SMI_views_risk_management_-_May_2011.pdfVIP专享VIP免费原创优质

FromSecurityManagementtoRiskManagementCriticalReflectionsonAidAgencySecurityManagementandtheISORiskManagementGuidelinesMaartenMerkelbachPascalDaudinIssuedby:DISCUSSIONPAPERFromSecurityManagementtoRiskManagement–May2011©SMI,Merkelbach&Daudin2ABOUTTHISPAPERThisDiscussionPaperisproducedbytheSecurityManagementInitiative(SMI).SMIfocusesontopicsofcentralinteresttotheriskandsecuritymanagementcommunityofinternationalaidagencies.SMIofferspolicymakersandpractitionersanoverviewofkeypracticesandconceptualissuesaswellasasummaryoftherecentevolutionofthechosentopic,pointstosomeofthemaindebatesandsuggestsperspectivesformovingforward.Itthusaimstoclarifyandinformthefieldofaidagencyriskandsecuritymanagement.TheauthorsandSMIwelcomereactionsandadditionalsourcesrelativetotheissuescoveredinthispaper.ABOUTTHEAUTHORPascalDaudinisformerDirectoroftheCAREInternationalSafetyandSecurityUnit(CISSU).MaartenMerkelbachisProjectDirectoroftheSecurityManagementInitiative(SMI)attheGenevaCentreforSecurityPolicy(GCSP).ACKNOWLEDGEMENTSManyofthethoughtsandopinionsinthispaperhavebeeninfluencedandinspiredbyremarksandsourcessharedbyothers,eitherbilaterallyoratevents.Weapologizeifwefailedtoattributesomeofthese;thisisunintentional.Dueacknowledgementwillbemadeifourattentionisdrawntosuchoversight.TheauthorswishtothankDr.VincenzoBollettino,PeterLehmannandDr.ir.LeonardvanDuijnfortheirconstructivecommentsandinsightsondraftsofthisPolicyBrief.AppreciationisalsoextendedtotheInternationalOrganizationforStandardization(ISO)inGenevaforgivinguspermissiontouseanumberofthefiguresthatfeatureintheirpublications.LastbutnotleastourthanksgotoEmilySpeersMearsforhercomments,suggestionsandthorougheditorialassistance.Whileallprovidedvaluableinputandfeedbackondrafts,thecontentofthispaperandanyerrorsaretheresponsibilityofSMIalone.SMIexpressesitsgratitudetotheFederalDepartmentofForeignAffairsofSwitzerlandforitsfinancialsupport.FigurestakenfromISO31000:2009,Riskmanagement–PrinciplesandguidelinesandfromIEC/ISO31010,Riskmanagement–Riskassessmenttechniques,arereproducedwiththepermissionoftheInternationalOrganizationforStandardization(ISO).ThisstandardcanbeobtainedformanyISOmemberandfromthewebsiteoftheISOCentralSecretariatatthefollowingaddress:www.iso.org.CopyrightremainswithISO.FromSecurityManagementtoRiskManagement–May2011©SMI,Merkelbach&Daudin3CONTENTSEXECUTIVESUMMARY4I.INTRODUCTION61.Secureaccessandprogramimplementation:twosidesofthesamecoin62.Personalandinstitutionalrisk9II.RISKMANAGEMENT12III.THEINTERNATIONALORGANIZATIONFORSTANDARDIZATION(ISO)ANDISO3100014IV.ISO31000ANDAIDAGENCIES171.Riskasaninstitutionalandgovernanceissue172.Definitionofrisk183.Riskcriteria204.Absorbratherthanacceptrisk225.Riskandwhatis‘atrisk’236.Therelevanceofdutyofcare247.Internalandexternalcontext268.Riskassessment279.Revisiting‘riskthreshold’3110.Risktreatment3211.Riskattitude34V.RISKASSESSMENTTECHNIQUES351.Consequence/probabilitymatrix372.ALARP:‘aslowasreasonablypracticable’403.Fishbonediagram424.Bow-­‐tieanalysis435.Scenarioanalysis44VI.PARTICULARCHALLENGES451.UncertaintyandComplexity452.Resilienceandadaptability49VII.CONCLUSIONSANDRECOMMENDATIONS53Recommendations55SOURCES57FIGURESFigure1–Action,Access,andSafety&Security9Figure2–Treekindsofrisk10Figure3–Relationshipsbetweentheriskmanagementprinciples,frameworkandprocess16Figure4–Relationshipsbetwee...