M_O_R

Risk may be defined as uncertainty of outcome, whether a positive opportunity or a negative threat. It is the fact that there is uncertainty that creates the need for attention and formal management of risk. After all, if an organization were absolutely certain that a negative threat would materialize, there would be little difficulty in determining an appropriate course of action. Likewise, if an organisation could be guaranteed that the positive opportunity would be realized, then its path would be clear. Managing risks requires the identification and control of the exposure to those risks which may have an impact on the achievement of the organization’s business objectives.

Every organisation manages its risk, but not always in a way that is visible, repeatable and consistently applied to support decision making. The purpose of formal risk management is to enable better decision making based on a sound understanding of risks and their likely impact on the achievement of objectives. An organization can gain this understanding by ensuring that it makes cost-effective use of a risk framework that has a series of well-defined steps. Decision making should include determining any appropriate actions to take to manage the risks to a level deemed to be acceptable by the organisation.

A number of different methodologies, standards and frameworks have been developed for risk management. Some focus more on generic techniques widely applicable to different levels and needs, while others are specifically concerned with risk management relating to important assets used by the organisation in the pursuit of its objectives. Each organization should determine the approach to risk management that is best suited to its needs and circumstances, and it is possible that the approach adopted will leverage the ideas reflected in more than one of the recognised standards and frameworks.

Management of Risk (M_O_R)

Management of risk (M_O_R) is intended to help organisations put in place an effective framework for risk management. This will help them make informed decisions about the risks that affect their strategic, programme, project and operational objectives. M_o_R provides a route map of risk management, bringing together principles, an approach, a process with a set of interrelated steps, and pointers to more detailed sources of advice on risk management techniques and specialisms. It also provides advice on how these principles, approach, and process should be embedded, reviewed and applied differently depending on the nature of the objectives at risk.

The M_O_R framework is based on four core concepts:

  • M_O_R principles: Principles are essential for the development and maintenance of good risk management practice. They are informed by corporate governance principles and the international standard for risk management, ISO 31000:2009. They are high-level and universally applicable statements that provide guidance to organisations as they design an appropriate approach to risk management as part of their internal controls.
  • M_O_R process: The process is divided into four main steps: identify, assess, plan and implement. Each step describes the inputs, outputs, tasks, and techniques involved to ensure that the overall process is effective.
  • Embedding and reviewing M_O_R: Having put in place an approach and process that satisfy the principles, an organisation should ensure that they are consistently applied across the organisation and that their application undergoes continual improvement in order for them to be effective.

There are several common techniques which support risk management, including a summary risk profile. A summary risk profile is a graphical representation of information normally found in an existing risk register and helps to increase the visibility of risks.

ISO 31000

ISO 31000 was published in November 2009 and is the first set of international guidelines for risk management, intended to be applicable and adaptable for any public, private or community enterprise, association, group or individual. ISO 31000 is a process-oriented rather than a control-oriented approach to risk management and provides guidance on a broader, more conceptual basis, rather than specifying all aspects of an organisation’s risk assessment and management approach. For example, ISO 31000 does not define how an organisation will create risk data or measure risk, nor does it ensure that an organisation will include a review of all risk areas relevant to the achievement of their objectives. ISO 31000 was published as a standard without certification.

ISO 31000 defines risk as the effect of uncertainty on objectives. Risk management should be performed within a framework that provides the foundations and provisions which will embed the management of risk throughout all levels of the organisation. ISO 31000 identifies the necessary components of such a framework as:

  • Mandate and commitment
  • Design of a framework for managing risk
  • Understanding the organisation and its context
  • Establishing risk management policy
  • Accountability
  • Integration into organisational processes
  • Resources
  • Establishing internal communication and reporting mechanisms
  • Establishing external communication and reporting mechanisms
  • Implementing risk management
  • Monitoring and review of the framework
  • Continual improvement of the framework


Figure 2 – ISO 31000 risk management process flow

Within this context, the risk management process is shown at a high level in Figure 2. Once the framework has been established and the context understood, risk assessment is undertaken. This consists of three steps: risk identification, risk analysis, and risk evaluation. The risk identification step is intended to create a comprehensive list of risks based on those events that might create, enhance, prevent, degrade, accelerate or delay the achievement of the organisation's objectives. Risk analysis involves developing a full understanding of the risk as an input to risk evaluation and the decision about which risks require treatment and the relative priorities amongst them.

Risk treatment involves the modification of risks using one or more approaches. These approaches are not necessarily mutually exclusive and may include:

  • Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
  • Taking or increasing the risk in order to pursue an opportunity
  • Removing the risk source
  • Changing the likelihood
  • Changing the consequence
  • Sharing the risks with another party or parties
  • Retaining the risk by informed decision

The approach described in ISO 31000 provides a broad scope for each organisation to adopt the high-level principles and adapt them to their specific needs and circumstances.
