Management of Risk: Guidance for Practitioners and the international standard on risk management. ISO 31000:2009

Contents
1 Introduction
2 Section-by-section comparison
3 How M_o_R meets ISO 31000
4 Key areas of similarity and difference
Appendix A Comparative glossary
Appendix B Map of M_o_R against ISO 31000
References
Acknowledgements
Trade marks and statements

ISO 31000:2009   3 1 Introduction ■■ Whereas M_o_R provides the basis for qualifications in the management of risk. This ensures the latest consensus on best practice is it is comforting that M_o_R is compliant with ISO 31000. people ISO 31000 provides a set of principles to inform a framework are able to work together more easily and with fewer within which an organization can manage risk and a process by misunderstandings. something which is also differences) as summarized here: recommended in ISO 31000. as each should ■■ Once standards have been established. but differs. ISO 31000 provides principles and generic guidelines on Rather than reflecting inconsistencies. comparative table is provided in Appendix A. these. and how to undertake ■■ Terminology is provided in both publications.2 of achieving its objectives. contrast.4 does include ■■ The content of ISO 31000 forms a checklist against which an details of some risk assessment techniques. However. through a risk management. ISO/IEC 31010. ISO 31000 does not. in turn. risk management throughout all organizations. Risk principles and activities required. ■■ There are no significant areas of disagreement between the but not how activities are done. comply with relevant legal and regulatory requirements and respond to arising opportunities Why standards help improve risk management and threats. In simple terms: ■■ Both documents see risk management as a fundamental requirement to help organizations deliver their objectives. embedding good risk management practice and the principles and guidelines in ISO 31000 (but with some improving maturity in its application. Another ISO publication. ISO/IEC 31010 leads to fewer organizations missing vital activities that provides a basis for decisions to be made about which approach national (or international) consensus deems necessary for the to use to treat particular risks and to select the best options. activities and roles. 
included and any omissions or clarifications dealt with. two publications in the overall approach and processes for ■■ M_o_R describes both what needs to be done. This and effectiveness of controls already in place. the differences between harmonizing standards and introducing risk management ISO 31000 and M_o_R referred to in the preceding paragraph within an organization or for an activity. publications Consequently it is some six times longer than the standard. By effective management of risk. set of principles. Management of Risk: Guidance for Practitioners and the international standard on risk management. ■■ ISO 31000 defines what needs to be done and by whom. The purpose of this White Paper ISO 31000 This White Paper is intended to show how Management of Standards seek to provide their readers with a concise summary Risk: Guidance for Practitioners (M_o_R®)1 can be used to help of the topic covered. © The Stationery Office 2013 . legislation in certain countries may continuous improvement by being periodically reviewed and require organizations to comply with ISO 31000. It sets out the guidelines for implementing M_o_R was first published in 2002 and has since undergone effective risk management in an organization. concepts and activities for managing risk and is intended to harmonize risk management processes in existing and A comparison of both publications future standards. In this way all users of standards benefit from the collective The international standard ISO 31000 covers the key experience of all other users. highlight the fact that each document is designed to serve a different purpose. This happens in two ways: Management – Risk Assessment Techniques. It is not intended to promote uniformity of management vocabulary. 
ISO 31000 summarizes the key concepts organizations ensure their risk management approach meets and activities that an organization needs to undertake in the requirements of ISO 31000:2009: Risk Management – order to manage risk effectively. It does not define any particular techniques effectiveness to be used but stresses that the organization should apply Standards can improve the effectiveness of risk management by risk identification tools and techniques that are suited to providing generic guidelines and drawing attention to the key its objectives. A the activities. rely on the use of a consistent vocabulary. By standardizing the use of words in a particular context. As its title two revisions to reflect comments received from users and implies. M_o_R provides guidance for practitioners on changes in management methods. It is broadly consistent with managing risk. Risk assessment provides an understanding of risks that could affect an organization can assess the completeness of its own organization’s achievement of its objectives and the adequacy approaches in terms of both principles and activities. ■■ M_o_R is designed for practical use and provides much more The different purposes served by both detailed guidance on how to implement risk management. ISO Guide 73:20093 provides a risk which it can do this. and thus increase its chances Principles and Guidelines. In this respect updated. M_o_R contains an extensive appendix devoted to the ■■ Effective management relies on good communications and description of commonly used techniques. they can promote customize its approach to address its particular objectives and operational needs.

however. programme. M_o_R is based on four core One of the quality criteria for the 2010 revision of M_o_R was concepts – principles. Structure Although superficially different. consisting of identification. will have an effect (positive or negative) on the ■■ M_o_R is designed for practical application of risk achievement of objectives’. M_o_R includes the need for a plan to embed risk managed. approach. treatment. a framework and standard that was in place at the time. activities that should be undertaken. techniques. These are informed by corporate governance principles and ISO 31000. ensuring risks are effectively section. project and operational levels. ISO 31000 includes the need for continuous management practice. audiences. ‘risk register’. defines risk as ‘effect of uncertainty on objectives’. covering application at strategic. M_o_R is longer and much more detailed. M_o_R does is on how it contributes to corporate governance and internal not prescribe how an organization should implement risk control. Since M_o_R is designed © The Stationery Office 2013 . from twelve to eight. whereas M_o_R uses the term and miscellaneous. The main difference is that M_o_R is aimed at creating and maintaining records and monitoring and reporting those responsible for implementing and overseeing risk progress. The ISO 31000 principles are identified by a letter sections on perspectives. approach (M_o_R) and within an organization and cover similar ground.4    Management of Risk: Guidance for Practitioners and the international standard on risk management. structure. 2 Section-by-section While M_o_R states that they are essential for the maintenance comparison of good practice. use different terms. One area of difference is that M_o_R Appendix B provides a tabular comparison of the two includes the principle of creating a supportive culture within the publications. assessment. the review – while ISO 31000 describes principles. 
Only M_o_R is designed to underpin qualifications in management but allows it to customize its approach within the risk management. It is hardly surprising. and embedding and that the guidance must be compatible with BS 31100:2008. monitoring and review. Introduction Both publications describe setting up a policy aligned with the In their introductions both publications outline their intended organization’s objectives.5 mode. principles. This White Paper shows the relationship between M_o_R and M_o_R supplements the above core concepts with ISO 31000. The summary in this section seeks to emphasize organization. ISO 31000 simply emphasizes that they should be adhered to. Both documents see effective risk management as being very Process relevant to the achievement of an organization’s objectives and The process for managing risk is essentially the same in describe consistent approaches to managing risk. The BS Principles 31100:2011 principles are not repeated here as this would be an The third edition of M_o_R reduces the number of principles unnecessary duplication. the main components are very similar. While both publications list similar benefits of risk management in an organization. embed and review. ISO 31000 speaks of keeping records without specifying what form these records should take. In this respect it serves a similar purpose to ISO 31000. guidelines to suit its operating environment and processes. We have structured the Approach (M_o_R) and framework (ISO 31000) comparison in seven parts. holds for a comparison of the principles of M_o_R with those in BS 31100:2011. which has replaced BS 31100:2008. while the standard is aimed at those improvement. therefore. it provides no detail. organizational standards. process. which in M_o_R is dealt with in a separate responsible for developing policy. although they framework (ISO 31000). ISO 31000’s definition is similar and management methods. Risk Management. 
While the standard acknowledges some of these The comparison of M_o_R principles with ISO 31000 also aspects. together with Code of Practice and Guidance for the Implementation of BS document outlines. reflecting the contents of M_o_R: These sections describe how the principles should be applied introduction. ISO 31000 emphasizes the need for such a culture the similarities as much as the differences between them. the main components of Compatibility with BS 31100:2008 each publication are very similar. that there is a strong alignment between the two. the emphasis within M_o_R Although it is designed for practical use. For example. a health check and maturity ISO 31000. a process. but does not include it as one of the principles. ■■ ISO 31000 is designed to help assess how completely the risk management method has been applied. perspectives. ISO 31000:2009 As such: M_o_R defines risk as ‘an uncertain event or set of events that. should it occur. both publications. assessing its effectiveness and setting up the management in the culture of the organization. notation that was adopted in BS 31100:2011.

processes. the requisite steps are only outlined under various M_o_R is designed as a guide for practitioners in risk headings. M_o_R contains descriptions of well risk management is used in an organization. M_o_R contains appendices giving outlines of commonly used documents and techniques and a process for assessing how As a guide to practitioners. It provides the basis for Foundation and ISO 31000 refers to the need for these things but provides little Practitioner qualifications (area B). For more Figure 1 outlines the main areas of overlap between M_o_R detail. to enable organizations to harmonize risk entire chapter to how risk management may be applied at management processes in existing and future standards. Both documents stress the need to embed risk management into the organization’s management processes. M_o_R devotes an aim. prescribe which tools and techniques to use. However. project and management maturity and to identify areas for improvement. Both publications contain the same scope of principles. Appendix B contains a detailed comparison. It does functions. It also sets 3 How M_o_R meets ISO out what is needed for compliance with legal and regulatory requirements and international norms (area C). services and assets. ISO 31000:2009 5 to guide the practitioner. – identify. application for the management of risk across an organization and suggests its use throughout the life of the organization (as distinct from that of a programme or project). It comprises four key stages throughout the life of an organization and its activities. While the need to do so is acknowledged within difference ISO 31000. on the other in the way of detail or method. and ISO 31000. projects. hand. Management of Risk: Guidance for Practitioners and the international standard on risk management. assess. indeed. processes and approaches to managing risk. programme. 
plan and implement – all underpinned by Thus it may be concluded that if an organization is using M_o_R effective communication. it does not of activities. ISO 31000. specifically states that it is not intended for the purpose of certification. programme. The main points of consistency are: ■ Risk management is very relevant to the achievement of an organization’s objectives ■ They share consistent principles ■ They recommend a similar approach to the application of risk management Figure 1 Key areas of similarity and difference between M_o_R ■ They promote the use of similar risk management processes and ISO 31000 ■ They encourage the integration within the organization’s culture and management processes © The Stationery Office 2013 . A ISO 31000 outlines a rather broader range of areas of comparative table is included in Appendix A. however. exceeds them in that it provides much of the detail and method that is Embed and review not covered in the standard. project and operational levels. strategies and decisions. in fact it devotes a specific chapter to 4 Key areas of similarity and this subject. management. its coverage of the process is more ■ They both emphasize risk management application detailed than that of ISO 31000. It describes a commonly used techniques and explains how the approach suggested maturity model to measure the current level of risk and processes are used at strategic. Its use enables an organization to comply with the requirements of ISO 31000 in full. strategic. particularly within ‘framework’. Because M_o_R and ISO 31000 have a different structure and purpose. it meets the requirements of ISO 31000 and. Both publications contain glossaries explaining the meaning of the terms used but these are different in each one. operational levels. operations. 31000 This section summarizes how M_o_R meets the requirements of the International Standard. 
Perspectives ISO 31000 refers to the application of risk management ISO 31000 is intended to set out the principles and generic throughout the life of an organization and across a wide range guidelines for organizations to manage risk. clause-by-clause comparisons are inappropriate. please refer to Appendix A. Both state similar aims for risk management and contain compatible Miscellaneous terms (area A). M_o_R places greater emphasis on integrating it into the culture of the organization.

Appendix A Comparative glossary

Terminology differs in some respects between M_o_R and ISO 31000 but each publication includes equivalent terms. The M_o_R glossary is more extensive than the one in ISO 31000. The table below provides a comparison of Section 2 of ISO 31000 (terms and definitions) with the equivalent terms in M_o_R.

Same terms used in both publications

| M_o_R term | ISO 31000 term |
| Residual risk | Residual risk |
| Risk | Risk |
| Risk evaluation | Risk evaluation |
| Risk identification | Risk identification |
| Risk management | Risk management |
| Risk management policy | Risk management policy |
| Risk owner | Risk owner |
| Risk profile | Risk profile |
| Stakeholder | Stakeholder |

Different terms used in each publication

| M_o_R term | ISO 31000 term |
| Broadly covered by ‘approach’ | Risk management framework |
| Communications plan describes the process | Communication and consultation |
| Included in ‘embed and review’ | Review |
| Covered by ‘identify context’ | External context |
| Covered by ‘identify context’ | Internal context |
| Covered by ‘identify context’ | Risk criteria |
| Identify context | Establishing the context |
| Impact or risk effect | Consequence |
| Implement | Risk treatment |
| Included in ‘implement’ | Monitoring |
| Probability | Likelihood |
| Risk appetite | Risk attitude |
| Risk cause | Risk source |
| Risk estimation | Risk analysis |
| Risk event | Event |
| Covered by ‘risk identification’, ‘estimation’ and ‘evaluation’ | Risk assessment |
| Risk management process guide describes the process | Risk management process |
| Risk management strategy | Risk management plan |
| Risk response. See also ‘implement’ | Control |
| Severity of risk | Level of risk |

Not intended for certification. relevant to any (strategic. contribution made to corporate governance and internal control. Basis for APMG Certification. publication. guides. of risk in any context. ■■ Responsible for risk management guidance. etc. that. covering four perspectives Organization. Defines risk as ‘an uncertain event or set of events Defines risk as ‘effect of uncertainty on objectives’. private or community enterprise.and activity-focused. procedures. Summary While each document has a different approach to its introduction. Part of Cabinet Office Best Management Practice An International Organization for Standardization Guidance portfolio. programme. will have an effect (positive or negative) on the achievement of objectives’. Lists main benefits but also emphasizes the Lists just the main benefits. a bringing together principles. individual. they are not contradictory but see effective risk management as being very relevant to the achievement of an organization’s objectives. linking together principles. should it occur. Provides a route map for undertaking risk Describes a generic approach for managing any sort management in a repeatable and consistent manner. Audience includes people who are: Audience includes people who are: ■■ Responsible for putting in place a risk ■■ Responsible for developing risk management management framework policy ■■ Responsible for reviewing and improving risk ■■ Accountable for ensuring risk is managed management ■■ Evaluating the effectiveness in managing risk ■■ Managing risk within one of the four perspectives ■■ Engaged in developing standards. © The Stationery Office 2013 . ISO 31000:2009   7 Appendix B Map of M_o_R against ISO 31000 The table below provides a direct comparison of M_o_R with ISO 31000 against categories that are common to both publications. process. Management of Risk: Guidance for Practitioners and the international standard on risk management. 
Category M_o_R ISO 31000 Introduction Organization-focused. project and operational). an approach and a framework and a process. public. group or relevant to both the public and private sectors.

plus the review communicate activity The standard is silent on the supplements to the Embedding and reviewing M_o_R framework provided within M_o_R. M_o_R provides more depth of coverage. © The Stationery Office 2013 . and reviewing M_o_R.8    Management of Risk: Guidance for Practitioners and the international standard on risk management. compared with the 24 pages of ISO 31000. ISO 31000:2009 Structure Based on four core concepts: Based on three main clauses: M_o_R principles Principles ■■ Eight universal. However. risk treatment. ■■ Guidance on the need to integrate risk management into the organization’s culture and how to do this The above is supplemented by chapters/appendices on: Perspectives ■■ Describes how the principles. project and operational levels Document outlines ■■ Typical contents for key risk management documents Common techniques ■■ Overviews of a selection of techniques that may be used and guidance on which to select Health check ■■ How to check the current health of application in an organization and identify where it might be improved Maturity model ■■ A format for benchmarking an organization’s current capability and maturity in risk management and how to improve areas to increase maturity levels. with the ISO 31000 framework being addressed by M_o_R’s approach and embedding. approach and process are applied at strategic. plan and implement. comprising 145 pages. assessment. self-validating and empowering ■■ Eleven principles that an organization should principles that provide a guide to effective risk comply with for risk management to be effective management Framework M_o_R approach ■■ Provides the foundations and arrangements that ■■ The way in which the principles may be will embed risk management in the organization implemented. establishing the context. programme. and monitoring and assess. risk ■■ Describes the four primary steps of identify. 
This should be customized for the Process organization ■■ Describes the five activities of communication and M_o_R process consultation. Summary The main components of each document are very similar.

Informed by corporate governance principles and Prefix letters indicate those used in ISO 31000 ISO 31000. assesses and controls risk e) Systematic. for risk management to be effective. Management of Risk: Guidance for Practitioners and the international standard on risk management. iterative and responsive to change ■■ Is revised to take account of changes in context g) and j) align with M_o_R’s fits the context Engages stakeholders i) Transparent and inclusive ■■ To understand their requirements and perceptions ■■ Involves stakeholders at all levels of risk. and to influence their contribution h) Takes account of human and cultural factors ■■ People. (placed in same order as the M_o_R principles to which they relate). Aligns with objectives d) Explicitly addresses uncertainty ■■ Focuses on those uncertainties that have the ■■ Its nature and how it may be addressed potential to impact the achievement of an ■■ Aligns with M_o_R’s objectives organization’s objectives Fits the context g) Tailored ■■ Bespoke design of the risk management approach ■■ Aligns with external and internal context and risk to match the organization’s context profile j) Dynamic. structured and timely ■■ Leading to efficiency and consistent. comparable and reliable results b)and e) align partially with M_o_R’s ‘provides clear guidance’ principle Informs decision-making c) Part of decision-making ■■ Helps decision-makers understand the relative ■■ Helps decision-makers make informed choices merits. ISO 31000:2009   9 Principles Essential for the development and maintenance of Organizations should comply with these principles good risk management practice. threats and opportunities related to their ■■ Aligns with M_o_R’s ‘informs decision-making’ decisions © The Stationery Office 2013 . 
external or internal can affect achievement of objectives i) and h) align with M_o_R’s ‘engages stakeholders’ Provides clear guidance b) An integral part of all organizational processes ■■ All stakeholders understand how the organization ■■ Not a stand-alone activity identifies.

(M_o_R) and the organization. although ISO 31000 is far less detailed. framework (ISO 31000) Risk management policy Mandate and commitment ■■ How risk management will be implemented ■■ Define policy. determine throughout an organization to support the performance indicators realization of its objectives ■■ Align with organizational objectives ■■ Legal and regulatory compliance Design of framework for managing risk ■■ Understanding the organization and its context ■■ Establishing a policy ■■ Ensure accountability ■■ Integrate into other processes ■■ Allocate appropriate resources ■■ Establish internal and external communications and reporting © The Stationery Office 2013 . There is good alignment over most of the principles.10    Management of Risk: Guidance for Practitioners and the international standard on risk management. risk ■■ Organizations should develop and improve their responses. Approach The way in which the principles should be applied in Underpins successful management of risk. ISO 31000:2009 Facilitates continual improvement k) Facilitates continual improvement ■■ Uses historical data to inform estimates. Summary The ISO 31000 principles have been reordered to demonstrate an approximate alignment between the two documents. forecasts and decisions maturity f) Based on best available information ■■ Some factual. some may be uncertain or require judgement k) and f) align with M_o_R’s ‘facilitates continual improvement’ Creates a supportive culture ■■ None of the ISO 31000 principles align to M_o_R’s ‘creates a supportive culture’ ■■ A culture that recognizes uncertainty and supports considered risk-taking Achieves measurable value a) Creates and protects value ■■ Using a structured approach to risk management ■■ Contributes to achievement of objectives and creates and protects organizational value. align with culture. improved performance ■■ Aligns with M_o_R’s ‘achieves measurable value’.

Management of Risk: Guidance for Practitioners and the international standard on risk management. Summary The ground covered under M_o_R’s ‘approach’ is dealt with by the ‘frameworks’ and other clauses in ISO 31000 and in much less detail. policy and plan Records and documentation Process guidance including keeping records (ISO does not use the term ‘risk register’ or ‘issue log’) Risk register are contained under ‘process’ below. ■■ Captures and maintains information on all identified threats and opportunities relating to a specific organizational activity Issue register ■■ Captures and maintains information on all identified issues that are happening now and require action Risk improvement plan ■■ Assists with embedding risk management into the culture of the organization Risk communications plan ■■ Describes how information will be disseminated to and received from stakeholders of an organizational activity Risk response plan ■■ Detail specific plans for responding to a single risk or linked set of risks Risk progress report ■■ Provides regular progress information on risk management within a particular organizational activity. ISO 31000:2009   11 Risk management process guide Implementing risk management ■■ Describes how the M_o_R process steps will be ■■ Implement framework carried out in the organization ■■ Implement processes Risk management strategies Monitoring and review of framework ■■ Describes the specific risk management activities ■■ Ensure effectiveness and continuity in support of that will be undertaken for a particular organization performance organizational activity Continual improvement of framework ■■ Decide how to improve framework. © The Stationery Office 2013 .

impact and proximity of each risk ■■ Evaluate to assist decision-making by comparing Assess – evaluate with criteria. to determine how to treat risk if at ■■ Understand the risk exposure faced by the activity all by looking at the net effect of identified threats and opportunities on an activity when aggregated together Plan Treatment ■■ Prepare specific management responses to ■■ Selecting and implementing options for remove or reduce threats and to maximize modifying risks opportunities. stressing that these should be integrated in management. in the scope of the process itself order to shape the risk management strategy Identify risks Assessment ■■ Identify risks to the activity objectives with the ■■ Includes identification. Outlines main process steps. embedded in Provides a comparison with HM Treasury’s Orange the culture and tailored to suit the organization. obtaining corrective action where responses do not match new information. Assessing effectiveness. identifying new risks expectations See details of documentation under M_o_R Recording the process to provide traceability and ‘approach’ in previous section. their consequences and their likelihood of are most important and urgent by understanding occurring the probability. Both publications include helpful figures showing the relationship between the key process steps.12    Management of Risk: Guidance for Practitioners and the international standard on risk management. © The Stationery Office 2013 . basis for improvement. Key to the identification of new stages of the process risks of changes to existing risks Identify context Establishing the context ■■ Understand how the planned activity fits into the ■■ Articulates its objectives. ISO 31000:2009 Process Describes the management of risk process steps. defines parameters to wider organization and market/society and the take into account when managing risk and sets organization’s approach to risk management. 
Summary ISO 31000 covers very similar ground to M_o_R but in less detail. analysis and evaluation of aim of minimizing threats while maximizing risks opportunities ■■ Identification generates a comprehensive list of Assess – estimate risks ■■ Analysis to understand causes and sources of ■■ Prioritize individual risks so that it is clear which risks. The key process steps described are: Communication throughout the process Communication and consultation ■■ An activity that is carried out throughout the ■■ With external and internal stakeholders at all whole process. Book.6 Similar to the processes described in M_o_R but less detail. Pre-empt surprises ■■ Take account of costs and efforts against benefits Implement ■■ Develop and implement plans ■■ Ensure that the planned risk management actions Monitoring and review are implemented and monitored and to take ■■ Part of plan.

Framework. ■■ Process: an integral part of management. © The Stationery Office 2013 . including regular reviews to ensure effective organization’s management processes. align it with management. the organization’s objectives and culture and provide appropriate resources and management support are referred to within Clause 4. review and update/improvement. While the need to do so is acknowledged within ISO 31000. particularly within ‘framework’. building a risk management culture Overcoming the common barriers to success ■■ By regular communications and by obtaining and developing senior management commitment and support Identifying and establishing the opportunities for change ■■ Using trigger points to establish a continual cycle of monitoring. the requisite steps are only outlined under various headings. implemented and improved by staff embedded in culture and practice. valued. Embedding the principles ■■ Start with the principles and by appreciating what There are also references under the organization would look and feel like should these be embedded ■■ Introduction: implicit references to the need to integrate risk management ■■ Principles: integral part of all organizational Changing the culture for risk management processes. Management of Risk: Guidance for Practitioners and the international standard on risk management. part of decision-making ■■ The M_o_R approach needs to be understood. tailored to the across the organization business ■■ Establishing the context as an activity at the start of the risk management process Measuring the value ■■ Annex A: Attributes of enhanced risk ■■ Using a range of indictors to judge the success of management. Summary M_o_R devotes a specific chapter to integrating risk management into the organization. ISO 31000:2009   13 Embed and Integrating risk management into the organization’s The need to integrate risk management into the review culture.

Perspectives

M_o_R: Describes how the principles, approach and process are applied at the strategic, programme, project and operational perspectives.

Strategic
■■ Ensuring overall business success, vitality and viability

Programme
■■ Transforming business strategy into new ways of working that deliver measurable benefits to the organization

Project
■■ Delivering defined outputs to an appropriate level of quality with agreed scope, time and cost constraints

Operational
■■ Maintaining appropriate levels of business services to existing and new customers.

ISO 31000: Refers to the application of risk management throughout the life of an organization and across a wide range of activities, strategies and decisions, operations, processes, functions, projects, services and assets (Section 1, Scope).

Also refers to application at differing levels implicitly under
■■ Section 5.3, Establishing the context
■■ Annex A, Attributes of enhanced risk management.

Summary: M_o_R contains a much more detailed analysis of the difference in approach from the different management perspectives. ISO 31000 merely acknowledges that risk management may be used at all these levels and more.

A. Common techniques

M_o_R: Outline descriptions of commonly used techniques for each step of the M_o_R process.

ISO 31000: Refers to the need for specific techniques but provides no details.

B. Document outlines

M_o_R: Suggested outlines of commonly used risk management documents.

ISO 31000: Refers to the need for documentation but provides no details.

C. Health check

M_o_R: Describes a process and framework for assessing how well risk management is used in an organization. The framework is based on the M_o_R principles.

ISO 31000: Refers to the need to continually improve but does not provide a method.

D. Maturity model

M_o_R: Describes a suggested maturity model to measure the current level of risk management maturity and to identify areas for improvement. Also refers to other maturity models and provides a high-level description of the Portfolio, Programme and Project Management Maturity Model (P3M3).

ISO 31000: Annex A, Attributes of enhanced risk management, refers to developing an appropriate level of performance in risk management. The attributes described are:
■■ Continual improvement through setting of performance goals
■■ Full accountability for those involved
■■ Application in all decision-making
■■ Continual communications
■■ Full integration in the organization’s governance structure.

Summary: While the need to improve organizational performance is acknowledged in ISO 31000, no mechanism is proposed for doing so. M_o_R, on the other hand, provides a template for a maturity model that can be customized to the needs of the organization.

E. Risk specialisms

M_o_R: Provides introductions to specialist areas of risk management and references to additional information on them.

ISO 31000: Section 3, Principles a) to c) require an organization to apply risk management across all its activities. These requirements would include the specialist areas in Appendix E of M_o_R. Annex A refers to full integration in the organization’s governance structure.

M_o_R: M_o_R identifies the following eight risk specialisms and directs the reader to more detailed information on these:
■■ Business continuity management
■■ Incident and crisis management
■■ Health and safety management
■■ Security risk management
■■ Financial risk management
■■ Environmental risk management
■■ Reputational risk management
■■ Contract risk management.

ISO 31000: Although application in these specialist areas is implicit in the way the document is drafted, no specific guidance is provided.

Summary: Once again, M_o_R provides guidance for good practice in these areas whereas ISO 31000 does not.

Sourced by TSO and published on edition. Reuse of this White Paper is permitted 2009. British Centre/White-Papers/ Standards Institution. The Stationery www. 2004. A copy of these terms can be provided on application to 6 The Orange Book. effort is made to ensure the accuracy and reliability of the information. Office of Government Commerce. Best Management Practice. HM Treasury. TSO cannot accept responsibility for errors. The internationally renowned portfolio is adopted as best practice through high quality training. St Crispins. Techniques.