Business Continuity Requirements and Scope
4 Risk management 4.1 Risk management strategy [Organization Name]’s strategy with respect to the high-level management of risk is to broadly adopt the principles of the ISO31000 standard (Risk management – principles and guidelines) so that risk management: • • • • • • • • • • •
Creates and protects value Is an integral part of all organizational processes Is part of decision-making Explicitly addresses uncertainty Is systematic, structured and timely Is based on the best available information Is tailored Takes human and cultural factors into account Is transparent and inclusive Is dynamic, iterative and responsive to change Facilitates continual improvement of the organization
These principles will also be applied to the management of risk with respect to the business continuity of the organization.
4.2 Risk appetite The BCMS is designed to address the major risks that are identified to the business continuity of [Organization Name]. In identifying, assessing and managing these risks there are a number of options open to the organisation according to its appetite for risk. In general terms the organisations appetite for risk may be said to be Low / Moderate / High (delete as appropriate). • • •
Low: The strategy of the organisation is to avoid risk where possible and to invest resources in mitigating residual risk through effective business continuity measures. Moderate: The strategy of the organisation is to accept reasonable levels of risk whilst making some effort to ensure measures are in place to handle risks if they occur. High: The strategy of the organisation is to accept significant levels of risk as an integral part of the business it is in, on the basis that the resulting rewards will be sufficient justification.
This level of risk appetite will be applied to the risk assessments that are carried out as part of the BCMS and will determine the actions that need to be taken to mitigate risk to an acceptable degree.
Version 1
Page 16 of 22
[Insert date]
