bureau of Standards accepts no liability for any

3、damage whatsoever than may result from the use of this material or the information contain therein, irrespective of the cause and quantum thereof. ISBN 978-0-626-23641-0 SANS 31000:2009Edition 1 ISO 31000:2009Edition 1SOUTH AFRICAN NATIONAL STANDARD Risk management Principles and guidelines This nat

4、ional standard is the identical implementation of ISO 31000:2009, and is adopted with the permission of the International Organization for Standardization. Published by SABS Standards Division 1 Dr Lategan Road Groenkloof Private Bag X191 Pretoria 0001Tel: +27 12 428 7911 Fax: +27 12 344 1568 www.sa

5、bs.co.za SABS SANS 31000:2009 Edition 1 ISO 31000:2009 Edition 1 Table of changes Change No. Date Scope National foreword This South African standard was approved by National Committee SABS TC 178, Risk management, in accordance with procedures of the SABS Standards Division, in compliance with anne

6、x 3 of the WTO/TBT agreement. This SANS document was published in December 2009. Reference numberISO 31000:2009(E)ISO 2009INTERNATIONAL STANDARD ISO31000First edition2009-11-15Risk management Principles and guidelines Management du risque Principes et lignes directrices SANS 31000:2009This s tandard

7、 may only be used and printed by approved subscription and freemailing clients of the SABS .ISO 31000:2009(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which

8、 are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Inco

9、rporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event th

10、at a problem relating to it is found, please inform the Central Secretariat at the address given below. COPYRIGHT PROTECTED DOCUMENT ISO 2009 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanic

11、al, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.or

12、g Published in Switzerland ii ISO 2009 All rights reservedSANS 31000:2009This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .ISO 31000:2009(E) ISO 2009 All rights reserved iiiContents Page Foreword iv Introduction.v 1 Scope1 2 Terms and definitio

13、ns .1 3 Principles7 4 Framework .8 4.1 General .8 4.2 Mandate and commitment 9 4.3 Design of framework for managing risk10 4.3.1 Understanding of the organization and its context .10 4.3.2 Establishing risk management policy.10 4.3.3 Accountability11 4.3.4 Integration into organizational processes11

14、 4.3.5 Resources 11 4.3.6 Establishing internal communication and reporting mechanisms 12 4.3.7 Establishing external communication and reporting mechanisms .12 4.4 Implementing risk management 12 4.4.1 Implementing the framework for managing risk 12 4.4.2 Implementing the risk management process .1

15、3 4.5 Monitoring and review of the framework 13 4.6 Continual improvement of the framework 13 5 Process.13 5.1 General .13 5.2 Communication and consultation .14 5.3 Establishing the context.15 5.3.1 General .15 5.3.2 Establishing the external context 15 5.3.3 Establishing the internal context.15 5.

16、3.4 Establishing the context of the risk management process 16 5.3.5 Defining risk criteria17 5.4 Risk assessment .17 5.4.1 General .17 5.4.2 Risk identification17 5.4.3 Risk analysis18 5.4.4 Risk evaluation 18 5.5 Risk treatment18 5.5.1 General .18 5.5.2 Selection of risk treatment options .19 5.5.

17、3 Preparing and implementing risk treatment plans 20 5.6 Monitoring and review 20 5.7 Recording the risk management process.21 Annex A (informative) Attributes of enhanced risk management22 Bibliography24 SANS 31000:2009This s tandard may only be used and printed by approved subscription and freemai

18、ling clients of the SABS .ISO 31000:2009(E) iv ISO 2009 All rights reservedForeword ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO t

19、echnical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates clos

20、ely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of technical committees is to prepare International Standards. Draf

21、t International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote. Attention is drawn to the possibility that some of the elements of this docum

22、ent may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. ISO 31000 was prepared by the ISO Technical Management Board Working Group on risk management. SANS 31000:2009This s tandard may only be used and printed by approved subscription

23、 and freemailing clients of the SABS .ISO 31000:2009(E) ISO 2009 All rights reserved vIntroduction Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an

24、organizations objectives is “risk”. All activities of an organization involve risk. Organizations manage risk by identifying it, analysing it and then evaluating whether the risk should be modified by risk treatment in order to satisfy their risk criteria. Throughout this process, they communicate a

25、nd consult with stakeholders and monitor and review the risk and the controls that are modifying the risk in order to ensure that no further risk treatment is required. This International Standard describes this systematic and logical process in detail. While all organizations manage risk to some de

26、gree, this International Standard establishes a number of principles that need to be satisfied to make risk management effective. This International Standard recommends that organizations develop, implement and continuously improve a framework whose purpose is to integrate the process for managing r

27、isk into the organizations overall governance, strategy and planning, management, reporting processes, policies, values and culture. Risk management can be applied to an entire organization, at its many areas and levels, at any time, as well as to specific functions, projects and activities. Althoug

28、h the practice of risk management has been developed over time and within many sectors in order to meet diverse needs, the adoption of consistent processes within a comprehensive framework can help to ensure that risk is managed effectively, efficiently and coherently across an organization. The gen

29、eric approach described in this International Standard provides the principles and guidelines for managing any form of risk in a systematic, transparent and credible manner and within any scope and context. Each specific sector or application of risk management brings with it individual needs, audie

30、nces, perceptions and criteria. Therefore, a key feature of this International Standard is the inclusion of “establishing the context” as an activity at the start of this generic risk management process. Establishing the context will capture the objectives of the organization, the environment in whi

31、ch it pursues those objectives, its stakeholders and the diversity of risk criteria all of which will help reveal and assess the nature and complexity of its risks. The relationship between the principles for managing risk, the framework in which it occurs and the risk management process described i

32、n this International Standard are shown in Figure 1. When implemented and maintained in accordance with this International Standard, the management of risk enables an organization to, for example: increase the likelihood of achieving objectives; encourage proactive management; be aware of the need t

33、o identify and treat risk throughout the organization; improve the identification of opportunities and threats; comply with relevant legal and regulatory requirements and international norms; improve mandatory and voluntary reporting; improve governance; improve stakeholder confidence and trust; SAN

34、S 31000:2009This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .ISO 31000:2009(E) vi ISO 2009 All rights reserved establish a reliable basis for decision making and planning; improve controls; effectively allocate and use resources for risk treat

35、ment; improve operational effectiveness and efficiency; enhance health and safety performance, as well as environmental protection; improve loss prevention and incident management; minimize losses; improve organizational learning; and improve organizational resilience. This International Standard is

36、 intended to meet the needs of a wide range of stakeholders, including: a) those responsible for developing risk management policy within their organization; b) those accountable for ensuring that risk is effectively managed within the organization as a whole or within a specific area, project or ac

37、tivity; c) those who need to evaluate an organizations effectiveness in managing risk; and d) developers of standards, guides, procedures and codes of practice that, in whole or in part, set out how risk is to be managed within the specific context of these documents. The current management practice

38、s and processes of many organizations include components of risk management, and many organizations have already adopted a formal risk management process for particular types of risk or circumstances. In such cases, an organization can decide to carry out a critical review of its existing practices

39、and processes in the light of this International Standard. In this International Standard, the expressions “risk management” and “managing risk” are both used. In general terms, “risk management” refers to the architecture (principles, framework and process) for managing risks effectively, while “ma

40、naging risk” refers to applying that architecture to particular risks. SANS 31000:2009This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .ISO 31000:2009(E) ISO 2009 All rights reserved viiMandateand commitment (4.2)Implementing risk management(4.

41、4)Design of framework formanaging risk(4.3)Continual improvement of the framework(4.6)Monitoringand reviewof the framework(4.5)Framework(Clause 4)a) Creates valueb) Integral partof organizational processesc) Part of decision makingd) Explicitlyaddresses uncertaintye) Systematic, structured and timel

42、y f) Based on the best available information g) Tailoredh) Takes human and cultural factors into account i) Transparent and inclusivej) Dynamic, iterative and responsive to change k) Facilitates continual improvement and enhancement of the organizationPrinciples(Clause 3)Process(Clause 5)Establishin

43、g the context (5.3)Risk assessment (5.4)Risk identification (5.4.2)Risk analysis (5.4.3)Risk evaluation (5.4.4)Risk treatment (5.5)Communication and consultation (5.2)M o nitor i ng and r e v i e w (5. 6 )Figure 1 Relationships between the risk management principles, framework and process SANS 31000

44、:2009This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .SANS 31000:2009This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .INTERNATIONAL STANDARD ISO 31000:2009(E) ISO 2009 All rights reserve

45、d 1Risk management Principles and guidelines 1 Scope This International Standard provides principles and generic guidelines on risk management. This International Standard can be used by any public, private or community enterprise, association, group or individual. Therefore, this International Stan

46、dard is not specific to any industry or sector. NOTE For convenience, all the different users of this International Standard are referred to by the general term “organization”. This International Standard can be applied throughout the life of an organization, and to a wide range of activities, inclu

47、ding strategies and decisions, operations, processes, functions, projects, products, services and assets. This International Standard can be applied to any type of risk, whatever its nature, whether having positive or negative consequences. Although this International Standard provides generic guide

48、lines, it is not intended to promote uniformity of risk management across organizations. The design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organization, its particular objectives, context, structure, operations, proce

49、sses, functions, projects, products, services, or assets and specific practices employed. It is intended that this International Standard be utilized to harmonize risk management processes in existing and future standards. It provides a common approach in support of standards dealing with specific risks and/or sectors, and does not replace those standards. This International Standard is not intended for the purpose of certification. 2 Terms and definitions For the purposes of this document, the following te