ISO31000風險管理標準中文版-翻譯(DOC55頁)

1、ISO31000 風險管理標準中文版-翻譯（DOC 55頁 ）ISO/FDIS31000Risk management Principles and guidelinesForeword 前言ISO （the International Organization for Standardization） is a worldwide f ederation of national standards bodies（ISO member bodies）. The work of pre paring International Standards is normally carried out

2、through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that com mittee. International organizations, governmental andnot-governmental, in liais on with ISO, also take part in the work. ISO col

3、laborates closely with theIn ternational Electrotechnical Commission （IEC） on all matters of electrotechnic al standardization.國際標準化組織（ISO）是各國標準化團體（ISO成員團體）組成的世界 性的聯(lián)合匯。制定國際標準工作通常由ISO的技術(shù)委員會完成。個成員團體 若對某技術(shù)委員會確定的項目感愛好，均由權(quán)參加該委員會的工作。與ISO保持聯(lián)系的各國際組織（官方的或非官方的）也可參加有關(guān)工作。ISO與國際電工委員會（IEC）在電工技術(shù)標準化方面保持緊密合作的關(guān)系。Inte

4、rnational Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.國際標準是按照ISO/IEC 導(dǎo)則第 2部分的規(guī)則起草的。The main task of technical committees is to prepare International Standa rds. Draft International Standards adopted by the technical committees are cir culated to the mem

5、ber bodies for voting. Publication as an International Stan dard requires approval by at least 75 % of the member bodies casting a vot e.由技術(shù)委員會通過的國際標準草案提交各成員團體投票表決，需取得了至少 3/4參加表決的成員團體的同意，國際標準草案才能作為國際標準證實公布。Attention is drawn to the possibility that some of the elements of this document may be the su

6、bject of patent rights. ISO shall not be held respons ible for identifying any or all such patent rights.本標準中的某些內(nèi)容有可能涉及一些專利權(quán)咨詢題，這一點應(yīng)引起注意，ISO 不負責識不任何如此的專利權(quán)咨詢題。ISO 31000 was prepared by the ISO Technical Management Board Wor king Group on risk management.ISO 31000由ISO技術(shù)治理委員會風險治理工作組編寫。Introduction 簡介Or

7、ganizations of all types and sizes face internal and external factors an d influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an organization's objectives is “ risk” .所有類型和規(guī)模的組織都面臨內(nèi)部和外部因素的阻礙，使得它不能確定是否及何時實現(xiàn)其目標。這種對一個組織的目標阻礙的不確定

8、性既是“風險”。All activities of an organization involve risk. Organizations manage risk by identifying it, analysing it and then evaluating whether the risk should b e modified by risk treatment in order to satisfy their risk criteria.一個組織的所有活動都涉及風險。組織通過識不、分析、 評判風險以及處理風險，以滿足他們的風險標準。Throughout this process

9、, they communicate and consult with stakeholder s and monitor and review the risk and the controls that are modifying the ri sk in order to ensure that no further risk treatment is required. This Internati onal Standard describes this systematic and logical process in detail.在那個過程中，他們與利益有關(guān)者溝通協(xié)商，監(jiān)測和審

10、查風險操縱，并持續(xù)的修正風險，以確保風險處理不再是必需的。本標準詳細描述了這一系統(tǒng)的和符合邏輯的過程。While all organizations manage risk to some degree, this International S tandard establishes a number of principles that need to be satisfied to make risk management effective. This International Standard recommends that orga nizations develop, impl

11、ement and continuously improve a framework whose purpose is to integrate the process for managing risk into the organization's overall governance, strategy and planning,management, reporting processes,p olicies, values and culture.盡管所有的組織在某種程度上都在治理風險，本標準規(guī)定了一些原則，以使風險治理變得有效。本標準建議，組織制定，實施和持續(xù)完善的框架，其

12、目的是將風險治理納入到組織的治理，戰(zhàn)略和規(guī)劃，治理，報告程序，政策，價 值觀和文化等綜合治理的整個過程。Risk management can be applied to an entire organization, at its many areas and levels, at any time, as well as to specific functions, projects and a ctivities.風險治理能夠應(yīng)用到整個組織，它的許多領(lǐng)域和層次，在任何時刻，以及具體職能，項目和活動。Although the practice of risk management has

13、been developed over time and within many sectors in order to meet diverse needs, the adoption of co nsistent processeswithin a comprehensive framework can help to ensure that risk is managed effectively, efficiently and coherently across an organizatio n. The generic approach described in this Inter

14、national Standard provides the principles and guidelines for managing any form of risk in a systematic, tra nsparent and credible manner and within any scope and context.盡管在過去這段時刻內(nèi)的許多部門，以滿足不同的需要的風險治理的做法是成熟的，然而通過采納一致性流程的綜合框架有助于確保風險治理的有效性， 同時有效和連貫整個組織。在本標準規(guī)定的一樣性的原則和方針，目的在于在任何的環(huán)境和背景下，系統(tǒng)的、清晰的、可靠的方式治理風險。

15、Each specific sector or application of risk management brings with it in dividual needs, audiences, perceptions and criteria. Therefore, a key feature o f this International Standard is the inclusion of “ establishing the context” a s an activity at the start of this generic risk management process.

16、 Establishin g the context will capture the objectives of the organization, the environment in which it pursues those objectives, its stakeholders and the diversity of ri sk criteria - all of which will help reveal and assessthe nature and compl exity of its risks.每一個具體部門或風險治理的應(yīng)用都產(chǎn)生了獨自的需要，受眾， 觀念和標準。

17、因此，這一國際標準的要緊特點是將風險治理“環(huán)境建設(shè)”列入其治理過程的開始活動。環(huán)境建設(shè)方面將捕捉該組織的目標，它所追求目標的環(huán)境，它的利益有關(guān)者和風險標準的多樣性，所有這些都將關(guān)心揭示和評估風險的性質(zhì)和復(fù)雜性。The relationship between the principles for managing risk, the framewor k in which it occurs and the risk management process described in this Inte rnational Standard are shown in Figure 1.本標準描述了

18、風險治理的原則、框架、 風險治理的流程之間的關(guān)系，如圖1 所示。When implemented and maintained in accordance with this International Standard, the management of risk enables an organization to, for example:當按照這一國際標準實施和愛護時，風險的治理者需使一個組織加大，例如：? increase the likelihood of achieving objectives; 增加實現(xiàn)目標的可能性? encourage proactive manageme

19、nt; 鼓舞主動性治理;? be aware of the need to identify and treat risk throughout the organi zation; 在組織中，意識到識不和對待風險的需要;? improve the identification of opportunities and threats; 提升的機會和威逼識不能力? comply with relevant legal and regulatory requirements and internatio nal norms; 符合有關(guān)法律及監(jiān)管要求和國際規(guī)范? improve financial

20、 reporting; 改進財務(wù)報告? improve governance; 改善治理? improve stakeholder confidence and trust; 提升利益有關(guān)者的信心和信任? establish a reliable basis for decision making and planning; 建立決策和規(guī)劃提供可靠的根基? improve controls;力口大操縱? effectively allocate and use resources for risk treatment; 有效地分配和使用資源處理風險? improve operational e

21、ffectiveness and efficiency; 提升運營的成效和效率? enhance health and safety performance, as well as environmental pro tection; 加大健康和安全業(yè)績，以及環(huán)境的愛護;? improve loss prevention and incident management; 改善防損和事件治理? minimize losses; 減少缺失? improve organizational learning; and 提升組織的學(xué)習(xí)能力? improve organizational resilien

22、ce. 提升組織的應(yīng)變能力This International Standard is intended to meet the needs of a wide range of stakeholders, including: 本標準是為了滿足寬敞利益有關(guān)者需要，包括：a) those responsible for developing risk management policy within their organization;a)開發(fā)者對其機構(gòu)內(nèi)的風險治理政策負責；b) those accountable for ensuring that risk is effectively

23、managed within the organization as a whole or within a specific area, project or activity;b)有人對組織作為一個整體、或者某一特定范疇、項目或者活動的風險 治理的有效性負責;c) those who need to evaluate an organization effectiveness in managing risk; andc)有人需要對風險治理評估的有效性負責；和d) developers of standards, guides, procedures and codes of practi

24、ce tha t, in whole or in part, set out how risk is to be managed within the specifi c context of these documents.d)標準，指南，程序和守則的開發(fā)者，應(yīng)該對在特定的環(huán)境下風險治理 整體的或部分的文件得以實施負責；The current management practices and processes of many organizations i nclude components of risk management, and many organizations have a

25、lready adopted a formal risk management process for particular types of risk or ci rcumstances. In such cases, an organization can decide to carry out a critical review of its existing practices and processesin the light of this Internation al Standard.目前許多組織的治理實踐和流程包括風險治理的組成部分，同時許多組織對專門類型的風險或環(huán)境下差不多

26、采納了正式的風險治理流程。在這種情形 下，組織能夠在本標準下開展對其現(xiàn)有的做法和程序嚴格審查。In this International Standard, the expressions “ risk managemen” t and “ managing risk” are both used. In general terms, “ risk managemen”t ref ers to the architecture (principles, framework and process) for managing risks effectively, while “ managing

27、 risk” refers to applying that architecture to p articular risks.在本國際標準中，“風險治理”和“治理風險”同時使用。一樣來講，“風 險治理”是指治理風險的有效性架構(gòu)（原則，框架和流程），而“治理風險” 是指運用該架構(gòu)治理特定風險。a) Creates' valueb) Integral part &t Organkzatioma) processesMandatamudcommitment *4-21Part of <d«ciiii0n makingd) Explicitly addresses

28、uncertainty&l SystomaUe. filruclured and timelyf Bas«di on th« best available informal iong Tal* lore dhj Tak+事 liu«Ti>hi 力力4 cunurvl hKtm i nto accounli) Tran4par-Hnt Hind iinczlur整Imj) lDynnim4Cu itoratliva and rqisponsivQi t。*h 口k，PaGilitates continuall imprnvemeil and eriha

29、ncoriierit of the arganizDtionPrinciples for mnngingrisk(Clauso 3)Framework for managingrisk(Clau» 4)Ri»k awe。喋零wet(S4JEstnbliBhirkg 1th« context (53)CM6) 84 號HC8ME £9= uenEUJOuRlik Identiflcalion (5.4.2) 4Ri主k 總r18aliys話(5_4-3)卜Riisk tranimont (5 5)*-Risk evaluation(544)Precess

30、fewr managing risk(Glause 5)Figure 1 Relationships between the risk management principles, framework and processRisk management Principles and guidelines風險治理-原則和指導(dǎo)方針1 Scope范疇This International Standard provides principles and generic guidelines on risk management.本標準提供了風險治理的原則和一樣準則。This Internationa

31、l Standard can be used by any public, private or comm unity enterprise, association, group or individual. Therefore, this InternationalStandard is not specific to any industry or sector.本標準可用于任何公共，私人或社區(qū)組織，協(xié)會，團體或個體。因此，那 個國際標準是不針對專門行業(yè)或部門。NOTE For convenience, all the different users of this Internatio

32、nal Stan dard are referred to by the general term “ organization” .為方便起見，本國際標準提到的所有不同的用戶通用術(shù)語為“組織”。This International Standard can be applied throughout the life of an org anization, and to a wide range of activities, including strategies and decision s, operations, processes,functions, projects, pro

33、ducts, services and assets.本標準可用于整個組織生活及各種活動，包括戰(zhàn)略和決策，運營，流程， 職能，范疇廣泛的項目，產(chǎn)品，服務(wù)和資產(chǎn)。This International Standard can be applied to any type of risk, whatever its nature, whether having positive or negative consequences.本標準能夠適用于任何類型的風險，不管其性質(zhì)是否有主動或消極的后 果。Although this International Standard provides generi

34、c guidelines, it is no t intended to promote uniformity of risk management across organizations. T he design and implementation of risk management plans and frameworks wil l need to take into account the varying needs of a specific organization, its particular objectives,context, structure, operatio

35、ns, processes,functions, project s, products, services, or assets and specific practices employed.盡管本國際標準提供了風險治理的一樣準則，但不是為了促進各組織風險治理的統(tǒng)一性。設(shè)計和風險治理打算和框架的實施需要考慮到特定組織的不同需要，具體做法受其特定的目標，環(huán)境，結(jié)構(gòu)，業(yè)務(wù)，流程，功能，項目，產(chǎn)品，服務(wù)或資產(chǎn)等阻礙。It is intended that this International Standard be utilized to harmonize ri sk management p

36、rocessesin existing and future standards. It provides a com mon approach in support of standards dealing with specific risks and/or sect ors, and does not replace those standards.本國際標準目的是用來和諧風險治理與現(xiàn)有的和以后的標準之間的流程。它提供了一個支持處理特定風險和/或部分風險的通用方法，而不是取代這些標準。This International Standard is not intended for the

37、purpose of certificatio n.本標準不適合認證目的。2 Terms and definitions 術(shù)語和定義For the purposes of this document, the following terms and definitions apply.下列術(shù)語和定義適用本文件。2.1 risk 風險effect of uncertainty on objectives不確定性對目標的阻礙NOTE 1 An effect is a deviation from the expected positive and/or negative.注 1：阻礙是與預(yù)期的偏差

38、主動和/或消極NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).注 2：目標能夠有不同方面(如財務(wù)，健康和安全，以及環(huán)境目標)，能夠體現(xiàn)在不同的層次(如戰(zhàn)略，組織范疇，項目，產(chǎn)品和流程)。NOTE 3 Risk is ofte

39、n characterized by reference to potential events (2. 19) and consequences(2.20), or a combination of these.注 3： 風險通常被描述為潛在事件( 2.19) 和后果 ( 2.20) ， 或它們的組合。NOTE 4 Risk is often expressed in terms of a combination of the cons equences of an event (including changes in circumstances) and the associated l

40、ikelihood (2.21) of occurrence.注 4：風險往往表達了對事件后果(包括環(huán)境的變化)和有關(guān)的可能性概率(2.21) 。NOTE 5 Uncertainty is the state, even partial, of deficiency of informat ion related to, understanding or knowledge of an event, its consequence,or l ikelihood.ISO Guide 73:2009, definition 1.12.2 risk management風險治理coordinated

41、 activities to direct and control an organization with regard t o risk (2.1)一個組織對風險的指揮和操縱的一系列和諧活動ISO Guide 73:2009, definition 2.12.3 risk management framework 風險治理框架set of components that provide the foundations and organizational arrang ements for designing, implementing,monitoring (2.30), reviewi

42、ng and continua lly improving risk management (2.2) throughout the organization組織對風險治理的設(shè)計、實施、 監(jiān)控、 檢查和連續(xù)改進等進行的一系列基礎(chǔ)的組織安排NOTE 1 The foundations include the policy, objectives, mandate and co mmitment to manage risk (2.1).基礎(chǔ)包括治理風險的政策、目標、任務(wù)和承諾NOTE 2 The organizational arrangementsinclude plans, relation

43、ships, ac countabilities, resources, processesand activities.組織安排包括打算、關(guān)系、職 責、資源、流程和活動NOTE 3 The risk management framework is embedded within the organ ization's overall strategic and operational policies and practices 風險治理框架 被植入到組織的整個戰(zhàn)略和運營的戰(zhàn)略和實踐中ISO Guide 73:2009, definition 2.1.12.4 risk manage

44、ment policy 風險治理政策statement of the overall intentions and direction of an organization relate d to risk management (2.2) 一個組織對風險治理的意圖和指導(dǎo)方向的陳述ISO Guide 73:2009, definition 2.1.22.5 risk attitude 風險態(tài)度organization's approach to assessand eventually pursue, retain, take or t urn away from risk (2.1)

45、組織評估、追求、保留、采取或躲開風險的處理手段ISO Guide 73:2009, definition 3.7.1.12.6 risk appetite風險偏好amount and type of risk (2.1) that an organization is prepared to pursu e, retain or take一個組織追求、保留或采取風險的數(shù)量和類型ISO Guide 73:2009, definition 3.7.1.22.7 risk aversion 風險規(guī)避attitude to turn away from risk (2.1)躲開風險的態(tài)度ISO Gui

46、de 73:2009, definition 3.7.1.42.8 risk management plan 風險治理打算scheme within the risk management framework (2.3) specifying the appr oach, the management components and resources to be applied to the manag ement of risk (2.1)為風險治理框架方案指定方法、治理措施、資源以用于治理風險NOTE 1 Management components typically include pr

47、ocedures, practice s, assignment of responsibilities, sequence and timing of activities.治理措施 一樣包括程序、做法、職責分配、序列和及時的行動NOTE 2 The risk management plan can be applied to a particular prod uct, process and project, and part or whole of the organization.風險治理打算 適用于特定的產(chǎn)品、流程和項目、部分或整個組織ISO Guide 73:2009, defi

48、nition 2.1.32.9 risk owner 風險所有者person or entity with the accountability and authority to manage the ris k (2.1)對風險治理持有權(quán)力和責任的個人或?qū)嶓wISO Guide 73:2009, definition 3.5.1.42.10 risk management process風險治理流程systematic application of management policies, procedures and practices to the activities of commun

49、icating,consulting, establishing the context, and id entifying, analyzing, evaluating, treating, monitoring (2.30) and reviewing risk (2.1)系統(tǒng)的應(yīng)用治理政策，程序和溝通協(xié)商，在建立的風險治理環(huán)境下，識不，分析，評判，處理，監(jiān)測和審查風險ISO Guide 73:2009, definition 3.12.11 establishing the context 環(huán)境建設(shè)defining the external and internal parameters

50、 to be taken into account w hen managing risk, and setting the scope and risk criteria (2.24) for the risk management policy (2.4)界定風險治理應(yīng)該考慮的外部和內(nèi)部參數(shù)，并設(shè)置風險治理政策的范疇和風險的標準ISO Guide 73:2009, definition 3.3.12.12 external context 外部環(huán)境external environment in which the organization seeks to achieve its obje

51、 ctivesNOTE External context can include:外部環(huán)境包括? the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment,whether international, nationa l, regional or local;文化、社會、政治、法律、監(jiān)管、財政金融、技術(shù)、經(jīng)濟、 自然和競爭環(huán)境，不管是國際，國家，區(qū)域或地點? key drivers and trends h

52、aving impact on the objectives of the organi zation; and阻礙該組織的要緊驅(qū)動和趨勢? relationships with, and perceptions and values of, external stakeholde rs (2.15).與外部利益有關(guān)者之間的關(guān)系和價值觀ISO Guide 73:2009, definition 3.3.1.12.131 nternal context 內(nèi)部環(huán)境internal environment in which the organization seeks to achieve its

53、obje ctivesNOTE Internal context can include:內(nèi)部環(huán)境包括? governance, organizational structure, roles and accountabilities;治理、組織結(jié)構(gòu)、角色和責任? policies, objectives, and the strategies that are in place to achieve th em;政策、目標、實現(xiàn)目標的戰(zhàn)略? the capabilities, understood in terms of resources and knowledge (e.g. capit

54、al, time, people, processes,systems and technologies);能力、資源和知識(如資本、時刻、人、流程、系統(tǒng)和技術(shù))? perceptions and values of internal stakeholders內(nèi)部禾1J益有關(guān)者的價 值觀? information systems, information flows and decision-making processes (both formal and informal); 信息系統(tǒng)、信息流和(正式的和非正式的)決策流程? relationships with, and percepti

55、ons and values of, internal stakeholder s;內(nèi)部利益有關(guān)者價值觀之間的關(guān)系? the organization's culture;組織文化? standards, guidelines and models adopted by the organization; and 標 準、指引和組織采納的模式? form and extent of contractual relationships.合同關(guān)系的形成和范疇ISO Guide 73:2009, definition 3.3.1.22.132 ommunication and consult

56、ation 溝通和協(xié)商continual and iterative processes that an organization conducts to provid e, share or obtain information and to engage in dialogue with stakeholders (2.15) and others regarding the management of risk (2.1)一個組織提供，共享或獵取信息，與利益有關(guān)者和其他風險治理者連續(xù)和反復(fù)對話的流程NOTE 1 The information can relate to the exis

57、tence, nature, form, likeli hood (2.21), severity, evaluation, acceptability,treatment or other aspects of th e management of risk.信息涉及存在、性質(zhì)、形式、可能性、嚴峻程度、評判、 可同意性、處理或者其他與治理風險有關(guān)的方面NOTE 2 Consultation is a two-way process of informed communication between an organization and its stakeholders or others

58、on an issue prior to making a decision or determining a direction on a particular issue. Consultati on is:協(xié)商是一個組織與它的利益有關(guān)者或其他利益有關(guān)者雙向溝通的過程，目的在于就以咨詢題提早做出決策或就某一咨詢題決定方向。協(xié)商是：? a process which impacts on a decision through influence rather than power; and通過阻礙而非權(quán)力阻礙決策的過程? an input to decision making, not joint deci