风险管理培训资料(英文版)(doc 70页).doc

n更多企业学院： 中小企业管理全能版183套讲座+89700份资料总经理、高层管理49套讲座+16388份资料中层管理学院46套讲座+6020份资料国学智慧、易经46套讲座人力资源学院56套讲座+27123份资料各阶段员工培训学院77套讲座+ 324份资料员工管理企业学院67套讲座+ 8720份资料工厂生产管理学院52套讲座+ 13920份资料财务管理学院53套讲座+ 17945份资料销售经理学院56套讲座+ 14350份资料销售人员培训学院72套讲座+ 4879份资料Contentso 1.1燩urpose of this guide o 1.2燱hat is management of risk? o 1.3燱hy management of risk is important o 1.4燱ho is involved in risk management o 1.5燞ow to use this guide o 1.6燭he research for this guidanceo 2.1燙ritical success factors for management of risk o 2.2燱hat is at risk and why? o 2.3燚ecisions about risk o 2.4燱here risks occur o 2.5燗 framework for managing risk o 2.6燫isk ownership o 2.7燛mbedding the risk management culture o 2.8燘udgetso 3.1燚efining a framework for management of risk o 3.2燫isk identification o 3.3營dentifying probable risk owners o 3.4燫isk evaluation o 3.5燬etting risk tolerances o 3.6燫esponse to risk o 3.7營mplementing risk responses o 3.8燤onitoring responses o 3.9燗ssurance and review o 3.10燙ontinuing to improveo 4.1燭ypes of risk o 4.2燱here to apply risk management o 4.3燱hen to do it o 4.4燱ho is involved o 4.5燬trategic level policy for management of risko 5.1燗reas of risk o 5.2燭ypes of risk o 5.3燱here to apply risk management o 5.4燱hen to do it o 5.5燱ho is involved o 5.6燩rogramme level policy for management of risko 6.1燘reaking down a project o 6.2燭ypes of risk o 6.3燱here to apply risk management o 6.4燱hen to do it o 6.5燱ho is involved o 6.6燩roject level policy for management of risko 7.1燭ypes of risk o 7.2燱here to apply risk management o 7.3燱hen to do it o 7.4燱ho is involved o 7.5燨perational level policy for management of risko 8.1燫isk identification approaches o 8.2燫isk management approaches o 8.3燚ocumentation techniques o 8.4燛xternal review of activities o 8.5燗pplying the risk management processeso A1燬trategic benefits o A2燜inancial benefits o A3燩rogramme benefits o A4燘usiness process benefits o A5燨verall management benefitso B1燢ey elements o B2燫eview of overall effectiveness o B3燙hecklist: risk ownership o B4燙hecklist: on risk identification o B5燙hecklist: risk evaluation and assessment of the organisations willingness to take on risk o B6燙hecklist: risk response o B7燙hecklist: monitoring and control mechanismso C1燭hreats and impacts o C2燬trategic risk - major threats o C3燭hreats to projects or programmes o C4燨perational riskso D1燯sing the summary risk profile o D2燣ooking at probability o D3燣ooking at impacto E1燤odular and incremental approaches o E2燙ontract risk management o E3燨utsourcing to support business needs o E4燣egal aspects of procuremento F1燱hy is business continuity management important? o F2燱hat is business continuity management? o F3燞ow to implement business continuity management o F4燬tructuring business continuity plans o F5燘usiness continuity supported by a risk management process o F6燱ho to involve in business continuity management o F7營ssues to consider in a BCP o F8燗ssuring your BCP is viable o F9燱here to store BCPs o F10燙ommunications o F11燘CM summaryo G1燞ow are safety and security related? o G2燤andate for ensuring safety and security o G3燬ecuring assets o G4燬ecuring incidents o G5燗dopting good practice in information security managemento H1燫isk identification workshops o H2燫isk management workshops o H3燙ause-and-effect diagrams o H4燚ecision trees o H5營nsurance premium approach o H6燙ritical path analysis (CPA) or critical path method (CPM) o H7燤onte Carlo simulation o H8燫isk map o H9燩robability and impact grid o H10燬catter diagram o H11燫adar chart o H12燫isk indicatorso J1燗ssessing success o J2燱hy projects fail o J3燬topping a project o J4燘arrierso K1營ssues to consider when selecting tools o K2燗ppraisal and evaluation in context o K3燝eneral appraisal procedure o K4燙ustomisation of criteriao L1燘usiness Case o L2燘usiness Continuity Plan (BCP) o L3燙ommunications Plan o L4燙ontingency plan o L5燤anagement of Risk Policy o L6?Activity) plans for programme and/or project o L7燫isk Register o L8燬ecurity policy o L9燬takeholder map o L10燬ummary Risk ProfileCHAPTER 1: INTRODUCTION1.1 Purpose of this guideThis guide is intended to help organisations to put in place effective frameworks for taking informed decisions about risk. The guidance provides a route map for, bringing together recommended approaches, checklists and pointers to more detailed sources of advice on tools and techniques. It expands on the Guidelines for Managing Risk.The process of investment appraisal, in which assessments are made of costs, and risks, is outside the scope of this guide. However, many of the principles and techniques described here can be used when developing the. The approach described in this guide complementss guidance on programme and management and is continually updated to reflect current thinking. This approach, branded by as (), is supported by training and qualifications.1.2 What is management of risk?In this guide risk is defined as uncertainty of outcome, whether positive or negative. The term incorporates all the activities required to identify and control the exposure to risk which may have an impact on the achievement of an organisations business objectives.Every organisation manages its risk, but not always in a way that is visible, repeatable and consistently applied to support decision making. The task of is to ensure that the organisation makes cost effective use of a that has a series of well defined steps. The aim is to support better decision making through a good understanding of risks and their likely impact.There are two distinct phases: and. Risk analysis is concerned with gathering information about exposure to risk so that the organisation can make appropriate decisions and manage risk appropriately.involves having processes in place to monitor risks, access to reliable and up to date information about risks, the right balance of control in place to deal with those risks, and decision making processes supported by a framework of and evaluation.covers a wide range of topics, including business continuity management, security, / management and operational service management. These topics need to be placed in the context of an organisational framework for the. Some risk-related topics, such as security, are highly specialised and this guidance provides only an overview of such aspects.1.3 Why management of risk is importantA certain amount of risk taking is inevitable if your organisation is to achieve its objectives. Effective helps you to improve performance by contributing to: increased certainty and fewer surprises better service delivery more effective management of change more efficient use of resources better management at all levels through improved decision making reduced waste and fraud, and better value for money innovation management of contingent and maintenance activities. See for examples of the of more effective.1.4 Who is involved in risk managementIn practice, everyone in an organisation is involved in risk management to some extent and should be aware of their responsibilities in identifying and managing risk. However, there are some aspects for which responsibility must be assigned to individuals. Without clear responsibility (and the authority to support that responsibility) some risks will be missed or overlooked.In the public sector, there are two major roles with a clear responsibility to ensure risks are managed (there will be equivalents to these roles in private sector organisations). These roles are: an Accounting Officer (or equivalent senior manager), who is responsible for the organisations overall exposure to risk. Typically this person will be the Chief Executive Officer (CEO); the senior manager in the organisation. They may delegate some of the actions but cannot forgo the responsibility a senior manager acting as a owner, who is responsible for risk relating to a specific or and for the realisation of associated business. Audience for this guidanceBusiness managers, process owners, strategic planners, and teams, business continuity planners and security teams are the primary audience for this guidance, together with their service providers.It will also be of interest to auditors, with their responsibility for ensuring effective.1.5 How to use this guideChapter 1 introduces the structure, process and culture of, explaining why organisations need to devise and implement effective strategies in order to maximise and minimise to the achievement of their business objectives. It identifies key personnel in the and the target audience for the guidance.outlines the key principles underpinning: establishing a framework, risk ownership, where risks occur, the decision making process, the importance of embedding the risk management culture, and allocating realistic budgets.describes the main activities of. It contains practical examples, pointers and checklists for identifying and responding to risk, and monitoring.7 explain when and how should be applied throughout an organisation, at the strategic, , and operational levels.discusses the range of techniques available to support the process.The Annexes provide supporting detail: : Examples of of : Healthcheck: how well is your organisation managing risk? : Categorising risk : Setting a standard for evaluation of risk :, contractual and legal considerations : : Managing organisational safety and security : Information on further techniques to support : Lessons learned from others : Assessing the suitability of tools : Documentation outlines. 1.6 The research for this guidancePrepared by OGCs Directorate, this guidance has been developed from extensive research into current thinking and practice in both the public and private sectors, drawing on published papers and interviews/studies with a number of leading organisations involved in major change and with specialist experts in the. It builds on the recent work of the National Audit Office (), HM Treasury and Cabinet Office, together with OGCs published guidance on best practice in; it also aims to address issues relating to.This guidance responds to lessons learned and the experiences of real-world practical issues, as reported by consultants in s Strategic Assignments Consultancy Service and their clients. In addition, it incorporates feedback from contributors to workshops and other review channels. These contributions are acknowledged with thanks.CHAPTER 2: PRINCIPLESThis chapter outlines the key principles underpinning the effective.2.1 Critical success factors for management of riskThe key elements that need to be in place if is to be effective, and innovation encouraged, include: clearly identified senior management to support, own and lead on policies and the of effective management clearly communicated to all staff existence and adoption of a framework for that is transparent and repeatable existence of an organisational culture which supports well thought-through risk taking and innovation fully embedded in management processes and consistently applied closely linked to achievement of objectives risks associated with working with other organisations explicitly assessed and managed risks actively monitored and regularly reviewed on a constructive no-blame basis. Joint working and partnerships often involve more complex types of risk that can adversely affect the delivery of business services. For example, if part of the service provided by one organisation is delayed or of poor quality, the success of the whole collaboration can be put at risk. You must make sure that your organisation knows about the approaches of your partners. Sharing information about risk management means that risks in collaborative can be identified and managed in a proactive way.Public sector concernsThe Modernising Government initiative seeks to encourage the public sector to adopt well managed risk taking where it is likely to lead to sustainable improvements in service delivery. More effective will improve the public sectors ability to undertake the increasingly complex and cross-cutting that are demanded by the Modernisation agenda. Public sector organisations need to have in place the skills, management structures and organisational structures to take advantage of potential to perform better and to reduce the possibility of failure.The key areas that have to be addressed are: the requirements of including more focused and open ways of managing risk (see the section on below) the need for a at senior level, for an activity (strategy, or). He or she is supported by at everyday working levels as appropriate for the activity and risk exposure the need for improved reporting and upward referral of major problems and the potential resolution approaches the need for shared understanding of at all levels in the organisation and with partners, combined with consistent treatment of risk managing in the wider context of of change and the business. The study of (Supporting Innovation: Managing Risk in Government Departments), the Cabinet Offices report Successful : Modernising Government in Action, and HM Treasurys Orange Book provide valuable messages that are incorporated in this guidance.Meeting the needs of corporate governanceCorporate governance is the ongoing activity of maintaining a sound system of internal control to safeguard shareholders investment and the companys.The states that:a companys objectives, its internal organisation and the environment which it operates in are continually evolving and as a result the risks it faces are continually changing. A sound system of control therefore depends on a thorough and regular evaluation of the nature and extent of the risks to which the company is exposed. Since profits or business results are in part the reward for successful risk taking in business, the purpose of internal control is to help manage and control risk rather than eliminate it. frameworks must ensure that management is held accountable for a corporations performance and that owners are able to monitor and intervene in the operations of management.These principles apply equally to the public and private sectors. Whereas corporations focus mainly on shareholder returns and the preservation of shareholders value, the public sectors role is to implement cost effectively in accordance with Government legislation and policies.The British Standards Institute () has produced a guidance note on Corporate Governance PD 6668:2000 relating to the management of. It outlines a management framework for identifying the, determining the risks, implementation and maintaining control measures and finally reporting annually on the organisations commitment to this process.Policy on management of risk to support corporate governanceTo support, there needs to be a policy in place. This policy should: be appropriate for the size and nature of your organisation, its business and operating environment be clear about the roles (and, if possible, individuals) that are responsible for risk be clear about escalation criteria in relation to (i.e., when to refer decision making upwards) ensure that processes, and the culture/infrastructure, to identify and manage risk are put in place; these processes must be repeatable set up the mechanism for monitoring the success of the application of the policy (including reports to management, at least annually) ensure that internal control mechanisms are in place for independent assessment that the policy is implemented (and checked). 2.2 What is at risk and why?There are many diverse factors that could place an organisation at risk. outlines the main reasons why there should be a robust process in place.Your organisation will have a set of key objectives. Risks should be identified against these objectives, ideally not more than 10-15 at high level. These high-level risks will then be considered and managed by senior management, increasing the organisations ability to meet its objectives. provides a healthcheck to see if an organisation is adopting an effective framework for and risk management process.expands on possible categories of risk.Relating management of risk to safety, security and business continuityshould be carried out in the wider context of safety concerns, security and business continuity. Health and safety policy and practice is concerned with ensuring that the workplace is a safe environment. Security is concerned with protecting the organisations, including information, buildings and so on. Business continuity is concerned with ensuring that the organisation could continue to operate in the event of a disaster, such as loss of a service, flood or fire damage. Figure 1: Reasons for a processReducing risk in large scale projectsExperience has shown that and attempting a large scale, comprehensive business change are less likely to be successful than those taking a less ambitious, step-by-step approach. Although the latter increases management activity, with each of the elements needing to be controlled and coordinated, the advantages are that activities are: easier to manage simpler to implement within the business environment easier to accept formally as, typically, the specification is easier to document and thus simpler to verify that it has been met able to offer more options for contingency more likel