ISO/FDIS 31000 (2009) Risk management, final release, Chinese translation draft (.doc)

Uploaded by: 丁** Document ID: 1545900 Upload time: 2019-10-25 Format: DOC Pages: 40 Size: 646.50KB
ISO/FDIS 31000:2009(E)  © ISO 2009  All rights reserved

This version was compiled by YH.Liu and is not a professional translation. To avoid misunderstandings, please refer to the original text for any Chinese passages that are in dispute.

INTERNATIONAL STANDARD ISO/FDIS 31000
Risk management  Principles and guidelines

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.

ISO 31000 was prepared by the ISO Technical Management Board Working Group on risk management.

Introduction

Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an organization's objectives is "risk".

All activities of an organization involve risk. Organizations manage risk by identifying it, analysing it and then evaluating whether the risk should be modified by risk treatment in order to satisfy their risk criteria. Throughout this process, they communicate and consult with stakeholders and monitor and review the risk and the controls that are modifying the risk in order to ensure that no further risk treatment is required. This International Standard describes this systematic and logical process in detail.

While all organizations manage risk to some degree, this International Standard establishes a number of principles that need to be satisfied to make risk management effective. This International Standard recommends that organizations develop, implement and continuously improve a framework whose purpose is to integrate the process for managing risk into the organization's overall governance, strategy and planning, management, reporting processes, policies, values and culture.

Risk management can be applied to an entire organization, at its many areas and levels, at any time, as well as to specific functions, projects and activities.

Although the practice of risk management has been developed over time and within many sectors in order to meet diverse needs, the adoption of consistent processes within a comprehensive framework can help to ensure that risk is managed effectively, efficiently and coherently across an organization. The generic approach described in this International Standard provides the principles and guidelines for managing any form of risk in a systematic, transparent and credible manner and within any scope and context.

Each specific sector or application of risk management brings with it individual needs, audiences, perceptions and criteria. Therefore, a key feature of this International Standard is the inclusion of "establishing the context" as an activity at the start of this generic risk management process. Establishing the context will capture the objectives of the organization, the environment in which it pursues those objectives, its stakeholders and the diversity of risk criteria, all of which will help reveal and assess the nature and complexity of its risks.

The relationship between the principles for managing risk, the framework in which it occurs and the risk management process described in this International Standard is shown in Figure 1.

When implemented and maintained in accordance with this International Standard, the management of risk enables an organization to, for example:

- increase the likelihood of achieving objectives;
- encourage proactive management;
- be aware of the need to identify and treat risk throughout the organization;
- improve the identification of opportunities and threats;
- comply with relevant legal and regulatory requirements and international norms;
- improve financial reporting;
- improve governance;
- improve stakeholder confidence and trust;
- establish a reliable basis for decision making and planning;
- improve controls;
- effectively allocate and use resources for risk treatment;
- improve operational effectiveness and efficiency;
- enhance health and safety performance, as well as environmental protection;
- improve loss prevention and incident management;
- minimize losses;
- improve organizational learning; and
- improve organizational resilience.

This International Standard is intended to meet the needs of a wide range of stakeholders, including:

a) those responsible for developing risk management policy within their organization;
b) those accountable for ensuring that risk is effectively managed within the organization as a whole or within a specific area, project or activity;
c) those who need to evaluate an organization's effectiveness in managing risk; and
d) developers of standards, guides, procedures and codes of practice that, in whole or in part, set out how risk is to be managed within the specific context of these documents.

The current management practices and processes of many organizations include components of risk management, and many organizations have already adopted a formal risk management process for particular types of risk or circumstances. In such cases, an organization can decide to carry out a critical review of its existing practices and processes in the light of this International Standard.

In this International Standard, the expressions "risk management" and "managing risk" are both used. In general terms, "risk management" refers to the architecture (principles, framework and process) for managing risks effectively, while "managing risk" refers to applying that architecture to particular risks.

[Figure 1: Relationships between the risk management principles, framework and process]

Risk management  Principles and guidelines

1 Scope

This International Standard provides principles and generic guidelines on risk management.

This International Standard can be used by any public, private or community enterprise, association, group or individual. Therefore, this International Standard is not specific to any industry or sector.

NOTE For convenience, all the different users of this International Standard are referred to by the general term "organization".

This International Standard can be applied throughout the life of an organization, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets.

This International Standard can be applied to any type of risk, whatever its nature, whether having positive or negative consequences.

Although this International Standard provides generic guidelines, it is not intended to promote uniformity of risk management across organizations. The design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organization, its particular objectives, context, structure, operations, processes, functions, projects, products, services, or assets and specific practices employed.

It is intended that this International Standard be utilized to harmonize risk management processes in existing and future standards. It provides a common approach in support of standards dealing with specific risks and/or sectors, and does not replace those standards.

This International Standard is not intended for the purpose of certification.

2 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

2.1
risk
effect of uncertainty on objectives

NOTE 1 An effect is a deviation from the expected (positive and/or negative).
NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
NOTE 3 Risk is often characterized by reference to potential events (2.19) and consequences (2.20), or a combination of these.
NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (2.21) of occurrence.
NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequence, or likelihood.
[ISO Guide 73:2009, definition 1.1]

2.2
risk management
coordinated activities to direct and control an organization with regard to risk (2.1)
[ISO Guide 73:2009, definition 2.1]

2.3
risk management framework
set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring (2.30), reviewing and continually improving risk management (2.2) throughout the organization

NOTE 1 The foundations include the policy, objectives, mandate and commitment to manage risk (2.1).
NOTE 2 The organizational arrangements include plans, relationships, accountabilities, resources, processes and activities.
NOTE 3 The risk management framework is embedded within the organization's overall strategic and operational policies and practices.
[ISO Guide 73:2009, definition 2.1.1]

2.4
risk management policy
statement of the overall intentions and direction of an organization related to risk management (2.2)
[ISO Guide 73:2009, definition 2.1.2]

2.5
risk attitude
organization's approach to assess and eventually pursue, retain, take or turn away from risk (2.1)
[ISO Guide 73:2009, definition 3.7.1.1]

2.6
risk appetite
amount and type of risk (2.1) that an organization is prepared to pursue, retain or take
[ISO Guide 73:2009, definition 3.7.1.2]

2.7
risk aversion
attitude to turn away from risk (2.1)
[ISO Guide 73:2009, definition 3.7.1.4]

2.8
risk management plan
scheme within the risk management framework (2.3) specifying the approach, the management components and resources to be applied to the management of risk (2.1)

NOTE 1 Management components typically include procedures, practices, assignment of responsibilities, sequence and timing of activities.
NOTE 2 The risk management plan can be applied to a particular product, process and project, and part or whole of the organization.
[ISO Guide 73:2009, definition 2.1.3]

2.9
risk owner
person or entity with the accountability and authority to manage the risk (2.1)
[ISO Guide 73:2009, definition 3.5.1.4]

2.10
risk management process
systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring (2.30) and reviewing risk (2.1)
[ISO Guide 73:2009, definition 3.1]

2.11
establishing the context
defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria (2.24) for the risk management policy (2.4)
[ISO Guide 73:2009, definition 3.3.1]

2.12
external context
external environment in which the organization seeks to achieve its objectives

NOTE External context can include:
- the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
- key drivers and trends having impact on the objectives of the organization; and
- relationships with, and perceptions and values of, external stakeholders (2.15).
[ISO Guide 73:2009, definition 3.3.1.1]

2.13
internal context
internal environment in which the organization seeks to achieve its objectives

NOTE Internal context can include:
- governance, organizational structure, roles and accountabilities;
- policies, objectives, and the strategies that are in place to achieve them;
- the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
- perceptions and values of internal stakeholders;
- information systems, information flows and decision-making processes (both formal and informal);
- relationships with, and perceptions and values of, internal stakeholders;
- the organization's culture;
- standards, guidelines and models adopted by the organization; and
- form and extent of contractual relationships.
[ISO Guide 73:2009, definition 3.3.1.2]

2.14
communication and consultation
continual and iterative processes that an organization conducts to provide, share or obtain information and to engage in dialogue with stakeholders (2.15) and others regarding the management of risk (2.1)

NOTE 1 The information can relate to the existence, nature, form, likelihood (2.21), severity, evaluation, acceptability, treatment or other aspects of the management of risk.
NOTE 2 Consultation is a two-way process of informed communication between an organization and its stakeholders or others on an issue prior to making a decision or determining a direction on a particular issue. Consultation is:
- a process which impacts on a decision through influence rather than power; and
- an input to decision making, not joint decision making.
[ISO Guide 73:2009, definition 3.2.1]

2.15
stakeholder
person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity

NOTE A decision maker can be a stakeholder.
[ISO Guide 73:2009, definition 3.2.1.1]

2.16
risk assessment
overall process of risk identification (2.17), risk analysis (2.23) and risk evaluation (2.26)
[ISO Guide 73:2009, definition 3.4.1]

2.17
risk identification
process of finding, recognizing and describing risks (2.1)

NOTE 1 Risk identification involves the identification of risk sources (2.18), events (2.19), their causes and their potential consequences (2.20).
NOTE 2 Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and stakeholders' (2.15) needs.
[ISO Guide 73:2009, definition 3.5.1]

2.18
risk source
element which alone or in combination has the intrinsic potential to give rise to risk (2.1)

NOTE A risk source can be tangible or intangible.
[ISO Guide 73:2009, definition 3.5.1.1]

2.19
event
occurrence or change of a particular set of circumstances

NOTE 1 An event can be one or more occurrences, and can have several causes.
NOTE 2 An event can consist of something not happening.
NOTE 3 An event can sometimes be referred to as an "incident" or "accident".
NOTE 4 An event without consequences can also be referred to as a "near miss", "incident", "near hit" or "close call".
[ISO Guide 73:2009, definition 3.5.1.2]

2.20
consequence
outcome of an event (2.19) affecting objectives

NOTE 1 An event can lead to a range of consequences.
NOTE 2 A consequence can be certain or uncertain and can have positive or negative effects on objectives.
NOTE 3 Consequences can be expressed qualitatively or quantitatively.
NOTE 4 Initial consequences can escalate through knock-on effects.
[ISO Guide 73:2009, definition 3.6.1.3]

2.21
likelihood
chance of something happening

NOTE 1 In risk management terminology, the word "likelihood" is used to refer to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period).
NOTE 2 The English term "likelihood" does not have a direct equivalent in some languages; instead, the equivalent of the term "probability" is often used. However, in English, "probability" is often narrowly interpreted as a mathematical term. Therefore, i