CAN/CSA-ISO (ISO 31000:2009, IDT) National Standard of Canada

Transcription

1 CAN/CSA-ISO (ISO 31000:2009, IDT) National Standard of Canada Risk management Principles and guidelines NOT FOR RESALE. PUBLICATION NON DESTINÉE À LA REVENTE.

2 Legal Notice for Standards Canadian Standards Association (CSA) standards are developed through a consensus standards development process approved by the Standards Council of Canada. This process brings together volunteers representing varied viewpoints and interests to achieve consensus and develop a standard. Although CSA administers the process and establishes rules to promote fairness in achieving consensus, it does not independently test, evaluate, or verify the content of standards. Disclaimer and exclusion of liability This document is provided without any representations, warranties, or conditions of any kind, express or implied, including, without limitation, implied warranties or conditions concerning this document s fitness for a particular purpose or use, its merchantability, or its non-infringement of any third party s intellectual property rights. CSA does not warrant the accuracy, completeness, or currency of any of the information published in this document. CSA makes no representations or warranties regarding this document s compliance with any applicable statute, rule, or regulation. IN NO EVENT SHALL CSA, ITS VOLUNTEERS, MEMBERS, SUBSIDIARIES, OR AFFILIATED COMPANIES, OR THEIR EMPLOYEES, DIRECTORS, OR OFFICERS, BE LIABLE FOR ANY DIRECT, INDIRECT, OR INCIDENTAL DAMAGES, INJURY, LOSS, COSTS, OR EXPENSES, HOWSOEVER CAUSED, INCLUDING BUT NOT LIMITED TO SPECIAL OR CONSEQUENTIAL DAMAGES, LOST REVENUE, BUSINESS INTERRUPTION, LOST OR DAMAGED DATA, OR ANY OTHER COMMERCIAL OR ECONOMIC LOSS, WHETHER BASED IN CONTRACT, TORT (INCLUDING NEGLIGENCE), OR ANY OTHER THEORY OF LIABILITY, ARISING OUT OF OR RESULTING FROM ACCESS TO OR POSSESSION OR USE OF THIS DOCUMENT, EVEN IF CSA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, INJURY, LOSS, COSTS, OR EXPENSES. In publishing and making this document available, CSA is not undertaking to render professional or other services for or on behalf of any person or entity or to perform any duty owed by any person or entity to another person or entity. The information in this document is directed to those who have the appropriate degree of experience to use and apply its contents, and CSA accepts no responsibility whatsoever arising in any way from any and all use of or reliance on the information contained in this document. CSA is a private not-for-profit company that publishes voluntary standards and related documents. CSA has no power, nor does it undertake, to enforce compliance with the contents of the standards or other documents it publishes. Intellectual property rights and ownership As between CSA and the users of this document (whether it be in printed or electronic form), CSA is the owner, or the authorized licensee, of all works contained herein that are protected by copyright, all trade-marks (except as otherwise noted to the contrary), and all inventions and trade secrets that may be contained in this document, whether or not such inventions and trade secrets are protected by patents and applications for patents. Without limitation, the unauthorized use, modification, copying, or disclosure of this document may violate laws that protect CSA s and/or others intellectual property and may give rise to a right in CSA and/or others to seek legal redress for such use, modification, copying, or disclosure. To the extent permitted by licence or by law, CSA reserves all intellectual property rights in this document. Patent rights Attention is drawn to the possibility that some of the elements of this standard may be the subject of patent rights. CSA shall not be held responsible for identifying any or all such patent rights. Users of this standard are expressly advised that determination of the validity of any such patent rights is entirely their own responsibility. Authorized use of this document This document is being provided by CSA for informational and non-commercial use only. The user of this document is authorized to do only the following: If this document is in electronic form: load this document onto a computer for the sole purpose of reviewing it; search and browse this document; and. print this document if it is in PDF format. Limited copies of this document in print or paper form may be distributed only to persons who are authorized by CSA to have such copies, and only if this Legal Notice appears on each such copy. In addition, users may not and may not permit others to alter this document in any way or remove this Legal Notice from the attached standard; sell this document without authorization from CSA; or. make an electronic copy of this document. If you do not agree with any of the terms and conditions contained in this Legal Notice, you may not load or use this document or make any copies of the contents hereof, and if you do make such copies, you are required to destroy them immediately. Use of this document constitutes your acceptance of the terms and conditions of this Legal Notice.

3 CSA Standards Update Service CAN/CSA-ISO January 2010 Title: Risk management Principles and guidelines Pagination: 35 pages (CSA/1 CSA/4, i vii, and 24 text) To register for notification about any updates to this publication go to click on Services under MY ACCOUNT click on CSA Standards Update Service The List ID that you will need to register for updates to this publication is If you require assistance, please techsupport@csa.ca or call Visit CSA s policy on privacy at to find out how we protect your personal information.

4 The Canadian Standards Association (CSA), under whose auspices this National Standard has been produced, was chartered in 1919 and accredited by the Standards Council of Canada to the National Standards system in It is a not-for-profit, nonstatutory, voluntary membership association engaged in standards development and certification activities. CSA standards reflect a national consensus of producers and users including manufacturers, consumers, retailers, unions and professional organizations, and governmental agencies. The standards are used widely by industry and commerce and often adopted by municipal, provincial, and federal governments in their regulations, particularly in the fields of health, safety, building and construction, and the environment. Individuals, companies, and associations across Canada indicate their support for CSA s standards development by volunteering their time and skills to CSA Committee work and supporting the Association s objectives through sustaining memberships. The more than 7000 committee volunteers and the 2000 sustaining memberships together form CSA s total membership from which its Directors are chosen. Sustaining memberships represent a major source of income for CSA s standards development activities. The Association offers certification and testing services in support of and as an extension to its standards development activities. To ensure the integrity of its certification process, the Association regularly and continually audits and inspects products that bear the CSA Mark. In addition to its head office and laboratory complex in Toronto, CSA has regional branch offices in major centres across Canada and inspection and testing agencies in eight countries. Since 1919, the Association has developed the necessary expertise to meet its corporate mission: CSA is an independent service organization whose mission is to provide an open and effective forum for activities facilitating the exchange of goods and services through the use of standards, certification and related services to meet national and international needs. For further information on CSA services, write to Canadian Standards Association 5060 Spectrum Way, Suite 100 Mississauga, Ontario, L4W 5N6 Canada The Standards Council of Canada (SCC) is the coordinating body of the National Standards System, a coalition of independent, autonomous organizations working towards the further development and improvement of voluntary standardization in the national interest. The principal objects of the SCC are to foster and promote voluntary standardization as a means of advancing the national economy, benefiting the health, safety, and welfare of the public, assisting and protecting the consumer, facilitating domestic and international trade, and furthering international cooperation in the field of standards. A National Standard of Canada (NSC) is a standard prepared or reviewed by an accredited Standards Development Organization (SDO) and approved by the SCC according to the requirements of CAN-P-2. Approval does not refer to the technical content of the standard; this remains the continuing responsibility of the SDO. An NSC reflects a consensus of a number of capable individuals whose collective interests provide, to the greatest practicable extent, a balance of representation of general interests, producers, regulators, users (including consumers), and others with relevant interests, as may be appropriate to the subject in hand. It normally is a standard which is capable of making a significant and timely contribution to the national interest. Those who have a need to apply standards are encouraged to use NSCs. These standards are subject to periodic review. Users of NSCs are cautioned to obtain the latest edition from the SDO which publishes the standard. The responsibility for approving standards as National Standards of Canada rests with the Standards Council of Canada 270 Albert Street, Suite 200 Ottawa, Ontario, K1P 6N7 Canada Cette Norme nationale du Canada est offerte en anglais et en français. Although the intended primary application of this Standard is stated in its Scope, it is important to note that it remains the responsibility of the users to judge its suitability for their particular purpose. Registered trade-mark of Canadian Standards Association

5 National Standard of Canada CAN/CSA-ISO Risk management Principles and guidelines Prepared by International Organization for Standardization Reviewed by Approved by Standards Council of Canada Published in January 2010 by Canadian Standards Association A not-for-profit private sector organization 5060 Spectrum Way, Suite 100, Mississauga, Ontario, Canada L4W 5N Visit our Online Store at

6 CAN/CSA-ISO Risk management Principles and guidelines CAN/CSA-ISO Risk management Principles and guidelines CSA Preface This is the first edition of CAN/CSA-ISO 31000, Risk management Principles and guidelines, which is an adoption without modification of the identically titled ISO (International Organization for Standardization) Standard ISO (first edition, ). This Standard was reviewed for Canadian adoption by the CSA Technical Committee on Risk Management, under the jurisdiction of the Strategic Steering Committee on Business Management and Sustainability, and has been formally approved by the Technical Committee. The Standard has been approved as a National Standard of Canada by the Standards Council of Canada. January 2010 Canadian Standards Association 2010 All rights reserved. No part of this publication may be reproduced in any form whatsoever without the prior permission of the publisher. ISO material is reprinted with permission. Where the words this International Standard appear in the text, they should be interpreted as this National Standard of Canada. Inquiries regarding this National Standard of Canada should be addressed to Canadian Standards Association 5060 Spectrum Way, Suite 100, Mississauga, Ontario, Canada L4W 5N To purchase CSA Standards and related publications, visit CSA s Online Store at or call toll-free or CSA Standards are subject to periodic review, and suggestions for their improvement will be referred to the appropriate committee. To submit a proposal for change to CSA Standards, please send the following information to inquiries@csa.ca and include Proposal for change in the subject line: (a) Standard designation (number); (b) relevant clause, table, and/or figure number; (c) wording of the proposed change; and (d) rationale for the change. CSA/4 Canadian Standards Association January 2010

7 INTERNATIONAL STANDARD ISO First edition Risk management Principles and guidelines Management du risque Principes et lignes directrices International Organization for Standardization (ISO), All rights reserved. NOT FOR RESALE. Reference number ISO 31000:2009(E) ISO 2009

8 ISO 31000:2009(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. COPYRIGHT PROTECTED DOCUMENT ISO 2009 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel Fax copyright@iso.org Web ii CAN/CSA-ISO ISO 2009 All rights reserved

9 ISO 31000:2009(E) Contents Page Foreword...iv Introduction...v 1 Scope Terms and definitions Principles Framework General Mandate and commitment Design of framework for managing risk Understanding of the organization and its context Establishing risk management policy Accountability Integration into organizational processes Resources Establishing internal communication and reporting mechanisms Establishing external communication and reporting mechanisms Implementing risk management Implementing the framework for managing risk Implementing the risk management process Monitoring and review of the framework Continual improvement of the framework Process General Communication and consultation Establishing the context General Establishing the external context Establishing the internal context Establishing the context of the risk management process Defining risk criteria Risk assessment General Risk identification Risk analysis Risk evaluation Risk treatment General Selection of risk treatment options Preparing and implementing risk treatment plans Monitoring and review Recording the risk management process...21 Annex A (informative) Attributes of enhanced risk management...22 Bibliography...24 ISO 2009 All rights reserved CAN/CSA-ISO iii

10 ISO 31000:2009(E) Foreword ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. ISO was prepared by the ISO Technical Management Board Working Group on risk management. iv CAN/CSA-ISO ISO 2009 All rights reserved

11 ISO 31000:2009(E) Introduction Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an organization's objectives is risk. All activities of an organization involve risk. Organizations manage risk by identifying it, analysing it and then evaluating whether the risk should be modified by risk treatment in order to satisfy their risk criteria. Throughout this process, they communicate and consult with stakeholders and monitor and review the risk and the controls that are modifying the risk in order to ensure that no further risk treatment is required. This International Standard describes this systematic and logical process in detail. While all organizations manage risk to some degree, this International Standard establishes a number of principles that need to be satisfied to make risk management effective. This International Standard recommends that organizations develop, implement and continuously improve a framework whose purpose is to integrate the process for managing risk into the organization's overall governance, strategy and planning, management, reporting processes, policies, values and culture. Risk management can be applied to an entire organization, at its many areas and levels, at any time, as well as to specific functions, projects and activities. Although the practice of risk management has been developed over time and within many sectors in order to meet diverse needs, the adoption of consistent processes within a comprehensive framework can help to ensure that risk is managed effectively, efficiently and coherently across an organization. The generic approach described in this International Standard provides the principles and guidelines for managing any form of risk in a systematic, transparent and credible manner and within any scope and context. Each specific sector or application of risk management brings with it individual needs, audiences, perceptions and criteria. Therefore, a key feature of this International Standard is the inclusion of establishing the context as an activity at the start of this generic risk management process. Establishing the context will capture the objectives of the organization, the environment in which it pursues those objectives, its stakeholders and the diversity of risk criteria all of which will help reveal and assess the nature and complexity of its risks. The relationship between the principles for managing risk, the framework in which it occurs and the risk management process described in this International Standard are shown in Figure 1. When implemented and maintained in accordance with this International Standard, the management of risk enables an organization to, for example: increase the likelihood of achieving objectives; encourage proactive management; be aware of the need to identify and treat risk throughout the organization; improve the identification of opportunities and threats; comply with relevant legal and regulatory requirements and international norms; improve mandatory and voluntary reporting; improve governance; improve stakeholder confidence and trust; ISO 2009 All rights reserved CAN/CSA-ISO v

12 ISO 31000:2009(E) establish a reliable basis for decision making and planning; improve controls; effectively allocate and use resources for risk treatment; improve operational effectiveness and efficiency; enhance health and safety performance, as well as environmental protection; improve loss prevention and incident management; minimize losses; improve organizational learning; and improve organizational resilience. This International Standard is intended to meet the needs of a wide range of stakeholders, including: a) those responsible for developing risk management policy within their organization; b) those accountable for ensuring that risk is effectively managed within the organization as a whole or within a specific area, project or activity; c) those who need to evaluate an organization's effectiveness in managing risk; and d) developers of standards, guides, procedures and codes of practice that, in whole or in part, set out how risk is to be managed within the specific context of these documents. The current management practices and processes of many organizations include components of risk management, and many organizations have already adopted a formal risk management process for particular types of risk or circumstances. In such cases, an organization can decide to carry out a critical review of its existing practices and processes in the light of this International Standard. In this International Standard, the expressions risk management and managing risk are both used. In general terms, risk management refers to the architecture (principles, framework and process) for managing risks effectively, while managing risk refers to applying that architecture to particular risks. vi CAN/CSA-ISO ISO 2009 All rights reserved

13 ISO 31000:2009(E) a) Creates value b) Integral part of organizational processes c) Part of decision making Mandate and commitment (4.2) Establishing the context (5.3) d) Explicitly addresses uncertainty e) Systematic, structured and timely f) Based on the best available information g) Tailored h) Takes human and cultural factors into account i) Transparent and inclusive j) Dynamic, iterative and responsive to change k) Facilitates continual improvement and enhancement of the organization Continual improvement of the framework (4.6) Design of framework for managing risk (4.3) Monitoring and review of the framework (4.5) Implementing risk management (4.4) Risk assessment (5.4) Risk identification (5.4.2) Risk analysis (5.4.3) Communication and consultation (5.2) Monitoring and review (5.6) Risk evaluation (5.4.4) Risk treatment (5.5) Principles Framework (Clause 3) (Clause 4) Process (Clause 5) Figure 1 Relationships between the risk management principles, framework and process ISO 2009 All rights reserved CAN/CSA-ISO vii

14

15 INTERNATIONAL STANDARD ISO 31000:2009(E) Risk management Principles and guidelines 1 Scope This International Standard provides principles and generic guidelines on risk management. This International Standard can be used by any public, private or community enterprise, association, group or individual. Therefore, this International Standard is not specific to any industry or sector. NOTE For convenience, all the different users of this International Standard are referred to by the general term organization. This International Standard can be applied throughout the life of an organization, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets. This International Standard can be applied to any type of risk, whatever its nature, whether having positive or negative consequences. Although this International Standard provides generic guidelines, it is not intended to promote uniformity of risk management across organizations. The design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organization, its particular objectives, context, structure, operations, processes, functions, projects, products, services, or assets and specific practices employed. It is intended that this International Standard be utilized to harmonize risk management processes in existing and future standards. It provides a common approach in support of standards dealing with specific risks and/or sectors, and does not replace those standards. This International Standard is not intended for the purpose of certification. 2 Terms and definitions For the purposes of this document, the following terms and definitions apply. 2.1 risk effect of uncertainty on objectives NOTE 1 An effect is a deviation from the expected positive and/or negative. NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process). NOTE 3 Risk is often characterized by reference to potential events (2.17) and consequences (2.18), or a combination of these. NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (2.19) of occurrence. ISO 2009 All rights reserved CAN/CSA-ISO