BS 31100:2011
Risk management – Code of practice and guidance for the implementation of BS ISO 31000

BSI, 389 Chiswick High Road, London W4 4AL, United Kingdom
Tel: +44 (0)20 8996 9001
Fax: +44 (0)20 8996 7001
ISBN 978-0-580-71607-2

Publishing and copyright information

The BSI copyright notice displayed in this document indicates when the document was last issued.
© BSI 2011
ISBN 978 0 580 71607 2
ICS 03.100.01

The following BSI references relate to the work on this standard:
Committee reference RM/1
Draft for comment 11/30228063 DC

Publication history
First published October 2008
Second (present) edition, June 2011

Amendments issued since publication
Date | Text affected

Contents

Foreword ii
Introduction 1
1 Scope 3
2 Terms and definitions 4
3 Framework 11
3.1 General 11
3.2 Mandate and commitment 13
3.3 Design of framework for managing risk 13
3.4 Implementing risk management 28
3.5 Monitoring and review of the framework 29
3.6 Continual improvement of the framework 30
4 Process 31
4.1 General 31
4.2 Communication and consultation 32
4.3 Establishing the context 32
4.4 Risk assessment 33
4.5 Risk treatment 35
4.6 Monitoring and review 37
4.7 Monitoring performance of the instance of the risk management process 37
4.8 Providing information to others 38
4.9 Recording the risk management process 38

Annexes
Annex A (informative) Risk management tools 40
Annex B (normative) Incorporating potentially positive consequences of risk 42
Annex C (informative) Effects of controls 42
Bibliography 45

List of figures
Figure 1 Risk management perspectives 2
Figure 2 Relationships between the context, principles, framework and process 11
Figure 3 Illustrative set of instances of the risk management process in a larger organization 12
Figure 4 Development of components of the risk management framework 12
Figure 5 Typical documentation for risk management 15
Figure 6 Items to include in the description of the framework 16
Figure 7 The risk management process 32

List of tables
Table 1 Examples of tailoring 3
Table 2 One possible breakdown of roles 17
Table 3 Leadership responsibilities 18
Table 4 Minimum responsibilities for everyone in the organization 18
Table 5 Role of a risk management function 19
Table 6 Items to cover related to risk management competence 22
Table 7 Features of risk identification 33
Table A.1 Examples of risk management tools (including techniques) 41

Summary of pages
This document comprises a front cover, an inside front cover, pages i to iv, pages 1 to 46, an inside back cover and a back cover.

Foreword

Publishing information

This British Standard was published by BSI and came into effect on 30 June 2011. It was prepared by Technical Committee RM/1, Risk management. A list of organizations represented on this committee can be obtained on request to its secretary.

This British Standard has been developed by practitioners throughout the risk management community, drawing upon their considerable academic, technical and practical experiences of risk management.

Supersession

BS 31100:2011 supersedes BS 31100:2008, which is withdrawn.

Relationship with other documents

BS ISO 31000, Risk management – Principles and guidelines on implementation, and ISO/IEC Guide 73, Risk management – Vocabulary, were published after the first edition of BS 31100, so that there were some minor structural differences between the documents. This edition was drafted to be consistent with the principles and guidelines on risk management in BS ISO 31000:2009 (see Introduction), and to acknowledge HM Treasury's Orange Book [1], the Office of Government Commerce publication, “Management of risk: Guidance for practitioners” [2], “Enterprise Risk Management – Integrated Framework” and application techniques published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) [3], and the risk management standard developed by the Institute of Risk Management (IRM), the Association of Insurance and Risk Managers (Airmic) and Alarm [4].

Use of this document

As a code of practice, this British Standard takes the form of guidance and recommendations. It should not be quoted as if it were a specification and particular care should be taken to ensure that claims of compliance are not misleading.

The provisions in this standard are presented in roman (i.e. upright) type. Its recommendations are expressed in sentences in which the principal auxiliary verb is “should”.

The word “may” is used in the text to express permissibility, e.g. as an alternative to the primary recommendation of the clause. The word “can” is used to express possibility, e.g. a consequence of an action or an event.

Commentary, explanation and general informative material is presented in smaller italic type, and does not constitute a normative element.

Any user claiming compliance with this British Standard is expected to be able to justify any course of action that deviates from its recommendations.

Presentational conventions

The word “should” is used to express the recommendations of this standard, with which the user has to comply in order to comply with the standard. The word “may” is used in the text to express permissibility, e.g. as an alternative to the primary recommendation of the clause. The word “can” is used to express possibility, e.g. a consequence of an action or an event.

Contractual and legal considerations

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

Compliance with a British Standard cannot confer immunity from legal obligations.

Introduction

This code of practice gives recommendations for implementing the principles and guidelines on risk management in BS ISO 31000:2009.

This edition of BS 31100 closely matches the structure, terminology and diagrams of BS ISO 31000:2009 and ISO Guide 73:2009 to make it easier to use the three documents side by side. This edition also expands on the recommendations of BS 31100:2008.

The principles in BS ISO 31000:2009 are as follows.

a) Risk management creates and protects value.
b) Risk management is an integral part of all organizational processes.
c) Risk management is part of decision-making.
d) Risk management explicitly addresses uncertainty.
e) Risk management is systematic, structured and timely.
f) Risk management is based on the best available information.
g) Risk management is tailored.
h) Risk management takes human and cultural factors into account.
i) Risk management is transparent and inclusive.
j) Risk management is dynamic, iterative and responsive to change.
k) Risk management facilitates continual improvement of the organization.

The recommendations in this code of practice will help organizations implement these principles in a way that is right for each organization. The recommendations are more practical and specific than the principles and guidelines, but they focus on the key aspects of management and allow for variations in the detail of techniques.

Risks are best managed by people following a defined risk management process. In large organizations there could be many groups and many processes, each with its own scope, meetings, documents and methods. This could be because they are working at different management levels in the organization and have different perspectives (see Figure 1), are working in different organizational sub-units, or are focusing on different types of risks.

The approach recommended here is to provide an outline risk management process that can be followed and interpreted so that each group works in a way that is appropriate for them, and there is consistency and communication across the organization.

Each example of a risk management process within an organization is called an instance of the risk management process.

The outline risk management process is just one component of a broader risk management framework that also contains activities to govern one or more instances of the risk management process and to drive improvements over time.

The recommendations cover the whole organization and all risks. This includes outcomes that are better than expected, as well as those that are worse than expected. In keeping with the definition of risk as “the effect of uncertainty on objectives” the approach encourages people to think widely about what might happen, not just to look for potential dangers. It also encourages greater awareness of uncertainty.

This is achieved using a process and language that apply equally to all risks. For example, risks are “modified” by controls rather than “mitigated” because a risk whose consequences are mostly desirable is one to promote or exploit rather than reduce.

EXAMPLE A major construction project on a city site had very little land for storing materials and so needed many costly lorry deliveries. There was space on an adjacent site where another developer was working. If a deal could be made it would be possible to use that space to store materials. This possibility was recorded as a risk with predominantly positive consequences, and evaluated. Although there would be an up-front commitment to the other developer, there were possible beneficial consequences from lower transport costs and reduced likelihood of interruptions to work due to late deliveries. Actions were identified to increase the likelihood of the risk being realized, such as working out delivery times and access routes that would avoid interference between the projects. Subsequently, the risk was realized: a deal was made benefiting both developers.

Risk management needs to be integrated into all management activities. This code of practice gives recommendations on how to achieve this integration.

The recommendations in this British Standard have been written for organizations of all types and sizes, and include guidance on how to choose an approach that is appropriate. Table 1 gives examples of how large and small organizations might tailor their risk management.

Figure 1 Risk management perspectives
[Figure; key: Set of activities; Communication]

1 Scope

This British Standard gives recommendations for implementing the principles and guidelines in BS ISO 31000:2009, including the risk management framework and process. It provides a basis for understanding, developing, implementing and maintaining proportionate and effective risk management throughout an organization, in order to enhance the organization's likelihood of achieving its objectives.

This British Standard is intended for use by anyone with responsibility for, or involved in, any of the following:

a) ensuring an organization achieves its objectives;
b) ensuring risks are proactively managed in specific areas or activities;
c) overseeing risk management in an organization;
d) providing assurance about the effectiveness of an organization's risk management; and/or
e) reporting to stakeholders, e.g. through disclosures in annual financial statements, corporate governance reports and corporate social responsibility reports.

Table 1 Examples of tailoring

Point of difference | Small organization | Large organization
--- | --- | ---
Business | Law partnership | Food manufacturer
Employees | 10 | 15,000
Business units and locations | One business unit in one office | 36 business units in 27 countries
Ongoing projects | None (presently) | Hundreds
Risk management framework description | A 12-page document | A database with several documents and tools, including risk analysis software
Delegation of risk management activities by the board (or equivalent) | Very little; the partners do almost everything | The main board delegates risk management activities extensively to sub-committees, a risk management support team, and business unit management. Extra assurance is provided by internal auditors.
Instances of the risk management process | One | Hundreds due to the many business units and projects
Detail in procedures for initiating and terminating instances of the risk management process | Described in one paragraph just in case a project is started that justifies it | Described in detail and this activity is tracked using a database
Range of risk analysis techniques | Almost entirely by judgement and conversations among the partners | Varies from conversations and judgement to mathematical modelling (particularly for food safety risks and commodity price hedging) and reliability analyses based on models of manufacturing systems
Quantity and usefulness of risk data generated by the business | Low volume and of limited use | Huge volume, providing a strong basis for quantitative analyses
Detail in procedures for internal reporting about risk management | Described in one paragraph as a topic in the regular partner meetings | Described in detail, with committees involved, help from the risk management support team, and a computer system
Required external reporting about risk management | Limited for certain activities | Extensive, mainly because of stock market listings and health and safety laws

2 Terms and definitions

For the purposes of this British Standard the following terms and definitions apply.

2.1 board (or equivalent)
organization's governing body

NOTE This includes a board of directors, head of a legislative body or agency, supervisory board, or the board of trustees or governors of a not-for-profit organization.

2.2 business continuity management
holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities

[BS 25999, modified]

2.3 communication and consultation
continual and iterative processes