Some standard content:
ICS 03.100.01
National Standard of the People's Republic of China
GB/T24353-2009
Risk management-Principles and guidelines on Implementation 2009-09-30 Issued
Digital security
General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China Standardization Administration of China
Full Autumn Companion Network t
2009-12-01 Implementation
GB/T24353-2009
Normative references
3 Terms and definitions
Risk management principles
Risk management process
Implementation of risk management
References.
http://foodmate.net Foreword
This standard is a guiding standard in the risk management series of standards. This standard is prepared with reference to ISO/DIS81090 "Risk Management Principles and Implementation Guidelines" and the cost standard is proposed by the National Technical Committee for Standardization of Quality Management and Quality Assurance (SAC/TC15I). This standard is under the jurisdiction of the National Technical Committee for Standardization of Risk Management (SAC/TC3T0). GB/T24353-2009
The drafting units of this standard are: China National Institute of Standardization, First Huida Risk Management Technology Co., Ltd., China Aviation Comprehensive Technology Research Institute, Beijing Institute of Technology, Institute of Science and Technology Strategy and Management Science of Chinese Academy of Sciences, Beijing Institute of Humanities. The main drafters of this standard are: Gao Xiaohong, Lv Duojia, Tang Wanjin, Yang Ying, Wang Bangjun, Liu Tiezhong, Li Jianping, Liu Xinli http://foodmate.neGB/T243532009
Organizations of any type and size are exposed to risks, and all activities of the organization involve risks. Risks can affect the realization of organizational goals: these goals may be related to various activities in the organization from strategic decision-making to operations, including various processes and specific projects: the latest year, strategy, operation, finance, environment, society, reputation and other aspects. Risk management considers uncertainty and its impact on itself and takes appropriate measures to support the organization's operational strategy and effective response to various emergencies: Risk management is applicable to the entire life cycle of the organization and any stage: its scope of application includes all areas and levels of the entire organization, as well as specific departments and activities of the organization. Risk management aims to ensure that the organization responds to risks appropriately, improves the efficiency and effectiveness of risk response, enhances the rationality of actions, and effectively allocates resources. Effective risk management should be integrated into the entire organization's philosophy, governance, management, procedures, policies and strategies, and culture. Risk management awareness should be an integral part of the entire organization. Although risk management has been developed in long-term practice and meets different requirements in many industries, there is currently a lack of a method to ensure that risk management is effectively implemented. This standard provides a general and empirical guide to the principles of risk management, which helps organizations implement risk management in a transparent and reliable manner in any scope and specific environment. This standard helps organizations to:
improve risk management awareness:
effectively allocate and use risk management resources! Implement proactive and forward-looking management:
Resize the limits of opportunities and risks:
Comply with relevant laws, regulations and international standards to improve internal control;
- Improve financial reporting
Improve corporate governance:
: Improve operational effectiveness and efficiency:
Increase the confidence and trust of stakeholders: Lay a solid foundation for planning and decision-making;- Improve health, safety and environmental protection levels; Improve the prevention and handling of incidents:
- Reduce losses;
Improve the learning ability of the organization!
Enhance the survival and sustainable development capabilities of the organization: The intended users of this standard are the organization's stakeholders, such as the organization's decision makers;
People within the organization who are responsible for formulating risk management policies; People who implement risk management in the organization or activities; People who evaluate the organization's risk management practices; People in the organization who are responsible for formulating standards, guidelines, and application criteria for procedures related to risk management: Shareholders, boards of directors, senior management, employees, creditors, suppliers, customers, banks, regulators, partners, etc., and other people who need to ensure that the organization manages its risks. ht
GB/T24353-2009
Taking into account the diversity of the nature, importance and complexity of risks, in actual application, organizations can use the methods provided by this standard to identify specific risk management environments to ensure the rationality and applicability of risk management. Many organizations have implemented risk management in existing management practices and processes, or have adopted formal risk management processes for certain specific risks or specific areas, such as internal control. Management can check existing risk management practices and processes against this standard. This standard is a general standard, which aims to coordinate the risk management content in existing and future standards. This standard provides an applicable method to support the development of standards for specific risks or specific industries, but is not intended to replace these standards. http://foodmate.nt1.com/|tt||Risk Management Principles and Implementation Guidelines
This standard provides the principles of risk management and practical implementation guidelines. GB/T24353-2009
This standard is applicable to organizations of all types and sizes, to the entire life cycle and all stages of the organization, and to all activities of the organization, including process management, functional behavior, project management, and various activities related to products, services, assets, operations and decision-making. This standard provides general guidelines for the implementation of risk management, but the specific implementation of risk management depends on the actual needs and specific implementation of the organization. 2 Normative References
The clauses in the following documents become the clauses of this standard through reference in this standard. For any dated referenced document, all subsequent amendments (excluding errors and revisions) are not applicable to this standard. However, it is encouraged that the latest versions of these documents be used by the equipment manufacturers based on this standard. For any undated referenced document, the latest version shall apply to this standard. GB/T23694 Risk Management Terminology
3 Terms and Definitions
(The terms and definitions established in GB/T23691 apply to this standard. Principles of Risk Management
In order to effectively manage risks, organizations should follow the following principles when implementing risk management: a) Control losses and create value
Creating value first by controlling losses. Risk management based on goals helps organizations achieve specific and visible results and improve performance in all aspects, including employee health and safety, compliance operations, credit level, social recognition, environmental protection and financial performance. Effectiveness, product quality, operational efficiency and corporate governance. Integration into the organizational management process
Risk management is not a separate activity independent of the main activities and management processes of the organization, but an indispensable and important part of the organizational management process.
Support the decision-making process
All decisions of the organization should consider risk and risk management. Risk management aims to control risks within the acceptable range of the organization, help judge whether the risk response is sufficient and effective, help determine the priority of actions and select feasible action plans, and thus help decision makers make reasonable decisions. Apply a systematic and structured approach
A systematic and structured approach helps improve the efficiency of risk management and produce consistent, comparable and reliable results: e)
That is, information-based
The risk management process should be based on effective information. This information can be obtained through a variety of channels such as experience feedback, observation, prediction and expert judgment, but when using it, the limitations of data, models and expert opinions should be considered, and the environment depends on the internal and external environment of the organization and the risks undertaken by the organization. It should be pointed out that risk management is affected by human factors.
Wide participation and full communication
Communication among stakeholders of an organization, especially the appropriate and timely participation of decision-makers in risk management,It helps to ensure the pertinence and effectiveness of risk management.
Product Partner Network
GB/T24353--2009
The extensive participation of stakeholders helps their views to be reflected in the risk management process, and their interests are fully considered when determining the risk preferences of the organization. The extensive participation of stakeholders should be based on the clear recognition of their rights and responsibilities.
There is a need for continuous, two-way and timely communication between stakeholders, especially in terms of major risk events and the effectiveness of risk management.
Continuous Improvement
Risk management is a dynamic process that adapts to environmental changes. An information feedback loop is formed between its various steps. With the occurrence of internal and external events, changes in organizational environment and knowledge, and the implementation of monitoring and inspection, some risks may change, some new risks may appear, and others may disappear. Therefore, the organization should continue to be sensitive to various changes and respond appropriately. The organization should use performance measurement, inspection and adjustment to continuously improve risk management. 5 Risk Management Process
5.1 Overview
The risk management process is an integral part of risk management, and is integrated into the organizational culture and practices, and runs through the organization's business processes. The risk management process consists of the activities described in 5.2 to 5., namely, clarifying environmental information, risk assessment, risk response, supervision and inspection, as shown in Figure 1. Among them, risk assessment includes steps such as risk identification and risk evaluation.
It should be integrated and recorded throughout the various activities of the risk management process, and will be described in detail in 6. 5.2 Clarify Environmental Information
5.3 Risk Assessment
542 Risk Identification
5.2 Clarify Environmental Information
5.2. 1 Overview
53.3 Risk Analysis
5.3.4 Risk Assessment
Risk Response
Figure 1 Risk Management Process
By clarifying the environmental information, the organization can clarify its risk management objectives, determine the internal and external parameters related to the organization, and set the scope of risk management and related risk rules. 5.2.2 External Environmental Information
External environmental information is the historical, current and future information about the external environment that the organization faces in the process of achieving its objectives: In order to ensure that the objectives and concerns of external stakeholders are fully considered when formulating risk criteria, the organization needs to understand the external environmental information. The external environmental information is based on the overall environment of the organization, including legal and regulatory requirements, stakeholder demands and other information related to the specific risk management process. External environmental information includes but is not limited to:
International, domestic, regional and local political, economic, cultural, legal, regulatory, technological, financial, natural and competitive environments; external key factors that affect the achievement of organizational goals and their history and changing trends: external stakeholders and their demands, values, risk tolerance; the relationship between external stakeholders and the organization, etc. 5.2.3 Internal environmental information
Internal environmental information is the historical, current and future information about the internal environment faced by the organization in the process of achieving its goals. The risk management process should be adapted to the organization's culture, business processes and structure, including anything within the organization that affects its risk management. The organization needs to clarify the internal environmental information, because risks may affect various aspects of the organization's strategy, daily operations or project operations, and thus further affect the organization's value, credit commitment, etc.:
The objectives and related inferences of specific activities carried out by risk management under the specific objectives and management conditions of the organization should be considered in the overall objectives of the organization. Internal environmental information may include: the organization's marketing objectives and business strategies, resources, knowledge and capabilities (such as money, time, manpower, processes and technology); information systems, decision-making processes (including formal and informal); stakeholders and their demands, values, risk tolerance: internal interests; the standard model adopted: the organizational chart (including governance structure, tasks and responsibilities, etc.); management processes and measures; environmental information related to the risk management implementation process, etc. Among them, the environmental information of the risk management process changes according to the needs of the organization, including but not limited to the scope and objectives of the risk management work carried out, the resources required, the purpose of the risk management process; the depth and breadth of the risk management activities to be performed; the integration of risk management activities and the elements between the activities: risk assessment methods and the data used; risk management performance evaluation platform: decisions that need to be made, risk inference principles, etc.
5.2.4 Determine risk criteria
Risk criteria are the criteria used by the organization to evaluate the importance of risks. Therefore, risk criteria need to reflect the organization's risk tolerance, the organization's values, goals and resources. Some risk criteria directly or indirectly reflect legal and regulatory requirements or other requirements that the organization needs to follow. Risk criteria should be consistent with the organization's risk management objectives. Specific risk flow charts should be developed as early as possible in the risk management process and continuously reviewed and improved. The following factors should be considered when determining risk criteria: the nature and type of possible consequences and the measurement of consequences: - measurement of probability:
- time limit of probability and consequence;
- risk measurement method:
- determination of risk level;
htt
GB/T24353-—2009
- acceptable risk or tolerable risk level for stakeholders: the impact of the combination of multiple risks.
By paying attention to the above factors and other related factors: it will help ensure that the risk management methods adopted by the organization are suitable for the current situation of the organization and the risks it faces.
5.3 Risk Assessment
5.3.1 Overview
Risk assessment includes three steps: risk identification, risk analysis and risk evaluation. 5.3.2 Risk Identification
Risk identification is to generate a comprehensive risk list by identifying risk sources, impact scope, events and their causes and potential consequences. Risk identification not only considers the possible losses caused by the relevant events, but also the opportunities contained therein. When conducting risk identification, the benefits and information should be collected. When necessary, applicable background information should be included. In addition to identifying possible risk events, the possible causes and possible consequences should also be considered, including all important causes and consequences. Regardless of whether the risk source of the risk event is under the control of the organization or whether its cause is known, it should be identified. In addition, attention should be paid to risk events that have occurred, especially those that have occurred recently. Risk identification requires the participation of all relevant personnel. The risk identification tools and techniques used by the organization should be appropriate to its objectives, capabilities and environment.
5.3.3 Risk Analysis
Risk analysis is a qualitative and quantitative analysis of identified risks based on the type of risk, the information obtained and the use of risk assessment results, to provide support for risk assessment and risk response. Risk analysis should consider the causes and sources of risks, the positive and negative consequences of risk events and their likelihood of occurrence, the factors affecting the consequences and likelihood, the relationship between different risks and their risk sources, and other characteristics of risks, as well as existing alternative management measures and their effectiveness and efficiency. In risk analysis, the risk tolerance of the organization and its sensitivity to premises and assumptions should be considered, and effective communication should be carried out with decision makers and other stakeholders in a timely manner. In addition, possible differences in expert opinions and limitations of data and models should also be considered. Based on the time of risk analysis, the information and data resources obtained, risk analysis can be qualitative, semi-quantitative, quantitative or a combination of methods: Generally, qualitative analysis is used first to gain a preliminary understanding of the risk level and reveal the main risks. Where appropriate, conduct a conditional and quantitative risk analysis.
Consequences and likelihoods may be determined through expert opinion, or by modeling the consequences of an event or combination of events, or by extrapolating data obtained from experimental studies or trials. The description of consequences may be expressed as tangible or intangible impacts. In some cases, a series of indicators may be needed to accurately describe the consequences at different times, locations, categories or situations. 5.3.4 Risk Assessment
Risk assessment is to compare the results of risk analysis with the organization's risk criteria, or to compare the results of various risk analyses, determine the risk level, and make risk-based decisions: If the risk is a newly identified risk, the corresponding risk criteria should be determined to evaluate the risk.
The results of risk assessment should meet the needs of risk response, otherwise, further analysis should be done. Sometimes, based on the established risk criteria, risk assessment enables the organization to decide to continue with the existing risk response measures and not take new measures. 5.4 Risk Response
5.4.1 Overview
Risk response is to select and implement one or more measures to change the risk, including measures to change the likelihood or consequences of risk events. Risk response decisions should take into account various environmental information, including the risk tolerance of internal and external stakeholders, as well as legal, regulatory and other requirements:
The formulation and evaluation of risk response measures may be an incremental process. For the above risk response measures, it is necessary to evaluate whether the residual risk is acceptable. If the residual risk is unacceptable, new risk response measures should be adjusted or formulated, and the effectiveness of the new risk response measures should be evaluated until the residual risk is acceptable. The implementation of risk response measures will change the organizational risk. The organization should track and monitor the effectiveness of risk response and the relevant environmental information of the organization, and evaluate the changed risks. If necessary, re-formulate risk response measures. Possible risk response measures may not be mutually exclusive. A risk response measure may not be suitable under all conditions. Risk response measures may include the following:
Deciding to stop or exit activities that may lead to risks in order to avoid risks: increasing risks or assuming new risks in order to seek opportunities: eliminating sources of risks with negative effects:
Changing the possible magnitude of risk events and the nature of their distribution; -Changing the possible consequences of risk events: -Transferring risks:
Sharing risks:
Retaining risks, etc.
Choosing risk response measures
Choosing appropriate risk response measures requires considering many aspects at any time, such as laws, regulations, social responsibilities, and environmental protection requirements. The implementation costs and benefits of risk response measures (some risks may require organizations to consider adopting risk response decisions that seem unreasonable in theory, such as risk events that may have serious negative consequences but are less likely to occur. Select several response measures and use them alone or in combination; the demands and values of stakeholders, their awareness and tolerance of risks, and their preferences for certain risk response measures. Risk response measures may fail or become ineffective during implementation. Therefore, monitoring should be an integral part of the implementation plan of risk response measures. Positive response measures should be effective. Risk response measures may cause secondary risks, which also need to be evaluated, responded to, supervised and inspected. These secondary risks should be included in the original risk response plan. Instead of treating it as a new risk independently. To do this, it is necessary to identify and examine the connection between the original risk and the secondary risk: When the risk response measures affect risks in other areas within the organization or affect other stakeholders, these impacts should be evaluated and communicated to relevant stakeholders, and the risk response measures should be adjusted when necessary. Decision makers and other stakeholders should be clear about the nature and extent of the remaining risks after the risk response measures are taken. 5.4.3 Develop a risk response plan
After selecting the risk response measures, it is necessary to develop a corresponding risk response plan. Expected benefits:
Performance indicators and their evaluation methods;
Risk management responsible persons and personnel arrangements for risk response measures: Specific business and management activities involved in the risk response measures: Risk The risk response plan should include the following information: When selecting multiple possible risk-paired measures, the priority of implementing risk response measures; reporting, supervision and inspection requirements;
Channel arrangements with appropriate stakeholders; Resource requirements, including resource requirements for emergency mechanisms; Implementation schedule, etc.
Risk response plans should be integrated with the organization's management processes. 5.5 Supervision and inspection
The organization should clearly define the responsibilities for supervision and inspection. Supervision and inspection may include:
Monitoring events, analyzing changes and trends and learning lessons from them; Discovering changes in internal and external environmental information, including changes in the risks themselves, possible changes in risk response measures and their implementation priorities;
http
|fnodmatono
GB/T243532009
一Supervise and record the residual risk after the implementation of risk response measures so that further treatment can be carried out when appropriate. When applicable, check the deviation between the work progress and the plan against the risk response plan to ensure the design and implementation of risk response measures are effective:
一Report on risks, progress of risk response plans and compliance with risk management policies; -Implement risk management performance evaluation.
Risk management performance evaluation should be incorporated into the performance management of the organization and the internal and external reporting system of the organization. Supervision and inspection activities include routine inspections, monitoring of known risks, regular or irregular inspections, and regular or irregular inspections should be included in the risk response plan.
When appropriate, the results of supervision and inspection should be recorded and reported internally or externally: 5.6 Communication and Records
5.6.1 Communication
The organization should communicate effectively with internal and external stakeholders at every stage of the risk management process to ensure that those responsible for implementing risk management and stakeholders understand the basis for the organization's risk management decisions and why certain actions need to be taken. Due to the different values, demands, assumptions, cognitions and concerns of stakeholders, their risk preferences are also different and may have a significant impact on decision-making. Therefore, the organization should fully communicate with stakeholders during the decision-making process, identify and record the risk preferences of stakeholders.
5.6.2 Records
In the risk management process, records are the basis for implementing and improving the entire risk management process. The following aspects should be considered when establishing records:
The need to reuse information for management purposes; the need to further analyze risks and adjust risk responses; the traceability requirements of risk management activities;
The need for records in laws, regulations and trade; the need for continuous learning of the organization itself
The cost and effort required to establish and maintain records; the method of obtaining information, the ease of access to information and the storage media; the retention period of records:
The sensitivity of information
6 Implementation of risk management
6.1 Overview
The implementation of the risk management process (see Chapter 5) requires a risk management system, including the infrastructure such as relevant policies, organizational structure, work procedures, resource allocation, information communication mechanisms and related technical means to embed risk management into all levels and activities of the organization. By implementing the risk management process at different levels of the organization and in specific environments, the risk management system helps the organization to effectively manage risks. The organization's risk management system may consist of subsystems that implement risk management processes at various levels and in specific environments, such as internal control systems. Risk management systems should ensure that risk information is fully communicated during the risk management process and used as a basis for decision-making and accountability within the relevant organizational levels. Based on the review, the organization should make decisions on how to improve the risk management system, policies and risk response plans: thereby guiding the improvement of the organization's risk management and risk management culture. The elements of the risk management system mainly include: 1. Risk management approach; 2. Appropriate systems and procedures to integrate risk management into all activities and processes of the organization; 3. Responsibilities related to the organizational structure: and relevant risk management performance indicators that are consistent with the organization's performance indicators; 4. Resource allocation; 5. Mechanisms for communicating risk management with all stakeholders: technical means, methods, tools, etc.
62 Risk Management Policy
The risk management policy should specify the following items: Organization's risk management philosophy
The organization's top management's commitment to risk management: Organization's risk management objectives;
Organization's risk preferences:
The relationship between the risk management policy and the organization's objectives and other policies:
Risk management responsibility allocation:
Procedures and methods for managing risks;
Risk management resource allocation!
Methods for measuring and reporting risk management performance: "Plan for establishing a risk management system;
Commitment for continuous improvement,
The organization should fully communicate the risk management policy with internal and external stakeholders6.3 Risk Management Procedures
GB/T24353-2009
Organizations should design appropriate systems and behavioral norms, establish risk management procedures, especially risk management plans at the organizational level, to ensure that risk management is embedded in all activities and processes of the organization, especially in the organization's strategic planning, operational processes and change management.
6.4 Risk Management Related Organizational Structurewww.bzxz.net
Organizations can ensure the identification and authorization of risk management responsibilities through the following methods, so as to be able to implement the risk management process and ensure the adequacy and effectiveness of risk management:
Clearly define the responsibilities of personnel who formulate, implement and maintain the risk management system:-Clearly define the responsibilities of personnel who implement risk response measures, maintain the risk management system and report relevant risk information: Establish an approval and authorization system:
Establish performance measurement and corresponding appropriate reward and punishment systems: Establish internal and external reporting mechanisms, etc.
6.5 Risk Management Resource Allocation
Organizations need to develop feasible methods based on risk management plans to allocate appropriate resources for risk management. Specifically, the following personnel, technology, experience and capabilities should be considered:
Funds and various resources required for each stage of the risk management process; Process and procedure steps for data recording;
- Information and knowledge management system.
6.6 Communication and reporting mechanism
6.6.1 Internal communication and reporting mechanism
The organization should establish an internal communication and reporting mechanism to ensure that the key components of the risk management system and their adjustments are properly communicated; - Fully report the effectiveness and efficiency of the implementation of the risk response plan within the organization; - Provide relevant information on risk management at an appropriate time; -
Tip: This standard content only shows part of the intercepted content of the complete standard. If you need the complete standard, please go to the top to download the complete standard document for free.