Reference Document: ISO31000

Version Number: 1.0

Release Date: May 2024

 

1. Introduction

The Deanship of Digital Transformation and Knowledge Resources of Najran University is committed to implementing an integrated risk management framework in accordance with ISO 31000:2018 and in line with national cybersecurity policies and the requirements of the Digital Government Authority and the Ministry of Education. This policy aims to strengthen the Deanship's ability to anticipate, analyze, and treat risks effectively, which helps protect resources and assets, ensure business continuity, and support the University's strategic objectives.

2. The Purpose

  • Establish a methodological framework for risk management at all levels.
  • Enable decision-makers to manage risks within an approved risk tolerance level.
  • Ensure that risks are linked to the strategic and operational objectives of the University.
  • Support business continuity and integrate with the ISO 22301 Business Continuity Management System.

3. Application Scope

This policy applies to:

  • All departments and units affiliated with the Deanship.
  • Systems, digital services, infrastructure, data, human resources, and vendors.
  • Operational activities, projects, and digital initiatives.

4. General Principles

  • Comprehensiveness: Manage risks of all types (strategic, operational, technical, financial, legal, security).
  • Integration: Link risks with business continuity plans and digital governance.
  • Participation: Engage all employees and stakeholders in identifying and assessing risks.
  • Transparency: Document all stages of risk management in the approved Risk Log.
  • Compliance: Adhere to national regulations (Supreme Orders – Cabinet Decisions – Council of Ministers Policies – Ministry of Education Requirements).
  • Continuous Improvement: Review and update policies and procedures on a regular basis.

5. The Methodology

  1. Risk Identification: Identify potential risks related to operations and services.
  2. Risk Analysis: Assess risks (Probability x Impact) using the approved Risk Matrix.
  3. Risk Assessment: Determine the risk level (Low – Medium – High – Critical).
  4. Risk Treatment: Select one of the methods (Avoid – Reduce – Transfer – Accept).
  5. Follow-up and Review: Periodically monitor the risk status and the measures taken.
  6. Documentation: Record data in the risk log, including:
     • Risk Name
     • The Reasons
     • The Effects
     • Related Objectives
     • Assessment Level Before / After Processing
     • Responsible Owner
     • Preventive/Treatment Measures
     • Status (Applied – Proposed – Open – Archived)