International risk management standards

Risk management as a management technology has been in a period of active development, both abroad and in Russia, over the past 10–15 years. Of particular importance is the development of a common understanding of the goals and objectives of the risk management system (RMS), the terminology used, the organizational structure and the risk management process itself, adapted to modern Russian conditions. World practice offers one universal approach to this problem: unification and standardization in the field of risk management.

According to the definition of the International Organization for Standardization (ISO), a standard is a normative document that is developed on the basis of consensus, adopted by a body recognized at the appropriate level, and that establishes, for universal and repeated use, rules, general principles and characteristics relating to various activities or their results, with the aim of achieving the optimal degree of order in a certain area. Standards should be based on the combined results of science, technology and practical experience and be aimed at achieving the optimal benefit for society.

In recent years, there has been a clear tendency in a number of countries, including Russia, to replicate risk management standards that were first developed 10–15 years ago and that related primarily to man-made hazards. These include GOST 27.310-95 “Analysis of types, consequences and criticality of failures”, GOST R 51901-2002 “Reliability management. Risk analysis of technological systems”, GOST R 51897-2002 “Risk management. Terms and definitions”, GOST ISO/TO 12100-1 and 2-2002 “Equipment safety. Basic concepts, general design principles”, GOST R 51901.2-2005 “Risk management. Reliability management systems”, GOST R 51901.13-2005 “Risk management. Fault tree analysis” and a number of others. Over the course of 5–6 years, 8 risk management standards have been developed, and this work is far from finished. A new standard, ISO 31000 “General guidance on the principles and implementation of risk management”, was prepared in 2009 and adopted in August 2010.

Consultants in the field of risk management operating in the Russian market pay particular attention to the document “Risk Management of Organizations. Integrated Model”, developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

The Russian Society for Risk Management, in addition to COSO recommendations, considers the Risk Management Standard of the Federation of European Risk Manager Associations (FERMA), which is a joint development of the Institute of Risk Management (IRM), the Association of Risk Management and Insurance (AIRMIC) and the National Forum for Risk Management in the Public Sector (ALARM) (2002).

COSO and FERMA standards. The document “Risk Management of Organizations. Integrated Model”, developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), gives the rationale for developing concepts for constructing an RMS and recommendations for implementing a rational procedure for its creation.

The domestic non-profit organization RusRisk also recommends the risk management standard of the Federation of European Risk Management Associations (FERMA), created in 2002 by the Institute of Risk Management (IRM), the Association of Risk Management and Insurance (AIRMIC) and the National Forum on Risk Management in the Public Sector (ALARM).

Figures 5.2 and 5.3 present the risk management processes in the COSO and FERMA standards, respectively.

Fig. 5.2. Risk management process in the COSO standard.

Fig. 5.3. Risk management process in the FERMA standard.

The FERMA standard is based on the terminology of the International Organization for Standardization (ISO/IEC Guide 73:2002 “Risk management. Terms and definitions”). Thus, unlike the standards of individual countries, the FERMA standard defines risk as “a combination of the probability of an event and its consequences”, which is a limitation of the document. At the same time, the RMS in the FERMA standard is placed at the center of the strategic management system, and strategic, operational and financial risks, together with hazards, are named as the most important.

The FERMA standard also contains:

  • a concise description of the main elements of the risk management procedure, with the content of information depending on the type of its recipient;
  • a list of the organizational units involved in the work of the RMS, and the main requirements for the preparation of the documentation accompanying risk management.

The FERMA standard is best suited to corporations that are more involved in the production sector or, in economic terms, in the real sector of the economy. The RMS in this standard is based on the following provisions:

  • risk is a combination of the likelihood of an event and its consequences;
  • reliance on a systematic approach;
  • optimization of risk management procedures based on analysis of business processes, their content, and favorable and unfavorable factors;
  • effective management of capital and resources;
  • reducing the level of uncertainty in the influence of factors;
  • respecting the interests of owners and improving the image of the organization;
  • improving the skills of employees and creating an organizational knowledge base;
  • optimization of business processes.

COSO standards are intended primarily for use in corporate structures actively involved in exchange trading.

In accordance with this standard, the RMS is based on the following provisions:

  • assessment of risk appetite, determined by the strategic goals of the organization;
  • improving the procedures for developing adequate actions in relation to risks;
  • reducing the level of environmental uncertainty;
  • identifying the maximum list of risks and influencing them;
  • identifying favorable factors and realizing the opportunities they provide;
  • effective capital management.

A comparison of the evolution of the content of standards (for example, Australian and American) shows their gradual transition to a more generalized form that highlights the key stages of the risk factor regulation process. In addition, the continued development of risk management standards, including their modernization and extension in individual countries, indicates that these processes cannot end, as the business context is constantly changing and new dangers, threats and risks arise.

New international standards. The development of international standards continues. Uniformity of terms is ensured by ISO/IEC Guide 73:2002 “Risk management. Terms and definitions” (ISO/IEC Guide 73 “Risk Management Vocabulary. Guidelines for use in standards”), published in 2002.

In 2009, the International Organization for Standardization published ISO 31000 “Risk Management. Principles and guidelines on implementation”. Standards have also been created for certain types of activities (oil and gas, production of medical equipment, etc.).

The ISO 31000 standard was developed on the basis of the already mentioned Australian and New Zealand standard. The risk management process in the ISO standard is presented in Fig. 5.4. As Figures 5.1 and 5.4 show, the risk management process flow diagrams in the ISO standard and in the Australian and New Zealand standard are very similar. However, beyond differences in the interpretation of elements with similar names, the ISO standard is characterized by the simultaneous execution of the risk identification, analysis and assessment processes, which the Australian and New Zealand standard does not provide for.

Establishing the context involves an analysis of the external and internal environment of the organization, namely:

  • establishing the external context: assessing connections with the external environment and external threats;
  • establishing the internal context: determining the elements of the system representing the organization, internal connections, resource provision, targets and strategic objectives;
  • establishing the risk management context: highlighting the processes that the RMS can influence;
  • identifying the risk criteria by which the need to influence a risk is determined; these may belong to the sphere of business organization, technology, law, economics, social and environmental issues, etc., and reflect the attitude of those involved to risk and the provisions of regulations. Such criteria, in particular, include the results of assessing the implementation of risk factors;
  • describing the risk management system by division.

Fig. 5.4. Risk management process in the ISO 31000 standard.

During the risk assessment, the following processes are also implemented in parallel:

  • risk identification: probable sources of risk factors are identified and the results of their realization are assessed;
  • risk analysis: the probabilities and results of the realization of risk factors are established; the analysis may be qualitative, quantitative, or a combination of both;
  • risk evaluation: based on the results of the risk analysis, the risks that can be acted upon are identified using the risk criteria;
  • risk treatment: a rational procedure for acting on the risk is selected, a treatment plan is drawn up and implemented, and the residual risk is assessed and described. When planning the treatment, the following are determined: the content of the treatment procedure and the required resources, the distribution of rights and responsibilities, the effectiveness of the procedure, the content of the reporting documentation and the monitoring technology;
  • monitoring and review: continuous documentation of all activities and their consequences.

The integrated risk management procedure consists of several elements.

  1. Planning the risk management procedure. This management procedure must be integrated into the organization’s policy, strategy, asset and liability management, investment management, audit, anti-fraud technologies, etc.
  2. Formation of the risk management policy. The policy must be documented and contain a description of: the target settings and management technology, the relationship between the content of the policy and the strategies, the procedures for influencing risk, the procedures for assisting persons involved in risk management, the procedures for measuring and documenting the management process, the procedures for periodic measurement of the RMS, and the functions of top management in relation to the management process.

Unlike the COSO concept, where risk management is presented as a process aimed at identifying events and managing the associated risk, in the ISO standards risk management is a coordinated activity to direct and control an organization with regard to risk. Accordingly, the risk management process is the systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring and reviewing risk.

The RMS model described in the standard (Fig. 5.5) is designed to improve the efficiency of organization management.

The annexes to the standard state:

  • the need for continuous improvement of management processes and communications;
  • the importance of establishing responsibility, control and the practical implementation of risk management procedures;
  • the dominant role of risk management in the structure of the organization.

Currently, Russia has a huge number of state standards, of which only a small share, less than 1%, relate to business risks, even though this type of risk is extremely important for any business entity. World risk management practice regards the standard as a model worth striving for. There are few standards in risk management. At the same time, the roots of the existing Russian risk management standards, as well as of the huge number of recommended industry practices, lie abroad, so their principles are grounded in foreign reality.

For a general idea of risk management standards, one should become familiar with some of them: the FERMA standard, some postulates of the Sarbanes-Oxley Act, the COSO II standard and the South African standard KING II.

The FERMA risk management standard was developed jointly by The Institute of Risk Management in the UK, The Association of Insurance and Risk Management and The National Forum for Risk Management in the Public Sector, and adopted in 2002. The scheme contained in the document serves as the basis for implementing a risk management system. These risk management standards contain: a definition of risk and of risk management, an explanation of internal and external risk factors, the risk management processes, risk assessment procedures, methods and technologies for risk analysis, risk management activities, and the responsibilities of a risk manager. According to this document, risk is considered as a combination of the probability of an event and its consequences, and risk management as a central part of the strategic management of an organization. For example, the main functions of a risk specialist, according to the FERMA standard, are the development and implementation of a risk management program, coordinating the interaction of the various structural divisions of the organization, developing programs to reduce unplanned losses, and organizing measures to maintain the continuity of business processes. The main idea of this standard is that its adoption is necessary to reach agreement on the terminology used, the process of practical application of risk management, the organizational structure of risk management and its goals. It is especially important to understand that risk management is not just a tool for commercial and public organizations, but a guide for any action (both in the short and the long term).

One of the few legally enacted standards in the field of risk management is the Sarbanes-Oxley Act. This law primarily addresses internal control and the reliability of financial reporting, and it also indirectly regulates the risk management process. The law does not provide guidance on developing specific financial control procedures; instead it calls for analysis of incoming process data and verification of compliance through auditing.

In 2001, the Committee of Sponsoring Organizations of the Treadway Commission (COSO), together with PricewaterhouseCoopers, initiated a project to develop the principles of risk management (Enterprise Risk Management – Integrated Framework). In accordance with the developed principles, risk management is a process that covers the entire activity of an enterprise and involves employees at various levels of management; a tool for achieving strategic goals; a technology for identifying and managing risks; and a way of insuring the activities of an enterprise against possible errors by management or the board of directors.

The South African standard KING II is a collection of standard solutions from risk management practice; it is constantly updated and serves as a guide for training risk managers. This standard does not address the specifics of a particular business or of corporate governance, but the ideology of the process and the desired stages are clearly expressed. Thus, careful adaptation of its procedures to the specifics of a particular company can lead to the desired result.

It must be said that most of the analyzed standards (COSO II, FERMA) operate on the basis of agreement among their participants. One of the few legally enacted standards in the field of risk management is the Sarbanes-Oxley Act, but even this law does not guarantee the success of actions and procedures.

However, as practice shows, existing foreign standards for building a risk management system are poorly or only partially applicable in Russian reality. Therefore the Russian Federation, drawing on the foreign standards, has developed its own standards in the field of risk management, which we consider in more detail below.

The 51901 series of standards, “Risk Management”, provides general guidance on the application of risk management at an enterprise and contains methods for risk assessment, taking into account the specifics of using a particular method when assessing individual business risks. The series includes:

  • GOST R 51901.1-2002 “Risk management. Risk analysis of technological systems” establishes guidelines for the selection and implementation of risk analysis methods, primarily for assessing the risks of technological systems;
  • GOST R 51901.2-2005 “Risk management. Reliability management systems” describes the concepts and principles of the reliability management system, defines the main processes of this system (planning, resource allocation, management and adaptation) and the reliability tasks at the product life-cycle stages related to planning, design, measurement, analysis and improvement;
  • GOST R 51901.3-2007 “Risk management. Reliability management guidelines” establishes guidance for reliability management in design, development, product evaluation and process improvement;
  • GOST R 51901.4-2005 “Risk management. Guidelines for use in design” establishes the general provisions of risk management during design, its subprocesses and influencing factors;
  • GOST R 51901.5-2005 “Risk management. Guidelines for the application of reliability analysis methods” contains a brief overview of frequently used reliability analysis methods, descriptions of the main methods with their advantages and disadvantages, input data and other conditions of use;
  • GOST R 51901.6-2005 “Risk management. Reliability improvement program” establishes requirements and makes recommendations for eliminating weaknesses in hardware and software to improve reliability;
  • GOST R 51901.10-2009 “Risk management. Procedures for managing fire risk at an enterprise” contains the main provisions of fire risk management and establishes the basic principles for the analysis and interpretation of fire risk;
  • GOST R 51901.11-2005 “Risk management. Hazard and performance studies. Application guide” provides guidance on investigating hazards and system performance using the set of guide words defined in the standard, and on applying the HAZOP investigation method and procedures, including definition, preparation, examination and final documentation;
  • GOST R 51901.12-2007 “Risk management. Method for analyzing the types and consequences of failures” establishes methods for analyzing the types and consequences of failures and the types, consequences and criticality of failures, and provides recommendations for their use;
  • GOST R 51901.13-2005 “Risk management. Fault tree analysis” establishes the fault tree analysis method and provides guidance on its application;
  • GOST R 51901.14-2007 “Risk management. Reliability block diagram and Boolean methods” describes methods for constructing a system reliability model and using this model to calculate the system’s reliability and availability indicators;
  • GOST R 51901.15-2005 “Risk management. Application of Markov methods” establishes guidelines for the application of Markov methods to reliability analysis;
  • GOST R 51901.16-2005 “Risk management. Increased reliability. Statistical criteria and methods of assessment” describes models and quantitative methods for estimating reliability improvement based on system failure data obtained under the reliability improvement program. These procedures allow one to determine point estimates, confidence intervals and hypothesis tests for the characteristics of system reliability improvement.

Thus, the standards of the 51901 series “Risk Management” describe in detail the use of various methods and approaches to risk assessment and analysis, aimed specifically at their practical implementation and use in the enterprise. For clarity, many of the standards discuss practical examples.

The IEC and ISO series of risk management standards are based on translations of the international standards developed by the International Electrotechnical Commission (IEC) and the International Organization for Standardization (ISO). The main objects of ISO standardization are the following industries: mechanical engineering, chemistry, ores and metals, information technology, construction, medicine and healthcare, the environment, and quality assurance systems. IEC standards are more specific than ISO standards and are more suitable for direct application. The IEC attaches great importance to the development of safety standards; the main purpose of safety standardization is protection from various types of danger.

The scope of activities of the IEC includes: traumatic hazards, electrical hazards, explosion hazards, equipment radiation hazards (including ionizing radiation), biological hazards, etc. For example:

  • GOST R IEC 62305-1-2010 “Risk management. Lightning protection. Part 1. General principles” establishes the general principles of lightning protection of buildings, structures and their parts, including the people in them, the utility networks connected to the building (structure), and other objects;
  • GOST R ISO 17776-2010 “Risk management. Guidelines for the selection of hazard identification and risk assessment methods and tools for offshore oil and gas production facilities” describes the principal methods recommended for hazard identification and risk assessment in the development and operation of offshore oil and gas fields, including seismic exploration, topographic surveys, exploration and development drilling, field development (including provision of resources), and the decommissioning and disposal of related equipment;
  • GOST R ISO 17666-2006 “Risk management. Space systems” establishes the principles and requirements for integrated risk management for a space project, on the basis of which the integrated enterprise policy is implemented in the risk management system during the project by each project participant at all levels (customer, first-level supplier, lower-level suppliers);
  • GOST R IEC 61160-2006 “Risk management. Formal design review” provides guidelines for performing design review procedures as a means of driving product and process improvement. The standard gives guidance for planning and conducting project reviews and describes in detail the participation in the analysis of specialists in reliability, maintenance, repair and performance assurance.

The ISO/IEC Joint Program Committee distributes the responsibilities of the two organizations on issues in related areas of technology; the standards developed by the committee include ISO/IEC 16085:2006 “Systems and software engineering. Life cycle processes. Risk Management” and the identical GOST R ISO/IEC 16085-2007 “Risk Management. Application in the life cycle processes of systems and software”, which establishes a risk management process for the acquisition, supply, development, operation and maintenance of software.

In addition to the listed standards related to the management of economic risks, there are also specialized ones that regulate the process of risk management in such areas as medicine, ecology, information technology, etc.

Currently, professionals have come to realize that, in order to create an effective risk management system, it is necessary to develop a unified basis for the regulatory framework of the organization’s risk management system. But because there are many ways to achieve this goal, it is almost impossible to combine all directions into a single document. That is why the existing risk management standards are not intended to be normative. However, by following the components of the standards considered and choosing among the various ways and methods, organizations will be able to achieve their risk management goals.


In addition to the international risk management standards, there are also national risk management standards adopted in countries with Anglo-Saxon law (Australia, New Zealand, Japan, Great Britain, South Africa, Canada).

Fig. 3 – History of risk management standardization.

Simultaneously with the national management standards, numerous regulatory requirements appeared for building and improving the risk management process of companies in specific industries. Among industry risk management standards, the best known are those affecting the activities of insurance and reinsurance companies (Solvency, Solvency II) and banks (Basel, Basel II, Basel III).

Standards in the field of risk management provide for the unification of:

  • the terminology used in this area;
  • the components of the risk management process;
  • the approaches to building an organizational structure for risk management.

However, despite the unification of terminology carried out within each risk management standard, the methods and goals of risk management differ between standards. Fig. 3 presents the national and international standards whose terminology differs the least. When trying to combine various standards, confusion is possible, since the definitions of the basic terms differ.

The standard “Risk Management of Organizations. Integrated Model”, developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), provides a conceptual framework for enterprise risk management and detailed recommendations for creating a corporate risk management system within an organization.

The organization's risk management process, as interpreted by COSO, consists of eight interrelated components:

1) determination of the internal environment;

2) setting goals;

3) definition (identification) of risk events;

4) risk assessment;

5) response to risk;

6) controls;

7) information and communications;

8) monitoring.

Thus, in defining the components of the risk management process, the document in question follows the understanding of the process already established in the risk management standards.

Fig. 4 – COSO Cube.

In world practice the standard is known as the “COSO Cube” (Fig. 4): it establishes the relationship between the goals of the organization (strategic and operational goals, reporting, and compliance with legislation), the organizational structure of the company (the levels of company, division, business unit and subsidiary) and the components of the risk management process identified above.

1. Internal environment

Lays the foundations for the risk management approach. Includes:

  • the board of directors;
  • the risk management philosophy;
  • risk appetite;
  • honesty and ethical values;
  • the importance of competence;
  • the organizational structure;
  • delegation of powers and distribution of responsibilities;
  • personnel management standards.

2. Setting goals

Goals must be defined before management begins to identify events that may affect their achievement.

The company’s management must have a properly organized process for selecting and forming goals, and these goals must correspond to the mission of the organization and the level of its risk appetite.

3. Risk assessment

Risks are analyzed based on their likelihood of occurrence and impact to determine what actions need to be taken to address them.

Risks are assessed in terms of inherent and residual risk.

4. Identify potential events

Internal and external events that have an impact on the achievement of the organization's objectives should be identified in terms of risks or opportunities.

Opportunities must be taken into account by management when formulating strategy and setting goals.

5. Risk response

Management chooses a risk response method:

  • avoidance;
  • acceptance;
  • reduction;
  • transfer.

The measures developed make it possible to bring the identified risk into line with the acceptable level of risk and the risk appetite of the organization.

6. Control procedures

Policies and procedures are designed and established to provide “reasonable” assurance that an emerging risk is responded to effectively and in a timely manner.

7. Information and communication

The required information is identified, recorded and communicated in a form and within a time frame that enable employees to perform their responsibilities.

Information is exchanged effectively within the organization, both vertically and horizontally.

8. Monitoring

The entire risk management process of the organization is monitored and adjusted as necessary.

Monitoring is carried out as part of management's ongoing activities or through periodic assessments.
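As an added illustration (not part of the original text or of COSO’s own documents) of components 3 to 5 and 8 above, the following Python sketch scores risks on likelihood and impact, derives residual risk from existing controls, compares it to the organization’s risk appetite, and maps the result onto the four response types. The 1..5 scales, the appetite threshold, the decision rule and the sample register are constructed assumptions.

```python
"""Constructed worked example of COSO ERM risk assessment and response:
inherent vs residual risk on a likelihood x impact scale, compared to a
risk appetite threshold, with a response chosen from the four COSO types.
Scales, threshold, decision rule and sample risks are illustrative assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List

RESPONSES = ("avoid", "accept", "reduce", "transfer")  # the four COSO response types


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # scale points the control removes from likelihood
    impact_reduction: int = 0      # scale points the control removes from impact


@dataclass
class Risk:
    name: str
    likelihood: int  # inherent likelihood, 1 (rare) .. 5 (almost certain)
    impact: int      # inherent impact, 1 (negligible) .. 5 (severe)
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1..5 scale")

    def inherent_score(self) -> int:
        """Risk before any controls are applied: likelihood x impact (1..25)."""
        return self.likelihood * self.impact

    def residual_likelihood(self) -> int:
        """Likelihood after existing controls; never below 1 on the scale."""
        return max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))

    def residual_impact(self) -> int:
        """Impact after existing controls; never below 1 on the scale."""
        return max(1, self.impact - sum(c.impact_reduction for c in self.controls))

    def residual_score(self) -> int:
        """Risk remaining after controls: the value compared against the appetite."""
        return self.residual_likelihood() * self.residual_impact()


def within_appetite(risk: Risk, appetite: int) -> bool:
    """Residual risk is acceptable only if it does not exceed the appetite threshold."""
    return risk.residual_score() <= appetite


def recommend_response(risk: Risk, appetite: int) -> str:
    """Constructed decision rule mapping residual risk onto the COSO response types.

    accept   - residual risk is already within appetite
    avoid    - residual risk is both severe and likely: stop the activity
    transfer - severe but less likely: insure or contract the impact away
    reduce   - otherwise: add controls to bring residual risk down
    """
    if within_appetite(risk, appetite):
        return "accept"
    if risk.residual_impact() >= 5 and risk.residual_likelihood() >= 4:
        return "avoid"
    if risk.residual_impact() >= 4:
        return "transfer"
    return "reduce"


def register_report(risks: List[Risk], appetite: int) -> List[Dict[str, object]]:
    """Monitoring view (component 8): each risk with scores and response, worst first."""
    rows = [
        {
            "risk": r.name,
            "inherent": r.inherent_score(),
            "residual": r.residual_score(),
            "within_appetite": within_appetite(r, appetite),
            "response": recommend_response(r, appetite),
        }
        for r in risks
    ]
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed sample register; not data from any real organization.
SAMPLE_RISKS = [
    Risk("Ransomware on file servers", likelihood=4, impact=5,
         controls=[Control("offline backups", impact_reduction=2),
                   Control("monthly patching", likelihood_reduction=1)]),
    Risk("Key supplier insolvency", likelihood=2, impact=4),
    Risk("Office printer outage", likelihood=3, impact=1),
    Risk("Internet-exposed legacy application", likelihood=5, impact=5),
]
RISK_APPETITE = 6  # board-approved maximum residual score (constructed threshold)

if __name__ == "__main__":
    for row in register_report(SAMPLE_RISKS, RISK_APPETITE):
        print(row)
```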

The Federation of European Risk Management Associations (FERMA) Risk Management Standard is a joint development of the Institute of Risk Management (IRM), the Association for Risk Management and Insurance (AIRMIC) and the National Forum on Risk Management in the Public Sector (ALARM) (2002).

In contrast to the COSO ERM Standard discussed above, in terms of the terminology used, this standard adheres to the approach adopted in the documents of the International Organization for Standardization (ISO/IEC Guide 73 Risk Management - Vocabulary - Guidelines for use in standards). In particular, risk is defined by the standard as “the combination of the probability of an event and its consequences” (Fig. 4).

Fig. 5 – Risk management process according to the FERMA standard.

Risk management is considered a central part of the strategic management of an organization, whose task is to identify and manage risks. It is noted that risk management, as a unified system, should include a program for monitoring the implementation of assigned tasks, for assessing the effectiveness of ongoing activities, and an incentive system at all levels of the organization.

In accordance with the FERMA Standard, four groups of organizational risks are distinguished: strategic, operational and financial, as well as hazard risks.

In addition, the document provides:

1. A brief description of the key stages of the risk management process, within which the detailed description of the requirements for the level of detail in risk reports deserves attention; the detail depends on the consumer of the information (for internal reports: the company’s board of directors, a separate structural unit, or a specific employee of the organization; for external reports: the organization’s external counterparties). In particular, a report on the company’s risks for external users should include a description of:

  • the methods of the internal control system, namely the areas of responsibility of the organization’s management in matters of risk management;
  • the methods for identifying risks and their practical application in the organization’s current risk management system;
  • the main tools of the internal control system in relation to the most significant risks;
  • the existing mechanisms for monitoring and tracking risks.

2. A description of the organizational structure of risk management (board of directors – structural unit – risk manager), as well as the basic requirements for developing regulatory documents in the field of risk management at the corporate level (the Organizational Risk Management Program).

The appendix to the standard provides examples of risk analysis methods and technologies used in practice. Experts recognize the Risk Management Standard of Australia and New Zealand as one of the most comprehensive and developed national standards in the field of risk management. The AS/NZS 4360 standard is of a general (non-industry) nature; its main provisions are adapted for the construction of risk management systems by a number of transnational companies.

Fig. 6 – Risk management process according to AS/NZS 4360

According to AS/NZS 4360, risk management at the company level is a set of five sequential stages and two end-to-end processes (Fig. 6). Risk management is understood in the standard as "a set of culture, processes and structures focused on exploiting potential opportunities while simultaneously managing negative impacts."

Stage 1. Establishing the context (environment)

Among the factors that determine the need to analyze and describe the company's internal environment, the following should be highlighted:

Risk management must be carried out in the context of the organization's defined goals and objectives;

One of the company's main risks is the emergence of obstacles to achieving its strategic, operational, project and other goals;

A clear formulation of the principles of organizational policy and company goals will help determine the main directions of corporate policy in the field of risk management;

The goals and objectives of the company by segment of activity, as well as the targets set for individual corporate projects, must be considered in line with the objectives of the company as a whole. At this stage the range of target performance indicators is also determined, a list is compiled of the elements of the company's strategy and the parameters of its operation that will be affected by risk management processes, and a balance is struck between possible costs and benefits (the so-called stage of establishing the risk management context). The required resources and accounting procedures should also be determined.

Stage 2. Risk identification

At this stage, the risks arising from the characteristics of the external and internal environment analyzed at the previous stage are identified: all possible sources of risk are considered, together with the available information on the risk perception (risk awareness) of the parties involved, both inside and outside the organization. Special requirements are placed on the quality of information (the highest level of relevance, completeness, accuracy and timeliness achievable with the resources available to obtain it) and on its sources. It is important that the personnel involved in risk identification have full knowledge of the processes or activities being analyzed. This calls for the participation of special working groups made up of experts from various fields.

Stage 3. Risk analysis

The result of this stage is the determination of the level of risk, which reflects assessments of the consequences and likelihood of risk events. Both quantitative and qualitative analysis are used. The value and impact of qualitative analysis is greatly enhanced when the definition of risk is shaped by a wide range of stakeholders.

Stage 4. Risk assessment

The task of this stage is to decide whether a risk is acceptable or unacceptable (the risk treatment procedures provided for in stage 5 of the process are not applied to acceptable risks).

Risk assessment involves studying the existing level of control over a risk event, the cost of implementing treatment, and the potential costs and benefits associated with the risk event. The results of the experts' work at this stage may require a revision of the risk criteria established at the first stage of the process (this is how the task of ensuring that all significant risks fall within the scope of analysis is solved).

Stage 5. Risk treatment

At this stage, work is carried out on the assessed and ranked risks that have been judged unacceptable for the company according to the criteria determined at the initial stages of the risk management process. The alternative risk treatment options are:

Risk avoidance, achieved either by ceasing the activities associated with an unacceptable level of risk for the company, by choosing other, more acceptable areas of activity that meet the organization's objectives, or by choosing an alternative, less risky way of organizing the process or activity in question.

Reducing the likelihood of a risk event occurring and/or its possible consequences. It is important to bear in mind that a balance must be found between the level of risk and the cost of reducing the risk to a given level. When the approaches developed to reduce risk are judged justified but have high implementation costs, the necessary costs must be budgeted. The procedures recommended under this option are: control; process improvement; training and staff development; audit and verification of compliance with established rules.

Sharing the risk with third parties. It must be taken into account that the party transferring the risk faces a new risk: that the organization accepting the risk will be unable to manage it effectively.

Risk retention. This alternative applies to residual and undetected risks.

Conclusion

Despite differences in the objectives and methods of risk management, each standard affirms the need for continuity of risk monitoring and control processes.

Risk assessment is an integral part of risk management; it is a structured process for identifying which of the organization's objectives may be affected by risks. Risk assessment analyzes risks in terms of their consequences and likelihood before the organization decides on further action, if any is required.

Risk assessments give decision makers and responsible parties a clear understanding of the risks that may affect the achievement of objectives, as well as information on the adequacy and effectiveness of controls. The standard provides a basis for deciding on the most appropriate approach and is used to make decisions on specific risks, as well as to choose between different options.

Choosing a specific standard as the main one for an enterprise is a serious task; sometimes an organization uses several standards at the same time, which creates uncertainty in its risk management processes. The choice of a risk management standard, or of a balanced extension of it, requires a detailed understanding of the requirements of each standard and of the methods for applying (implementing) them in practice, and also depends on the maturity of both the organization's risk management processes and its information technology management processes.

References

1. GOST 1.1-2002 "Interstate standardization system. Terms and definitions."

2. GOST R 51897-2002 "Risk management. Terms and definitions."

3. Organizational risk management. Integrated model. COSO Summary, 2004.

4. Organizational risk management. Integrated model // "Risk Management", No. 5–6, 7–8, 9–10, 11–12, 2007; 1–2, 2008.

5. Risk management standards of the Federation of European Risk Management Associations (FERMA), 2003.

6. J. Philopoulos. Policy formation and institutional framework for risk assessment in the EU. Recommendations for creating a risk assessment system in the country.

7. AS/NZS 4360:2004 Risk Management, issued by Standards Australia.

8. CSA (1997) Risk Management: Guideline for Decision-Makers – A National Standard of Canada / Canadian Standards Association (1997, reaffirmed 2002) CAN/CSA-Q850-97.

9. Draft International Standard ISO/DIS 31000 "Risk management – Principles and guidelines on implementation", ISO, 2008.

10. Kevin W. Knight. Risk Management – a journey, no destination. January 2006.

11. Kevin W. Knight. Risk Management: an integral component of corporate governance and good management. ISO Bulletin, October 2003.

12. Marc Saner. Information Brief on International Risk Management Standards. Institute On Governance, Canada, November 30, 2005.

13. Enterprise Risk Management – Integrated Framework. Executive Summary. Committee of Sponsoring Organizations of the Treadway Commission (COSO), 2004.

14. GOST R 51898-2002 "Safety aspects. Rules for inclusion in standards."
