Risk management BURM


The management of risk and vulnerabilities within a business function, technical area or the organisation as a whole. This includes the identification, classification and assessment of risks, their impact and probability and mitigation actions. The planning, development and implementation of organisational approaches to risk management to ensure integrity of the business, its products and services and the end-users.

Guidance notes

Risk management can be applied to many enterprise functions as well as technical and engineering specialisms - such as, but not limited to, information and technology systems, operations, environmental, information and cyber security, safety, energy supply. Risk is also specifically referenced in many SFIA skills. 

Risk management: Level 7


Establishes organisational strategy for risk management. Defines and communicates the organisation's appetite for risk. Provides resources to implement the organisation's risk strategy. Delegates authority for detailed planning and execution of risk management activities across the organisation.

Risk management: Level 6


Plans and manages the implementation of organisation-wide processes and procedures, tools and techniques for the identification, assessment and management of risks. Considers risk and mitigation activities from all functions and programmes within the context of business risk as a whole and the organisation’s appetite for risk. Provides leadership on risk management at organisational and business level.

Risk management: Level 5


Carries out complex and substantial risk management activities within a specific function, technical area or project or programme. Uses consistent risk management processes for the identification of risks and vulnerabilities, the assessment of their impact and probability, the development of mitigation strategies and reporting into the business. Engages specialists and domain experts as necessary. Coordinates complex mitigation activities and strategies and develops contingency plans. Advises on the organisations approach to risk management.

Risk management: Level 4


Carries out risk management activities within a specific function, technical area or project of medium complexity. Identifies risks and vulnerabilities, assesses their impact and probability, develops mitigation strategies and reports into the business. Involves specialists and domain experts as necessary.

Risk management: Level 3


Undertakes basic risk management activities. Maintains documentation of risks, threats, vulnerabilities and mitigation actions.