Risk Management
Guidance for the Implementation of ISO 31000

American Society of Safety Engineers
1800 East Oakton Street
Des Plaines, IL 60018
www.asse.org

ISO/ANSI/ASSE TR-31004-2014
National Adoption of: ISO/TR 31004:2013
ISO/ANSI/ASSE Technical Report

The information and materials contained in this publication have been developed from sources believed to be reliable. However, the American Society of Safety Engineers (ASSE), as secretariat of the ANSI-accredited Z690 Committee, and the individual committee members accept no legal responsibility for the correctness or completeness of this material or its application to specific factual situations. By publication of this document, ASSE and the Z690 Committee do not ensure that adherence to these recommendations will protect the safety or health of any persons, or preserve property.

Prepared by the American Society of Safety Engineers.
Secretariat and Standards Developing Organization: American Society of Safety Engineers, 1800 East Oakton Street, Des Plaines, Illinois 60018-2187, (847) 699-2929, www.asse.org

Published May, 2014

Copyright 2013 by the International Organization for Standardization. All Rights Reserved.
Copyright 2014 by the American Society of Safety Engineers. All Rights Reserved.
No part of this publication may be reproduced in any form, in an electronic retrieval system or otherwise, without the prior written permission of the publisher.
Printed in the United States of America

FOREWORD

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the meaning of ISO-specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the WTO principles in the Technical Barriers to Trade (TBT), see the Foreword Supplementary information page of the www.iso.org website.

Publication of this Technical Report, which has been registered with ANSI, has been approved by the Accredited Standards Developer, American Society of Safety Engineers (ASSE), 1800 E. Oakton Street, Des Plaines, Illinois 60018. This document is registered as a Technical Report according to the Procedures for the Registration of Technical Reports with ANSI. This document is not an American National Standard, and the material contained herein is not normative in nature.

Comments on the content of this document should be sent to the American Society of Safety Engineers, Attention: Secretariat, 1800 E. Oakton Street, Des Plaines, Illinois 60018.

The committee responsible for this document is Technical Committee ISO/TC 262, Risk management. At the time this Technical Report was published, the United States Technical Advisory Group/Committee had the following members:

Dorothy Gjerdrum, ARM-P, Chair
Carol Fox, Vice Chair
Timothy R. Fisher, CSP, CHMM, ARM, CPEA, Administrator
Jennie Dalesandro, Administrative Technical Support

Organization Represented / Name of Representative

- an explanation of the underlying concepts of ISO 31000;
- guidance on aspects of the principles and risk management framework that are described in ISO 31000.

This Technical Report can be used by any public, private or community enterprise, association, group or individual.

NOTE For convenience, all the different users of this Technical Report are referred to by the general term "organization".

This Technical Report is not specific to any industry or sector, or to any particular type of risk, and can be applied to all activities and to all parts of organizations.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 31000:2009, Risk management - Principles and guidelines

3 Implementing ISO 31000

3.1 General

This clause provides guidance to organizations seeking to align their risk management approach and practices with ISO 31000 and to maintain those practices in alignment on an ongoing basis. It provides a general methodology that is suitable for application, in a planned manner, by any organization irrespective of the nature of its current risk management arrangements. This methodology involves the following:

- comparing current practice with that described in ISO 31000;
- identifying what needs to change and preparing and implementing a plan for doing so;
- maintaining ongoing monitoring and review to ensure currency and continuous improvement.

This will enable the organization to obtain a current and comprehensive understanding of its risks, and to ensure that those risks are consistent with its attitude to risk and its risk criteria. Regardless of the motive for implementing ISO 31000, doing so is expected to enable an organization to better manage its risks, in support of its objectives.

All organizations manage risk to some extent. The strategy for implementing ISO 31000 should recognize how an organization is already managing risk. The implementation process, as described in 3.2, will evaluate existing arrangements and, if necessary, adapt and modify them to align with ISO 31000.

ISO 31000 identifies various elements of a risk management framework. There are several advantages that can arise when elements of that framework are integrated into an organization's governance, functions and processes. These relate to organizational effectiveness, sound decision making and efficiency.

a) The framework for managing risk should be realized by integrating its components into the organization's overall system of management and decision making, irrespective of whether the system is formal or informal; existing management processes may be improved by reference to ISO 31000.

b) The understanding and management of uncertainty becomes an integral component in the management system(s), establishing a common approach for the organization.

c) Implementation of the risk management process can be proportionately tailored to the size and requirements of the organization.

d) The governance (i.e. direction and oversight) of the risk management policy, framework and process(es) can be integrated into existing organizational governance arrangements.

e) Risk management reporting is integrated with other management reporting.

f) Risk management performance becomes an integral part of the overall performance approach.

g) Interaction and connection between the often separate risk management fields of an organization (e.g. enterprise risk management, financial risk management, project risk management, safety and security management, business continuity management, insurance management) can be ensured or improved, as the attention will now be focused primarily on setting and achieving the organization's objectives, taking risk into account.

h) The communication on uncertainty and risk between management teams and management levels is improved.

i) Silos of risk management activity within an organization center on the achievement of organizational objectives as a common focus. There may be indirect societal benefits, as the organization's external stakeholders may be motivated to improve their respective risk management activity.

j) The risk treatment and controls can become an integral part of daily operations.

3.2 How to implement ISO 31000

Although ISO 31000 explains how to manage risk effectively, it does not explain how to integrate risk management into the organization's management processes. Even though organizations are different and their starting points may differ, a generic and systematic implementation approach is applicable in all cases. The organization should determine whether changes are needed to its existing framework for the management of risk, before planning and implementing those changes, and then monitoring the ongoing effectiveness of the amended framework. This will allow the organization:

- to align its risk management activities with the principles for effective risk management described in ISO 31000:2009, Clause 3;
- to apply the risk management process described in ISO 31000:2009, Clause 5;
- to satisfy the attributes of enhanced risk management in ISO 31000:2009, Clause A.3;
- thereby to achieve the key outcomes in ISO 31000:2009, Clause A.2.

This approach is also applicable to organizations that are already consistent with ISO 31000, but that wish to continually improve their framework and the process for managing risk as recommended in ISO 31000:2009, 4.6 and 5.6. All aspects of transition may be helped by drawing on the experience of other organizations which manage similar types of risks or have gone through a similar process.

3.3 Integration of ISO 31000 into the organization's management processes

3.3.1 General

ISO 31000 provides a framework and a generic process to manage risk in all or part of any type of organization. This subclause provides guidance for integrating the elements of ISO 31000 into an organization's management approach, including its activities, processes and functions. Organizations may choose to integrate ISO 31000 concepts with their existing processes, or they may choose to design and establish a new approach based on ISO 31000. This subclause describes the core elements of the framework and process, and the actions necessary for successful integration of these elements to meet the organization's objectives.

There are many ways to integrate ISO 31000 into an organization. The choice and order of elements should be tailored to the needs of the organization and its stakeholders. Care should be taken when applying this guidance to ensure that integration supports the overall business management strategy. This drives the effort to meet the organization's objectives of protection and creation of value. The approach also needs to consider the organization's culture, as well as project and change management methodologies.

Implementing ISO 31000 is a dynamic, iterative and ongoing process. Furthermore, implementation of the framework is interconnected with the risk management process described in ISO 31000:2009, Clause 5. Success is measured both in terms of the integration of the framework and in terms of the continual improvement of risk management throughout the organization.

Integration takes place within a dynamic context. The organization should monitor both changes that are brought about by the implementation process and changes to its internal and external context. This may include the need for change to its risk criteria.

3.3.2 Mandate and commitment

Any business management activity begins with an analysis of the rationale and steps of the processes and a cost-benefit analysis. This is followed by a decision by top management and the oversight body to implement and to provide the necessary commitment and resources. Typically, the implementation process includes the following:

a) acquiring mandate and commitment, if required;

b) a gap analysis;

c) tailoring and scaling based on organizational needs, culture, and creating and protecting value;

d) evaluating risks associated with transition;

e) developing a business plan:
- setting objectives, priorities and metrics;
- establishing the business case, including alignment with organizational objectives;
- determining scope, accountabilities, timeframe and resources;

f) identifying the context of implementation, including communication with stakeholders.

3.3.3 Designing the framework

3.3.3.1 Existing approaches to risk management in the current organization should be evaluated, including context and culture.

a) It is important to consider any legal, regulatory or customer obligations and certification requirements that arise from any management systems and standards that the organization has chosen to adopt. The purpose of this step is to permit careful tailoring of the design of the risk management framework and the implementation plan itself, and to permit alignment with the structure, culture and general system of management of the organization.

b) It is important to consider both the process used to manage risks and the aspects of the existing risk management framework that enable this process to be applied.

c) Appropriate risk criteria should be established. Risk criteria need to be consistent with the objectives of the organization and aligned with its risk attitude. If the objectives change, the risk criteria need to be adjusted accordingly. It is important for effective risk management that the risk criteria are developed to reflect the organization's risk attitude and objectives.

For designing the new framework, specifically, the following should be evaluated:

- principles and attributes, as described in ISO 31000;
- the previous framework, the evaluation of which should com