【正文】 Design of framework for managing risk風(fēng)險(xiǎn)管理框架的設(shè)計(jì) Understanding of the organization and its context理解組織及組織的環(huán)境Before starting the design and implementation of the framework for managing risk, it is important。確保為風(fēng)險(xiǎn)管理分配必要的資源? municate the benefits of risk management to all stakeholders。確保與法律法規(guī)相一致? assign accountabilities and responsibilities at appropriate levels within the organization。確保使風(fēng)險(xiǎn)管理績(jī)效指標(biāo)與組織績(jī)效指標(biāo)相一致? align risk management objectives with the objectives and strategies of the organization。s culture and risk management policy are aligned。管理層應(yīng)該：? define and endorse the risk management policy。s existing management practices and processes include ponents of risk management or if the organization has already adopted a formal risk management process for particular types of risk or situations, then these should be critically reviewed and assessed against this International Standard, including the attributes contained in Annex A, in order to determine their adequacy and effectiveness.如果一個(gè)組織的現(xiàn)有管理方法和程序包括風(fēng)險(xiǎn)管理的組成部分，或者該組織針對(duì)特殊類型的風(fēng)險(xiǎn)和環(huán)境采用了正式的風(fēng)險(xiǎn)管理流程，那么，這些措施應(yīng)嚴(yán)格審查，并參照這一國(guó)際標(biāo)準(zhǔn)，包括附件A中的內(nèi)容進(jìn)行評(píng)估，以確保其充分性和有效性。因此，組織可以采用框架適當(dāng)?shù)牟糠忠赃m應(yīng)其特殊的需要。本條款描述了框架中風(fēng)險(xiǎn)管理的各組成部分，及其相互聯(lián)系，如圖2所示。The framework assists in managing risks effectively through the application of the risk management process (see Clause 5) at varying levels and within specific contexts of the organization. The framework ensures that information about risk derived from these processes is adequately reported and used as a basis for decision making and accountability at all relevant organizational levels.This clause describes the necessary ponents of the framework for managing risk and the way in which they interrelate in an iterative manner, as shown in Figure 2.該框架通過風(fēng)險(xiǎn)管理流程（見第5款）在不同層級(jí)在組織特定環(huán)境的實(shí)施，確保管理風(fēng)險(xiǎn)的有效性。附件A提供了組織希望更有效的管理風(fēng)險(xiǎn)的進(jìn)一步意見。因此，風(fēng)險(xiǎn)管理需要持續(xù)的意識(shí)和不斷響應(yīng)以應(yīng)對(duì)變化。參與過程允許利益相關(guān)者提出異議，并將其意見考慮到風(fēng)險(xiǎn)標(biāo)準(zhǔn)的決定過程之中。s objectives.風(fēng)險(xiǎn)管理意識(shí)到可以促進(jìn)或阻礙組織目標(biāo)的實(shí)現(xiàn)的內(nèi)部和外部人的能力，觀念和意圖。s external and internal context and risk profile. 風(fēng)險(xiǎn)管理與該組織的外部和內(nèi)部環(huán)境及風(fēng)險(xiǎn)狀況是相匹配的。然而，決策者應(yīng)該了解并應(yīng)考慮到，數(shù)據(jù)或模型的局限性以及專家之家分歧的可能性。e) Risk management is systematic, structured and ，有組織和及時(shí)的A systematic, timely and structured approach to risk management contributes to efficiency and to consistent, parable and reliable results. 有系統(tǒng)的，及時(shí)的和結(jié)構(gòu)性的風(fēng)險(xiǎn)管理方法有助于提高效率和連貫一致的，可衡量的和可靠的結(jié)果。c) Risk management is part of decision Risk management helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.風(fēng)險(xiǎn)管理可以幫助決策者作出明智的選擇，優(yōu)先行動(dòng)和區(qū)分備選行動(dòng)方針。b) Risk management is an integral part of all organizational Risk management is not a standalone activity that is separate from the main activities and processes of the organization. Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.風(fēng)險(xiǎn)管理不是一個(gè)從組織的主要活動(dòng)和流程中分開的孤立活動(dòng)。 and與其他團(tuán)體風(fēng)險(xiǎn)共擔(dān)（包括合同、風(fēng)險(xiǎn)融資）? retaining the risk by informed choice. 通過知情維持風(fēng)險(xiǎn)NOTE 2 Risk treatments that deal with negative consequences are sometimes referred to as “risk mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.對(duì)消極后果的風(fēng)險(xiǎn)處理可以歸為“風(fēng)險(xiǎn)緩和”、“風(fēng)險(xiǎn)消除”、“風(fēng)險(xiǎn)預(yù)防”和“風(fēng)險(xiǎn)減小”NOTE 3 Risk treatment can create new risks or modify existing risks.風(fēng)險(xiǎn)處理可能產(chǎn)生新的風(fēng)險(xiǎn)或修正已存在的風(fēng)險(xiǎn)[ISO Guide 73:2009, definition ]measure that is modifying risk ()修正風(fēng)險(xiǎn)的措施NOTE 1 Controls include any process, policy, device, practice, or other actions which modify risk.控制包括任何流程、政策、策略、時(shí)間或其他修正風(fēng)險(xiǎn)的行動(dòng)NOTE 2 Controls may not always exert the intended or assumed modifying effect.控制可能不總是符合產(chǎn)生預(yù)期或假定的修正效果[ISO Guide 73:2009, definition ] risk剩余風(fēng)險(xiǎn)risk () remaining after risk treatment ()通過風(fēng)險(xiǎn)處理后仍然存在的風(fēng)險(xiǎn)NOTE 1 Residual risk can contain unidentified NOTE 2 Residual risk can also be known as “retained risk”.剩余風(fēng)險(xiǎn)也可以成為風(fēng)險(xiǎn)殘留[ISO Guide 73:2009, definition ]continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected不斷檢查，監(jiān)督，審慎地觀察或明確現(xiàn)狀，以確保識(shí)別與要求的或預(yù)期的績(jī)效的變化情況NOTE Monitoring can be applied to a risk management framework (), risk management process (), risk() or control ().監(jiān)控適用于風(fēng)險(xiǎn)管理框架、風(fēng)險(xiǎn)管理流程、風(fēng)險(xiǎn)和控制[ISO Guide 73:2009, definition ]activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives采取適當(dāng)、足夠、有效的活動(dòng)以保障已設(shè)目標(biāo)的達(dá)成NOTE Review can be applied to a risk management framework (), risk management process (), risk () or control ().檢查適用于風(fēng)險(xiǎn)管理框架、風(fēng)險(xiǎn)管理流程、風(fēng)險(xiǎn)和控制[ISO Guide 73:2009, definition ]3 Principles原則For risk management to be effective, an organization should at all levels ply with the principles below.為了確保風(fēng)險(xiǎn)管理富有成效，組織的各個(gè)層面應(yīng)該遵循以下原則。改變可能性? changing the consequences ()。為了追求機(jī)遇采取或增加風(fēng)險(xiǎn)? removing the risk source ()。 [ISO Guide 73:2009, definition ] profile風(fēng)險(xiǎn)描述description of any set of risks ()每一種風(fēng)險(xiǎn)的描述NOTE The set of risks can contain those that relate to the whole organization, part of the organization, or as otherwise 、組織的部分或者其他特定部分向關(guān)聯(lián)的風(fēng)險(xiǎn)[ISO Guide 73:2009, definition ] analysis風(fēng)險(xiǎn)分析process to prehend the nature of risk () and to determine the level of risk ()充分理解風(fēng)險(xiǎn)的性質(zhì)和確定風(fēng)險(xiǎn)等級(jí)的過程N(yùn)OTE 1 Risk analysis provides the basis for risk evaluation () and decisions about risk treatment ().風(fēng)險(xiǎn)分析是風(fēng)險(xiǎn)評(píng)價(jià)和風(fēng)險(xiǎn)處理決策的基礎(chǔ)NOTE 2 Risk analysis includes risk [ISO Guide 73:2009, definition ] criteria風(fēng)險(xiǎn)標(biāo)準(zhǔn)terms of reference against which the significance of a risk () is evaluated對(duì)風(fēng)險(xiǎn)評(píng)價(jià)具有重要意義的條款NOTE 1 Risk criteria are based on organizational objectives, and external () and internal context ().風(fēng)險(xiǎn)標(biāo)準(zhǔn)建立以組織目標(biāo)、外部及內(nèi)部環(huán)境為基礎(chǔ)NOTE 2 Risk criteria can be derived from standards, laws, policies and other requirements.風(fēng)險(xiǎn)標(biāo)準(zhǔn)可以從標(biāo)準(zhǔn)、法律、政策和其他要求中產(chǎn)生[ISO Guide 73:2009, definition ] of risk風(fēng)險(xiǎn)等級(jí)magnitude of a risk (), expressed in terms of the bination of consequences () and their likelihood ()風(fēng)險(xiǎn)的重要度，所風(fēng)險(xiǎn)組合所產(chǎn)生的后果和其可能性[ISO Guide 73:2009, definition ] risk evaluation風(fēng)險(xiǎn)評(píng)價(jià)process of paring the results of risk analysis () with