qITIL Intermediate Course - Risk Management.docx

Uploaded by: 小飞机 Document ID: 1846062 Upload date: 2022-12-21 Format: DOCX Pages: 70 Size: 117.27KB

Contents

CHAPTER 1: INTRODUCTION
o 1.1 Purpose of this guide
o 1.2 What is management of risk?
o 1.3 Why management of risk is important
o 1.4 Who is involved in risk management
o 1.5 How to use this guide
o 1.6 The research for this guidance

CHAPTER 2: PRINCIPLES
o 2.1 Critical success factors for management of risk
o 2.2 What is at risk and why?
o 2.3 Decisions about risk
o 2.4 Where risks occur
o 2.5 A framework for managing risk
o 2.6 Risk ownership
o 2.7 Embedding the risk management culture
o 2.8 Budgets

CHAPTER 3: HOW RISKS ARE MANAGED
o 3.1 Defining a framework for management of risk
o 3.2 Risk identification
o 3.3 Identifying probable risk owners
o 3.4 Risk evaluation
o 3.5 Setting risk tolerances
o 3.6 Response to risk
o 3.7 Implementing risk responses
o 3.8 Monitoring responses
o 3.9 Assurance and review
o 3.10 Continuing to improve

CHAPTER 4: MANAGING RISK AT THE STRATEGIC LEVEL
o 4.1 Types of risk
o 4.2 Where to apply risk management
o 4.3 When to do it
o 4.4 Who is involved
o 4.5 Strategic level policy for management of risk

CHAPTER 5: MANAGING RISK AT THE PROGRAMME LEVEL
o 5.1 Areas of risk
o 5.2 Types of risk
o 5.3 Where to apply risk management
o 5.4 When to do it
o 5.5 Who is involved
o 5.6 Programme level policy for management of risk

CHAPTER 6: MANAGING RISKS AT THE PROJECT LEVEL
o 6.1 Breaking down a project
o 6.2 Types of risk
o 6.3 Where to apply risk management
o 6.4 When to do it
o 6.5 Who is involved
o 6.6 Project level policy for management of risk

CHAPTER 7: MANAGING RISK AT THE OPERATIONAL LEVEL
o 7.1 Types of risk
o 7.2 Where to apply risk management
o 7.3 When to do it
o 7.4 Who is involved
o 7.5 Operational level policy for management of risk

CHAPTER 8: TECHNIQUES
o 8.1 Risk identification approaches
o 8.2 Risk management approaches
o 8.3 Documentation techniques
o 8.4 External review of activities
o 8.5 Applying the risk management processes

ANNEX A: EXAMPLES OF BENEFITS OF RISK MANAGEMENT
o A1 Strategic benefits
o A2 Financial benefits
o A3 Programme benefits
o A4 Business process benefits
o A5 Overall management benefits

ANNEX B: HEALTHCHECK: HOW WELL IS YOUR ORGANISATION MANAGING RISK?
o B1 Key elements
o B2 Review of overall effectiveness
o B3 Checklist: risk ownership
o B4 Checklist: on risk identification
o B5 Checklist: risk evaluation and assessment of the organisation's willingness to take on risk
o B6 Checklist: risk response
o B7 Checklist: monitoring and control mechanisms

ANNEX C: CATEGORISING RISK
o C1 Threats and impacts
o C2 Strategic risk - major threats
o C3 Threats to projects or programmes
o C4 Operational risks

ANNEX D: SETTING A STANDARD FOR EVALUATION OF RISK
o D1 Using the summary risk profile
o D2 Looking at probability
o D3 Looking at impact

ANNEX E: PROCUREMENT, CONTRACTUAL AND LEGAL CONSIDERATIONS
o E1 Modular and incremental approaches
o E2 Contract risk management
o E3 Outsourcing to support business needs
o E4 Legal aspects of procurement

ANNEX F: BUSINESS CONTINUITY MANAGEMENT
o F1 Why is business continuity management important?
o F2 What is business continuity management?
o F3 How to implement business continuity management
o F4 Structuring business continuity plans
o F5 Business continuity supported by a risk management process
o F6 Who to involve in business continuity management
o F7 Issues to consider in a BCP
o F8 Assuring your BCP is viable
o F9 Where to store BCPs
o F10 Communications
o F11 BCM summary

ANNEX G: MANAGING ORGANISATIONAL SAFETY AND SECURITY
o G1 How are safety and security related?
o G2 Mandate for ensuring safety and security
o G3 Securing assets
o G4 Securing incidents
o G5 Adopting good practice in information security management

ANNEX H: INFORMATION ON FURTHER TECHNIQUES TO SUPPORT MANAGEMENT OF RISK
o H1 Risk identification workshops
o H2 Risk management workshops
o H3 Cause-and-effect diagrams
o H4 Decision trees
o H5 Insurance premium approach
o H6 Critical path analysis (CPA) or critical path method (CPM)
o H7 Monte Carlo simulation
o H8 Risk map
o H9 Probability and impact grid
o H10 Scatter diagram
o H11 Radar chart
o H12 Risk indicators

ANNEX J: LESSONS LEARNED FROM OTHERS
o J1 Assessing success
o J2 Why projects fail
o J3 Stopping a project
o J4 Barriers

ANNEX K: ASSESSING THE SUITABILITY OF TOOLS
o K1 Issues to consider when selecting tools
o K2 Appraisal and evaluation in context
o K3 General appraisal procedure
o K4 Customisation of criteria

ANNEX L: DOCUMENTATION OUTLINES
o L1 Business Case
o L2 Business Continuity Plan (BCP)
o L3 Communications Plan
o L4 Contingency plan
o L5 Management of Risk Policy
o L6 (Activity) plans for programme and/or project
o L7 Risk Register
o L8 Security policy
o L9 Stakeholder map
o L10 Summary Risk Profile

CHAPTER 1: INTRODUCTION

1.1 Purpose of this guide
1.2 What is management of risk?
1.3 Why management of risk is important
1.4 Who is involved in risk management
1.5 How to use this guide
1.6 The research for this guidance

1.1 Purpose of this guide

This guide is intended to help organisations to put in place effective frameworks for taking informed decisions about risk. The guidance provides a route map for risk management, bringing together recommended approaches, checklists and pointers to more detailed sources of advice on tools and techniques. It expands on the OGC Guidelines for Managing Risk.

The process of investment appraisal, in which assessments are made of costs, benefits and risks, is outside the scope of this guide. However, many of the principles and techniques described here can
be used when developing the business case. The approach described in this guide complements OGC's guidance on programme and project management and is continually updated to reflect current thinking. This approach, branded by OGC as M_o_R (Management of Risk), is supported by training and qualifications.

1.2 What is management of risk?

In this guide risk is defined as uncertainty of outcome, whether positive opportunity or negative threat. The term management of risk incorporates all the activities required to identify and control the exposure to risk which may have an impact on the achievement of an organisation's business objectives.

Every organisation manages its risk, but not always in a way that is visible, repeatable and consistently applied to support decision making. The task of management of risk is to ensure that the organisation makes cost effective use of a risk process that has a series of well defined steps. The aim is to support better decision making through a good understanding of risks and their likely impact.

There are two distinct phases: risk analysis and risk management. Risk analysis is concerned with gathering information about exposure to risk so that the organisation can make appropriate decisions and manage risk appropriately.

Management of risk involves having processes in place to monitor risks, access to reliable and up to date information about risks, the right balance of control in place to deal with those risks, and decision making processes supported by a framework of risk analysis and evaluation.

Management of risk covers a wide range of topics, including business continuity management, security, programme/project risk management and operational service management. These topics need to be placed in the context of an organisational framework for the management of risk. Some risk-related topics, such as security, are highly specialised and this guidance provides only an overview of such aspects.

1.3 Why management of risk is important

A certain amount of risk taking is inevitable if your organisation is to achieve its objectives. Effective management of risk helps you to improve performance by contributing to:
o increased certainty and fewer surprises
o better service delivery
o more effective management of change
o more efficient use of resources
o better management at all levels through improved decision making
o reduced waste and fraud, and better value for money
o innovation
o management of contingent and maintenance activities.

See Annex A for examples of the benefits of more effective management of risk.

1.4 Who is involved in risk management

In practice, everyone in an organisation is involved in risk management to some extent and should be
aware of their responsibilities in identifying and managing risk. However, there are some aspects for which responsibility must be assigned to individuals. Without clear responsibility (and the authority to support that responsibility) some risks will be missed or overlooked.

In the public sector, there are two major roles with a clear responsibility to ensure risks are managed (there will be equivalents to these roles in private sector organisations). These roles are:
o an Accounting Officer (or equivalent senior manager), who is responsible for the organisation's overall exposure to risk. Typically this person will be the Chief Executive Officer (CEO); the senior manager in the organisation. They may delegate some of the actions but cannot forgo the responsibility
o a senior manager acting as a project owner, who is responsible for risk relating to a specific programme or project and for the realisation of associated business benefits.

Audience for this guidance

Business managers, process owners, strategic planners, project and procurement teams, business continuity planners and security teams are the primary audience for this guidance, together with their service providers.

It will also be of interest to auditors, with their responsibility for ensuring effective corporate governance.

1.5 How to use this guide

Chapter 1 introduces the structure, process and culture of management of risk, explaining why organisations need to devise and implement effective strategies in order to maximise opportunities and minimise threats to the achievement of their business objectives. It identifies key personnel in the management of risk and the target audience for the guidance.

Chapter 2 outlines the key principles underpinning management of risk: establishing a risk management framework, risk ownership, where risks occur, the decision making process, the importance of embedding the risk management culture, and allocating realistic budgets.

Chapter 3 describes the main activities of management of risk. It contains practical examples, pointers and checklists for identifying and responding to risk, and monitoring risk responses.

Chapters 4-7 explain when and how management of risk should be applied throughout an organisation, at the strategic, programme, project and operational levels.

Chapter 8 discusses the range of techniques available to support the risk management process.

The Annexes
provide supporting detail:
o A: Examples of benefits of risk management
o B: Healthcheck: how well is your organisation managing risk?
o C: Categorising risk
o D: Setting a standard for evaluation of risk
o E: Procurement, contractual and legal considerations
o F: Business continuity management
o G: Managing organisational safety and security
o H: Information on further techniques to support management of risk
o J: Lessons learned from others
o K: Assessing the suitability of tools
o L: Documentation outlines.

1.6 The research for this guidance

Prepared by OGC's IT Directorate, this guidance has been developed from extensive research into current thinking and practice in both the public and private sectors, drawing on published papers and interviews/studies with a number of leading organisations involved in major change and with specialist experts in the management of risk. It builds on the recent work of the National Audit Office (NAO), HM Treasury and Cabinet Office, together with OGC's published guidance on best practice in risk management; it also aims to address issues relating to corporate governance.

This guidance responds to lessons learned and the experiences of real-world practical issues, as reported by consultants in OGC's Strategic Assignments Consultancy Service and their clients. In addition, it incorporates feedback from contributors to OGC workshops and other review channels. These contributions are acknowledged with thanks.

CHAPTER 2: PRINCIPLES

2.1 Critical success factors for management of risk
2.2 What is at risk and why?
2.3 Decisions about risk
2.4 Where risks occur
2.5 A framework for managing risk
2.6 Risk ownership
2.7 Embedding the risk management culture
2.8 Budgets

This chapter outlines the key principles underpinning the effective management of risk.

2.1 Critical success factors for management of risk

The key elements that need to be in place if risk management is to be effective, and innovation encouraged, include:
o clearly identified senior management to support, own and lead on risk management
o risk management policies and the benefits of effective management clearly communicated to all staff
o existence and adoption of a framework for management of risk that is transparent and repeatable
o existence of an organisational culture which supports well thought-through risk taking and innovation
o management of risk fully embedded in management processes and consistently applied
o management of risk closely linked to achievement of objectives
o risks associated with working with other organisations explicitly assessed and managed
o risks actively monitored and regularly reviewed on a constructive no-blame basis.

Joint working and partnerships often involve more complex types
of risk that can adversely affect the delivery of business services. For example, if part of the service provided by one organisation is delayed or of poor quality, the success of the whole collaboration can be put at risk. You must make sure that your organisation knows about the risk management approaches of your partners. Sharing information about risk management means that risks in collaborative programmes can be identified and managed in a proactive way.

Public sector concerns

The Modernising Government initiative seeks to encourage the public sector to adopt well managed risk taking where it is likely to lead to sustainable improvements in service delivery. More effective risk management will improve the public sector's ability to undertake the increasingly complex and cross-cutting projects that are demanded by the Modernisation agenda. Public sector organisations need to have in place the skills, management structures and organisational structures to take advantage of potential opportunities to perform better and to reduce the possibility of failure.

The key areas that have to be addressed are:
o the requirements of corporate governance including more focused and open ways of managing risk (see the section on corporate governance below)
