
BS 31100:2011 Risk management Code of practice and ...

This British Standard gives recommendations for implementing the principles and guidelines in BS ISO 31000:2009, including the risk management framework and process. It provides a basis for understanding, developing, implementing and maintaining proportionate and effective risk management throughout an organization, in order to enhance the organization's likelihood of achieving its objectives.

This British Standard is intended for use by anyone with responsibility for, or involved in, any of the following:
a) ensuring an organization achieves its objectives;
b) ensuring risks are proactively managed in specific areas or activities;
c) overseeing risk management in an organization;
d) providing assurance about the effectiveness of an organization's risk management; and/or
e) reporting to stakeholders, through disclosures in annual financial statements, corporate governance reports and corporate social responsibility reports.

The principles in BS ISO 31000:2009 are as follows. a) Risk management creates and protects value. b) Risk management is an integral part of all organizational processes. c) Risk management is part of decision-making. d) Risk management explicitly addresses uncertainty. e) Risk management is systematic, structured and timely.


Transcription of BS 31100:2011 Risk management Code of practice and ...

BSI, 389 Chiswick High Road, London W4 4AL, United Kingdom. Tel: +44 (0)20 8996 9001. Fax: +44 (0)20 8996 7001. ISBN 978-0-580-71607-2. Distributed by IT Governance Ltd. (c) BSI.

Publishing and copyright information

The BSI copyright notice displayed in this document indicates when the document was last issued.

(c) BSI 2011
ISBN 978 0 580 71607 2
ICS

The following BSI references relate to the work on this standard:
Committee reference RM/1
Draft for comment 11/30228063 DC

Publication history
First published October 2008
Second (present) edition, June 2011

Amendments issued since publication
Date; Text affected

Contents
Foreword ii
Introduction 1
1 Scope 3
2 Terms and definitions

Annexes
Annex A (informative) Risk management tools 40
Annex B (normative) Incorporating potentially positive consequences of risk 42
Annex C (informative) Effects of controls 42
Bibliography 45

List of figures
Figure 1 Risk management perspectives 2
Figure 2 Relationships between the context, principles, framework and process 11
Figure 3 Illustrative set of instances of the risk management process in a larger organization 12
Figure 4 Development of components of the risk management framework 12
Figure 5 Typical documentation for risk management 15
Figure 6 Items to include in the description of the framework 16
Figure 7 The risk management process 32

List of tables
Table 1 Examples of tailoring 3
Table 2 One possible breakdown of roles 17
Table 3 Leadership responsibilities 18
Table 4 Minimum responsibilities for everyone in the organization 18
Table 5 Role of a risk management function 19
Table 6 Items to cover related to risk management competence 22
Table 7 Features of risk identification 33
Table Examples of risk management tools (including techniques) 41

Summary of pages
This document comprises a front cover, an inside front cover, pages i to iv, pages 1 to 46, an inside back cover and a back cover.

Foreword

Publishing information
This British Standard was published by BSI and came into effect on 30 June 2011. It was prepared by Technical Committee RM/1, Risk management. A list of organizations represented on this committee can be obtained on request to its secretary.

This British Standard has been developed by practitioners throughout the risk management community, drawing upon their considerable academic, technical and practical experiences of risk management.

Supersession
BS 31100:2011 supersedes BS 31100:2008, which is withdrawn.

Relationship with other documents
BS ISO 31000, Risk management: Principles and guidelines on implementation, and ISO/IEC Guide 73, Risk management: Vocabulary, were published after the first edition of BS 31100, so that there were some minor structural differences between the documents. This edition was drafted to be consistent with the principles and guidelines on risk management in BS ISO 31000:2009 (see Introduction), and to acknowledge HM Treasury's Orange Book [1], the Office of Government Commerce publication Management of Risk: Guidance for Practitioners [2], Enterprise Risk Management: Integrated Framework and application techniques published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) [3], and the risk management standard developed by the Institute of Risk Management (IRM), the Association of Insurance and Risk Managers (Airmic) and Alarm [4].

Use of this document
As a code of practice, this British Standard takes the form of guidance and recommendations. It should not be quoted as if it were a specification and particular care should be taken to ensure that claims of compliance are not misleading.

Presentational conventions
The provisions in this standard are presented in roman (i.e. upright) type. Its recommendations are expressed in sentences in which the principal auxiliary verb is "should". The word "may" is used in the text to express permissibility, as an alternative to the primary recommendation of the clause. The word "can" is used to express possibility, a consequence of an action or an event. Commentary, explanation and general informative material is presented in smaller italic type, and does not constitute a normative element. Any user claiming compliance with this British Standard is expected to be able to justify any course of action that deviates from its recommendations.

The word "should" is used to express the recommendations of this standard, with which the user has to comply in order to comply with the standard. The word "may" is used in the text to express permissibility, as an alternative to the primary recommendation of the clause. The word "can" is used to express possibility, a consequence of an action or an event.

Contractual and legal considerations
This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. Compliance with a British Standard cannot confer immunity from legal obligations.

Introduction
This code of practice gives recommendations for implementing the principles and guidelines on risk management in BS ISO 31000:2009. This edition of BS 31100 closely matches the structure, terminology and diagrams of BS ISO 31000:2009 and ISO Guide 73:2009 to make it easier to use the three documents side by side. This edition also expands on the recommendations of BS 31100:2008.

The principles in BS ISO 31000:2009 are as follows.
a) Risk management creates and protects value.
b) Risk management is an integral part of all organizational processes.
c) Risk management is part of decision-making.
d) Risk management explicitly addresses uncertainty.
e) Risk management is systematic, structured and timely.
f) Risk management is based on the best available information.
g) Risk management is tailored.
h) Risk management takes human and cultural factors into account.
i) Risk management is transparent and inclusive.
j) Risk management is dynamic, iterative and responsive to change.
k) Risk management facilitates continual improvement of the organization.

The recommendations in this code of practice will help organizations implement these principles in a way that is right for each organization. The recommendations are more practical and specific than the principles and guidelines, but they focus on the key aspects of management and allow for variations in detail.

Risks are best managed by people following a defined risk management process. In large organizations there could be many groups and many processes, each with its own scope, meetings, documents and methods. This could be because they are working at different management levels in the organization and have different perspectives (see Figure 1), are working in different organizational sub-units, or are focusing on different types of risk. The approach recommended here is to provide an outline risk management process that can be followed and interpreted so that each group works in a way that is appropriate for them, and there is consistency and communication across the organization. Each example of a risk management process within an organization is called an instance of the risk management process. The outline risk management process is just one component of a broader risk management framework that also contains activities to govern one or more instances of the risk management process and to drive improvements over time.

The recommendations cover the whole organization and all risks. This includes outcomes that are better than expected, as well as those that are worse than expected. In keeping with the definition of risk as the effect of uncertainty on objectives, the approach encourages people to think widely about what might happen, not just to look for potential dangers. It also encourages greater awareness of opportunities. This is achieved using a process and language that apply equally to all risks. For example, risks are modified by controls rather than mitigated, because a risk whose consequences are mostly desirable is one to promote or exploit rather than mitigate.

Example: A major construction project on a city site had very little land for storing materials and so needed many costly lorry deliveries. There was space on an adjacent site where another developer was working. If a deal could be made it would be possible to use that space to store materials. This possibility was recorded as a risk with predominantly positive consequences, and evaluated. Although there would be an up-front commitment to the other developer, there were possible beneficial consequences from lower transport costs and reduced likelihood of interruptions to work due to late deliveries. Actions were identified to increase the likelihood of the risk being realized, such as working out delivery times and access routes that would avoid interference between the projects. Subsequently, the risk was realized: a deal was made, benefiting both.

Risk management needs to be integrated into all management activities. This code of practice gives recommendations on how to achieve this integration. The recommendations in this British Standard have been written for organizations of all types and sizes, and include guidance on how to choose an approach that is appropriate. Table 1 gives examples of how large and small organizations might tailor their risk management.

Figure 1 Risk management perspectives (key: set of activities; communication)

1 Scope
This British Standard gives recommendations for implementing the principles and guidelines in BS ISO 31000:2009, including the risk management framework and process.

