First Draft (April 2016) – Risk management guidelines presented during the "Workshop on risk management practices in Statistical Organizations", held in Geneva on 25-26 April 2016.
Second Draft (July 2016) – Review of risk management guidelines after the "Workshop on risk management practices in Statistical Organizations", according to the observations and suggestions received by the NSOs participating in the Survey.
The following paragraphs/chapters have been revised:
- Foreword: “what risk is and why risk management is relevant” statements added (page 9-11);
- Risk Nomenclature and definitions: meaning of Risk Plan clarified (page 17);
- Risk appetite: Risk Appetite and Risk Profile issues implemented (page 18-20);
- Risk management commitment: paragraph revised as required (page 20);
- Risk management approach: example of “mixed approach” clarified (Fig. 2, page 23);
- Internal control according to a risk-based approach: relationships between internal controls and risks clarified (page 24-26);
- Integration with GAMSO: proposal to align GAMSO and risk management process added referring to the integration between risk and quality management (page 27);
- Roles and Responsibilities: responsibility of the “governing board” clarified (page 31);
- Monitoring and Review of the Framework: the importance of periodically reviewing the risk management maturity level underlined (page 34);
- Review Audit Report: the importance of the audit report in aligning risks with internal controls underlined (page 37);
- Communicating risks: the importance of documenting risk communication in the Risk Management/Internal Communication Plan underlined (page 42-44);
- Establishing the context: the importance of risk maturity assessment in order to successfully implement a risk management policy underlined (page 46-47);
- Risk treatment: the differences between mitigation actions and contingency actions clarified (page 61);
- References: the standard ISO 27000 “Information technology – Security techniques – Information security management systems – Requirements” quoted in “References”.
The following paragraphs/chapters have been included/added:
- Risk management approaches: paragraph on risk management approaches (top-down, bottom-up) implemented (page 21-22);
- paragraph on risk identification modified (page 50);
- Risk management Maturity Model paragraph added (page 76);
- Risk Appetite: UK case study added (page 9-11, Annex);
- Risk Maturity Model: UK Case study added (page 29-34, Annex);
- Risk Maturity Model combining both international standards and analysis of surveys on risk management practices results added (page 35-42, Annex)
Third Draft (October 2016) – Risk management guidelines integrated with the analysis of results from the III Survey “What was most successful, What was most Difficult, What not to do when implementing risk management in NSOs’ experiences” (July – September 2016).
The following chapters have been included/added:
a) Lessons Learned (page 85): new chapter analysing the results of the 3rd survey on risk management practices.
b) Summary table of the 3rd survey results on risk management practices (page 36-48, Annex).