ANSI/ASSE/ISO 31000 (Z690.2-2011)
Risk Management Principles and Guidelines
National Adoption of: ISO 31000:2009
AMERICAN SOCIETY OF SAFETY ENGINEERS
AMERICAN NATIONAL STANDARD
ASSE

The information and materials contained in this publication have been developed from sources believed to be reliable. However, the American Society of Safety Engineers (ASSE) as secretariat of the ANSI accredited Z690 Committee or individual committee members accept no legal responsibility for the correctness or completeness of this material or its application to specific factual situations. By publication of this standard, ASSE or the Z690 Committee does not ensure that adherence to these recommendations will protect the safety or health of any persons, or preserve property.

ANSI/ASSE/ISO 31000 (Z690.2-2011)
National Adoption of: ISO 31000:2009
American National Standard
Risk Management Principles and Guidelines

Secretariat
American Society of Safety Engineers
1800 East Oakton Street
Des Plaines, Illinois 60018-2187

Approved: January 11, 2011
American National Standards Institute, Inc.

Approval of an American National Standard requires verification by ANSI that the requirements for due process, consensus, and other criteria for approval have been met by the standards developer. Consensus is established when, in the judgment of the ANSI Board of Standards Review, substantial agreement has been reached by directly and materially affected interests. Substantial agreement means much more than a simple majority, but not necessarily unanimity. Consensus requires that all views and objections be considered, and that a concerted effort be made toward their resolution.

The use of American National Standards is completely voluntary; their existence does not in any respect preclude anyone, whether he/she has approved the standards or not, from manufacturing, marketing, purchasing, or using products, processes, or procedures not conforming to the standards.

The American National Standards Institute does not develop standards and will in no circumstance give an interpretation of any American National Standard. Moreover, no person shall have the right or authority to issue an interpretation of an American National Standard in the name of the American National Standards Institute. Requests for interpretation should be addressed to the secretariat or sponsor whose name appears on the title page of this standard.

Caution Notice: This American National Standard may be revised or withdrawn at any time. The procedures of the American National Standards Institute require that action be taken periodically to reaffirm, revise, or withdraw this standard. Purchasers of American National Standards may receive current information on all standards by calling or writing the American National Standards Institute.

Published February 2011 by:
American Society of Safety Engineers
1800 East Oakton Street
Des Plaines, Illinois 60018-2187
(847) 699-2929
www.asse.org

Copyright 2009 by the International Organization for Standardization. All Rights Reserved.
Copyright 2011 by the American Society of Safety Engineers. All Rights Reserved.

No part of this publication may be reproduced in any form, in an electronic retrieval system or otherwise, without the prior written permission of the publisher.

Printed in the United States of America

American National Standard Foreword
(This Foreword is not a part of American National Standard Z690.2-2011.)

This standard was developed by an American National Standards Committee, national in scope, functioning under the Essential Requirements Document of the American National Standards Institute with the American Society of Safety Engineers (ASSE) as Secretariat.

This standard provides risk management principles and guidelines. It is intended that the procedures and performance requirements detailed herein will be adopted by every employer whose operations fall within the scope and purpose of the standard. Neither the standards committee nor the secretariat feels that this standard is perfect or in its ultimate form. It is recognized that new developments are to be expected, and that revisions of the standard will be necessary as the art progresses and further experience is gained. It is felt, however, that uniform requirements are very much needed and that the standard in its present form provides for the minimum performance requirements necessary in developing and implementing risk management programs.

This standard is adopted from ISO 31000:2009, an international standard also titled “Risk Management Principles and Guidelines”. This document was approved as an international standard on November 15, 2009. In addition to ISO 31000 there are also two other documents addressing risk management and risk assessment being adopted as American National Standards:

ISO Guide 73:2009, Risk Management - Vocabulary
IEC/ISO 31010:2009, Risk Management - Risk Assessment Techniques

During May 2010 the United States TAG (Technical Advisory Group) to ANSI for risk management reached consensus that these three documents should be adopted as American National Standards. Due to the ongoing significant interest being focused on risk management at the international level, additional consensus was reached that there should also be a committee looking at risk management standards for the United States. Such a committee would function under accreditation of ASSE as a standards developing organization (SDO). ASSE applied for additional accreditation as a Standards Developing Organization, which was approved by ANSI during August of 2010.

ASSE notified the public during August 2010 of its intention to adopt all three documents as American National Standards. This original announcement was made without the submission of any negative comments. Public review of the subject documents was then conducted during November 2010. There were no negative comments submitted to ASSE as the secretariat. All committee votes for adoption were positive without any submitted negative comments.

At the time this standard was approved, the Technical Advisory Group/Committee had the following members:

Dorothy Gjerdrum, ARM-P, Chair
Carol Fox, Vice Chair
Timothy R. Fisher, CSP, CHMM, ARM, CPEA,
Administrator
Jennie Dalesandro, Administrative Technical Support

Organization Represented / Name of Representative

encourage proactive management;
be aware of the need to identify and treat risk throughout the organization;
improve the identification of opportunities and threats;
comply with relevant legal and regulatory requirements and international norms;
improve mandatory and voluntary reporting;
improve governance;
improve stakeholder confidence and trust;
establish a reliable basis for decision making and planning;
improve controls;
effectively allocate and use resources for risk treatment;
improve operational effectiveness and efficiency;
enhance health and safety performance, as well as environmental protection;
improve loss prevention and incident management;
minimize losses;
improve organizational learning; and
improve organizational resilience.

This standard is intended to meet the needs of a wide range of stakeholders, including:
a) those responsible for developing risk management policy within their organization;
b) those accountable for ensuring that risk is effectively managed within the organization as a whole or within a specific area, project or activity;
c) those who need to evaluate an organization's effectiveness in managing risk; and
d) developers of standards, guides, procedures and codes of practice that, in whole or in part, set out how risk is to be managed within the specific context of these documents.

The current management practices and processes of many organizations include components of risk management, and many organizations have already adopted a formal risk management process for particular types of risk or circumstances. In such cases, an organization can decide to carry out a critical review of its existing practices and processes in the light of this standard.

In this standard, the expressions “risk management” and “managing risk” are both used. In general terms, “risk management” refers to the architecture (principles, framework and process) for managing risks effectively, while “managing risk” refers to applying that architecture to particular risks.

Figure 1: Relationships Between the Risk Management Principles, Framework and Process

Contents

SECTION / PAGE
1. Scope 10
2. Terms and Definitions 10
3. Principles 14
4. Framework 15
4.1 General 15
4.2 Mandate and Commitment 16
4.3 Design of Framework for Managing Risk 17
4.4 Implementing Risk Management 19
4.5 Monitoring and Review of the Framework 20
4.6 Continual Improvement of the Framework 20
5. Process 20
5.1 General 20
5.2 Communication and Consultation 21
5.3 Establishing the Context 22
5.4 Risk Assessment 24
5.5 Risk Treatment 26
5.6 Monitoring and Review 27
5.7 Recording the Risk Management Process 28
Annex A Attributes of Enhanced Risk Management 29
Bibliography 31

AMERICAN NATIONAL STANDARD Z690.2-2011 10

AMERICAN NATIONAL STANDARD Z690.2
RISK MANAGEMENT PRINCIPLES AND GUIDELINES

1. SCOPE

This standard provides principles and generic
guidelines on risk management. This standard can be used by any public, private or community enterprise, association, group or individual. Therefore, this standard is not specific to any industry or sector.

NOTE: For convenience, all the different users of this standard are referred to by the general term “organization”.

This standard can be applied throughout the life of an organization, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets. This standard can be applied to any type of risk, whatever its nature, whether having positive or negative consequences.

Although this standard provides generic guidelines, it is not intended to promote uniformity of risk management across organizations. The design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organization, its particular objectives, context, structure, operations, processes, functions, projects, products, services, or assets and specific practices employed.

It is intended that this standard be utilized to harmonize risk management processes in existing and future standards. It provides a common approach in support of standards dealing with specific risks and/or sectors, and does not replace those standards.

This standard is not intended for the purpose of certification.

2. TERMS AND DEFINITIONS

For the purposes of this document, the following terms and definitions apply. These terms and definitions are taken from ANSI/ASSE Z690.1, Vocabulary for Risk Management (ISO Guide 73:2009).

2.1 Communication and Consultation.
Continual and iterative processes that an organization conducts to provide, share or obtain information and to engage in dialogue with stakeholders regarding the management of risk.
NOTE 1: The information can relate to the existence, nature, form, likelihood, significance, evaluation, acceptability and treatment of the management of risk.
NOTE 2: Consultation is a two-way process of informed communication between an organization and its stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is:
- a process which impacts on a decision through influence rather than power; and
- an input to decision making, not joint decision making.

2.2 Consequence.
Outcome of an event affecting objectives.
NOTE 1: An event can lead to a range of consequences.
NOTE 2: A consequence can be certain or uncertain and can have positive or negative effects on objectives.
NOTE 3: Consequences can be expressed qualitatively or quantitatively.
NOTE 4: Initial consequences can escalate through knock-on effects.

2.3 Control.
Measure that is modifying risk.
NOTE 1: Controls include any process, policy, device, practice, or other actions which modify risk.
NOTE 2: Controls may not always exert the intended or assumed modifying effect.

2.4 Establishing the Context.
Defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria for the risk management policy.

2.5 Event.
Occurrence or change of a particular set of circumstances.
NOTE 1: An event can be one or more occurrences, and can have several causes.
NOTE 2: An event can consist of something not happening.
NOTE 3: An event can sometimes be referred to as an “incident” or “accident”.
NOTE 4: An event without consequences can also be referred to as a “near miss”, “incident”, “near hit” or “close call”.

2.6 External Context.
External environment in which the organization seeks to achieve its objectives.
NOTE: External context can include:
- the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
- key drivers and trends having impact on the objectives of the organization; and
- relationships with, and perceptions and values of, external stakeholders.

2.7 Internal Context.
Internal environment in which the organization seeks to achieve its objectives.
NOTE: Internal context can include:
- governance, organizational structure, roles and accountabilities;
- policies, objectives, and the strategies that are in place to achieve them;
- the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
- information systems, information flows and decision-making processes (both formal and informal);
- relationships with, and perceptions and values of, internal stakeholders;
- the organization's culture;
- standards, guidelines and models adopted by the organization; and
- form and extent of contractual relationships.

2.8 Level of Risk.
Magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood.

2.9 Likelihood.
Chance of something happening.
NOTE 1: In risk management terminology, the word “likelihood” is used to refer to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period).
NOTE 2: The English term “likelihood” does not have a direct equivalent in some languages; instead, the equivalent of the term “probability” is often used. However, in English, “probability” is often narrowly interpreted as a mathematical term. Therefore, in risk management termino