1、| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | BRITISH STANDARD BS 6079-3:2000 ICS 03.100
2、.50 NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAW Project management Part 3: Guide to the management of business related project riskThis British Standard, having been prepared under the direction of the Management Systems Sector Committee, was published under the authority
3、of the Standards Committee and comes into effect on 15 January 2000 BSI 01-2000 The following BSI references relate to the work on this standard: Committee reference MS/2 Draft for comment 99/402000 DC ISBN 0 580 33122 9 BS 6079-3:2000 Amendments issued since publication Amd. No. Date Comments Commi
4、ttees responsible for this British Standard The preparation of this British Standard was entrusted by Technical Committee MS/2, Project Management, upon which the following bodies were represented: Association of Project Managers BEAMA Ltd. British Computer Society British Standards Society British
5、Telecommunications plc Chartered Inst. of Management Accountants Federation of the Electronics Industry Fellowship for Operational Research GAMBICA (BEAMA Ltd.) Health and Safety Executive Highways Agency Institute of Quality Assurance Institution of Civil Engineers Institution of Incorporated Execu
6、tive Engineers Institution of Mechanical Engineers Ministry of Defence Operational Research Society Royal Institution of Chartered Surveyors Society of British Aerospace Companies Ltd. South Bank University Co-opted membersBS 6079-3:2000 BSI 01-2000 i Contents Page Committees responsible Inside fron
7、t cover Foreword ii Introduction 1 1 Scope 3 2 Terms and definitions 3 3 The business related project risk management model 3 4 Undertaking risk management 7 Annex A (informative) Communication in risk management 16 Annex B (informative) Business and risk management tools and techniques 17 Annex C (
8、informative) Risk perception 18 Annex D (informative) Stakeholder analysis 20 Annex E (informative) Common examples of business and project risk 21 Figure 1 The risk management process 2 Figure 2 The relationships between businesses, projects, and sub-projects 4 Figure 3 Business level risk manageme
9、nt steps 8 Figure 4 Project and sub-project level management steps 9 Figure 5 Scheme for evaluating risks 13 Table 1 Decision making levels 5 Table 2 Examples of decision makers 5 Table 3 The relationship between decision making focus, and decision making levels in the context of risk management 6 T
10、able 4 Basic qualitative analysis 12 Table 5 Counter measures 13 Table 6 Opportunities 14ii BSI 01-2000 BS 6079-3:2000 1) This was originally published as BS 6079:1996. 2) In the course of preparation. Foreword This British Standard has been prepared by Technical Committee MS/2. It is a part of a se
11、ries of standards that consists of: Part 1: Project Management Guide to project management 1) ; Part 2: Project Management Vocabulary 2) ; Part 3: Project Management Guide to the management of business related project risk. The publication contains guidance and recommendations. It should not be quot
12、ed as if it were a specification, and should not be used for certification purposes. A British Standard does not purport to include all the necessary provisions of a contract. Users of British Standards are responsible for their correct application. Compliance with a British Standard does not of its
13、elf confer immunity from legal obligations. Summary of pages This document comprises a front cover, an inside front cover, pages i and ii, pages 1 to 21 and a back cover. The BSI copyright notice displayed in this document indicates when the document was last issued. BSI 01-2000 1 BS 6079-3:2000 Int
14、roduction Risk management is a core process within any business or organization regardless of size, activity or sector. Individuals and organizations can lose substantial sums of money as a result of not paying sufficient attention to the identification and management of threats to their goals and t
15、o the projects they commission. Similarly, full advantage cannot be taken of potentially beneficial opportunities arising in the course of their activities if these are not recognized in good time. Risk management is therefore as much about looking ahead to identify further opportunities as it is ab
16、out avoiding or mitigating losses. On a wider level, efficient and effective management of risk can make a significant contribution to the economic and general welfare of society, as well as that of the businesses and projects directly concerned. Although it is often suggested that formal risk manag
17、ement does not begin until the first actual risk assessment has taken place, risks are rarely ignored when initial plans are made, or decisions taken, to proceed with projects. It is simply that it is rare for all risks to be identified and taken into account systematically in the early stages of pl
18、anning. It is well known that managers and their teams generally know what can go wrong and what worthwhile opportunities might occur. Without the benefit of systematic risk analysis however, it is not always possible for them to exploit their knowledge to the full. Even when an analysis is undertak
19、en, a team will not always maintain and update it. Equally, sometimes when risks are foreseen, they are dismissed on the grounds that “it couldnt happen here”. Risk assessment should therefore be seen as part of a continuous review process conducted throughout the life of each project. In this way,
20、the many risks to the business that occur as a consequence of the projects it undertakes, can be identified and actively managed. The benefits of systematic risk identification and risk management include: more realistic business and project planning; actions being implemented in time to be effectiv
21、e; greater certainty of achieving business goals and project objectives; appreciation of, and readiness to, exploit all beneficial opportunities; improved loss control; improved control of project and business costs; increased flexibility as a result of understanding all options and their associated
22、 risks; greater control over innovation and business development; fewer costly surprises through effective and transparent contingency planning. This standard describes a process for identifying, assessing, and controlling risk within a broad framework. The main features of this process are illustra
23、ted in Figure 1. The risk management process described in this standard is applicable for each aspect of the business activity focus at each level of decision making. Projects are the principal means by which a business moves forward. In order to manage risk effectively, the business, project, or su
24、b-project goals need to be clearly identified. This is because it is only in relation to an organizations or individuals specified goals that risk arises. Confusion over project objectives is itself a major cause of project failure. Managing business related project risk involves taking account of b
25、usiness risks that affect its projects and project risks that affect the business. Within any project there are also inherent risks to the project itself, and to its sub-projects. A vital part in clarifying goals and assessing risk is the identification of project and business stakeholders. The guid
26、ance in this standard highlights the importance of stakeholder analysis and suggests that it is integrated into the risk management process. Unless the stakeholders are identified and understood at an early stage the true extent of the management task and the source of much risk can go unrecognized.
27、 Identifying stakeholders also helps define the relationship between the business and its environment and the context in which its projects will be carried out. Not all stakeholders are easily recognizable and there can be many more organizations with influence and vested interests than is readily a
28、cknowledged. Taking stakeholders into account can ensure that planning is much more “viewpoint oriented”. Annexes A to E are informative and give background information for a fuller understanding of associated risk management factors. Annex A describes the importance of effective communication withi
29、n risk management. Annex B gives an overview of management tools that can be used to provide an analytical framework. Annex C describes the significant aspects of risk perception which can impede risk management. Annex D describes the principles involved in stakeholder analysis. Annex E gives a list
30、ing of some common types of business risk.2 BSI 01-2000 BS 6079-3:2000 Figure 1 The risk management process BSI 01-2000 3 BS 6079-3:2000 1 Scope This standard gives guidance on the identification and control of business related risks encountered when undertaking projects. It is applicable to a wide
31、spectrum of project organizations operating in the industrial, commercial and public or voluntary sectors. It is written for project sponsors and project managers, either or both of whom are almost always responsible to higher levels of authority for one or more projects of various types and sizes.
32、It is intended that its application will be proportional to the circumstances and needs of the particular organization. This standard offers generic guidance only and it is not suitable for certification or contractual purposes. It is not intended as a substitute for specific standards that address
33、risk assessment in distinct applications, such as health and safety, or areas of technological risk. NOTE This standard advises that risk management is treated as an integral part of good management practice. Risk management is an iterative process consisting of steps that enable continual improveme
34、nt in decision making. Its effective use depends on the experience and judgement of the practitioners applying the guidance, and not simply on routinely following the steps outlined. 2 Terms and definitions For the purposes of this British Standard the following terms and definitions apply. 2.1 resi
35、dual risk risk remaining after risk treatment measures have been taken 2.2 risk uncertainty inherent in plans and the possibility of something happening (i.e. a contingency) that can affect the prospects of achieving business or project goals NOTE Such contingencies could make the result more or les
36、s satisfactory. 2.3 risk analysis systematic use of available information to: characterize the risks; determine how often the specified events could occur; judge the magnitude of their likely consequences 2.4 risk assessment overall process of risk analysis and risk evaluation 2.5 risk consequence e
37、ffect on the interests and goals of those at risk if a risk event happens or a risky situation materializes 2.6 risk evaluation process used to decide risk management priorities by evaluating and comparing the level of risk against predetermined standards, target risk levels or other criteria 2.7 ri
38、sk identification determination of what could pose a risk 2.8 risk impact a measure of risk consequence 2.9 risk management systematic application of policies, procedures, methods, and practices to the tasks of identifying, analysing, evaluating, treating, and monitoring risk 2.10 risk sharing sprea
39、ding of risk by sharing it with others NOTE This is also referred to as “risk transfer”. 2.11 risk treatment selection and implementation of appropriate options for dealing with risk 2.12 secondary risk risk arising from the risk treatment process 2.13 stakeholder individual, group or organization h
40、aving a vested interest or influence on the business or its projects 2.14 stakeholder analysis process for identifying stakeholders, their interests and influences 3 The business related project risk management model 3.1 General The model outlined in this guide is shaped by two generic perspectives
41、that can be applied to any kind of business or project. These are as follows: a) defining the relationships between the businesses and its projects; b) modelling the decision making processes associated with activities at different levels within either the business or project. (Sub-projects often ex
42、ist within larger projects, some of which can be described as business initiatives but which nonetheless have the same general characteristics.)4 BSI 01-2000 BS 6079-3:2000 Figure 2 The relationships between businesses, projects, and sub-projects The effects of decisions in all parts of the business
43、 and at all levels within the business and its projects can be far reaching and should not be considered in isolation. Good communication between each level of a business and between the business and its projects is essential. Annex A gives guidance on the factors that can play a part in an effectiv
44、e communication strategy. 3.2 The relationship between businesses and projects Businesses operate in an external environment from which they can derive key opportunities and also experience constraints. Sources include other businesses and organizations; markets; governments; regulatory bodies; the
45、legislative framework; the financial system; and society at large. Any business takes inputs from its external environment, and acts on those inputs to produce goods or services, along with other outputs, such as profits, or pollution, which are then returned to the same environment. The nature and
46、extent of these outputs will influence the future of the business. Projects should be viewed in exactly the same way as businesses, because the business or businesses that set up a project are significant elements of that projects external environment. Similarly, a large project can consist of sever
47、al sub-projects, and this larger project then provides the external environment for its sub-projects. The model, shown in Figure 2, shows the nature of business and project relationships relevant to understanding how to manage business related project risks. Three types of relationships can be ident
48、ified as follows. a) Businesses can set up projects in which the inputs and outputs are maintained wholly within the business boundary. EXAMPLE A project that trains staff to undertake new jobs can be carried out by a team from the organizations training department. Project inputs (including risks t
49、o the project from the business), and outputs (including risks to the business from the project), are mostly retained within the business. Risks that can arise from the functioning of the project should also be considered as outputs in this context, and will be wholly retained within the business. b) Businesses can set up projects that are partly within and partly outside the business boundary. EXAMPLE An illustration is where one business contracts with another for the supply of parts required by the first busine
