The Management of Risk (M_o_R) Guide is intended to help organisations put in place an effective framework for risk management, helping decision making based on risks that affect strategic, programme, project and operational objectives.
The M_o_R framework is based on the following four core concepts.
- M_o_R Principles
- M_o_R Approach
- M_o_R Process
- Embedding and reviewing M_o_R
Principles are universally applicable statements that provide guidance to organisations as they design an appropriate approach to risk management as part of their internal controls. There are eight principles in the M_o_R guide. The first seven are enablers, and the final principle is a result of implementing risk management well.
- Aligns with objectives
- Fits the context
- Engages stakeholders
- Provides clear guidance
- Informs decision-making
- Facilitates continual improvement
- Creates a supportive culture
- Achieves measurable value
An organisation's approach to the principles needs to be agreed and defined. This approach should be defined within a set of documentation, including:
- Risk management policy - to communicate why and how risk management will be implemented throughout the organisation
- Risk management process guide - to describe how the M_o_R process steps (identify, assess, plan, implement) will be carried out in the organisation
- Risk management strategies - to describe the specific risk management activities that will be undertaken for a particular organisational activity
The following should be used to support the risk management approach:
- Records - to capture information (Risk register; Issue register)
- Plans - to plan risk response activity (Risk improvement plan; Risk communication plan; Risk response plan)
- Reports - to communicate information on risk (Risk progress report)
The process is divided into four main steps.
The Identify step consists of two main areas:
- Identify context
- Identify risks
Identify Context is to obtain information about the planned activity and how it fits into the wider organisation, understanding the activity objective, scope, assumptions, constraints, stakeholders, environment and approach to risk management.
Identify Risks is to identify the risks to the activity with the aim of minimising the threats while maximising the opportunities, and includes:
- identifying threats and opportunities
- preparing a risk register
- preparing key performance indicators and early warning indicators
- understanding the stakeholders' view of the risks
The Assess step consists of two main areas:
- Assess - estimate
- Assess - evaluate
Assess - estimate is concerned with understanding the probability (likelihood) and the impact (consequence) of each risk. Proximity (i.e. when the risk will occur) will also be considered. A number of risk techniques are outlined in the M_o_R guide including:
- probability assessment
- impact assessment
- proximity assessment
- expected value assessment
Assess - evaluate is concerned with understanding the exposure faced by looking at the risks both individually, and as an aggregated threat to the activity. A number of techniques are outlined in the M_o_R guide, including:
- summary risk profiles
- summary expected value assessment
- probability risk models
- probability trees
- sensitivity analysis
The Plan step is to prepare specific management responses to the threats and opportunities identified. The actions in this step include:
- identifying and planning responses to each risk identified
- identifying an owner for each risk identified
- identifying risk actionees for each risk identified
- maintaining information in the Risk Register
- creating and maintaining Risk Response Plans
The Implement step is to ensure that the planned risk management actions are implemented and that they are having the desired effect. Corrective action should be taken on plans where the responses are not meeting expectations.
Throughout the process, effective communication is essential to ensure that the process continues to be in line with the policy, strategies and plans.
Embedding and reviewing M_o_R
Having put in place an approach and process that satisfy the principles, an organisation should ensure that they are consistently applied across the organisation and that their application undergoes continual improvement in order for them to be effective.