M_o_R®: Guidance for Practitioners and the international standard on risk management, ISO 31000:2009
April 17, 2013
Discover how M_o_R Guidance for Practitioners can help organizations ensure their risk management approach meets the requirements of ISO 31000:2009.
The purpose of this White Paper
This White Paper is intended to show how Management of Risk: Guidance for Practitioners (M_o_R®)[1] can be used to help organizations ensure their risk management approach meets the requirements of ISO 31000:2009: Risk Management – Principles and Guidelines.[2]
Why standards help improve risk management effectiveness
Standards can improve the effectiveness of risk management by providing generic guidelines and drawing attention to the key principles and activities required. This happens in two ways:
- The content of ISO 31000 forms a checklist against which an organization can assess the completeness of its own approaches in terms of both principles and activities. This leads to fewer organizations missing vital activities that national (or international) consensus deems necessary for the effective management of risk.
- Effective management relies on good communications and these, in turn, rely on the use of a consistent vocabulary. By standardizing the use of words in a particular context, people are able to work together more easily and with fewer misunderstandings. ISO Guide 73:2009[3] provides a risk management vocabulary.
- Once standards have been established, they can promote continuous improvement by being periodically reviewed and updated. This ensures the latest consensus on best practice is included and any omissions or clarifications dealt with. In this way all users of standards benefit from the collective experience of all other users.
A comparison of both publications
M_o_R was first published in 2002 and has since undergone two revisions to reflect comments received from users and changes in management methods. It is broadly consistent with the principles and guidelines in ISO 31000 (but with some differences) as summarized here:
- M_o_R is designed for practical use and provides much more detailed guidance on how to implement risk management. Consequently it is some six times longer than the standard. ISO 31000 provides principles and generic guidelines on harmonizing standards and introducing risk management within an organization or for an activity.
- Both documents see risk management as a fundamental requirement to help organizations deliver their objectives.
- There are no significant areas of disagreement between the two publications in the overall approach and processes for risk management.
- Terminology is provided in both publications, but differs. A comparative table is provided in Appendix A.
- Whereas M_o_R provides the basis for qualifications in the management of risk, ISO 31000 does not.
Standards seek to provide their readers with a concise summary of the topic covered. ISO 31000 summarizes the key concepts and activities that an organization needs to undertake in order to manage risk effectively, and thus increase its chances of achieving its objectives, comply with relevant legal and regulatory requirements and respond to arising opportunities and threats. It does not define any particular techniques to be used but stresses that the organization should apply risk identification tools and techniques that are suited to its objectives. Another ISO publication, ISO/IEC 31010, Risk Management – Risk Assessment Techniques,[4] does include details of some risk assessment techniques. Risk assessment provides an understanding of risks that could affect an organization’s achievement of its objectives and the adequacy and effectiveness of controls already in place. ISO/IEC 31010 provides a basis for decisions to be made about which approach to use to treat particular risks and to select the best options. By contrast, M_o_R contains an extensive appendix devoted to the description of commonly used techniques.
ISO 31000 provides a set of principles to inform a framework within which an organization can manage risk and a process by which it can do this. It is not intended to promote uniformity of risk management throughout all organizations, as each should customize its approach to address its particular objectives and operational needs. However, legislation in certain countries may require organizations to comply with ISO 31000. In this respect it is comforting that M_o_R is compliant with ISO 31000.
The international standard ISO 31000 covers the key concepts and activities for managing risk and is intended to harmonize risk management processes in existing and future standards. It sets out the guidelines for implementing effective risk management in an organization. As its title implies, M_o_R provides guidance for practitioners on managing risk, embedding good risk management practice and improving maturity in its application; something which is also recommended in ISO 31000.
The different purposes served by both publications
Rather than reflecting inconsistencies, the differences between ISO 31000 and M_o_R referred to in the preceding paragraph highlight the fact that each document is designed to serve a different purpose. In simple terms:
- ISO 31000 defines what needs to be done and by whom, but not how activities are done.
- M_o_R describes both what needs to be done, through a set of principles, activities and roles, and how to undertake the activities.
- M_o_R is designed for practical application of risk management methods.
- ISO 31000 is designed to help assess how completely the risk management method has been applied.
Although it is designed for practical use, M_o_R does not prescribe how an organization should implement risk management but allows it to customize its approach within the guidelines to suit its operating environment and processes. In this respect it serves a similar purpose to ISO 31000.
Compatibility with BS 31100:2008
One of the quality criteria for the 2010 revision of M_o_R was that the guidance must be compatible with BS 31100:2008, the standard that was in place at the time.
This White Paper shows the relationship between M_o_R and ISO 31000. The ISO 31000 principles are identified by a letter notation that was adopted in BS 31100:2011, Risk Management. Code of Practice and Guidance for the Implementation of BS ISO 31000.[5]
The comparison of M_o_R principles with ISO 31000 also holds for a comparison of the principles of M_o_R with those in BS 31100:2011, which has replaced BS 31100:2008. The BS 31100:2011 principles are not repeated here as this would be an unnecessary duplication.
Appendix B provides a tabular comparison of the two publications. The summary in this section seeks to emphasize the similarities as much as the differences between them. M_o_R is longer and much more detailed; however, the main components are very similar. We have structured the comparison in seven parts, reflecting the contents of M_o_R: introduction; structure; principles; approach (M_o_R) and framework (ISO 31000); embed and review; perspectives; and miscellaneous.
Introduction
In their introductions both publications outline their intended audiences. The main difference is that M_o_R is aimed at those responsible for implementing and overseeing risk management practice, while the standard is aimed at those responsible for developing policy, ensuring risks are effectively managed, assessing its effectiveness and setting up the organizational standards.
Both documents see effective risk management as being very relevant to the achievement of an organization’s objectives and describe consistent approaches to managing risk.
M_o_R defines risk as ‘an uncertain event or set of events that, should it occur, will have an effect (positive or negative) on the achievement of objectives’. ISO 31000’s definition is similar and defines risk as ‘effect of uncertainty on objectives’.
While both publications list similar benefits of risk management in an organization, the emphasis within M_o_R is on how it contributes to corporate governance and internal control. Only M_o_R is designed to underpin qualifications in risk management.
Structure
Although superficially different, the main components of each publication are very similar. M_o_R is based on four core concepts – principles; approach; process; and embedding and review – while ISO 31000 describes principles, a framework and a process.
M_o_R supplements the above core concepts with sections on perspectives, covering application at strategic, programme, project and operational levels, together with document outlines, techniques, a health check and a maturity model. While the standard acknowledges some of these aspects, it provides no detail.
Principles
The third edition of M_o_R reduces the number of principles from twelve to eight. These are informed by corporate governance principles and ISO 31000. It is hardly surprising, therefore, that there is a strong alignment between the two. While M_o_R states that they are essential for the maintenance of good practice, ISO 31000 simply emphasizes that they should be adhered to. One area of difference is that M_o_R includes the principle of creating a supportive culture within the organization. ISO 31000 emphasizes the need for such a culture but does not include it as one of the principles.
Approach (M_o_R) and framework (ISO 31000)
These sections describe how the principles should be applied within an organization and cover similar ground, although they use different terms. For example, whereas M_o_R uses the term ‘risk register’, ISO 31000 speaks of keeping records without specifying what form these records should take.
Both publications describe setting up a policy aligned with the organization’s objectives, activities that should be undertaken, creating and maintaining records and monitoring and reporting progress. ISO 31000 includes the need for continuous improvement, which in M_o_R is dealt with in a separate section. M_o_R includes the need for a plan to embed risk management in the culture of the organization.
The process for managing risk is essentially the same in both publications, consisting of identification, assessment, treatment, monitoring and review. Since M_o_R is designed to guide the practitioner, its coverage of the process is more detailed than that of ISO 31000. It comprises four key stages – identify, assess, plan and implement – all underpinned by effective communication.
Embed and review
Both documents stress the need to embed risk management into the organization’s management processes. However, M_o_R places greater emphasis on integrating it into the culture of the organization; in fact it devotes a specific chapter to this subject. While the need to do so is acknowledged within ISO 31000, the requisite steps are only outlined under various headings, particularly within ‘framework’.
Perspectives
ISO 31000 refers to the application of risk management throughout the life of an organization and across a wide range of activities, strategies and decisions, operations, processes, functions, projects, services and assets. M_o_R devotes an entire chapter to how risk management may be applied at strategic, programme, project and operational levels. For more detail, please refer to Appendix A.
Miscellaneous
M_o_R contains appendices giving outlines of commonly used documents and techniques and a process for assessing how well risk management is used in an organization. It describes a suggested maturity model to measure the current level of risk management maturity and to identify areas for improvement. ISO 31000 refers to the need for these things but provides little in the way of detail or method.
Both publications contain glossaries explaining the meaning of the terms used but these are different in each one. A comparative table is included in Appendix A.
How M_o_R meets ISO 31000
This section summarizes how M_o_R meets the requirements of the International Standard. Because M_o_R and ISO 31000 have a different structure and purpose, clause-by-clause comparisons are inappropriate. Appendix B contains a detailed comparison.
The main points of consistency are:
- Risk management is very relevant to the achievement of an organization’s objectives
- They share consistent principles
- They recommend a similar approach to the application of risk management
- They promote the use of similar risk management processes
- They encourage the integration within the organization’s culture and management processes
- They both emphasize risk management application throughout the life of an organization and its activities
Thus it may be concluded that if an organization is using M_o_R it meets the requirements of ISO 31000 and, indeed, exceeds them in that it provides much of the detail and method that is not covered in the standard.
Key areas of similarity and difference
Terminology differs in some respects between M_o_R and ISO 31000 but each publication includes equivalent terms. The table below provides a comparison of Section 2 of ISO 31000 (terms and definitions) with the equivalent terms in M_o_R. The M_o_R glossary is more extensive than the one in ISO 31000.
Appendix B Map of M_o_R against ISO 31000
The table below provides a direct comparison of M_o_R with ISO 31000 against categories that are common to both publications.
[1] Management of Risk: Guidance for Practitioners, third edition. Office of Government Commerce. The Stationery Office, 2010.
[2] ISO 31000:2009, Risk Management – Principles and Guidelines. International Organization for Standardization, 2009.
[3] ISO Guide 73:2009, Risk Management – Vocabulary. International Organization for Standardization, 2009.
[4] ISO/IEC 31010:2009, Risk Management – Risk Assessment Techniques. International Organization for Standardization, 2009.
[5] BS 31100:2011, Risk Management. Code of Practice and Guidance for the Implementation of BS ISO 31000. British Standards Institution, 2011.
[6] The Orange Book. Management of Risk – Principles and Concepts. HM Treasury, 2004.
[7] Best Management Practice Portfolio: Common Glossary of Terms and Definitions. Best Management Practice, 2012. Available at http://www.best-management-pra...
Sourced by TSO and published on
© Copyright TSO. Reuse of this White Paper is permitted solely in accordance with the permission terms
A copy of these terms can be provided on application to Best Management Practice White Paper Permissions, TSO, St Crispins, Duke St, Norwich, Norfolk, NR3 1PD, United Kingdom.