s occurring at each organisational level.

Table 1: Risk related to organisational levels

Level: Examples of typical risks considered at this level

Strategic/corporate: Commercial, financial, political, environmental, directional, cultural, acquisition and quality risks. There is a focus on business survival, continuity and growth for the programme, project and operational risks exceed set criteria – . not acceptable, outside agreed limits, could affect strategic objectives, information needs to be escalated to this level so that appropriate decisions can be taken.

Programme: Procurement/acquisition, funding, organisational, projects, security, safety, quality and business continuity project and operational risks exceed set criteria – . not acceptable, outside agreed limits, could affect programme objectives, information needs to be escalated to this level so that appropriate decisions can be taken.

Project: Personal, technical, cost, schedule, resource, operational support, quality and provider issues/risks should be considered at this level as they affect the project and how it needs to be run. Information on strategic and programme related risks should be communicated to this level where they could affect project objectives. Project managers should communicate information on risks to other projects and operations as appropriate.

Operations: Personal, technical, cost, schedule, resource, operational support, quality, provider failure, environmental and infrastructure the higher levels have input to this level; specific concerns include business continuity management/contingency planning, support for business processes and customer relations.

Additional factors

Additional factors may increase the complexity of assessing overall exposure to risk. These include:

- interdependencies, or links between projects and/or related issues, where the impact of one or more risks could affect others, possibly creating a ‘domino’ effect.
  You should ensure that any known interdependencies are identified and assessed so that appropriate action can be planned.
- the relationship between business benefits and risks to delivery, where achievement of benefits is dependent on successful delivery of a project. You should continually check whether changing plans affect the achievement of benefits.

A framework for managing risk

A framework for management of risk sets the context in which risks will be identified, analysed, controlled, monitored and reviewed. It must be consistent with processes that are embedded in everyday management and operational practices. It addresses:

- how risks are identified
- how information about their probability and potential impact is obtained
- how risks are quantified
- how options to deal with them are identified
- how decisions on risk management are made, such as further risk reduction
- how these decisions are implemented
- how actions are evaluated for their effectiveness
- how appropriate communication mechanisms are set up and supported
- how stakeholders are engaged throughout the process.

(See Chapter 3 for more information about the management of risk framework and supporting processes.)

Risk ownership

For the organisation, ownership of the risk management framework lies with the Accounting Officer (or equivalent senior manager at Board level). Individual senior managers own the programme or project and are responsible for the management of the overall risk of that activity. However, these roles do not own all the individual risks. Risk ownership must be clearly defined, documented and agreed with the individual owners at all levels, so that they understand their various roles, responsibilities and ultimate accountability with regard to the management of risk.
The owner of a risk may not be the person tasked with the assessment or management of the risk, but he or she is responsible for ensuring the management of risk process is applied – there may be separate owners to actually deal with the risks.

It is important to identify who owns:

- the setting policy and the organisation’s willingness to take risk
- the management of risk process at the different levels – that is, strategic, programme, project, operational levels
- different elements of the management of risk process, such as identifying threats, through to producing risk responses and reporting on decisions
- implementation of the actual measures taken in response to the risks
- interdependent risks that cross organisational boundaries, whether they are business processes, operational services or projects.

For example, for a senior manager with responsibility for a project, ownership of risk could be defined as follows:

Senior managers responsible for projects must assure themselves that a number of types of risk are being tracked and dealt with as effectively as possible. The mechanisms in place for monitoring and reporting risk will vary according to the size and complexity of the project or programme, ranging from the use of a simple risk register to the appointment of a risk manager reporting directly to the senior manager. Clearly, the degree of delegation adopted by the senior manager will vary, but he or she must be sure that the critical issues are being addressed; for example, through chairing the project board or by developing strong mechanisms for reporting problems.

Checklist: ownership of risk and the process

- Have owners been allocated for all the various parts of the complete management of risk process?
- Are the various roles and responsibilities associated with ownership well defined?
- Do the individuals who have been allocated ownership actually have the authority and capability to fulfil their responsibilities?
  For example, suppliers may be tasked with risk ownership.
- Have the various roles and responsibilities been communicated and understood?
- Are the nominated owners appropriate and aware of their nomination?
- Is ownership re