Management of Risk (M_o_R)

M_o_R provides a generic framework for the management of risk across all parts of an organisation - strategic, programme, project and operational. It incorporates all the activities required to identify and control the exposure to any type of risk, positive or negative, which may have an impact on the achievement of your organisation's business objectives.

The task of OGC's Management of Risk (M_o_R) is to enable any organisation to make cost-effective use of a risk process that has a series of well-defined steps. The aim is to support better decision making through a good understanding of risks and their likely impact.

Reasons for adopting M_o_R

A major factor influencing the drive towards more formalised approaches to risk management has been the increased focus given to Corporate Governance.

M_o_R audience

Risk management should be most rigorously applied where critical decisions are being made. Decisions about risk will vary depending on whether the risk relates to long-, medium- or short-term goals.

  • Strategic decisions are primarily concerned with long-term goals; these set the context for decisions at other levels of the organisation. The risks associated with strategic decisions may not become apparent until well into the future. Thus it is essential to review these decisions and associated risks on a regular basis.
  • Medium-term goals are usually addressed through programmes and projects to bring about business change. Decisions relating to medium-term goals are narrower in scope than strategic ones, particularly in terms of timeframe and financial responsibilities.
  • At the operational level the emphasis is on the short-term goals to ensure ongoing continuity of business services; however, decisions about risk at this level must also support the achievement of the long- and medium-term goals.

The M_o_R framework

The M_o_R framework is based on four core concepts:

  • M_o_R Principles. These are essential for the development of good risk management practice. They are all derived from corporate governance principles in the recognition that risk management is a subset of an organisation’s internal controls. 
  • M_o_R Approach. The principles need to be adapted and adopted to suit each individual organisation. Accordingly, an organisation’s approach to the principles needs to be agreed and defined within a Risk Management Policy, Process Guide and Strategies, and supported by the use of Risk Registers and Issue Logs.
  • M_o_R Processes. There are four main process steps, which describe the inputs, outputs and activities involved in ensuring that risks are identified, assessed and controlled.
  • Embedding and Reviewing M_o_R. Having put in place the principles, approach and processes, an organisation needs to ensure that they are consistently applied across the organisation and that their application undergoes continual improvement in order for them to be effective.

M_o_R principles

| Principle | Description |
| --- | --- |
| Organisational context | The starting point for risk management is to understand the context of the organisation or activity under examination and hence avoid blind spots. Context includes the political, economic, social, technological, legal and environmental backdrop. |
| Stakeholder involvement | Risk management should engage with all primary stakeholders to ensure that the objectives of the organisation or activity under examination are established and agreed. |
| Organisational objectives | As the purpose of risk management is to strive to understand and manage the threats and opportunities arising from the objectives of the organisation or activity, risk management can only commence when it is clear what these objectives are. |
| M_o_R approach | Organisations should develop an approach to the management of risk that reflects their unique objectives. It is common for organisations to describe their approach through their policies, processes, strategies and plans. |
| Reporting | The governing body of the organisation should receive, review and act on risk management reports. As a result, a fundamental aspect of risk management is the timely communication of risk information to the management team to enable it to make informed decisions. |
| Roles and responsibilities | Organisations should establish clear roles and responsibilities for the management of risk in terms of leadership, direction, control, ongoing risk management, reporting and reviewing. |
| Support structure | A risk management team is required to ensure that the policies are adhered to, the process is followed, appropriate techniques are adopted, reports are issued to meet senior management and board requirements, the regulators’ guidelines are adhered to and best practice is followed – all at the appropriate time. |
| Early warning indicators | Organisations should establish early warning indicators for critical business activities to provide information on the potential sources of risk. These will enable risk management to be proactive and to anticipate potential problems. |
| Review cycle | As with an organisation’s objectives, its internal organisation and the environment within which it operates are continually evolving. A sound and effective risk process is contingent on regular reviews of the risks faced and the policies, processes and strategies it is adopting to manage them. |
| Overcoming barriers to M_o_R | There needs to be recognition that even though an organisation has risk management policies, processes and strategies in place, this will not automatically lead to robust, effective and efficient risk management practices. There are a number of barriers to the implementation of risk management that need to be addressed. |
| Supportive culture | Organisations should establish the right culture to support management of risk throughout the organisation. A supportive culture will be one that embeds risk management into day-to-day operations and recognises the benefits of risk management. |
| Continual improvement | Organisations that are interested in continual improvement should develop strategies to improve their risk maturity to enable them to plan and implement step changes in their risk management practices. |

Management of Risk Approach

The way in which the M_o_R principles are implemented will vary from organisation to organisation. Collectively they provide a base on which the organisation’s risk practices can be developed. These practices describe how risk management will be undertaken throughout the organisation, i.e. the M_o_R approach. To capture and communicate these practices it is common to create a series of living documents called:

  • Risk Management Policy
  • Risk Management Process Guide
  • Risk Management Strategies
  • Risk Register
  • Issue Log

Risk Management Policy

The purpose of the Risk Management Policy is to communicate how risk management will be implemented throughout an organisation to support the realisation of its strategic objectives. The policy communicates why risk management should be undertaken and how it relates to the corporate objectives, and it provides a common language. It strives to accomplish uniformity across risk management processes; it aims to remove ambiguity about the organisation’s risk appetite and when to escalate risk, and describes the format, timing and content of reports.

Risk Management Process Guide

The purpose of the Risk Management Process Guide is to describe the series of steps, and their associated activities, necessary to implement risk management. The process should be tailored to the organisation and be suitable for types of activity across the organisation. It should be applicable to all levels of management and activity. This document should describe a best practice approach that will support a consistent method and deliver effective risk management. This guide could be incorporated into the Risk Management Policy.

Risk Management Strategies

The purpose of the Risk Management Strategy is to describe for a particular organisational activity the specific risk management activities that will be undertaken. Strategies are typically prepared for a particular strategic initiative, a programme, a project or an operational area within the organisation. Each strategy should be tailored to each specific activity, while at the same time reflecting the Risk Management Policy and Process Guide.

Risk Register

The purpose of the Risk Register is to capture and maintain information on all of the identified threats and opportunities relating to a specific organisational activity. The precise content of the Risk Register will vary but the layout of the register should reflect the sequence in which the information is captured.

Issue Log

The purpose of the Issue Log is to capture and maintain information in a consistent, structured manner on all of the identified issues that have already occurred and require action. These issues may include risks that have materialised and have changed from possible events to actual events. As with the Risk Register, the precise content of the Issue Log will vary but the layout of the log should reflect the sequence in which the information is captured.


The main benefit of applying an effective approach to risk management is the likely improvement in the organisation's performance against its objectives, by contributing towards:

  • Better service delivery
  • Reduction in management time spent fire-fighting
  • Increased likelihood of change initiatives being achieved 
  • More focus internally on doing the right things properly
  • Better basis for strategy setting
  • Achievement of competitive advantage
  • Fewer sudden shocks and unwelcome surprises
  • More efficient use of resources
  • Reduced waste and fraud, and better value for money
  • Improved innovation

Source: OGC

QAP © 2010