Risk management (restructured) BURM

(new)

Planning and implementing organisation-wide processes and procedures for the management of risk to the success or integrity of the enterprise.

Guidance notes

(new)

Risk management can be applied to many enterprise functions as well as technical and engineering specialisms - such as, but not limited to, information and technology systems, operations, environmental, information and cyber security, safety, energy supply. Risk is also specifically referenced in many SFIA skills. 

Activities may include - but are not limited to...

  • identifying risks,
  • classifying and prioritising risks - their impact and probability and mitigation actions
  • planning, developing, and implementing organisational approaches to risk management to ensure integrity of the business, its products and services and the end-users
  • communicating and reporting on risks and mitigation actions to key stakeholders

Risk management (restructured): Level 7

(modified)

Establishes organisational strategy for risk management. Defines and communicates the organisation's appetite for risk. Provides resources to implement the organisation's risk strategy. Delegates authority for detailed planning and execution of risk management activities across the organisation.

Risk management (restructured): Level 6

(modified)

Plans and manages the implementation of organisation-wide processes and procedures, tools and techniques for risk management. Considers organisation-wide risk and mitigation activities within the context of business risk as a whole and the organisation’s appetite for risk. Provides leadership on risk management at organisational and business level.

Risk management (restructured): Level 5

(modified)

Plans and implements complex and substantial risk management activities within a specific function, technical area, project or programme. Implements consistent and reliable risk management processes and reporting to key stakeholders. Engages specialists and domain experts as necessary. Advises on the organisation's approach to risk management.

Risk management (restructured): Level 4

(modified)

Carries out risk management activities within a specific function, technical area or project of medium complexity. Identifies risks and vulnerabilities, assesses their impact and probability, develops mitigation strategies and reports into the business. Involves specialists and domain experts as necessary.

Risk management (restructured): Level 3

(new)

Undertakes basic risk management activities. Maintains documentation of risks, threats, vulnerabilities and mitigation actions.