CTOITIL中級課程風(fēng)險管理資料

Contents?CHAPTER1：INTRODUCTION?CHAPTER2:PRINCIPLES?CHAPTER3:HOWRISKSAREMANAGED?CHAPTER4:MANAGINGRISKATTHESTRATEGICLEVEL?CHAPTER5:MANAGINGRISKATTHEPROGRAMMELEVEL?CHAPTER6:MANAGINGRISKSATTHEPROJECTLEVEL?CHAPTER7：MANAGINGRISKATTHEOPERATIONALLEVEL?CHAPTER8:TECHNIQUES?ANNEXA:EXAMPLESOFBENEFITSOFRISKMANAGEMENT?ANNEXB:HEALTHCHECK:HOWWELLISYOURORGANISATIONMANAGINGRISK??ANNEXC:CATEGORISINGRISK?ANNEXD:SETTINGASTANDARDFOREVALUATIONOFRISK?ANNEXE:PROCUREMENT,CONTRACTUALANDLEGALCONSIDERATIONS?ANNEXF:BUSINESSCONTINUITYMANAGEMENT?ANNEXG:MANAGINGORGANISATIONALSAFETYANDSECURITY?ANNEXH:INFORMATIONONFURTHERTECHNIQUESTOSUPPORTMANAGEMENTOFRISK?ANNEXJ:LESSONSLEARNEDFROMOTHERS?ANNEXK:ASSESSINGTHESUITABILITYOFTOOLS?ANNEXL:DOCUMENTATIONOUTLINESCHAPTER1:INTRODUCTIONPurposeofthisguideWhatismanagementofrisk?WhymanagementofriskisimportantWhoisinvolvedinriskmanagementHowtousethisguideTheresearchforthisguidancePurposeofthisguideThisguideisintendedtohelporganisationstoputinplaceeffectiveframeworksfortakinginformeddecisionsaboutrisk.Theguidanceprovidesaroutemapforriskmanagement,bringingtogetherrecommendedapproaches,checklistsandpointerstomoredetailedsourcesofadviceontoolsandtechniques.ItexpandsontheOGCGuidelinesforManagingRisk.Theprocessofinvestmentappraisal,inwhichassessmentsaremadeofcosts,benefitsandrisks,isoutsidethescopeofthisguide.However,manyoftheprinciplesandtechniquesdescribedherecanbeusedwhendevelopingthebusinesscase.TheapproachdescribedinthisguidecomplementsOGC'sguidanceonprogrammeandprojectmanagementandiscontinuallyupdatedtoreflectcurrentthinking.Thisapproach,brandedbyOGCasM_o_R(ManagementofRisk),issupportedbytrainingandqualifications.Whatismanagementofrisk?Inthisguideriskisdefinedasuncertaintyofoutcome,whetherpositiveopportunityornegativethreat.Theterm'managementofrisk7incorporatesalltheactivitiesrequiredtoidentifyandcontroltheexposuretoriskwhichmayhaveanimpactontheachievementofanorganisation'sbusinessobjectives.Everyorganisationmanagesitsrisk,butnotalwaysinawaythatisvisible,repeatableandconsistentlyappliedtosupportdecisionmaking.Thetaskofmanagementofriskistoensurethattheorganisationmakescosteffectiveuseofariskprocessthathasaseriesofwelldefinedsteps.Theaimistosupportbetterdecisionmakingthroughagoodunderstandingofrisksandtheirlikelyimpact.Therearetwodistinctphases:riskanalysisandriskmanagement.Riskanalysisisconcernedwithgatheringinformationaboutexposuretorisksothattheorganisationcanmakeappropriatedecisionsandmanageriskappropriately.Managementofriskinvolveshavingprocessesinplacetomonitorrisks,accesstoreliableanduptodateinformationaboutrisks,therightbalanceofcontrolinplacetodealwiththoserisks,anddecisionmakingprocessessupportedbyaframeworkofriskanalysisandevaluation.Managementofriskcoversawiderangeoftopics,includingbusinesscontinuitymanagement,security,programme/projectriskmanagementandoperationalservicemanagement.Thesetopicsneedtobeplacedinthecontextofanorganisationalframeworkforthemanagementofrisk.Somerisk-relatedtopics,suchassecurity,arehighlyspecialisedandthisguidanceprovidesonlyanoverviewofsuchaspects.WhymanagementofriskisimportantAcertainamountofrisktakingisinevitableifyourorganisationistoachieveitsobjectives.Effectivemanagementofriskhelpsyoutoimproveperformancebycontributingto:?increasedcertaintyandfewersurprises?betterservicedelivery?moreeffectivemanagementofchange?moreefficientuseofresources?bettermanagementatalllevelsthroughimproveddecisionmaking?reducedwasteandfraud,andbettervalueformoney?innovation?managementofcontingentandmaintenanceactivities.SeeAnnexAforexamplesofthebenefitsofmoreeffectivemanagementofrisk.WhoisinvolvedinriskmanagementInpractice,everyoneinanorganisationisinvolvedinriskmanagementtosomeextentandshouldbeawareoftheirresponsibilitiesinidentifyingandmanagingrisk.However,therearesomeaspectsforwhichresponsibilitymustbeassignedtoindividuals.Withoutclearresponsibility(andtheauthoritytosupportthatresponsibility)someriskswillbemissedoroverlooked.Inthepublicsector,therearetwomajorroleswithaclearresponsibilitytoensurerisksaremanaged(therewillbeequivalentstotheserolesinprivatesectororganisations).Theserolesare:?anAccountingOfficer(orequivalentseniormanager),whoisresponsiblefortheorganisation'soverallexposuretorisk.TypicallythispersonwillbetheChiefExecutiveOfficer(CEO);theseniormanagerintheorganisation.Theymaydelegatesomeoftheactionsbutcannotforgotheresponsibility?aseniormanageractingasaproject'owner；whoisresponsibleforriskrelatingtoaspecificprogrammeorprojectandfortherealisationofassociatedbusinessbenefits.AudienceforthisguidanceBusinessmanagers,processowners,strategicplanners,projectandprocurementteams,businesscontinuityplannersandsecurityteamsaretheprimaryaudienceforthisguidance,togetherwiththeirserviceproviders.Itwillalsobeofinteresttoauditors,withtheirresponsibilityforensuringeffectivecorporategovernance.Howtousethisguideintroducesthestructure,processandcultureofmanagementofrisk,explainingwhyorganisationsneedtodeviseandimplementeffectivestrategiesinordertomaximiseopportunitiesandminimisethreatstotheachievementoftheirbusinessobjectives.Itidentifieskeypersonnelinthemanagementofriskandthetargetaudiencefortheguidance.outlinesthekeyprinciplesunderpinningmanagementofrisk:establishingariskmanagementframework,riskownership,whererisksoccur,thedecisionmakingprocess,theimportanceofembeddingtheriskmanagementculture,andallocatingrealisticbudgets.describesthemainactivitiesofmanagementofrisk.Itcontainspracticalexamples,pointersandchecklistsforidentifyingandrespondingtorisk,andmonitoringriskresponses.Chapters4-7explainwhenandhowmanagementofriskshouldbeappliedthroughoutanorganisation,atthestrategic,programme,projectandoperationallevels.Chapter8discussestherangeoftechniquesavailabletosupporttheriskmanagementprocess.TheAnnexesprovidesupportingdetail:A:ExamplesofbenefitsofriskmanagementB:Healthcheck:howwellisyourorganisationmanagingrisk?C:CategorisingriskD:SettingastandardforevaluationofriskE:Procurement,contractualandlegalconsiderationsF:BusinesscontinuitymanagementG:ManagingorganisationalsafetyandsecurityH:InformationonfurthertechniquestosupportmanagementofriskJ:LessonslearnedfromothersK:AssessingthesuitabilityoftoolsL:Documentationoutlines.1.6TheresearchforthisguidancePreparedbyOGCsITDirectorate,thisguidancehasbeendevelopedfromextensiveresearchintocurrentthinkingandpracticeinboththepublicandprivatesectors,drawingonpublishedpapersandinterviews/studieswithanumberofleadingorganisationsinvolvedinmajorchangeandwithspecialistexpertsinthemanagementofrisk.ItbuildsontherecentworkoftheNationalAuditOffice(NAO),HMTreasuryandCabinetOffice,togetherwithOGCspublishedguidanceonbestpracticeinriskmanagement;italsoaimstoaddressissuesrelatingtocorporategovernance.Thisguidancerespondstolessonslearnedandtheexperiencesofreal-worldpracticalissues,asreportedbyconsultantsinOGC'sStrategicAssignmentsConsultancyServiceandtheirclients.Inaddition,itincorporatesfeedbackfromcontributorstoOGCworkshopsandotherreviewchannels.Thesecontributionsareacknowledgedwiththanks.CriticalsuccessfactorsformanagementofriskWhatisatriskandwhy?DecisionsaboutriskWhererisksoccurAframeworkformanagingriskRiskownershipEmbeddingtheriskmanagementcultureBudgetsThischapteroutlinesthekeyprinciplesunderpinningtheeffectivemanagementofrisk.CriticalsuccessfactorsformanagementofriskThekeyelementsthatneedtobeinplaceifriskmanagementistobeeffective,andinnovationencouraged,include:clearlyidentifiedseniormanagementtosupport,ownandleadonriskmanagementriskmanagementpoliciesandthebenefitsofeffectivemanagementclearlycommunicatedtoallstaffexistenceandadoptionofaframeworkformanagementofriskthatistransparentandrepeatableexistenceofanorganisationalculturewhichsupportswellthought-throughrisktakingandinnovationmanagementofriskfullyembeddedinmanagementprocessesandconsistentlyappliedmanagementofriskcloselylinkedtoachievementofobjectivesrisksassociatedwithworkingwithotherorganisationsexplicitlyassessedandmanagedrisksactivelymonitoredandregularlyreviewedonaconstructive'no-blame'basis.Jointworkingandpartnershipsofteninvolvemorecomplextypesofriskthatcanadverselyaffectthedeliveryofbusinessservices.Forexample,ifpartoftheserviceprovidedbyoneorganisationisdelayedorofpoorquality,thesuccessofthewholecollaborationcanbeputatrisk.Youmustmakesurethatyourorganisationknowsabouttheriskmanagementapproachesofyourpartners.Sharinginformationaboutriskmanagementmeansthatrisksincollaborativeprogrammescanbeidentifiedandmanagedinaproactiveway.PublicsectorconcernsTheModernisingGovernmentinitiativeseekstoencouragethepublicsectortoadoptwellmanagedrisktakingwhereitislikelytoleadtosustainableimprovementsinservicedelivery.Moreeffectiveriskmanagementwillimprovethepublicsector'sabilitytoundertaketheincreasinglycomplexandcross-cuttingprojectsthataredemandedbytheModernisationagenda.Publicsectororganisationsneedtohaveinplacetheskills,managementstructuresandorganisationalstructurestotakeadvantageofpotentialopportunitiestoperformbetterandtoreducethepossibilityoffailure.Thekeyareasthathavetobeaddressedare:therequirementsofcorporategovernance-includingmorefocusedandopenwaysofmanagingrisk(seethesectiononcorporategovernancebelow)theneedfora'riskowner'atseniorlevel,foranactivity(strategy,programmeorproject).Heorsheissupportedbyriskownersateverydayworkinglevelsasappropriatefortheactivityandriskexposuretheneedforimprovedreportingandupwardreferralofmajorproblemsopportunitiesandthepotentialresolutionapproachestheneedforsharedunderstandingofriskmanagementatalllevelsintheorganisationandwithpartners,combinedwithconsistenttreatmentofriskmanagingprojectriskinthewidercontextofprogrammesofchangeandthebusiness.TheNAOstudyofriskmanagement{SupportingInnovation:ManagingRiskinGovernmentDepartments),theCabinetOffice'sreportSuccessfulYT:ModernisingGovernmentinAction,andHMTreasury'sOrangeBookprovidevaluablemessagesthatareincorporatedinthisguidance.MeetingtheneedsofcorporategovernanceCorporategovernanceistheongoingactivityofmaintainingasoundsystemofinternalcontroltosafeguardshareholders/investmentandthecompany'sassets.TheTurnbullReportstatesthat:'acompany'sobjectives,itsinternalorganisationandtheenvironmentwhichitoperatesinarecontinuallyevolvingandasaresulttherisksitfacesarecontinuallychanging.Asoundsystemofcontrolthereforedependsonathoroughandregularevaluationofthenatureandextentoftheriskstowhichthecompanyisexposed.Sinceprofits[orbusinessresults]areinparttherewardforsuccessfulrisktakinginbusiness,thepurposeofinternalcontrolistohelpmanageandcontrolriskratherthaneliminateit/Corporategovernanceframeworksmustensurethatmanagementisheldaccountableforacorporation'sperformanceandthatownersareabletomonitorandinterveneintheoperationsofmanagement.Theseprinciplesapplyequallytothepublicandprivatesectors.Whereascorporationsfocusmainlyonshareholderreturnsandthepreservationofshareholders'value,thepublicsector'sroleistoimplementprogrammescosteffectivelyinaccordancewithGovernmentlegislationandpolicies.TheBritishStandardsInstitute(BSI)hasproducedaguidancenoteonCorporateGovernance-PD6668:2000-relatingtothemanagementofstrategicrisks.Itoutlinesamanagementframeworkforidentifyingthethreats,determiningtherisks,implementationandmaintainingcontrolmeasuresandfinallyreportingannuallyontheorganisation'scommitmenttothisprocess.PolicyonmanagementofrisktosupportcorporategovernanceTosupportcorporategovernance,thereneedstobeariskmanagementpolicyinplace.Thispolicyshould:beappropriateforthesizeandnatureofyourorganisation,itsbusinessandoperatingenvironmentbeclearabouttheroles(and,ifpossible,individuals)thatareresponsibleforriskbeclearaboutescalationcriteriainrelationtoriskmanagement(i.e.,whentoreferdecisionmakingupwards)ensurethatprocesses,andthecuIture/infrastructure,toidentifyandmanageriskareputinplace;theseprocessesmustberepeatablesetupthemechanismformonitoringthesuccessoftheapplicationofthepolicy(includingreportstomanagement,atleastannually)ensurethatinternalcontrolmechanismsareinplaceforindependentassessmentthatthepolicyisimplemented(andchecked).Whatisatriskandwhy?Therearemanydiversefactorsthatcouldplaceanorganisationatrisk.Figure1outlinesthemainreasonswhythereshouldbearobustriskmanagementprocessinplace.Yourorganisationwillhaveasetofkeyobjectives.Risksshouldbeidentifiedagainsttheseobjectives,ideallynotmorethan10-15athighlevel.Thesehigh-levelriskswillthenbeconsideredandmanagedbyseniormanagement,increasingtheorganisation'sabilitytomeetitsobjectives.AnnexBprovidesa'healthcheck'toseeifanorganisationisadoptinganeffectiveframeworkformanagementofriskandriskmanagementprocess.AnnexCexpandsonpossiblecategoriesofrisk.Relatingmanagementofrisktosafety,securityandbusinesscontinuityManagementofriskshouldbecarriedoutinthewidercontextofsafetyconcerns,securityandbusinesscontinuity.Healthandsafetypolicyandpracticeisconcernedwithensuringthattheworkplaceisasafeenvironment.Securityisconcernedwithprotectingtheorganisation'sassets,includinginformation,buildingsandsoon.Businesscontinuityisconcernedwithensuringthattheorganisationcouldcontinuetooperateintheeventofadisaster;suchaslossofaservice,floodorfiredamage.Figure1:ReasonsforariskmanagementprocessReducingriskinlargescaleprojectsExperiencehasshownthatprogrammesandprojectsattemptingalargescale,comprehensivebusinesschangearelesslikelytobesuccessfulthanthosetakingalessambitious,step-by-stepapproach.Althoughthelatterincreasesmanagementactivity,witheachoftheelementsneedingtobecontrolledandcoordinated,theadvantagesarethatactivitiesare:easiertomanagesimplertoimplementwithinthebusinessenvironmenteasiertoacceptformallyas,typically,thespecificationiseasiertodocumentandthussimplertoverifythatithasbeenmetabletooffermoreoptionsforcontingencymorelikelytoaccommodatefastmovingchangesintechnology,orinthepoliticalorfinancialenvironmentabletooffermoredecisionpoints,allowinggreatercontroloftheproject.2.3DecisionsaboutriskDecisionsaboutriskneedtobebalancedsothatthepotentialbenefitsareworthmoretotheorganisationthanitcoststoaddresstherisk.Forexample,innovationisinherentlyriskybutcouldachievemajorbenefitsinimprovingservices.Theabilityoftheorganisationtolimititsexposuretoriskwillalsobeofrelevance.Youshouldaimtomakeanaccurateassessmentoftherisksinagivensituationandanalysethepotentialbenefits.Therisksandopportunitiespresentedbyeachcourseofactionshouldbedefinedinordertoidentifyappropriateresponse.ScopeofdecisionsDecisionsaboutriskwillvarydependingonwhethertheriskrelatestolong,mediumorshort-termgoals.Strategicdecisionsareprimarilyconcernedwithlong-termgoals;thesesetthecontextfordecisionsatotherlevelsoftheorganisation.Therisksassociatedwithstrategicdecisionsmaynotbecomeapparentuntilwellintothefuture.Thusitisessentialtoreviewthesedecisions,andassociatedrisks,onaregularbasis.Medium-termgoalsareusuallyaddressedthroughprogrammesandprojectstobringaboutbusinesschange.Decisionsrelatingtomedium-termgoalsarenarrowerinscopethanstrategicones,particularlyintermsoftimeframeandfinancialresponsibilities.Attheoperationalleveltheemphasisisonshort-termgoalstoensureongoingcontinuityofbusinessservices;however,decisionsaboutriskatthislevelmustalsosupporttheachievementoflong-andmedium-termgoals.TheseorganisationallevelsarediscussedinmoredetailinChapters4,5,6and7.Therearealsoconsiderationsaboutwhatcanrealisticallybeachievedinonechangeinitiative.Deliveryofeachofthecomponentsofachangeinitiative(whetheraprogramme,projectorstage)mustprovidesomedirectbenefittotheorganisationasaresultofitsdelivery.Thiscouldbebydelivering:?amajorcomponenttosupport/buildtowardstheintendedoutcome-forexample,providingatelephonehelplinefirstaspartofanewinformationserviceandthenaddingwebsiteservicestoexpandthefacilitiesavailabletothepublic?theproducttopartoftheendusercommunityandthen'rollingouttotherestofthatcommunity-forexample,introducinganewinformationserviceintheNorth-Eastandgraduallymakingitavailablenationwide.Thisisamodularand/orincrementalapproachthatisfurtherdiscussedinChapters5and6andinAnnexE.Whenmanaginganyprojectitisessentialtoensuremajordecisionsaremadeappropriately.Aprojectwillsupportsomebusinesschangeandsorequiresomethingtobeproducedandthenputintouse.Figure2showsthemainstagesoftheprocurementprocessandthedecisionstobetakenaboutbreakingprojectsdownintomanageable'packages*.Formajorprojects,therewillbeformalGatewayReviewsinadditiontothenormalprojectdecisionpoints;thesereviewsestablishwhethertheprojectisreadytoproceedtothenextstage.Figure2:Mainstagesoftheprocurementprocess2.4WhererisksoccurTheriskmanagementprocessshouldbemostrigorouslyappliedwherecriticaldecisionsarebeingmade.Figure3showswhereriskcanoccurinanorganisation.Forconvenience,theselevelsaredescribedas:strategicorcorporateprogrammeprojectoperational.Inpractice,thelevelsoverlap;however,itishelpfultoclarifytheoccurrenceofrisksattheselevelstoinformthekindofdecisionsyouarelikelytomake.Figure3:OrganisationalmanagementhierarchyItisimportanttonotethatariskmaymaterialiseinitiallyatonelevelbutsubsequentlyhaveamajorimpactatadifferentlevel.ArecentexampleisaHighStreetbankfacingtechnicalfaultsattheoperationallevel;ultimatelycustomers/confidenceinthebank'sonlineservicebecameastrategicrisk.Thishighlightstheneedforrelevantinformationaboutriskstobesharedthroughouttheorganisation.Table1showsexamplesoftypicalrisksoccurringateachorganisationallevel.Table1:RiskrelatedtoorganisationallevelsLevel ExamplesoftypicalrisksconsideredatthislevelStrategic/corporateCommercial,financial,political,environmental,directional,cultural,acquisitionandqualityrisks.Thereisafocusonbusinesssurvival,continuityandgrowthforthefuture.Whenprogramme,projectandoperationalrisksexceedsetcriteria-e.g.notacceptable,outsideagreedlimits,couldaffectstrategicobjectives,informationneedstobeescalatedtothislevelsothatappropriatedecisionscanbetaken.ProgrammeProcurement/acquisition,funding,organisational,projects,security,safety,qualityandbusinesscontinuityrisks.Whenprojectandoperationalrisksexceedsetcriteria-e.g.notacceptable,outsideagreedlimits,couldaffectprogrammeobjectives,informationneedstobeescalatedtothislevelsothatappropriatedecisionscanbetaken.Project Personal,technical,cost,schedule,resource,operationalsupport,qualityandproviderfailure.Operationalissues/risksshouldbeconsideredatthislevelastheyaffecttheprojectandhowitneedstoberun.Informationonstrategicandprogrammerelatedrisksshouldbecommunicatedtothislevelwheretheycouldaffectprojectobjectives.Projectmanagersshouldcommunicateinformationonriskstootherprojectsandoperationsasappropriate.OperationsPersonal,technical,cost,schedule,resource,operationalsupport,quality,providerfailure,environmentalandinfrastructurefailure.AIIthehigherlevelshaveinputtothislevel;specificconcernsincludebusinesscontinuitymanagement/contingencyplanning,supportforbusinessprocessesandcustomerrelations.AdditionalfactorsAdditionalfactorsmayincreasethecomplexityofassessingoverallexposuretorisk.Theseinclude:interdependencies,orlinksbetweenprojectsand/orrelatedissues,wheretheimpactofoneormoreriskscouldaffectothers,possiblycreatinga'domino'effect.Youshouldensurethatanyknowninterdependenciesareidentifiedandassessedsothatappropriateactioncanbeplannedtherelationshipbetweenbusinessbenefitsandriskstodelivery,whereachievementofbenefitsisdependentonsuccessfuldeliveryofaproject.Youshouldcontinuallycheckwhetherchangingplansaffecttheachievementofbenefits.AframeworkformanagingriskAframeworkformanagementofrisksetsthecontextinwhichriskswillbeidentified,analysed,controlled,monitoredandreviewed.Itmustbeconsistentwithprocessesthatareembeddedineverydaymanagementandoperationalpractices.Itaddresses:howrisksareidentifiedhowinformationabouttheirprobabilityandpotentialimpactisobtainedhowrisksarequantifiedhowoptionstodealwiththemareidentifiedhowdecisionsonriskmanagementaremade,suchasfurtherriskreductionhowthesedecisionsareimplementedhowactionsareevaluatedfortheireffectivenesshowappropriatecommunicationmechanismsaresetupandsupportedhowstakeholdersareengagedthroughouttheprocess.(SeeChapter3formoreinformationaboutthemanagementofriskframeworkandsupportingprocesses.)RiskownershipFortheorganisation,ownershipoftheriskmanagementframeworklieswiththeAccountingOfficer(orequivalentseniormanageratBoardlevel).Individualseniormanagersowntheprogrammeorprojectandareresponsibleforthemanagementoftheoverallriskofthatactivity.However,theserolesdonotownalltheindividualrisks.Riskownershipmustbeclearlydefined,documentedandagreedwiththeindividualownersatalllevels,sothattheyunderstandtheirvariousroles,responsibilitiesandultimateaccountabilitywithregardtothemanagementofrisk.Theownerofariskmaynotbethepersontaskedwiththeassessmentormanagementoftherisk,butheorsheisresponsibleforensuringthemanagementofriskprocessisapplied-theremaybeseparateownerstoactuallydealwiththerisks.Itisimportanttoidentifywhoowns:thesettingpolicyandtheorganisation'swillingnesstotakeriskthemanagementofriskprocessatthedifferentlevels-thatis,strategic,programme,project,operationallevelsdifferentelementsofthemanagementofriskprocess,suchasidentifyingthreats,throughtoproducingriskresponsesandreportingondecisionsimplementationoftheactualmeasurestakeninresponsetotherisksinterdependentrisksthatcrossorganisationalboundaries,whethertheyarebusinessprocesses,operationalservicesorprojects.Forexample,foraseniormanagerwithresponsibilityforaproject,ownershipofriskcouldbedefinedasfollows:Seniormanagersresponsibleforprojectsmustassurethemselvesthatanumberoftypesofriskarebeingtrackedanddealtwithaseffectivelyaspossible.Themechanismsinplaceformonitoringandreportingriskwillvaryaccordingtothesizeandcomplexityoftheprojectorprogramme,rangingfromtheuseofasimpleriskregistertotheappointmentofariskmanagerreportingdirectlytotheseniormanager.Clearly,thedegreeofdelegationadoptedbytheseniormanagerwillvary,butheorshemustbesurethatthecriticalissuesarebeingaddressed;forexample,throughchairingtheprojectboardorbydevelopingstrongmechanismsforreportingproblems.Checklist:ownershipofriskandtheprocessHaveownersbeenallocatedforallthevariouspartsofthecompletemanagementofriskprocess?Arethevariousrolesandresponsibilitiesassociatedwithownershipwelldefined?Dotheindividualswhohavebeenallocatedownershipactuallyhavetheauthorityandcapabilitytofulfiltheirresponsibilities?Forexample,suppliersmaybetaskedwithriskownership.Havethevariousrolesandresponsibilitiesbeencommunicatedandunderstood?Arethenominatedownersappropriateandawareoftheirnomination?Isownershipreassessedonaperiodicbasis,orintheeventofachangeinthesituation;andifnecessary,canitbequicklyandeffectivelyreallocated?Doallrisks,andwhereappropriatetheirmitigationactions,haveclearlyidentifiedowners?Aretheseownersappropriate?EmbeddingtheriskmanagementcultureIdentifyingappropriatepolicies,standardsandpracticesisthefirststageofcreatingariskmanagementculture.Oncetheseareinplacetheyneedtobetotallyembeddedinindividualsthroughtheenactmentoftheirrolesandassociatedresponsibilities.Awarenessofandresponsibilityforriskissuesmustbelinkedexplicitlytokeyobjectives,inordertobuildasustainableriskmanagementculture.Thereshouldbedelegatedresponsibilityforrisksateverylevelofobjectivesintheorganisation.Thisisthemajorsupporttoembeddingriskmanagementintotheorganisationanditsculture,withriskmanagementseenasanintrinsicpartofthewayanorganisationworks.Asthepeopleinanorganisationchange,itisessentialtoensureacontinuingunderstandingofrolesandresponsibilitiesrelatedtomanagingrisk.Theriskenvironmentisconstant