Everything you wanted to know about Management of Risk (M_o_R®) in less than 1000 words White Paper
- White Paper
- Risk management
March 23, 2021
8 min read
The Management of Risk (M_o_R®) guide is intended to help organizations put in place an effective framework for risk management. This will help them take informed decisions about the risks that affect their strategic, programme, project or operational objectives.
M_o_R defines risk as ‘an uncertain event or set of events which, should it occur, will have an effect on the achievement of objectives. A risk is measured by the combination of the probability of a perceived threat or opportunity occurring and the magnitude of its impact on objectives’. Within this definition, ‘threat’ is used to describe an uncertain event that would have a negative impact on objectives and ‘opportunity’ is used to describe an uncertain event that would have a favourable impact on objectives.
The first edition of this guide was published in 2002 in response to the Turnbull Report [1], to provide a generic framework for risk management across all parts of an organization.
The second edition, published in 2007, was produced to reflect the further developments in the world of risk management, such as:
- In the UK public sector, HM Treasury had revised its Orange Book, which outlines the principles and concepts of risk management.
- In the private sector, change had been instigated by new regulatory environments such as the Combined Code on Corporate Governance 2006 (UK), Basel II Accord 2004 (Europe), and Sarbanes-Oxley 2002 (US).
The 2010 edition updated the guide with changes proposed through the Best Management Practice Change Control System, and brought the principles in line with the international standard for risk management ISO 31000:2009.
[1] Internal Control: Guidance for Directors on the Combined Code (1999), also known as the “Turnbull Report”, is a report drawn up with the London Stock Exchange for listed companies. The report informs directors of their obligations under the Combined Code with regard to keeping good “internal controls” in their companies, or having good audits and checks to ensure the quality of financial reporting and catch any fraud.
The M_o_R framework
The M_o_R framework is based on four core concepts:
- M_o_R principles. These are essential for the development and maintenance of good risk management practice. They are informed by corporate governance principles and the international standard for risk management ISO 31000:2009. They are high-level and universally applicable statements that provide guidance to organizations as they design an appropriate approach to risk management as part of their internal controls.
- M_o_R approach. The principles need to be adapted and adopted to suit each individual organization. Accordingly, an organization’s approach to the principles needs to be agreed and defined within a risk management policy, process guide and strategies.
- M_o_R process. The process is divided into four main process steps: identify, assess, plan and implement. Each step describes the inputs, outputs, tasks and techniques involved to ensure that the overall process is effective.
- Embedding and reviewing M_o_R. Having put in place an approach and process that satisfy the principles, an organization should ensure that these are consistently applied across the organization and that their application undergoes continual improvement in order for them to remain effective.
Figure 1.2 shows the M_o_R framework.
[Figure 1.2 The M_o_R framework - from Management of Risk: Guidance for Practitioners. Reproduced with permission of the Cabinet Office]
The M_o_R principles are intended to guide rather than dictate so that organizations can develop their own policies, process, strategies and plans to meet their specific needs.
Effective risk management satisfies the eight principles listed below. The first seven principles are enablers. The final principle is the result of implementing risk management well. For risk management to become more than a compliance-led activity within an organization, the value of risk management, measured by the return on investment of risk management work, must be determined and communicated.
- Aligns with objectives
- Fits the context
- Engages stakeholders
- Provides clear guidance
- Informs decision-making
- Facilitates continual improvement
- Creates a supportive culture
- Achieves measurable value.
To remain competitive in a changing and uncertain world, organizations need to learn and adapt. Not all organizations will need the same arrangements to manage risk. The context, size, extent of operations and services, and the inherent uncertainty in the work being undertaken will shape actual practices. Together, the eight principles form a coherent whole to ensure successful risk management.
The way in which the principles are implemented will vary from organization to organization. Collectively the principles provide a foundation from which the risk management approach for an organization can be developed. An organization can adapt this approach to meet its specific needs and objectives.
Central to the M_o_R approach is the creation of a set of documentation comprising:
- Risk management policy
- Risk management process guide
- Risk management strategies for each organizational activity.
The policy, process guide and strategies provide the explanation of how the organization will implement risk management. They describe the activities to be undertaken, the sequence in which these are carried out, and the roles and responsibilities necessary for their delivery.
In support of the risk management policy, process guide and strategies, the M_o_R approach also recommends the use of other documents. These are:
- Risk register
- Issue register
- Risk improvement plan
- Risk communications plan
- Risk response plan
- Risk progress report.
Figure 3.1 shows the relationship between documents.
Risk management process
The M_o_R process diagram (Figure 4.1) shows the overall management of risk process, consisting of four main steps. These steps are represented as a circle of arrows, as it is common for the entire process to be completed several times in the lifecycle of an organizational activity. The activity ‘communicate’ deliberately stands alone as the findings of any individual step may be communicated to management for action prior to the completion of the overall process.
Embedding and reviewing M_o_R
Risk management should be integrated into the culture of the organization. How an organization manages risk is an expression of its core values and communicates to stakeholders its appetite for and attitude to risk-taking. A disconnected or unmanaged approach to risk management is more likely to lead to reactive rather than proactive management where unforeseen issues are commonplace. Such a situation can leave stakeholders feeling less confident about the organization’s ability to manage its affairs appropriately.
It is important therefore to embed risk management into the culture and to put in place mechanisms to review and confirm that the approach to risk management remains appropriate given the organization’s objectives and context. Health checks and maturity models are methods to support organizational efforts to gain maximum value from their investment in risk management.
About the author
Graham Williams is Principal Consultant at GSW Consultancy Limited. He is one of the authors of the 2007 edition, and mentor to Ruth Murray-Webster of Lucidus Consulting, the author of the 2010 edition.
Sourced by TSO and published on www.best-management-practice.com
Our White Paper series should not be taken as constituting advice of any sort and no liability is accepted for any loss resulting from use of or reliance on its content. While every effort is made to ensure the accuracy and reliability of the information, TSO cannot accept responsibility for errors, omissions or inaccuracies. Content, diagrams, logos and jackets are correct at time of going to press but may be subject to change without notice.
© Copyright TSO. Reuse of this white paper is permitted solely in accordance with the permission terms at http://www.bestmanagement-prac...
A copy of these terms can be provided on application to BMP White Paper Permissions, TSO, St Crispins, Duke St, Norwich, Norfolk, NR3 1PD, United Kingdom.
Trademarks and statements
AXELOS®, the AXELOS swirl logo®, ITIL®, PRINCE2®, PRINCE2 Agile®, MSP®, AgileSHIFT®, M_o_R®, P3M3®, P3O®, MoP®, MoV®, RESILIA® are registered trade marks of AXELOS Limited. All rights reserved. Copyright © TSO 2011.
Reuse of any content in this White Paper is permitted solely in accordance with the permission terms at https://www.axelos.com/policies/legal/permitted-use-of-white-papers-and-case-studies
A copy of these terms can be provided on application to AXELOS at Licensing@AXELOS.com
Further information is available at:
See also the Management of Risk publications:
- Management of Risk: Guidance for Practitioners
- Management of Risk Pocketbook