Management of Risk (M_o_R®) study guide mind map

M_o_R® is a registered trademark of AXELOS Limited. M_o_R® logo courtesy of AXELOS Limited. Trademarks are the property of their holders, who are not affiliated with the mind map author.

Software for Risk Management and GRC

ActiveRisk

Active Risk Manager (ARM)

Agiliance

Agiliance RiskVision

Agiliance RiskVision Platform

Archer

RSA Archer Risk Management

Bwise

BWise Risk Management

Chase Cooper Ltd.

aCCelerate

Cura

Enterprise Risk Management (ERM)

Enablon RM

Enablon RM – Risk Management

Evantix GRC, LLC.

Hiperos

3PM PLATFORM

MKinsight

ERP (Enterprise Risk Management)

LockPath

Intaver

Risky Project

MetricStream

Risk Management System

Modulo

Enterprise Risk Management (ERM)

Northwest Controlling Corporation Ltd.

Enterprise Risk Manager

Risk Wizard Pty Ltd.

Risk Wizard

PAN Software Pty. Ltd.

RiskWare

Prevalent Networks

Prevalent Vendor Risk Manager (PVRM)

Process Unity

Enterprise Risk Management

Resolver

Ballot

Palisade

@RISK Software

Rsam

Rsam Enterprise Risk Management (ERM)

Shared Assessments

Symantec

SAS

Book Runner

Wynyard

Wynyard Risk Management for ERM

M_o_R® Principles (8)

Page 13

What are principles?

Principles are universally applicable statements., Principles are generic - the way in which they are applied must be tailored to suit the organizational circumstances, whilst ensuring the underlying rationale is maintained., Principles are the common, universal and high-level factors that underpin success., Principles are universal, self-validating and empowering., They provide guidance to organizations., They guide the organization on what to aim for.

What are M_o_R® principles?

Because M_o_R® is principles-based, it is able to provide a framework for risk management that can be applied to any organization regardless of its size, complexity, location, or the sector within which it operates.

Principles are based on the UK Corporate Governance Code and are aligned to ISO 31000:2009., Management of Risk: Guidance for Practitioners is aligned with the international standard on risk management, ISO 31000:2009., M_o_R® is designed as a guide for practitioners in risk management. Its use enables an organization to comply with the requirements of ISO 31000 in full.

Each M_o_R® Principle is applied across the 4 Perspectives separately.

Principles are essential for the development and maintenance of good risk management practice.

The first 7 principles are enablers., The final 8th principle is the result of implementing risk management well.

1. Align with objectives

As the purpose of risk management is to strive to understand and manage the threats and opportunities arising from the objectives of the organization or activity, risk management can only commence when it is clear what these objectives are.

Risk management aligns continually with organizational objectives, goals, mission, vision etc., Objectives may change over time so a key aspect of successful risk management is the shared understanding between stakeholders that risk is dynamic and not static. It is therefore important that risk management anticipates, and is responsive to, change - from within the organisation and in the wider context.

Uncertainty is only important and becomes risk if it impacts (positively or negatively) organization objectives.

Organisations must pay close attention to understanding objectives so that an appropriate balance can be achieved between maximizing opportunities and minimizing threats.

The amount of risk that an organisation is willing to take and the associated amount of risk management that is carried out must align with the organisation’s objectives; it is therefore important for the organisation to determine its risk capacity and risk appetite., It is a prerequisite for identifying risks.

Objectives are different in each perspective:, Strategic, overall efficiency of the organisation’s work and the degree to which users, customers, regulators and shareholders are satisfied with performance, and the organisation’s reputation is enhanced, Programme, relate to the desired change outcomes, Project, focused on delivery of the required scope to the right quality, on time within budget etc., Operational, routines and processes used to create products and services

Principle supported by:, Risk Management Policies, Risk Management Strategies, Risk Capacity, Tolerance, Appetite, Risk Capacity, The maximum amount of risk that an organisation, or subset of it, can bear, Risk Tolerance, The threshold levels of risk exposure that, with appropriate approvals, can be exceeded, but which when exceeded will trigger some form of response, Risk Appetite, The amount of risk the organisation, or subset of it, is willing to accept

2. Fits the context

Risk management is designed to fit the current context., Adapting the M_o_R® Approach documents cost-effectively to meet the needs of the specific organizational activity (programme, project, business as usual)., Adapting software for Risk Management suited and tailored to meet the needs of the specific organizational activity (programme, project, business as usual).

Understanding of the external and internal context and its change., Establishing the context, Define the external and internal parameters that organisations must consider when they manage risk., External context, An organisation’s external context includes all of the external environmental parameters and factors that influence how it manages risk and tries to achieve its objectives., e.g., Sector, Markets, Locations, Technologies, Regulatory regimes, Stakeholder values, Perceptions, Relationships, Cultural, Political, Financial, Economic, Natural, Social, Internal context, An organisation’s internal context includes all of the internal environmental parameters and factors that influence how it manages risk and tries to achieve its objectives., e.g., Culture, Formal and informal structures, Stakeholder inter-relationships, People, Deployed processes, Approach to governance, Contractual relationships, Organisation capabilities, Standards, Technology, The goal of the Identify - Context process step is to obtain information about the planned activity and how it fits into the wider organisation and market / society.

Context will change over time, so the ”Fits the Context” principle is a dynamic activity.

The amount of risk management that is carried out may be affected by the external context in which the organisation operates.

Context is different in each perspective:, Strategic, Programme, Project, Operational

Principle supported by:, Establishing the context, External context, Internal context, Risk Management Strategies

3. Engage stakeholders

Risk management engages stakeholders and deals with differing perceptions of risk., Risk management should engage with all primary stakeholders to ensure that the objectives of the organization or activity under examination are established and agreed., All major stakeholders should be identified and engaged.

Each organization activity has its own set of stakeholders and decision-makers., Each with different objectives.

Communication with different stakeholder groups to ensure that their perceptions are clearly understood., A stakeholder is a person / group / organization (internal or external) that can affect or be affected by a decision or an activity., Stakeholders also include those who have the perception that a decision or an activity can affect them., Stakeholders can be clients, partners, suppliers, regulators, decision-makers, staff and any group who have an interest in the organisation.

Different stakeholder groups often have different perceptions of risk., Different stakeholders can either facilitate or hinder the achievement of objectives., It is therefore important to adopt the appropriate level and style of communication with different stakeholder groups to ensure that their perceptions are clearly understood.

When new projects are started, all relevant stakeholders should be informed of this.

Ensuring proactive and timely involvement of stakeholders helps to:, Improve risk identification, Ensure that differences are understood and resolved, Increase ownership of actions, Minimize resistance

Stakeholders are different in each perspective:, Strategic, Programme, Project, Operational

Principle supported by:, Workshops, Meetings, Interviews, Risk Management Communication Plans, Risk Progress Reports

4. Provides clear guidance

Risk management provides clear and coherent guidance to stakeholders., Risk management practices must be clear so stakeholders can understand how the organisation identifies, assesses and controls risks to objectives.

A coherent approach brings consistency and a clear understanding of how much effort to invest in risk management and when., Risk management must be integrated to form a coherent approach across the organisation.

Risk practices must be:, Logical, Orderly, Consistent

It is important to avoid a one-size-fits-all / ‘tick-box’ approach to risk management, as this would leave the organisation highly exposed to risk.

Principle supported by:, Risk Management Policies, Risk Management Process Guide, Risk Management Strategies

5. Informs decision-making

Risk management is linked to and informs decision-making across the organization.

Given that risks influence every decision, risk management must help decision-makers understand the relative merits, threats and opportunities associated with different courses of action so they can make an informed choice., The main mechanism to achieve this is the application of risk tolerance thresholds for each organisational objective., The tolerances are defined by considering the risk appetite for each activity in question in the context of the overall organisation's risk capacity.

EWI (Early Warning Indicator) - a leading indicator of a KPI., Leading indicators for organisational objectives that are ultimately measured by a key performance indicator.

A KPI is a performance measure used to help evaluate progress., Measures of performance used to help organisations define and evaluate how successful they are in making progress towards their objectives., KPIs should be the vital navigation instruments used by managers to understand whether their business is on a successful voyage or whether it is veering off the prosperous path., KPIs should form part of the decision-making process for every employee, and everyone should be able to answer the question “How will what I am doing affect our KPIs?” in relation to every aspect of their job., Ensure everybody understands how the metrics you are gathering will affect your strategic priorities., This will increase the “buy-in” - how personally involved and enthusiastic about your priorities your staff feel - and ensure that constant review and improvement are at the heart of every level of your business., If a KPI isn’t useful in helping you or others in your business make better decisions which in turn will improve your business’s performance, then it’s just noise., 25 Need-to-Know Key Performance Indicators, http://www.amazon.co.uk/gp/product/1292016477/

Principle supported by:, Risk Management Strategies, Risk Management Communication Plans

6. Facilitates continual improvement

Organizations that are interested in continual improvement should develop strategies to improve their risk maturity, to enable them to plan and implement step changes in their risk management practices.

Risk management uses historical data and facilitates learning and continual improvement.

There are several ways in which risk management facilitates the continual improvement principle.

Learn from experience by collecting actual performance data to accumulate historical data to draw upon., This can help to inform estimates, risk responses, forecasts and decisions.

M_o_R® Health Check can support internal control., System of internal control to safeguard shareholders., Healthcheck checks the status and robustness of current risk management and helps to identify areas for improvement.

Another method that can help organisations to decide how to continually improve is the maturity model., You need to prepare a realistic plan to modify practices in risk management, in order to meet the needs of the next level of maturity., The transition from one level of maturity to another should be managed as a project - with clear objectives, resources, schedule and business justification.

Principle supported by:, M_o_R® Health Check, M_o_R® Maturity Model, Risk Improvement Plans

7. Creates a supportive culture

Senior managers need to demonstrate the importance of risk management via policies and actions., The Chairman of the Board should act as the sponsor of risk management.

Organizations should establish the right culture to support management of risk throughout the organization., Senior management should allow an open and general discussion of the risks, without fear of retribution (a climate of mutual trust)., Publication and dissemination of articles on risk.

A supportive culture will be one that embeds risk management into day-to-day operations and recognises the benefits of risk management., Risk management needs to be embedded into day-to-day activities and wins and losses need to be treated as opportunities for improvement., Leaders of risk management - to promote best practices in daily activities.

Risk management creates a culture that recognizes uncertainty and supports considered risk-taking., The inclusion of responsibility for risk management to job descriptions, objectives of employees and periodic evaluations.

For risk management to add value, an organisational culture must be created which recognizes that taking calculated chances is appropriate when matched to appetite., Having zero risk is neither achievable nor even desirable.

A management culture based on rapid punishment of staff - one that prefers to focus on negative phenomena, does not eliminate the tendency to blame, and is reluctant to spend time looking for the root cause - is an obstacle., An established code of conduct, human resources policy and incentive schemes are important factors that support effective risk management.

The organization should use both its motivation (incentive) system and its sanction system in a balanced, sustainable way.

Organizations should implement risk management in all its branches, so that it becomes part of the routine activity.

A number of indicators can be used to judge the success of efforts to build a risk management culture., Questionnaires, To collect information, Benchmarks, To measure the impact that an awareness programme has had on an organisation, Return on the value/cost deployed, i.e. benefits achieved as a result of investment made, Degree of risk management integration, The extent to which risk management has been integrated within the culture of the organisation, Freedom, detail and speed of identification/reporting, A measurement of the improvement risk management has had to the organisation, Ease of making and understanding risk based decisions, Risk-aware culture, Enables preventative and proactive views and decisions to be made as part of a risk-informed decision-making process.

Principle supported by:, Risk Management Policies, "learning culture"

8. Achieves measurable value

Using a structured approach to risk management is intended to create and protect organisational value, however value is measured in a particular organisation.

Risk management enables achievement of measurable organizational value., Tracks the performance of the organization with regard to regulatory controls., ”Prevention is better than cure”

This principle is an outcome of all previous principles.

Investing in risk management is expected to provide a tangible return for the organisation., It is important to establish baselines and processes to measure performance and ensure that investment is justified on an on-going basis.

The organisation should not just measure process compliance, but show that risk management has:, Reduced waste / re-work levels, Increased client / user confidence, Improved regulatory performance

M_o_R® Approach (9)

Image courtesy of AXELOS Ltd.

There are likely to be many instances of each type of document in larger organisations.

The way in which the M_o_R® Principles are implemented will vary from organization to organization. Collectively the principles provide a foundation from which risk management practices can be developed.

These practices describe how risk management will be applied throughout an organization - the M_o_R® Approach.

Central documents

The corporate risk policies, processes, strategies and plans describe:, Activities which are routinely subject to risk identification, assessment and control, When risk processes should be carried out, Who will undertake risk management steps, Who will oversee the application of risk management, The benefits the process aims to achieve.

Risk Management Policy (A.1), What is it?, Provides a high-level statement showing how risk management will be handled throughout the organisation., In some circumstances the policy can contain a detailed description of the risk management process; in others, it can provide a high-level view with a fuller description being provided in a separate document., The purpose of the Risk Management Policy is to communicate how risk management will be implemented throughout an organisation (or part of an organisation) to support the realisation of its strategic objectives., Describes why risk management is important to the organization, and the specific objectives served by implementing a formal risk management approach, It strives to accomplish uniformity across risk management processes., Aims to remove ambiguity about the organisation’s risk appetite and when to escalate risk, and describes the format, timing and content of reports., The policy provides a common language in as much as it is tailored to the organisation. It aims for uniformity in terms of how it is implemented., For smaller organisations there may only be a single policy., Whatever the situation, each policy should be reviewed and updated at least annually., In general WHY and HOW., Recommended content, Introduction, Risk appetite and capacity, Risk tolerance thresholds, Procedure for escalation and delegation, Roles and responsibilities, Glossary of terms, Risk management process, KPIs and EWIs, When risk management should be implemented, Reporting, Budget, Quality assurance, Annual review

Risk Management Process Guide (A.2), What is it?, Describes the series of steps (from identify through to implement) and their respective associated activities, necessary to implement risk management., The purpose of the Risk Management Process Guide is to describe the series of steps and the respective associated activities, necessary to implement risk management., The process should be tailored to the organisation and be suitable for types of activity across the organisation., It should be applicable to all levels of management and activity., This document should describe a best practice approach that will support a consistent method and deliver effective risk management., Describes how an organization intends to carry out risk management and the role and responsibility of people who perform risk management related tasks, Recommended content, Introduction, Roles and responsibilities, Steps in the process, Tools and techniques, Templates, Glossary of terms, cross reference to glossary from policy

Risk Management Strategy (A.3), What is it?, The purpose of the Risk Management Strategy is to describe for a particular organisational activity the specific risk management activities that will be undertaken., Separate Risk Management Strategies should be produced for each organization activity undertaken within the strategic, programme, project and operational perspectives., Describes risk categories for a particular activity (programme, project, business as usual / BaU), Explains the amount of risk an organizational activity wants to take in a particular activity (programme, project, business as usual), Communicates the amount of risk that can be taken in a particular activity (programme, project, business as usual) without escalation, It may include an organisational chart and describe the roles and responsibilities., Gains a common understanding of the definition of a medium impact, Recommended content, Introduction, Summary of the risk management process as applicable to the activity (with reference to the process guide), Tools and techniques, Records, Reporting, Roles and responsibilities, Scales for estimating probability and impact, Risk tolerance thresholds, Risk categories, Budget required, Templates, EWIs for KPIs, Timing of risk management activities, Glossary of terms

Supportive documents

Records, Risk Register (A.4), What is it?, The purpose of the Risk Register is to capture and maintain information on all of the identified threats and opportunities relating to a specific organisational activity (programme, project, business as usual)., An organization should maintain a Risk Register for each organizational activity., Recommended content, Risk identifier, Risk category, Date raised, Raised by, Risk description, Probability:, Before response, After response, Impact:, Before response, After response, Expected value for each risk:, Before response, After response, Proximity, Risk response option, Risk response action, Residual (post-response) risk:, Probability, Impact, Expected value, Proximity, Secondary risks, Action status, Risk status, Risk owner, Risk actionee

Records, Issue Register (A.5), What is it?, The purpose of the Issue Register is to capture and maintain information in a consistent, structured manner on all of the identified issues that have already occurred (are happening now) and require action., An organization should maintain an Issue Register for each organizational activity., Recommended content, Issue identifier, Issue type, Date raised, Raised by, Issue description, Severity, Priority, Action required, Date action to be implemented, Action status, Issue status, Issue owner

Plans, Risk Improvement Plan (A.6), What is it?, To assist with embedding risk management into the culture of the organization and to document planned improvements, Recommended content, Current date, Category group, Existing behaviours, Target date, Mechanisms, Measurement

Plans, Risk Communication Plan (A.7), What is it?, To describe how information will be disseminated to, and received from, all relevant stakeholders of a particular organizational activity (programme, project, business as usual), Recommended content, Key elements of information to be distributed, Roles and responsibilities for communication, List of stakeholders and information requirements, Communication mechanisms, Process for handling feedback, Schedule of communication activities

Plans, Risk Response Plan (A.8), What is it?, Extension of the Risk Register, To detail specific plans for responding to a single or linked set of risks., Could be a document initiating a separate subproject as a response to a single or linked set of risks., Recommended content, Risk identifier, Risk description(s), Proximity, Pre-response probability and impact (and expected value where used), Risk owner, Response plans (who, what, when, where in detail), Residual (post-response) risk:, Probability, Impact, Expected value, Proximity, Residual proximity, Response costs

Reports, Risk Progress Report (A.9), What is it?, Compares actual performance of risk response actions to planned outcomes (in implement step in M_o_R® Process), To provide regular progress information to management on risk management within a particular organizational activity (programme, project, business as usual)., Recommended content, Trends of overall risk exposure, Numbers and trends of risks emerging in the different risk categories, Anticipated new risks that will require specific management attention

M_o_R® Roles and Responsibilities (6)

Senior Team

could be in real life a ..., Board, Management Board, Executive team, C-level executives, Steering group, Project Steering Committee (or Project Board), Program Steering Committee, Sponsoring group, ...

Responsibilities, Writes, owns and assures adherence to the risk management policy, Defines the overall risk appetite, Reviews the risk management strategy, Approves funding for risk management, Monitors the risk profile, Assures clarity of role and responsibility of other stakeholders, Assists with assessing the risk context, Monitors and acts on escalated risks, Establishes governance

The Senior Manager appointed to represent the senior team

could be in real life a ..., Sponsor, The Accounting Officer (public sector), CEO (private sector), Senior Responsible Owner (SRO), e.g. Executive in PRINCE2®, e.g. Senior Responsible Owner in MSP®, Chief Risk Officer (CRO), Chief Information Risk Officer (CIRO), Technical Information Security Officer (TISO), Business Information Security Officer (BISO), ...

Responsibilities, Ensures that appropriate governance and internal controls are in place, Ensures risk management strategy exists, Defines and monitors risk tolerances, Ensures the risk management policy is implemented, Monitors and assesses the balance within the set of risks, Owns and manages escalated risks as appropriate, Ensures that adequate resources are available to implement the Risk Management Strategy, Agrees on the information that will be reported to more senior stakeholders, Assists the team in embedding the necessary risk management practices, Contributes to identification of key risk areas and assures that Risk Registers are in place for each

Manager

could be in real life a ..., Programme Manager, Project Manager, Product Manager, Product Owner, Risk Manager, Operations Manager, Support Manager, Customer Relationships Manager, ...

Responsibilities, Ensures that Risk Registers, a risk review process and an escalation process are in place, Validates risk assessments, Identifies the need for investment to fund risks, Owns individual risks (including those delegated by the senior manager), Escalates or delegates risks to higher or lower levels in the organization as required, Ensures participation in the delivery of risk management, Explicitly identifies risk management duties within the terms of engagement of other managers involved in achieving specific objectives, Agrees with risk specialists on the timing, number and content of the risk management interventions, Agrees the timing and content of Risk Progress Reports, Agrees the involvement of the risk manager, audit committee and risk committee as appropriate, Establishes how risk management will be integrated with change control and performance management

Assurance

could be in real life a ..., Portfolio Office, Programme Office, Project Office, Internal / External Auditor, Compliance unit, ...

Responsibilities, Assures the senior team that risk accountabilities exist, Assures compliance with guidance on internal control, Reviews progress and plans in developing and applying the Risk Management Policy, Reviews the results of the assessments of management of risk, Makes formal assessments and reports of management of risk implementation, Ensures risk information is available to inform decision-making

Risk Specialist

could be in real life a ..., Risk Practitioner, Risk Coordinator, Risk Facilitator, ...

Responsibilities, Ensures the Risk Management Policy is implemented, Carries out ongoing management of risk maturity assessments, Develops plans to improve the management of risk, Develops management of risk guidance and training, Identifies lessons learned and disseminates learning, Undertakes risk management training and holds seminars to embed risk management, Prepares Risk Management Strategies, Prepares stakeholder analysis, Prepares a risk breakdown structure or similar, Participates in option analysis, Carries out risk management interventions, Prepares meeting/workshop aids, Facilitates risk meetings / workshops, Identifies risks, Undertakes qualitative and quantitative assessment of risks, Prepares Risk Management Reports

Team

could be in real life a ..., Company employees, Factory employees, Project / Programme team members, ...

Responsibilities, Participates (as appropriate) in the identification, assessment, planning and management of threats and opportunities, Understands the Risk Management Policy and how it affects them, Implements the Risk Management Policy within their areas of responsibility, Escalates risks as necessary as defined by the Risk Management Policy

M_o_R® Process (1)

Image courtesy of AXELOS Ltd.

M_o_R® Process is sequential

M_o_R® Process is based on process defined in UK HM Treasury - The Orange Book [2004]

Each M_o_R® Process exists in one Perspective - each M_o_R® Process is dedicated to specific organizational activity (programme, project, business as usual)

e.g. each programme or project has its own M_o_R® Process with a dedicated process owner - in M_o_R® known as the Manager (e.g. Programme Manager, Project Manager)

Each process step consists of:

Image courtesy of AXELOS Ltd.

Goals, The key outcomes of the process

Inputs, The information (documents) that is transformed by the process

Outputs, The information (documents) produced (or updated) by the process

Techniques, The recognized risk management techniques that may be applied (are recommended by M_o_R®) to the process step to help create the outputs

Tasks, The actions that need to be completed to transform the inputs into the outputs with the aid of the techniques.

Communicate is not a separate step, communication is done as constant activity.

The activity ‘communicate’ deliberately stands alone as the findings of any individual step may be communicated to management for action prior to the completion of the overall process.

The M_o_R® Process has 4 primary process steps. The first 2 steps (Identify and Assess) each have 2 substeps (Identify - Context, Identify - Risks and Assess - Estimate, Assess - Evaluate) ... yes, it is quite bizarre, and not obvious from the image above, but that is how the M_o_R® Process is designed.

https://www.youtube.com/watch?v=YtUkePfNFQ8#t=285

1. Identify, 1. Identify - Context, Goal, The primary purpose of this step is to obtain information about the planned activity., Understanding the stakeholders and their objectives, Describe the roles and responsibilities for a specific activity (portfolio, programme, project or business as usual), Obtain information about the planned activity (portfolio, programme, project or business as usual) and how it fits into the wider organisation, understanding the activity objective, scope, assumptions, constraints, stakeholders, environment and approach to risk management., Developed Risk Management Strategy, What are the objectives of the project or programme?, What is the scope of the project or programme?, What assumptions have been made?, How complete is the information?, How important is the project or programme?, What is the environment in which the entire organization operates (industry, market, products, services, etc.)?, What is the organization's approach to risk management?, Recommended techniques by M_o_R®, Stakeholder analysis (category of techniques), PESTLE analysis, SWOT analysis, Horizon scanning, Probability Impact Grid, 1. Identify - Risks, Goal, The primary goal of this step is to identify the risks to the organisation that would reduce or remove the likelihood of the organisation reaching its objectives, while maximising the opportunities that could lead to improved performance., Identify the risks to the activity with the aim of minimising the threats while maximising the opportunities, Identify and describe the threats / opportunities to the organization activity that may reduce / increase the likelihood of an activity succeeding, Defining key performance indicators (KPIs) for the activity's objectives, Recommended techniques by M_o_R®, Checklists, Prompt list, Cause and effect diagram, Group techniques (category), Questionnaires, Individual interviews, Assumptions analysis, Constraints analysis, Risk descriptions

2. Assess, 2. Assess - Estimate, Goal, The primary goal of this step is to assess each of the threats and opportunities to the organisation in terms of the probability (likelihood) and impact (consequence) of each risk., The proximity of each risk (i.e. when it could occur) is also considered., The proximity of the threats and opportunities, understood as the time when they can materialise., Assess the probability and impact of risks that may occur during the activity, M_o_R® does not prescribe how probability, impact and proximity are determined; the organisation chooses the approach, Qualitative analysis (intuition/perception/opinion), Qualitative analysis is used in any one of the following circumstances:, As an initial screening activity to identify risks that require more detailed analysis., Where the level of risk does not justify the time and effort required for quantitative analysis., Where the numerical data are unavailable or inadequate for quantitative analysis., Quantitative analysis (numerical/statistical/historical data), Recommended techniques by M_o_R®, Probability assessment, Impact assessment, Proximity assessment, Expected value assessment, EV, 2. Assess - Evaluate, Goal, The primary goal of this step is to understand the net effect of the identified threats and opportunities on an activity when aggregated together., Understanding the exposure faced by looking at the risks both individually and as an aggregated threat to the activity., Calculate the net effect of an activity's risks, Calculate the total risk exposure faced by the activity, Recommended techniques by M_o_R®, Summary risk profiles, Summary expected value assessment, Probabilistic risk models, Probability trees, Sensitivity analysis

3. Plan, 3. Plan, Goal, The primary goal of the plan step is to prepare and evaluate specific management responses to the threats and opportunities identified, ideally to remove or reduce the threats and to maximise the opportunities., This step is performed so that the team is not taken by surprise when a risk materialises., The estimated residual risk after the planned response is recorded for each risk in the Risk Register, Recommended techniques by M_o_R®, Risk response planning, Cost-benefit analysis, Decision trees

4. Implement, 4. Implement, Goal, The primary goal of this step is to ensure that the planned risk management actions are implemented and monitored for their effectiveness, and that corrective action is taken where responses do not match expectations., Ensure that the planned risk management actions are implemented and that the planned actions are having the desired effect., Perform additional actions where the residual risk is not within an acceptable level, Corrective action should be taken on plans where the responses are not meeting expectations., Recommended techniques by M_o_R®, Update summary risk profiles, Risk exposure trends, Update probabilistic risk models

Communicate, Rather than being a distinct step in the process, communication is an activity that is carried out throughout the whole process., Effective communication is key to the identification of new threats and opportunities or changes to existing risks., It is also important for management to engage with and seek the participation of staff and the wider stakeholder population., Communication plays a major role in achieving such engagement and participation.

Common process barriers to success according to M_o_R®.

Lack of an organizational culture that appreciates the benefits of risk management

Immature risk management practices

Lack of risk facilitation resources and time

Lack of policies, process, strategies and plans

Lack of senior management sponsorship

Lack of training, awareness, knowledge and formal risk tools and techniques

Lack of clear guidance for managers and staff

Lack of incentives for participation in risk management activities

M_o_R® Techniques (27)

Techniques recommended and used in M_o_R®, but not M_o_R® specific

Stakeholder analysis (category)

RACI, Responsible, Accountable, Consulted, Informed, variants, RACI, Responsible, Assists, Consulted, Informed, RACI, Recommends, Approves, Consulted, Informed, alternatives, RASCI, RACI-VS, RACIO, DACI, RAPID®

Stakeholder Map

Influence / Interest matrix / Power-impact matrix / Power-impact grid, Identifies the importance of stakeholders to an activity

PESTLE analysis

A popular technique for identifying external factors

Help to capture understanding about aspects of the context by using the prompts, Political, Economic, Sociological, Technological, Legal and Environmental (or a similar alternative), Political, What are the key political factors?, Political factors refer to the degree of government intervention in the economy. The legal and regulatory factors included are labor laws, tax policies, consumer protection laws, employment laws, environmental regulations, and tariff & trade restrictions., e.g., Government stability., Freedom of speech, corruption, party in control, Regulation trends., Tax policy and trade controls., War, Government policy, Elections, Terrorism, Likely changes to the political environment, Economic, What are the important economic factors?, Economic factors include the inflation rate, exchange rate, interest rate, employment / unemployment rate and other economic growth indicators. The economic factors faced by an organization have a significant impact on how a business carries on its operations in the future., e.g., Stage of business cycle., Current and projected economic growth, International trends, Job growth, Inflation and interest rates., Unemployment and labor supply., Levels of disposable income across the economy and income distribution., Globalization., Likely changes to the economic environment, Sociological / Social, What cultural aspects are most important?, Social factors include different cultural and demographic aspects of society that form the macro-environment of the organization. Social factors include career attributes, age distribution, population and its growth rate, health consciousness and safety awareness., e.g., Population growth and demographics., Health, education and social mobility of the population, Consumer attitudes, Advertising and media, National and regional culture, Lifestyle choices and attitudes to these., Levels of health and education, Major events, Socio-cultural changes, Technological, What technological innovations are likely to occur?, Technology is evolving at a rapid pace and consumers are becoming extremely tech-savvy. With the advent of new technology, older technology becomes outdated and obsolete., The technological factors an organization faces include technological changes, R&D activity, obsolescence rate, automation and, of course, innovation., e.g., Impact of new technologies., Inventions and innovations, The internet and how it affects working and business, Licensing and patents, Research funding and development, Legal, What current and impending legislation may affect the industry?, Legal factors include discrimination law, consumer law, antitrust law, employment law, and health and safety law., e.g., Home legislation, International legislation, Employment law, New laws, Regulatory bodies, Environmental regulation, Industry-specific regulations, Consumer protection, Environmental, What are the environmental considerations?, Environmental factors include ecological and environmental aspects such as weather, climate, and climate change, which may especially affect industries such as tourism, farming, and insurance., e.g., Ecology, International environmental issues, National environmental issues, Local environmental issues, Environmental regulations, Organizational culture, Staff morale and attitudes

variants, ETPS, Economic, Technical, Political, and Social, PEST, Political, Economic, Social, and Technological, PESTELI, PESTLESS, PESTLIED, Political, Economic, Social, Technological, Legal, International, Environmental, and Demographic, STEEPLE, Social, Technological, Economic, Ethical, Political, Legal, and Environmental, STEEPLED, Social, Technological, Economic, Environmental, Political, Legal, Educational, and Demographic, STEP, Strategic Trend Evaluation Process, STEPE, Social, Technological, Economic, Political, and Ecological

http://en.wikipedia.org/wiki/PEST_analysis

SWOT analysis

Internal factors (strengths, weaknesses) and external factors (opportunities, threats) that may affect the organization's objectives

Commonly used for uncertainty identification in project / programme / strategic risk management, the SWOT analysis considers risk from both the internal and external environment.

Strengths, Internal factors of a corporation that help to achieve objectives.

Weaknesses, Internal factors that obstruct achieving objectives and can be improved.

Opportunities, Factors that are not currently present in the organisation, but could reflect positively on achieving our objectives.

Threats, Factors that are not currently present in the organisation, but could reflect negatively on achieving our objectives if they occur.

http://en.wikipedia.org/wiki/SWOT_analysis

Horizon scanning

Systematic examination of likely future developments that are at the margins of current thinking and planning

Horizon scanning is a means of identifying future risks, opportunities and improvement ideas.

Probability impact grid

a.k.a. Risk Matrix

Probability impact grids are very common in risk management / internal control, and it is also common to assign a summary risk score by combining the 'probability' and 'impact' ratings.

Risks across the organization's portfolio can be compared with each other using the same probability impact grid, The grid contains ranking values that may be used to rank threats and opportunities qualitatively, The probability scales are measures of probability derived from percentages, and the impact scales are selected to reflect the level of impact on project / programme objectives

Same scale for every risk within an activity (each project / programme has its own probability impact grid)

http://en.wikipedia.org/wiki/Risk_Matrix

Checklists

Checklists for risk identification can be developed based on historical information and knowledge that has been accumulated from previous similar projects and from other sources of information

One advantage of using a checklist is that risk identification is quick and simple

One disadvantage is that it is impossible to build an exhaustive checklist of risks, and the user may be effectively limited to the categories in the list

It is important to review the checklist as a formal step of every project / programme closing procedure to improve the list of potential risks, to improve the description of risks

Prompt list

Help ensure all aspects are covered when attempting to identify risks

Similar to checklists

Rather than seeking to pre-identify every risk , prompt lists simply identify the various categories of risk that should be considered

The classic prompt list categories were political, economic, social and technological, giving rise to PEST analysis

e.g. Risk Breakdown Structure (RBS)

Cause and effect diagrams

a.k.a. Ishikawa diagram

a.k.a. Fishbone diagram

Type of Diagramming techniques

The Ishikawa (cause-effect or fishbone) diagram can indeed be used for risk identification

Diagram graphically helps identify and organize possible causes (source) for a specific risk or area of concern.

http://en.wikipedia.org/wiki/Ishikawa_diagram

Group techniques (category)

Brainstorming, Unrestrained or unstructured group discussion, Discussion should be led by an experienced facilitator, Ideas are not initially censored, all ideas should be recorded no matter how relevant they initially appear to be, Even bad ideas may trigger good suggestions from other members of the group, http://en.wikipedia.org/wiki/Brainstorming

Nominal group, Nominal group technique takes brainstorming a step further by adding a voting process to rank the ideas that are generated, Rather than using simple voting, each participant must provide their input and there is discussion regarding the relative ranking that results, This allows participants to be more engaged in the discussion and in the solutions, http://en.wikipedia.org/wiki/Nominal_group_technique

Delphi, Another type of survey, Acknowledged experts are asked to comment on risks anonymously and independently, variants, Wideband Delphi, http://en.wikipedia.org/wiki/Delphi_method

Questionnaires

Measuring the effect that risk management is having on the culture of an organization

http://en.wikipedia.org/wiki/Questionnaire

Individual interviews

Effective way of capturing risks

When people are not inhibited by management and peers, they tend to be far more open about their concerns

Assumptions analysis

Assumptions analysis is a powerful way of exposing project-specific risks, since it addresses the particular assumptions made about a given project.

Requires planners to identify all assumptions being made in the project planning stage as a means of risk reduction

Each assumption is then analyzed to determine its accuracy and to identify all potential project risks if the assumption is later found to be inaccurate.

A simple IF-THEN statement can be written for each assumption

Constraints analysis

Risk descriptions

Probability assessment

Estimating the likelihood of a risk occurring

Investigating the likelihood that each specific risk will occur

Impact assessment

Investigating the potential effect on a project objective such as schedule, cost, quality or performance (negative effects for threats and positive effects for opportunities)

Proximity assessment

Expected value assessment

Summary risk profiles

Are based on Probability impact grid, Probability impact grid provides scales for probability and impact upon which Summary risk profile is populated with current risk status

Colours represent progress with the risk response; often a RAG system (R - Red, A - Amber, G - Green) or an extended RAG scheme is used


Summary expected value assessment
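The Assess step (Estimate and Evaluate), the probability impact grid, expected value assessment and the summary risk profile / summary expected value assessment above all operate on the same two ratings per risk. The following Python block is an added worked example, not code from the M_o_R® guide or AXELOS: it scores a constructed risk register on a 5x5 grid, converts each risk to a signed expected value (threats negative, opportunities positive), nets them into the activity's total exposure, and orders the register for a summary risk profile with RAG colouring. The 5x5 scales, the register entries and the RAG thresholds are assumptions chosen for illustration; an organisation's Risk Management Strategy defines its own.

```python
"""Probability impact grid scoring, expected value and summary risk profile.

Added example for the M_o_R Assess step; not from the M_o_R guide.
The scales, sample risks and RAG thresholds below are assumptions.
"""
from dataclasses import dataclass
from typing import List

# Assumed probability scale: grid rating -> representative probability.
PROBABILITY_SCALE = {1: 0.05, 2: 0.15, 3: 0.35, 4: 0.60, 5: 0.85}
# Assumed impact scale: grid rating -> representative monetary impact.
IMPACT_SCALE = {1: 5_000, 2: 20_000, 3: 50_000, 4: 150_000, 5: 500_000}


@dataclass(frozen=True)
class Risk:
    ident: str
    description: str
    kind: str              # "threat" or "opportunity"
    probability: int       # 1..5 rating on the grid
    impact: int            # 1..5 rating on the grid
    proximity_weeks: int   # when the risk could materialise


def grid_score(risk: Risk) -> int:
    """Qualitative score = probability rating x impact rating (1..25)."""
    if not (1 <= risk.probability <= 5 and 1 <= risk.impact <= 5):
        raise ValueError(f"{risk.ident}: ratings must lie within the 5x5 grid")
    return risk.probability * risk.impact


def expected_value(risk: Risk) -> float:
    """Quantitative EV = P(occurrence) x monetary impact.

    Signed so threats and opportunities can be netted together:
    negative for threats, positive for opportunities.
    """
    ev = PROBABILITY_SCALE[risk.probability] * IMPACT_SCALE[risk.impact]
    return -ev if risk.kind == "threat" else ev


def rag_status(score: int, amber_at: int = 6, red_at: int = 12) -> str:
    """Map a grid score to a RAG colour (thresholds are assumptions)."""
    if score >= red_at:
        return "Red"
    if score >= amber_at:
        return "Amber"
    return "Green"


def summary_risk_profile(risks: List[Risk]) -> List[Risk]:
    """Order risks for the summary risk profile: highest score first,
    nearest proximity first among equal scores."""
    return sorted(risks, key=lambda r: (-grid_score(r), r.proximity_weeks))


def summary_expected_value(risks: List[Risk]) -> float:
    """Net exposure of the activity (Evaluate sub-step): sum of signed EVs."""
    return sum(expected_value(r) for r in risks)


# Constructed sample risk register for one project (illustrative only).
REGISTER = [
    Risk("R1", "Key supplier misses delivery", "threat", 4, 4, 6),
    Risk("R2", "Data centre power outage", "threat", 2, 5, 20),
    Risk("R3", "Early access to new tooling cuts test effort", "opportunity", 3, 2, 4),
    Risk("R4", "Staff turnover in core team", "threat", 3, 3, 10),
]

if __name__ == "__main__":
    for r in summary_risk_profile(REGISTER):
        s = grid_score(r)
        print(f"{r.ident} score={s:2d} {rag_status(s):5s} "
              f"EV={expected_value(r):+,.0f} due in {r.proximity_weeks}w")
    print(f"net exposure: {summary_expected_value(REGISTER):+,.0f}")
```

The grid score is what the summary risk profile plots; the signed expected value is what the summary expected value assessment sums. Keeping both on each risk lets the same register serve the qualitative screening and the quantitative aggregation described above.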

Probabilistic risk models

Probability trees

http://en.wikipedia.org/wiki/Tree_diagram_(probability_theory)

Sensitivity analysis

Used for determining which risks may have the most potential impact on the project / programme

In sensitivity analysis one looks at the effect of varying the inputs of a mathematical model on the output of the model itself

Examining the effect of the uncertainty of each project element to a specific project objective, when all other uncertain elements are held at their baseline values

http://en.wikipedia.org/wiki/Sensitivity_analysis

Risk response planning

Cost-benefit analysis

http://en.wikipedia.org/wiki/Cost%E2%80%93benefit_analysis

Decision trees

Decision support tool that uses a tree-like graph or model of decisions and their possible consequences, including chance event outcomes, resource costs, and utility.

A decision tree consists of 3 types of nodes:, Decision nodes - commonly represented by squares, Chance nodes - represented by circles, End nodes - represented by triangles

Drawn from left to right, a decision tree has only burst nodes (splitting paths) but no sink nodes (converging paths).

http://en.wikipedia.org/wiki/Decision_tree
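The Plan-step techniques above (risk response planning, cost-benefit analysis, decision trees) and the sensitivity analysis technique from the Assess step fit together in one calculation: fold a decision tree back from its end nodes to get the expected monetary value of each response option, compare the cost of a response with the reduction in expected loss it buys, then vary one input to see when the preferred option changes. The Python block below is an added example, not code from the M_o_R® guide or AXELOS. The scenario (installing a backup generator against a data-centre outage), the probabilities and the costs are assumptions chosen for illustration.

```python
"""Decision tree rollback, cost-benefit check and sensitivity sweep.

Added example for risk response planning, cost-benefit analysis,
decision trees and sensitivity analysis; not from the M_o_R guide.
The scenario, probabilities and costs are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class End:
    """End node (triangle): final pay-off of a path, negative for a loss."""
    value: float


@dataclass
class Chance:
    """Chance node (circle): (probability, child) pairs summing to 1."""
    branches: Tuple[Tuple[float, "Node"], ...]


@dataclass
class Decision:
    """Decision node (square): option label -> (up-front cost, child)."""
    options: Dict[str, Tuple[float, "Node"]]


Node = Union[End, Chance, Decision]


def rollback(node: Node) -> float:
    """Expected monetary value of a node, folding the tree right to left."""
    if isinstance(node, End):
        return node.value
    if isinstance(node, Chance):
        total = sum(p for p, _ in node.branches)
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"chance branches sum to {total}, not 1")
        return sum(p * rollback(child) for p, child in node.branches)
    # Decision node: the decision maker takes the option with the best EMV.
    return max(cost + rollback(child) for cost, child in node.options.values())


def best_option(node: Decision) -> str:
    """Label of the option with the highest EMV at a decision node."""
    return max(node.options,
               key=lambda k: node.options[k][0] + rollback(node.options[k][1]))


# Constructed scenario: respond to the threat "data centre power outage".
OUTAGE_LOSS = -500_000.0    # loss if an outage occurs and nothing was done
RESIDUAL_LOSS = -50_000.0   # loss if an outage occurs with a generator fitted
GENERATOR_COST = -40_000.0  # cost of the response, paid whether or not it occurs


def build_tree(p_outage: float) -> Decision:
    """Decision -> chance -> end, parameterised by the outage probability."""
    return Decision({
        "install generator": (GENERATOR_COST, Chance((
            (p_outage, End(RESIDUAL_LOSS)), (1 - p_outage, End(0.0))))),
        "accept the risk": (0.0, Chance((
            (p_outage, End(OUTAGE_LOSS)), (1 - p_outage, End(0.0))))),
    })


def cost_benefit(p_outage: float) -> Tuple[float, float]:
    """(cost of the response, reduction in expected loss it buys)."""
    tree = build_tree(p_outage)
    cost, with_response = tree.options["install generator"]
    _, without_response = tree.options["accept the risk"]
    return -cost, rollback(with_response) - rollback(without_response)


def sensitivity(probabilities: List[float]) -> List[Tuple[float, str]]:
    """One-at-a-time sensitivity: vary the outage probability, hold the
    other inputs at baseline, record which option wins."""
    return [(p, best_option(build_tree(p))) for p in probabilities]


def breakeven_probability(lo: float = 0.0, hi: float = 1.0,
                          tol: float = 1e-6) -> float:
    """Bisection for the outage probability at which both options tie.
    The EMV difference (generator minus accept) increases with p here."""
    def diff(p: float) -> float:
        t = build_tree(p)
        g_cost, g_node = t.options["install generator"]
        a_cost, a_node = t.options["accept the risk"]
        return (g_cost + rollback(g_node)) - (a_cost + rollback(a_node))

    while hi - lo > tol:
        mid = (lo + hi) / 2
        if diff(mid) > 0:
            hi = mid   # generator already wins at mid, so the tie is lower
        else:
            lo = mid
    return (lo + hi) / 2


if __name__ == "__main__":
    print("EMV at p=0.15:", rollback(build_tree(0.15)), best_option(build_tree(0.15)))
    print("cost vs benefit:", cost_benefit(0.15))
    print("sensitivity:", sensitivity([0.05, 0.10, 0.15, 0.30]))
    print("breakeven p:", round(breakeven_probability(), 4))
```

At the baseline probability the generator costs 40,000 and removes 67,500 of expected loss, so it is the better option; the sweep shows the choice flips to accepting the risk once the estimated probability drops below roughly 0.089. That switching point is the practical output of the sensitivity analysis: if the probability estimate is anywhere near it, the estimate deserves more work before the response is committed to.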

Risk exposure trends

see Risk Techniques mind map (extending M_o_R®)

see also Risk Management Techniques in: IEC/FDIS 31010 Risk Management - Risk Assessment Techniques

M_o_R® Official publications

Copyright © AXELOS Limited.

Management of Risk: Guidance for Practitioners

ISBN-13: 978-0113312740

Published: 2010

Pages: 154

http://www.amazon.co.uk/Management-risk-guidance-practitioners-Government/dp/0113312741/

The key M_o_R® publication and the basis for the Foundation and Practitioner exams.

Management of Risk Pocketbook

ISBN-13: 978-0113312986

Published: 2010

Pages: 59

http://www.amazon.co.uk/Management-risk-pocketbook-pack-copies/dp/0113312989

M_o_R® Perspectives (4)

Image courtesy of the AXELOS Ltd.

M_o_R® defines 4 Perspectives

Strategic, Long-term goals, sets the context for decisions at other levels., Management of risk at the strategic level is concerned with setting strategic direction and balancing potential opportunity against the costs and risks., High-level appraisals of strategic risks are a major feature of the business case when plans for change are being considered., At the strategic level the concerns are about where the organisation wants to go, how to get there and how to ensure survival., goal, Ensuring business success of the organization., Management of stakeholder perceptions that would affect the reputation of an organization., time-frame, long-term goals, context, business success, business vitality, finance, reputation, core services, organization / enterprise capabilities, resources, ..., portfolio management, MoP® - Management of Portfolios standard, see MoP® mind map, Those with key responsibilities for risk management from this perspective will be the Management Board, the Accounting Officer (public sector) or CEO (private sector), the Executive Management Team and the Head(s) of the Audit and/or Risk Committees.

Programme, At the programme level, managers are responsible for transforming high level strategy into new ways of working to deliver benefits to the organisation., goal, Delivering business change with measurable benefits., Delivering business transformation., Delivering outcomes., time-frame, medium-term goals, in general length of the programme, context, benefits, capabilities, possibilities, business transformation, ..., programme management, MSP® - Managing Successful Programmes standard, see MSP® mind map, Those with key responsibilities for risk management from this perspective will be the Sponsoring Group, Programme Board, Senior Responsible Owner (SRO), Programme Manager and Business Change Managers (BCMs).

Project, Risk management at the project level focuses on keeping unwanted outcomes to the minimum., Decisions about risk management at this level form an important part of the business case; where providers and/or partners are involved you must gain a shared view of the risks and how they will be manag, goal, Producing defined business change products within time, cost, scope etc. constraints., Delivering products / outputs., time-frame, medium-term goals, in general length of the project, context, time, budget, quality, scope, ..., project management, PRINCE2® - PRojects IN Controlled Environments 2, see PRINCE2® mind map, PRINCE2 Agile®, see PRINCE2 Agile® mind map, Those with key responsibilities for risk management from this perspective will be the Project Board, Project Sponsor (or SRO or Executive), and Project Manager.

Operational, Risk management at the operational level is primarily concerned with continuity of business services., Emphasis is on short-term goals to ensure ongoing continuity of business services, Decisions about risk at this level must also support the achievement of long- and medium-term goals., goal, Maintaining business services to appropriate levels., Day-to-day management., Business as Usual (BaU)., Ensure ongoing continuity of business services., time-frame, short-term goals, context, quality of service, volume, internal control, revenue, staff, staff health, fatal accidents, customer turnover, ..., Those with key responsibilities for risk management from this perspective will be the Executive Management Team, Operational Directors / Heads of Operations, and Operational Managers.

Each organizational activity (programme, project) in each perspective has its own M_o_R® Process

e.g. each project in the Project Perspective has its own M_o_R® Process and a Project Manager responsible for that process.

M_o_R® Related resources

The Orange Book - Management of Risk - Principles and Concepts [2004]

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/220647/orange_book.pdf

What is it?, Document which defines a process for risk management that is the foundation of the M_o_R® process. The M_o_R® process is very similar to the Orange Book process., Knowledge from this publication is not checked on M_o_R® exams.

UK Corporate Governance Code [09.2012]

https://www.frc.org.uk/Our-Work/Publications/Corporate-Governance/UK-Corporate-Governance-Code-September-2012.aspx

What is it?, Document which is the foundation for M_o_R® and the M_o_R® Principles, Knowledge from this publication is not checked on M_o_R® exams.

M_o_R® - process based standard and framework from UK (not methodology) for general (not industry specific e.g. IT or Engineering) corporate-wide / holistic Risk Management, yet (arguably) M_o_R® is not considered to be an Enterprise Risk Management (ERM) standard. M_o_R® is one of the 12 recognized globally and practically proven management standards from AXELOS® Global Best Practice family of UK standards.

M_o_R® v1 was published in 05.2002.

M_o_R® v2 was published in 03.2006.

M_o_R® v3, newest version is from 12.2010.

How M_o_R® fits into AXELOS® Global Best Practices family of UK standards.

M_o_R® in AXELOS® Global Best Practices family

AXELOS® Global Best Practices family of standards from UK.

PRINCE2® Agile, see PRINCE2® Agile mind map

ITIL®, see ITIL® mind map

M_o_R® - Management of Risk, see M_o_R® mind map

MoV® - Management of Value, see MoV® mind map

MoP® - Management of Portfolios, see MoP® mind map

MSP® - Managing Successful Programmes, see MSP® mind map

PRINCE2® - PRojects IN Controlled Environments, see PRINCE2® mind map

P3O® - Portfolio, Programme and Project Office, see P3O® mind map

yet remember - "In reality there are no such things as best practices. There are only practices that are good within a certain context."

Since 2000 the Office of Government Commerce (OGC), former owner of PRINCE2® (and other Best Management Practices) has been the custodian of the portfolio on behalf of UKG. In June 2010 as a result of UKG reorganisation the Minister for the Cabinet Office announced that the PRINCE2® functions have moved into Cabinet Office.

AXELOS is a joint venture company, created by the Cabinet Office on behalf of Her Majesty's Government (HMG) in the United Kingdom and Capita plc, to run the Best Management Practice portfolio, now called AXELOS Global Best Practice

https://www.gov.uk/government/publications/best-management-practice-portfolio/about-the-office-of-government-commerce

M_o_R® consists of: 1 Framework, 8 Principles, 4 Perspectives, 1 Process (sequential with 4 main steps and 2 substeps), 6 Roles, 9 Documents, 27 Techniques.

Download: Best Management Practice - M_o_R 10 Years on presentation v0.3 [18.05.2012]

Download: M_o_R® - Processes vs Techniques Matrix

M_o_R® Framework (1)

Image courtesy of the AXELOS Ltd.

The M_o_R® Framework consists of 4 components:

M_o_R® Principles, outer ring, Derived from corporate governance principles presented in the UK Corporate Governance Code [newest version, 09.2012] in the recognition that risk management is a subset of an organization's internal controls., The M_o_R® principles are intended to guide rather than dictate, so that organizations can develop their own policies, process, strategies and plans to meet their specific needs., M_o_R® Principles are guidelines / best practices, not strict rules, in comparison to PRINCE2® principles., For risk management to become more than a compliance-led activity within an organization, the value of risk management, measured by the return on investment (ROI) of risk management work, must be determined and communicated., see M_o_R Principles for more information ...

M_o_R® Process, inner ring (including Communicate), 4 main process steps, which describe the inputs, outputs and activities involved in ensuring that risk is managed., The process is divided into 4 main process steps: identify, assess, plan and implement., Each step describes the inputs, outputs, tasks and techniques involved to ensure that the overall process is effective., see M_o_R Process for more information ...

M_o_R® Approach, arrows, The way in which the principles are implemented will vary from organization to organization., Accordingly, an organization's approach to the principles needs to be agreed and defined within a Risk Management Policy, Process Guide and Strategies., Organizations should develop an approach to the management of risk that reflects their unique objectives., It is common for organizations to describe their approach through their policies, processes, strategies and plans., Principles need to be adapted and adopted to suit each individual organization., M_o_R® is not 'one size fits all', M_o_R® has to be tailored to the organisation's context, market, sector etc., M_o_R® is generic - not industry specific (i.e. IT, Engineering, Healthcare etc.), Principles need to be adopted and adapted within M_o_R® documents such as:, Risk Management Policy, Risk Management Process Guide, Risk Management Strategies, Risk Register, Issue Register, ..., see M_o_R Approach for more information ...

Embed and Review M_o_R, middle ring, Risk management should be integrated into the culture of the organization., How an organization manages risk is an expression of its core values and communicates to stakeholders its appetite for and attitude to risk-taking., A disconnected or unmanaged approach to risk management is more likely to lead to reactive rather than proactive management where unforeseen issues are commonplace., It is important therefore to embed risk management into the culture and to put in place mechanisms to review and confirm that the approach to risk management remains appropriate given the organization’s objectives and context., Health checks and maturity models are methods to support organizational efforts to gain maximum value from their investment in risk management, M_o_R® Principles, Approach and Processes, an organization needs to ensure they are consistently applied (implemented and sustained) and that their application involves continual improvement for better effectiveness and lessons learned application., Having put in place an approach and process that satisfy the principles, an organization should ensure that these are consistently applied across the organization and that their application undergoes continual improvement in order for them to remain effective., see Risk Management Health Check for more information ..., see Risk Management Maturity Model for more information ...

M_o_R® Non-official publications

Risk Management Based on M_o_R: A Management Guide

ISBN-13: 978-9077212684

Published: 2006

Pages: 72

http://www.amazon.com/Risk-Management-Guide-Based-M_o_R/dp/907721268X

Publication is based on older version of M_o_R - version 2

M_o_R® Official resources

Copyright © AXELOS Limited.

M_o_R® sample exams, available online

M_o_R® Foundation, http://online.apmg-exams.com/index.aspx?subid=35&masterid=5

M_o_R® examination syllabus

EN, http://www.mor-officialsite.com/nmsruntime/saveasdialog.aspx?lID=432&sID=143

PL, http://www.mor-officialsite.com/nmsruntime/saveasdialog.aspx?lID=550&sID=143

M_o_R® glossary

EN, http://www.mor-officialsite.com/nmsruntime/saveasdialog.aspx?lID=398&sID=177

PL, http://www.mor-officialsite.com/nmsruntime/saveasdialog.aspx?lID=400&sID=177

M_o_R® White Papers

Everything you wanted to know about Management of Risk (M_o_R®) in less than 1000 words, http://www.axelos.com/gempdf/MoR_1000Words_White_Paper_Dec11.pdf

Management of Risk: Guidance for Practitioners and the international standard on risk management, ISO 31000:2009, http://www.axelos.com/gempdf/Management_of_Risk_Guidance_for_Practitioners_and_the_International_Standard_on_Risk_Management_ISO31000_2009.pdf

Corporate Governance and Management of Risk (M_o_R®), http://www.best-management-practice.com/gempdf/Corporate_Governance_and_Management_of_Risk.pdf

Applying Management of Risk (M_o_R®) for Public Services, http://www.best-management-practice.com/gempdf/Applying_Management_of_Risk_for_Public_Services_White_Paper_Dec2009.pdf

M_o_R® website

http://www.mor-officialsite.com/

Risk Specialism

Risk specialism means nothing more than risk management standards / norms / frameworks dedicated to specific domain (IT, environment, etc.), rather than generic risk management like M_o_R®

M_o_R® official Handbook mentions several risk management standards as listed below.

Yet there is a "forest" of standards dedicated to risk management in specific field.

Business continuity management (BCM)

ISO 22301, http://www.iso.org/iso/catalogue_detail?csnumber=50038

BS 25999-1, http://shop.bsigroup.com/en/ProductDetail/?pid=000000000030157563&rdt=wmt

BS 25999-2, http://shop.bsigroup.com/en/ProductDetail/?pid=000000000030169700&rdt=wmt

BS 25777, http://shop.bsigroup.com/ProductDetail/?pid=000000000030166966

Incident and crisis management

ISO/IEC 27035, http://www.iso.org/iso/catalogue_detail?csnumber=44379

The Business Continuity Institute, www.thebci.org

Health and safety management

BS OHSAS 18001

Security risk management

ISO/IEC 27001, http://www.iso.org/iso/home/standards/management-standards/iso27001.htm

ISO/IEC 27005, http://www.iso.org/iso/catalogue_detail?csnumber=56742

ISO/IEC 27034, http://www.iso.org/iso/catalogue_detail.htm?csnumber=44378

Financial risk management

Bank for International Settlements, www.bis.org

Basel III

ISO/IEC TR 27015, http://www.iso.org/iso/catalogue_detail?csnumber=43755

Environmental risk management

ISO 14001, http://www.iso.org/iso/iso14000

Reputational risk management

Contract risk management

Good Practice Contract Management Framework

M_o_R® Risk Management Maturity Model (1)

Maturity Models are a valuable tool in enabling organizations to benchmark their current capability and maturity (in risk, quality, project, programme management - depending on maturity model), and for understanding how and where improvement may be achieved.

Risk Maturity Model is a commonly accepted reference model or framework of mature practices for appraising an organization’s risk management competency.

The common structure for a maturity model is a matrix.

A format for benchmarking an organization’s current capability and maturity in risk management and how to improve areas to increase maturity levels

Maturity models are typically composed of four or five levels of maturity and the quality of the processes within each level is described by the use of assessment criteria.

There is no limit on the number of criteria that might be adopted, although models commonly contain fewer than 10 to avoid becoming unwieldy.

Provide a well-structured and detailed guide to facilitate the progressive incremental improvement in risk management practices.

A risk maturity model enables organisations to determine through the use of assessment their level of risk management maturity when measured against the criteria included in the model.

A maturity model provides:

A starting point for moving forward

A road-map for process improvement

A vehicle for benchmarking the risk management processes

A place to capture the organisation’s previous experiences and current capabilities

A common language

A communication tool to describe succinctly the current status and what is possible

A framework for prioritizing actions

A way of describing what improvement means specific to the organisation

A shared goal

Help to motivate staff

Help to reach strategic objectives

To maintain maturity, organisations will need to:

Establish continual improvement process

Use lessons learned to inform and refine existing processes

Apply audit & review techniques to ensure risk management techniques are effective

Invest in improving risk processes, tools, techniques and training

Keep policies and internal guidance up-to-date

Ensure they apply risk management to all types of activities

Maintain the risk management culture

The M_o_R principles outline examples of where measurable organisational value would be expected as a result of implementing risk management and embedding a risk-based approach to decision-making into the organisational culture.

The use of maturity models is now widespread, with international adoption across multiple industries.

Maturity models exist not only for risk management but also for quality, integration, project management, etc.

see Maturity Models mind map

M_o_R® Risk Management Health Check (1)

The management of risk health check is a tool for checking the health of current risk management practices and for identifying areas where its application might be improved.

In M_o_R® it is simply a set of questions dedicated to checking how well each M_o_R® principle has been implemented., For each principle there are roughly 15 questions to ask.

The health check presented in M_o_R® is only a starting point. It should be adopted and adapted to the particular organization.

It is recommended that the 8 management of risk principles are used as a framework for structuring the assessment.

The health check is most useful when preparing and carrying out an organisation-wide assessment.

The health check assesses risk management practice.

To be effective, the health check should be formally administered and repeated to monitor changes over time.

It provides a ‘snapshot’ of the health of risk management at a particular time.

The health check might prove useful:

When considering a new investment

As an integral part of business planning

When preparing to establish commitment to improving risk management

Before or to complement a gateway review

When developing an annual operational plan

May be used for:

Self-assessment

Peer review

External assessment

Each health check will occur using the following steps:

Preparation

Data collection

Data analysis, Identify trends and patterns, note strengths and deficiencies, identify 3-5 key themes, conduct an intermediate review with the sponsor and identify recommendations.

Review and report

M_o_R® Risk Response Options (8)

for Threats (-)

Avoid, This option is about making the uncertain situation certain by removing the risk, This can often be achieved by removing the cause of a threat, Risk avoidance is achieved by deciding not to undertake a risk, either by not taking part in a certain risky activity or by abandoning an asset / source that generates the risk, Avoiding all risks is not a viable strategy, If we do not take risks, we cannot gain the benefits that can arise, Outcome = risk probability of occurrence is 0%, It simply means conducting the activity in a way where the risk is not met

Reduce (a.k.a. Modification), This option chooses definite action now to change the probability and/or impact of the risk, The term ‘mitigate’ is relevant when discussing reduction of a threat, i.e. making the threat less likely to occur and/or reducing the impact if it did., Because this option commits the organization to costs for reduction/enhancement now, response costs must be justified in terms of the change to residual risk, Reduce probability (a.k.a. Prevent), Reduce impact (a.k.a. Mitigate), Reduce probability & impact simultaneously

for Opportunities (+)

Exploit, Exploiting the opportunity aims to make the most of an opportunity that arises by making the probability of its outcome 100%., It uses extensive measures to ensure that the opportunity becomes a certainty., Outcome = risk probability of occurrence is 100%, Risk becomes an issue (opportunity becomes a certainty)

Enhance (a.k.a. Improve), Control methods put in place to increase the likelihood or increase the impact of the opportunity., Enhancement methods are not as extensive as exploit controls because they do not aim at making the opportunity a certainty., Increase probability (but still <100%), Increase impact, Increase probability & impact simultaneously

for Threats & Opportunities

Transfer, By transferring risk, firms pass their own responsibility for dealing with risk events to someone outside of the organisation / programme / project etc., The most typical examples are taking out insurance and outsourcing., (for opportunity) It aims to transfer the opportunity to a more specialised organisation that will help maximise its effects., As the name suggests, a second party is needed for transfer, Transfer means transferring all (100%) of the impact to the second party, You can transfer impact, but you cannot transfer accountability for risk!

Share, ‘Share’ is an option that is different in nature to the transfer response, It seeks multiple parties (2+), typically within a supply chain, to share the risk on a pain/gain share basis, Rarely can risks be entirely shared in this way (for example, the primary risk taker will always need to protect their brand and reputation), but this can be a successful way of encouraging collaboration on risk management activities, particularly in programmes and projects, To share the risk on a pain/gain basis, As the name suggests, a second party is needed for sharing, Sharing means sharing at least a small percentage of the impact with the second party

Accept (a.k.a. Retention), The organisation ‘takes the chance’ that the risk will occur, with its full impact if it did, There is no change to residual risk with the accept option, but neither are any costs incurred now to manage the risk, or to prepare to manage the risk in future, Accepting an opportunity basically leaves everything to chance, Passive Acceptance, Highly NOT recommended, not present in M_o_R®, without monitoring, Active Acceptance, Risk still MUST be actively monitored for any changes in nature (probability, impact, etc.), with monitoring

Prepare Contingent Plans, This option involves preparing plans now, but not taking action now, Most usually associated with the accept option, preparing contingent plans in this instance is saying: ‘We will accept the risk for now, but we'll make a plan for what we’ll do if the situation changes.', This option applies equally to other responses and is often referred to as a ‘fallback’ plan, i.e. what we will do if the original response doesn’t work., Fallback plans apply to all other strategies, even avoiding a threat and exploiting an opportunity, because the plan to avoid/exploit may not be successful despite good intentions., Only reduces impact, Does not change probability

Effect of responses

Basic risk definitions (according to AXELOS®)

Portfolios / Programme / Project Management

Portfolio Management, A coordinated collection of strategic processes and decisions that together enable the most effective balance of organizational change and business as usual (BAU).

Programme Management, The action of carrying out the coordinated organization, direction and implementation of a dossier of projects and transformation activities to achieve outcomes and realize benefits of strategic importance to the business.

Project Management, The planning, delegating, monitoring and control of all aspects of the project, and the motivation of those involved, to achieve the project objectives within the expected performance targets for time, cost, quality, scope, benefits and risks.

Project / Programme / Portfolios

Portfolio, An organization’s change portfolio is the totality of its investment (or segment thereof) in the changes required to achieve its strategic objectives.

Programme, A programme is a temporary, flexible organization created to coordinate, direct and oversee the implementation of a set of related projects and activities in order to deliver outcomes and benefits related to the organization’s strategic objectives., 3 types of programmes, Vision-led programme, Emergent programme, Compliance programme

Project, A temporary organization, usually existing for a much shorter time than a programme, which will deliver one or more outputs in accordance with a specific business case., A particular project may or may not be part of a programme., Whereas programmes deal with outcomes, projects deal with outputs., 5 types of projects, Compulsory project, Not-for-profit project, Evolving (Agile, RUP) project, Customer/supplier project, Multi-organization project

Risk Capacity, Tolerance, Appetite

Risk Capacity, The maximum amount of risk that an organisation, or subset of it, can bear

Risk Tolerance, The threshold levels of risk exposure that, with appropriate approvals, can be exceeded, but which when exceeded will trigger some form of response

Risk Appetite, The amount of risk the organisation, or subset of it, is willing to accept

Risk:

An uncertain event or set of events which, should it occur, will have an effect on the achievement of objectives

Threat (-), An uncertain event that could have a negative impact on objectives or benefits

Opportunity (+), An uncertain event that could have a favourable impact on objectives or benefits

There are a variety of definitions for project risk, although they all possess the basic “uncertainty” and “that matters” components:, “An uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives.” (PMBOK), “An uncertain event or set of circumstances that, should it occur, will have an effect on the achievement of the project’s objectives.” (M_o_R), “Uncertainty of outcome, whether positive opportunity or negative threat.” (PRINCE2), “Loss multiplied by likelihood, where risk is the product of the expected consequences or impact (loss or gain) of the risk event should it occur and the probability (likelihood) that the event will occur.” (ISO/IEO), “The effect of uncertainty on objectives.” (ISO 31000: 2009), “A possible future issue that can be avoided or mitigated.” (CWS), “Any factor that might interfere with the successful completion of a project.” (www.gantthead.com)

Risk Exposure

The combined effect of risks to a set of objectives

Output, Capability, Outcome, Benefits

Output, The deliverable, or output, developed by a project from a planned activity. Any of a project's specialist products (tangible or intangible), e.g., A new just-in-time stock control system, A new IT system, Staff training programme, Revised process

Capability, The completed set of project outputs required to deliver an outcome; exists prior to transition., e.g., The combination of the outputs ready to ’go live’.

Outcome, A new operational state achieved after transition of the capability into live operations. Result of the change derived from USING the project's outputs., e.g., The right materials are available, at the right time, and in the right place

Benefit, The MEASURABLE improvement resulting from an OUTCOME perceived as an ADVANTAGE by ONE or MORE stakeholders, which contributes towards one or more organizational objective(s)., e.g., Fewer stock-outs and consequent interruptions to production., Reduced obsolescent stock and hence lower write-offs., Reduced stock holdings and so less working capital tied up.

Dis-benefit, An outcome perceived as NEGATIVE by ONE or MORE stakeholders. Dis-benefits are actual consequences not risks.

Interactive M_o_R® Glossary

M_o_R® Foundation exam prep questions

http://miroslawdabrowski.com/downloads/M_o_R/Exam%20prep%20questions/

3rd party

Exam-Summaries, http://www.exam-summaries.com/project-programme-management/m-o-r-management-of-risk/212-m-o-r-management-of-risk-9

ILX, http://www.ilxgroup.com/management-of-risk-downloads.asp

This freeware, non-commercial mind map (aligned with the newest version of M_o_R®) was carefully hand-crafted with passion and love for learning and constant improvement, as well as for promoting the M_o_R® standard and framework, and as a learning tool for candidates wanting to gain the M_o_R® qualification. (please share, like and give feedback - your feedback and comments are my main motivation for further elaboration. THX!)

Questions / issues / errors? What do you think about my work? Your comments are highly appreciated. Please don't hesitate to contact me for :-) Mirosław Dąbrowski, Poland/Warsaw.

http://www.miroslawdabrowski.com

http://www.linkedin.com/in/miroslawdabrowski

https://www.google.com/+MiroslawDabrowski

https://play.spotify.com/user/miroslawdabrowski/

https://twitter.com/mirodabrowski

miroslaw_dabrowski