The global skills and competency framework for the digital world

Risk management BURM


Planning and implementing organisation-wide processes and procedures for the management of risk to the success or integrity of the enterprise.

SFIA 9 is in development

  • SFIA 9 beta due in early July 2024
  • SFIA 9 planned for publication October 2024

This is a prototype for SFIA 9. It is subject to change before publication.

Guidance notes


Risk management can be applied to many enterprise functions as well as technical and engineering specialisms — such as, but not limited to, information and technology systems, operations, environmental, information and cyber-security, safety, energy supply. Risk is also explicitly referenced in many SFIA skills. 

Activities may include — but are not limited to:

  • identifying risks
  • classifying and prioritising risks — their impact and probability, and mitigation actions
  • planning, developing, and implementing organisational approaches to risk management to ensure the integrity of the business, its products and services, and the end-users
  • communicating and reporting on risks and mitigation actions to key stakeholders.


Defined at these levels: 2 3 4 5 6 7

Risk management: Level 1

Risk management: Level 2


Assists in collecting and reporting data to support risk management activities under routine supervision.

Contributes to maintaining documentation of risks and risk management activities.

Risk management: Level 3


Undertakes basic risk management activities.

Maintains documentation of risks, threats, vulnerabilities and mitigation actions.

Risk management: Level 4


Carries out risk management activities within a specific function, technical area or project of medium complexity.

Identifies risks and vulnerabilities, assesses their impact and probability, develops mitigation strategies and reports to the business.

Involves specialists and domain experts as necessary.

Risk management: Level 5


Plans and implements complex and substantial risk management activities within a specific function, technical area, project or programme.

Implements consistent and reliable risk management processes and reporting to key stakeholders.

Engages specialists and domain experts as necessary.

Advises on the organisation's approach to risk management.

Risk management: Level 6


Plans and manages the implementation of organisation-wide processes and procedures, tools and techniques for risk management.

Considers organisation-wide risk and mitigation activities within the context of business risk as a whole and the organisation’s appetite for risk.

Provides leadership on risk management at the organisational and business levels.

Risk management: Level 7


Establishes organisational strategy for risk management.

Defines and communicates the organisation's appetite for risk.

Provides resources to implement the organisation's risk strategy.

Delegates authority for detailed planning and execution of risk management activities across the organisation.