【正文】 cision making. The task of management of risk is to ensure that the organisation makes cost effective use of a risk process that has a series of well defined steps. The aim is to support better decision making through a good understanding of risks and their likely impact.There are two distinct phases: risk analysis and risk management. Risk analysis is concerned with gathering information about exposure to risk so that the organisation can make appropriate decisions and manage risk appropriately.Management of risk involves having processes in place to monitor risks, access to reliable and up to date information about risks, the right balance of control in place to deal with those risks, and decision making processes supported by a framework of risk analysis and evaluation.Management of risk covers a wide range of topics, including business continuity management, security, programme/project risk management and operational service management. These topics need to be placed in the context of an organisational framework for the management of risk. Some riskrelated topics, such as security, are highly specialised and this guidance provides only an overview of such aspects. Why management of risk is importantA certain amount of risk taking is inevitable if your organisation is to achieve its objectives. Effective management of risk helps you to improve performance by contributing to: increased certainty and fewer surprises better service delivery more effective management of change more efficient use of resources better management at all levels through improved decision making reduced waste and fraud, and better value for money innovation management of contingent and maintenance activities. See Annex A for examples of the benefits of more effective management of risk. Who is involved in risk managementIn practice, everyone in an organisation is involved in risk management to some extent and should be aware of their responsibilities in identifying and managing risk. However, there are some aspects for which responsibility must be assigned to individuals. Without clear responsibility (and the authority to support that responsibility) some risks will be missed or overlooked.In the public sector, there are two major roles with a clear responsibility to ensure risks are managed (there will be equivalents to these roles in private sector organisations). These roles are: an Accounting Officer (or equivalent senior manager), who is responsible for the organisation’s overall exposure to risk. Typically this person will be the Chief Executive Officer (CEO)。 the senior manager in the organisation. They may delegate some of the actions but cannot forgo the responsibility a senior manager acting as a project ‘owner’, who is responsible for risk relating to a specific programme or project and for the realisation of associated business benefits. Audience for this guidanceBusiness managers, process owners, strategic planners, project and procurement teams, business continuity planners and security teams are the primary audience for this guidance, together with their service providers.It will also be of interest to auditors, with their responsibility for ensuring effective corporate governance. How to use this guideChapter 1 introduces the structure, process and culture of management of risk, explaining why organisations need to devise and implement effective strategies in order to maximise opportunities and minimise threats to the achievement of their business objectives. It identifies key personnel in the management of risk and the target audience for the guidance.Chapter 2 outlines the key principles underpinning management of risk: establishing a risk management framework, risk ownership, where risks occur, the decision making process, the importance of embedding the risk management culture, and allocating realistic budgets.Chapter 3 describes the main activities of management of risk. It contains practical examples, pointers and checklists for identifying and responding to risk, and monitoring risk responses.Chapters 4–7 explain when and how management of risk should be applied throughout an organisation, at the strategic, programme, project and operational levels.Chapter 8 discusses the range of techniques available to support the risk management process.The Annexes provide supporting detail: A: Examples of benefits of risk management B: Healthcheck: how well is your organisation managing risk? C: Categorising risk D: Setting a standard for evaluation of risk E: Procurement, contractual and legal considerations F: Business continuity management G: Managing organisational safety and security H: Information on further techniques to support management of risk J: Lessons learned from others K: Assessing the suitability of tools L: Documentation outlines. The research for this guidancePrepared by OGC39。s IT Directorate, this guidance has been developed from extensive research into current thinking and practice in both the public and private sectors, drawing on published papers and interviews/studies with a number of leading organisations involved in major change and with specialist experts in the management of risk. It builds on the recent work of the National Audit Office (NAO), HM Treasury and Cabinet Office, together with OGC39。s published guidance on best practice in risk management。 it also aims to address issues relating to corporate governance.This guidance responds to lessons learned and the experiences of realworld practical issues, as reported by consultants in OGC39。s Strategic Assignments Consultancy Service and their clients. In addition, it incorporates feedback from contributors to OGC workshops and other review channels. These contributions are acknowledged with thanks.CHAPTER 2: PRINCIPLES Critical success factors for management of risk What is at risk and