
References

This document contains typical activity solutions and additional information referred to
during the course.

Table of contents:
Activity 1: Overall tasks................................................................................................... 2
Activity 2: Baseline gap analysis ...................................................................................... 3
Activity 3: Create a Gantt chart........................................................................................ 4
Activity 4: Determine leadership, commitment and integration ........................................... 4
Activity 5: Understanding organizational context ............................................................... 5
Activity 6: Risk management policy .................................................................................. 7
Activity 7: Determine communication and consultation approach: Framework process .......... 8
Activity 8: Evaluation and improvement ............................................................................ 9
Activity 9: Determine communication and consultation approach: Risk management process ...... 10
Activity 10: Determine the scope ................................................................................... 10
Activity 11: Determine the risk criteria............................................................................ 11
Activity 12: Risk identification ........................................................................................ 13
Activity 13: Analyse and evaluate risks ........................................................................... 15
Activity 14: Determine risk treatment options ................................................................. 16
Activity 15: Create a risk treatment plan ......................................................................... 17
Activity 16: Determine recording and reporting ............................................................... 18
Activity 17: Your implementation feedback to management ............................................. 18

RMG02101ENME v3.0(AD02) Nov 2019 ©The British Standards Institution 2019 1 of 18



Activity 1: Overall tasks

1. Obtain top management commitment to integrating risk management with the overall management systems
2. Determine the external and internal context in which your organization is seeking to achieve its objectives
3. Articulate risk management commitment through a policy statement demonstrating organization objectives and commitment to risk management
4. Assign roles, authorities, responsibilities and accountabilities for relevant roles with respect to risk management
5. Establish a communication and consultation approach
6. Develop an appropriate implementation plan based on the gap analysis and Gantt chart
7. Measure the risk management framework performance against its purpose, implementation plans, indicators and expected behaviour
8. Create an action plan to adapt the risk management framework to address external and internal changes




Activity 2: Baseline gap analysis

This questionnaire can be kept by delegates and used again to track progress towards a fully
implemented risk management framework. Target scores and what they indicate about the
companies concerned:

Benchmarking delegate score (0-20 points): 80 – 100% gap

There is every chance that their operation is running at higher levels of risk. They have below average controls on their processes and their risk management. They could be exposed to unacceptably high levels of liability. This may make financial institutions reconsider any long-term loans. If they are a service provider, they know little about their indirect effects, and could be denying themselves an improved marketing position.

Benchmarking delegate score (21-50 points): 50 – 80% gap

They may well have identified some elements within their organization that have the capacity to help them manage risk. They may even have undertaken some risk management related initiatives, but as yet they are content to cope with problems as they appear, rather than choose a more proactive approach. It may be that they have no sense that risk issues are central to the continued sustainability of their company and, as long as their current arrangements continue to keep them in compliance with the law on a day-to-day basis, they see no reason to engage in any activity that changes the situation. As a result, they are missing out on business improvement, extra profits and increased client/wider societal care.

Benchmarking delegate score (51-70 points): 30 – 50% gap

They have already begun to identify those risk management issues that are pertinent to their company and its stakeholders. They have the building blocks of risk management in place, and probably have some good in-house technical expertise currently focused on other work. They may have controlled activities on site, with extremely good technology that ensures incidents are kept to a minimum.

Benchmarking delegate score (71-90 points): 10 – 30% gap

They already have a fledgling risk management policy in place. It may be that it has not been very long in existence and is still generating its first useful information. They have come a substantial way towards reaching their target and they are well on the way to being ready for verification by an outside body.

Benchmarking delegate score (91-100 points): 0 – 10% gap

It is unclear what their objective is in attending this course. Their score indicates that they are already among the foremost proponents of risk management, and would gain little from this training, unless they are sitting with many of their suppliers whom they wish to encourage down a similar path.



Activity 3: Create a Gantt chart

Please complete the examples in your Toolkit. This will be available to you on a memory stick
as well.

Activity 4: Determine leadership, commitment and integration

Sample answer

Four main areas that will demonstrate leadership and commitment in your organization
(Clause 5.2):
• Customizing and implementing all components of the framework
• Issuing a statement or policy that establishes a risk management approach, plan or
course of action
• Ensuring that the necessary resources are allocated to managing risk
• Assigning authority, responsibility and accountability at appropriate levels within the
organization

Four areas/functions in your organization where decisions are taken (Clause 5.3):
• Strategic decisions – Board level
• Operational decisions – CEO level
• Functional decisions – Vertical head level
• Day-to-day decisions – Function/project level

Planning to integrate risk management in decision points:

Strategic level
• Decisions on mergers/de-mergers, growth, cross-boundary, considering more options
during strategy selection

Tactical level
• Considerations to decision on approach to implement strategy

Operational level
• Day to day working; decision on risk taking/mitigation
• Project risk
• Decision on impact/probability criteria
• Decision on conflicting interests




Activity 5: Understanding organizational context

Example answer: Telecom Company

Purpose of organization:
Telecom Company is an IT support and services provider. The organization’s purpose is to
provide IT support and hosting services to both public and private sector organizations.

Internal and external issues may include but are not necessarily limited to the following:

Internal issues:
• Structure of the organization
• Roles within the organization
• Availability of a reliable, qualified and competent workforce
• Stability of the workforce
• Staff retention
• Impact of unionization
• Staff training levels
• Contractual arrangements with customers
• Payment terms from customers
• Solvency of customers
• Expansion of customer base
• Overall strength of business to support funding needs
• Opportunities to improve technology e.g. leasing of equipment
• Power consumption
• Data Centre capacity (physical and environmental)
• Resilience of infrastructure
• Relationship with investors
• Credit terms available
• Service level agreements with customers
• Culture within the organization




External issues:
• Political, economic, social, technological, legal and regulatory
• Environmental e.g. power consumption, recycling or destruction of equipment etc.
• Overall economic performance in the country
• Economic plans for the future
• The nature and impact of the economy on the hosting market
• Customer demographic
• General levels of consumer confidence
• Growth of outsourcing business
• Competitive environment – overall low cost of entry into the market
• Customer expectation
• Standardization and certification within the industry
• Fuel prices – international pressures, domestic market pressures, government
taxation regime, etc.
• Regulation within the industry generally
• Licensing requirements in respect of software
• Trade associations and lobbying powers
• Impact on neighbours




Activity 6: Risk management policy

Example

ABC Risk management policy statement

The objective of this policy is to implement the highest standards of business risk
management across the organization.

ABC is committed to the effective identification, mitigation and management of risk as an integral part of the organization’s overall approach to governance. As such, this policy outlines the strategic approach and steps that ABC takes to ensure effective risk management throughout the whole of the organization and in every activity the organization undertakes.

ABC defines risk as events and consequences that constitute opportunities for benefit and
also threats to success.

The Board recognizes its responsibility for knowing and understanding the most significant
risks facing the organization and for ensuring that the risk management framework is
effective in the management of risk and is clearly embedded throughout the whole
organization.

All employees have the duty to identify and escalate risks through their line management.
Managers at all levels are responsible for ensuring that risks to their activities are identified,
recorded, assessed and managed on an agreed basis.

The risk management framework outlines the process of achieving successful risk
management by identifying the key elements required and the process for implementation.

The organization’s risk appetite will be identified and set annually by the Board and
communicated throughout the organization. All risks identified must be treated appropriately
to bring them within the organization’s risk appetite. Deviation from this process is only
permissible with the express approval of the Board.

Risks will be reported and reviewed monthly by the Executive and biannually by the Board. Regional and functional risks will be reviewed in accordance with the review program laid out in the risk management framework. The Board will also review the effectiveness of the risk management framework and risk management program.

Signed
CEO




Activity 7: Determine communication and consultation approach: Framework process

Some examples of what needs to be communicated internally by top management may include:
• The risk policy
• The risk appetite statement
• Changes to strategic directions and objectives of the organization
• Learning from incidents
• Business forecasts that may impact the business objectives

Some examples of what needs to be communicated (high risks) to the oversight body and top management may include:
• Results of risk assessment
• Key risk indicators (leading and lagging)
• Results of audits
• Feedback from interested parties/stakeholders

Some examples of voluntary communications could include:
• Frauds
• Whistle-blowing events
• Social media incidents impacting the reputation of your organization




Activity 8: Evaluation and improvement

Some areas/functions that need monitoring and review could be:
• Implementation of the risk management framework against the project plan
• Training needs identification vs. completion
• Awareness programs and their effectiveness
• Status of changes to internal and external context
• Legal/regulatory updates
• Organization’s performance measurement (upward/downward trends)
• Results of audits and status of improvements

The oversight body may be required to fulfil some of these responsibilities as part of evaluation and improvement:
• Supporting senior management in establishing the risk appetite and monitoring compliance with the organization’s risk policy
• Monitoring the adequacy of controls
• Monitoring changes to the organization’s risk profile
• Assisting the organization to understand its key risks
• Periodically reviewing the effectiveness, appropriateness and adequacy of the risk management and reporting process




Activity 9: Determine communication and consultation approach: Risk management process

When identifying and analysing risks, it’s important to include all stakeholders who would be impacted if the risk were to materialize. Please find an example below:

Risk identification: Loss of customer information

We could consult with:
• IT
• All staff that have access to the information
• The account manager of the client whose data is at stake

Consultation we could seek:

We would seek to gather all information necessary to describe the risk; what could happen,
why and how.

At this stage, it’s also important to identify the risk owner.

Risk analysis: Once again, you would need to consult experienced employees/staff on how to
ascertain the probability of the risk identified as well as what the impact would be. An
individual may NOT have the complete information; hence the need for communications and
consultation.

Activity 10: Determine the scope

This is the first stage of the risk process and needs to address the following questions:

1. What is the objective of conducting the risk assessment?
   For example: information security, health and safety, business continuity, strategic options decision making, etc.

2. What decisions would be made as an outcome of this activity?
   For example: take action to mitigate/pursue the activity – risk/opportunity decision making

3. What activities would be included and what would be excluded?
   For example: HR, IT, projects, client accounts, locations, departments, etc.

4. What tools/approach will be taken?
   For example: risk assessment techniques such as brainstorming, ‘what if’ analysis, probability/impact matrix, FMEA, etc.

5. Relationship with other projects/activities
   List interdependencies – internal/external



Activity 11: Determine the risk criteria

Determining the risk criteria is the first and the most critical step in the risk assessment process.

Sample likelihood criteria covering the following areas are provided in the table below:
• Financial
• Operational
• Legal/contractual
• Customer satisfaction

Likelihood Criteria (examples)

High (3): 1 or more incidents per month OR no controls exist to prevent incidents OR controls not fit for purpose OR project involves agents OR is executed in a country with high bribery risk OR involves a business sector prone to high risk of bribery (refer to list of countries and sectors)

Med (2): Not more than 1 incident per quarter OR controls present but not measured or not reported OR country and sector risk is high but does NOT involve any agent

Low (1): Not more than one incident per annum OR multiple controls exist and are measured AND reported periodically (PDCA evident)




Sample impact criteria covering the following areas are provided in the table below:
• Financial
• Operational
• Legal/contractual
• Customer satisfaction

Impact Criteria (examples)

High (3): Financial loss above $10000; OR SLA not being met for more than 10 clients; OR contract violations amounting to heavy penalties in one quarter; OR customer satisfaction issue severe in nature and escalated at a global level

Med (2): Financial loss greater than $5000 and less than $10000; OR SLA not being met for more than 5 clients; OR contract violations amounting to moderate penalties half yearly; OR customer satisfaction issue moderate in nature and escalated regionally

Low (1): Financial loss less than $5000; OR SLA not being met for less than 5 clients; OR contract violations amounting to minor penalties once in a year; OR customer satisfaction issue minor in nature and locally resolved



Activity 12: Risk identification

Please find examples under each category below. Make sure to note down examples
provided by other groups.

Financial risk
Financial loss in revenue due to loss of customer base arising due to competition bringing
down their sale price.


Operational risk
Penalties imposed by clients due to SLAs not met arising due to non-availability of skilled
staff.


Legal risk
Notice by the local municipality to close down premises; due to failure to produce fire
clearance required by the law.


Customer satisfaction
CSAT results falling due to failure of the company to address the issues arising due to
customer details having incorrect/incomplete details in the system database.





Additional risk examples

1. Unauthorized access by external party, leading to compromise of customer information, due to lack of sufficient network controls, i.e. firewalls
2. Power failure leading to unavailability of customer services due to lack of sufficient power backup such as UPS and diesel generator
3. User error, resulting in a loss of integrity of customer information due to a lack of sufficient staff training
4. Loss of customer information due to poor backup processes
5. Unauthorized access by customer to confidential information due to lack of segregation between client information / environments
6. Unauthorized access by external party leading to compromise of customer information due to a lack of patch management
7. Increased security incidents, which impact confidentiality, integrity or availability of organization’s and customer information due to the lack of skilled staff
8. Unauthorized access by internal party leading to compromise of customer information due to a lack of appropriate pre-employment screening
9. Unforeseen events leading to prolonged loss of availability of services due to a lack of business continuity planning
10. Unauthorized physical access to the data centre leading to a compromise of customer information due to a lack of physical security
11. Unauthorized disclosure of confidential customer information due to insufficient control over email usage
12. Failure of operational software, leading to unavailability of customer systems due to poor change management
13. Failure of IT hardware, leading to unavailability of customer systems due to poor equipment maintenance by an approved third party
14. Failure of operational software, leading to integrity issue of information due to poor malware protection
15. Unauthorized external access to personal data, leading to a breach of personal data protection laws due to an increase in the use of bring your own devices (BYOD)



Activity 13: Analyse and evaluate risks

Sample answer

Risk evaluation

Risk ID | Risk description | Probability (P): H = 3, M = 2, L = 1 | Impact (I): H = 3, M = 2, L = 1 | Risk value (P * I) | Risk evaluation: H (>=6), M (>=3 and <=6), L (<3)
1 | Financial loss in revenue due to loss of customer base arising due to competition bringing down their sale price | 1 | 2 | 2 | Low
2 | Penalties imposed by clients due to SLAs not met arising due to non-availability of skilled staff | 2 | 3 | 6 | Medium
3 | CSAT results falling due to failure of the company to address the issues arising due to customer details having incorrect/incomplete details in the system database | 3 | 3 | 9 | High
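The scoring in this table worked through in code, as an added example that is not part of the BSI course material: risk value = P * I with H = 3, M = 2, L = 1, then banded into Low, Medium or High. The header's bands H (>=6) and M (<=6) overlap at the value 6, and the worked answer rates risk 2 (value 6) as Medium, so the code treats High as strictly greater than 6. It also applies the Activity 6 policy rule that risks above the appetite must be treated or need express Board approval; the appetite level "Medium" is an assumption for illustration, and the three sample risks are the ones in this table.

```python
"""Risk evaluation as in Activity 13, worked through in code.

Added example; not part of the BSI course material. Banding follows the
worked answer (a risk value of 6 is Medium), so High is strictly above 6.
The risk appetite level used for the escalation check is an assumption.
"""
from dataclasses import dataclass

# Probability and impact scores from the course's likelihood and impact criteria.
SCORES = {"H": 3, "M": 2, "L": 1}
# Ordering of the evaluation bands, used to compare a rating with the risk appetite.
BAND_ORDER = {"Low": 0, "Medium": 1, "High": 2}


@dataclass(frozen=True)
class Risk:
    risk_id: int
    description: str
    probability: str  # "H", "M" or "L"
    impact: str       # "H", "M" or "L"


def risk_value(probability: str, impact: str) -> int:
    """Risk value = P * I with H = 3, M = 2, L = 1."""
    return SCORES[probability] * SCORES[impact]


def evaluate(value: int) -> str:
    """Band a risk value: Low below 3, Medium from 3 to 6, High above 6."""
    if value < 3:
        return "Low"
    if value <= 6:
        return "Medium"
    return "High"


def band_matrix() -> dict:
    """Every (P, I) combination and its band: the full 3x3 evaluation matrix."""
    return {(p, i): evaluate(risk_value(p, i)) for p in SCORES for i in SCORES}


def evaluate_register(risks: list) -> list:
    """Score and band each risk, highest risk value first (ties keep register order)."""
    rows = []
    for r in risks:
        value = risk_value(r.probability, r.impact)
        rows.append({"risk_id": r.risk_id, "description": r.description,
                     "P": SCORES[r.probability], "I": SCORES[r.impact],
                     "value": value, "evaluation": evaluate(value)})
    return sorted(rows, key=lambda row: -row["value"])


def needs_board_approval(rows: list, appetite: str = "Medium") -> list:
    """Risk IDs rated above the appetite (assumed 'Medium' here): under the
    Activity 6 policy these need treatment or express Board approval."""
    return [row["risk_id"] for row in rows
            if BAND_ORDER[row["evaluation"]] > BAND_ORDER[appetite]]


# The three risks from the Activity 13 sample answer, with its P and I ratings.
SAMPLE_RISKS = [
    Risk(1, "Financial loss in revenue due to loss of customer base arising due to "
            "competition bringing down their sale price", "L", "M"),
    Risk(2, "Penalties imposed by clients due to SLAs not met arising due to "
            "non-availability of skilled staff", "M", "H"),
    Risk(3, "CSAT results falling due to failure of the company to address the issues "
            "arising due to customer details having incorrect/incomplete details in "
            "the system database", "H", "H"),
]

if __name__ == "__main__":
    register = evaluate_register(SAMPLE_RISKS)
    for row in register:
        print(f"{row['risk_id']}: P={row['P']} I={row['I']} "
              f"value={row['value']} -> {row['evaluation']}")
    print("Above assumed appetite, escalate to Board:", needs_board_approval(register))
```

Running the block reproduces the table's three results (2 Low, 6 Medium, 9 High) and flags risk 3 as the one needing Board attention under the assumed Medium appetite; `band_matrix()` shows that with 1-3 scores only the H/H combination reaches High, which is worth knowing before adopting these thresholds as they stand.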




Activity 14: Determine risk treatment options

Sample answer

Risk ID | Risk description | Risk evaluation: H (>=6), M (>=3 and <=6), L (<3) | Risk treatment option chosen: Accept, Mitigate, Transfer, Avoid
1 | Financial loss in revenue due to loss of customer base arising due to competition bringing down their sale price | Low | Accept
2 | Penalties imposed by clients due to SLAs not met arising due to non-availability of skilled staff | Medium | Mitigate
3 | CSAT results falling due to failure of the company to address the issues arising due to customer details having incorrect/incomplete details in the system database | High | Mitigate (High Priority)




Activity 15: Create a risk treatment plan

Sample answer

Risk ID | Risk description | Risk treatment option chosen | Rationale | Accountability | Proposed action | Performance measures | Reporting/monitoring
1 | Financial loss in revenue due to loss of customer base arising due to competition bringing down their sale price | Low (Accept) | May exceed risk appetite; need to monitor closely | CFO | Market survey | Increase in customer base | Quarterly review
2 | Penalties imposed by clients due to SLAs not met arising due to non-availability of skilled staff | Medium (Mitigate) | Meet customer expectation | Account Manager | Hire skilled manpower | SLA performance measurement | Initially weekly, then quarterly
3 | CSAT results falling due to failure of the company to address the issues arising due to customer details having incorrect/incomplete details in the system database | High (High priority) | Reputational and customer dissatisfaction | Sales Director | Procure tool for integrity of data | Audit | Weekly



Activity 16: Determine recording and reporting

Some examples of what needs to be recorded and reported could include:

1. Report results of risk assessment
2. Record assumptions made during assessment
3. Report and obtain approval for risks accepted outside the risk appetite
4. Weaknesses in existing controls
5. Results of monitoring and review
6. Results of audits (internal and external)
7. New threats reported
8. Changes to risk criteria basic incidents reported

Activity 17: Your implementation feedback to management

Possible topic areas include:


• Benefits of implementing for your organization
• Your baseline gap analysis - extent of work left to do?
• Suggested risk management scope
• Decisions on milestones, completion, certification, etc.
• Resources to fill gaps, hit milestones, etc.
• Top management involvement - their tasks?
• Specific tasks requiring additional training e.g. internal or second party auditing
• Critical paths, blockers?
• Strengths we already have in our existing management system
• Strategy and regulatory requirements to be included
• Risk-based thinking challenges for any other standards implemented?
• Your proposed actions and agreed actions
• etc.
