What is M_o_R?

The M_o_R guide is intended to help organisations put in place an effective framework for taking informed decisions about the risks that affect their performance objectives across all organisational activities, whether these be strategic, programme, project or operational. M_o_R defines risk as "an uncertain event or set of events which, should it occur, will have an effect on the achievement of objectives. A risk consists of a combination of the probability of a perceived threat or opportunity occurring and the magnitude of its impact on objectives". With this definition 'threat' is used to describe an uncertain event that could have a negative impact on objectives or benefits; and 'opportunity' is used to describe an uncertain event that could have a favourable impact on objectives or benefits.

A major factor influencing the drive towards more formalised approaches to risk management has been the increased focus given to corporate governance in both the UK and the US following high-profile collapses of companies such as Bank of Credit and Commerce International, the Maxwell Communication Corporation plc, and Enron and WorldCom.

Risk management should be most rigorously applied where critical decisions are being made. Decisions about risk will vary depending on whether the risk relates to long-, medium- or short-term goals.

• Strategic decisions are primarily concerned with long-term goals; these set the context for decisions at other levels of the organisation. The risks associated with strategic decisions may not become apparent until well into the future. Thus it is essential to review these decisions and associated risks on a regular basis
  
  
• Medium-term goals are usually addressed through programmes and projects to bring about business change. Decisions relating to medium-term goals are narrower in scope than strategic ones, particularly in terms of timeframe and financial responsibilities
  
  
• At the operational level the emphasis is on the short-term goals to ensure ongoing continuity of business services; however, decisions about risk at this level must also support the achievement of the long- and medium-term goals.

The M_o_R framework is based on four core concepts of:

• M_o_R Principles. These are essential for the development of good risk management practice. They are all derived from corporate governance principles in the recognition that risk management is a subset of an organisation's internal controls
• M_o_R Approach. The principles need to be adapted and adopted to suit each individual organisation. Accordingly, an organisation's approach to the principles needs to be agreed and defined within a Risk Management Policy, Process Guide and Strategies, and supported by the use of Risk Registers and Issue Logs
• M_o_R Processes. There are four main process steps, which describe the inputs, outputs and activities involved in ensuring that risks are identified, assessed and controlled
• Embedding and Reviewing M_o_R. Having put in place the principles, approach and processes, an organisation needs to ensure that they are consistently applied across the organisation and that their application undergoes continual improvement in order for them to be effective.

Click on the diagram on the right to view the M_o_R Framework in a larger format.

The core M_o_R publication, Management Of Risk: Guidance for Practitioners, has been revised. Find out more about the 3rd Edition of the guide.

The information on this page is derived from the document "Management of Risk– The Facts" by Graham Williams, which can be downloaded in PDF format.