Management of Risk (M_o_R®) study guide mind map

M_o_R® is a process-based standard and framework from the UK (not a methodology) for general (not industry-specific, e.g. IT or Engineering) corporate-wide / holistic Risk Management, yet (arguably) M_o_R® is not considered to be an Enterprise Risk Management (ERM) standard. M_o_R® is one of the 10 globally recognized and practically proven management standards from the AXELOS® Global Best Practice family of UK standards. M_o_R® is a registered trade mark of AXELOS Limited.


1. MoR® Foundation courseware

2. Software for Risk Management and GRC

2.1. ActiveRisk

2.1.1. Active Risk Manager (ARM)

2.2. Agiliance

2.2.1. Agiliance RiskVision

2.2.2. Agiliance RiskVision Platform

2.3. Archer

2.3.1. RSA Archer Risk Management

2.4. Bwise

2.4.1. BWise Risk Management

2.5. Chase Cooper Ltd.

2.5.1. aCCelerate

2.6. Cura

2.6.1. Enterprise Risk Management (ERM)

2.7. Enablon RM

2.7.1. Enablon RM – Risk Management

2.8. Evantix GRC, LLC.

2.9. Hiperos


2.10. MKinsight

2.10.1. ERP (Enterprise Risk Management)

2.11. LockPath

2.12. Intaver

2.12.1. Risky Project

2.13. MetricStream

2.13.1. Risk Management System

2.14. Modulo

2.14.1. Enterprise Risk Management (ERM)

2.15. Northwest Controlling Corporation Ltd.

2.15.1. Enterprise Risk Manager

2.16. Risk Wizard Pty Ltd.

2.16.1. Risk Wizard

2.17. PAN Software Pty. Ltd.

2.17.1. RiskWare

2.18. Prevalent Networks

2.18.1. Prevalent Vendor Risk Manager (PVRM)

2.19. Process Unity

2.19.1. Enterprise Risk Management

2.20. Resolver

2.20.1. Ballot

2.21. Palisade

2.21.1. @RISK Software

2.22. Rsam

2.22.1. Rsam Enterprise Risk Management (ERM)

2.23. Shared Assessments

2.24. Symantec

2.25. SAS

2.25.1. Book Runner

2.26. Wynyard

2.26.1. Wynyard Risk Management for ERM

3. M_o_R® Principles (8)

3.1. What are principles?

3.1.1. Principles are universally applicable statements. Principles are generic principles - the way in which they are applied must be tailored to suit the organizational circumstances, whilst ensuring the underlying rationale is maintained. Principles are the common, universal and high-level factors that underpin success. Principles are universal, self-validating and empowering. They provide guidance to organizations. They guide the organization on what to aim for.

3.2. What are M_o_R® principles?

3.2.1. Because M_o_R® is principles-based, it is able to provide a framework for risk management that can be applied to any organization regardless of its size, complexity, location, or the sector within which it operates.

3.2.2. Principles are based on the UK Corporate Governance Code and are aligned to ISO 31000:2009. Management of Risk: Guidance for Practitioners and the international standard on risk management, ISO 31000:2009: M_o_R® is designed as a guide for practitioners in risk management. Its use enables an organization to comply with the requirements of ISO 31000 in full.

3.2.3. Each M_o_R® Principle is applied across 4 different Perspectives separately

3.2.4. Principles are essential for the development and maintenance of good risk management practice.

3.2.5. The first 7 principles are enablers. The final 8th principle is the result of implementing risk management well.

3.3. 1. Align with objectives

3.3.1. As the purpose of risk management is to strive to understand and manage the threats and opportunities arising from the objectives of the organization or activity, risk management can only commence when it is clear what these objectives are.

3.3.2. Risk management aligns continually with organizational objectives, goals, mission, vision etc. Objectives may change over time so a key aspect of successful risk management is the shared understanding between stakeholders that risk is dynamic and not static. It is therefore important that risk management anticipates, and is responsive to, change - from within the organisation and in the wider context.

3.3.3. Uncertainty is only important and becomes risk if it impacts (positively or negatively) organization objectives.

3.3.4. Organisations must pay close attention to understanding objectives so that an appropriate balance can be achieved between maximizing opportunities and minimizing threats.

3.3.5. The amount of risk that an organisation is willing to take and the associated amount of risk management that is carried out must align with the organisation’s objectives and it is therefore important for the organisation to determine its risk capacity and risk appetite. It is a prerequisite for identifying risks.

3.3.6. Objectives are different in each perspective: Strategic: overall efficiency of the organisation’s work and the degree to which users, customers, regulators and shareholders are satisfied with performance, and the organisation’s reputation is enhanced; Programme: relate to the desired change outcomes; Project: focused on delivery of the required scope to the right quality, on time within budget etc.; Operational: routines and processes used to create products and services

3.3.7. Principle supported by: Risk Management Policies Risk Management Strategies Risk Capacity, Tolerance, Appetite Risk Capacity Risk Tolerance Risk Appetite

3.4. 2. Fits the context

3.4.1. Risk management is designed to fit the current context. Adapting the M_o_R® Approach documents cost-effectively to meet the needs of the specific organizational activity (programme, project, business as usual). Adapting software for Risk Management suited and tailored to meet the needs of the specific organizational activity (programme, project, business as usual).

3.4.2. Understanding of the external and internal context and its change. Establishing the context Define the external and internal parameters that organisations must consider when they manage risk. External context An organisation’s external context includes all of the external environmental parameters and factors that influence how it manages risk and tries to achieve its objectives. e.g. Internal context An organisation’s internal context includes all of the internal environmental parameters and factors that influence how it manages risk and tries to achieve its objectives. e.g. The goal of Identify - Context process step is to obtain information about the planned activity and how it fits into the wider organisation and market / society.

3.4.3. Context will change over time, ”Fits the Context” principle is a dynamic activity.

3.4.4. The amount of risk management that is carried out may be affected by the external context in which the organisation operates.

3.4.5. Context is different in each perspective: Strategic Programme Project Operational

3.4.6. Principle supported by: Establishing the context External context Internal context Risk Management Strategies

3.5. 3. Engage stakeholders

3.5.1. Risk management engages stakeholders and deals with differing perceptions of risk. Risk management should engage with all primary stakeholders to ensure that the objectives of the organization or activity under examination are established and agreed. All major stakeholders should be identified and engaged.

3.5.2. Each organization activity has its own set of stakeholders and decision-makers, each with different objectives.

3.5.3. Communication with different stakeholder groups to ensure that their perceptions are clearly understood. A stakeholder is a person / group / organization (internal or external) that can affect or be affected by a decision or an activity. Stakeholders also include those who have the perception that a decision or an activity can affect them. Stakeholders can be clients, partners, suppliers, regulators, decision-makers, staff and any group who have an interest in the organisation.

3.5.4. Different stakeholder groups often have different perceptions of risk. Different stakeholders can either facilitate or hinder the achievement of objectives. It is therefore important to adopt the appropriate level and style of communication with different stakeholder groups to ensure that their perceptions are clearly understood.

3.5.5. When new projects are started, all relevant stakeholders should be informed of this.

3.5.6. Ensuring proactive and timely involvement of stakeholders helps to: Improve risk identification Ensure that differences are understood and resolved Increase ownership of actions Minimize resistance

3.5.7. Stakeholders are different in each perspective: Strategic Programme Project Operational

3.5.8. Principle supported by: Workshops Meetings Interviews Risk Management Communication Plans Risk Progress Reports

3.6. 4. Provides clear guidance

3.6.1. Risk management provides clear and coherent guidance to stakeholders. Risk management practices must be clear so stakeholders can understand how the organisation identifies, assesses and controls risks to objectives.

3.6.2. A coherent approach brings consistency and a clear understanding of how much effort to invest in risk management and when. Risk management must be integrated to form a coherent approach across the organisation. Coherent approach brings consistency and a clear understanding of how much effort to invest in risk management and when.

3.6.3. Risk practices must be: Logical Orderly Consistent

3.6.4. It is important to avoid a one-size fits all / ‘tick-box’ approach to risk management as this would leave the organisation highly exposed to risk.

3.6.5. Principle supported by: Risk Management Policies Risk Management Process Guide Risk Management Strategies

3.7. 5. Informs decision-making

3.7.1. Risk management is linked to and informs decision-making across the organization.

3.7.2. Given that risks influence every decision, risk management must help decision-makers understand the relative merits, threats and opportunities associated with different courses of action so they can make an informed choice. The main mechanism to achieve this is through the application of risk tolerance thresholds for each organisational objective. The tolerances are defined by considering the risk appetite for each activity in question in the context of the overall organisation's risk capacity.

3.7.3. EWI - a leading indicator of a KPI. Leading indicators for organisational objectives measured ultimately by a key performance indicator.

3.7.4. A KPI is a performance measure used to help evaluate progress. Measures of performance used to help organisations define and evaluate how successful they are in making progress towards their objectives. KPIs should be the vital navigation instruments used by managers to understand whether their business is on a successful voyage or whether it is veering off the prosperous path. KPIs should form part of the decision-making process for every employee, and everyone should be able to answer the question “How will what I am doing affect our KPIs?” in relation to every aspect of their job. Ensure everybody understands how the metrics you are gathering will affect your strategic priorities. This will increase the “buy in” - how personally involved and enthusiastic about your priorities your staff feel, and ensure that constant review and improvement are at the heart of every level of your business. If a KPI isn’t useful in helping you or others in your business make better decisions which in turn will improve your business’s performance, then it’s just noise. 25 Need-to-Know Key Performance Indicators

3.7.5. Principle supported by: Risk Management Strategies Risk Management Communication Plans

3.8. 6. Facilitates continual improvement

3.8.1. Organizations that are interested in continual improvement should develop strategies to improve their risk maturity to enable them to plan and implement step changes in their risk management practices

3.8.2. Risk management uses historical data and facilitates learning and continual improvement.

3.8.3. There are several ways in which risk management facilitates the continual improvement principle.

3.8.4. Learn from experience by collecting actual performance data to accumulate historical data to draw upon. This can help to inform estimates, risk responses, forecasts and decisions.

3.8.5. M_o_R® Health Check can support internal control. System of internal control to safeguard shareholders. Healthcheck checks the status and robustness of current risk management and helps to identify areas for improvement.

3.8.6. Another method that can help organisations to decide how to continually improve is the maturity model. You need to prepare a realistic plan to modify practices in risk management, in order to meet the needs of the next level of maturity. The transition from one level of maturity to another should be managed as a project - with clear objectives, resources, schedule and business justification.

3.8.7. Principle supported by: M_o_R® Health Check M_o_R® Maturity Model Risk Improvement Plans

3.9. 7. Creates a supportive culture

3.9.1. Senior managers need to demonstrate the importance of risk management via policies and actions. The Chairman of the Board should act as a sponsor in relation to risk management.

3.9.2. Organizations should establish the right culture to support management of risk throughout the organization. Senior management should allow an open and general discussion of the risks, without fear of retribution (a climate of mutual trust). Publication and dissemination of articles on risk.

3.9.3. A supportive culture will be one that embeds risk management into day-to-day operations and recognises the benefits of risk management. Risk management needs to be embedded into day-to-day activities and wins and losses need to be treated as opportunities for improvement. Leaders of risk management - to promote best practices in daily activities.

3.9.4. Risk management creates a culture that recognizes uncertainty and supports considered risk-taking. The inclusion of responsibility for risk management to job descriptions, objectives of employees and periodic evaluations.

3.9.5. For risk management to add value, an organisational culture must be created which recognizes that taking calculated chances is appropriate when matched to appetite. Having zero risk is neither achievable nor even desirable.

3.9.6. A management culture that is based on rapid punishment of staff, prefers to focus on negative phenomena, does not eliminate the tendency to blame and is reluctant to spend time looking for the root cause is an obstacle. An established code of conduct, a policy on human resources and incentive schemes are important factors to support effective risk management.

3.9.7. The organization should use both systems, of motivation as well as of punishment, in a sustainable way.

3.9.8. Organizations should implement risk management in all their branches, so that it becomes part of the routine activity.

3.9.9. A number of indicators can be used to judge the success of efforts to build a risk management culture. Questionnaires To collect information Benchmarks To measure the impact that an awareness programme has had on an organisation Return on the value/cost deployed i.e. benefits achieved as a result of investment made Degree of risk management integration The extent to which risk management has been integrated within the culture of the organisation Freedom, detail and speed of identification/reporting A measurement of the improvement risk management has had to the organisation Ease of making and understanding risk based decisions Risk-aware culture Enables preventative and proactive views and decisions to be made as part of a risk-informed decision-making process.

3.9.10. Principle supported by: Risk Management Policies "learning culture"

3.10. 8. Achieves measurable value

3.10.1. Using a structured approach to risk management is intended to create and protect organisational value, however value is measured in a particular organisation.

3.10.2. Risk management enables achievement of measurable organizational value. Tracks the performance of the organization with regard to regulatory controls. ”Prevention is better than cure”

3.10.3. This principle is an outcome of all previous principles.

3.10.4. Investing in risk management is expected to provide a tangible return for the organisation. It is important to establish baselines and processes to measure performance and ensure that investment is justified on an on-going basis.

3.10.5. The organisation should not just measure process compliance, but show that risk management has: Reduced waste / re-work levels Increased client / user confidence Improved regulatory performance

4. M_o_R® Approach (9)

4.1. There are likely to be many instances of each type of document in larger organisations.

4.2. The way in which the M_o_R® Principles are implemented will vary from organization to organization. Collectively the principles provide a foundation from which risk management practices can be developed.

4.2.1. These practices describe how risk management will be applied throughout an organization - the M_o_R® Approach.

4.3. Central documents

4.3.1. The corporate risk policies, processes, strategies and plans describe: Activities which are routinely subject to risk identification, assessment and control When risk processes should be carried out Who will undertake risk management steps Who will oversee the application of risk management The benefits the process aims to achieve.

4.3.2. Risk Management Policy (A.1) What is it? Provides a high-level statement showing how risk management will be handled throughout the organisation. The purpose of the Risk Management Policy is to communicate how risk management will be implemented throughout an organisation to support the realisation of its strategic objectives. Describes why risk management is important to the organization, and the specific objectives served by implementing a formal risk management approach It strives to accomplish uniformity across risk management processes. For smaller organisations there may only be a single policy. Whatever the situation, each policy should be reviewed and updated at least annually. In general WHY and HOW. Recommended content Introduction Risk appetite and capacity Risk tolerance thresholds Procedure for escalation and delegation Roles and responsibilities Glossary of terms Risk management process KPIs and EWIs When risk management should be implemented Reporting Budget Quality assurance Annual review

4.3.3. Risk Management Process Guide (A.2) What is it? Describes the series of steps (from identify through to implement) and their respective associated activities, necessary to implement risk management. The purpose of the Risk Management Process Guide is to describe the series of steps and the respective associated activities, necessary to implement risk management. The process should be tailored to the organisation and be suitable for types of activity across the organisation. It should be applicable to all levels of management and activity. This document should describe a best practice approach that will support a consistent method and deliver effective risk management. Describes how an organization intends to carry out risk management and the role and responsibility of people who perform risk management related tasks Recommended content Introduction Roles and responsibilities Steps in the process Tools and techniques Templates Glossary of terms

4.3.4. Risk Management Strategy (A.3) What is it? The purpose of the Risk Management Strategy is to describe for a particular organisational activity the specific risk management activities that will be undertaken. Separate Risk Management Strategies should be produced for each organization activity undertaken within the strategic, programme, project and operational perspectives. Describes risk categories for a particular activity (programme, project, business as usual / BaU) Explain the amount of risk an organizational activity wants to take in particular activity (programme, project, business as usual) Communicate the amount of risk that can be taken in particular activity (programme, project, business as usual) without escalation It may include an organisational chart and describe the roles and responsibilities. Gain a common understanding of the definition of a medium impact Recommended content Introduction Summary of the risk management process as applicable to the activity (with reference to the process guide) Tools and techniques Records Reporting Roles and responsibilities Scales for estimating probability and impact Risk tolerance thresholds Risk categories Budget required Templates EWIs for KPIs Timing of risk management activities Glossary of terms

4.4. Supportive documents

4.4.1. Records Risk Register (A.4) What is it? Recommended content Issue Register (A.5) What is it? Recommended content

4.4.2. Plans Risk Improvement Plan (A.6) What is it? Recommended content Risk Communication Plan (A.7) What is it? Recommended content Risk Response Plan (A.8) What is it? Recommended content

4.4.3. Reports Risk Progress Report (A.9) What is it? Recommended content

5. M_o_R® Roles and Responsibilities (6)

5.1. Senior Team

5.1.1. could be in real life a ... Board Management Board Executive team C-level executives Steering group Project Steering Committee (or Project Board) Program Steering Committee Sponsoring group ...

5.1.2. Responsibilities Writes, owns and assures adherence to the risk management policy Defines the overall risk appetite Reviews the risk management strategy Approves funding for risk management Monitors the risk profile Assures clarity of role and responsibility of other stakeholders Assists with assessing the risk context Monitors and acts on escalated risks Establishes governance

5.2. The Senior Manager appointed to represent the senior team

5.2.1. could be in real life a ... Sponsor The Accounting Officer (public sector) CEO (private sector) Senior Responsible Owner (SRO) e.g. Executive in PRINCE2® e.g. Senior Responsible Owner in MSP® Chief Risk Officer (CRO) Chief Information Risk Officer (CIRO) Technical Information Security Officer (TISO) Business Information Security Officer (BISO) ...

5.2.2. Responsibilities Ensures that appropriate governance and internal controls are in place Ensures risk management strategy exists Defines and monitors risk tolerances Ensures the risk management policy is implemented Monitors and assesses the balance within the set of risks Owns and manages escalated risks as appropriate Ensures that adequate resources are available to implement the Risk Management Strategy Agrees on the information that will be reported to more senior stakeholders Assists the team in embedding the necessary risk management practices Contributes to identification of key risk areas and assures that Risk Registers are in place for each

5.3. Manager

5.3.1. could be in real life a ... Programme Manager Project Manager Product Manager Product Owner Risk Manager Operations Manager Support Manager Customer Relationships Manager ...

5.3.2. Responsibilities Ensures that Risk Registers, a risk review process and an escalation process are in place Validates risk assessments Identifies the need for investment to fund risks Owns individual risks (including those delegated by the senior manager) Escalates or delegates risks to higher or lower levels in the organization as required Ensures participation in the delivery of risk management Explicitly identifies risk management duties within the terms of engagement of other managers involved in achieving specific objectives Agrees with risk specialists on the timing, number and content of the risk management interventions Agrees the timing and content of Risk Progress Reports Agrees the involvement of the risk manager, audit committee and risk committee as appropriate Establishes how risk management will be integrated with change control and performance management

5.4. Assurance

5.4.1. could be in real life a ... Portfolio Office Programme Office Project Office Internal / External Auditor Compliance unit ...

5.4.2. Responsibilities Assures the senior team that risk accountabilities exist Assures compliance with guidance on internal control Reviews progress and plans in developing and applying the Risk Management Policy Reviews the results of the assessments of management of risk Makes formal assessments and reports of management of risk implementation Ensures risk information is available to inform decision-making

5.5. Risk Specialist

5.5.1. could be in real life a ... Risk Practitioner Risk Coordinator Risk Facilitator ...

5.5.2. Responsibilities Ensures the Risk Management Policy is implemented Carries out ongoing management of risk maturity assessments Develops plans to improve the management of risk Develops management of risk guidance and training Identifies lessons learned and disseminates learning Undertakes risk management training and holds seminars to embed risk management Prepares Risk Management Strategies Prepares stakeholder analysis Prepares a risk breakdown structure or similar Participates in option analysis Carries out risk management interventions Prepares meeting/workshop aids Facilitates risk meetings / workshops Identifies risks Undertakes qualitative and quantitative assessment of risks Prepares Risk Management Reports

5.6. Team

5.6.1. could be in real life a ... Company employees Factory employees Project / Programme team members ...

5.6.2. Responsibilities Participates (as appropriate) in the identification, assessment, planning and management of threats and opportunities Understands the Risk Management Policy and how it affects them Implements the Risk Management Policy within their areas of responsibility Escalates risks as necessary as defined by the Risk Management Policy

6. M_o_R® Process (1)

6.1. M_o_R® Process is sequential

6.2. M_o_R® Process is based on process defined in UK HM Treasury - The Orange Book [2004]

6.3. Each M_o_R® Process exists in one Perspective - each M_o_R® Process is dedicated to specific organizational activity (programme, project, business as usual)

6.3.1. e.g. each programme, project has its own M_o_R® Process with dedicated process owner - in M_o_R® known as Manager (e.g. Programme Manager, Project Manager)

6.4. Each process step consists of:

6.4.1. Goals The key outcomes of the process

6.4.2. Inputs The information (documents) that is transformed by the process

6.4.3. Outputs The information (documents) produced (or updated) by the process

6.4.4. Techniques The recognized risk management techniques that may be applied (are recommended by M_o_R®) to the process step to help create the outputs

6.4.5. Tasks The actions that need to be completed to transform the inputs into the outputs with the aid of the techniques.

6.5. Communicate is not a separate step, communication is done as constant activity.

6.5.1. The activity ‘communicate’ deliberately stands alone as the findings of any individual step may be communicated to management for action prior to the completion of the overall process.

6.6. M_o_R® Process has 4 primary process steps. First 2 steps (Identify and Assess) have 2 substeps (Identify - Context, Identify - Risks and Assess - Estimate, Assess - Evaluate) ... yes it's quite bizarre, and for some unclear based on above image, but that's how M_o_R® Process is designed.


6.6.2. 1. Identify 1. Identify - Context Goal Recommended techniques by M_o_R® 1. Identify - Risks Goal Recommended techniques by M_o_R®

6.6.3. 2. Assess 2. Assess - Estimate Goal M_o_R does not requires approach in determining Probability, Impact and Proximity you will choose Recommended techniques by M_o_R® 2. Assess - Evaluate Goal Recommended techniques by M_o_R®

6.6.4. 3. Plan 3. Plan Goal Recommended techniques by M_o_R®

6.6.5. 4. Implement 4. Implement Goal Recommended techniques by M_o_R®

6.6.6. Communicate Rather than being a distinct step in the process, communication is an activity that is carried out throughout the whole process. Effective communication is key to the identification of new threats and opportunities or changes to existing risks. It is also important for management to engage with and seek the participation of staff and the wider stakeholders population. Communication will play a major role in achieving such engagement and participation.

6.7. Common process barriers for success according to M_o_R®.

6.7.1. Lack of an organizational culture that appreciates the benefits of risk management

6.7.2. Immature risk management practices

6.7.3. Lack of risk facilitation resources and time

6.7.4. Lack of policies, process, strategies and plans

6.7.5. Lack of a senior management sponsorship

6.7.6. Lack of training, awareness, knowledge and formal risk tools and techniques

6.7.7. Lack of clear guidance for managers and staff

6.7.8. Lack of incentives for participation in risk management activities

7. M_o_R® Techniques (27)

7.1. Techniques recommended and used in M_o_R®, but not M_o_R® specific

7.2. Stakeholder analysis (category)

7.2.1. RACI variants RACI RACI alternatives RASCI RACI-VS RACIO DACI RAPID®

7.2.2. Stakeholder Map

7.2.3. Influence / Interest matrix / Power-impact matrix / Power-impact grid Identifies the importance of stakeholders to an activity

7.3. PESTLE analysis

7.3.1. A popular technique for identifying external factors

7.3.2. Help to capture understanding about aspects of the context by using the prompts, Political, Economic, Sociological, Technological, Legal and Environmental (or similar alternative) Political What are the key political factors? Political factors refer to the degree of government intervention in the economy. The legal and regulatory factors included are labor laws, tax policies, consumer protection laws, employment laws, environmental regulations, and tariff & trade restrictions. e.g. Economic What are the important economic factors? Economic factors include the inflation rate, exchange rate, interest rate, employment/ unemployment rate and other economic growth indicators. The economic factors faced by an organization have a significant impact on how a business carries on its operations in the future. e.g. Sociological / Social What cultural aspects are most important? Social factors include different cultural and demographic aspects of society that form the macro-environment of the organization. Social factors include career attributes, age distribution, population and its growth rate, health consciousness and safety awareness. e.g. Technological What technological innovations are likely to occur? Technology is evolving at a rapid pace and consumers are becoming extremely tech-savvy. With the advent of new technology, older technology gets outdated and obsolete. e.g. Legal What current and impending legislation may affect the industry? Legal factors include discrimination law, consumer law, antitrust law, employment law, and health and safety law. e.g. Environmental What are the environmental considerations? Environmental factors include ecological and environmental aspects such as weather, climate, and climate change, which may especially affect industries such as tourism, farming, and insurance. e.g.

7.3.3. variants ETPS Economic, Technical, Political, and Social PEST Political, Economic, Social, and Technological PESTELI PESTLESS PESTLIED Political, Economic, Social, Technological, Legal, International, Environmental, and Demographic STEEPLE Social, Technological, Economic, Ethical, Political, Legal, and Environmental STEEPLED Social, Technological, Economic, Environmental, Political, Legal, Educational, and Demographic STEP Strategic Trend Evaluation Process STEPE Social, Technological, Economic, Political, and Ecological


7.4. SWOT analysis

7.4.1. External factors that may affect the organization's objectives

7.4.2. Commonly used for uncertainty identification in project / programme / strategic risk management, the SWOT analysis considers risk from both the internal and external environment.

7.4.3. Strengths Internal factors of a corporation that help to achieve objectives.

7.4.4. Weaknesses Internal factors that obstruct achieving objectives and can be improved.

7.4.5. Opportunities Factors that are not currently present in the organisation, but could reflect positively on achieving our objectives.

7.4.6. Threats Factors that are not currently present in the organisation, but could reflect negatively on achieving our objectives if they occur.


7.5. Horizon scanning

7.5.1. Systematic examination of likely future developments that are at the margins of current thinking and planning

7.5.2. Horizon scanning is a means of identifying future risks, opportunities and improvement ideas.

7.6. Probability impact grid

7.6.1. a.k.a. Risk Matrix

7.6.2. Probability impact grids are very common in risk management / internal control, and it is also common to assign a summary risk score by combining the 'probability' and 'impact' ratings.

7.6.3. Risks across the organization’s portfolio can be compared with each other using the same probability impact grid. Example: the grid contains ranking values that may be used to rank threats and opportunities qualitatively. The probability scales are measures of probability derived from percentages, and the impact scales are selected to reflect the level of impact on project / programme objectives.

7.6.4. Same scale for each risk (each project / programme has its own probability impact grid)


7.7. Checklists

7.7.1. Checklists for risk identification can be developed based on historical information and knowledge that has been accumulated from previous similar projects and from other sources of information

7.7.2. One advantage of using a checklist is that risk identification is quick and simple

7.7.3. One disadvantage is that it is impossible to build an exhaustive checklist of risks, and the user may be effectively limited to the categories in the list

7.7.4. It is important to review the checklist as a formal step of every project / programme closing procedure, to improve both the list of potential risks and the description of risks

7.8. Prompt list

7.8.1. Help ensure all aspects are covered when attempting to identify risks

7.8.2. Similar to checklists

7.8.3. Rather than seeking to pre-identify every risk, prompt lists simply identify the various categories of risk that should be considered

7.8.4. The classic prompt list categories were political, economic, social and technological, giving rise to PEST analysis

7.8.5. example Risk Breakdown Structure (RBS)

7.9. Cause and effect diagrams

7.9.1. a.k.a. Ishikawa diagram

7.9.2. a.k.a. Fishbone diagram

7.9.3. Type of Diagramming techniques

7.9.4. The Ishikawa (cause-effect or fishbone) diagram can indeed be used for risk identification

7.9.5. Diagram graphically helps identify and organize possible causes (source) for a specific risk or area of concern.


7.10. Group techniques (category)

7.10.1. Brainstorming: Unrestrained or unstructured group discussion. Discussion should be led by an experienced facilitator. Ideas are not initially censored; all ideas should be recorded no matter how relevant they initially appear to be. Even bad ideas may trigger good suggestions from other members of the group.

7.10.2. Nominal group: Nominal group technique takes brainstorming a step further by adding a voting process to rank the ideas that are generated. In contrast to simple voting, each participant must provide their input, and there is discussion regarding the relative rankings that result. This allows participants to be more engaged in the discussion and in the solutions.

7.10.3. Delphi: Another type of survey. Acknowledged experts are asked to comment on risks anonymously and independently. Variants: Wideband Delphi.

7.11. Questionnaires

7.11.1. Measuring the effect that risk management is having on the culture of an organization


7.12. Individual interviews

7.12.1. Effective way of capturing risks

7.12.2. When people are not inhibited by management and peers, they tend to be far more open about their concerns

7.13. Assumptions analysis

7.13.1. Assumptions analysis is a powerful way of exposing project-specific risks, since it addresses the particular assumptions made about a given project.

7.13.2. Requires planners to identify all assumptions being made in the project planning stage as a means of risk reduction

7.13.3. Each assumption is then analyzed to determine its accuracy and to identify all potential project risks if the assumption is later found to be inaccurate.

7.13.4. A simple IF-THEN statement can be written for each assumption

7.14. Constraints analysis

7.15. Risk descriptions

7.16. Probability assessment

7.16.1. Estimating the likelihood of a risk occurring

7.16.2. Investigating the likelihood that each specific risk will occur

7.17. Impact assessment

7.17.1. Investigating the potential effect on a project objective such as schedule, cost, quality or performance (negative effects for threats and positive effects for opportunities)

7.18. Proximity assessment

7.19. Expected value assessment

7.20. Summary risk profiles

7.20.1. Are based on the Probability impact grid. The Probability impact grid provides scales for probability and impact, upon which the Summary risk profile is populated with current risk status.

7.20.2. Colors represent progress with risk response. Often a RAG system is used, or an extended RAG: R - Red, A - Amber, G - Green.

7.20.3. example

7.21. Summary expected value assessment

7.22. Probabilistic risk models

7.23. Probability trees


7.24. Sensitivity analysis

7.24.1. Used for determining which risks may have the most potential impact on the project / programme

7.24.2. In sensitivity analysis one looks at the effect of varying the inputs of a mathematical model on the output of the model itself

7.24.3. Examining the effect of the uncertainty of each project element to a specific project objective, when all other uncertain elements are held at their baseline values


7.25. Risk response planning

7.26. Cost-benefit analysis


7.27. Decision trees

7.27.1. Decision support tool that uses a tree-like graph or model of decisions and their possible consequences, including chance event outcomes, resource costs, and utility.

7.27.2. A decision tree consists of 3 types of nodes: Decision nodes - commonly represented by squares; Chance nodes - represented by circles; End nodes - represented by triangles.

7.27.3. Drawn from left to right, a decision tree has only burst nodes (splitting paths) but no sink nodes (converging paths).


7.28. Risk exposure trends

7.29. see Risk Techniques mind map (extending M_o_R®)

7.30. see also Risk Management Techniques in: IEC/FDIS 31010 Risk Management - Risk Assessment Techniques

8. M_o_R® Official publications

8.1. Management of Risk: Guidance for Practitioners

8.1.1. ISBN-13: 978-0113312740

8.1.2. Published: 2010

8.1.3. Pages: 154


8.1.5. The most important, key publication on M_o_R® when preparing for the Foundation and Practitioner exams.

8.2. Management of Risk Pocketbook

8.2.1. ISBN-13: 978-0113312986

8.2.2. Published: 2010

8.2.3. Pages: 59


9. M_o_R® Perspectives (4)

9.1. M_o_R® defines 4 Perspectives

9.1.1. Strategic
Long-term goals; sets the context for decisions at other levels. Management of risk at the strategic level is concerned with setting strategic direction and balancing potential opportunity against the costs and risks. High-level appraisals of strategic risks are a major feature of the business case when plans for change are being considered. At the strategic level the concerns are about where the organisation wants to go, how to get there and how to ensure survival.
Goal: Ensuring business success of the organization. Management of stakeholder perceptions that would affect the reputation of an organization.
Time-frame: long-term goals
Context: business success, business vitality, finance, reputation, core services, organization / enterprise capabilities, resources, ...
Portfolio management
Those with key responsibilities for risk management from this perspective will be the Management Board, the Accounting Officer (public sector) or CEO (private sector), the Executive Management Team and the Head(s) of the Audit and/or Risk Committees.

9.1.2. Programme
At the programme level, managers are responsible for transforming high-level strategy into new ways of working to deliver benefits to the organisation.
Goal: Delivering business change with measurable benefits. Delivering business transformation. Delivering outcomes.
Time-frame: medium-term goals, in general the length of the programme
Context: benefits, capabilities, possibilities, business transformation, ...
Programme management
Those with key responsibilities for risk management from this perspective will be the Sponsoring Group, Programme Board, Senior Responsible Owner (SRO), Programme Manager and Business Change Managers (BCMs).

9.1.3. Project
Risk management at the project level focuses on keeping unwanted outcomes to the minimum. Decisions about risk management at this level form an important part of the business case; where providers and/or partners are involved you must gain a shared view of the risks and how they will be manag
Goal: Producing defined business change products within time, cost, scope etc. constraints. Delivering products / outputs.
Time-frame: medium-term goals, in general the length of the project
Context: time, budget, quality, scope, ...
Project management
Those with key responsibilities for risk management from this perspective will be the Project Board, Project Sponsor (or SRO or Executive), and Project Manager.

9.1.4. Operational
Risk management at the operational level is primarily concerned with continuity of business services. Emphasis is on short-term goals to ensure ongoing continuity of business services. Decisions about risk at this level must also support the achievement of long- and medium-term goals.
Goal: Maintaining business services to appropriate levels. Day-to-day management. Business as Usual (BaU). Ensure ongoing continuity of business services.
Time-frame: short-term goals
Context: quality of service, volume, internal control, revenue, staff, staff health, fatal accidents, customer turnover, ...
Those with key responsibilities for risk management from this perspective will be the Executive Management Team, Operational Directors / Heads of Operations, and Operational Managers.

9.2. Each organizational activity (programme, project) in each perspective has its own M_o_R® Process

9.2.1. e.g. each project in the Project Perspective has its own instance of the M_o_R® Process and a Project Manager accountable or responsible for this process.

10. M_o_R® Related resources

10.1. The Orange Book - Management of Risk - Principles and Concepts [2004]


10.1.2. What is it? A document which defines a process for risk management that is the foundation of the M_o_R® process. The M_o_R® process is very similar to the Orange Book process. Knowledge from this publication is not checked on M_o_R® exams.

10.2. UK Corporate Governance Code [09.2012]


10.2.2. What is it? A document which is a foundation for M_o_R® and the M_o_R® Principles. Knowledge from this publication is not checked on M_o_R® exams.

11. M_o_R® - process based standard and framework from UK (not methodology) for general (not industry specific e.g. IT or Engineering) corporate-wide / holistic Risk Management, yet (arguably) by some people M_o_R® is not considered to be an Enterprise Risk Management (ERM) standard. M_o_R® is one of the 12 recognized globally and practically proven management standards from AXELOS® Global Best Practice family of UK standards.

11.1. M_o_R® v1 was published in 05.2002.

11.2. M_o_R® v2 was published in 03.2006.

11.3. M_o_R® v3, the newest version, is from 12.2010.

11.4. How M_o_R® fits into AXELOS® Global Best Practices family of UK standards.

11.4.1. M_o_R® in AXELOS® Global Best Practices family

11.5. AXELOS® Global Best Practices family of standards from UK.

11.5.1. PRINCE2® Agile see PRINCE2® Agile mind map

11.5.2. ITIL® see ITIL® mind map

11.5.3. M_o_R® - Management of Risk see M_o_R® mind map

11.5.4. MoV® - Management of Value see MoV® mind map

11.5.5. MoP® - Management of Portfolios see MoP® mind map

11.5.6. MSP® - Managing Successful Programmes see MSP® mind map

11.5.7. PRINCE2® - PRojects IN Changing Environments see PRINCE2® mind map

11.5.8. P3O® - Portfolio, Programme and Project Office see P3O® mind map

11.5.9. yet remember - "In reality there are no such things as best practices. There are only practices that are good within a certain context."

11.6. Since 2000 the Office of Government Commerce (OGC), former owner of PRINCE2® (and other Best Management Practices) has been the custodian of the portfolio on behalf of UKG. In June 2010 as a result of UKG reorganisation the Minister for the Cabinet Office announced that the PRINCE2® functions have moved into Cabinet Office.

11.6.1. AXELOS are a new joint venture company, created by the Cabinet Office on behalf of Her Majesty’s Government (HMG) in the United Kingdom and Capita plc to run the Best Management Practice portfolio, now called AXELOS Global Best Practice


12. M_o_R® consists of: 1 Framework, 8 Principles, 4 Perspectives, 1 Process (sequential with 4 main steps and 2 substeps), 6 Roles, 9 Documents, 27 Techniques.

12.1. Download: Best Management Practice - M_o_R 10 Years on presentation v0.3 [18.05.2012]

12.2. Download: M_o_R® - Processes vs Techniques Matrix

13. M_o_R® Framework (1)

13.1. The M_o_R® Framework consists of 4 components:

13.1.1. M_o_R® Principles (outer ring). Derived from corporate governance principles presented in the UK Corporate Governance Code [newest version, 09.2012] in the recognition that risk management is a subset of an organization's internal controls. The M_o_R® principles are intended to guide rather than dictate, so that organizations can develop their own policies, process, strategies and plans to meet their specific needs. The M_o_R® Principles are guidelines / best practices but not strict rules, in comparison to PRINCE2® principles. For risk management to become more than a compliance-led activity within an organization, the value of risk management, measured by the return on investment (ROI) of risk management work, must be determined and communicated. See M_o_R Principles for more information ...

13.1.2. M_o_R® Process (inner ring, including Communicate). 4 main process steps, which describe the inputs, outputs and activities involved in ensuring that risk is managed. The process is divided into 4 main process steps: identify, assess, plan and implement. See M_o_R Process for more information ...

13.1.3. M_o_R® Approach (arrows). The way in which the principles are implemented will vary from organization to organization. Organizations should develop an approach to the management of risk that reflects their unique objectives. Principles need to be adapted and adopted to suit each individual organization. Principles need to be adopted and adapted within M_o_R® documents like:

13.1.4. Embed and Review M_o_R (middle ring). Risk management should be integrated into the culture of the organization. How an organization manages risk is an expression of its core values and communicates to stakeholders its appetite for and attitude to risk-taking. A disconnected or unmanaged approach to risk management is more likely to lead to reactive rather than proactive management where unforeseen issues are commonplace. It is important therefore to embed risk management into the culture and to put in place mechanisms to review and confirm that the approach to risk management remains appropriate given the organization’s objectives and context. For the M_o_R® Principles, Approach and Processes, an organization needs to ensure they are consistently applied (implemented and sustained) and that their application involves continual improvement for better effectiveness and application of lessons learned. Having put in place an approach and process that satisfy the principles, an organization should ensure that these are consistently applied across the organization and that their application undergoes continual improvement in order for them to remain effective. See Risk Management Health Check for more information ... See Risk Management Maturity Model for more information ...

14. M_o_R® Non-official publications

14.1. Risk Management Based on M_o_R: A Management Guide

14.1.1. ISBN-13: 978-9077212684

14.1.2. Published: 2006

14.1.3. Pages: 72


14.1.5. Publication is based on older version of M_o_R - version 2

15. M_o_R® Official resources

15.1. M_o_R® sample exams, available online

15.1.1. M_o_R® Foundation

15.2. M_o_R® examination syllabus

15.2.1. EN

15.2.2. PL

15.3. M_o_R® glossary

15.3.1. EN

15.3.2. PL

15.4. M_o_R® White Papers

15.4.1. Everything you wanted to know about Management of Risk (M_o_R®) in less than 1000 words

15.4.2. Management of Risk: Guidance for Practitioners and the international standard on risk management, ISO 31000:2009

15.4.3. Corporate Governance and Management of Risk (M_o_R®)

15.4.4. Applying Management of Risk (M_o_R®) for Public Services

15.5. M_o_R® website


16. Risk Specialism

16.1. Risk specialism means nothing more than risk management standards / norms / frameworks dedicated to a specific domain (IT, environment, etc.), rather than generic risk management like M_o_R®

16.2. M_o_R® official Handbook mentions several risk management standards as listed below.

16.2.1. Yet there is a "forest" of standards dedicated to risk management in specific fields.

16.3. Business continuity management (BCM)

16.3.1. ISO 22301

16.3.2. BS 25999-1

16.3.3. BS 25999-2

16.3.4. BS 25777

16.4. Incident and crisis management

16.4.1. ISO/IEC 27035

16.4.2. The Business Continuity Institute

16.5. Health and safety management

16.5.1. BS OHSAS 18001

16.6. Security risk management

16.6.1. ISO/IEC 27001

16.6.2. ISO/IEC 27005

16.6.3. ISO/IEC 27034

16.7. Financial risk management

16.7.1. Bank for International Settlements

16.7.2. BASEL III

16.7.3. ISO/IEC TR 27015

16.8. Environmental risk management

16.8.1. ISO 14001

16.9. Reputational risk management

16.10. Contract risk management

16.10.1. Good Practice Contract Management Framework

17. M_o_R® Risk Management Maturity Model (1)

17.1. Maturity Models are a valuable tool in enabling organizations to benchmark their current capability and maturity (in risk, quality, project, programme management - depending on maturity model), and for understanding how and where improvement may be achieved.

17.1.1. Risk Maturity Model is a commonly accepted reference model or framework of mature practices for appraising an organization’s risk management competency.

17.1.2. The common structure for a maturity model is a matrix.

17.2. A format for benchmarking an organization’s current capability and maturity in risk management and how to improve areas to increase maturity levels

17.2.1. Maturity models are typically composed of four or five levels of maturity and the quality of the processes within each level is described by the use of assessment criteria.

17.2.2. There is no limit on the number of criteria that might be adopted, although models commonly contain fewer than 10 to avoid becoming unwieldy.

17.3. Provide a well-structured and detailed guide to facilitate the progressive incremental improvement in risk management practices.

17.3.1. A risk maturity model enables organisations to determine through the use of assessment their level of risk management maturity when measured against the criteria included in the model.

17.4. A maturity model provides:

17.4.1. A starting point for moving forward

17.4.2. A road-map for process improvement

17.4.3. A vehicle for benchmarking the risk management processes

17.4.4. A place to capture the organisation’s previous experiences and current capabilities

17.4.5. A common language

17.4.6. A communication tool to describe succinctly the current status and what is possible

17.4.7. A framework for prioritizing actions

17.4.8. A way of describing what improvement means specific to the organisation

17.4.9. A shared goal

17.4.10. Help to motivate staff

17.4.11. Help to reach strategic objectives

17.5. To maintain maturity, organisations will need to:

17.5.1. Establish continual improvement process

17.5.2. Use lessons learned to inform and refine existing processes

17.5.3. Apply audit & review techniques to ensure risk management techniques are effective

17.5.4. Invest in improving risk processes, tools, techniques and training

17.5.5. Keep policies and internal guidance up-to-date

17.5.6. Ensure they apply risk management to all types of activities

17.5.7. Maintain the risk management culture

17.6. The M_o_R principles outline examples of where measurable organisational value would be expected as a result of implementing risk management and embedding a risk-based approach to decision-making into the organisational culture.

17.7. The use of maturity models is now widespread, with international adoption across multiple industries.

17.7.1. Not only Risk Maturity Models: Quality, Integration, Project Management, etc.

17.7.2. see Maturity Models mind map

18. M_o_R® Risk Management Health Check (1)

18.1. The management of risk health check is a tool for checking the health of current risk management practices and for identifying areas where its application might be improved.

18.1.1. In M_o_R® it is just a set of questions dedicated to check how well each M_o_R® principle was implemented. For each principle there are more than more or less 15 questions to ask.

18.2. The health check presented in M_o_R® is only a starting point. It should be adopted and adapted to the particular organization.

18.2.1. It is recommended that the 8 management of risk principles are used as a framework for structuring the assessment.

18.3. The health check is most useful when preparing and carrying out an organisation-wide assessment.

18.4. The health check assesses risk management practice.

18.4.1. To be effective, the health check should be formally administered and repeated to monitor changes over time.

18.4.2. It provides a ‘snapshot’ of the health of risk management at a particular time.

18.5. The health check might prove useful:

18.5.1. When considering a new investment

18.5.2. As an integral part of business planning

18.5.3. When preparing to establish commitment to improving risk management

18.5.4. Before or to complement a gateway review

18.5.5. When developing an annual operational plan

18.6. May be used for:

18.6.1. Self-assessment

18.6.2. Peer review

18.6.3. External assessment

18.7. Each health check will occur using the following steps:

18.7.1. Preparation

18.7.2. Data collection

18.7.3. Data analysis: Identify trends and patterns, note strengths and deficiencies, identify 3-5 key themes, conduct intermediate review with the sponsor and identify recommendations.

18.7.4. Review and report

19. M_o_R® Risk Response Options (8)

19.1. for Threats (-)

19.1.1. Avoid
This option is about making the uncertain situation certain by removing the risk.
This can often be achieved by removing the cause of a threat.
Risk avoidance is achieved by deciding not to undertake a risk, by either not taking part in a certain risky activity or by abandoning an asset / source that generates the risk.
Avoiding all risks is not a viable strategy.
If we do not take risks, we cannot gain the benefits that can aris
Outcome = risk probability of occurrence is 0%
It simply means to conduct activity where the risk is not met.

19.1.2. Reduce (a.k.a. Modification)
This option chooses definite action now to change the probability and/or impact of the risk.
The term ‘mitigate’ is relevant when discussing reduction of a threat, i.e. making the threat less likely to occur and/or reducing the impact if it did.
Because this option commits the organization to costs for reduction / enhancement now, response costs must be justified in terms of the change to residual risk.
Reduce probability (a.k.a. Prevent)
Reduce impact (a.k.a. Mitigate)
Reduce probability & impact simultaneously

19.2. for Opportunities (+)

19.2.1. Exploit
Exploiting the opportunity aims to make the most of an opportunity that arises, making the probability of its outcome 100%. It uses extensive measures to ensure that the opportunity becomes a certainty.
Outcome = risk probability of occurrence is 100%
Risk becomes an issue (opportunity becomes a certainty).

19.2.2. Enhance (a.k.a. Improve)
Control methods put in place to increase the likelihood or increase the impact of the opportunity. Enhancement methods are not as extensive as exploit controls because they do not aim at making the opportunity a certainty.
Increase probability (but still <100%)
Increase impact
Increase probability & impact simultaneously

19.3. for Threats & Opportunities

19.3.1. Transfer
By transferring risk, firms remove their own responsibility for dealing with risk events to someone outside of the organisation / programme / project etc.; the most typical examples are taking out insurance and outsourcing.
(For an opportunity) it aims to transfer the opportunity to a more specialised organisation that will help maximise its effects.
As the name suggests, a 2nd party is needed for transfer.
Transfer means transferring all (100%) of the impact to the 2nd party.
You can transfer impact, but you cannot transfer accountability for risk!

19.3.2. Share
‘Share’ is an option that is different in nature to the transfer response.
It seeks for multiple parties (2+), typically within a supply chain, to share the risk on a pain/gain share basis.
As the name suggests, a 2nd party is needed for sharing.
Sharing means sharing at least a small percentage of the impact with the 2nd party.

19.3.3. Accept (a.k.a. Retention)
The organisation ‘takes the chance’ that the risk will occur, with its full impact if it did.
There is no change to residual risk with the accept option, but neither are any costs incurred now to manage the risk, or to prepare to manage the risk in future.
Accepting an opportunity basically leaves everything to chance.
Passive Acceptance (without monitoring): Highly NOT recommended, not present in M_o_R®.
Active Acceptance (with monitoring): Risk still MUST be actively monitored for any changes in nature (probability, impact, etc.).

19.3.4. Prepare Contingent Plans
This option involves preparing plans now, but not taking action now.
Most usually associated with the accept option, preparing contingent plans in this instance is saying: ‘We will accept the risk for now, but we'll make a plan for what we’ll do if the situation changes.’
This option applies equally to other responses and is often referred to as a ‘fallback’ plan, i.e. what we will do if the original response doesn’t work.
Fallback plans apply to all other strategies, even avoiding a threat and exploiting an opportunity, because the plan to avoid / exploit may not be successful despite good intentions.
Only reduces impact.
Does not change probability.

19.4. Effect of responses

20. Basic risk definitions (according to AXELOS®)

20.1. Portfolios / Programme / Project Management

20.1.1. Portfolio Management A coordinated collection of strategic processes and decisions that together enable the most effective balance of organizational change and business as usual (BAU).

20.1.2. Programme Management The action of carrying out the coordinated organization, direction and implementation of a dossier of projects and transformation activities to achieve outcomes and realize benefits of strategic importance to the business.

20.1.3. Project Management The planning, delegating, monitoring and control of all aspects of the project, and the motivation of those involved, to achieve the project objectives within the expected performance targets for time, cost, quality, scope, benefits and risks.

20.2. Project / Programme / Portfolios

20.2.1. Portfolio An organization’s change portfolio is the totality of its investment (or segment thereof) in the changes required to achieve its strategic objectives.

20.2.2. Programme: A programme is a temporary, flexible organization created to coordinate, direct and oversee the implementation of a set of related projects and activities in order to deliver outcomes and benefits related to the organization’s strategic objectives. 3 types of programmes: Vision-led programme, Emergent programme, Compliance programme.

20.2.3. Project: A temporary organization, usually existing for a much shorter time than a programme, which will deliver one or more outputs in accordance with a specific business case. A particular project may or may not be part of a programme. Whereas programmes deal with outcomes, projects deal with outputs. 5 types of projects: Compulsory project, Not-for-profit project, Evolving (Agile, RUP) project, Customer/supplier project, Multi-organization project.

20.3. Risk Capacity, Tolerance, Appetite

20.3.1. Risk Capacity: The maximum amount of risk that an organisation, or subset of it, can bear

20.3.2. Risk Tolerance The threshold levels of risk exposure that, with appropriate approvals, can be exceeded, but which when exceeded will trigger some form of response

20.3.3. Risk Appetite The amount of risk the organisation, or subset of it, is willing to accept

20.4. Risk:

20.4.1. An uncertain event or set of events which, should it occur, will have an effect on the achievement of objectives

20.4.2. Threat (-) An uncertain event that could have a negative impact on objectives or benefits

20.4.3. Opportunity (+) An uncertain event that could have a favourable impact on objectives or benefits

20.4.4. There are a variety of definitions for project risk, although they all possess the basic “uncertainty” and “that matters” components:
“An uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives.” (PMBOK)
“An uncertain event or set of circumstances that, should it occur, will have an effect on the achievement of the project’s objectives.” (M_o_R)
“Uncertainty of outcome, whether positive opportunity or negative threat.” (PRINCE2)
“Loss multiplied by likelihood, where risk is the product of the expected consequences or impact (loss or gain) of the risk event should it occur and the probability (likelihood) that the event will occur.” (ISO/IEO)
“The effect of uncertainty on objectives.” (ISO 31000: 2009)
“A possible future issue that can be avoided or mitigated.” (CWS)
“Any factor that might interfere with the successful completion of a project.” (

20.5. Risk Exposure

20.5.1. The combined effect of risks to a set of objectives

20.6. Output, Capability, Outcome, Benefits

20.6.1. Output: The deliverable, or output, developed by a project from a planned activity. Any of the project's specialist products (tangible or intangible). E.g.: a new just-in-time stock control system; a new IT system; a staff training programme; a revised process.

20.6.2. Capability: The completed set of project outputs required to deliver an outcome; exists prior to transition. E.g.: the combination of the outputs ready to ‘go live’.

20.6.3. Outcome: A new operational state achieved after transition of the capability into live operations. Result of the change derived from USING the project's outputs. E.g.: the right materials are available, at the right time, and in the right place.

20.6.4. Benefit: The MEASURABLE improvement resulting from an OUTCOME perceived as an ADVANTAGE by ONE or MORE stakeholders, which contributes towards one or more organizational objective(s). E.g.: fewer stock-outs and consequent interruptions to production; reduced obsolescent stock and hence lower write-offs; reduced stock holdings and so less working capital tied up.

20.6.5. Dis-benefit An outcome perceived as NEGATIVE by ONE or MORE stakeholders. Dis-benefits are actual consequences not risks.

21. Interactive M_o_R® Glossary

21.1. Interactive M_o_R® Glossary

22. M_o_R® Foundation exam prep questions


22.2. 3rd party

22.2.1. Exam-Summaries

22.2.2. ILX

23. This freeware, non-commercial mind map (aligned with the newest version of M_o_R®) was carefully hand crafted with passion and love for learning and constant improvement, as well as for promotion of the standard and framework M_o_R® and as a learning tool for candidates wanting to gain M_o_R® qualification. (Please share, like and give feedback - your feedback and comments are my main motivation for further elaboration. THX!)

23.1. Questions / issues / errors? What do you think about my work? Your comments are highly appreciated. Feel free to visit my website:






23.1.6. miroslaw_dabrowski