Documenting the context provides an overview of the organisation, its objectives and specific criteria for business success, the objectives and scope of the risk assessment activity and a set of key elements for structuring the risk identification activity. As part of the planning process, establishing the context is an essential and very important step in the risk assessment process. It is focused on:

• Obtaining an understanding of the subject of the risk assessment activity and its risks.
• Establishing the scope of the risk assessment activity being undertaken.
• Developing a structure for the risk assessment activities.

Elements of context requiring consideration include the internal and external environments of the organisation and the purpose of the risk management activity. The depth of information required relates directly to the size and complexity of the risk management activity being undertaken.

External Context
Defining the external context includes consideration of the external environment in which the organisation operates and understanding the relationship between the environment, external stakeholders and the organisation. The external context may include the:

• Environment - business, social, regulatory, cultural, competitive, financial and political situation.
• SWOT - organisation's strengths, weaknesses, opportunities and threats.
• Stakeholders - objectives and expectations of individuals, groups and organisations with a significant interest in the business.

Internal Context
Defining the internal context includes documenting the key aspects of the business and may include:

Risk Management Context

Defining the risk management context includes establishing key information related to the subject (activity, project, organisation etc) to which the risk assessment process is being applied. This includes defining the:

• Goals and objectives of the risk assessment activity.
• Scope and parameters of the risk assessment, including specific inclusions and exclusions.
• Identification of data sources to be utilised.
• Risk assessment approach to be utilised.
• Reporting and recording requirements.
• Relationship of the risk assessment with other business activities and plans.
• Criteria against which risks are to be evaluated, such as how likelihood will be defined, the kinds of consequences that will be considered and what level of risk will require further risk reduction treatment.
• Key components - the subject of the risk assessment is best broken down into parts or key topics. This establishes a framework to facilitate risk identification for each part, one by one. It provides for consideration of all areas of risk and formulation of a comprehensive list of risks. The manner of establishing and selecting key topics will depend on the objectives of the risk assessment activity and the issues of concern.