
A RISK MANAGEMENT STANDARD

FEDERATION OF EUROPEAN RISK MANAGEMENT ASSOCIATIONS


© AIRMIC, ALARM, IRM: 2002, translation copyright FERMA: 2003.


Introduction

The Risk Management Standard is the result of work by a team drawn from the major risk management organisations in the UK - The Institute of Risk Management (IRM), The Association of Insurance and Risk Managers (AIRMIC) and ALARM The National Forum for Risk Management in the Public Sector.

In addition, the team sought the views and opinions of a wide range of other professional bodies with interests in risk management, during an extensive period of consultation.

Risk management is a rapidly developing discipline and there are many and varied views and descriptions of what risk management involves, how it should be conducted and what it is for. Some form of standard is needed to ensure that there is an agreed:

• terminology related to the words used

• process by which risk management can be carried out

• organisation structure for risk management

• objective for risk management

Importantly, the standard recognises that risk has both an upside and a downside.

Risk management is not just something for corporations or public organisations, but for any activity whether short or long term. The benefits and opportunities should be viewed not just in the context of the activity itself but in relation to the many and varied stakeholders who can be affected.

There are many ways of achieving the objectives of risk management and it would be impossible to try to set them all out in a single document. Therefore it was never intended to produce a prescriptive standard which would have led to a box ticking approach nor to establish a certifiable process. By meeting the various component parts of this standard, albeit in different ways, organisations will be in a position to report that they are in compliance. The standard represents best practice against which organisations can measure themselves.

The standard has wherever possible used the terminology for risk set out by the International Organization for Standardization (ISO) in its recent document ISO/IEC Guide 73 Risk Management - Vocabulary - Guidelines for use in standards.

In view of the rapid developments in this area the authors would appreciate feedback from organisations as they put the standard into use (addresses to be found on the back cover of this Guide). It is intended that regular modifications will be made to the standard in the light of best practice.


1. Risk

Risk can be defined as the combination of the probability of an event and its consequences (ISO/IEC Guide 73).

In all types of undertaking, there is the potential for events and consequences that constitute opportunities for benefit (upside) or threats to success (downside).

Risk Management is increasingly recognised as being concerned with both positive and negative aspects of risk. Therefore this standard considers risk from both perspectives.

In the safety field, it is generally recognised that consequences are only negative and therefore the management of safety risk is focused on prevention and mitigation of harm.

2. Risk Management

Risk management is a central part of any organisation’s strategic management. It is the process whereby organisations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities.

The focus of good risk management is the identification and treatment of these risks. Its objective is to add maximum sustainable value to all the activities of the organisation. It marshals the understanding of the potential upside and downside of all those factors which can affect the organisation. It increases the probability of success, and reduces both the probability of failure and the uncertainty of achieving the organisation’s overall objectives.

Risk management should be a continuous and developing process which runs throughout the organisation’s strategy and the implementation of that strategy. It should address methodically all the risks surrounding the organisation’s activities past, present and in particular, future.

It must be integrated into the culture of the organisation with an effective policy and a programme led by the most senior management. It must translate the strategy into tactical and operational objectives, assigning responsibility throughout the organisation with each manager and employee responsible for the management of risk as part of their job description. It supports accountability, performance measurement and reward, thus promoting operational efficiency at all levels.

2.1 External and Internal Factors

The risks facing an organisation and its operations can result from factors both external and internal to the organisation.

The diagram overleaf summarises examples of key risks in these areas and shows that some specific risks can have both external and internal drivers and therefore overlap the two areas. They can be categorised further into types of risk such as strategic, financial, operational, hazard, etc.


2.1 Examples of the Drivers of Key Risks

[Diagram: the four risk categories (financial risks, strategic risks, operational risks and hazard risks) are laid out between externally driven and internally driven factors, with some drivers spanning both. Drivers named in the diagram: interest rates, foreign exchange, credit, liquidity & cash flow, competition, customer changes, industry changes, customer demand, M & A integration, research & development, intellectual capital, accounting controls, information systems, recruitment, supply chain, public access, employees, properties, products & services, regulations, culture, board composition, contracts, natural events, suppliers, environment.]


Risk management protects and adds value to the organisation and its stakeholders through supporting the organisation’s objectives by:

• providing a framework for an organisation that enables future activity to take place in a consistent and controlled manner

• improving decision making, planning and prioritisation by comprehensive and structured understanding of business activity, volatility and project opportunity/threat

• contributing to more efficient use/allocation of capital and resources within the organisation

• reducing volatility in the non essential areas of the business

• protecting and enhancing assets and company image

• developing and supporting people and the organisation’s knowledge base

• optimising operational efficiency


2.2 The Risk Management Process

[Diagram: the process starts from The Organisation’s Strategic Objectives and proceeds through Risk Assessment, comprising Risk Analysis (Risk Identification, Risk Description, Risk Estimation) and Risk Evaluation; then Risk Reporting: Threats and Opportunities; Decision; Risk Treatment; Residual Risk Reporting; and Monitoring. Formal Audit and Modification are shown as feedback paths alongside the main sequence.]


3. Risk Assessment

Risk Assessment is defined by the ISO/IEC Guide 73 as the overall process of risk analysis and risk evaluation. (See appendix)

4. Risk Analysis

4.1 Risk Identification

Risk identification sets out to identify an organisation’s exposure to uncertainty. This requires an intimate knowledge of the organisation, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as the development of a sound understanding of its strategic and operational objectives, including factors critical to its success and the threats and opportunities related to the achievement of these objectives.

Risk identification should be approached in a methodical way to ensure that all significant activities within the organisation have been identified and all the risks flowing from these activities defined. All associated volatility related to these activities should be identified and categorised.

Business activities and decisions can be classified in a range of ways, examples of which include:

• Strategic - These concern the long-term strategic objectives of the organisation. They can be affected by such areas as capital availability, sovereign and political risks, legal and regulatory changes, reputation and changes in the physical environment.

• Operational - These concern the day-to-day issues that the organisation is confronted with as it strives to deliver its strategic objectives.

• Financial - These concern the effective management and control of the finances of the organisation and the effects of external factors such as availability of credit, foreign exchange rates, interest rate movement and other market exposures.

• Knowledge management - These concern the effective management and control of the knowledge resources, the production, protection and communication thereof. External factors might include the unauthorised use or abuse of intellectual property, area power failures, and competitive technology. Internal factors might be system malfunction or loss of key staff.

• Compliance - These concern such issues as health & safety, environmental, trade descriptions, consumer protection, data protection, employment practices and regulatory issues.

Whilst risk identification can be carried out by outside consultants, an in-house approach with well communicated, consistent and co-ordinated processes and tools (see Appendix) is likely to be more effective. In-house ‘ownership’ of the risk management process is essential.

4.2 Risk Description

The objective of risk description is to display the identified risks in a structured format, for example, by using a table. The risk description table overleaf can be used to facilitate the description and assessment of risks. The use of a well designed structure is necessary to ensure a comprehensive risk identification, description and assessment process. By considering the consequence and probability of each of the risks set out in the table, it should be possible to prioritise the key risks that need to be analysed in more detail. Identification of the risks associated with business activities and decision making may be categorised as strategic, project/tactical, operational. It is important to incorporate risk management at the conceptual stage of projects as well as throughout the life of a specific project.


4.3 Risk Estimation

Risk estimation can be quantitative, semi-quantitative or qualitative in terms of the probability of occurrence and the possible consequence.

For example, consequences both in terms of threats (downside risks) and opportunities (upside risks) may be high, medium or low (see table 4.3.1). Probability may be high, medium or low but requires different definitions in respect of threats and opportunities (see tables 4.3.2 and 4.3.3).

Examples are given in the tables overleaf. Different organisations will find that different measures of consequence and probability will suit their needs best.

For example many organisations find that assessing consequence and probability as high, medium or low is quite adequate for their needs and can be presented as a 3 x 3 matrix.

Other organisations find that assessing consequence and probability using a 5 x 5 matrix gives them a better evaluation.


4.2.1 Table - Risk Description

1. Name of Risk

2. Scope of Risk
   Qualitative description of the events, their size, type, number and dependencies

3. Nature of Risk
   Eg. strategic, operational, financial, knowledge or compliance

4. Stakeholders
   Stakeholders and their expectations

5. Quantification of Risk
   Significance and Probability

6. Risk Tolerance/ Appetite
   Loss potential and financial impact of risk
   Value at risk
   Probability and size of potential losses/gains
   Objective(s) for control of the risk and desired level of performance

7. Risk Treatment & Control Mechanisms
   Primary means by which the risk is currently managed
   Levels of confidence in existing control
   Identification of protocols for monitoring and review

8. Potential Action for Improvement
   Recommendations to reduce risk

9. Strategy and Policy Developments
   Identification of function responsible for developing strategy and policy


Table 4.3.1 Consequences - Both Threats and Opportunities

High
   Financial impact on the organisation is likely to exceed £x
   Significant impact on the organisation’s strategy or operational activities
   Significant stakeholder concern

Medium
   Financial impact on the organisation likely to be between £x and £y
   Moderate impact on the organisation’s strategy or operational activities
   Moderate stakeholder concern

Low
   Financial impact on the organisation likely to be less than £y
   Low impact on the organisation’s strategy or operational activities
   Low stakeholder concern

Table 4.3.2 Probability of Occurrence - Threats

High (Probable)
   Description: Likely to occur each year or more than 25% chance of occurrence.
   Indicators: Potential of it occurring several times within the time period (for example - ten years). Has occurred recently.

Medium (Possible)
   Description: Likely to occur in a ten year time period or less than 25% chance of occurrence.
   Indicators: Could occur more than once within the time period (for example - ten years). Could be difficult to control due to some external influences. Is there a history of occurrence?

Low (Remote)
   Description: Not likely to occur in a ten year period or less than 2% chance of occurrence.
   Indicators: Has not occurred. Unlikely to occur.


4.4 Risk Analysis methods and techniques

A range of techniques can be used to analyse risks. These can be specific to upside or downside risk or be capable of dealing with both. (See Appendix).

4.5 Risk Profile

The result of the risk analysis process can be used to produce a risk profile which gives a significance rating to each risk and provides a tool for prioritising risk treatment efforts. This ranks each identified risk so as to give a view of the relative importance.

This process allows the risk to be mapped to the business area affected, describes the primary control procedures in place and indicates areas where the level of risk control investment might be increased, decreased or reapportioned.

Accountability helps to ensure that ‘ownership’ of the risk is recognised and the appropriate management resource allocated.

Table 4.3.3 Probability of Occurrence - Opportunities

High (Probable)
   Description: Favourable outcome is likely to be achieved in one year or better than 75% chance of occurrence.
   Indicators: Clear opportunity which can be relied on with reasonable certainty, to be achieved in the short term based on current management processes.

Medium (Possible)
   Description: Reasonable prospects of favourable results in one year of 25% to 75% chance of occurrence.
   Indicators: Opportunities which may be achievable but which require careful management. Opportunities which may arise over and above the plan.

Low (Remote)
   Description: Some chance of favourable outcome in the medium term or less than 25% chance of occurrence.
   Indicators: Possible opportunity which has yet to be fully investigated by management. Opportunity for which the likelihood of success is low on the basis of management resources currently being applied.
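The following Python script is an added worked example and is not part of the standard. It applies the percentage thresholds of tables 4.3.2 (threats) and 4.3.3 (opportunities) and the £x/£y wording of table 4.3.1 to a small constructed risk register, combines the two ratings in a 3 x 3 matrix, and ranks the results into a risk profile in the sense of section 4.5. The money thresholds, the product rule used to combine consequence and probability, and the sample risks are all assumptions of the example; the standard deliberately leaves them to each organisation.

```python
"""Added example (not from the standard): H/M/L risk estimation using the
threshold wording of tables 4.3.1 to 4.3.3, a 3 x 3 matrix rating, and a
ranked risk profile in the sense of section 4.5.  All figures are constructed."""
from __future__ import annotations
from dataclasses import dataclass

SCORE = {"Low": 1, "Medium": 2, "High": 3}

# Table 4.3.1 leaves the money thresholds (£x, £y) to the organisation;
# these two values are assumptions made for this example only.
CONSEQUENCE_X = 1_000_000  # financial impact above this is High
CONSEQUENCE_Y = 100_000    # financial impact below this is Low


def consequence_level(financial_impact: float) -> str:
    """Table 4.3.1: High above £x, Medium between £y and £x, Low below £y."""
    if financial_impact > CONSEQUENCE_X:
        return "High"
    if financial_impact >= CONSEQUENCE_Y:
        return "Medium"
    return "Low"


def threat_probability_level(annual_chance: float) -> str:
    """Table 4.3.2 (threats): High above 25%, Low below 2%, Medium between."""
    if annual_chance > 0.25:
        return "High"
    if annual_chance >= 0.02:
        return "Medium"
    return "Low"


def opportunity_probability_level(annual_chance: float) -> str:
    """Table 4.3.3 (opportunities): High above 75%, Medium 25% to 75%, Low below 25%."""
    if annual_chance > 0.75:
        return "High"
    if annual_chance >= 0.25:
        return "Medium"
    return "Low"


def significance(consequence: str, probability: str) -> int:
    """3 x 3 matrix rating. The standard does not fix a combining rule; the
    product of the two scores (1 for Low/Low up to 9 for High/High) is assumed."""
    return SCORE[consequence] * SCORE[probability]


@dataclass
class Risk:
    name: str
    kind: str                # "threat" (downside) or "opportunity" (upside)
    annual_chance: float     # estimated chance of occurrence in a year, 0..1
    financial_impact: float  # size of the potential loss or gain in £
    business_area: str       # area the risk is mapped to (section 4.5)


def estimate(risk: Risk) -> dict:
    """Apply the probability table for the risk type and rate the risk."""
    if risk.kind == "threat":
        prob = threat_probability_level(risk.annual_chance)
    elif risk.kind == "opportunity":
        prob = opportunity_probability_level(risk.annual_chance)
    else:
        raise ValueError(f"unknown risk kind: {risk.kind!r}")
    cons = consequence_level(risk.financial_impact)
    return {"name": risk.name, "kind": risk.kind, "area": risk.business_area,
            "consequence": cons, "probability": prob,
            "significance": significance(cons, prob)}


def risk_profile(risks: list[Risk]) -> list[dict]:
    """Rank the estimated risks, highest significance first, to prioritise
    treatment effort; sorted() is stable, so ties keep register order."""
    return sorted((estimate(r) for r in risks), key=lambda e: -e["significance"])


# Constructed sample register for the example.
SAMPLE_RISKS = [
    Risk("Supplier insolvency", "threat", 0.30, 2_500_000, "Supply chain"),
    Risk("Data protection breach", "threat", 0.10, 400_000, "Information systems"),
    Risk("Warehouse flood", "threat", 0.01, 5_000_000, "Properties"),
    Risk("New export market", "opportunity", 0.50, 3_000_000, "Sales"),
    Risk("Process automation savings", "opportunity", 0.80, 50_000, "Operations"),
]

if __name__ == "__main__":
    for e in risk_profile(SAMPLE_RISKS):
        print(f"{e['significance']:>2}  {e['name']:<28} {e['kind']:<12} "
              f"C={e['consequence']:<6} P={e['probability']:<6} ({e['area']})")
```

Note that the same 80% chance rates as High for an opportunity but would sit in a different band for a threat, which is the reason the standard keeps two probability tables; the boundary values (exactly 25%, 2%, 75%) fall into the lower band because the tables say "more than" and "better than".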


5. Risk Evaluation

When the risk analysis process has been completed, it is necessary to compare the estimated risks against risk criteria which the organisation has established. The risk criteria may include associated costs and benefits, legal requirements, socio-economic and environmental factors, concerns of stakeholders, etc. Risk evaluation therefore, is used to make decisions about the significance of risks to the organisation and whether each specific risk should be accepted or treated.

6. Risk Treatment

Risk treatment is the process of selecting and implementing measures to modify the risk. Risk treatment includes as its major element, risk control/mitigation, but extends further to, for example, risk avoidance, risk transfer, risk financing, etc.

NOTE: In this standard, risk financing refers to the mechanisms (eg insurance programmes) for funding the financial consequences of risk. Risk financing is not generally considered to be the provision of funds to meet the cost of implementing risk treatment (as defined by ISO/IEC Guide 73).

Any system of risk treatment should provide as a minimum:

• effective and efficient operation of the organisation

• effective internal controls

• compliance with laws and regulations

The risk analysis process assists the effective and efficient operation of the organisation by identifying those risks which require attention by management. They will need to prioritise risk control actions in terms of their potential to benefit the organisation.

Effectiveness of internal control is the degree to which the risk will either be eliminated or reduced by the proposed control measures.

Cost effectiveness of internal control relates to the cost of implementing the control compared to the risk reduction benefits expected.

The proposed controls need to be measured in terms of potential economic effect if no action is taken versus the cost of the proposed action(s) and invariably require more detailed information and assumptions than are immediately available.

Firstly, the cost of implementation has to be established. This has to be calculated with some accuracy since it quickly becomes the baseline against which cost effectiveness is measured. The loss to be expected if no action is taken must also be estimated and by comparing the results, management can decide whether or not to implement the risk control measures.

Compliance with laws and regulations is not an option. An organisation must understand the applicable laws and must implement a system of controls to achieve compliance. There is only occasionally some flexibility where the cost of reducing a risk may be totally disproportionate to that risk.
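As an added worked example that is not part of the standard, the following Python script carries out the comparison section 6 describes: the loss to be expected if no action is taken is set against the cost of each proposed control, the effectiveness of the control (the degree to which the risk is reduced) gives the residual expected loss, and candidate controls are ranked by their potential to benefit the organisation. Controls required by law are implemented regardless of the comparison, since compliance is not an option. The expected-loss formula, the ranking rule, the field names and every figure are assumptions of the example.

```python
"""Added example (not from the standard): cost effectiveness of proposed
controls as section 6 describes.  Expected loss with no action is compared with
the cost of each control, candidates are ranked by net benefit, and controls
required by law are implemented regardless.  All figures are constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class ControlOption:
    name: str
    annual_chance: float      # chance the loss event occurs in a year, 0..1
    loss_if_no_action: float  # £ loss expected when the event does occur
    annual_cost: float        # £ per year to implement and run the control
    effectiveness: float      # fraction of the risk the control removes, 0..1
    required_by_law: bool = False


def expected_annual_loss(annual_chance: float, loss: float) -> float:
    """Loss to be expected if no action is taken, averaged over a year
    (assumed model: chance of the event times the loss when it occurs)."""
    return annual_chance * loss


def evaluate(option: ControlOption) -> dict:
    """Compare the risk reduction benefit with the cost of one control."""
    if not (0.0 <= option.annual_chance <= 1.0 and 0.0 <= option.effectiveness <= 1.0):
        raise ValueError(f"{option.name}: chance and effectiveness must lie in [0, 1]")
    before = expected_annual_loss(option.annual_chance, option.loss_if_no_action)
    after = before * (1.0 - option.effectiveness)   # residual expected loss
    benefit = before - after
    net_benefit = benefit - option.annual_cost
    if option.required_by_law:
        decision = "implement (compliance is not optional)"
    elif net_benefit > 0:
        decision = "implement (cost effective)"
    else:
        decision = "do not implement (cost exceeds benefit)"
    return {"name": option.name, "required_by_law": option.required_by_law,
            "expected_loss_no_action": round(before, 2),
            "residual_expected_loss": round(after, 2),
            "net_benefit": round(net_benefit, 2), "decision": decision}


def prioritise(options: list[ControlOption]) -> list[dict]:
    """Mandatory controls first, then the rest by net benefit, highest first."""
    return sorted((evaluate(o) for o in options),
                  key=lambda e: (not e["required_by_law"], -e["net_benefit"]))


# Constructed candidate controls for the example.
SAMPLE_OPTIONS = [
    ControlOption("Offsite backup of customer records", 0.10, 800_000, 20_000, 0.90),
    ControlOption("Dual sourcing of a critical component", 0.05, 300_000, 25_000, 0.50),
    ControlOption("Fire suppression in the data hall", 0.02, 2_000_000, 60_000, 0.80,
                  required_by_law=True),
]

if __name__ == "__main__":
    for e in prioritise(SAMPLE_OPTIONS):
        print(f"{e['name']:<40} net benefit £{e['net_benefit']:>10,.2f}  {e['decision']}")
```

In the sample, the fire suppression control has a negative net benefit on the figures alone and is still ranked first because the law requires it; the backup control pays for itself; dual sourcing does not, so on these figures it would be a candidate for acceptance or for a cheaper treatment instead.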

One method of obtaining financial protection against the impact of risks is through risk financing which includes insurance. However, it should be recognised that some losses or elements of a loss will be uninsurable eg the uninsured costs associated with work-related health, safety or environmental incidents, which may include damage to employee morale and the organisation’s reputation.


7. Risk Reporting and Communication

7.1 Internal Reporting

Different levels within an organisation need different information from the risk management process.

The Board of Directors should:

• know about the most significant risks facing the organisation

• know the possible effects on shareholder value of deviations to expected performance ranges

• ensure appropriate levels of awareness throughout the organisation

• know how the organisation will manage a crisis

• know the importance of stakeholder confidence in the organisation

• know how to manage communications with the investment community where applicable

• be assured that the risk management process is working effectively

• publish a clear risk management policy covering risk management philosophy and responsibilities

Business Units should:

• be aware of risks which fall into their area of responsibility, the possible impacts these may have on other areas and the consequences other areas may have on them

• have performance indicators which allow them to monitor the key business and financial activities, progress towards objectives and identify developments which require intervention (e.g. forecasts and budgets)

• have systems which communicate variances in budgets and forecasts at appropriate frequency to allow action to be taken

• report systematically and promptly to senior management any perceived new risks or failures of existing control measures

Individuals should:

• understand their accountability for individual risks

• understand how they can enable continuous improvement of risk management response

• understand that risk management and risk awareness are a key part of the organisation’s culture

• report systematically and promptly to senior management any perceived new risks or failures of existing control measures

7.2 External Reporting

A company needs to report to its stakeholders on a regular basis setting out its risk management policies and the effectiveness in achieving its objectives.

Increasingly stakeholders look to organisations to provide evidence of effective management of the organisation’s non-financial performance in such areas as community affairs, human rights, employment practices, health and safety and the environment.


Good corporate governance requires that companies adopt a methodical approach to risk management which:

• protects the interests of their stakeholders

• ensures that the Board of Directors discharges its duties to direct strategy, build value and monitor performance of the organisation

• ensures that management controls are in place and are performing adequately

The arrangements for the formal reporting of risk management should be clearly stated and be available to the stakeholders.

The formal reporting should address:

• the control methods - particularly management responsibilities for risk management

• the processes used to identify risks and how they are addressed by the risk management systems

• the primary control systems in place to manage significant risks

• the monitoring and review system in place

Any significant deficiencies uncovered by the system, or in the system itself, should be reported together with the steps taken to deal with them.

8. The Structure and Administration of Risk Management

8.1 Risk Management Policy

An organisation’s risk management policy should set out its approach to and appetite for risk and its approach to risk management. The policy should also set out responsibilities for risk management throughout the organisation.

Furthermore, it should refer to any legal requirements for policy statements eg. for Health and Safety.

Attaching to the risk management process is an integrated set of tools and techniques for use in the various stages of the business process.

To work effectively, the risk management process requires:

• commitment from the chief executive and executive management of the organisation

• assignment of responsibilities within the organisation

• allocation of appropriate resources for training and the development of an enhanced risk awareness by all stakeholders.

8.2 Role of the Board

The Board has responsibility for determining the strategic direction of the organisation and for creating the environment and the structures for risk management to operate effectively.

This may be through an executive group, a non-executive committee, an audit committee or such other function that suits the organisation’s way of operating and is capable of acting as a ‘sponsor’ for risk management.

The Board should, as a minimum, consider, in evaluating its system of internal control:

• the nature and extent of downside risks acceptable for the company to bear within its particular business

• the likelihood of such risks becoming a reality

• how unacceptable risks should be managed

• the company’s ability to minimise the probability and impact on the business


• the costs and benefits of the risk and control activity undertaken

• the effectiveness of the risk management process

• the risk implications of board decisions

8.3 Role of the Business Units

This includes the following:

• the business units have primary responsibility for managing risk on a day-to-day basis

• business unit management is responsible for promoting risk awareness within their operations; they should introduce risk management objectives into their business

• risk management should be a regular management-meeting item to allow consideration of exposures and to reprioritise work in the light of effective risk analysis

• business unit management should ensure that risk management is incorporated at the conceptual stage of projects as well as throughout a project

8.4 Role of the Risk Management Function

Depending on the size of the organisation the risk management function may range from a single risk champion, a part time risk manager, to a full scale risk management department.

The role of the Risk Management function should include the following:

• setting policy and strategy for risk management

• primary champion of risk management at strategic and operational level

• building a risk aware culture within the organisation including appropriate education

• establishing internal risk policy and structures for business units

• designing and reviewing processes for risk management

• co-ordinating the various functional activities which advise on risk management issues within the organisation

• developing risk response processes, including contingency and business continuity programmes

• preparing reports on risk for the board and the stakeholders

8.5 Role of Internal Audit

The role of Internal Audit is likely to differ from one organisation to another.

In practice, Internal Audit’s role may include some or all of the following:

• focusing the internal audit work on the significant risks, as identified by management, and auditing the risk management processes across an organisation

• providing assurance on the management of risk

• providing active support and involvement in the risk management process

• facilitating risk identification/assessment and educating line staff in risk management and internal control

• co-ordinating risk reporting to the board, audit committee, etc

In determining the most appropriate role for a particular organisation, Internal Audit should ensure that the professional requirements for independence and objectivity are not breached.


8.6 Resources and Implementation

The resources required to implement the organisation’s risk management policy should be clearly established at each level of management and within each business unit.

In addition to other operational functions they may have, those involved in risk management should have their roles in co-ordinating risk management policy/strategy clearly defined. The same clear definition is also required for those involved in the audit and review of internal controls and facilitating the risk management process.

Risk management should be embedded within the organisation through the strategy and budget processes. It should be highlighted in induction and all other training and development as well as within operational processes e.g. product/service development projects.

9. Monitoring and Review of the Risk Management Process

Effective risk management requires a reporting and review structure to ensure that risks are effectively identified and assessed and that appropriate controls and responses are in place. Regular audits of policy and standards compliance should be carried out and standards performance reviewed to identify opportunities for improvement. It should be remembered that organisations are dynamic and operate in dynamic environments. Changes in the organisation and the environment in which it operates must be identified and appropriate modifications made to systems.

The monitoring process should provide assurance that there are appropriate controls in place for the organisation’s activities and that the procedures are understood and followed. Changes in the organisation and the environment in which it operates must be identified and appropriate changes made to systems.

Any monitoring and review process should also determine whether:

• the measures adopted resulted in what was intended

• the procedures adopted and information gathered for undertaking the assessment were appropriate

• improved knowledge would have helped to reach better decisions and identify what lessons could be learned for future assessments and management of risks


10. AppendixRisk Identification Techniques - examples

• Brainstorming

• Questionnaires

• Business studies which look at eachbusiness process and describe both theinternal processes and external factorswhich can influence those processes

• Industry benchmarking

• Scenario analysis

• Risk assessment workshops

• Incident investigation

• Auditing and inspection

• HAZOP (Hazard & Operability Studies)

Risk Analysis Methods and Techniques -examples

Upside risk• Market survey

• Prospecting

• Test marketing

• Research and Development

• Business impact analysis

Both

• Dependency modelling

• SWOT analysis (Strengths, Weaknesses, Opportunities, Threats)

• Event tree analysis

• Business continuity planning

• BPEST (Business, Political, Economic, Social, Technological) analysis

• Real Option Modelling

• Decision taking under conditions of risk and uncertainty

• Statistical inference

• Measures of central tendency and dispersion

• PESTLE (Political, Economic, Social, Technical, Legal, Environmental)

Downside risk

• Threat analysis

• Fault tree analysis

• FMEA (Failure Mode & Effect Analysis)


FOR LOCAL INFORMATION, PLEASE CONTACT THE OFFICE OF THE NATIONAL ASSOCIATION

FERMA – Avenue Louis Gribaumont, 1 / B.4 – 1150 Brussels - BELGIUM
Tel: +32 2 761 94 32 – Fax: +32 2 771 87 20 – Email: [email protected] – Website: www.ferma.eu

AGERS - Asociación Española de Gerencia de Riesgos y Seguros
Príncipe de Vergara, 86 - 1ª Esc., 2º Izda. – 28006 Madrid - SPAIN
Tel: +34 91 562 84 25 – Fax: +34 91 590 07 80 – Email: [email protected] – www.agers.es

AIRMIC - The Association of Insurance and Risk Managers
Lloyd’s Avenue, 6 – London EC3N 3AX - UK
Tel: +44 207 480 76 10 – Fax: +44 207 702 37 52 – Email: [email protected] – www.airmic.com

AMRAE - Association pour le Management des Risques et des Assurances de l'Entreprise
Avenue Franklin Roosevelt, 9-11 – 75008 Paris - FRANCE
Tel: +33 1 42 89 33 16 – Fax: +33 1 42 89 33 14 – Email: [email protected] – www.amrae.fr

ANRA - Associazione Nazionale dei Risk Manager e Responsabili Assicurazioni Aziendali
Via del Gonfalone 3, I-20123 Milano - ITALY
Tel: +39 02 58 10 33 00 – Fax: +39 02 58 10 32 33 – Email: [email protected] – www.anra.it

APOGERIS - Associação Portuguesa de Gestão de Riscos e Seguros
Avenida da Boavista, 1245, 3a Esq. – 4100-130 Porto – PORTUGAL
Tel: +351 22 608 24 62 – Fax: +351 22 608 24 73 – E-mail: [email protected] – www.apogeris.pt

ASPAR CR - Association of Insurance and Risk Management of the Czech Republic o.s.
Nad Ohradou 7 – 13000 Praha 3
Tel: +420 602 384 256 – Email: [email protected]

BELRIM - Belgian Risk Management Association
Rue Gatti de Gamond, 254 – 1180 Bruxelles - BELGIUM
Tel: +32 2 389 23 95 – Fax: +32 2 389 22 72 – Email: [email protected] – www.belrim.com

BfV - Bundesverband firmenverbundener Versicherungsvermittler und -Gesellschaften e.V.
c/o Mr Hans-Otto GEIGER – Postfach 1916 – D-67209 Frankenthal – GERMANY
Tel: +49 6233 86 2507 - Fax: +49 6233 86 2507 - Email: [email protected] – www.bfv-fvv.de

BRIMA - Bulgarian Risk Management Association
101, Tzarigradsko chausse, floor 4 – Sofia 1113 – BULGARIA
Tel: +359 878 100292 – Fax: +359 2 971 0702 – Email: [email protected] – www.brima.biz

DARIM - DI's Risk Management Forening
DK-1787 Copenhagen – DENMARK
Tel: +45 33 77 33 77 – Fax: +45 33 77 33 00 – Email: [email protected] – www.di.dk

DVS - Deutscher Versicherungs-Schutzverband e.V.
Breite Strasse 98 - D 53111 Bonn - GERMANY
Tel: +49 228 98 22 30 - Fax: +49 228 63 16 51 - Email: [email protected] – www.dvs-schutzverband.de

FINNRIMA - Finnish Risk Management Association
Talvikkitie 40 A 33, 01300 Vantaa – FINLAND
Tel: +358 9 5607 5361 – Fax: +358 9 5607 5365 – Email: [email protected] – www.srhy.fi

NARIM - Nederlandse Associatie van Risk en Insurance Managers
P.O. Box 65707 - 2506 EA Den Haag – THE NETHERLANDS
Tel: +31 70 345 7426 – Fax: +31 70 427 3263 – Email: [email protected] – www.narim.com

POLRISK - Polish Risk Management Association
ul. Rzymowskiego 30 lok. 424 - 02-697 Warszawa - POLAND
Tel: +48 22 331 8121 – Fax: +48 22 331 81 22 – Email: [email protected] – www.polrisk.pl

RUSRISK - Russian Risk Management Society
Expert Institute, Staraya Ploshchad 10/4, Moscow, 103070 – RUSSIA
Tel: +7 495 231 53 56 - Fax: +7 495 231 53 56 - Email: [email protected] – www.rrms.ru

SIRM - Swiss Association of Insurance and Risk Managers
Gutenbergstrasse 1, Postfach 5464, CH-3001 Bern - SWITZERLAND
Tel: +41 31 388 87 89 – Fax: +41 31 388 87 88 – Email: [email protected] – www.sirm.ch

SWERMA - Swedish Risk Management Association
Gränsvägen 15 - SE-135 47 Tyresö - SWEDEN
Tel: +468 742 13 07 - Fax: +468 798 83 11 - E-mail: [email protected] – www.swerma.se

ALARM - The National Forum for Risk Management in the Public Sector
Queens Drive, Exmouth - Devon, EX8 2AY
Tel: +44 1395 223399 - Fax: +44 1395 223304 - Email: [email protected] - www.alarm-uk.com

IRM - The Institute of Risk Management
6 Lloyd’s Avenue - London EC3N 3AX
Tel: +44 20 7709 9808 - Facsimile: +44 20 7709 0716 - Email: [email protected] - www.theirm.org