Management of risk introduction
- 1. M_o_R Management of Risk Introduction Spyros Ktenas MBA, BSc(IT), PMI PfMP, PRINCE2, PMI ACP, ITIL, M_o_R http://open-works.org/profiles/spyros-ktenas M_o_R, Guide for Practitioners is Property of AXELOS, https://www.axelos.com/ 1
- 2. Spyros Ktenas | http://open-works.org/profiles/spyros-ktenas M_o_R framework M_o_R framework M_o_R principles Principles are essential for the development and maintenance of good risk management practice. They are informed by corporate governance principles and the international standard for risk management, ISO31000: 2009. They are high-level and universally applicable statements that provide guidance to organizations as they design an appropriate approach to risk management as part of their internal controls. M_o_R approach Principles need to be adapted and adopted to suit each individual organization. An organization’s approach to the principles needs to be agreed and defined within a risk management policy, process guide and strategies. M_o_R process The process is divided into four main steps: identify, assess, plan and implement. Each step describes the inputs, outputs, tasks and techniques involved to ensure that the overall process is effective. Embedding and reviewing M_o_R Having put in place an approach and process that satisfy the principles, an organization should ensure that they are consistently applied across the organization and that their application undergoes continual improvement in order for them to be effective. 2
- 3. Spyros Ktenas | http://open-works.org/profiles/spyros-ktenas Definitions Risk is defined as ‘an uncertain event or set of events that, should it occur, will have an effect on the achievement of objectives. A risk is measured by the combination of the probability of a perceived threat or opportunity occurring and the magnitude of its impact on objectives.’ The combined effect of risks to a set of objectives is known as risk exposure, and is the extent of the risk borne by that part of the organization at that time. the term ‘risk management’ refers to the systematic application of principles, an approach and a process to the tasks of identifying and assessing risks, and then planning and implementing risk responses. This provides a disciplined environment for proactive decision-making. Risks need to be: Identified This involves considering uncertainties that would affect the achievement of objectives within the context of a particular organizational activity and then describing them to ensure that there is a common understanding. Assessed This involves estimating the probability, impact and proximity of individual risks so they can be prioritized, and understanding the overall level of risk (risk exposure) associated with the organizational activity. Controlled This involves planning appropriate responses to risks, assigning owners and actionees and then implementing, monitoring and controlling these responses. 3
- 4. Spyros Ktenas | http://open-works.org/profiles/spyros-ktenas Where and when should risk management be applied? Should be applied continuously with information made available when critical decisions are being made Strategic decisions are primarily concerned with long-term goals; Medium-term goals are usually addressed through programmes and projects to bring about business change At the operational level, the emphasis is on short-term goals to ensure ongoing continuity of business services. Decisions about risk at this level, however, must also support the achievement of long- and medium-term goals. Risk management should be the basis for effective management of an organization at all times, including in support of decision-making when planning the introduction of change to any of the organizational perspectives described above. 4
- 5. Spyros Ktenas | http://open-works.org/profiles/spyros-ktenas Risk specialisms In addition to application across the strategic, programme, project and operational perspectives, the guidance within M_o_R applies to the work carried out by risk specialists who focus on particular types of risk in an organization Business continuity management Incident and crisis management Health and safety management Security risk management Financial risk management Environmental risk management Reputational risk management Contract risk management. Although portfolio, programme and project risk management is a specialism as defined here, it is omitted from this list as programmes and projects are covered as specific M_o_R perspectives. 5
- 6. Spyros Ktenas | http://open-works.org/profiles/spyros-ktenas Principles A framework for risk management that can be applied to any organization regardless of its size, complexity, location, or sector. This is possible because M_o_R is principles-based. Principles are characterized as: Universal in that they apply to every organization Self-validating in that they have been proven in practice over many years Empowering because they give risk practitioners added confidence and ability to influence and shape risk management across the organization. Effective risk management satisfies the following eight principles. The first seven principles are enablers. The final principle is the result of implementing risk management well. 1. Aligns with objectives 2. Fits the context 3. Engages stakeholders 4. Provides clear guidance 5. Informs decision-making 6. Facilitates continual improvement 7. Creates a supportive culture 8. Achieves measurable value 6
- 7. Spyros Ktenas | http://open-works.org/profiles/spyros-ktenas Management of risk approach Collectively the principles provide a foundation from which the risk management approach for an organization can be developed. This chapter describes the M_o_R approach. An organization can adapt this approach to meet its specific needs and objectives. Central to the M_o_R approach is the creation of a set of documentation comprising: Risk management policy Risk management process guide Risk management strategies for each organizational activity. The policy, process guide and strategies provide the explanation of how the organization will implement risk management. They describe the activities to be undertaken, the sequence in which these are carried out, and the roles and responsibilities necessary for their delivery. 7
- 8. Spyros Ktenas | http://open-works.org/profiles/spyros-ktenas Management of risk approach In support of the risk management policy, process guide and strategies, the M_o_R approach also recommends the use of other documents. These documents fall into three categories – records, plans and reports – as listed below: Records Risk register Issue register Plans Risk improvement plan Risk communications plan Risk response plan Reports Risk progress report 8
- 9. Spyros Ktenas | http://open-works.org/profiles/spyros-ktenas Management of risk approach - 7 Relationship between documents 9
- 10. Spyros Ktenas | http://open-works.org/profiles/spyros-ktenas Management of risk process It is divided into four primary steps known as: Identify Assess -Communicate Plan -Embed and review Implement They are carried out in sequence, as any one step cannot be undertaken until the preceding step has been completed. They are all repetitive in nature in that when additional information becomes available, it is often necessary to revisit earlier steps and carry them out again, to achieve a complete picture of the risks to the activity at that time. ‘Communicate’ deliberately stands alone as the findings of any individual step may be communicated to management for action prior to the completion of the overall process ‘Embed and review’ embraces all of the steps in the process as this activity looks at each individual step in turn to determine its contribution to the overall effectiveness of the complete process. 10
- 11. Spyros Ktenas | http://open-works.org/profiles/spyros-ktenas Management of risk process 11 An explanation of the terminology used to describe each process step is as follows: Goals are the key outcomes of the process. For instance, the process goal for the identify step is to identify both the threats and opportunities facing the activity under examination as comprehensively as possible. Inputs describe the information that is transformed by the process. The absence of appropriate inputs may prevent a process from taking place effectively. Partially completed inputs may enable a process to be completed but in many instances would require a process to be repeated when more complete information was available. Outputs describe the information produced by the process, which will form the inputs to the subsequent process step. Techniques describe the recognized risk management tools and techniques that may be applied to the process step to help create the outputs. Some techniques are useful in more than one steps Tasks are the actions that need to be completed to transform the inputs into the outputs with the aid of the techniques.