qITIL中级课程风险管理

qlTIL中级课程风险管理

Contents

CHAPTER1:INTRODUCTION

1.1Purposeofthisguide

1.2Whatismanagementofrisk?

Inthisguideriskisdefinedasuncertaintyofoutcome,whetherpositiveopportunityornegative

threat.Theterm'managementofrisk'incorporatesalltheactivitiesrequiredtoidentifyandcontrol

theexposuretoriskwhichmayhaveanimpactontheachievementofanorganisation'sbusiness

objectives.

Everyorganisationmanagesitsrisk,butnotalwaysinawaythatisvisible,repeatableand

consistentlyappliedtosupportdecisionmaking.Thetaskofmanagementofriskistoensurethat

theorganisationmakescosteffectiveuseofariskprocessthathasaseriesofwelldefinedsteps.

Theaimistosupportbetterdecisionmakingthroughagoodunderstandingofrisksandtheirlikely

impact.

Therearetwodistinctphases:riskanalysisandriskmanagement.Riskanalysisisconcernedwith

gatheringinformationaboutexposuretorisksothattheorganisationcanmakeappropriate

decisionsandmanageriskappropriately.

Managementofriskinvolveshavingprocessesinplacetomonitorrisks,accesstoreliableandupto

dateinformationaboutrisks,therightbalanceofcontrolinplacetodealwiththoserisks,and

decisionmakingprocessessupportedbyaframeworkofriskanalysisandevaluation.

Managementofriskcoversawiderangeoftopics,includingbusinesscontinuitymanagement,

security,programme/projectriskmanagementandoperationalservicemanagement.Thesetopics

needtobeplacedinthecontextofanorganisationalframeworkforthemanagementofrisk.Some

risk-relatedtopics,suchassecurity,arehighlyspecialisedandthisguidanceprovidesonlyan

overviewofsuchaspects.

1.3Whymanagementofriskisimportant

Acertainamountofrisktakingisinevitableifyourorganisationistoachieveitsobjectives.Effective

managementofriskhelpsyoutoimproveperformancebycontributingto:

•increasedcertaintyandfewersurprises

•betterservicedelivery

•moreeffectivemanagementofchange

•moreefficientuseofresources

bettermanagementatalllevelsthroughimproveddecisionmaking

reducedwasteandfraud,andbettervalueformoney

innovation

•managementofcontingentandmaintenanceactivities.

1.4Whoisinvolvedinriskmanagement

Inpractice,everyoneinanorganisationisinvolvedinriskmanagementtosomeextentandshould

beawareoftheirresponsibilitiesinidentifyingandmanagingrisk.However,therearesomeaspects

forwhichresponsibilitymustbeassignedtoindividuals.Withoutclearresponsibility(andthe

authoritytosupportthatresponsibility)someriskswillbemissedoroverlooked.

Inthepublicsector,therearetwomajorroleswithaclearresponsibilitytoensurerisksaremanaged

(therewillbeequivalentstotheserolesinprivatesectororganisations).Theserolesare:

•anAccountingOfficer(orequivalentseniormanager),whoisresponsibleforthe

organisation'soverallexposuretorisk.TypicallythispersonwillbetheChiefExecutive

Officer(CEO);theseniormanagerintheorganisation.Theymaydelegatesomeofthe

actionsbutcannotforgotheresponsibility

•aseniormanageractingasaproject'owner；whoisresponsibleforriskrelatingtoaspecific

programmeorprojectandfortherealisationofassociatedbusinessbenefits.

Audienceforthisguidance

Businessmanagers,processowners,strategicplanners,projectandprocurementteams,business

continuityplannersandsecurityteamsaretheprimaryaudienceforthisguidance,togetherwith

theirserviceproviders.

Itwillalsobeofinteresttoauditors,withtheirresponsibilityforensuringeffectivecorporate

governance.

1.5Howtousethisguide

Chapter1introducesthestructure,processandcultureofmanagementofrisk,explainingwhy

organisationsneedtodeviseandimplementeffectivestrategiesinordertomaximiseopportunities

andminimisethreatstotheachievementoftheirbusinessobjectives.Itidentifieskeypersonnelin

themanagementofriskandthetargetaudiencefortheguidance.

TheAnnexesprovidesupportingdetail:

1.6Theresearchforthisguidance

CHAPTER2:PRINCIPLES

Thischapteroutlinesthekeyprinciplesunderpinningtheeffectivemanagementofrisk.

2.1Criticalsuccessfactorsformanagementofrisk

Thekeyelementsthatneedtobeinplaceifriskmanagementistobeeffective,andinnovation

encouraged,include:

•clearlyidentifiedseniormanagementtosupport,ownandleadonriskmanagement

•riskmanagementpoliciesandthebenefitsofeffectivemanagementclearlycommunicated

toallstaff

•existenceandadoptionofaframeworkformanagementofriskthatistransparentand

repeatable

•existenceofanorganisationalculturewhichsupportswellthought-throughrisktakingand

innovation

•managementofriskfullyembeddedinmanagementprocessesandconsistentlyapplied

•managementofriskcloselylinkedtoachievementofobjectives

•risksassociatedwithworkingwithotherorganisationsexplicitlyassessedandmanaged

•risksactivelymonitoredandregularlyreviewedonaconstructive'no-blame'basis.

Jointworkingandpartnershipsofteninvolvemorecomplextypesofriskthatcanadverselyaffect

thedeliveryofbusinessservices.Forexample,ifpartoftheserviceprovidedbyoneorganisationis

delayedorofpoorquality,thesuccessofthewholecollaborationcanbeputatrisk.Youmustmake

surethatyourorganisationknowsabouttheriskmanagementapproachesofyourpartners.Sharing

informationaboutriskmanagementmeansthatrisksincollaborativeprogrammescanbeidentified

andmanagedinaproactiveway.

Publicsectorconcerns

TheModernisingGovernmentinitiativeseekstoencouragethepublicsectortoadoptwellmanaged

risktakingwhereitislikelytoleadtosustainableimprovementsinservicedelivery.Moreeffective

riskmanagementwillimprovethepublicsector'sabilitytoundertaketheincreasinglycomplexand

cross-cuttingprojectsthataredemandedbytheModernisationagenda.Publicsectororganisations

needtohaveinplacetheskills,managementstructuresandorganisationalstructurestotake

advantageofpotentialopportunitiestoperformbetterandtoreducethepossibilityoffailure.

Thekeyareasthathavetobeaddressedare:

•theneedfora'riskowner'atseniorlevel,foranactivity(strategy,programmeorproject).

Heorsheissupportedbyriskownersateverydayworkinglevelsasappropriateforthe

activityandriskexposure

•theneedforimprovedreportingandupwardreferralofmajorproblems

•opportunitiesandthepotentialresolutionapproaches

theneedforsharedunderstandingofriskmanagementatalllevelsintheorganisationand

withpartners,combinedwithconsistenttreatmentofrisk

managingprojectriskinthewidercontextofprogrammesofchangeandthebusiness.

Meetingtheneedsofcorporategovernance

Corporategovernanceistheongoingactivityofmaintainingasoundsystemofinternalcontrolto

safeguardshareholders'investmentandthecompany'sassets.

TheTurnbullReportstatesthat:

'acompany/sobjectives,itsinternalorganisationandtheenvironmentwhichitoperatesinare

continuallyevolvingandasaresulttherisksitfacesarecontinuallychanging.Asoundsystemof

controlthereforedependsonathoroughandregularevaluationofthenatureandextentoftherisks

towhichthecompanyisexposed.Sinceprofits[orbusinessresults]areinparttherewardfor

successfulrisktakinginbusiness,thepurposeofinternalcontrolistohelpmanageandcontrolrisk

ratherthaneliminateit.'

Corporategovernanceframeworksmustensurethatmanagementisheldaccountablefora

corporation'sperformanceandthatownersareabletomonitorandinterveneintheoperationsof

management.

Theseprinciplesapplyequallytothepublicandprivatesectors.Whereascorporationsfocusmainly

onshareholderreturnsandthepreservationofshareholders'value,thepublicsector'sroleisto

implementprogrammescosteffectivelyinaccordancewithGovernmentlegislationandpolicies.

Policyonmanagementofrisktosupportcorporate

governance

Tosupportcorporategovernance,thereneedstobeariskmanagementpolicyinplace.Thispolicy

should:

•beappropriateforthesizeandnatureofyourorganisation,itsbusinessandoperating

environment

•beclearabouttheroles(and,ifpossible,individuals)thatareresponsibleforrisk

•beclearaboutescalationcriteriainrelationtoriskmanagement(i.e.zwhentoreferdecision

makingupwards)

•ensurethatprocesses,andthecuIture/infrastructure,toidentifyandmanageriskareputin

place;theseprocessesmustberepeatable

setupthemechanismformonitoringthesuccessoftheapplicationofthepolicy(including

reportstomanagement,atleastannually)

•ensurethatinternalcontrolmechanismsareinplaceforindependentassessmentthatthe

policyisimplemented(andchecked).

2.2Whatisatriskandwhy?

Relatingmanagementofrisktosafety,securityandbusiness

continuity

Managementofriskshouldbecarriedoutinthewidercontextofsafetyconcerns,securityand

businesscontinuity.

•Healthandsafetypolicyandpracticeisconcernedwithensuringthattheworkplaceisa

safeenvironment.

•Securityisconcernedwithprotectingtheorganisation'sassets,includinginformation,

buildingsandsoon.

•Businesscontinuityisconcernedwithensuringthattheorganisationcouldcontinueto

operateintheeventofadisaster;suchaslossofaservice,floodorfiredamage.

冈

Figure1:Reasonsforariskmanagementprocess

Reducingriskinlargescaleprojects

Experiencehasshownthatprogrammesandprojectsattemptingalargescale,comprehensive

businesschangearelesslikelytobesuccessfulthanthosetakingalessambitious,step-by-step

approach.Althoughthelatterincreasesmanagementactivity,witheachoftheelementsneedingto

becontrolledandcoordinated,theadvantagesarethatactivitiesare:

•easiertomanage

•simplertoimplementwithinthebusinessenvironment

•easiertoacceptformallyas,typically,thespecificationiseasiertodocumentandthus

simplertoverifythatithasbeenmet

•abletooffermoreoptionsforcontingency

•morelikelytoaccommodatefastmovingchangesintechnology,orinthepoliticalor

financialenvironment

abletooffermoredecisionpoints,allowinggreatercontroloftheproject.

2.3Decisionsaboutrisk

Decisionsaboutriskneedtobebalancedsothatthepotentialbenefitsareworthmoretothe

organisationthanitcoststoaddresstherisk.

Forexample,innovationisinherentlyriskybutcouldachievemajorbenefitsinimprovingservices.

Theabilityoftheorganisationtolimititsexposuretoriskwillalsobeofrelevance.

Youshouldaimtomakeanaccurateassessmentoftherisksinagivensituationandanalysethe

potentialbenefits.Therisksandopportunitiespresentedbyeachcourseofactionshouldbedefined

inordertoidentifyappropriateresponse.

Scopeofdecisions

Decisionsaboutriskwillvarydependingonwhethertheriskrelatestolong,mediumorshort-term

goals.

Strategicdecisionsareprimarilyconcernedwithlong-termgoals;thesesetthecontextfordecisions

atotherlevelsoftheorganisation.Therisksassociatedwithstrategicdecisionsmaynotbecome

apparentuntilwellintothefuture.Thusitisessentialtoreviewthesedecisions,andassociatedrisks,

onaregularbasis.

Medium-termgoalsareusuallyaddressedthroughprogrammesandprojectstobringaboutbusiness

change.Decisionsrelatingtomedium-termgoalsarenarrowerinscopethanstrategicones,

particularlyintermsoftimeframeandfinancialresponsibilities.

Therearealsoconsiderationsaboutwhatcanrealisticallybeachievedinonechangeinitiative.

Deliveryofeachofthecomponentsofachangeinitiative(whetheraprogramme,projectorstage)

mustprovidesomedirectbenefittotheorganisationasaresultofitsdelivery.Thiscouldbeby

delivering:

•amajorcomponenttosupport/buildtowardstheintendedoutcome-forexample,

providingatelephonehelplinefirstaspartofanewinformationserviceandthenadding

websiteservicestoexpandthefacilitiesavailabletothepublic

•theproducttopartoftheendusercommunityandthen'rollingout'totherestofthat

community-forexample,introducinganewinformationserviceintheNorth-Eastand

graduallymakingitavailablenationwide.

Whenmanaginganyprojectitisessentialtoensuremajordecisionsaremadeappropriately.A

projectwillsupportsomebusinesschangeandsorequiresomethingtobeproducedandthenput

intouse.

0

Figure2:Mainstagesoftheprocurementprocess

2.4Whererisksoccur

Theriskmanagementprocessshouldbemostrigorouslyappliedwherecriticaldecisionsarebeing

made.

•strategicorcorporate

programme

project

operational.

Inpractice,thelevelsoverlap;however,itishelpfultoclarifytheoccurrenceofrisksattheselevels

toinformthekindofdecisionsyouarelikelytomake.

0

Figure3:Organisationalmanagementhierarchy

Itisimportanttonotethatariskmaymaterialiseinitiallyatonelevelbutsubsequentlyhaveamajor

impactatadifferentlevel.ArecentexampleisaHighStreetbankfacingtechnicalfaultsatthe

operationallevel;ultimatelycustomers'confidenceinthebank'sonlineservicebecameastrategic

risk.Thishighlightstheneedforrelevantinformationaboutriskstobesharedthroughoutthe

organisation.

Table1:Riskrelatedtoorganisationallevels

LevelExamplesoftypicalrisksconsideredatthislevel

Strategic/corporateCommercial,financial,political,environmental,directional,cultural,acquisition

andqualityrisks.Thereisafocusonbusinesssurvival,continuityandgrowth

forthefuture.Whenprogramme,projectandoperationalrisksexceedset

criteria-e.g.notacceptable,outsideagreedlimits,couldaffectstrategic

objectives,informationneedstobeescalatedtothislevelsothatappropriate

decisionscanbetaken.

ProgrammeProcurement/acquisition,funding,organisational,projects,security,safety,

qualityandbusinesscontinuityrisks.Whenprojectandoperationalrisksexceed

setcriteria一e.g.notacceptable,outsideagreedlimits,couldaffectprogramme

objectives,informationneedstobeescalatedtothislevelsothatappropriate

decisionscanbetaken.

ProjectPersonal,technical,cost,schedule,resource,operationalsupport,qualityand

providerfailure.Operationalissues/risksshouldbeconsideredatthislevelas

theyaffecttheprojectandhowitneedstoberun.Informationonstrategicand

programmerelatedrisksshouldbecommunicatedtothislevelwheretheycould

affectprojectobjectives.Projectmanagersshouldcommunicateinformationon

riskstootherprojectsandoperationsasappropriate.

OperationsPersonal,technical,cost,schedule,resource,operationalsupport,quality,

providerfailure,environmentalandinfrastructurefailure.AIIthehigherlevels

haveinputtothislevel;specificconcernsincludebusinesscontinuity

management/contingencyplanning,supportforbusinessprocessesand

customerrelations.

Additionalfactors

Additionalfactorsmayincreasethecomplexityofassessingoverallexposuretorisk.Theseinclude:

•interdependencies,orlinksbetweenprojectsand/orrelatedissues,wheretheimpactof

oneormoreriskscouldaffectothers,possiblycreatinga'domino'effect.Youshouldensure

thatanyknowninterdependenciesareidentifiedandassessedsothatappropriateaction

canbeplanned

•therelationshipbetweenbusinessbenefitsandriskstodelivery,whereachievementof

benefitsisdependentonsuccessfuldeliveryofaproject.Youshouldcontinuallycheck

whetherchangingplansaffecttheachievementofbenefits.

2.5Aframeworkformanagingrisk

Aframeworkformanagementofrisksetsthecontextinwhichriskswillbeidentified,analysed,

controlled,monitoredandreviewed.Itmustbeconsistentwithprocessesthatareembeddedin

everydaymanagementandoperationalpractices.Itaddresses:

•howrisksareidentified

•howinformationabouttheirprobabilityandpotentialimpactisobtained

•howrisksarequantified

•howoptionstodealwiththemareidentified

•howdecisionsonriskmanagementaremade,suchasfurtherriskreduction

•howthesedecisionsareimplemented

•howactionsareevaluatedfortheireffectiveness

howappropriatecommunicationmechanismsaresetupandsupported

howstakeholdersareengagedthroughouttheprocess.

2.6Riskownership

Fortheorganisation,ownershipoftheriskmanagementframeworklieswiththeAccountingOfficer

(orequivalentseniormanageratBoardlevel).Individualseniormanagersowntheprogrammeor

projectandareresponsibleforthemanagementoftheoverallriskofthatactivity.However,these

rolesdonotownalltheindividualrisks.Riskownershipmustbeclearlydefined,documentedand

agreedwiththeindividualownersatalllevels,sothattheyunderstandtheirvariousroles,

responsibilitiesandultimateaccountabilitywithregardtothemanagementofrisk.Theownerofa

riskmaynotbethepersontaskedwiththeassessmentormanagementoftherisk,butheorsheis

responsibleforensuringthemanagementofriskprocessisapplied-theremaybeseparateowners

toactuallydealwiththerisks.

Itisimportanttoidentifywhoowns:

•thesettingpolicyandtheorganisation'swillingnesstotakerisk

•themanagementofriskprocessatthedifferentlevels-thatis,strategic,programme,

project,operationallevels

•differentelementsofthemanagementofriskprocess,suchasidentifyingthreats,through

toproducingriskresponsesandreportingondecisions

•implementationoftheactualmeasurestakeninresponsetotherisks

•interdependentrisksthatcrossorganisationalboundaries,whethertheyarebusiness

processes,operationalservicesorprojects.

Forexample,foraseniormanagerwithresponsibilityforaproject,ownershipofriskcouldbe

definedasfollows:

Seniormanagersresponsibleforprojectsmustassurethemselvesthatanumberoftypesofriskare

beingtrackedanddealtwithaseffectivelyaspossible.Themechanismsinplaceformonitoringand

reportingriskwillvaryaccordingtothesizeandcomplexityoftheprojectorprogramme,ranging

fromtheuseofasimpleriskregistertotheappointmentofariskmanagerreportingdirectlytothe

seniormanager.Clearly,thedegreeofdelegationadoptedbytheseniormanagerwillvary,butheor

shemustbesurethatthecriticalissuesarebeingaddressed;forexample,throughchairingthe

projectboardorbydevelopingstrongmechanismsforreportingproblems.

Checklist:ownershipofriskandtheprocess

•Haveownersbeenallocatedforallthevariouspartsofthecompletemanagementofrisk

process?

Arethevariousrolesandresponsibilitiesassociatedwithownershipwelldefined?

•Dotheindividualswhohavebeenallocatedownershipactuallyhavetheauthorityand

capabilitytofulfiltheirresponsibilities?Forexample,suppliersmaybetaskedwithrisk

ownership.

•Havethevariousrolesandresponsibilitiesbeencommunicatedandunderstood?

•Arethenominatedownersappropriateandawareoftheirnomination?

•Isownershipreassessedonaperiodicbasis,orintheeventofachangeinthesituation;

andifnecessary,canitbequicklyandeffectivelyreallocated?

•Doallrisks,andwhereappropriatetheirmitigationactions,haveclearlyidentifiedowners?

Aretheseownersappropriate?

2.7Embeddingtheriskmanagementculture

Identifyingappropriatepolicies,standardsandpracticesisthefirststageofcreatingarisk

managementculture.Oncetheseareinplacetheyneedtobetotallyembeddedinindividuals

throughtheenactmentoftheirrolesandassociatedresponsibilities.

Awarenessofandresponsibilityforriskissuesmustbelinkedexplicitlytokeyobjectives,inorderto

buildasustainableriskmanagementculture.Thereshouldbedelegatedresponsibilityforrisksat

everylevelofobjectivesintheorganisation.Thisisthemajorsupporttoembeddingrisk

managementintotheorganisationanditsculture,withriskmanagementseenasanintrinsicpartof

thewayanorganisationworks.Asthepeopleinanorganisationchange,itisessentialtoensurea

continuingunderstandingofrolesandresponsibilitiesrelatedtomanagingrisk.

Theriskenvironmentisconstantlychangingtoo.Yourorganisation'sprioritiesandtherelative

importanceofriskswillshiftandchange.Assumptionsaboutriskhavetoberegularlyrevisitedand

reconsidered,perhapsbyannualreviewoftherisksassociatedwitheachofthekeyorganisational

objectives.

Establishingappropriatecompetenciesandbehaviours

Animportantaspectofsettingupariskcultureistoensureitisrelevanttotheorganisation.Risk

managementisamajorfacetofeffectivecorporategovernance.

Thoseresponsibleforcorporategovernanceneedtohaveknowledgeandunderstandingof:

•strategicplanning

•legalrequirements

•agreementsandcontracts

•communicationtechniquesandinformationmanagement

•staffmatters,includinghowstaffcanbemotivatedandinvolved

•educationopportunitiesandcontinualprofessionaldevelopment

•continuousimprovementand/oranalyticaltechniques

•howtheorganisationismonitoredandevaluated

•resourcemanagement,includingequalopportunitiesanddelegation.

Althoughmanagerstendtoworkinspecificareasoftheorganisation,eitherbasedontechnical

specialismorbusinessfunction,theyallneedtoidentifyandmanagerisk.Todothistheyneedtobe

ableto:

•ensurethatthesituationisproperlyscoped

•identifyandassesstherisk

•createvalidoptionsforreducingrisktoanacceptablelevel

•collectappropriateandmeaningfulinformationtoassessriskandtheoptions,andthento

monitortherisk

•usesoundreasoningwhenmakingatrade-offbetweenthecostsandbenefitsofmanaging

arisk

•makeaclearcommitmenttoaparticularcourseofaction.

Forplanning,themajorareastoconsiderare:

•decidingonthelikelihoodofaspecificeventoccurring

•prioritisingareastoaddress/actionstoinstigate.Thisrequiresunderstandingthe

implicationsoftheoptionsavailable

•assigningownershipofrisksandactions,containmentorcontingent,tobedeployedina

timelymanner

•ensuringthatcontinuityplanscancopewiththecurrentandpotentialfuturesituation,not

withhowthingswereintherecentpast.

Visibleinformationonrisk

Informationonriskanditsmanagementneedstoreachthepeoplewhohavetotakeactionormake

decisions.Thisinformationwillflowdownwardsandupwardsbetweentheorganisationallevels.

Therewillalsobesidewaysflowsacrosseachlevel,betweenprogrammesorprojects.Thevertical

flowsarethemostimportantastheyreflectlevelsofresponsibilityfordecisionmaking.

Forexample,adecisionmaybemadeatthestrategiclevelthataffectstheprogressofcurrent

programmes.Conversely,thecollectiverisksrelatingtotheprogressofcurrentprogrammesmay

haveastrategicimpact.

Theseexamplesillustratewhyrisksshouldbeidentifiedandhandledateachlevelbeforetheyare

passedupordowntothenextlevel.Goodcommunicationmechanismsareessentialtoavoidthe

followingproblems:

•inadequatecommunicationfromlowerlevels,wherepeoplehave'handson'knowledge,to

thelevelwheredecisionsaremade,leadstounrealisticexpectationsfromsenior

management

•inadequatecommunicationfromthetopdowncanmeanthatprojectsarenolonger

supportingthebusinessdirection.

Communications

Toaddresstheseproblemsyouwillneedtoensurethatappropriatecommunicationmechanisms

existandareadopted.Yourorganisationshould:

•ensurethereissufficientcommunicationtokeystakeholders,whetherinternalorexternal,

tosupporttheirneeds

•ensurethatpeopleareaware,informedandunderstandtheirpartinmanagingrisk

•considerwhetherthereisaneedtoimproveinternalcommunications

•considertrainingneedsandhowthesecanbemetadequately

•ensurepeoplehavetherightinformationattherighttimetofulfiltheirresponsibilities(and

howtorecogniseifthisdoesnothappen).

Ensuringthatyourcontrolsareadequate

Theremustbeadequatecontrolmechanismstomeettheneedsofcorporategovernance.Thesewill

bedescribedintheriskpolicyandimplementedthroughtheriskmanagementframework.Specific

controlswillbeintroducedacrosstheorganisationtocopewithcertaincircumstances,suchas

throughtheuseofprogrammeandprojectmanagement.

Onceanappropriatesetofcontrolsisadopted,anindependentauditwillcheckthattheyareinplace,

adequateandinuse.

2.8Budgets

Themanagementofriskprocessmustbeembeddedintheorganisation,ratherthanbeingtacked

onasanafterthought.Th