The document outlines principles and guidelines for risk management applicable to various organizations over their life cycle, emphasizing a systematic approach to managing risks. It covers essential components of risk management, including risk identification, analysis, evaluation, and treatment, while promoting accountability and integration within organizational processes. The effectiveness of risk management is highlighted as dependent on committed leadership, clear communication, and continuous improvement practices.

3. 3
Risk management
Principles and
guidelines

4.  Foreword
 Introduction
1. Scope
2. Terms and definitions
3. Principles
4. Framework
5. Process
 Annex A

6.  Principles and generic guidelines on risk
management
 Any public, private or community enterprise,
association
 Throughout the life of an organization, and to a
wide range of activities, including strategies and
decisions, operations, processes, functions,
projects, products, services and assets.
 Any type of risk

7.  2.1 Risk
Effect of uncertainty on objectives

8.  Coordinated activities to direct and control an
organization with regard to risk

9.  Set of components that provide the foundations
and organizational arrangements for designing,
implementing, monitoring , reviewing and
continually improving risk management
throughout the organization

10.  Statement of the overall intentions and
direction of an organization related to risk
management

11.  Organization's approach to assess and
eventually pursue, retain, take or turn away
from risk

12.  Amount and type of risk that an organization is
prepared to pursue, retain or take

13.  Attitude to turn away from risk

14.  Scheme within the risk management
framework specifying the approach, the
management components and resources to be
applied to the management of risk

15.  Person or entity with the accountability and
authority to manage the risk

16.  Systematic application of management
policies, procedures and practices to the
activities of communicating, consulting,
establishing the context, and identifying,
analyzing, evaluating, treating, monitoring
and reviewing risk

17.  Defining the external and internal parameters
to be taken into account when managing risk,
and setting the scope and risk criteria for the
risk management policy

18.  External environment in which the
organization seeks to achieve its objectives

19.  Internal environment in which the organization
seeks to achieve its objectives

20.  Continual and iterative processes that an
organization conducts to provide, share or
obtain information and to engage in dialogue
with stakeholders and others regarding the
management of risk

21.  Person or organization that can affect, be
affected by, or perceive themselves to be
affected by a decision or activity

22.  Overall process of risk identification , risk
analysis and risk evaluation

23.  process of finding, recognizing and describing
risks

24.  Element which alone or in combination has the
intrinsic potential to give rise to risk

25.  Occurrence or change of a particular set of
circumstances

26.  Outcome of an event affecting objectives

27.  Chance of something happening

28. 2.22 risk profile
 Description of any set of risks

29.  Process to comprehend the nature of risk and
to determine the level of risk

30.  Terms of reference against which the
significance of a risk is evaluated

31.  Magnitude of a risk , expressed in terms of the
combination of consequences and their
likelihood

32.  Process of comparing the results of risk
analysis with risk criteria to determine whether
the risk and/or its magnitude is acceptable or
tolerable

33.  Process to modify risk

34.  measure that is modifying risk

35.  Risk remaining after risk treatment

36.  continual checking, supervising, critically
observing or determining the status in order to
identify change from the performance level
required or expected

37. 2.31 review
• activity undertaken to determine the suitability,
adequacy and effectiveness of the subject
matter to achieve
• established objectives

44. Internal Context

45. a) Risk management creates and protects
value.
b) Risk management is an integral part of all
organizational processes.
c) Risk management is part of decision
making.
d) Risk management explicitly addresses
uncertainty.

46. e) Risk management is systematic, structured
and timely.
f) Risk management is based on the best
available information.
g) Risk management is tailored.
h) Risk management takes human and
cultural factors into account.

47. j) Risk management is transparent and
inclusive.
k) Risk management is dynamic, iterative and
responsive to change.
l) Risk management facilitates continual
improvement of the organization.

48.  4.1 General
 The success of risk management will depend
on the effectiveness of the management
framework providing
 the foundations and arrangements that will
embed it throughout the organization at all
levels.

50.  The introduction of risk management and
ensuring its on-going effectiveness require
strong and sustained
 commitment by management of the
organization, as well as strategic and rigorous
planning to achieve
 commitment at all levels.

51. • 4.3.1 Understanding of the organization and its context
• 4.3.2 Establishing risk management policy
• 4.3.3 Accountability
• 4.3.4 Integration into organizational processes
• 4.3.5 Resources
• 4.3.6 Establishing internal communication and reporting
mechanisms
• 4.3.7 Establishing external communication and
reporting mechanisms

52. • 4.4.1 Implementing the framework for
managing risk
• 4.4.2 Implementing the risk management
process

53.  measure risk management performance against
indicators
 periodically measure progress against, and deviation
from, the risk management plan
 periodically review whether the risk management
framework, policy and plan are still appropriate
 report on risk, progress with the risk management plan
 review the effectiveness of the risk management
framework

54.  Based on results of monitoring and reviews,
decisions should be made on how the risk
management framework, policy and plan can
be improved.
 These decisions should lead to improvements
in the organization's management of risk and
its risk management culture.

66. 5.1 General
The risk management process should be
⎯ an integral part of management,
⎯ embedded in the culture and practices, and
⎯ tailored to the business processes of the
organization.

68.  Communication and consultation with external
and internal stakeholders should take place
during all stages of the risk management
process.

69.  5.3.1 General
 5.3.2 Establishing the external context
 5.3.3 Establishing the internal context
 5.3.4 Establishing the context of the risk
management process
 5.3.5 Defining risk criteria

70.  5.4.1 General
 5.4.2 Risk identification
 5.4.3 Risk analysis
 5.4.4 Risk evaluation

71.  5.5.1 General
 5.5.2 Selection of risk treatment options
 5.5.3 Preparing and implementing risk
treatment plans

72.  Both monitoring and review should be a
planned part of the risk management process
and involve regular checking or surveillance. It
can be periodic or ad hoc.

73.  Risk management activities should be
traceable. In the risk management process,
records provide the foundation for
improvement in methods and tools, as well as
in the overall process.

74.  Attributes of enhanced risk management

76.  [1] ISO Guide 73:2009, Risk management —
Vocabulary
 [2] IEC 31010, Risk management — Risk
assessment guidelines

77. • BS 31100:2008 -BSI British Standards- Risk
management- Code of practice