
ISO 31000:2018

ISO 31000:2018 is the international standard for risk management. It provides principles, a framework, and a process to help organizations create and protect value by managing the effect of uncertainty on their objectives, which is how the standard defines risk. It is a guideline applicable to any public, private, or community organization, regardless of its size, activity, or sector; it states guidance rather than auditable requirements and is not intended for certification. Domain-specific standards such as ISO/IEC 27005 (information security risk management) build on its vocabulary and process.

Controls:

Clause 4: The principles in Clause 4 provide guidance on the characteristics of effective and efficient risk management, communicating its value and explaining its intention and purpose.

  • Integrated - P.4.a

    Principle a): Risk management is integrated. It should be an integral part of all organizational activities, including governance and decision-making.

  • Structured and Comprehensive - P.4.b

    Principle b): Risk management is structured and comprehensive. A structured and comprehensive approach to risk management contributes to consistent and comparable results.

  • Customized - P.4.c

    Principle c): Risk management is customized. The risk management framework and process are customized and proportionate to the organization's external and internal context related to its objectives.

  • Inclusive - P.4.d

    Principle d): Risk management is inclusive. Appropriate and timely involvement of stakeholders enables their knowledge, views and perceptions to be considered.

  • Dynamic - P.4.e

    Principle e): Risk management is dynamic. Risks can emerge, change or disappear as an organization's external and internal context changes. Risk management anticipates, detects, acknowledges and responds to those changes.

  • Best Available Information - P.4.f

    Principle f): Risk management is based on the best available information. The inputs to risk management are based on historical and current information, as well as on future expectations.

  • Human and Cultural Factors - P.4.g

    Principle g): Risk management considers human and cultural factors. Human behavior and culture significantly influence all aspects of risk management at all levels and stages.

  • Continual Improvement - P.4.h

    Principle h): Risk management is continually improved. Risk management is improved continually through learning and experience.

Clause 5: The purpose of the risk management framework is to assist the organization in integrating risk management into significant activities and functions.

  • Leadership and Commitment - F.5.2

    5.2 Leadership and commitment: Top management and oversight bodies, where applicable, should ensure that risk management is integrated into all organizational activities and should demonstrate leadership and commitment.

  • Integration - F.5.3

    5.3 Integration: Integrating risk management relies on an understanding of organizational structures and context. It needs to be part of the organization's purpose, governance, leadership and commitment, strategy, objectives and operations.

  • Design - F.5.4

    5.4 Design: This involves understanding the organization and its context, articulating commitment, assigning roles and authorities, allocating resources, and establishing communication.

  • Implementation - F.5.5

    5.5 Implementation: The organization should implement the risk management framework by developing an appropriate plan, identifying where, when, how and by whom decisions are made, and modifying applicable processes.

  • Evaluation - F.5.6

    5.6 Evaluation: To evaluate the effectiveness of the risk management framework, the organization should periodically measure its performance against its purpose, implementation plans, indicators and expected behavior.

  • Improvement - F.5.7

    5.7 Improvement: The organization should continually monitor and adapt the risk management framework to address external and internal changes. The organization should continually improve its suitability, adequacy and effectiveness.

Clause 6: The risk management process involves the systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context, and assessing, treating, monitoring, reviewing, recording and reporting risk.

  • Communication and Consultation - PR.6.2

    6.2 Communication and consultation: This is an iterative process that assists in an exchange of information. It should take place throughout all steps of the risk management process.

  • Scope, Context, and Criteria - PR.6.3

    6.3 Scope, context and criteria: This step involves customizing the risk management process by defining its scope, understanding the external and internal context, and defining risk criteria.

  • Risk Identification - PR.6.4.2

    6.4.2 Risk identification: The purpose of risk identification is to find, recognize and describe risks that might help or prevent an organization from achieving its objectives.

  • Risk Analysis - PR.6.4.3

    6.4.3 Risk analysis: The purpose of risk analysis is to comprehend the nature of risk and its characteristics. It involves a detailed consideration of uncertainties, risk sources, consequences, likelihood, events, scenarios, controls and their effectiveness.

  • Risk Evaluation - PR.6.4.4

    6.4.4 Risk evaluation: The purpose of risk evaluation is to support decisions. Risk evaluation involves comparing the results of risk analysis with the established risk criteria to determine where additional action is needed.

  • Risk Treatment - PR.6.5

    6.5 Risk treatment: The purpose of risk treatment is to select and implement options for addressing risk. This involves selecting options, planning and implementing treatment, and assessing its effectiveness.

  • Monitoring and Review - PR.6.6

    6.6 Monitoring and review: The purpose of monitoring and review is to assure and improve the quality and effectiveness of process design, implementation and outcomes. This should be a planned part of the risk management process.

  • Recording and Reporting - PR.6.7

    6.7 Recording and reporting: The risk management process and its outcomes should be documented and reported. Reporting should be customized to different stakeholders, providing information to support decision-making and improve risk management activities.