Enterprise Risk Management Process
Enterprise Risk Management
NBIMC
440 rue King Street, Tour York Tower
Fredericton, NB E3B 5H8

Enterprise Risk Management Framework
August 2007
Updated: February 2008

Contents
I. Overview
II. Risk Management Philosophy
III. General Risk Management Activities
IV. Types of Risk
   a. Strategic Risk
   b. Investment Risk
   c. Operational Risk
V. Conclusions
Appendix A: Risk Governance Structure
Appendix B: Risk Management Outline

I. Overview

Risk is an inherent part of investing, and risk management is therefore a very important component of our business and of reaching our primary goal: to "...assist the plan sponsor in meeting the pension promise to its members."

In order to meet this pension promise, NBIMC has based its investment policies on the following two objectives:
i. Maximize investment returns, and
ii. Protect accumulated assets.

The NBIMC Board of Directors, as outlined in section 2.6 of its Terms of Reference, is responsible for understanding the principal risks facing the corporation and the systems that management has put in place to mitigate and manage those risks, as outlined in this document. While each Board Committee supports the Board's risk management oversight in areas related to its specific mandate, the Audit Committee is specifically assigned the task of assisting the Board in its oversight of risk management.

Our enterprise risk management framework has been put in place to integrate strong corporate oversight with a series of well-defined, independent risk management systems and processes within the various NBIMC business teams. The process involves the participation of the NBIMC Board, management, and external service providers. An outline of the risk governance structure is provided in Appendix A.

This document presents NBIMC's philosophy and management of risk by identifying:
• the types of risks faced by the corporation in its normal business operations, and
• which parties are accountable for monitoring each risk type, while also outlining the means and timing through which we seek to measure and manage these risks.

An overall risk review is provided through the President's Report at each quarterly Board meeting, and a more detailed review of this Risk Framework and related issues is conducted annually by the Audit Committee and subsequently by the Board.

The corporation believes that this system will contribute significantly to providing the highest long-term risk-adjusted returns possible to meet the actuarial requirements of the funds under management.

II. Risk Management Philosophy

NBIMC bases the core of its investment decision-making processes on the following Investment Beliefs:
i. NBIMC is a relatively low-risk investment manager when compared to its peers.
ii. Real Return Bonds, because of their long-term inflation-linked characteristics, are considered an excellent match for our pension liabilities.
iii. New asset classes are introduced incrementally in order to progressively gain experience and to minimize transition costs.
iv. The establishment of the appropriate asset mix for each of the funds under management is heavily influenced by both the actuarial profile and the funding status of each plan.
v. NBIMC believes that market inefficiencies present opportunities to add value through active management.

Given the importance that NBIMC places on comprehensively managing risks, each of the first four core beliefs of the corporation concerns, either directly or indirectly, the management or reduction of risk.

In general, NBIMC faces three major categories of risk related to its business activities: Strategic Risk, Investment Risk, and Operational Risk.

Risk management is a primary responsibility of the Board of Directors and is guided by a specific Board-approved Risk Management Policy. Oversight of specific risks may be delegated to one of the Board Committees, as outlined in their Committee Terms of Reference.

Board of Directors Risk Management Process

NBIMC's risk management process provides a general framework through which the corporation carries out its risk management activities, and is intended to:
i. Ensure that NBIMC takes a proactive and systematic approach to identifying and managing the risks inherent in its operations and environment;
ii. Ensure that there is agreement among NBIMC stakeholders (Board, senior management, and staff) as to its risk management priorities at any point in time;
iii. Ensure appropriate involvement by the Board and senior management in setting the above priorities.

III. General Risk Management Activities

In general, risk management is a circular process: potential risks are identified, methods to measure and manage these risks are designed and implemented, and systems are put in place to monitor the effectiveness of the original risk management systems, which in turn allows new potential risks to be identified.

Risk management at NBIMC is based on several principles and assumptions designed to ensure that the Corporation takes a "proactive and systematic" approach to managing risk. Specifically, the Corporation believes, through its Risk Management Policy, that:
i. Risk management is an input into, rather than a substitute for, the business planning process.
ii. Establishing a risk framework is a necessary prerequisite to meaningful discussions on risk by NBIMC fiduciaries.
iii. Due to its detailed understanding of the operations of the Corporation, management should play a leading role in identifying the primary risks of the corporation. The role of the Board is to provide input into, and ultimately approve, the risk management priorities identified by management, and to ensure that management then develops a business plan and budget for addressing the risk priorities.
iv. Risk should be defined broadly enough to encompass all major aspects of the Corporation, including such areas as Investments, Administration, Human Resources, and Technology.
v. No risk framework can be expected to identify or address every conceivable risk. It is important, therefore, that once adopted, the risk management framework be continually refined and updated to reflect new risks once they are identified.
vi. At any point in time, the risks that can be identified will exceed the Corporation's capacity to address them. Resources must therefore be focused on those risks that are deemed to be the most critical.

NBIMC manages risk through a number of processes: investment risk is measured and managed within various systems from both a policy perspective and an active management/relative return perspective, while operational risks are managed through the activities of various committees and policies. The following section provides details on the specific functioning of the risk systems, controls and responsibilities, with an emphasis on explaining the rationale for their existence, the techniques by which they operate, and the information they provide to senior management and the Board to aid in risk management decision making.

IV. Types of Risk

NBIMC has identified three main categories of risk related to its business activities.
Within these categories we have also subdivided a number of specific risk areas, assigned specific monitoring and control responsibilities for each, and set out the specific measures used to fulfil them.

The following chart summarizes each of the three main risk categories and their respective specific risk elements:

Strategic Risk: Governance; Business Strategy; Fiduciary; Business Environment; Reputational; External Communication
Investment Risk: Investment
Operational Risk: Legal, Regulatory, and Policy Compliance; Operations; Technology; Human Resources

The following section gives a more detailed description of each risk category and of each specific risk element reviewed by the corporation. A summary of this information is provided in the table in Appendix B.

Category A: Strategic Risk

Strategic risk is the risk of not achieving the Objects and Purposes of the Corporation (its mission) as outlined in the New Brunswick Investment Management Corporation Act, within the parameters provided in the legislation. It is closely related to many of the other, shorter-term risks faced by the organization, but manifests itself over the long-term time frame under which pension investment management activities are managed. NBIMC subdivides Strategic Risk as follows:

Governance risk

This risk arises from potentially improper governance structures (including delegation of authority) between directors, senior management, and staff, leading to improper decision making in the Corporation. Good governance processes that set out key responsibility and accountability areas are a key part of overall risk management.

Responsibility
The NBIMC Act and By-Laws outline the governance responsibilities of the Corporation as well as related reporting obligations.
The Board of Directors has set out a series of Board Policies that must be followed, of which first and foremost are the Investment Policies for each fund under management. The Board and each Board Committee also have Terms of Reference that outline their respective responsibilities.
NBIMC management has developed an extensive Administration Manual and Investment Procedures Manual that outline specific operational responsibilities and authorities. All staff members also have position descriptions that outline their specific responsibilities.

Measures
The Governance Committee of the Board of Directors oversees and coordinates the governance responsibilities of the organization.
The Board of Directors and the Board Committees meet at least quarterly. The Corporation is also scheduled to appear annually before the Crown Corporations Committee of the Legislature.

Business strategy risk

The risk of not developing, executing, or monitoring the business activities of the corporation so as to achieve the mission of the Corporation.

Responsibility
The Board of Directors and management participate in creating a five-year strategic plan for the organization and review it on an annual basis.
Management develops an annual business plan that is reviewed with the Board of Directors near the start of each fiscal year. Progress against the plan is reviewed by the Board periodically throughout the year, and in measuring overall performance at year-end.

Measures
Quarterly Board meetings and annual Strategic Plan review sessions (Board and Management).

Fiduciary risk

The risk that the fiduciary responsibilities NBIMC carries by virtue of its investment management and trustee roles are not fully respected or executed.

Responsibility
The Board of Directors acts in a fiduciary capacity and does not represent any specific constituency. Its focus is therefore solely on the best interest of the funds under management. The Board is responsible for approving governing Policies and also a Code of Ethics and Business Conduct that governs the ethical affairs of the corporation. Management is responsible for setting out administrative and procedural guidelines.

Measures
Directors and employees annually acknowledge their understanding of, and compliance with, the Code of Ethics and Business Conduct. Management maintains a corporate Administration Manual, and an Investment Risk Management Committee meets on an ad hoc basis to consider changes to the Investment Procedures Manual.
NBIMC has also set out a clear segregation of duties between the investment operations activity and the accounting and performance measurement activities of the corporation.

Business environment risk

The risk that NBIMC is not continuously anticipating, monitoring, understanding, or reacting to external changes in the business environment in which NBIMC operates.

Responsibility
Management and staff are primarily responsible for keeping abreast of industry developments through media reports, legislative pronouncements, and ongoing communication with both peers and suppliers.

Measures
The Corporation is an active participant in a number of industry-related associations such as the Pension Investment Association of Canada (PIAC) and the Canadian Coalition for Good Governance (CCGG). Management also actively participates in a number of global industry conferences, which not only provide up-to-date information on emerging industry issues but also provide good networking opportunities with personnel from peer institutional investment organizations.
A number of employees are also members of professional associations such as the CFA Institute and the CA and CGA organizations.

Reputational risk

The risk of damage to our reputation, image, or credibility as a prudent and effective investment manager due to internal or external factors.

Responsibility
The Board and the Government of New Brunswick (as key stakeholder) have instituted a number of oversight and audit relationships that provide third-party assurance supporting the corporation's reputation.

Measures
The Government, as plan sponsor, appoints an Actuary to review the funding position and investment assumptions for the funds under management. The Auditor General for the Province has also reviewed the corporation's activities from time to time.
The Board, through its Audit Committee, annually appoints both an external and an internal audit firm to review and advise on various corporate activities.

External communication risk

The risk of not effectively communicating the governance structure, strategic plan, operational activities, and performance of the corporation to stakeholders.

Responsibility
The Chairperson of the Board and the President are responsible for all official communication activities.

Measures
The NBIMC Act sets out specific communication requirements for the Corporation, which include the provision of an annual budget and the submission of an annual report including an auditor's report.
The corporation has undertaken to provide a number of other communication activities, which are outlined in further detail in Appendix B.

Category B: Investment Risk

The risk that investments are not made in accordance with NBIMC's mission and do not achieve the long-term return on investments required by the Plan Sponsor for the funds under management.

Responsibility
The Board of Directors is responsible for the Investment Policy of the funds under management. This policy sets out the benchmark portfolio asset weights, permitted asset weight deviations from the benchmark, performance benchmarks, permissible investments, and performance evaluation metrics.
Management is responsible for developing and managing the underlying investment strategy and program, which operates within the Board-approved guidelines. This program is outlined in an Investment Procedures Manual. An Investment Risk Management Committee, made up of representatives from both the investment and administration teams, reviews any changes to investment strategies before they are included in the Procedures Manual.

There are a number of significant areas of investment-related risk, which are outlined in more detail below:

Asset-Liability Mismatch (ALM)

Investments are made to support the pension obligations of each fund. ALM risk refers to the risk that the investment portfolio held for a particular fund will be insufficient to meet the obligations set out by that fund's specific pension obligation.

Measures
Each fund undergoes an actuarial valuation, as determined by the Plan Sponsor, at a minimum of every three years. The Board determines an appropriate asset mix that is believed to best meet the future pension obligations of each fund. Funding status estimates are monitored by the Board on a quarterly basis between valuation dates.
Management assists the Board's decision by undertaking an asset-liability study, which attempts to identify the most efficient mix of financial assets that will meet or exceed the Sponsor's required funding rate with the least amount of risk. Management has also developed a Policy Asset Mix Capital-at-Risk (PAM CaR) process that estimates and monitors the risk between the actual asset mix and the pension liability estimate.
This calculation estimates the maximum change in the value of the Fund's funding position that would be expected at a 95 percent confidence level over a one-year period. The report is distributed weekly to the Board Chair and to the members of the Investment Risk Management Committee.

Active Management

Active risk, also known as relative return risk, is the risk that actual investment returns fall short of the pre-specified benchmark portfolio, resulting in under-performance versus the returns that would have been obtained from passive management.

Measures
The Board-approved Investment Policies set out the expected return and the value-added objectives in excess of those achieved by a passive management approach.
Management uses a risk budgeting approach to active management, which links the amount of active risk taken to the overall active return target.
Management has also developed a Capital-at-Risk (CaR) process that estimates and monitors the risk of the active value-added investment activities conducted by the investment staff. This calculation estimates the maximum change in the value added relative to the benchmark that would be expected at a 95 percent confidence level over a one-year period. This calculation is distributed weekly to the Board Chair and to the members of the Investment Risk Management Committee.

Market Risk

Market risk is broadly defined as the risk of a change in the value at which an investment portfolio could be sold, due to the exposure of the portfolio to certain underlying variables. This risk is commonly taken to mean the risk of an adverse change, that is, the risk that the value of a portfolio will decline.
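The weekly PAM CaR and active CaR figures described above (the same PAM CaR process is the management control for market risk below) are both Capital-at-Risk numbers: the largest one-year fall in a surplus that is expected not to be exceeded at 95 percent confidence, where the surplus is assets minus the pension liability for PAM CaR and assets minus the policy benchmark for active CaR. The following Python is an added illustration of how such a figure is computed; it is not NBIMC's own model, whose details this framework does not publish. It assumes ten years of annual returns for the portfolio, the liability and the benchmark (all constructed for the example) and a fund value of 1000, and shows a parametric (normal-distribution) estimate next to a distribution-free historical-quantile estimate.

```python
"""Capital-at-Risk (CaR) at 95 percent confidence over a one-year horizon.

Added illustration; not NBIMC's own model. PAM CaR compares the actual asset
mix with the pension liability, active CaR compares actual returns with the
policy benchmark. Both ask the same question: what is the largest one-year
fall in a surplus (assets minus a reference) that we expect not to be
exceeded 95 percent of the time? Two standard estimators are shown.
"""
import math
import statistics
from typing import Sequence

Z_95 = 1.6449  # one-sided 95% quantile of the standard normal distribution


def surplus_returns(asset: Sequence[float], reference: Sequence[float]) -> list:
    """Year-by-year surplus return: asset return minus reference return
    (liability for PAM CaR, benchmark for active CaR)."""
    if len(asset) != len(reference):
        raise ValueError("series must cover the same years")
    return [a - r for a, r in zip(asset, reference)]


def parametric_car(value: float, surplus: Sequence[float], z: float = Z_95) -> float:
    """Normal-model CaR. With mean mu and sample standard deviation sigma of the
    surplus returns, mu - z*sigma is the 5th-percentile surplus return; the CaR
    is that loss scaled to the fund value (negative if even the 5th percentile
    is a gain)."""
    if len(surplus) < 2:
        raise ValueError("need at least two observations")
    mu = statistics.fmean(surplus)
    sigma = statistics.stdev(surplus)
    return value * (z * sigma - mu)


def empirical_quantile(xs: Sequence[float], q: float) -> float:
    """Quantile by linear interpolation between order statistics
    (the same convention as numpy.quantile's default)."""
    if not xs or not 0.0 <= q <= 1.0:
        raise ValueError("need data and 0 <= q <= 1")
    s = sorted(xs)
    pos = (len(s) - 1) * q
    lo = math.floor(pos)
    hi = min(lo + 1, len(s) - 1)
    return s[lo] + (pos - lo) * (s[hi] - s[lo])


def historical_car(value: float, surplus: Sequence[float],
                   confidence: float = 0.95) -> float:
    """Distribution-free CaR: the (1 - confidence) empirical quantile of the
    observed surplus returns, scaled to the fund value."""
    return -value * empirical_quantile(surplus, 1.0 - confidence)


# Constructed ten-year annual return history (assumption; not NBIMC data).
FUND_VALUE = 1000.0  # e.g. millions of dollars
LIABILITY = [0.05, 0.08, 0.04, 0.03, 0.12, 0.02, 0.06, 0.07, 0.01, 0.04]
PORTFOLIO = [0.09, 0.02, 0.06, 0.11, 0.01, 0.07, 0.07, 0.04, 0.08, 0.07]
BENCHMARK = [0.06, 0.05, 0.04, 0.13, -0.01, 0.09, 0.06, 0.05, 0.08, 0.07]


def pam_car_report() -> dict:
    """PAM CaR: actual portfolio against the liability estimate."""
    s = surplus_returns(PORTFOLIO, LIABILITY)
    return {"parametric": parametric_car(FUND_VALUE, s),
            "historical": historical_car(FUND_VALUE, s)}


def active_car_report() -> dict:
    """Active CaR: actual portfolio against the policy benchmark."""
    s = surplus_returns(PORTFOLIO, BENCHMARK)
    return {"parametric": parametric_car(FUND_VALUE, s),
            "historical": historical_car(FUND_VALUE, s)}


if __name__ == "__main__":
    for name, rep in (("PAM CaR", pam_car_report()),
                      ("Active CaR", active_car_report())):
        print(f"{name}: parametric {rep['parametric']:.1f}, "
              f"historical {rep['historical']:.1f}")
```

Two caveats a reader of such a weekly report should keep in mind. First, a 95 percent one-year CaR is not a maximum loss: by construction the surplus is expected to fall by more than this figure in roughly one year in twenty, and the figure says nothing about how much worse that year can be. Second, ten annual observations cannot resolve a 5th percentile; the historical estimate above is an interpolation between the two worst years, which is why such figures are in practice computed from higher-frequency returns scaled to the horizon, or from a parametric model as in the first estimator.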
NBIMC faces market risk in virtually all of its investment portfolios, although the fundamental drivers of this risk tend to be unique, depending on the composition of the portfolio.

Measures
The Board-approved Investment Policies are developed in the context of providing a diversified portfolio of assets that will provide protection against a significant adverse change in any specific asset class.
Management monitors market risk through the weekly PAM CaR process mentioned earlier.

Benchmark Risk

The risk that the benchmarks used to evaluate investment performance do not appropriately reflect the underlying portfolio.

Measures
The Investment Policies set out by the Board approve the appropriate benchmarks for each investment asset class. These benchmarks are typically standards set by the institutional investment industry and correspond closely to those used by peer organizations.

Credit Risk

Credit risk is defined as the risk that a specific counterparty will not meet its financial obligations as set out in a previously agreed contract. Credit risk arises from numerous activities, including holding investments in a specific entity that require scheduled repayment, as well as entering into derivatives transactions with various counterparties (banks and investment dealers). Credit risk can manifest itself through changes in the market value of a security or obligation, and is generally measured through procedures that attempt to model the probability of default and/or the resulting loss.

Measures
The Investment Policies set out by the Board provide limits in terms of permissible investments and credit quality requirements for a number of investment alternatives.
Management monitors this exposure through a monthly Counterparty Credit Exposure reporting process.

Liquidity Risk

Liquidity risk is the risk that an investment position cannot be unwound or offset in the financial markets in a timely fashion without incurring significant losses. An occurrence of this type could leave NBIMC unable to meet payment obligations as they become due because of an inability to liquidate assets.

Measures
The Board-approved Investment Policies are developed with consideration of the near-term periodic cash flow requirements of each pension fund. Credit risk mitigation also ensures that investments are made in higher-quality assets, which tend to be more liquid in terms of transaction availability. Liquidity risk is also mitigated through the actions of a Trade Management Oversight Committee, which is composed of senior NBIMC investment staff.

Category C: Operational Risk

Operational risk is generally considered to include all risks not arising out of the investment or business strategy decisions of the firm. It concerns the risks arising from a loss of effectiveness or efficiency in the corporation because of its reliance on specialized internal processes.

NBIMC has subdivided operational risk as follows:

Legal, regulatory, and policy compliance risk

The risk of loss from illegal or inappropriate business practices or activities by the Corporation or its employees.

Responsibility
The Board of Directors, or a Board Committee, is responsible for monitoring the Corporation's legal, regulatory, and policy compliance. The Governance Committee of the Board is responsible for oversight of the NBIMC Code of Ethics and Business Conduct. The Audit Committee is responsible for oversight of the Corporation's financial reporting process.
Senior management is responsible for the accuracy and completeness of the financial reporting prepared by the Corporation.

Measures
The Board of Directors engages two independent accounting firms to act as external and internal auditors of NBIMC's financial reporting and activities.
Senior management reports to the Board quarterly with respect to Investment Policy compliance. It also presents quarterly financial statements to the Audit Committee and the Board for review.
Management, in conjunction with the Investment Finance and Corporate Services team, also monitors and reports on NBIMC's compliance with both the Investment Policy and the Investment Procedures Manual guidelines on a weekly basis.

Operational risk

The risk of direct or indirect loss resulting from inadequate or failed internal operational processes.

Responsibility
Management is responsible for ensuring operational efficiency.

Measures
The corporation has developed both a comprehensive Administration Manual and a Business Continuity Plan in order to standardize operational processes and to enable an efficient continuity plan in the event of adverse events.
Management has delineated a clear segregation of duties with respect to transaction initiation, authorization, and recording activities. Banking authorities and limits are also clearly set out.
Each employee position has a specific job description, and cross-training is used extensively to provide back-up support. The corporation also has a mandatory vacation policy, so that each position's duties are periodically performed by someone other than the incumbent.
The Internal Auditor for the corporation also performs ad hoc audit work in this area.

Technology Risk

NBIMC relies significantly on management information systems and communication technology. It is therefore exposed to the potential for material direct or indirect loss resulting from inadequate or failed information technology.

Responsibility
Management is responsible for ensuring technological operational efficiency.

Measures
As noted above, the corporation has developed both a comprehensive Administration Manual and a Business Continuity Plan. Management uses an Information Technology Risk Management Committee to help oversee and develop related initiatives throughout the corporation.

Human Resources Risk

The risk of loss resulting from inadequate or failed internal human resource performance, and from business practices that are inconsistent with generally accepted HR laws and practices.

Responsibility
The Human Resources and Compensation Committee of the Board is responsible for oversight of the Corporation's human resource policies.
Senior management is responsible for effective human resource activities, with the help of a Human Resources Coordinator position. This includes the development of job descriptions for each employee, training and development activities, and annual performance reviews.

Measures
The Human Resources and Compensation Committee has developed a Compensation Philosophy for the corporation. It annually reviews the competitive compensation landscape against a group of peer institutional pension fund managers, and periodically retains the services of an external consultant to provide advice in this regard. The Committee also annually reviews and advises on management's succession plan for key staff positions.
Management maintains all human resource policies and procedures in the corporation's Administration Manual.

V. Conclusion

This document has presented a summary of NBIMC's philosophy on the management of risk, discussed the risks to which the Corporation is exposed in the normal course of operations, and provided a brief overview of the investment risk management procedures currently employed by the corporation to aid managerial decision making.

NBIMC attempts to take an integrated view of the management of risk, and uses the tools and processes available to it in various situations, such as quantitative tools for objective investment risks and qualitative assessments for other risks such as operational risks.

Risk management is, as mentioned, a circular process.
The undertaking of risk management procedures often leads to the identification of previously unidentified sources of risk. For this reason, this document is expected to be a living document, and will be continually updated as NBIMC updates its risk management beliefs, objectives, and processes.

Appendix A: Risk Governance Structure

[Diagram: the Enterprise Risk Management Framework as the interaction of the Board of Directors and its Committees, Management and its Committees, Plan Sponsor Relationships, and External Service Providers.]

Appendix B: Risk Management Outline

Core Risk / Detailed Risk / NBIMC Process and Responsibility

STRATEGIC
Governance *: NBIMC Act, By-Laws, Board Policy, Management Procedures, Annual Crown Corporations Committee Appearance, Quarterly Board Governance Committee
Business Strategy *: Strategic Plan (5-year cycle), Annual Business Planning Process, Regular Board Meetings
Fiduciary: Administration Manual, Procedures Manual, Code of Ethics (Annual Acknowledgement)
Business Environment: Senior Management Monitoring, Industry Association Involvement
Reputational *: PNB Actuary Interaction, PNB Auditor General Interaction, External and Internal Audit Relationships
External Communications *: Centralized with President, Audit Committee Approves Ad-Hoc Press Releases, Annual Report, PSSA Consultation Committee Involvement, NBTA Pension Committee Involvement, Annual Crown Corporations Committee Appearance, Annual PNB Board of Management Budget Discussion, Quarterly PNB Board of Management Performance Discussion

INVESTMENT
Investment *: Asset-Liability Studies (on receipt of actuarial analysis), Investment Policies (Board Approved), Investment Risk Management Committee, Weekly Relative and Nominal Risk Reports (CaR, PAM CaR), Monthly Counterparty Credit Exposure Report, Key Vendor Selection Policy (Board Approved), Trade Management Oversight Committee (TMOC)

OPERATIONAL
Legal, Regulatory, and Policy Compliance *: Regular Board Meetings (President's Report), Quarterly Board Audit Committee, Weekly Internal Compliance Reports (Independent Team), Annual External Audit, Internal Audit Projects (external company)
Operational: Administration Manual, Business Resumption Plan (external consultant)
Technology *: IT Risk Management Committee, Business Continuity Plan (external consultant)
Human Resources *: Board Human Resources and Compensation Committee, Annual Succession Plan, Administration Manual, Compensation Philosophy, Peer Institutional Manager Compensation Survey participation and external consultant reviews
The Practice of Enterprise Risk Management

With the rapid development of the economy and the continuing advance of globalization, enterprises face an increasing number of risks and challenges. Enterprise risk management has therefore become an indispensable part of enterprise management. This article discusses the definition, importance and practical methods of enterprise risk management.

I. Definition of enterprise risk management

Enterprise risk management, abbreviated ERM (Enterprise Risk Management), is a comprehensive management system through which an enterprise, in the course of its business activities, identifies, assesses, responds to and monitors the various risks that could threaten the achievement of its objectives, so as to manage and control them effectively.

II. The importance of enterprise risk management

1. Safeguarding sustainable operation: risk cannot be avoided, but through risk management an enterprise can detect and respond to potential problems in time, reduce the losses that risks cause, and ensure that it can keep operating.
2. Enhancing enterprise value: effective risk management raises the value of the enterprise, reduces the risk that investors perceive, and strengthens the enterprise's credibility and market competitiveness.
3. Meeting legal, regulatory and supervisory requirements: as legal and regulatory requirements keep rising, enterprises need to establish a compliant and sustainable risk management system to satisfy regulators.

III. Practical methods of enterprise risk management

1. Risk identification and classification: the enterprise should collect and analyse information of all kinds, identify potential risks and classify them, so that risk management is comprehensive and systematic.
2. Risk assessment and analysis: assess and analyse the identified risks, estimating the probability and degree of impact of each, determine each risk's priority, and formulate corresponding response strategies.
3. Risk response and control: based on the assessment results, formulate risk management strategies and control measures that reduce the probability and impact of risks and safeguard normal operations.
4. Risk monitoring and feedback: establish an effective risk monitoring mechanism, monitor risks and collect feedback regularly, and adjust and improve in light of actual conditions so that risk management remains effective and timely.

IV. Challenges and countermeasures

1. Changes in the internal and external environment: a rapidly changing market and changing policies and regulations place higher demands on enterprise risk management; the enterprise must keep learning and adapting, staying flexible and agile.
2. Organizational culture and awareness: enterprise risk management requires participation and support from all staff; the enterprise therefore needs to foster risk awareness, build a shared risk management culture, and strengthen employee training and education.
ERM: Definition of Terms

Enterprise Risk Management (ERM) is a systematic, comprehensive approach to identifying, assessing and managing the various risks an enterprise faces. It aims to help the enterprise formulate and implement risk management strategies that minimize the impact of risk on its objectives while improving performance and the capacity for sustainable development.

1. Definition and importance of risk management

Risk management means identifying, assessing and responding to potential risks through a set of measures. It aims to help the enterprise reduce the negative effects of various uncertainties and create a more stable and sustainable operating environment. Risk management is often regarded as one of the core elements of corporate governance; it can help an enterprise improve operating efficiency, comply with regulations, and gain an advantage in a highly competitive environment.

2. Core components of ERM

ERM comprises a set of interrelated core components that together form a complete risk management framework. They are as follows:

2.1 Risk identification and assessment

The first step of ERM is to identify and assess the various risks the enterprise faces. These include internal risks (such as management risk and operational risk), external risks (such as market risk and economic risk) and strategic risks (such as an uncertain business environment or the rise of new technologies). By identifying and assessing risks, the enterprise can better understand its potential threats and opportunities and formulate corresponding response strategies.

2.2 Formulating risk management strategies

After identifying and assessing risks, the enterprise needs to formulate corresponding risk management strategies. This requires determining appropriate control measures according to the importance and priority of each risk. Common risk management strategies include risk avoidance, risk transfer, risk reduction and risk acceptance. By formulating effective risk management strategies the enterprise can respond to risks better and reduce potential losses.

2.3 Risk monitoring and control

Risk monitoring and control is a key part of ERM; it involves monitoring how risk is being managed in practice and taking the measures necessary to ensure that risks are effectively controlled. This includes establishing a risk monitoring system, formulating risk control policies and procedures, and strengthening internal controls. Through risk monitoring and control the enterprise can detect and respond to risks in time and prevent them from escalating into crises.

2.4 Risk disclosure and reporting

Risk disclosure and reporting is an important part of ERM; it involves providing internal and external stakeholders with timely and accurate information about the enterprise's risk management. Such disclosure and reporting helps improve transparency, trust and the capacity for sustainable development, and is also a compliance requirement.
Enterprise Risk Management (ERM) Lecture Notes

I. What is enterprise risk management (ERM)?

Enterprise Risk Management (ERM) is a systematic approach to assessing, managing and controlling the various risks an enterprise faces. By carrying out ERM, an enterprise can better identify, evaluate and counter risks, protecting its interests and improving its performance.

II. Core principles of ERM

1. Comprehensiveness: ERM should cover the whole organization, including all business units and functional departments.
2. Integration: ERM needs to consider internal and external risks together and connect them to the enterprise's strategic objectives and business operations.
3. Risk identification and assessment: ERM needs to pin down the source, potential impact and probability of each risk so that appropriate risk management measures can be taken.
4. Risk response and control: ERM needs to determine appropriate risk response strategies and control measures to reduce potential losses and maximize enterprise value.
5. Information and communication: ERM depends on the timely, accurate collection, analysis and transmission of risk information, and on ensuring that risk management measures are properly communicated and applied.

III. Basic steps of ERM

1. Identify risks: through careful assessment, pin down the internal and external risks that affect the achievement of enterprise objectives.
2. Assess risks: assess, quantitatively or qualitatively, the probability, impact and priority of each risk to determine the main risks and the focus of the response.
3. Treat risks: based on the assessment, take appropriate risk response measures, including avoidance, transfer, mitigation and acceptance.
4. Monitor risks: track and monitor the evolution of risks and the effectiveness of controls regularly, managing and adjusting dynamically.
5. Review and continuous improvement: review the execution and effectiveness of ERM regularly and improve it as needed to keep it effective and sustainable.

IV. Benefits of ERM

1. Lower risk: an ERM system helps the enterprise identify and reduce risks of all kinds, reducing potential losses and the likelihood of risk events.
2. Better decisions: through comprehensive risk assessment and management, ERM gives decision makers more complete and accurate information, improving the quality and effect of decisions.
3. Better resource allocation: ERM helps the enterprise allocate resources sensibly, focusing on the most critical risks and improving resource efficiency and performance.
4. Stronger reputation and trust: through active risk management an enterprise strengthens its reputation and trustworthiness, increasing its attractiveness and competitiveness.
First Comprehensive Analysis of the Official 2017 COSO Enterprise Risk Management Framework (essentials, collector's edition)

On the evening of 6 September 2017 (the morning of 6 September, US time), the updated COSO Enterprise Risk Management Framework, long awaited by the global risk management profession, was officially released, almost a year after the close of the global comment period on 30 September 2016. During this process the author kept in close communication with COSO Chairman Mr. Hirth. Seeing how greatly the new framework in the executive summary differed from the exposure draft, the author roughly understood why the official version had been so long in coming: COSO must have gone through a great deal of internal discussion, disagreement, compromise and persistence. Early on 7 September the author obtained the official COSO Enterprise Risk Management Framework, 201 pages in all, which should be the first full official copy in China. Its Appendix B records the consideration of more than 1,600 comments, the handling of many dissenting views, and more than 40 workshops during the finalisation process, confirming the author's earlier guess. For the exposure draft COSO issued in 2016, the author translated its essentials last December and published an interpretation of the draft (see the earlier article on this public account).

The public can download the following introductory documents free of charge from the COSO website (): 1. Enterprise Risk Management Framework - Executive Summary; 2. Enterprise Risk Management Framework - Frequently Asked Questions; 3. COSO's press release announcing the official Enterprise Risk Management Framework.

Below, we analyse and introduce the background and main content of the official Enterprise Risk Management Framework.

I. Similarities and differences between the official 2017 (second edition) Enterprise Risk Management Framework and the 2004 Enterprise Risk Management - Integrated Framework

More than ten years have passed since the 2004 framework was published; over that time the complexity of risk has changed significantly, and as the environment and technology keep evolving, new risks keep emerging. Against this background COSO launched its first revision of the risk management framework in 2014. The main changes in the new version are: the title and the way the framework is presented were changed; a structure of components and principles was applied; the definition of enterprise risk management was simplified; the link between risk and value was emphasized; the focus of the integrated ERM framework was re-examined; the place of culture in risk management was examined; the discussion of strategy-related topics was expanded; the synergy between performance and ERM was strengthened; ERM's support for more explicit decision making was reflected; the relationship between ERM and internal control was clarified; and the concepts of risk appetite and risk tolerance were refined.
The Essence of Enterprise Risk Management

Enterprise Risk Management (ERM) refers to the set of activities an enterprise undertakes to forecast, assess, control and respond to risk in order to cope with environmental change and protect its interests. Its essence is, in modern business operation, to proactively identify, measure, monitor and respond effectively to all kinds of risk so as to safeguard the achievement of enterprise objectives. It is an important component of enterprise strategic management that helps the enterprise avoid potential operational obstacles, improve performance and strengthen competitiveness.

I. The importance of risk awareness

The essence of enterprise risk management is establishing risk awareness, bringing risk identification, assessment and control into every level of enterprise decision making. The importance of risk awareness shows mainly in the following respects:
1. Protecting enterprise interests: risk management helps the enterprise forecast and identify potential risks and take measures to reduce the losses they cause, protecting its interests.
2. Improving decision quality: risk management provides risk information and data analysis that help the enterprise make decisions scientifically, reducing subjective guesswork and blind decisions.
3. Strengthening competitiveness: through risk management the enterprise can better cope with market competition and seize opportunities, providing solid support for sustainable development.

II. Core elements of enterprise risk management

The core elements of enterprise risk management are risk awareness, risk assessment, risk control and risk response. Each element is described below.
1. Risk awareness: the enterprise must first have a clear understanding of risk, knowing the potential impact and possible consequences of each kind of risk for the enterprise.
2. Risk assessment: through qualitative and quantitative analysis, assess the likelihood and severity of each kind of risk and determine the key risks.
3. Risk control: based on the assessment, take measures to control risk, including avoiding, transferring, mitigating or accepting it.
4. Risk response: for potential risks and those that have already materialized, formulate response strategies and contingency plans, respond to risk events promptly and reduce losses.

III. Implementation steps

The steps of implementing enterprise risk management can be summarized as risk identification, risk assessment, risk control and risk monitoring.
1. Risk identification: the enterprise must identify risks of all kinds comprehensively, including strategic, market, operational and financial risk, and find the sources of potential risk by analysing the internal and external environment.
2. Risk assessment: assess the identified risks, analysing their likelihood, impact and related factors, and determine their priority and response strategy.
Overview of Establishing the Whole-Process Risk Management Model

Enterprise-wide risk management is whole-process risk management that runs from the setting of strategic objectives to their achievement. It is a complex system and a dynamic process, carried out by all staff, that includes establishing and maintaining the enterprise-wide risk management system, executing the general procedures of enterprise-wide risk management at the enterprise level and at the level of each process, and managing all significant risks in order to achieve the objectives of enterprise-wide risk management.

The whole-process risk management model uses systematic, dynamic methods to control risk within processes, reducing the uncertainty in them. It not only makes managers at every level risk-aware, attentive to risk issues and prepared in advance, but also implements effective risk control at every stage and in every aspect, forming a coherent end-to-end management process that keeps the effects of market uncertainty and change within an acceptable range while the enterprise pursues its future strategic objectives.

Faced with complex and varied risks, an enterprise that wants to maximize value and develop sustainably must attend not only to risks outside the enterprise but, more importantly, must manage and control risk at the level of its internal business processes. Business process risk management draws on the ideas and tools of business process reengineering (BPR) and uses comprehensive, effective methods to strengthen the analysis and execution of organizational strategy, standardize and refine business operations, focus on customers, the market and the value-realization process, improve the enterprise's internal and external responsiveness, lower operating costs, transmit performance pressure, make full use of information technology and achieve continuous organizational improvement.

An enterprise's operation consists precisely of a series of business processes; these processes answer what must be done to achieve the enterprise's strategic objectives and how it is done. Enterprise risk management must therefore start from these processes, embedding the methods and ideas of risk management in every step of the business process, coupling them to a degree with the enterprise's existing management framework, and building an explicit model of process risk management, so that enterprise risk management is effectively put into practice.

I. The three stages of enterprise process risk management

No single business activity creates value for the customer; only a series of activities placed within an overall framework can do so. Process risk management is a systematic management method centred on building standardized, end-to-end, excellent business processes, with the aim of continuously improving the organization's business performance. Put more deeply, business processes are the core of enterprise operation: they determine how the enterprise's people, finances, materials and other resources are organized and how efficiently they operate, and ultimately determine the enterprise's ability to serve customers and earn revenue. Process risk management is the systematic, sustained work of consciously recognizing, describing, studying, designing and improving those processes.
Enterprise risk management

Enterprise risk management (ERM) refers to the comprehensive management approach and system by which an enterprise responds to all kinds of risk, using risk assessment, risk governance, risk monitoring and other means to ensure that it keeps operating in an uncertain environment and achieves its strategic objectives.
ERM is especially important in today's complex and changeable business environment. The concept, importance and main steps of ERM are introduced below.

I. Concept
ERM is a comprehensive management approach that covers not only traditional risks (such as financial and market risk) but also strategic, compliance, operational and other kinds of risk.
By establishing an effective risk management framework and system, ERM brings risk management into every link of daily operations so that risks of all kinds are identified, assessed and responded to in good time.

II. Importance
The importance of ERM shows in the following respects:
1. Better decision quality: by identifying and assessing risks, the enterprise can predict the risks it may face more accurately and prepare countermeasures, improving the precision and effectiveness of its decisions.
2. Protection of enterprise value: ERM helps protect the enterprise's assets and value and reduces losses and uncertainty. It helps the enterprise build mechanisms for adapting to change and softens the impact of operating risk on the enterprise.
3. Stronger competitiveness: by managing risk proactively, the enterprise can seize opportunities, avoid potential threats and improve its competitiveness and capacity for sustainable development.
4. Compliance: enterprises face ever more legal and regulatory requirements; risk management helps them operate in compliance and lowers the likelihood of legal risk and fines.

III. Main steps
ERM comprises the following main steps:
1. Risk identification: analyse the enterprise's internal and external environment to identify the risks that could affect it, including strategic, market and operational risk.
2. Risk assessment: assess the identified risks, including their probability and degree of impact, to set priorities and the focus of management.
3. Risk response: based on the assessment, formulate risk management strategies and plans, including risk avoidance, risk transfer, risk reduction and risk acceptance.
4. Risk monitoring: establish a monitoring mechanism to track and evaluate the effectiveness of risk management and adjust measures in good time.
5. Continuous improvement: risk management is an ongoing process; the enterprise should keep drawing lessons from experience, improve its risk management methods and keep them aligned with its strategy and objectives.
Enterprise risk management (PPT full text)

Problems in risk management at Chinese enterprises today
II. Excessive attention to internal-control detail while enterprise risk management is neglected
Enterprises put their main effort into every small, trivial control. For example, some companies' travel expense reimbursement rules run to dozens of pages and are extremely cumbersome; on the surface control looks good, but a great deal of management resource is wasted and the enterprise's major risks are overlooked.
III. Emphasis on designing internal controls while neglecting how well they are executed, leaving the enterprise exposed to enormous risk
Foreword
Enterprise risk management (ERM) is a systematic approach to understanding and managing the various risks an enterprise faces. Risk management is a comprehensive management function for evaluating and handling the risks an organisation faces.

Contents
01 Types of enterprise risk
02 Risk management procedures
... fields, and is particularly valuable in risk assessment, optimisation problems and system modelling. Its advantage is that it can handle complex, highly stochastic problems and provide relatively accurate approximate solutions.

Key risk indicator management
A risk event may have many causes, but usually only a few of them are key. Key risk indicator (KRI) management is the method of managing the indicators of the key causes that give rise to risk events.
KRI management helps the organisation identify, assess and manage its key risks so that risk is effectively controlled and stays consistent with the organisation's objectives and strategy. It provides a quantitative, systematic approach that helps management make informed decisions and raises the organisation's risk management capability.
Organisational operating structure
Board of supervisors
Risk management department: strategy group; monitoring group
Operation (dynamic):
- the risk reporting path is independent
- the path for executing risk decisions is merged with the path for day-to-day operating decisions
Organisation (static):
- board of directors
- risk management committee
- risk management office
- risk managers
Authorisation system:
- authority matched to responsibility
- checks and balances between positions

Risk management procedures
Enterprise Risk Management (1)
... people;
• management's philosophy and operating style; and
• the way management assigns authority and responsibility, and organizes and develops its people.
A variety of internal and external factors give rise to events. When identifying potential events, management considers the full scope of the organization. Management considers the context within which the entity operates and its risk tolerances.
• Internal Environment
• Objective Setting
• Event Identification
Four Objectives
Strategic objective added to the original three COSO objectives:
• Operations
• Reporting*
• Compliance
* Reporting is now
Risk Management - Enterprise Risk Management

Example
Between 2007 and 2016 the mean market return was 8.75% and the standard deviation was 17.11%. If a fund manager wants to be 95% certain that the return will be greater than −10% when $R_F = 2\%$, then the fund manager's beta $\beta$ must satisfy
$$-0.1 = 0.02 + \beta(0.0875 - 0.02) + N^{-1}(0.05)\,(0.1711)\,\beta,$$
where $N^{-1}(0.05) = -1.645$ is the 5% point of the standard normal distribution; the portfolio return is taken to be normal with mean $R_F + \beta(R_M - R_F)$ and standard deviation $0.1711\,\beta$. Solving gives $\beta = 0.56$.

Major Risks
Important to identify major risks and decide what action, if any, should be taken. Alternatives:
- Exit activity giving rise to risk
- Reduce probability of adverse event
- Modify plans to reduce risk
- Transfer all or part of risk
- Take no action
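The fund-manager beta calculation above, carried through in Python as an added example (this is not code from the slides): max_beta solves the same equation for any floor, confidence level and market parameters, and prob_return_above checks the answer by computing the probability directly. It assumes the slide's model, a normally distributed portfolio return with mean R_F + beta (R_M − R_F), standard deviation beta × sigma_M and no idiosyncratic risk; the function and parameter names are this example's own.

```python
"""Fund-manager beta bound: the largest beta for which the portfolio return
exceeds a floor with a given confidence, under the CAPM return model
R = R_F + beta (R_M - R_F) with normally distributed market returns and no
idiosyncratic risk.  Added example, not code from the slides; the figures in
main() are the slide's (mean 8.75%, sd 17.11%, R_F 2%, floor -10%, 95%)."""
from statistics import NormalDist


def max_beta(floor, confidence, rf, mean_market, sd_market):
    """Largest beta with P(R > floor) >= confidence.

    The lower quantile of R is rf + beta*((mean_market - rf) + z*sd_market)
    with z = N^-1(1 - confidence) < 0; setting it equal to the floor and
    solving for beta gives the bound.  The quantile must fall as beta grows,
    otherwise no finite bound exists and we refuse to guess one."""
    z = NormalDist().inv_cdf(1.0 - confidence)   # N^-1(0.05) = -1.645 for 95%
    slope = (mean_market - rf) + z * sd_market
    if slope >= 0:
        raise ValueError("quantile does not fall with beta; no finite beta bound")
    return (floor - rf) / slope


def prob_return_above(floor, beta, rf, mean_market, sd_market):
    """P(R > floor) for a portfolio of the given beta; used to check max_beta."""
    if beta < 0:
        raise ValueError("beta must be non-negative")
    mean = rf + beta * (mean_market - rf)
    if beta == 0:                       # riskless portfolio: return is exactly rf
        return 1.0 if mean > floor else 0.0
    return 1.0 - NormalDist(mean, beta * sd_market).cdf(floor)


def main():
    rf, mean_m, sd_m = 0.02, 0.0875, 0.1711
    beta = max_beta(-0.10, 0.95, rf, mean_m, sd_m)
    print(f"beta = {beta:.2f}")                                   # 0.56
    print(f"P(R > -10%) at that beta = {prob_return_above(-0.10, beta, rf, mean_m, sd_m):.3f}")
    print(f"P(R > -10%) at beta = 1:  {prob_return_above(-0.10, 1.0, rf, mean_m, sd_m):.3f}")


if __name__ == "__main__":
    main()
```

Running it reproduces the slide's 0.56 and shows that a beta of 1 would leave the manager only about 86% certain of beating −10%, which is why the constraint caps beta rather than the expected return.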
Risk Culture
- Decisions should be made in a disciplined way
- Both short-term and long-term consequences should be considered
- Sometimes decisions that are profitable in the short run can have adverse reputational and legal consequences in the long run
Examples:
Basic elements and management process of the risk management system

Enterprise-wide risk management is one of the concepts most often mentioned by the management community and by auditors in recent years.
Especially since the publication of the New Basel Capital Accord in June 2004, many media outlets have carried a large number of articles discussing it.
In fact it is not a new topic; it was earlier called enterprise-level risk management (Enterprise Risk Management).
Introducing enterprise-wide risk management will, to a degree, raise the level of risk control at Chinese enterprises.
But introducing it is long, hard work that needs the acceptance of many departments and people, and attention from senior management is essential.
It also requires some groundwork, such as capital allocation, internal funds transfer pricing and organisational design.

I. Basic elements of the risk management system
According to the Enterprise Risk Management Framework (exposure draft) published in July 2003 by COSO (the Committee of Sponsoring Organizations of the Treadway Commission), enterprise-wide risk management is a risk management process running from the setting of strategic objectives to their achievement.
It can be described simply in three dimensions: the entity's objectives, the components of enterprise-wide risk management, and the entity's organisational levels. There are four categories of objectives: strategic, operations, reporting and compliance. There are eight components: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring.
The eight components serve the four objectives; every level of the entity pursues the same four objectives; and every level must manage risk through all eight components.
An enterprise must establish a sound, reliable risk management system suited to the nature, scale and complexity of its business.
In practice the risk management system comprises the following basic elements: (1) effective oversight by the board of directors and senior management; (2) sound risk management policies and procedures; (3) sound procedures for identifying, measuring, monitoring and controlling risk; (4) sound internal control and independent external audit. Risk management should give proper consideration to the correlations between risk categories, such as market, financial, credit, liquidity, operational, legal and reputational risk, and coordinate the policies and procedures for managing each of them.
Risk management process
Classification: internal, public within the company. Document number: NTT_RSKM_FXGLGC. Version: V1.0. Huizhou Xinzhongxin Electronic Technology Development Co., Ltd.

I. Purpose and policy
The purpose of risk management (RSKM) is to identify potential problems so that activities for handling risk (identification, analysis and evaluation, and mitigation) can be planned and, where necessary, carried out throughout the project life cycle, mitigating adverse effects and achieving project objectives.
This process establishes the organisation-level risk management strategy and defines the risk parameters.
Project managers follow it during the project planning stage to identify risks, assess them and formulate mitigation measures.
Throughout the project life cycle, continuous risk management is applied to keep identifying, assessing, monitoring and mitigating risks, so that risks with critical impact are effectively resisted or mitigated.

II. Scope
Applies to the risk management process of all project types in the company.

III. Terms
None.

IV. Roles and responsibilities

V. Entry criteria
- Project start-up
- Project milestone stages

VI. Inputs
- Information from the project initiation and project planning processes
- Information from the project monitoring and control process

VII. Flowchart
The risk management process is shown in the figure (not reproduced in this extract). Effective risk management means systematically planning for, preventing and mitigating risk in order to actively minimise its effect on the project.
This includes: during project planning, working with stakeholders to identify risks early, analyse and assess their impact and formulate mitigation measures; during project monitoring and control, handling the identified risks (including implementing the mitigation plan where necessary) and continuing to identify and assess risks, formulating mitigation measures for any new ones.

VIII. Main activities
Risk management has four main activities:
- Risk identification: determine the sources of the risks that could adversely affect project schedule, cost and quality and the conditions under which they arise, and describe their characteristics and consequences. Risk identification is not done once; it should be repeated periodically throughout the project life cycle.
- Risk assessment: use the risk parameters (risk probability, risk impact, risk value, etc.) to evaluate and categorise each risk and determine its relative priority.
ACCA notes | SBL notes 10 | Risk management process
Today's notes are about the risk management process. For other risk management topics see yesterday's notes.

Risk management process
1. Risk identification
- Strategic and operational risks. Strategic risks should be identified and assessed at senior management and board or director level. Operational risks can be managed by the internal control system.
- Business risks: market risks; product risk; commodity price risk; currency risk/exchange rate risk; interest rate risk; gearing risk; political risk; legal or litigation risk; compliance risk; technology risk; economic risk; environmental risk; business probity risk; derivatives risk; liquidity risk; reputation risk; entrepreneurial risk; health and safety risks.
2. Risk assessment
- It involves evaluating the likelihood and potential impact of identified risks.
- Risk assessment is a dynamic management activity because of changes in the organisational environment and because of changes in the activities and operations of the organisation which interact with that environment.
- Risk assessment needs to be 'continuous' and 'ongoing'.
- In any given period an organisation faces many different kinds of risk, some more important than others; as a result a risk register is required.
3. Risk management
- Strategies for managing risks can be summarised as TARA (or SARA): Transference (or Sharing), Avoidance, Reduction or Acceptance.
- ALARP (as low as reasonably practicable): as risk cannot be eliminated altogether, the ALARP principle simply states that residual risk should be as low as reasonably practicable.
- Diversifying/spreading risk: risk can be reduced by diversifying into operations in different areas, such as different industries or countries.
- Embedding risk: the aim of embedding risk management is to ensure that it is 'part of the way we do business'. It can be considered at two levels: embedding risk in systems, and embedding risk in culture.
4. Risk audit
- Identifying the risks that exist within an organisation.
- Assessing those risks in terms of likelihood of occurrence and impact on the organisation should the risk actually occur.
- Reviewing the controls that are in place to prevent and/or detect the risk and assessing if they are appropriate.
- Informing the board about the risks which are outside acceptable levels or where controls over specific risks are ineffective.
General contractor project risk management system and process

English version:
1. Risk Management Policy
1.1 Purpose. The purpose of this policy is to establish a comprehensive risk management framework for the company to identify, assess, and mitigate risks associated with its projects.
1.2 Scope. This policy applies to all projects undertaken by the company, regardless of size or complexity.
1.3 Definitions.
- Risk: an uncertain event or condition that, if it occurs, can have a negative impact on a project's objectives.
- Risk management: the process of identifying, assessing, and mitigating risks to achieve project objectives.
1.4 Risk Management Process. The risk management process consists of the following steps:
- Risk identification: identifying potential risks that may impact the project.
- Risk assessment: evaluating the likelihood and impact of identified risks.
- Risk mitigation: developing and implementing strategies to reduce or eliminate the likelihood or impact of identified risks.
- Risk monitoring: monitoring identified risks and their mitigation strategies to ensure their effectiveness.
1.5 Roles and Responsibilities.
- Project manager: responsible for overall risk management on the project.
- Risk manager: assists the project manager in identifying, assessing, and mitigating risks.
- Project team: contributes to risk identification and mitigation efforts.
2. Risk Management Procedures
2.1 Risk Identification. Conduct brainstorming sessions with project team members. Review project documentation and historical data. Consult with industry experts and stakeholders.
2.2 Risk Assessment. Use qualitative or quantitative methods to evaluate risks. Consider the likelihood and impact of each risk on project objectives.
2.3 Risk Mitigation. Develop and implement strategies to reduce or eliminate the likelihood or impact of identified risks. Strategies may include risk avoidance, risk reduction, or risk transfer.
2.4 Risk Monitoring. Regularly review identified risks and their mitigation strategies. Make adjustments to mitigation strategies as needed.
3. Reporting and Communication. Report risk management findings to project stakeholders. Communicate risk management plans and mitigation strategies to the project team.

Chinese version: 1. General contractor project risk management system.
Enterprise risk management (Chinese and English)

Risk Transfer
Summary: risk transfer is a management strategy that reduces potential loss by shifting risk exposure to another entity or a third party.
Detail: risk transfer usually involves insurance, outsourcing or cooperation with other enterprises. By transferring these risks to entities better able to handle and manage them, the enterprise lowers its own risk exposure.

Risk Tolerance

Contents
• Enterprise Risk Management Organization and Processes
• Corporate risk management culture and awareness
• Case Analysis of Enterprise Risk Management

Case Three: Credit Risk Management Practice of a Certain Enterprise
This case study examines how a certain enterprise manages credit risks through effective credit policies and procedures.
Risk management information system
Data collection: collect internal and external data, including financial, market and industry data.
Data processing: clean, integrate and process the collected data to produce the information that risk management needs.
Data analysis: apply statistical analysis, machine learning and other techniques to analyse the data in depth and uncover potential risks.
Data presentation: present the results as charts, reports and so on to management and the business units to support decision-making.
Formulate risk management policies and processes, clarifying each department's responsibilities and role in risk management.
Commercial enterprise comprehensive risk management and risk control (PPT material)

Contents
04 Risk management methods

Chapter 1
① New developments in modern risk management: it covers all risks;
② Risk management is a broad, multidisciplinary function and cannot be narrowly described as the act of buying insurance.
Theory and practice of enterprise-wide risk management

Enterprise risk management (ERM) theory means taking coordinated, comprehensive risk management measures, on the basis of jointly considering the categories, sources and degree of impact of the risks an enterprise faces, so as to control enterprise risk reasonably and strengthen the enterprise's ability to create value.
The ERM framework comprises risk identification, risk assessment, risk monitoring, early warning, response and revision of measures; among these, identification and assessment are the core of ERM and the most fundamental and critical steps.
Risk identification: clarify the internal and external risk factors the enterprise faces, including personnel, financial, technological and competitive factors; classify and rank them quantitatively or qualitatively; and build a complete risk identification system as the basis for the enterprise's risk management.
Risk assessment: on the basis of the identification results, comprehensively assess the possible impact and likelihood of each risk factor.
Risk assessment can use many methods, such as error and uncertainty analysis and statistical risk analysis, to predict the risk position of different future options.
Risk monitoring: identification and assessment are not enough; the enterprise needs a dynamic risk monitoring mechanism so that it knows how risks are changing and can react in time.
Early warning and response: when a risk materialises, the enterprise needs a unified, timely and effective early-warning mechanism.
It also needs well-prepared response measures to reduce the losses caused by the risk.
The securities investment industry, being high-risk and hard to manage, should attach particular importance to ERM.
In practice, securities firms can achieve all-round risk control by establishing a risk management committee, building a diversified risk management team, improving the risk management system and applying technology.
ERM has become the cornerstone of modern enterprise risk management; securities firms should gradually adopt ERM theory and methods, strengthen their organisational structures, ensure that risk management is implemented smoothly, control risk losses and improve their capacity for sustainable development.
Enterprise risk management: foreign-language literature with Chinese-English translation (the document contains the English original and a Chinese translation)

Original text:

Risk Management

This chapter reviews and discusses the basic issues and principles of risk management, including: risk acceptability (tolerability); risk reduction and the ALARP principle; cautionary and precautionary principles. It also presents a case study showing the importance of these issues and principles in a practical management context. Before we take a closer look, let us briefly address some basic features of risk management.

The purpose of risk management is to ensure that adequate measures are taken to protect people, the environment, and assets from possible harmful consequences of the activities being undertaken, as well as to balance different concerns, in particular risks and costs. Risk management includes measures both to avoid the hazards and to reduce their potential harm. Traditionally, in industries such as nuclear, oil, and gas, risk management was based on a prescriptive regulating regime, in which detailed requirements were set with regard to the design and operation of the arrangements. This regime has gradually been replaced by a more goal-oriented regime, putting emphasis on what to achieve rather than on the means of achieving it.

Risk management is an integral aspect of a goal-oriented regime. It is acknowledged that risk cannot be eliminated but must be managed. There is nowadays an enormous drive and enthusiasm in various industries and in society as a whole to implement risk management in organizations. There are high expectations that risk management is the proper framework through which to achieve high levels of performance.

Risk management involves achieving an appropriate balance between realizing opportunities for gain and minimizing losses. It is an integral part of good management practice and an essential element of good corporate governance. It is an iterative process consisting of steps that, when undertaken in sequence, can lead to a continuous improvement in decision-making and facilitate a continuous improvement in performance.

To support decision-making regarding design and operation, risk analyses are carried out. They include the identification of hazards and threats, cause analyses, consequence analyses, and risk descriptions. The results are then evaluated. The totality of the analyses and the evaluations are referred to as risk assessments. Risk assessment is followed by risk treatment, which is a process involving the development and implementation of measures to modify the risk, including measures designed to avoid, reduce ("optimize"), transfer, or retain the risk. Risk transfer means sharing with another party the benefit or loss associated with a risk. It is typically effected through insurance. Risk management covers all coordinated activities in the direction and control of an organization with regard to risk.

In many enterprises, the risk management tasks are divided into three main categories: strategic risk, financial risk, and operational risk. Strategic risk includes aspects and factors that are important for the enterprise's long-term strategy and plans, for example mergers and acquisitions, technology, competition, political conditions, legislation and regulations, and labor market. Financial risk concerns the enterprise's financial situation, and includes: market risk, associated with the costs of goods and services, foreign exchange rates and securities (shares, bonds, etc.); credit risk, associated with a debtor's failure to meet its obligations in accordance with agreed terms; liquidity risk, reflecting lack of access to cash, the difficulty of selling an asset in a timely manner. Operational risk is related to conditions affecting the normal operating situation: accidental events, including failures and defects, quality deviations, natural disasters; intended acts, such as sabotage and disgruntled employees; loss of competence and key personnel; legal circumstances, associated for instance with defective contracts and liability insurance.

For an enterprise to become successful in its implementation of risk management, top management needs to be involved, and activities must be put into effect on many levels. Some important points to ensure success are: the establishment of a strategy for risk management, i.e., the principles of how the enterprise defines and implements risk management (should one simply follow the regulatory requirements (minimal requirements), or should one be the "best in the class"?); the establishment of a risk management process for the enterprise, i.e. formal processes and routines that the enterprise is to follow; the establishment of management structures, with roles and responsibilities, such that the risk analysis process becomes integrated into the organization; the implementation of analyses and support systems, such as risk analysis tools, recording systems for occurrences of various types of events, etc.; and the communication, training, and development of a risk management culture, so that the competence, understanding, and motivation level within the organization is enhanced.

Given the above fundamentals of risk management, the next step is to develop principles and a methodology that can be used in practical decision-making. This is not, however, straightforward. There are a number of challenges and here we address some of these: establishing an informative risk picture for the various decision alternatives, and using this risk picture in a decision-making context. Establishing an informative risk picture means identifying appropriate risk indices and assessments of uncertainties. Using the risk picture in a decision-making context means the definition and application of risk acceptance criteria, cost-benefit analyses and the ALARP principle, which states that risk should be reduced to a level which is as low as is reasonably practicable.

It is common to define and describe risks in terms of probabilities and expected values. This has, however, been challenged, since the probabilities and expected values can camouflage uncertainties; the assigned probabilities are conditional on a number of assumptions and suppositions, and they depend on the background knowledge. Uncertainties are often hidden in this background knowledge, and restricting attention to the assigned probabilities can camouflage factors that could produce surprising outcomes. By jumping directly into probabilities, important uncertainty aspects are easily truncated, and potential surprises may be left unconsidered.

Let us, as an example, consider the risks, seen through the eyes of a risk analyst in the 1970s, associated with future health problems for divers working on offshore petroleum projects. The analyst assigns a value to the probability that a diver would experience health problems (properly defined) during the coming 30 years due to the diving activities. Let us assume that a value of 1% was assigned, a number based on the knowledge available at that time. There were no strong indications that the divers would experience health problems, but we know today that these probabilities led to poor predictions. Many divers have experienced severe health problems (Aven and Vinnem, 2007). By restricting risk to the probability assignments alone, important aspects of uncertainty and risk are hidden. There is a lack of understanding about the underlying phenomena, and the probability assignments alone are not able to fully describe this status.

Several risk perspectives and definitions have been proposed in line with this realization. For example, Aven (2007a, 2008a) defines risk as the two-dimensional combination of events/consequences and associated uncertainties (will the events occur, and what the consequences will be). A closely related perspective is suggested by Aven and Renn (2008a), who define the risk associated with an activity as uncertainty about and severity of the consequences of the activity, where severity refers to intensity, size, extension, scope and other potential measures of magnitude with respect to something that humans value (lives, the environment, money, etc.). Losses and gains, expressed for example in monetary terms or as the number of fatalities, are ways of defining the severity of the consequences. See also Aven and Kristensen (2005).

In the case of large uncertainties, risk assessments can support decision-making, but other principles, measures, and instruments are also required, such as the cautionary/precautionary principles as well as robustness and resilience strategies. An informative decision basis is needed, but it should be far more nuanced than can be obtained by a probabilistic analysis alone. This has been stressed by many researchers, e.g. Apostolakis (1990) and Apostolakis and Lemon (2005): quantitative risk analysis (QRA) results are never the sole basis for decision-making. Safety- and security-related decision-making is risk-informed, not risk-based. This conclusion is not, however, justified merely by referring to the need for addressing uncertainties beyond probabilities and expected values. The main issue here is the fact that risks need to be balanced with other concerns.

When various solutions and measures are to be compared and a decision is to be made, the analyses and assessments that have been conducted provide a basis for such a decision. In many cases, established design principles and standards provide clear guidance. Compliance with such principles and standards must be among the first reference points when assessing risks. It is common thinking that risk management processes, and especially ALARP processes, require formal guidelines or criteria (e.g., risk acceptance criteria and cost-effectiveness indices) to simplify the decision-making. Care must, however, be shown when using this type of formal decision-making criteria, as they easily result in a mechanization of the decision-making process. Such mechanization is unfortunate because: decision-making criteria based on risk-related numbers alone (probabilities and expected values) do not capture all the aspects of risk, costs, and benefits; no method has a precision that justifies a mechanical decision based on whether the result is over or below a numerical criterion; and it is a managerial responsibility to make decisions under uncertainty, so management should be aware of the relevant risks and uncertainties.

Apostolakis and Lemon (2005) adopt a pragmatic approach to risk analysis and risk management, acknowledging the difficulties of determining the probabilities of an attack. Ideally, they would like to implement a risk-informed procedure, based on expected values. However, since such an approach would require the use of probabilities that have not been "rigorously derived", they see themselves forced to resort to a more pragmatic approach. This is one possible approach when facing problems of large uncertainties. The risk analyses simply do not provide a sufficiently solid basis for the decision-making process. We argue along the same lines. There is a need for a management review and judgment process. It is necessary to see beyond the computed risk picture in the form of the probabilities and expected values. Traditional quantitative risk analyses fail in this respect. We acknowledge the need for analyzing risk, but question the value added by performing traditional quantitative risk analyses in the case of large uncertainties. The arbitrariness in the numbers produced can be significant, due to the uncertainties in the estimates or as a result of the uncertainty assessments being strongly dependent on the analysts.

It should be acknowledged that risk cannot be accurately expressed using probabilities and expected values. A quantitative risk analysis is in many cases better replaced by a more qualitative approach, as shown in the examples above; an approach which may be referred to as a semi-quantitative approach. Quantifying risk using risk indices such as the expected number of fatalities gives an impression that risk can be expressed in a very precise way. However, in most cases, the arbitrariness is large. In a semi-quantitative approach this is acknowledged by providing a more nuanced risk picture, which includes factors that can cause "surprises" relative to the probabilities and the expected values. Quantification often requires strong simplifications and assumptions and, as a result, important factors could be ignored or given too little (or too much) weight. In a qualitative or semi-quantitative analysis, a more comprehensive risk picture can be established, taking into account underlying factors influencing risk. In contrast to the prevailing use of quantitative risk analyses, the precision level of the risk description is then in line with the accuracy of the risk analysis tools. In addition, risk quantification is very resource demanding. One needs to ask whether the resources are used in the best way. We conclude that in many cases more is gained by opening up the way to a broader, more qualitative approach, which allows for considerations beyond the probabilities and expected values.

The traditional quantitative risk assessments as seen for example in the nuclear and the oil and gas industries provide a rather narrow risk picture, through calculated probabilities and expected values, and we conclude that this approach should be used with care for problems with large uncertainties. Alternative approaches highlighting the qualitative aspects are more appropriate in such cases. A broad risk description is required. This is also the case in situations of normative ambiguity, as the risk characterizations provide a basis for the risk evaluation processes. The main concern is the value judgments, but they should be supported by solid scientific assessments, showing a broad risk picture. If one tries to demonstrate that it is rational to accept risk, on a scientific basis, too narrow an approach to risk has been adopted. Recognizing uncertainty as a main component of risk is essential to successfully implement risk management in cases of large uncertainties and normative ambiguity.

A risk description should cover computed probabilities and expected values, as well as: sensitivities showing how the risk indices depend on the background knowledge (assumptions and suppositions); uncertainty assessments; and a description of the background knowledge, including the models and data used. The uncertainty assessments should not be restricted to standard probabilistic analysis, as this analysis could hide important uncertainty factors. The search for quantitative, explicit approaches for expressing the uncertainties, even beyond the subjective probabilities, may seem to be a possible way forward. However, such an approach is not recommended. Trying to be precise and to accurately express what is extremely uncertain does not make sense. Instead we recommend a more open qualitative approach to reveal such uncertainties. Some might consider this to be less attractive from a methodological and scientific point of view. Perhaps it is, but it would be more suited for solving the problem at hand, which is about the analysis and management of risk and uncertainties.

Source: Terje Aven. 2010. "Risk Management". Risk in Technological Systems, Oct, pp. 175-198.
Chapter2Enterprise Risk Management ProcessEnterprise risk management(ERM)has become very important.Thefinancial world is not immune to systemic failure,as demonstrated by many stories such as Barings Bank collapse in1995,the failure of Long-Term Capital Management in1998, and a handful of bankruptcy cases in the currentfinancial crisis,e.g.,the federal government’s takeover of Fannie Mae and Freddie Mac and the fall of Lehman fell and Merrill Lynch.There is no doubt that risk management is an important and growing area in the uncertain world.Smiechewicz1gave a framework for ERM,relying on top management support within the organization.Many current organizations have chief risk officers(CROs) appointed,but the effectiveness of risk management depends on active participation of top management to help the organization survive the various risks and crises they encounter.Set risk appetiteRisk identification processIdentify risksDevelop risk matrixRisk management processRisk review processesThefirst step is to set the risk appetite for the organization.No organization can avoid risk.Nor should they insure against every anizations exist to take on risks in areas where they have developed the capability to cope with risk.However, they cannot cope with every risk,so top management needs to identify the risks they expect to face,and to identify those risks that they are willing to assume(and profit from successfully coping).The risk identification process needs to consider risks of all kinds.Typically, organizations can expect to encounter risks of the following types:•Strategic risk•Operations risk•Legal risk•Credit risk•Market risk15 D.L.Olson,D.Wu,Enterprise Risk Management Models,DOI10.1007/978-3-642-11474-8_2,C Springer-Verlag Berlin Heidelberg2010162Enterprise Risk Management Process Table2.1Enterprise risk management frameworkStrategic risks Is there a formal process to identify potential changes in markets,economic conditions,regulations,and demographic change 
impacts onthe business?Is new product innovation considered for both short-run and long-runimpact?Does thefirm’s product line cover the customer’s entirefinancial servicesexperience?Is research and development investment adequate to keep up withcompetitor product development?Are sufficient controls in place to satisfy regulatory audits and theirimpact on stock price?Operations risks Does thefirm train and encourage use of rational decision-makingmodels?Is there a master list of vendor relationships,with assurance each providesvalue?Is there adequate segregation of duties?Are there adequate cash and marketable securities controls?Arefinancial models documented and tested?Is there a documented strategic plan to technology expenditures?Legal risks Are patent requirements audited to avoid competitor abuse as well aslitigation?Is there an inventory of legal agreements and auditing of compliance?Do legal agreements include protection of customer privacy?Are there disturbing litigation patterns?Is action taken to assure product quality sufficient to avoid class actionsuits and loss of reputation?Credit risks Are key statistics monitoring credit trends sufficient?How are settlement risks managed?Is their sufficient collateral to avoid deterioration of value?Is the incentive compensation program adequately rewarding loanportfolio profitability rather than volume?Is exposure to foreign entities monitored,as well as domestic entityexposure to foreign entities?Market risks Is there a documented funding plan for outstanding lines?Are asset/liability management model assumptions analyzed?Is there a contingency funding plan for extreme events?Are core deposits analyzed for price and cashflow?Examples of these risks within Smiechewicz’s framework are outlined in Table2.1.Each manager should be responsible for ongoing risk identification and control within their area of responsibility.Once risks are identified,a risk matrix can be developed.Risk matrices will be explained in the 
next section.The risk manage-ment process is the control aspect of those risks that are identified.The adequacy of this process depends on assigning appropriate responsibilities by role.It can be monitored by a risk-screening committee at a high level within the organization that monitors new significant markets and products.The risk review process includes aRisk Matrix17 systematic internal audit,often outsourced to third party providers responsible for ensuring that the enterprise risk management structure functions as designed.Risk MatrixA risk matrix provides a two-dimensional(or higher)picture of risk,either forfirm departments,products,projects,or other items of interest.It is intended to provide a means to better estimate the probability of success or failure,and identify those activities that would call for greater control.One example might be for product lines, as shown in Table2.2.Table2.2Product risk matrixLikelihood of risk low Likelihood of riskmedium Likelihood or risk highLevel of risk high Hedge Avoid AvoidLevel of riskmediumControl internally Hedge HedgeLevel of risk low Accept Control internally Control internallyThe risk matrix is meant to be a tool revealing the distribution of risk across afirm’s portfolio of products,projects,or activities,and assigning responsibilities or mitigation activities.In Table2.2,hedging activities might include paying for insurance,or in the case of investments,using short-sale activities.Internal controls would call for extra managerial effort to quickly identify adverse events,and take action(at some cost)to provide greater assurance of acceptable outcomes.Risk matrices can represent continuous scales.For instance,a risk matrix focusing on product innovation was presented by Day.2Many organizations need to have an ongoing portfolio of products.The more experience thefirm has in a particular product type,the greater the probability of product success.Similarly,the more experience thefirm has in the product’s 
intended market, the greater the probability of product success. By obtaining measures based on expert product manager evaluation of both scales, historical data can be used to calibrate prediction of product success. Scaled measures for product/technology risk could be based on expert product manager evaluations as demonstrated in Table 2.3 for a proposed product, with higher scores associated with less attractive risk positions. Table 2.4 demonstrates the development of risk assessment of the intended market. Table 2.5 combines these scales, with risk assessment probabilities that should be developed by expert product managers based on historical data to the degree possible. In Table 2.5, the combination of technology risk score of 18 with product failure risk score 26 is in bold, indicating a risk probability assessment of 0.30.

Table 2.3 Product/technology risk assessment
Scale: 1 – Fully experienced, 2, 3 – Significant change, 4, 5 – No experience
                                            Score
Current development capability              3
Technological competency                    2
Intellectual property protection            4
Manufacturing and service delivery system   1
Required knowledge                          3
Necessary service                           2
Expected quality                            3
Total                                       18

Table 2.4 Product/technology failure risk assessment
Scale: 1 – Same as present, 2, 3 – Significant change, 4, 5 – Completely different
                                     Score
Customer behavior                    4
Distribution and sales               3
Competition                          5
Brand promise                        5
Current customer relationships       5
Knowledge of competitor behavior     4
Total                                26

Table 2.5 Innovation product risk matrix: expert success probability assessments
(rows: technology risk score from Table 2.3; columns: failure risk score from Table 2.4; the cell for technology 15–20 and failure 25–30, 0.30, is the bold entry the text refers to)
                    Failure <10   Failure 10–15   Failure 15–20   Failure 20–25   Failure 25–30
Technology 30–35    0.50          0.40            0.30            0.15            0.01
Technology 25–30    0.65          0.50            0.45            0.30            0.05
Technology 20–25    0.75          0.60            0.55            0.45            0.20
Technology 15–20    0.80          0.70            0.65            0.55            0.30
Technology 10–15    0.90          0.85            0.80            0.65            0.45
Technology <10      0.95          0.90            0.85            0.70            0.60

Risk matrices have been applied in many contexts. In the medical field, Blomeyer et al. [3] presented a risk matrix for child development, focused on predicting basic cognitive, motor and noncognitive abilities based
on the two dimensions of organic risk factors and psychosocial risk factors. McIlwain [4] cited the application of clinical risk management in the United Kingdom arising from the National Health Service Litigation Authority creation in April 1995. This triggered systematic analysis of incident reporting on a frequency/severity grid comparing likelihood and consequence. Traffic light colors are often used to categorize risks into three (or more) categories, quickly identifying combinations of frequency and consequence calling for the greatest attention. Table 2.6 gives a possible risk matrix.

Table 2.6 Risk matrix of medical events
                            Consequence insignificant   Consequence minor   Consequence moderate   Consequence major   Consequence catastrophic
Likelihood almost certain   Amber                       Red                 Red                    Red                 Red
Likelihood likely           Green                       Amber               Red                    Red                 Red
Likelihood possible         Green                       Amber               Amber                  Amber               Red
Likelihood unlikely         Green                       Green               Amber                  Amber               Red
Likelihood rare             Green                       Green               Green                  Amber               Amber

Table 2.6 demonstrates the use of a risk matrix that could be based on historical data, with green assigned to a proportion of cases with serious incident rates below some threshold (say 0.01), red for high proportions (say 0.10 or greater), and amber in between. While risk matrices have proven useful, they can be misused as can any tool.
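As an added example, not code from the chapter or from any of the authors it cites, the following Python encodes Table 2.2 and Table 2.6 as grids, maps an observed serious-incident proportion to a traffic-light color with the 0.01 / 0.10 thresholds just given, and tests a grid against the three structural conditions the chapter attributes to Cox (2008) in the critique that follows: no red cell sharing an edge with a green one, no red in the left column or bottom row, and at least three colors. The class and function names are this example's own, and it assumes the orientation both tables use (lowest-risk cell bottom-left). A constructed, deliberately inconsistent grid is included so the checker can be seen catching both kinds of breach.

```python
"""Risk-matrix lookup and structural checks.

Added example; not code from the chapter or from the authors it cites.
Grids are transcribed from Table 2.2 (product risk) and Table 2.6 (medical
events). The incident-rate thresholds are the 0.01 / 0.10 values the text
gives for Table 2.6, and the three conditions checked are those the text
attributes to Cox (2008). Class and function names are this example's own.
"""
from typing import List, Sequence, Set


class RiskMatrix:
    """A rating grid over two ordered scales.

    Assumed orientation, matching Tables 2.2 and 2.6: rows run from the
    highest level of the row scale (top) to the lowest (bottom), columns from
    the lowest level of the column scale (left) to the highest (right), so the
    lowest-risk cell is bottom-left.
    """

    def __init__(self, rows: Sequence[str], cols: Sequence[str],
                 grid: Sequence[Sequence[str]]) -> None:
        if len(grid) != len(rows) or any(len(g) != len(cols) for g in grid):
            raise ValueError("grid shape does not match the two scales")
        self.rows, self.cols = list(rows), list(cols)
        self.grid = [list(g) for g in grid]

    def rate(self, row: str, col: str) -> str:
        """Rating for one (row level, column level) pair."""
        return self.grid[self.rows.index(row)][self.cols.index(col)]

    def ratings(self) -> Set[str]:
        """Distinct ratings (colors or actions) used anywhere in the grid."""
        return {cell for line in self.grid for cell in line}

    def cox_violations(self, high: str = "Red", low: str = "Green") -> List[str]:
        """Describe every breach of the three structural conditions:
        1. no `high` cell shares an edge with a `low` cell,
        2. no `high` cell sits in the left column or the bottom row,
        3. at least three distinct ratings are used.
        An empty list means the grid passes all three."""
        issues: List[str] = []
        n_rows, n_cols = len(self.rows), len(self.cols)
        for r in range(n_rows):
            for c in range(n_cols):
                if self.grid[r][c] != high:
                    continue
                here = f"({self.rows[r]}, {self.cols[c]})"
                # condition 1: inspect the four edge-adjacent neighbours
                for dr, dc in ((1, 0), (-1, 0), (0, 1), (0, -1)):
                    rr, cc = r + dr, c + dc
                    if 0 <= rr < n_rows and 0 <= cc < n_cols and self.grid[rr][cc] == low:
                        issues.append(f"{high} {here} shares an edge with {low} "
                                      f"({self.rows[rr]}, {self.cols[cc]})")
                # condition 2: lowest-consequence column and lowest-likelihood row
                if c == 0:
                    issues.append(f"{high} {here} in the left column")
                if r == n_rows - 1:
                    issues.append(f"{high} {here} in the bottom row")
        if len(self.ratings()) < 3:  # condition 3
            issues.append(f"only {len(self.ratings())} rating levels; at least three are needed")
        return issues


def color_from_incident_rate(rate: float, green_below: float = 0.01,
                             red_from: float = 0.10) -> str:
    """Traffic-light color for an observed proportion of serious incidents,
    using the example thresholds the text suggests for Table 2.6."""
    if rate < green_below:
        return "Green"
    if rate >= red_from:
        return "Red"
    return "Amber"


# Table 2.2: rows = level of risk, columns = likelihood of risk.
PRODUCT = RiskMatrix(
    ["high", "medium", "low"], ["low", "medium", "high"],
    [["Hedge", "Avoid", "Avoid"],
     ["Control internally", "Hedge", "Hedge"],
     ["Accept", "Control internally", "Control internally"]])

# Table 2.6: rows = likelihood, columns = consequence.
MEDICAL = RiskMatrix(
    ["almost certain", "likely", "possible", "unlikely", "rare"],
    ["insignificant", "minor", "moderate", "major", "catastrophic"],
    [["Amber", "Red", "Red", "Red", "Red"],
     ["Green", "Amber", "Red", "Red", "Red"],
     ["Green", "Amber", "Amber", "Amber", "Red"],
     ["Green", "Green", "Amber", "Amber", "Red"],
     ["Green", "Green", "Green", "Amber", "Amber"]])

# Constructed counter-example (not from the chapter): red touches green and
# appears in the bottom row, so conditions 1 and 2 both fail.
INCONSISTENT = RiskMatrix(
    ["high", "medium", "low"], ["low", "medium", "high"],
    [["Amber", "Red", "Red"],
     ["Green", "Red", "Red"],
     ["Green", "Green", "Red"]])


if __name__ == "__main__":
    print(MEDICAL.rate("possible", "major"), color_from_incident_rate(0.03))
    print("Table 2.6:", MEDICAL.cox_violations() or "consistent")
    print("Table 2.2:", PRODUCT.cox_violations(high="Avoid", low="Accept") or "consistent")
    for issue in INCONSISTENT.cox_violations():
        print("counter-example:", issue)
```

Both chapter tables pass all three conditions; for Table 2.2 the check is run with Avoid and Accept standing in for red and green, since that table records actions rather than colors. The constructed grid reports three edge contacts and one bottom-row red, which is the kind of defect a reviewer would want flagged before a matrix is adopted.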
Cox [5] provided a critique of some of the many risk matrices in use. Positive examples were shown from the Federal Highway Administration for civil engineering administration (Table 2.7), and the Federal Aviation Administration applied to airport operation safety. The Federal Aviation Administration risk matrix was quite similar, but used qualitative terms for the likelihood categories (frequent, probable, remote, extremely remote, and extremely improbable) and severity categories (no safety effect, minor, major, hazardous, and catastrophic). Cox identified some characteristics that should be present in risk matrices:
1. Under weak consistency conditions, no red cell should share an edge with a green cell
2. No red cell can occur in the left column or in the bottom row
3. There must be at least three colors
4. Too many colors give spurious resolution

Table 2.7 Risk matrix for Federal Highway Administration (2006)
                        Very low impact   Low impact   Medium impact   High impact   Very high impact
Very high probability   Green             Yellow       Red             Red           Red
High probability        Green             Yellow       Red             Red           Red
Medium probability      Green             Green        Yellow          Red           Red
Low probability         Green             Green        Yellow          Red           Red
Very low probability    Green             Green        Green           Yellow        Red
Extracted from Cox (2008).

Cox argued that risk ratings do not necessarily support good resource allocation decisions. This is due to the inherently subjective categorization of uncertain consequences. Thus Cox argues that the theoretical results he presented demonstrate that quantitative and semiquantitative risk matrices (using numbers instead of categories) cannot correctly reproduce risk ratings, especially if frequency and severity are negatively correlated.

Information System Risk Matrix Application

Egerdahl [6] presented a risk matrix to support data processing audit functions. The purpose was to identify threats facing the environment, the facility components, and appropriate controls. Steps in building the IT auditing risk matrix included:
1. Identify threats and components
2. Identify
necessary controls
3. Place appropriate controls in matrix cells
4. Rank and evaluate control adequacy

Threats were potentially adverse events such as lost or corrupted data, outages of system components, theft, or disasters. Example threats included:
• Alteration – unauthorized changes to the system
• Costs – excessive or inappropriate
• Denial of service – destruction, damage, or other events making the system unavailable to users
• Destruction – outages of system components
• Errors and omissions – system degradation leading to erroneous output
• Fraud – theft of a system component, or access to defraud
• Regulatory exposure – system performance leading to government or customer suits
• System malfunction – performance other than intended, from bugs, poor design, or other factors
• Unauthorized disclosure – unauthorized access through bypassing locks or passwords

Auditors were responsible to identify threats that could occur, and that would be harmful to the firm's achievement of goals and objectives.

Components included communication circuits, network software, database files, terminals, processing units, and other devices. Examples included:
• Disaster recovery – procedures, components and information to put the system back in operation, including disaster recovery plans, contingency plans, backup, off-site storage, secondary recovery sites, personnel, and other elements
• Facility – sites, buildings, and rooms housing system components, as well as drawings and specifications, environmental control devices, fire and flood mitigation mechanisms, health and safety codes, and physical security devices
• Hardware – computers, tape drives, disk drives, peripheral equipment, storage media, to include processing units, minicomputers, workstations, and PCs
• Information – data in the system or components, to include files, applications, databases, transactions and reports
• Network – communication-related equipment and software, including circuits, modems, multiplexers, controllers, communication facilities, software, and security mechanisms
• Operations – personnel and processes, to include manuals, documentation, physical and logical access management
• Software – programs to run and maintain the system, to include operating systems and applications software

Controls were procedures or physical items preventing threats from occurring or mitigating event impact.
1. Change and problem management – facilities, hardware, software, and communications networks
2. Cost/resource management – financial data
3. Disaster recovery tasks – documented and tested plan for off-site storage of backup data, alternative site provision, power, hardware, software, air conditioning, etc.
4. Environmental controls – fire, health and safety controls, temperature control, etc.
5. Hardware/software management – vendor support, maintenance plans, standards
6. Inventory controls – equipment and resource accountability
7. Performance goals and objectives – metrics such as resource utilization and lost time
8. Planning and forecasting – proper use of storage, to include planning for growth and upgrades
9. Policies and procedures – directives, codes, regulations, etc.
10. Process monitoring – process control and problem detection
11. Production controls – procedures for backup and recovery
12. Security – devices, techniques and software
13. Separation of functions – separation of duties to deny potential fraud or theft
14. Training and education – enhance job knowledge and security

The fourth step involved risk ranking both threats and components by each member of the auditing team, developing an ordinal list of threats and components. The most serious threat was placed first on the threat axis and the most important component placed at the top of the component axis. The cells were divided into High (top 25%), Medium (middle 50%), and Low (bottom 25%) categories, and colors applied to aid identification. Controls were then assigned to each cell. As an example, threats could be ranked as follows by the auditing team, with lower numbers indicating more important threats:
1. Outages of
system components
2. Unauthorized disclosure
3. Alteration of system
4. Errors and omissions
5. Excessive costs
6. Fraud or theft
7. System malfunction
8. Regulatory or contractual exposure
9. Denial of service

These threats were categorized by placing the first three in the high risk category, items ranked 4 through 6 in the medium risk category, and the last four in the low risk category. Rankings for component importance could be:
1. Information
2. Hardware
3. Software
4. Network
5. Operations
6. Facility
7. Disaster recovery

For each component, controls were assigned by risk category. As a possible example, ranks 1 and 2 might be categorized as critical, 3 and 4 as moderately critical, and 5 through 7 as low in criticality. A risk matrix in line with what has been presented in this chapter could be as shown in Table 2.8.

Table 2.8 IT risk matrix
                         Threat low   Threat medium   Threat high
Criticality important    Amber        Red             Red
Criticality moderate     Green        Amber           Red
Criticality low          Green        Green           Amber

This represents a conventional application of a risk matrix. Egerdahl went further, developing a matrix assigning specific control actions to each combination of threat and criticality, shown in the Appendix.

Conclusions

The study of risk management has grown in the last decade in response to serious incidents threatening trust in business operations. The field is evolving, but the first step is generally considered to be application of a systematic process, beginning with consideration of the organization's risk appetite. Then the risks facing the organization need to be identified, controls generated, and the risk management process reviewed along with historical documentation and records so that the process can be improved. Risk matrices are a means to consider the risk components of threat severity and probability. They have been used in a number of contexts, basic applications of which were reviewed. Cox provided a useful critique of the use of risk matrices. A more detailed demonstration of risk matrices applied to information system
technology based on the work of Egerdahl was presented.

Appendix: Controls Numbered as in Text

The appendix table has one row for each threat and component pair and one column for each of the fourteen controls listed above, with an X marking every control assigned to that pair. Only the row structure survived extraction; the column positions of the X marks did not. Threat rows: System outage, Unauthorized access, System alteration, Errors, Excessive costs, Fraud or theft, System malfunction, Legal exposure, Denial of service. Component rows under each threat: Information, Hardware, Software, Network, Operations, Facilities, Disaster recovery.

Notes
1. Smiechewicz, W. 2001. Case study: Implementing enterprise risk management. Bank Accounting & Finance 14(4): 21–27.
2. Day, G.S. 2007. Is it real? Can we win? Is it worth doing? Managing risk and reward in an innovation portfolio. Harvard Business Review 85(12): 110–120.
3. Blomeyer, D., K. Coneus, M. Laucht, and F. Pfeiffer. 2009. Initial risk matrix, home resources, ability development, and children's achievement. Journal of the European Economic Association 7(2–3): 638–648.
4. McIlwain, J.C. 2006. A review: A decade of clinical risk
management and risk tools. Clinician in Management 14(4): 189–199.
5. Cox, L.A., Jr. 2008. What's wrong with risk matrices? Risk Analysis 28(2): 497–512.
6. Egerdahl, R.L. 1995. A risk matrix approach to data processing facility audits. Internal Auditor 52(3): 34–40.
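As an added example rounding off the Information System Risk Matrix Application section (this is not code from the chapter or from Egerdahl), the following Python carries that procedure through end to end: it takes the ranked threat and component lists as the text gives them, applies the category splits the text states (threat ranks 1–3 high, 4–6 medium, the rest low; component ranks 1–2 critical, 3–4 moderately critical, the rest low), reads each threat and component cell from Table 2.8, and summarises where the red cells fall, which is where control assignment starts. The function names are this example's own.

```python
"""Building an IT audit risk matrix along the lines of the Egerdahl procedure
described in the chapter: rank threats and components, bucket the ranks into
categories, then read each (threat, component) cell from Table 2.8.

Added example; not code from the chapter or from Egerdahl. The ranked lists,
the category cut-offs and Table 2.8 are taken from the text as transcribed;
the function names are this example's own.
"""
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Ordinal lists produced by the auditing team; position 1 is most important.
THREATS: List[str] = [
    "Outages of system components",
    "Unauthorized disclosure",
    "Alteration of system",
    "Errors and omissions",
    "Excessive costs",
    "Fraud or theft",
    "System malfunction",
    "Regulatory or contractual exposure",
    "Denial of service",
]
COMPONENTS: List[str] = [
    "Information", "Hardware", "Software", "Network",
    "Operations", "Facility", "Disaster recovery",
]

# Table 2.8: rows = component criticality, columns = threat level.
TABLE_2_8: Dict[str, Dict[str, str]] = {
    "important": {"low": "Amber", "medium": "Red", "high": "Red"},
    "moderate":  {"low": "Green", "medium": "Amber", "high": "Red"},
    "low":       {"low": "Green", "medium": "Green", "high": "Amber"},
}


def categorize(ranked: Sequence[str], cutoffs: Sequence[Tuple[int, str]],
               rest: str) -> Dict[str, str]:
    """Assign a category to each ranked item.

    `cutoffs` lists (highest rank included, label) pairs in ascending order,
    e.g. [(3, "high"), (6, "medium")]; ranks beyond the last cut-off get `rest`.
    """
    result: Dict[str, str] = {}
    for position, item in enumerate(ranked, start=1):
        label = rest
        for max_rank, name in cutoffs:
            if position <= max_rank:
                label = name
                break
        result[item] = label
    return result


def build_matrix(threats: Sequence[str] = THREATS,
                 components: Sequence[str] = COMPONENTS) -> Dict[str, Dict[str, str]]:
    """color[threat][component], using the text's category splits and Table 2.8."""
    threat_level = categorize(threats, [(3, "high"), (6, "medium")], "low")
    criticality = categorize(components, [(2, "important"), (4, "moderate")], "low")
    return {
        t: {c: TABLE_2_8[criticality[c]][threat_level[t]] for c in components}
        for t in threats
    }


def cells_rated(matrix: Dict[str, Dict[str, str]], color: str) -> List[Tuple[str, str]]:
    """(threat, component) pairs carrying the given color, in rank order."""
    return [(t, c) for t, row in matrix.items() for c, v in row.items() if v == color]


def color_counts(matrix: Dict[str, Dict[str, str]]) -> Dict[str, int]:
    """How many cells of the full matrix carry each color."""
    return dict(Counter(v for row in matrix.values() for v in row.values()))


if __name__ == "__main__":
    m = build_matrix()
    print(f"{'':34}" + "".join(f"{c[:10]:>11}" for c in COMPONENTS))
    for t in THREATS:
        print(f"{t[:33]:34}" + "".join(f"{m[t][c]:>11}" for c in COMPONENTS))
    print(color_counts(m))
    print("first red cell:", cells_rated(m, "Red")[0])
```

With the nine threats and seven components given, the full matrix has 63 cells: 18 red, 21 amber and 24 green. The red block is the top-left corner (the three high-ranked threats against the four most critical components, plus the medium threats against the two critical ones), which is the ordering the text describes when it places the most serious threat first on the threat axis and the most important component at the top of the component axis.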