Management of Risk (M_o_R®) study guide mind map
M_o_R® - process based standard and framework from UK (not methodology) for general (not industry specific e.g. IT or Engineering) corporate-wide / holistic Risk Management, yet (arguably) M_o_R® is not considered to be an Enterprise Risk Management (ERM) standard. M_o_R® is one of the 10 recognized globally and practically proven management standards from AXELOS® Global Best Practice family of UK standards. M_o_R® is a registered trade mark of AXELOS Limited.
1. MoR® Foundation courseware
2. Software for Risk Management and GRC
2.1. ActiveRisk
2.1.1. Active Risk Manager (ARM)
2.2. Agiliance
2.2.1. Agiliance RiskVision
2.2.2. Agiliance RiskVision Platform
2.3. Archer
2.3.1. RSA Archer Risk Management
2.4. Bwise
2.4.1. BWise Risk Management
2.5. Chase Cooper Ltd.
2.5.1. aCCelerate
2.6. Cura
2.6.1. Enterprise Risk Management (ERM)
2.7. Enablon RM
2.7.1. Enablon RM – Risk Management
2.8. Evantix GRC, LLC.
2.9. Hiperos
2.9.1. 3PM PLATFORM
2.10. MKinsight
2.10.1. ERP (Enterprise Risk Management)
2.11. LockPath
2.12. Intaver
2.12.1. Risky Project
2.13. MetricStream
2.13.1. Risk Management System
2.14. Modulo
2.14.1. Enterprise Risk Management (ERM)
2.15. Northwest Controlling Corporation Ltd.
2.15.1. Enterprise Risk Manager
2.16. Risk Wizard Pty Ltd.
2.16.1. Risk Wizard
2.17. PAN Software Pty. Ltd.
2.17.1. RiskWare
2.18. Prevalent Networks
2.18.1. Prevalent Vendor Risk Manager (PVRM)
2.19. Process Unity
2.19.1. Enterprise Risk Management
2.20. Resolver
2.20.1. Ballot
2.21. Palisade
2.21.1. @RISK Software
2.22. Rsam
2.22.1. Rsam Enterprise Risk Management (ERM)
2.23. Shared Assessments
2.24. Symantec
2.25. SAS
2.25.1. Book Runner
2.26. Wynyard
2.26.1. Wynyard Risk Management for ERM
3. M_o_R® Principles (8)
3.1. What are principles?
3.1.1. Principles are universally applicable statements.
3.1.1.1. Principles are generic principles - the way in which they are applied must be tailored to suit the organizational circumstances, whilst ensuring the underlying rationale is maintained.
3.1.1.2. Prainciples are the common, universal and high-level factors that underpin success.
3.1.1.3. Principles are universal, self-validating and empowering.
3.1.1.4. They provide guidance to organizations.
3.1.1.5. They guide the organization on what to aim for.
3.2. What are M_o_R® principles?
3.2.1. Because M_o_R® is principles-based, it is able to provide a framework for risk management that can be applied to any organization regardless of its size, complexity, location, or the sector within which it operates.
3.2.2. Principles are based on UK Corporate Governance Code and are aligned to ISO 31000:2009
3.2.2.1. Management of Risk: Guidance for Practitioners and the international standard on risk management, ISO 31000:2009
3.2.2.2. M_o_R® is designed as a guide for practitioners in risk management. Its use enables an organization to comply with the requirements of ISO 31000 in full.
3.2.3. Each M_o_R® Principle is applied accross 4 different Perspectives separately
3.2.4. Principles are essential for the development and maintenance of good risk management practice.
3.2.5. The first 7 principles are enablers.
3.2.5.1. The final 8th principle is the result of implementing risk management well.
3.3. 1. Align with objectives
3.3.1. As the purpose of risk management is to strive to understand and manage the threats and opportunities arising from the objectives of the organization or activity, risk management can only commence when it is clear what these objectives are.
3.3.2. Risk management aligns continually with organizational objectives, goals, mission, vision etc.
3.3.2.1. Objectives may change over time so a key aspect of successful risk management is the shared understanding between stakeholders that risk is dynamic and not static. It is therefore important that risk management anticipates, and is responsive to, change - from within the organisation and in the wider context.
3.3.3. Uncertainty is only important and becomes risk if it impacts (positively or negatively) organization objectives.
3.3.4. Organisations must pay close attention to understanding objectives so that an appropriate balance can be achieved between maximizing opportunities and minimizing threats.
3.3.5. The amount of risk that an organisation is willing to take and the associated amount of risk management that is carried out must align with the organisation’s objectives and it is therefore important for the organisation to determine it risk capacity and risk appetite.
3.3.5.1. It is a prerequisite for identifying risks.
3.3.6. Objectives are different in each perspective:
3.3.6.1. Strategic
3.3.6.1.1. overall efficiency of the organisation’s work and the degree to which users, customers, regulators and shareholders are satisfied with performance, and the organisation’s reputation is enhanced
3.3.6.2. Programme
3.3.6.2.1. relate to the desired change outcomes
3.3.6.3. Project
3.3.6.3.1. focused on delivery of the required scope to the right quality, on time within budget etc.
3.3.6.4. Operational
3.3.6.4.1. routines and processes used to create products and services
3.3.7. Principle supported by:
3.3.7.1. Risk Management Policies
3.3.7.2. Risk Management Strategies
3.3.7.3. Risk Capacity, Tolerance, Appetite
3.3.7.3.1. Risk Capacity
3.3.7.3.2. Risk Tolerance
3.3.7.3.3. Risk Appetite
3.4. 2. Fits the context
3.4.1. Risk management is designed to fit the current context.
3.4.1.1. Adapting the M_o_R® Approach documents cost-effectively to meet the needs of the specific organizational activity (programme, project, business as usual).
3.4.1.2. Adapting software for Risk Management suited and tailored to meet the needs of the specific organizational activity (programme, project, business as usual).
3.4.2. Understanding of the external and internal context and it’s change.
3.4.2.1. Establishing the context
3.4.2.1.1. Define the external and internal parameters that organisations must consider when they manage risk.
3.4.2.2. External context
3.4.2.2.1. An organisation’s external context includes all of the external environmental parameters and factors that influence how it manages risk and tries to achieve its objectives.
3.4.2.2.2. e.g.
3.4.2.3. Internal context
3.4.2.3.1. An organisation’s internal context includes all of the internal environmental parameters and factors that influence how it manages risk and tries to achieve its objectives.
3.4.2.3.2. e.g.
3.4.2.4. The goal of Identify - Context process step is to obtain information about the planned activity and how it fits into the wider organisation and market / society.
3.4.3. Context will change over time, ”Fits the Context” principle is a dynamic activity.
3.4.4. The amount of risk management that is carried out may be affected by the external context in which the organisation operates.
3.4.5. Context is different in each perspective:
3.4.5.1. Strategic
3.4.5.2. Programme
3.4.5.3. Project
3.4.5.4. Operational
3.4.6. Principle supported by:
3.4.6.1. Establishing the context
3.4.6.1.1. External context
3.4.6.1.2. Internal context
3.4.6.2. Risk Management Strategies
3.5. 3. Engage stakeholders
3.5.1. Risk management engages stakeholders and deals with differing perceptions of risk.
3.5.1.1. Risk management should engage with all primary stakeholders to ensure that the objectives of the organization or activity under examination are established and agreed.
3.5.1.2. All major stakeholders should be identified and engaged.
3.5.2. Each organization activity has it's own set of stakeholders and decision-makers.
3.5.2.1. Each with different objectives.
3.5.3. Communication with different stakeholder groups to ensure that their perceptions are clearly understood.
3.5.3.1. A stakeholder is a person / group / organization (internal or external) that can affect or be affected by a decision or an activity.
3.5.3.2. Stakeholders also include those who have the perception that a decision or an activity can affect them.
3.5.3.3. Stakeholders can be clients, partners, suppliers, regulators, decision-makers, staff and any group who have an interest in the organisation.
3.5.4. Different stakeholder groups often have different perceptions of risk.
3.5.4.1. Different stakeholders can either facilitate or hinder the achievement of objectives.
3.5.4.2. It is therefore important to adopt the appropriate level and style of communication with different stakeholder groups to ensure that their perceptions are clearly understood.
3.5.5. When new projects are started, all relevant stakeholders should be informed of this.
3.5.6. Ensuring proactive and timely involvement of stakeholders helps to:
3.5.6.1. Improve risk identification
3.5.6.2. Ensure that differences are understood and resolved
3.5.6.3. Increase ownership of actions
3.5.6.4. Minimize resistance
3.5.7. Stakeholders are different in each perspective:
3.5.7.1. Strategic
3.5.7.2. Programme
3.5.7.3. Project
3.5.7.4. Operational
3.5.8. Principle supported by:
3.5.8.1. Workshops
3.5.8.2. Meetings
3.5.8.3. Interviews
3.5.8.4. Risk Management Communication Plans
3.5.8.5. Risk Progress Reports
3.6. 4. Provides clear guidance
3.6.1. Risk management provides clear and coherent guidance to stakeholders.
3.6.1.1. Risk management practices must be clear so stakeholders can understand how the organisation identifies, assesses and controls risks to objectives.
3.6.2. A coherent approach brings consistency and a clear understanding of how much effort to invest in risk management and when.
3.6.2.1. Risk management must be integrated to form a coherent approach across the organisation.
3.6.2.2. Coherent approach brings consistency and a clear understanding of how much effort to invest in risk management and when.
3.6.3. Risk practices must be:
3.6.3.1. Logical
3.6.3.2. Orderly
3.6.3.3. Consistent
3.6.4. It is important to avoid a one-size fits all / ‘tick-box’ approach to risk management as this would leave the organisation highly exposed to risk.
3.6.5. Principle supported by:
3.6.5.1. Risk Management Policies
3.6.5.2. Risk Management Process Guide
3.6.5.3. Risk Management Strategies
3.7. 5. Informs decision-making
3.7.1. Risk management is linked to and informs decision-making across the organization.
3.7.2. Given that risks influence every decision, risk management must help decision-makers understand the relative merits, threat and opportunities associated with different courses of action so they can make an informed choice.
3.7.2.1. The main mechanism to achieve this is through the application of risk tolerance thresholds for each organisational objective.
3.7.2.1.1. The tolerances are defined by considering the risk appetite for each activity in question in the context of the overall organisations risk capacity.
3.7.3. EWI - a leading indicator of a KPI.
3.7.3.1. Leading indicators for organisational objectives measured ultimately by a key performance indicator.
3.7.4. A KPI is a performance measure used to help evaluate progress.
3.7.4.1. Measures of performance used to help organisations define and evaluate how successful they are in making progress towards their objectives.
3.7.4.2. KPI should be the vital navigation instruments used by managers to understand whether their business is on a successful voyage of whether it is veering off the proseprous path.
3.7.4.3. KPIs should form part of the decision-making process for every employee, and everyone should be able to answer the question “How will what I am doing affect our KPIs?” in relation to every aspect of their job.
3.7.4.4. Ensure everybody understands how the metrics you are gathering will affect your strategic priorities.
3.7.4.4.1. This will increase the “buy in” - how personally involved and enthusiastic about your priorities your staff feel, and ensure that constant review and improvement are at the heart of every level of your business.
3.7.4.5. If a KPI isn’t useful in helping you or others in your business make better decisions which in turn will improve your business’s performance, then it’s just noise.
3.7.4.6. 25 Need-to-Know Key Performance Indicators
3.7.4.6.1. http://www.amazon.co.uk/gp/product/1292016477/
3.7.5. Principle supported by:
3.7.5.1. Risk Management Strategies
3.7.5.2. Risk Management Communication Plans
3.8. 6. Facilitates continual improvement
3.8.1. Organizations that are interested in continual improvement should develop strategies to improve their risk maturity to enable them to plan and implement step changes in their risk management practices
3.8.2. Risk management uses historical data and facilitates learning and continual improvement.
3.8.3. There are several ways in which risk management facilitates the continual improvement principle.
3.8.4. Learn from experience by collecting actual performance data to accumulate historical data to draw upon.
3.8.4.1. This can help to inform estimates, risk responses, forecasts and decisions.
3.8.5. M_o_R® Health Check can support internal control.
3.8.5.1. System of internal control to safeguard shareholders.
3.8.5.2. Healthcheck checks the status and robustness of current risk management and helps to identify areas for improvement.
3.8.6. Another method that can help organisations to decide how to continually improve is the maturity model.
3.8.6.1. You need to prepare a realistic plan to modify practices in risk management, in order to meet the needs of the next level of maturity.
3.8.6.2. The transition from one level of maturity to another should be managed as a project - with clear objectives, resources, schedule and business justification.
3.8.7. Principle supported by:
3.8.7.1. M_o_R® Health Check
3.8.7.2. M_o_R® Maturity Model
3.8.7.3. Risk Improvement Plans
3.9. 7. Creates a supportive culture
3.9.1. Senior managers need to demonstrate the importance of risk management via policies and actions.
3.9.1.1. Chairman of the Board should be in relation to risk management act as a sponsor.
3.9.2. Organizations should establish the right culture to support management of risk throughout the organization.
3.9.2.1. Senior management should allow an open and general discussion of the risks, without fear of retribution (a climate of mutual trust).
3.9.2.2. Publication and dissemination of articles on risk.
3.9.3. A supportive culture will be one that embeds risk management into day-to-day operations and recognises the benefits of risk management.
3.9.3.1. Risk management needs to be embedded into day-to-day activities and wins and losses need to be treated as opportunities for improvement.
3.9.3.2. Leaders of risk management - to promote best practices in daily activities.
3.9.4. Risk management creates a culture that recognizes uncertainty and supports considered risk-taking.
3.9.4.1. The inclusion of responsibility for risk management to job descriptions, objectives of employees and periodic evaluations.
3.9.5. For risk management to add value, an organisational culture must be created which recognizes that taking calculated chances is appropriate when matched to appetite.
3.9.5.1. Having zero risk is nether achievable or even desirable.
3.9.6. Management culture based on rapid punishment of staff, prefers to focus on the negative phenomena, not eliminates the tendency to blame and reluctant to spend time looking for the root cause, is an obstacle.
3.9.6.1. Established a code of conduct, policy on human resources and incentive schemes are important factors to support effective risk management.
3.9.7. The organization should be used in a sustainable way both systems consisting of motivation, as well as for punishment.
3.9.8. Organizations should implement risk management in all its branches, so that it becomes part of the routine activity.
3.9.9. A number of indicators can be used to judge the success of efforts to build a risk management culture.
3.9.9.1. Questionnaires
3.9.9.1.1. To collect information
3.9.9.2. Benchmarks
3.9.9.2.1. To measure the impact that an awareness programme has had on an organisation
3.9.9.3. Return on the value/cost deployed
3.9.9.3.1. i.e. benefits achieved as a result of investment made
3.9.9.4. Degree of risk management integration
3.9.9.4.1. The extent to which risk management has been integrated within the culture of the organisation
3.9.9.5. Freedom, detail and speed of identification/reporting
3.9.9.5.1. A measurement of the improvement risk management has had to the organisation
3.9.9.6. Ease of making and understanding risk based decisions
3.9.9.7. Risk-aware culture
3.9.9.7.1. Enables preventative and proactive views and decisions to be made as part of a risk-informed decision-making process.
3.9.10. Principle supported by:
3.9.10.1. Risk Management Policies
3.9.10.2. "learning culture"
3.10. 8. Achieves measurable value
3.10.1. Using a structured approach to risk management is intended to create and protect organisational value, however value is measured in a particular organisation.
3.10.2. Risk management enables achievement of measurable organizational value.
3.10.2.1. Tracks the performance of the organization with regard to regulatory controls.
3.10.2.2. ”Prevention is better than cure”
3.10.3. This principle is an outcome of all previous principles.
3.10.4. Investing in risk management is expected to provide a tangible return for the organisation.
3.10.4.1. It is important to establish baselines and processes to measure performance and ensure that investment is justified on an on-going basis.
3.10.5. The organisation should not just measure process compliance, but show that risk management has:
3.10.5.1. Reduced waste / re-work levels
3.10.5.2. Increased client / user confidence
3.10.5.3. Improved regulatory performance
4. M_o_R® Approach (9)
4.1. There are likely to be many instances of each type of document in larger organisations.
4.2. The way in which the M_o_R® Principles are implemented will vary from organization to organization. Collectively the principles provide a foundation from which risk management practices can be developed.
4.2.1. These practices describe how risk management will be applied throughout an organization - the M_o_R® Approach.
4.3. Central documents
4.3.1. The corporate risk policies, processes, strategies and plans describe:
4.3.1.1. Activities which are routinely subject to risk identification, assessment and control
4.3.1.2. When risk processes should be carried out
4.3.1.3. Who will undertake risk management steps
4.3.1.4. Who will oversee the application of risk management
4.3.1.5. The benefits the process aims to achieve.
4.3.2. Risk Management Policy (A.1)
4.3.2.1. What is it?
4.3.2.1.1. Provides a high-level statement showing how risk management will be handled throughout the organisation.
4.3.2.1.2. The purpose of the Risk Management Policy is to communicate how risk management will be implemented throughout an organisation to support the realisation of its strategic objectives.
4.3.2.1.3. Describes why risk management is important to the organization, and the specific objectives served by implementing a formal risk management approach
4.3.2.1.4. It strives to accomplish uniformity across risk management processes.
4.3.2.1.5. For smaller organisations there may only be a single policy.
4.3.2.1.6. Whatever the situation, each policy should be reviewed and updated at least annually.
4.3.2.1.7. In general WHY and HOW.
4.3.2.2. Recommended content
4.3.2.2.1. Introduction
4.3.2.2.2. Risk appetite and capacity
4.3.2.2.3. Risk tolerance thresholds
4.3.2.2.4. Procedure for escalation and delegation
4.3.2.2.5. Roles and responsibilities
4.3.2.2.6. Glossary of terms
4.3.2.2.7. Risk management proces
4.3.2.2.8. KPIs and EWIs
4.3.2.2.9. When risk management should be implemented
4.3.2.2.10. Reporting
4.3.2.2.11. Budget
4.3.2.2.12. Quality assurance
4.3.2.2.13. Annual review
4.3.3. Risk Management Process Guide (A.2)
4.3.3.1. What is it?
4.3.3.1.1. Describes the series of steps (from identify through to implement) and their respective associated activities, necessary to implement risk management.
4.3.3.1.2. The purpose of the Risk Management Process Guide is to describe the series of steps and the respective associated activities, necessary to implement risk management.
4.3.3.1.3. The process should be tailored to the organisation and be suitable for types of activity across the organisation.
4.3.3.1.4. It should be applicable to all levels of management and activity.
4.3.3.1.5. This document should describe a best practice approach that will support a consistent method and deliver effective risk management.
4.3.3.1.6. Describes how an organization intends to carry out risk management and the role and responsibility of people who perform risk management related tasks
4.3.3.2. Recommended content
4.3.3.2.1. Introduction
4.3.3.2.2. Roles and responsibilities
4.3.3.2.3. Steps in the process
4.3.3.2.4. Tools and techniques
4.3.3.2.5. Templates
4.3.3.2.6. Glossary of terms
4.3.4. Risk Management Strategy (A.3)
4.3.4.1. What is it?
4.3.4.1.1. The purpose of the Risk Management Strategy is to describe for a particular organisational activity the specific risk management activities that will be undertaken.
4.3.4.1.2. Separate Risk Management Strategies should be produced for each organization activity undertaken within the strategic, programme, project and operational perspectives.
4.3.4.1.3. Describes risk categories for a particular activity (programme, project, business as usual / BaU)
4.3.4.1.4. Explain the amount of risk an organizational activity wants to take in particular activity (programme, project, business as usual)
4.3.4.1.5. Communicate the amount of risk that can be taken in practicular activity (programme, project, business as usual) without escalation
4.3.4.1.6. It may include an organisational chart and describe the roles and responsibilities.
4.3.4.1.7. Gain a common understanding of the definition of a medium impact
4.3.4.2. Recommended content
4.3.4.2.1. Introduction
4.3.4.2.2. Summary of the risk management process as applicable to the activity (with reference to the process guide)
4.3.4.2.3. Tools and techniques
4.3.4.2.4. Records
4.3.4.2.5. Reporting
4.3.4.2.6. Roles and responsibilities
4.3.4.2.7. Scales for estimating probability and impact
4.3.4.2.8. Risk tolerance thresholds
4.3.4.2.9. Risk categories
4.3.4.2.10. Budget required
4.3.4.2.11. Templates
4.3.4.2.12. EWIs for KPIs
4.3.4.2.13. Timing of risk management activities
4.3.4.2.14. Glossary of terms
4.4. Supportive documents
4.4.1. Records
4.4.1.1. Risk Register (A.4)
4.4.1.1.1. What is it?
4.4.1.1.2. Recommended content
4.4.1.2. Issue Register (A.5)
4.4.1.2.1. What is it?
4.4.1.2.2. Recommended content
4.4.2. Plans
4.4.2.1. Risk Improvement Plan (A.6)
4.4.2.1.1. What is it?
4.4.2.1.2. Recommended content
4.4.2.2. Risk Communication Plan (A.7)
4.4.2.2.1. What is it?
4.4.2.2.2. Recommended content
4.4.2.3. Risk Response Plan (A.8)
4.4.2.3.1. What is it?
4.4.2.3.2. Recommended content
4.4.3. Reports
4.4.3.1. Risk Progress Report (A.9)
4.4.3.1.1. What is it?
4.4.3.1.2. Recommended content
5. M_o_R® Roles and Responsibilities (6)
5.1. Senior Team
5.1.1. could be in real life a ...
5.1.1.1. Board
5.1.1.2. Management Board
5.1.1.3. Executive team
5.1.1.4. C-level executives
5.1.1.5. Steering group
5.1.1.5.1. Project Steering Committee (or Project Board)
5.1.1.5.2. Program Steering Committee
5.1.1.6. Sponsoring group
5.1.1.7. ...
5.1.2. Responsibilities
5.1.2.1. Writes, owns and assures adherence to the risk management policy
5.1.2.2. Defines the overall risk appetite
5.1.2.3. Reviews the risk management strategy
5.1.2.4. Approves funding for risk management
5.1.2.5. Monitors the risk profile
5.1.2.6. Assures clarity of role and responsibility of other stakeholders
5.1.2.7. Assists with assessing the risk context
5.1.2.8. Monitors and acts on escalated risks
5.1.2.9. Establishes governance
5.2. The Senior Manager appointed to represent the senior team
5.2.1. could be in real life a ...
5.2.1.1. Sponsor
5.2.1.2. The Accounting Officer (public sector)
5.2.1.3. CEO (private sector)
5.2.1.4. Senior Responsible Owner (SRO)
5.2.1.4.1. e.g. Executive in PRINCE2®
5.2.1.4.2. e.g. Senior Responsible Owner in MSP®
5.2.1.5. Chief Risk Officer (CRO)
5.2.1.6. Chief Information Risk Officer (CIRO)
5.2.1.7. Technical Information Security Officer (TISO)
5.2.1.8. Business Information Security Officer (BISO)
5.2.1.9. ...
5.2.2. Responsibilities
5.2.2.1. Ensures that appropriate governance and internal controls are in place
5.2.2.2. Ensures risk management strategy exists
5.2.2.3. Defines and monitors risk tolerances
5.2.2.4. Ensures the risk management policy is implemented
5.2.2.5. Monitors and assesses the balance within the set of risks
5.2.2.6. Owns and manages escalated risks as appropriate
5.2.2.7. Ensures that adequate resources are available to implement the Risk Management Strategy
5.2.2.8. Agrees on the information that will be reported to more senior stakeholders
5.2.2.9. Assists the team in embedding the necessary risk management practices
5.2.2.10. Contributes to identification of key risk areas and assures that Risk Registers are in place for each
5.3. Manager
5.3.1. could be in real life a ...
5.3.1.1. Programme Manager
5.3.1.2. Project Manager
5.3.1.3. Product Manager
5.3.1.4. Product Owner
5.3.1.5. Risk Manager
5.3.1.6. Operations Manager
5.3.1.7. Support Manager
5.3.1.8. Customer Relationships Manager
5.3.1.9. ...
5.3.2. Responsibilities
5.3.2.1. Ensures that Risk Registers, a risk review process and an escalation process are in place
5.3.2.2. Validates risk assessments
5.3.2.3. Identifies the need for investment to fund risks
5.3.2.4. Owns individual risks (including those delegated by the senior manager)
5.3.2.5. Escalates or delegates risks to higher or lower levels in the organization as required
5.3.2.6. Ensures participation in the delivery of risk management
5.3.2.7. Explicitly identifies risk management duties within the terms of engagement of other managers involved in achieving specific objectives
5.3.2.8. Agrees with risk specialists on the timing, number and content of the risk management interventions
5.3.2.9. Agrees the timing and content of Risk Progress Reports
5.3.2.10. Agrees the involvement of the risk manager, audit committee and risk committee as appropriate
5.3.2.11. Establishes how risk management will be integrated with change control and performance management
5.4. Assurance
5.4.1. could be in real life a ...
5.4.1.1. Portfolio Office
5.4.1.2. Programme Office
5.4.1.3. Project Office
5.4.1.4. Internal / External Auditor
5.4.1.5. Compliance unit
5.4.1.6. ...
5.4.2. Responsibilities
5.4.2.1. Assures the senior team that risk accountabilities exist
5.4.2.2. Assures compliance with guidance on internal control
5.4.2.3. Reviews progress and plans in developing and applying the Risk Management Policy
5.4.2.4. Reviews the results of the assessments of management of risk
5.4.2.5. Makes formal assessments and reports of management of risk implementation
5.4.2.6. Ensures risk information is available to inform decision-making
5.5. Risk Specialist
5.5.1. could be in real life a ...
5.5.1.1. Risk Practitioner
5.5.1.2. Risk Coordinator
5.5.1.3. Risk Facilitator
5.5.1.4. ...
5.5.2. Responsibilities
5.5.2.1. Ensures the Risk Management Policy is implemented
5.5.2.2. Carries out ongoing management of risk maturity assessments
5.5.2.3. Develops plans to improve the management of risk
5.5.2.4. Develops management of risk guidance and training
5.5.2.5. Identifies lessons learned and disseminates learning
5.5.2.6. Undertakes risk management training and holds seminars to embed risk management
5.5.2.7. Prepares Risk Management Strategies
5.5.2.8. Prepares stakeholder analysis
5.5.2.9. Prepares a risk breakdown structure or similar
5.5.2.10. Participates in option analysis
5.5.2.11. Carries out risk management interventions
5.5.2.12. Prepares meeting/workshop aids
5.5.2.13. Facilitates risk meetings / workshops
5.5.2.14. Identifies risks
5.5.2.15. Undertakes qualitative and quantitative assessment of risks
5.5.2.16. Prepares Risk Management Reports
5.6. Team
5.6.1. could be in real life a ...
5.6.1.1. Company employees
5.6.1.2. Factory employess
5.6.1.3. Project / Programme team members
5.6.1.4. ...
5.6.2. Responsibilities
5.6.2.1. Participates (as appropriate) in the identification, assessment, planning and management of threats and opportunities
5.6.2.2. Understands the Risk Management Policy and how it affects them
5.6.2.3. Implements the Risk Management Policy within their areas of responsibility
5.6.2.4. Escalates risks as necessary as defined by the Risk Management Policy
6. M_o_R® Process (1)
6.1. M_o_R® Process is sequential
6.2. M_o_R® Process is based on process defined in UK HM Treasury - The Orange Book [2004]
6.3. Each M_o_R® Process exists in one Perspective - each M_o_R® Process is dedicated to specific organizational activity (programme, project, business as usual)
6.3.1. e.g. each programme, project has it's own M_o_R® Process with dedicated process owner - in M_o_R® known as Manager (e.g. Programme Manager, Project Manager)
6.4. Each process step consists of:
6.4.1. Goals
6.4.1.1. The key outcomes of the process
6.4.2. Inputs
6.4.2.1. The information (documents) that is transformed by the process
6.4.3. Outputs
6.4.3.1. The information (documents) produced (or updated) by the process
6.4.4. Techniques
6.4.4.1. The recognized risk management techniques that may be applied (are recommeded by M_o_R®) to the process step to help create the outputs
6.4.5. Tasks
6.4.5.1. The actions that need to be completed to transform the inputs into the outputs with the aid of the techniques.
6.5. Communicate is not a separate step, communication is done as constant activity.
6.5.1. The activity ‘communicate’ deliberately stands alone as the findings of any individual step may be communicated to management for action prior to the completion of the overall process.
6.6. M_o_R® Process has 4 primary process steps. First 2 steps (Identify and Assess) have 2 substeps (Identify - Context, Identify - Risks and Assess - Estimate, Assess - Evaluate) ... yes it's quite bizzare, and for some unclear based on above image, but that's how M_o_R® Process is designed.
6.6.1. https://www.youtube.com/watch?v=YtUkePfNFQ8#t=285
6.6.2. 1. Identify
6.6.2.1. 1. Identify - Context
6.6.2.1.1. Goal
6.6.2.1.2. Recommended techniques by M_o_R®
6.6.2.2. 1. Identify - Risks
6.6.2.2.1. Goal
6.6.2.2.2. Recommended techniques by M_o_R®
6.6.3. 2. Assess
6.6.3.1. 2. Assess - Estimate
6.6.3.1.1. Goal
6.6.3.1.2. M_o_R does not requires approach in determining Probability, Impact and Proximity you will choose
6.6.3.1.3. Recommended techniques by M_o_R®
6.6.3.2. 2. Assess - Evaluate
6.6.3.2.1. Goal
6.6.3.2.2. Recommended techniques by M_o_R®
6.6.4. 3. Plan
6.6.4.1. 3. Plan
6.6.4.1.1. Goal
6.6.4.1.2. Recommended techniques by M_o_R®
6.6.5. 4. Implement
6.6.5.1. 4. Implement
6.6.5.1.1. Goal
6.6.5.1.2. Recommended techniques by M_o_R®
6.6.6. Communicate
6.6.6.1. Rather than being a distinct step in the process, communication is an activity that is carried out throughout the whole process.
6.6.6.2. Effective communication is key to the identification of new threats and opportunities or changes to existing risks.
6.6.6.3. It is also important for management to engage with and seek the participation of staff and the wider stakeholders population.
6.6.6.4. Communication will play a major role in achieving such engagement and participation.
6.7. Common process bariers for success according to M_o_R®.
6.7.1. Lack of an organizational culture that appreciates the benefits of risk management
6.7.2. Immature risk management practices
6.7.3. Lack of risk facilitation resources and time
6.7.4. Lack of policies, process, strategies and plans
6.7.5. Lack of a senior management sponsorship
6.7.6. Lack of training, awernesss, knowledge and formal risk tools and techniques
6.7.7. Lack of clear guidance for managers and staff
6.7.8. Lack of incentives for participation in risk management activities
7. M_o_R® Techniques (27)
7.1. Techniques recommended and used in M_o_R®, but not M_o_R® specific
7.2. Stakeholder analysis (category)
7.2.1. RACI
7.2.1.1. variants
7.2.1.1.1. RACI
7.2.1.1.2. RACI
7.2.1.2. alternatives
7.2.1.2.1. RASCI
7.2.1.2.2. RACI-VS
7.2.1.2.3. RACIO
7.2.1.2.4. DACI
7.2.1.2.5. RAPID®
7.2.2. Staholder Map
7.2.3. Influence / Interest matrix / Power-impact matrix / Power-impact grid
7.2.3.1. Identifies the importance of stakeholders to an activity
7.2.3.1.1. example
7.3. PESTLE analysis
7.3.1. A popular technique for identifying external factors
7.3.2. Help to capture understanding about aspects of the context by using the prompts, Political, Economic, Sociological, Technological, Legal and Environmental (or similar alternative)
7.3.2.1. Political
7.3.2.1.1. What are the key political factors?
7.3.2.1.2. Political factors refer to the degree of government intervention in the economy. The legal and regulatory factors included are labor laws, tax policies, consumer protection laws, employment laws, environmental regulations, and tariff & trade restrictions.
7.3.2.1.3. e.g.
7.3.2.2. Economical
7.3.2.2.1. What are the important economic factors?
7.3.2.2.2. Economical factors include the inflation rate, exchange rate, interest rate, employment/ unemployment rate and other economic growth indicators. The economic factors faced by an organization have a significant impact on how a business carries on its operations in the future.
7.3.2.2.3. e.g.
7.3.2.3. Socialogical / Social
7.3.2.3.1. What cultural aspects are most important?
7.3.2.3.2. Social factors include different cultural and demographic aspects of society that form the macro-environment of the organization. Social factors include career attributes, age distribution, population and its growth rate, health consciousness and safety awareness.
7.3.2.3.3. e.g.
7.3.2.4. Technological
7.3.2.4.1. What technological innovations are likely to occur?
7.3.2.4.2. Technology is evolving at a rapid pace and consumers are becoming extremely tech-savvy. With the advent of new technology, older technology gets outdated and obsolete.
7.3.2.4.3. e.g.
7.3.2.5. Legal
7.3.2.5.1. What current and impending legislation may affect the industry?
7.3.2.5.2. Legal factors include discrimination law, consumer law, antitrust law, employment law, and health and safety law.
7.3.2.5.3. e.g.
7.3.2.6. Environmental
7.3.2.6.1. What are the environmental considerations?
7.3.2.6.2. Environmental factors include ecological and environmental aspects such as weather, climate, and climate change, which may especially affect industries such as tourism, farming, and insurance.
7.3.2.6.3. e.g.
7.3.3. variants
7.3.3.1. ETPS
7.3.3.1.1. Economic, Technical, Political, and Social
7.3.3.2. PEST
7.3.3.2.1. Political, Economic, Social, and Technological
7.3.3.3. PESTELI
7.3.3.4. PESTLESS
7.3.3.5. PESTLIED
7.3.3.5.1. Political, Economic, Social, Technological, Legal, International, Environmental, and Demographic
7.3.3.6. STEEPLE
7.3.3.6.1. Social, Technological, Economic, Ethical, Political, Legal, and Environmental
7.3.3.7. STEEPLED
7.3.3.7.1. Social, Technological, Economic, Environmental, Political, Legal, Educational, and Demographic
7.3.3.8. STEP
7.3.3.8.1. Strategic Trend Evaluation Process
7.3.3.9. STEPE
7.3.3.9.1. Social, Technological, Economic, Political, and Ecological
7.3.4. http://en.wikipedia.org/wiki/PEST_analysis
7.4. SWOT analysis
7.4.1. External factors that may affect the organization's objectives
7.4.2. Commonly used for uncertainty identification in project / programme / strategic risk management, the SWOT analysis considers risk from both the internal and external environment.
7.4.3. Strengths
7.4.3.1. Internal factors of a corporation that help to achieve objectives.
7.4.4. Weaknesses
7.4.4.1. Internal factors that obstruct achieving objectives and can be improved.
7.4.5. Opportunities
7.4.5.1. Factors that are not currently present in the organisation, but could reflect positively on achieving our objectives.
7.4.6. Threats
7.4.6.1. Factors that are not currently present in the organisation, but could reflect negatively on achieving our objectives if they occur.
7.4.7. http://en.wikipedia.org/wiki/SWOT_analysis
7.5. Horizon scanning
7.5.1. Systematic examination of likely future developments that are at the margins of current thinking and planning
7.5.2. Horizon scanning is a means of identifying future risks, opportunities and improvement ideas.
7.6. Probability impact grid
7.6.1. a.k.a. Risk Matrix
7.6.2. Probabilty Impact grids are very common in risk management/internal control and it is also common to assign a summary risk score by combining the 'probability' and 'impact' ratings.
7.6.3. Risks across the organization’s portfolio can be compared between each ther using same probability impact grid
7.6.3.1. example
7.6.3.2. Grid contains ranking values that may be used to rank threats and opportunities qualitatively
7.6.3.3. The probability scales are measures of probability derived from percentages, and the impact scales are selected to reflect the level of impact on project / programme objectives
7.6.4. Same scale for each risks (each project / programme has it's own probability impact grid)
7.6.5. http://en.wikipedia.org/wiki/Risk_Matrix
7.7. Checklists
7.7.1. Checklists for risk identification can be developed based on historical information and knowledge that has been accumulated from previous similar projects and from other sources of information
7.7.2. One advantage of using a checklist is that risk identification is quick and simple
7.7.3. One disadvantage is that it is impossible to build an exhaustive checklist of risks, and the user may be effectively limited to the categories in the list
7.7.4. It is important to review the checklist as a formal step of every project / programme closing procedure to improve the list of potential risks, to improve the description of risks
7.8. Prompt list
7.8.1. Help ensure all aspects are covered when attempting to identify risks
7.8.2. Similar to checklists
7.8.3. Rather than seeking to pre-identify every risk , prompt lists simply identify the various categories of risk that should be considered
7.8.4. The classic prompt list categories where political, economic, social and technological, giving rise to PEST analysis
7.8.5. example
7.8.5.1. Risk Breakdown Structure (RBS)
7.9. Cause and effect diagrams
7.9.1. a.k.a. Ishikawa diagram
7.9.2. a.k.a. Fishbone diagram
7.9.3. Type of Diagramming techniques
7.9.4. The Ishikawa (cause-effect or fishbone) diagram can indeed be used for risk identification
7.9.5. Diagram graphically helps identify and organize possible causes (source) for a specific risk or area of concern.
7.9.6. http://en.wikipedia.org/wiki/Ishikawa_diagram
7.10. Group techniques (category)
7.10.1. Brainstorming
7.10.1.1. Unrestrained or unstructured group discussion
7.10.1.2. Discussion should be led by an experienced facilitator
7.10.1.3. Ideas are not initially censored, all ideas should be recorded no matter how relevant they initially appear to be
7.10.1.3.1. Even bad ideas may trigger good suggestions from other members of the group
7.10.1.4. http://en.wikipedia.org/wiki/Brainstorming
7.10.2. Nominal group
7.10.2.1. Nominal group technique takes brainstorming a step further by adding a voting process to rank the ideas that are generated
7.10.2.1.1. Versus using simple voting, each participant must provide their input and there is discussion regarding the relative ranking that result
7.10.2.1.2. This allows participants to be more engaged in the discussion and in the solutions
7.10.2.2. http://en.wikipedia.org/wiki/Nominal_group_technique
7.10.3. Delphi
7.10.3.1. Another type of survey
7.10.3.2. Acknowledged experts are asked to comment on risks anonymously and independently
7.10.3.3. variants
7.10.3.3.1. Wideband Delphi
7.10.3.4. http://en.wikipedia.org/wiki/Delphi_method
7.11. Questionnaires
7.11.1. Measuring the effect that risk management is having on the culture of an organization
7.11.2. http://en.wikipedia.org/wiki/Questionnaire
7.12. Individual interviews
7.12.1. Effective way of capturing risks
7.12.2. When people are not inhibited by management and peers, they tend to be far more open about their concerns
7.13. Assumptions analysis
7.13.1. Assumptions analysis is a powerful way of exposing project-specific risks, since it addresses the particular assumptions made about a given project.
7.13.2. Requires planners to identify all assumptions being made in the project planning stage as a means of risk reduction
7.13.3. Each assumption is then analyzed to determine its accuracy and to identify all potential project risks if the assumption if later found to be inaccurate.
7.13.4. A simple IF-THEN statement can be written for each assumption
7.14. Constraints analysis
7.15. Risk descriptions
7.16. Probability assessment
7.16.1. Estimating the likelihood of a risk occurring
7.16.2. Investigating the likelihood that each specific risk will occur
7.17. Impact assessment
7.17.1. Investigating the potential effect on a project objective such as schedule, cost, quality or performance (negative effects for threats and positive effects for opportunities)
7.18. Proximity assessment
7.19. Expected value assessment
7.20. Summary risk profiles
7.20.1. Are based on Probability impact grid
7.20.1.1. Probability impact grid provides scales for probability and impact upon which Summary risk profile is populated with current risk status
7.20.2. Colors represent progress with risk response
7.20.2.1. Often RAG system is used or extended RAG
7.20.2.1.1. R - Red
7.20.2.1.2. A - Amber
7.20.2.1.3. G - Green
7.20.2.1.4. extended RAG example
7.20.3. example
7.21. Summary expected value assessment
7.22. Probabilistic risk models
7.23. Probability trees
7.23.1. http://en.wikipedia.org/wiki/Tree_diagram_(probability_theory)
7.24. Sensitivity analysis
7.24.1. Used for determining which risks may have the most potential impact on the project / programme
7.24.2. In sensitivity analysis one looks at the effect of varying the inputs of a mathematical model on the output of the model itself
7.24.3. Examining the effect of the uncertainty of each project element to a specific project objective, when all other uncertain elements are held at their baseline values
7.24.4. http://en.wikipedia.org/wiki/Sensitivity_analysis
7.25. Risk response planning
7.26. Cost-benefit analysis
7.26.1. http://en.wikipedia.org/wiki/Cost%E2%80%93benefit_analysis
7.27. Decision trees
7.27.1. Decision support tool that uses a tree-like graph or model of decisions and their possible consequences, including chance event outcomes, resource costs, and utility.
7.27.2. A decision tree consists of 3 types of nodes:
7.27.2.1. Decision nodes - commonly represented by squares
7.27.2.2. Chance nodes - represented by circles
7.27.2.3. End nodes - represented by triangles
7.27.3. Drawn from left to right, a decision tree has only burst nodes (splitting paths) but no sink nodes (converging paths).
7.27.4. http://en.wikipedia.org/wiki/Decision_tree
7.28. Risk exposure trends
7.29. see Risk Techniques mind map (extending M_o_R®)
7.30. see also Risk Management Techniques in: IEC/FDIS 31010 Risk Management - Risk Assessment Techniques
8. M_o_R® Official publications
8.1. Management of Risk: Guidance for Practitioners
8.1.1. ISBN-13: 978-0113312740
8.1.2. Published: 2010
8.1.3. Pages: 154
8.1.4. http://www.amazon.co.uk/Management-risk-guidance-practitioners-Government/dp/0113312741/
8.1.5. The most important, key position on M_o_R® preparing for exams Foundation and Practitioner.
8.2. Management of Risk Pocketbook
8.2.1. ISBN-13: 978-0113312986
8.2.2. Published: 2010
8.2.3. Pages: 59
8.2.4. http://www.amazon.co.uk/Management-risk-pocketbook-pack-copies/dp/0113312989
9. M_o_R® Perspectives (4)
9.1. M_o_R® defines 4 Perspectives
9.1.1. Strategic
9.1.1.1. Long term goals, sets the context for decisions at other levels.
9.1.1.2. Management of risk at the strategic level is concerned with setting strategic direction and balancing potential opportunity against the costs and risks.
9.1.1.3. High level appraisals of strategic risks are a major feature of the business case when plans for change are being considered.
9.1.1.4. At the strategic level the concerns are about where the organisation wants to go, how to get there and how to ensure survival.
9.1.1.5. goal
9.1.1.5.1. Ensuring business success of the organization.
9.1.1.5.2. Management of stakeholder perceptions that would affect the reputation of an organization.
9.1.1.6. time-frame
9.1.1.6.1. long-term goals
9.1.1.7. context
9.1.1.7.1. business success
9.1.1.7.2. business vitality
9.1.1.7.3. finance
9.1.1.7.4. reputation
9.1.1.7.5. core services
9.1.1.7.6. organization / enterprise capabilities
9.1.1.7.7. resources
9.1.1.7.8. ...
9.1.1.7.9. portfolio management
9.1.1.8. Those with key responsibilities for risk management from this perspective will be the Management Board, The Accounting Officer (public sector) or CEO (private sector), the Executive Management Team and the Head(s) of the Audit and/or Risk Committees.
9.1.2. Programme
9.1.2.1. At the programme level, managers are responsible for transforming high level strategy into new ways of working to deliver benefits to the organisation.
9.1.2.2. goal
9.1.2.2.1. Delivering business change with measurable benefits.
9.1.2.2.2. Delivering business transformation.
9.1.2.2.3. Delivering outcomes.
9.1.2.3. time-frame
9.1.2.3.1. medium-term goals
9.1.2.3.2. in general length of the programme
9.1.2.4. context
9.1.2.4.1. benefits
9.1.2.4.2. capabilities
9.1.2.4.3. possibilities
9.1.2.4.4. business transformation
9.1.2.4.5. ...
9.1.2.4.6. programme management
9.1.2.5. Those with key responsibilities for risk management from this perspective will be the Sponsoring Group, Programme Board, Senior Responsible Owner (SRO), Programme Manager and Business Change Managers (BCMs).
9.1.3. Project
9.1.3.1. Risk management at the project level focuses on keeping unwanted outcomes to the minimum.
9.1.3.2. Decisions about risk management at this level form an important part of the business case; where providers and/or partners are involved you must gain a shared view of the risks and how they will be manag
9.1.3.3. goal
9.1.3.3.1. Producing defined business change products within time, cost, scope etc. constraints.
9.1.3.3.2. Delivering products / outputs.
9.1.3.4. time-frame
9.1.3.4.1. medium-term goals
9.1.3.4.2. in general length of the project
9.1.3.5. context
9.1.3.5.1. time
9.1.3.5.2. budget
9.1.3.5.3. quality
9.1.3.5.4. scope
9.1.3.5.5. ...
9.1.3.5.6. project management
9.1.3.6. Those with key responsibilities for risk management from this perspective will be the Project Board, Project Sponsor (or SRO or Executive), and Project Manager.
9.1.4. Operational
9.1.4.1. Risk management at the operational level is primarily concerned with continuity of business services.
9.1.4.2. Emphasis is on short-term goals to ensure ongoing continuity of business services
9.1.4.3. Decisions about risk at this level must also support the achievement of long- and medium-term goals.
9.1.4.4. goal
9.1.4.4.1. Maintaining business services to appropriate levels.
9.1.4.4.2. Day-to-day management.
9.1.4.4.3. Business as Usual (BaU).
9.1.4.4.4. Ensure ongoing continuity of business services.
9.1.4.5. time-frame
9.1.4.5.1. short-term goals
9.1.4.6. context
9.1.4.6.1. quality of service
9.1.4.6.2. volume
9.1.4.6.3. internal control
9.1.4.6.4. revenue
9.1.4.6.5. staff
9.1.4.6.6. staff health
9.1.4.6.7. fatal accidents
9.1.4.6.8. customer turnover
9.1.4.6.9. ...
9.1.4.7. Those with key responsibilities for risk management from this perspective will be the Executive Management Team, Operational Directors / Heads of Operations, and Operational Managers.
9.2. Each organizational activity (programme, project) in each perspective has it's own M_o_R® Process
9.2.1. e.g. each project on Project Perspective has its own instance of M_o_R® Process and Project Manager accountable or responsible for this process.
10. M_o_R® Related resources
10.1. The Orange Book - Management of Risk - Principles and Concepts [2004]
10.1.1. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/220647/orange_book.pdf
10.1.2. What is it?
10.1.2.1. Document which defines process for risk management which is a foundation of M_o_R® process. M_o_R® process is very similar to Orange Book process
10.1.2.2. Knowledge from this publication is not checked on M_o_R® exams.
10.2. UK Corporate Governance Code [09.2012]
10.2.1. https://www.frc.org.uk/Our-Work/Publications/Corporate-Governance/UK-Corporate-Governance-Code-September-2012.aspx
10.2.2. What is it?
10.2.2.1. Document which is a foundation for M_o_R® and M_o_R® Principles
10.2.2.2. Knowledge from this publication is not checked on M_o_R® exams.
11. M_o_R® - process based standard and framework from UK (not methodology) for general (not industry specific e.g. IT or Engineering) corporate-wide / holistic Risk Management, yet (arguably) by some people M_o_R® is not considered to be an Enterprise Risk Management (ERM) standard. M_o_R® is one of the 12 recognized globally and practically proven management standards from AXELOS® Global Best Practice family of UK standards.
11.1. M_o_R® v1 was published in 05.2002.
11.2. M_o_R® v2 was published in 03.2006.
11.3. M_o_R® v3, newest version is from 12.2010.
11.4. How M_o_R® fits into AXELOS® Global Best Practices family of UK standards.
11.4.1. M_o_R® in AXELOS® Global Best Practices family
11.5. AXELOS® Global Best Practices family of standards from UK.
11.5.1. PRINCE2® Agile
11.5.1.1. see PRINCE2® Agile mind map
11.5.2. ITIL®
11.5.2.1. see ITIL® mind map
11.5.3. M_o_R® - Management of Risk
11.5.3.1. see M_o_R® mind map
11.5.4. MoV® - Management of Value
11.5.4.1. see MoV® mind map
11.5.5. MoP® - Management of Portfolios
11.5.5.1. see MoP® mind map
11.5.6. MSP® - Managing Successful Programmes
11.5.6.1. see MSP® mind map
11.5.7. PRINCE2® - PRojects IN Changing Environments
11.5.7.1. see PRINCE2® mind map
11.5.8. P3O® - Portfolio, Programme and Project Office
11.5.8.1. see P3O® mind map
11.5.9. yet remember - "In reality there are no such things as best practices. There are only practices that are good within a certain context."
11.6. Since 2000 the Office of Government Commerce (OGC), former owner of PRINCE2® (and other Best Management Practices) has been the custodian of the portfolio on behalf of UKG. In June 2010 as a result of UKG reorganisation the Minister for the Cabinet Office announced that the PRINCE2® functions have moved into Cabinet Office.
11.6.1. AXELOS are a new joint venture company, created by the Cabinet Office on behalf of Her Majesty’s Government (HMG) in the United Kingdom and Capita plc to run the Best Management Practice portfolio, now called AXELOS Global Best Practice
11.6.2. https://www.gov.uk/government/publications/best-management-practice-portfolio/about-the-office-of-government-commerce
12. M_o_R® consists of: 1 Framework, 8 Principles, 4 Perspectives, 1 Process (sequential with 4 main steps and 2 substeps), 6 Roles, 9 Documents, 27 Techniques.
12.1. Download: Best Management Practice - M_o_R 10 Years on presentation v0.3 [18.05.2012]
12.2. Download: M_o_R® - Processes vs Techniques Matrix
13. M_o_R® Framework (1)
13.1. The M_o_R® Framework consists of 4 components:
13.1.1. M_o_R® Principles
13.1.1.1. outer ring
13.1.1.1.1. Derived from corporate governance principles presented in UK Corporate Governance Code [newest version, 09.2012] in the recognition that risk management is a subset of an organization's internal controls.
13.1.1.1.2. The M_o_R® principles are intended to guide rather than dictate so that organizations can develop their own policies, process, strategies and plans to meet their specific needs.
13.1.1.1.3. The M_o_R® Principles are guidlines / best practices but not strict rules in comparision to PRINCE2® principles.
13.1.1.1.4. For risk management to become more than a compliance-led activity within an organization, the value of risk management, measured by the return on investment (ROI) of risk management work, must be determined and communicated.
13.1.1.1.5. see M_o_R Principles for more information ...
13.1.2. M_o_R® Process
13.1.2.1. inner ring (including Communicate)
13.1.2.1.1. 4 main process steps, which describe the inputs, outputs and activities involved in ensuring that risk is managed.
13.1.2.1.2. The process is divided into 4 main process steps: identify, assess, plan and implement.
13.1.2.1.3. see M_o_R Process for more information ...
13.1.3. M_o_R® Approach
13.1.3.1. arrows
13.1.3.1.1. The way in which the principles are implemented will vary from organization to organization.
13.1.3.1.2. Organizations should develop an approach to the management of risk that reflects their unique objectives.
13.1.3.1.3. Principles need to be adapted and adopted to suit each individual organization.
13.1.3.1.4. Principles needs to adopted and adapted within M_o_R® documents like:
13.1.4. Embed and Review M_o_R
13.1.4.1. middle ring
13.1.4.1.1. Risk management should be integrated into the culture of the organization.
13.1.4.1.2. How an organization manages risk is an expression of its core values and communicates to stakeholders its appetite for and attitude to risk-taking.
13.1.4.1.3. A disconnected or unmanaged approach to risk management is more likely to lead to reactive rather than proactive management where unforeseen issues are commonplace.
13.1.4.1.4. It is important therefore to embed risk management into the culture and to put in place mechanisms to review and confirm that the approach to risk management remains appropriate given the organization’s objectives and context.
13.1.4.1.5. M_o_R® Principles, Approach and Processes, an organization needs to ensure they are consistently applied (implemented and sustained) and that their application involves continual improvement for better effectiveness and lessons learned application.
13.1.4.1.6. Having put in place an approach and process that satisfy the principles, an organization should ensure that these are consistently applied across the organization and that their application undergoes continual improvement in order for them to remain effective.
13.1.4.1.7. see Risk Management Health Check for more information ...
13.1.4.1.8. see Risk Management Maturity Model for more information ...
14. M_o_R® Non-official publications
14.1. Risk Management Based on M_o_R: A Management Guide
14.1.1. ISBN-13: 978-9077212684
14.1.2. Published: 2006
14.1.3. Pages: 72
14.1.4. http://www.amazon.com/Risk-Management-Guide-Based-M_o_R/dp/907721268X
14.1.5. Publication is based on older version of M_o_R - version 2
15. M_o_R® Official resources
15.1. M_o_R® sample exams, available online
15.1.1. M_o_R® Foundation
15.1.1.1. http://online.apmg-exams.com/index.aspx?subid=35&masterid=5
15.2. M_o_R® examination syllabus
15.2.1. EN
15.2.1.1. http://www.mor-officialsite.com/nmsruntime/saveasdialog.aspx?lID=432&sID=143
15.2.2. PL
15.2.2.1. http://www.mor-officialsite.com/nmsruntime/saveasdialog.aspx?lID=550&sID=143
15.3. M_o_R® glossary
15.3.1. EN
15.3.1.1. http://www.mor-officialsite.com/nmsruntime/saveasdialog.aspx?lID=398&sID=177
15.3.2. PL
15.3.2.1. http://www.mor-officialsite.com/nmsruntime/saveasdialog.aspx?lID=400&sID=177
15.4. M_o_R® White Papers
15.4.1. Everything you wanted to know about Management of Risk (M_o_R®) in less than 1000 words
15.4.1.1. http://www.axelos.com/gempdf/MoR_1000Words_White_Paper_Dec11.pdf
15.4.2. Management of Risk: Guidance for Practitioners and the international standard on risk management, ISO 31000:2009
15.4.2.1. http://www.axelos.com/gempdf/Management_of_Risk_Guidance_for_Practitioners_and_the_International_Standard_on_Risk_Management_ISO31000_2009.pdf
15.4.3. Corporate Governance and Management of Risk (M_o_R®)
15.4.3.1. http://www.best-management-practice.com/gempdf/Corporate_Governance_and_Management_of_Risk.pdf
15.4.4. Applying Management of Risk (M_o_R®) for Public Services
15.4.4.1. http://www.best-management-practice.com/gempdf/Applying_Management_of_Risk_for_Public_Services_White_Paper_Dec2009.pdf
15.5. M_o_R® website
15.5.1. http://www.mor-officialsite.com/
16. Risk Specialism
16.1. Risk specialism means nothing more than risk management standards / norms / frameworks dedicated to specific domain (IT, environment, etc.), rather than generic risk management like M_o_R®
16.2. M_o_R® official Handbook mentions several risk management standards as listed below.
16.2.1. Yet there is a "forest" of standards dedicated to risk management in specific field.
16.3. Business continuity management (BCM)
16.3.1. ISO 22301
16.3.1.1. http://www.iso.org/iso/catalogue_detail?csnumber=50038
16.3.2. BS 25999-1
16.3.2.1. http://shop.bsigroup.com/en/ProductDetail/?pid=000000000030157563&rdt=wmt
16.3.3. BS 25999-2
16.3.3.1. http://shop.bsigroup.com/en/ProductDetail/?pid=000000000030169700&rdt=wmt
16.3.4. BS 25777
16.3.4.1. http://shop.bsigroup.com/ProductDetail/?pid=000000000030166966
16.4. Incident and crisis management
16.4.1. ISO/IEC 27035
16.4.1.1. http://www.iso.org/iso/catalogue_detail?csnumber=44379
16.4.2. The Business Continuity Institute
16.4.2.1. www.thebci.org
16.5. Health and safety management
16.5.1. BS OHSAS 18001
16.6. Security risk management
16.6.1. ISO/EIC 27001
16.6.1.1. http://www.iso.org/iso/home/standards/management-standards/iso27001.htm
16.6.2. ISO/IEC 27005
16.6.2.1. http://www.iso.org/iso/catalogue_detail?csnumber=56742
16.6.3. ISO/IEC 27034
16.6.3.1. http://www.iso.org/iso/catalogue_detail.htm?csnumber=44378
16.7. Financial risk management
16.7.1. Bank for International Settlements
16.7.1.1. www.bis.org
16.7.2. BESEL III
16.7.3. ISO/IEC TR 27015
16.7.3.1. http://www.iso.org/iso/catalogue_detail?csnumber=43755
16.8. Environmental risk management
16.8.1. ISO 14001
16.8.1.1. http://www.iso.org/iso/iso14000
16.9. Reputational risk management
16.10. Contract risk management
16.10.1. Good Practice Contract Management Framework
17. M_o_R® Risk Management Maturity Model (1)
17.1. Maturity Models are a valuable tool in enabling organizations to benchmark their current capability and maturity (in risk, quality, project, programme management - depending on maturity model), and for understanding how and where improvement may be achieved.
17.1.1. Risk Maturity Model is a commonly accepted reference model or framework of mature practices for appraising an organization’s risk management competency.
17.1.2. The common structure for a maturity model is a matrix.
17.2. A format for benchmarking an organization’s current capability and maturity in risk management and how to improve areas to increase maturity levels
17.2.1. Maturity models are typically composed of four or five levels of maturity and the quality of the processes within each level is described by the use of assessment criteria.
17.2.2. There is no limit on the number of criteria that might be adopted, although models commonly contain fewer than 10 to avoid becoming unwieldy.
17.3. Provide a well-structured and detailed guide to facilitate the progressive incremental improvement in risk management practices.
17.3.1. A risk maturity model enables organisations to determine through the use of assessment their level of risk management maturity when measured against the criteria included in the model.
17.4. A maturity model provides:
17.4.1. A starting point for moving forward
17.4.2. A road-map for process improvement
17.4.3. A vehicle for benchmarking the risk management processes
17.4.4. A place to capture the organisation’s previous experiences and current capabilities
17.4.5. A common language
17.4.6. A communication tool to describe succinctly the current status and what is possible
17.4.7. A framework for prioritizing actions
17.4.8. A way of describing what improvement means specific to the organisation
17.4.9. A shared goal
17.4.10. Help to motivate staff
17.4.11. Help to reach strategic objectives
17.5. To maintain maturity, organisations will need to:
17.5.1. Establish continual improvement process
17.5.2. Use lessons learned to inform and refine existing processes
17.5.3. Apply audit & review techniques to ensure effective risk management techniques are effective
17.5.4. Invest in improving risk processes, tools, techniques and training
17.5.5. Keep policies and internal guidance up-to-date
17.5.6. Ensure they apply risk management to all types of activities
17.5.7. Maintain the risk management culture
17.6. The M_o_R principles outline examples of where measurable organisational value would be expected as a result of implementing risk management and embedding a risk-based approach to decision-making into the organisational culture.
17.7. The use of maturity models is now widespread, with international adoption across multiple industries.
17.7.1. not only Risk Maturity Models
17.7.1.1. Quality
17.7.1.2. Integration
17.7.1.3. Project Managment
17.7.1.4. etc.
17.7.2. see Maturity Models mind map
18. M_o_R® Risk Management Health Check (1)
18.1. The management of risk health check is a tool for checking the health of current risk management practices and for identifying areas where its application might be improved.
18.1.1. In M_o_R® it is just a set of questions dedicated to check how well each M_o_R® principle was implemented.
18.1.1.1. For each principle there are more than more or less 15 questions to ask.
18.2. Health check presented in M_o_R® is only a starting point. It should be adopted and adapted to particular organization.
18.2.1. It is recommended that the 8 management of risk principles are used as a framework for structuring the assessment.
18.3. The health check is most useful when preparing and carrying out an organisation-wide assessment.
18.4. The health check assesses risk management practice.
18.4.1. To be effective, the health check should be formally administered and repeated to monitor changes over time.
18.4.2. It provides a ‘snapshot’ of the health of risk management at a particular time.
18.5. The health check might prove useful:
18.5.1. When considering a new investment
18.5.2. As an integral part of business planning
18.5.3. When preparing to establish commitment to improving risk management
18.5.4. Before or to complement a gateway review
18.5.5. When developing an annual operational plan
18.6. May be used for:
18.6.1. Self-assessment
18.6.2. Peer review
18.6.3. External assessment
18.7. Each health check will occur using the following steps:
18.7.1. Preparation
18.7.2. Data collection
18.7.3. Data analysis
18.7.3.1. Identify trends and patterns, note strengths and deficiencies, identify 3 -5 key themes, conduct intermediate review with the sponsor and identify recommendations.
18.7.4. Review and report
19. M_o_R® Risk Response Options (8)
19.1. for Threats (-)
19.1.1. Avoid
19.1.1.1. This option is about making the uncertain situation certain by removing the risk
19.1.1.1.1. This can often be achieved by removing the cause of a threat
19.1.1.2. Risk avoidance is achieved by deciding not to undertake a risk by either not taking part in a certain risky activity or by abandoning an asset / source that generates the risk
19.1.1.3. Avoiding all risks is not a viable strategy
19.1.1.3.1. If we do not take risks, we cannot gain the benefits that can aris
19.1.1.4. Outcome = risk probability of occurrence is 0%
19.1.1.5. It simply means to conduct activity where the risk is not met
19.1.2. Reduce (a.k.a Modification)
19.1.2.1. This option chooses definite action now to change the probability and/or impact of the risk
19.1.2.1.1. The term ‘mitigate’ is relevant when discussing reduction of a threat, i.e. making the threat less likely to occur and/or reducing the impact if it did.
19.1.2.2. Because this option commits the organization to costs for reduction/enhancement now, response costs must be justified in terms of the change to residual risk
19.1.2.3. Reduce probability (a.k.a. Prevent)
19.1.2.4. Reduce impact (a.k.a. Mitigate)
19.1.2.5. Reduce probability & impact simultaneously
19.2. for Opportunities (+)
19.2.1. Exploit
19.2.1.1. Exploiting the opportunity aims to make the most of an opportunity that arises to make the probability of its outcome to be 100%.
19.2.1.2. It uses extensive measures to ensure that the opportunity becomes a certainty.
19.2.1.3. Outcome = risk probability of occurrence is 100%
19.2.1.3.1. Risk becomes an issue (opportunity becomes a certainty)
19.2.2. Enhance (a.k.a. Improve)
19.2.2.1. Control methods put in place to increase the likelihood or increase the impact of the opportunity.
19.2.2.2. Enhancement methods are not as extensive as exploit controls because they do not aim at making the opportunity a certainty.
19.2.2.3. Increse probability (but still <100%)
19.2.2.4. Increse impact
19.2.2.5. Increse probability & impact simultaneously
19.3. for Threats & Opportunities
19.3.1. Transfer
19.3.1.1. by transferring risk firms remove their own responsibility for dealing with risk events to someone outside of the organisation / programme / project etc.
19.3.1.1.1. the most typical examples are taking out insurance and outsourcing.
19.3.1.2. (for opportunity) it aims to transfer the opportunity to a more specialised organisation that will help maximise its effects.
19.3.1.3. As name suggest 2nd party is needed for transfer
19.3.1.4. Transfer means transfering all (100%) impact to 2nd party
19.3.1.5. You can transfer impact, but you cannot transfer accountability for risk!
19.3.2. Share
19.3.2.1. Share’ is an option that is different in nature to the transfer response
19.3.2.1.1. It seeks for multiple parties (2+), typically within a supply chain, to share the risk on a pain/gain share basis
19.3.2.2. To share the risk on a pain/gain basis
19.3.2.3. As name suggest 2nd party is needed for sharing
19.3.2.4. Sharing means sharing at least small percentage of impact with 2nd party
19.3.3. Accept (a.k.a Retention)
19.3.3.1. The organisation ‘takes the chance’ that the risk will occur, with its full impact if it did
19.3.3.2. There is no change to residual risk with the accept option, but neither are any costs incurred now to manage the risk, or to prepare to manage the risk in future
19.3.3.3. Accepting an opportunity basically leaves everything to chance
19.3.3.4. Passive Acceptance
19.3.3.4.1. Highly NOT recommended, not present in M_o_R®
19.3.3.4.2. without monitoring
19.3.3.5. Active Acceptance
19.3.3.5.1. Risk still MUST be actively monitored for any changes in nature (probability, impact, etc.)
19.3.3.5.2. with monitoring
19.3.4. Prepare Contingent Plans
19.3.4.1. This option involves preparing plans now, but not taking action now
19.3.4.2. Most usually associated with the accept option, preparing contingent plans in this instance is saying: ‘We will accept the risk for now, but we'll make a plan for what we’ll do if the situation changes.'
19.3.4.3. This option applies equally to other responses and is often referred to as a ‘fallback’ plan, i.e. what we will do if the original response doesn’t work.
19.3.4.4. Fallback plans apply to all other strategies, even avoiding a threat and exploiting an opportunity, because the plan to avoid/exploit may not be successful despite good intentions.
19.3.4.5. Only reduces impact
19.3.4.6. Does not changes probability
19.4. Effect of responses
20. Basic risk definitions (according to AXELOS®)
20.1. Portfolios / Programme / Project Management
20.1.1. Portfolio Management
20.1.1.1. A coordinated collection of strategic processes and decisions that together enable the most effective balance of organizational change and business as usual (BAU).
20.1.2. Programme Management
20.1.2.1. The action of carrying out the coordinated organization, direction and implementation of a dossier of projects and transformation activities to achieve outcomes and realize benefits of strategic importance to the business.
20.1.3. Project Management
20.1.3.1. The planning, delegating, monitoring and control of all aspects of the project, and the motivation of those involved, to achieve the project objectives within the expected performance targets for time, cost, quality, scope, benefits and risks.
20.2. Project / Programme / Portfolios
20.2.1. Portfolio
20.2.1.1. An organization’s change portfolio is the totality of its investment (or segment thereof) in the changes required to achieve its strategic objectives.
20.2.2. Programme
20.2.2.1. A programme is a temporary, flexible organization created to coordinate, direct and oversee the implementation of a set of related projects and activities in order to deliver outcomes and benefits related to the organization’s strategic objectives.
20.2.2.2. 3 types of programmes
20.2.2.2.1. Vision-led programme
20.2.2.2.2. Emergent programme
20.2.2.2.3. Compliance programme
20.2.3. Project
20.2.3.1. A temporary organization, usually existing for a much shorter time than a programme, which will deliver one or more outputs in accordance with a specific business case.
20.2.3.2. A particular project may or may not be part of a programme.
20.2.3.3. Whereas programmes deal with outcomes, projects deal with outputs.
20.2.3.4. 5 types of projects
20.2.3.4.1. Compulsory project
20.2.3.4.2. Not-for-profit project
20.2.3.4.3. Evolving (Agile, RUP) project
20.2.3.4.4. Customer/supplier project
20.2.3.4.5. Multi-organization project
20.3. Risk Capacity, Tolerance, Appetite
20.3.1. Risk Capacity
20.3.1.1. The maximum amount of risk that an organisation or subset of it, can bear
20.3.1.2. The maximum amount of risk that an organisation or subset of it, can bear
20.3.2. Risk Tolerance
20.3.2.1. The threshold levels of risk exposure that, with appropriate approvals, can be exceeded, but which when exceeded will trigger some form of response
20.3.3. Risk Appetite
20.3.3.1. The amount of risk the organisation, or subset of it, is willing to accept
20.4. Risk:
20.4.1. An uncertain event or set of events which, should it occur, will have an effect on the achievement of objectives
20.4.2. Threat (-)
20.4.2.1. An uncertain event that could have a negative impact on objectives or benefits
20.4.3. Opportunity (+)
20.4.3.1. An uncertain event that could have a favourable impact on objectives or benefits
20.4.4. There are a variety of definitions for project risk, although they all possess the basic “uncertainty” and “that matters” components:
20.4.4.1. “An uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives.” (PMBOK)
20.4.4.2. “An uncertain event or set of circumstances that, should it occur, will have an effect on the achievement of the project’s objectives.” (M_o_R)
20.4.4.3. “Uncertainty of outcome, whether positive opportunity or negative threat.” (PRINCE2)
20.4.4.4. “Loss multiplied by likelihood, where risk is the product of the expected consequences or impact (loss or gain) of the risk event should it occur and the probability (likelihood) that the event will occur.” (ISO/IEO)
20.4.4.5. “The effect of uncertainty on objectives.” (ISO 31000: 2009)
20.4.4.6. “A possible future issue that can be avoided or mitigated.” (CWS)
20.4.4.7. “Any factor that might interfere with the successful completion of a project.” (www.gantthead.com)
20.5. Risk Exposure
20.5.1. The combined effect of risks to a set of objectives
20.6. Output, Capability, Outcome, Benefits
20.6.1. Output
20.6.1.1. The deliverable, or output developed by a project from a planned activity. Any project's specialists products. (tangible or intangible)
20.6.1.2. e.g.
20.6.1.2.1. A new just-in-time stock control system
20.6.1.2.2. A new IT system
20.6.1.2.3. Staff training programme
20.6.1.2.4. Revised process
20.6.2. Capability
20.6.2.1. The completed set of project outputs required to deliver an outcome; exists prior to transition.
20.6.2.2. e.g.
20.6.2.2.1. The combination of the outputs ready to ’go live’.
20.6.3. Outcome
20.6.3.1. A new operational state achieved after transition of the capability into live operations. Result of the change derived fron USING the project's outputs.
20.6.3.2. e.g.
20.6.3.2.1. The right materials are available, at the right time, and in the right place
20.6.4. Benefit
20.6.4.1. The MEASURABLE improvement resulting from an OUTCOME perceived as an ADVANTAGE by ONE or MORE of stakeholders, which contributes towards one or more organizational objectives(s).
20.6.4.2. e.g.
20.6.4.2.1. Fewer stock-outs and consequent interruptions to production.
20.6.4.2.2. Reduced obsolescent stock and hence lower write-offs.
20.6.4.2.3. Reduced stock holdings and so less working capital tied up.
20.6.5. Dis-benefit
20.6.5.1. An outcome perceived as NEGATIVE by ONE or MORE stakeholders. Dis-benefits are actual consequences not risks.
21. Interactive M_o_R® Glossary
21.1. Interactive M_o_R® Glossary
22. M_o_R® Foundation exam prep questions
22.1. http://miroslawdabrowski.com/downloads/M_o_R/Exam%20prep%20questions/
22.2. 3rd party
22.2.1. Exam-Summaries
22.2.1.1. http://www.exam-summaries.com/project-programme-management/m-o-r-management-of-risk/212-m-o-r-management-of-risk-9
22.2.2. ILX
22.2.2.1. http://www.ilxgroup.com/management-of-risk-downloads.asp
23. This freeware, non-commercial mind map (aligned with the newest version of M_o_R®) was carefully hand crafted with passion and love for learning and constant improvement as well for promotion the standard and framework M_o_R® and as a learning tool for candidates wanting to gain M_o_R® qualification. (please share, like and give feedback - your feedback and comments are my main motivation for further elaboration. THX!)
23.1. Questions / issues / errors? What do you think about my work? Your comments are highly appreciated. Feel free to visit my website: www.miroslawdabrowski.com
23.1.1. http://www.miroslawdabrowski.com
23.1.2. http://www.linkedin.com/in/miroslawdabrowski
23.1.3. https://www.google.com/+MiroslawDabrowski
23.1.4. https://play.spotify.com/user/miroslawdabrowski/
23.1.5. https://twitter.com/mirodabrowski
23.1.6. miroslaw_dabrowski