CSA Q31001-2011 Implementation guide to CAN CSA-ISO 31000 Risk management - Principles and guidelines (First Edition).pdf


Q31001-11
Implementation guide to CAN/CSA-ISO 31000, Risk management - Principles and guidelines

Legal Notice for Standards

Canadian Standards Association (CSA) standards are developed through a consensus standards development process approved by the Standards Council of Canada. This process brings together volunteers representing varied viewpoints and interests to achieve consensus and develop a standard. Although CSA administers the process and establishes rules to promote fairness in achieving consensus, it does not independently test, evaluate, or verify the content of standards.

Disclaimer and exclusion of liability

This document is provided without any representations, warranties, or conditions of any kind, express or implied, including, without limitation, implied warranties or conditions concerning this document's fitness for a particular purpose or use, its merchantability, or its non-infringement of any third party's intellectual property rights. CSA does not warrant the accuracy, completeness, or currency of any of the information published in this document. CSA makes no representations or warranties regarding this document's compliance with any applicable statute, rule, or regulation.

IN NO EVENT SHALL CSA, ITS VOLUNTEERS, MEMBERS, SUBSIDIARIES, OR AFFILIATED COMPANIES, OR THEIR EMPLOYEES, DIRECTORS, OR OFFICERS, BE LIABLE FOR ANY DIRECT, INDIRECT, OR INCIDENTAL DAMAGES, INJURY, LOSS, COSTS, OR EXPENSES, HOWSOEVER CAUSED, INCLUDING BUT NOT LIMITED TO SPECIAL OR CONSEQUENTIAL DAMAGES, LOST REVENUE, BUSINESS INTERRUPTION, LOST OR DAMAGED DATA, OR ANY OTHER COMMERCIAL OR ECONOMIC LOSS, WHETHER BASED IN CONTRACT, TORT (INCLUDING NEGLIGENCE), OR ANY OTHER THEORY OF LIABILITY, ARISING OUT OF OR RESULTING FROM ACCESS TO OR POSSESSION OR USE OF THIS DOCUMENT, EVEN IF CSA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, INJURY, LOSS, COSTS, OR EXPENSES.

In publishing and making this document available, CSA is not undertaking to render professional or other services for or on behalf of any person or entity or to perform any duty owed by any person or entity to another person or entity. The information in this document is directed to those who have the appropriate degree of experience to use and apply its contents, and CSA accepts no responsibility whatsoever arising in any way from any and all use of or reliance on the information contained in this document.

CSA is a private not-for-profit company that publishes voluntary standards and related documents. CSA has no power, nor does it undertake, to enforce compliance with the contents of the standards or other documents it publishes.

Intellectual property rights and ownership

As between CSA and the users of this document (whether it be in printed or electronic form), CSA is the owner, or the authorized licensee, of all works contained herein that are protected by copyright, all trade-marks (except as otherwise noted to the contrary), and all inventions and trade secrets that may be contained in this document, whether or not such inventions and trade secrets are protected by patents and applications for patents. Without limitation, the unauthorized use, modification, copying, or disclosure of this document may violate laws that protect CSA's and/or others' intellectual property and may give rise to a right in CSA and/or others to seek legal redress for such use, modification, copying, or disclosure. To the extent permitted by licence or by law, CSA reserves all intellectual property rights in this document.

Patent rights

Attention is drawn to the possibility that some of the elements of this standard may be the subject of patent rights. CSA shall not be held responsible for identifying any or all such patent rights. Users of this standard are expressly advised that determination of the validity of any such patent rights is entirely their own responsibility.

Authorized use of this document

This document is being provided by CSA for informational and non-commercial use only. The user of this document is authorized to do only the following:

If this document is in electronic form:
- load this document onto a computer for the sole purpose of reviewing it;
- search and browse this document; and
- print this document if it is in PDF format.

Limited copies of this document in print or paper form may be distributed only to persons who are authorized by CSA to have such copies, and only if this Legal Notice appears on each such copy.

In addition, users may not and may not permit others to
- alter this document in any way or remove this Legal Notice from the attached standard;
- sell this document without authorization from CSA; or
- make an electronic copy of this document.

If you do not agree with any of the terms and conditions contained in this Legal Notice, you may not load or use this document or make any copies of the contents hereof, and if you do make such copies, you are required to destroy them immediately. Use of this document constitutes your acceptance of the terms and conditions of this Legal Notice.

CSA Standards Update Service

Q31001-11
March 2011

Title: Implementation guide to CAN/CSA-ISO 31000, Risk management - Principles and guidelines
Pagination: 55 pages (viii preliminary and 47 text), each dated March 2011

To register for e-mail notification about any updates to this publication
- go to www.ShopCSA.ca
- click on E-mail Services under MY ACCOUNT
- click on CSA Standards Update Service

The List ID that you will need to register for updates to this publication is 2421115.

If you require assistance, please e-mail techsupportcsa.ca or call 416-747-2233.

Visit CSA's policy on privacy at www.csagroup.org/legal to find out how we protect your personal information.

Published in March 2011 by Canadian Standards Association
A not-for-profit private sector organization
5060 Spectrum Way, Suite 100, Mississauga, Ontario, Canada L4W 5N6
1-800-463-6727 416-747-4044

Visit our Online Store at www.ShopCSA.ca

Q31001-11
Implementation guide to CAN/CSA-ISO 31000, Risk management - Principles and guidelines

CSA Standard

ISBN 978-1-55491-614-6
Canadian Standards Association 2011
All rights reserved. No part of this publication may be reproduced in any form whatsoever without the prior permission of the publisher.

To purchase CSA Standards and related publications, visit CSA's Online Store at www.ShopCSA.ca or call toll-free 1-800-463-6727 or 416-747-4044.

The Canadian Standards Association (CSA) prints its publications on Rolland Enviro100, which contains 100% recycled post-consumer fibre, is EcoLogo and Processed Chlorine Free certified, and was manufactured using biogas energy.

Contents

CSA Technical Committee on Risk Management
Preface
0 Introduction
1 Scope
2 Terms and definitions
3 Principles
4 Framework
4.1 General
4.2 Mandate and commitment
4.3 Design of framework for managing risk
4.3.1 Understanding of the organization and its context
4.3.2 Establishing risk management policy
4.3.3 Accountability
4.3.4 Integration into organizational processes
4.3.5 Resources
4.3.6 Establishing internal communication and reporting mechanisms
4.3.7 Establishing external communication and reporting mechanisms
4.4 Implementing risk management
4.4.1 Implementing the framework for managing risk
4.4.2 Implementing the risk management process
4.5 Monitoring and review of the framework
4.6 Continual improvement of the framework
5 Process
5.1 General
5.2 Communication and consultation
5.3 Establishing the context
5.3.1 General
5.3.2 Establishing the external context
5.3.3 Establishing the internal context
5.3.4 Establishing the context of the risk management process
5.3.5 Defining risk criteria
5.4 Risk assessment
5.4.1 General
5.4.2 Risk identification
5.4.3 Risk analysis
5.4.4 Risk evaluation
5.5 Risk treatment
5.5.1 General
5.5.2 Selection of risk treatment options
5.5.3 Preparing and implementing risk treatment plans
5.6 Monitoring and review
5.7 Recording the risk management process

Annexes
A Attributes of enhanced risk management

Figures
1 Relationships between the risk management principles, framework and process
2 Relationship between the components of the framework for managing risk
2A Illustrative elements of a framework indicating linkages in a hypothetical organization
3 Risk management process

CSA Technical Committee on Risk Management

A. Loubani, Public Works and Government Services, Gatineau, Ontario (Chair)
P. Heimler, KPMG LLP, Toronto, Ontario (Vice-Chair)
J. Mattingly, Risk Results Consulting Inc., Ottawa, Ontario (Vice-Chair)
E. Alp Alp

(b) provide an explanation of circumstances surrounding the actual field condition; and
(c) where possible, phrase the request in such a way that a specific “yes” or “no” answer will address the issue.

Committee interpretations are processed in accordance with the CSA Directives and guidelines governing standardization and are published in CSA's periodical Info Update, which is available on the CSA website at http://standardsactivities.csa.ca.

(5) CSA Standards are subject to periodic review, and suggestions for their improvement will be referred to the appropriate committee. To submit a proposal for change to CSA Standards, please send the following information to inquiriescsa.ca and include “Proposal for change” in the subject line:
(a) Standard designation (number);
(b) relevant clause, table, and/or figure number;
(c) wording of the proposed change; and
(d) rationale for the change.

Q31001-11
Implementation guide to
CAN/CSA-ISO 31000, Risk management - Principles and guidelines

How to use this Standard

This CSA Standard is intended to provide guidance on the implementation of CAN/CSA-ISO 31000, Risk management - Principles and guidelines, and is structured in the following manner:

Informative guidance material to assist users in implementing the provisions of CAN/CSA-ISO 31000 is provided below the boxed text from CAN/CSA-ISO 31000. This guidance material comments and expands on the provisions of CAN/CSA-ISO 31000. Material identified as additional guidance supplements CAN/CSA-ISO 31000 with new definitions, figures, and concepts. This Implementation guide also includes an example of a risk maturity model as Annex A.

The text of CAN/CSA-ISO 31000 is reproduced in text boxes.

0 Introduction

Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an organization's objectives is “risk”.

All activities of an organization involve risk. Organizations manage risk by identifying it, analysing it and then evaluating whether the risk should be modified by risk treatment in order to satisfy their risk criteria. Throughout this process, they communicate and consult with stakeholders and monitor and review the risk and the controls that are modifying the risk in order to ensure that no further risk treatment is required. This International Standard describes this systematic and logical process in detail.

While all organizations manage risk to some degree, this International Standard establishes a number of principles that need to be satisfied to make risk management effective. This International Standard recommends that organizations develop, implement and continuously improve a framework whose purpose is to integrate the process for managing risk into the organization's overall governance, strategy and planning, management, reporting processes, policies, values and culture.

Risk management can be applied to an entire organization, at its many areas and levels, at any time, as well as to specific functions, projects and activities.

Although the practice of risk management has been developed over time and within many sectors in order to meet diverse needs, the adoption of consistent processes within a comprehensive framework can help to ensure that risk is managed effectively, efficiently and coherently across an organization. The generic approach described in this International Standard provides the principles and guidelines for managing any form of risk in a systematic, transparent and credible manner and within any scope and context.

Each specific sector or application of risk management brings with it individual needs, audiences, perceptions and criteria. Therefore, a key feature of this International Standard is the inclusion of “establishing the context” as an activity at the start of this generic risk management process. Establishing the context will capture the objectives of the organization, the environment in which it pursues those objectives, its stakeholders and the diversity of risk criteria - all of which will help reveal and assess the nature and complexity of its risks.

The relationship between the principles for managing risk, the framework in which it occurs and the risk management process described in this International Standard are shown in Figure 1.

When implemented and maintained in accordance with this International Standard, the management of risk enables an organization to, for example:
- increase the likelihood of achieving objectives;
- encourage proactive management;
- be aware of the need to identify and treat risk throughout the organization;
- improve the identification of opportunities and threats;
- comply with relevant legal and regulatory requirements and international norms;
- improve mandatory and voluntary reporting;
- improve governance;
- improve stakeholder confidence and trust;
- establish a reliable basis for decision making and planning;
- improve controls;
- effectively allocate and use resources for risk treatment;
- improve operational effectiveness and efficiency;
- enhance health and safety performance, as well as environmental protection;
- improve loss prevention and incident management;
- minimize losses;
- improve organizational learning; and
- improve organizational resilience.

This International Standard is intended to meet the needs of a wide range of stakeholders, including:
a) those responsible for developing risk management policy within their organization;
b) those accountable for ensuring that risk is effectively managed within the organization as a whole or within a specific area, project or activity;
c) those who need to evaluate an organization's effectiveness in managing risk; and
d) developers of standards, guides, procedures and codes of practice that, in whole or in part, set out how risk is to be managed within the specific context of these documents.

The current management practices
