51CTO下载-ITIL中级课程-风险管理71页资料

ContentsCHAPTER1:INTRODUCTIONCHAPTER2:PRINCIPLESCHAPTER3:HOWRISKSAREMANAGEDCHAPTER4:MANAGINGRISKATTHESTRATEGICLEVELCHAPTER5:MANAGINGRISKATTHEPROGRAMMELEVELCHAPTER6:MANAGINGRISKSATTHEPROJECTLEVELCHAPTER7:MANAGINGRISKATTHEOPERATIONALLEVELCHAPTER8:TECHNIQUESANNEXA:EXAMPLESOFBENEFITSOFRISKMANAGEMENTANNEXB:HEALTHCHECK:HOWWELLISYOURORGANISATIONMANAGINGRISK?ANNEXC:CATEGORISINGRISKANNEXD:SETTINGASTANDARDFOREVALUATIONOFRISKANNEXE:PROCUREMENT,CONTRACTUALANDLEGALCONSIDERATIONSANNEXF:BUSINESSCONTINUITYMANAGEMENTANNEXG:MANAGINGORGANISATIONALSAFETYANDSECURITYANNEXH:INFORMATIONONFURTHERTECHNIQUESTOSUPPORTMANAGEMENTOFRISKANNEXJ:LESSONSLEARNEDFROMOTHERSANNEXK:ASSESSINGTHESUITABILITYOFTOOLSANNEXL:DOCUMENTATIONOUTLINESCHAPTER1:INTRODUCTION1.1Purposeofthisguide1.2Whatismanagementofrisk?1.3Whymanagementofriskisimportant1.4Whoisinvolvedinriskmanagement1.5Howtousethisguide1.6Theresearchforthisguidance1.1PurposeofthisguideThisguideisintendedtohelporganisationstoputinplaceeffectiveframeworksfortakinginformeddecisionsaboutrisk.Theguidanceprovidesaroutemapforriskmanagement,bringingtogetherrecommendedapproaches,checklistsandpointerstomoredetailedsourcesofadviceontoolsandtechniques.ItexpandsontheOGCGuidelinesforManagingRisk.Theprocessofinvestmentappraisal,inwhichassessmentsaremadeofcosts,benefitsandrisks,isoutsidethescopeofthisguide.However,manyoftheprinciplesandtechniquesdescribedherecanbeusedwhendevelopingthebusinesscase.TheapproachdescribedinthisguidecomplementsOGC’sguidanceonprogrammeandprojectmanagementandiscontinuallyupdatedtoreflectcurrentthinking.Thisapproach,brandedbyOGCasM_o_R(ManagementofRisk),issupportedbytrainingandqualifications.1.2Whatismanagementofrisk?Inthisguideriskisdefinedasuncertaintyofoutcome,whetherpositiveopportunityornegativethreat.Theterm‘managementofrisk’incorporatesalltheactivitiesrequiredtoidentifyandcontroltheexposuretoriskwhichmayhaveanimpactontheachievementofanorganisation’sbusinessobjectives.Everyorganisationmanagesitsrisk,butnotalwaysinawaythatisvisible,repeatableandconsistentlyappliedtosupportdecisionmaking.Thetaskofmanagementofriskistoensurethattheorganisationmakescosteffectiveuseofariskprocessthathasaseriesofwelldefinedsteps.Theaimistosupportbetterdecisionmakingthroughagoodunderstandingofrisksandtheirlikelyimpact.Therearetwodistinctphases:riskanalysisandriskmanagement.Riskanalysisisconcernedwithgatheringinformationaboutexposuretorisksothattheorganisationcanmakeappropriatedecisionsandmanageriskappropriately.Managementofriskinvolveshavingprocessesinplacetomonitorrisks,accesstoreliableanduptodateinformationaboutrisks,therightbalanceofcontrolinplacetodealwiththoserisks,anddecisionmakingprocessessupportedbyaframeworkofriskanalysisandevaluation.Managementofriskcoversawiderangeoftopics,includingbusinesscontinuitymanagement,security,programme/projectriskmanagementandoperationalservicemanagement.Thesetopicsneedtobeplacedinthecontextofanorganisationalframeworkforthemanagementofrisk.Somerisk-relatedtopics,suchassecurity,arehighlyspecialisedandthisguidanceprovidesonlyanoverviewofsuchaspects.1.3WhymanagementofriskisimportantAcertainamountofrisktakingisinevitableifyourorganisationistoachieveitsobjectives.Effectivemanagementofriskhelpsyoutoimproveperformancebycontributingto:increasedcertaintyandfewersurprisesbetterservicedeliverymoreeffectivemanagementofchangemoreefficientuseofresourcesbettermanagementatalllevelsthroughimproveddecisionmakingreducedwasteandfraud,andbettervalueformoneyinnovationmanagementofcontingentandmaintenanceactivities.SeeAnnexAforexamplesofthebenefitsofmoreeffectivemanagementofrisk.1.4WhoisinvolvedinriskmanagementInpractice,everyoneinanorganisationisinvolvedinriskmanagementtosomeextentandshouldbeawareoftheirresponsibilitiesinidentifyingandmanagingrisk.However,therearesomeaspectsforwhichresponsibilitymustbeassignedtoindividuals.Withoutclearresponsibility(andtheauthoritytosupportthatresponsibility)someriskswillbemissedoroverlooked.Inthepublicsector,therearetwomajorroleswithaclearresponsibilitytoensurerisksaremanaged(therewillbeequivalentstotheserolesinprivatesectororganisations).Theserolesare:anAccountingOfficer(orequivalentseniormanager),whoisresponsiblefortheorganisation’soverallexposuretorisk.TypicallythispersonwillbetheChiefExecutiveOfficer(CEO);theseniormanagerintheorganisation.Theymaydelegatesomeoftheactionsbutcannotforgotheresponsibilityaseniormanageractingasaproject‘owner’,whoisresponsibleforriskrelatingtoaspecificprogrammeorprojectandfortherealisationofassociatedbusinessbenefits.AudienceforthisguidanceBusinessmanagers,processowners,strategicplanners,projectandprocurementteams,businesscontinuityplannersandsecurityteamsaretheprimaryaudienceforthisguidance,togetherwiththeirserviceproviders.Itwillalsobeofinteresttoauditors,withtheirresponsibilityforensuringeffectivecorporategovernance.1.5HowtousethisguideChapter1introducesthestructure,processandcultureofmanagementofrisk,explainingwhyorganisationsneedtodeviseandimplementeffectivestrategiesinordertomaximiseopportu