The global skills and competency framework for the digital world

Risk management BURM

Planning and implementing organisation-wide processes and procedures for the management of risk to the success or integrity of the enterprise.

Updates for SFIA 9

  • Theme(s) influencing the updates for this skill: Making SFIA easier to consume (enhance readability/guidance/descriptions), Making SFIA easier to consume (new levels).
  • New level 2 added to support entry-level roles.
  • Readability improvements have been made to levels 5, 6, and 7.
  • You can move to SFIA 9 when you are ready - SFIA 8 skill descriptions will still be available to use.
  • Previous SFIA assessments or skills mapping are not impacted by this change.

Guidance notes

Risk management can be applied to many enterprise functions as well as technical and engineering specialisms — such as, but not limited to, information and technology systems, operations, environmental, information and cyber-security, safety, energy supply. Risk is also explicitly referenced in many SFIA skills. 

Activities may include — but are not limited to:

  • identifying risks
  • classifying and prioritising risks — their impact and probability, and mitigation actions
  • planning, developing, and implementing organisational approaches to risk management to ensure the integrity of the business, its products and services, and the end-users
  • communicating and reporting on risks and mitigation actions to key stakeholders.

Levels of responsibility for this skill

3 4 5 6 7

Risk management: Levels 1-2

This skill is not typically observed or practiced at these levels of responsibility and accountability.

Risk management: Level 3

Undertakes basic risk management activities.

Maintains documentation of risks, threats, vulnerabilities and mitigation actions.

Risk management: Level 4

Carries out risk management activities within a specific function, technical area or project of medium complexity.

Identifies risks and vulnerabilities, assesses their impact and probability, develops mitigation strategies and reports to the business.

Involves specialists and domain experts as necessary.

Risk management: Level 5

Plans and implements complex and substantial risk management activities within a specific function, technical area, project or programme.

Implements consistent and reliable risk management processes and reporting to key stakeholders.

Engages specialists and domain experts as necessary.

Advises on the organisation's approach to risk management.

Risk management: Level 6

Plans and manages the implementation of organisation-wide processes and procedures, tools and techniques for risk management.

Considers organisation-wide risk and mitigation activities within the context of business risk as a whole and the organisation’s appetite for risk.

Provides leadership on risk management at the organisational and business levels.

Risk management: Level 7

Establishes organisational strategy for risk management.

Defines and communicates the organisation's appetite for risk.

Provides resources to implement the organisation's risk strategy.

Delegates authority for detailed planning and execution of risk management activities across the organisation.