
Management of Risk: Guidance for Practitioners and the international standard on risk management, ISO 31000:2009

Michael Dallas, Director, APM Group Ltd

White Paper
April 2013

© The Stationery Office 2013

Contents

1 Introduction
2 Section-by-section comparison
3 How M_o_R meets ISO 31000
4 Key areas of similarity and difference
Appendix A Comparative glossary
Appendix B Map of M_o_R against ISO 31000
References
Acknowledgements
Trade marks and statements

1 Introduction

The purpose of this White Paper

This White Paper is intended to show how Management of Risk: Guidance for Practitioners (M_o_R®) [1] can be used to help organizations ensure their risk management approach meets the requirements of ISO 31000:2009: Risk Management – Principles and Guidelines. [2]

M_o_R was first published in 2002 and has since undergone two revisions to reflect comments received from users and changes in management methods. As its title implies, M_o_R provides guidance for practitioners on embedding good risk management practice and improving maturity in its application. It is broadly consistent with the principles and guidelines in ISO 31000 (but with some differences), as summarized here. In simple terms:

■■ Both documents see risk management as a fundamental requirement to help organizations deliver their objectives.
■■ There are no significant areas of disagreement between the two publications in the overall approach and processes for managing risk.
■■ M_o_R is designed for practical use and provides much more detailed guidance on how to implement risk management. Consequently it is some six times longer than the standard.
■■ ISO 31000 defines what needs to be done and by whom, but not how activities are done. M_o_R describes both what needs to be done and how to undertake the activities.
■■ Terminology is provided in both publications, but differs. A comparative table is provided in Appendix A.
■■ Whereas M_o_R provides the basis for qualifications in the management of risk, ISO 31000 does not.
■■ Effective management relies on good communications and these, in turn, rely on the use of a consistent vocabulary. ISO Guide 73:2009 [3] provides a risk management vocabulary. By standardizing the use of words in a particular context, people are able to work together more easily and with fewer misunderstandings.
■■ M_o_R contains an extensive appendix devoted to the description of commonly used techniques, something which is also recommended in ISO 31000. Another ISO publication, ISO/IEC 31010 [4], does include details of some risk assessment techniques.
■■ The content of ISO 31000 forms a checklist against which an organization can assess the completeness of its own approaches in terms of both principles and activities. In this respect it is comforting that M_o_R is compliant with ISO 31000. However, legislation in certain countries may require organizations to comply with ISO 31000.

ISO 31000

Standards seek to provide their readers with a concise summary of the topic covered. ISO 31000 summarizes the key concepts and activities that an organization needs to undertake in order to manage risk effectively. It provides principles and generic guidelines on managing risk. It is not intended to promote uniformity of risk management throughout all organizations, as each should customize its approach to address its particular objectives and operational needs. It does not define any particular techniques to be used but stresses that the organization should apply risk identification tools and techniques that are suited to its objectives.

The international standard ISO 31000 covers the key concepts and activities for managing risk and is intended to harmonize risk management processes in existing and future standards. It sets out the guidelines for implementing effective risk management in an organization. ISO 31000 provides a set of principles to inform a framework within which an organization can manage risk and a process by which it can do this. Risk assessment provides an understanding of risks that could affect an organization's achievement of its objectives and the adequacy and effectiveness of controls already in place. This provides a basis for decisions to be made about which approach to use to treat particular risks and to select the best options.

Why standards help improve risk management effectiveness

Standards can improve the effectiveness of risk management by providing generic guidelines and drawing attention to the key principles and activities required. This happens in two ways:

■■ Once standards have been established, they can promote continuous improvement by being periodically reviewed and updated. This ensures the latest consensus on best practice is included and any omissions or clarifications dealt with. In this way all users of standards benefit from the collective experience of all other users.
■■ Their use leads to fewer organizations missing vital activities that national (or international) consensus deems necessary for the effective management of risk. By effective management of risk an organization can increase its chances of achieving its objectives, comply with relevant legal and regulatory requirements and respond to arising opportunities and threats.

A comparison of both publications

This White Paper shows the relationship between M_o_R and ISO 31000. Rather than reflecting inconsistencies, the differences between ISO 31000 and M_o_R referred to in the preceding paragraphs highlight the fact that each document is designed to serve a different purpose. The different purposes served by both publications are summarized in the section-by-section comparison that follows.

2 Section-by-section comparison

Introduction

In their introductions both publications outline their intended audiences. The main difference is that M_o_R is aimed at those responsible for implementing and overseeing risk management, while the standard is aimed at those responsible for developing policy, ensuring risks are effectively managed, assessing its effectiveness and setting up the organizational standards. Since M_o_R is designed to guide the practitioner, it is longer and much more detailed. As such:

■■ M_o_R is designed for practical application of risk management practice.
■■ ISO 31000 is designed to help assess how completely the risk management method has been applied.

Only M_o_R is designed to underpin qualifications in risk management.

Both documents see effective risk management as being very relevant to the achievement of an organization's objectives and describe consistent approaches to managing risk. While both publications list similar benefits of risk management, the emphasis within M_o_R is on how it contributes to corporate governance and internal control.

M_o_R defines risk as 'an uncertain event or set of events that, should it occur, will have an effect (positive or negative) on the achievement of objectives'. ISO 31000's definition is similar and defines risk as 'effect of uncertainty on objectives'.

Structure

Although superficially different, the main components of each publication are very similar. M_o_R is based on four core concepts – principles, approach, process, and embed and review – while ISO 31000 describes principles, a framework and a process. M_o_R supplements the above core concepts with sections on perspectives, document outlines, techniques, a health check and a maturity model. Both publications contain glossaries explaining the meaning of the terms used, but these are different in each one. A comparative table is included in Appendix A. Appendix B provides a tabular comparison of the two publications.

We have structured the comparison in seven parts, reflecting the contents of M_o_R: introduction, structure, principles, approach (M_o_R) and framework (ISO 31000), process, embed and review, and miscellaneous.

Principles

The third edition of M_o_R reduces the number of principles from twelve to eight. These are informed by corporate governance principles and ISO 31000. While M_o_R states that they are essential for the maintenance of good practice, ISO 31000 simply emphasizes that they should be adhered to. Although it is designed for practical use, M_o_R does not prescribe how an organization should implement risk management but allows it to customize its approach within the guidelines to suit its operating environment and processes. In this respect it serves a similar purpose to ISO 31000. It is hardly surprising, therefore, that there is a strong alignment between the two. The summary in this section seeks to emphasize the similarities as much as the differences between them.

One area of difference is that M_o_R includes the principle of creating a supportive culture within the organization. ISO 31000 emphasizes the need for such a culture but does not include it as one of the principles. ISO 31000 includes the need for continuous improvement; M_o_R includes the need for a plan to embed risk management in the culture of the organization, which in M_o_R is dealt with in a separate section. While the standard acknowledges some of these aspects, it provides no detail.

Compatibility with BS 31100:2008

One of the quality criteria for the 2010 revision of M_o_R was that the guidance must be compatible with BS 31100:2008, the standard that was in place at the time. The comparison of M_o_R principles with ISO 31000 also holds for a comparison of the principles of M_o_R with those in BS 31100:2011, Risk Management. Code of Practice and Guidance for the Implementation of BS 31000 [5], which has replaced BS 31100:2008. The BS 31100:2011 principles are not repeated here as this would be an unnecessary duplication. The ISO 31000 principles are identified by a letter notation that was adopted in BS 31100:2011.

Approach (M_o_R) and framework (ISO 31000)

These sections describe how the principles should be applied within an organization and cover similar ground. Both publications describe setting up a policy aligned with the organization's objectives, a process, creating and maintaining records, and monitoring and reporting progress. ISO 31000 speaks of keeping records without specifying what form these records should take, whereas M_o_R uses the term 'risk register'.

Process

The process for managing risk is essentially the same in both publications, although they use different terms. In M_o_R it comprises four key stages – identify, assess, plan and implement – all underpinned by effective communication, while ISO 31000 describes a process consisting of identification, assessment, treatment, and monitoring and review. Since M_o_R is designed to guide the practitioner, its coverage of the process is more detailed than that of ISO 31000.

Embed and review

Both documents stress the need to embed risk management into the organization's management processes. M_o_R places greater emphasis on integrating it into the culture of the organization; in fact it devotes a specific chapter to this subject. While the need to do so is acknowledged within ISO 31000, the requisite steps are only outlined under various headings, particularly within 'framework'.

Perspectives

ISO 31000 refers to the application of risk management throughout the life of an organization and across a wide range of activities, processes, functions, projects, services and assets, operations, strategies and decisions. M_o_R devotes an entire chapter to how risk management may be applied at strategic, programme, project and operational levels. ISO 31000 outlines a rather broader range of areas of application for the management of risk across an organization and suggests its use throughout the life of the organization (as distinct from that of a programme or project).

Miscellaneous

M_o_R contains appendices giving outlines of commonly used documents and techniques and a process for assessing how well risk management is used in an organization. It describes a suggested maturity model to measure the current level of risk management maturity and to identify areas for improvement. ISO 31000 refers to the need for these things but provides little in the way of detail or method. It does not prescribe which tools and techniques to use.

3 How M_o_R meets ISO 31000

This section summarizes how M_o_R meets the requirements of the International Standard. Because M_o_R and ISO 31000 have a different structure and purpose, clause-by-clause comparisons are inappropriate. Appendix B contains a detailed comparison.

Figure 1 outlines the main areas of overlap between M_o_R and ISO 31000. Both state similar aims for risk management and contain compatible terms (area A). M_o_R provides the basis for Foundation and Practitioner qualifications (area B). It also sets out what is needed for compliance with legal and regulatory requirements and international norms (area C). ISO 31000, on the other hand, specifically states that it is not intended for the purpose of certification. Both publications contain the same scope of principles, processes and approaches to managing risk.

Figure 1 Key areas of similarity and difference between M_o_R and ISO 31000

Thus it may be concluded that if an organization is using M_o_R, it meets the requirements of ISO 31000 and, indeed, exceeds them in that it provides much of the detail and method that is not covered in the standard. Its use enables an organization to comply with the requirements of ISO 31000 in full.

4 Key areas of similarity and difference

ISO 31000 is intended to set out the principles and generic guidelines for organizations to manage risk, to enable organizations to harmonize risk management processes in existing and future standards. M_o_R is designed as a guide for practitioners in risk management. M_o_R contains descriptions of commonly used techniques and explains how the approach and processes are used at strategic, programme, project and operational levels.

The main points of consistency are:

■ Risk management is very relevant to the achievement of an organization's objectives
■ They share consistent principles
■ They recommend a similar approach to the application of risk management
■ They promote the use of similar risk management processes
■ They encourage the integration within the organization's culture and management processes
■ They both emphasize risk management application throughout the life of an organization and its activities.

For more detail, please refer to Appendix A.

Appendix A Comparative glossary

Terminology differs in some respects between M_o_R and ISO 31000 but each publication includes equivalent terms. The M_o_R glossary is more extensive than the one in ISO 31000. The table below provides a comparison of Section 2 of ISO 31000 (terms and definitions) with the equivalent terms in M_o_R.

M_o_R term | ISO 31000 term

Same terms used in both publications
Residual risk | Residual risk
Risk | Risk
Risk evaluation | Risk evaluation
Risk identification | Risk identification
Risk management | Risk management
Risk management policy | Risk management policy
Risk owner | Risk owner
Risk profile | Risk profile
Stakeholder | Stakeholder

Different terms used in each publication
Broadly covered by 'approach' | Risk management framework
Communications plan describes the process | Communication and consultation
Included in 'embed and review' | Review
Covered by 'identify context' | External context
Covered by 'identify context' | Internal context
Covered by 'identify context' | Risk criteria
Identify context | Establishing the context
Impact or risk effect | Consequence
Implement | Risk treatment
Included in 'implement' | Monitoring
Probability | Likelihood
Risk appetite | Risk attitude
Risk cause | Risk source
Risk estimation | Risk analysis
Risk event | Event
Covered by 'risk identification', 'estimation' and 'evaluation' | Risk assessment
Risk management process guide describes the process | Risk management process
Risk management strategy | Risk management plan
Risk response. See also 'implement' | Control
Severity of risk | Level of risk

Appendix B Map of M_o_R against ISO 31000

The table below provides a direct comparison of M_o_R with ISO 31000 against categories that are common to both publications.

Category: Introduction

M_o_R
Organization-focused, covering four perspectives (strategic, programme, project and operational). Part of the Cabinet Office Best Management Practice Guidance portfolio. Basis for APMG Certification. Lists main benefits but also emphasizes the contribution made to corporate governance and internal control. Defines risk as 'an uncertain event or set of events that, should it occur, will have an effect (positive or negative) on the achievement of objectives'. Provides a route map for undertaking risk management in a repeatable and consistent manner, linking together principles, an approach and a process.
Audience includes people who are:
■■ Responsible for putting in place a risk management framework
■■ Responsible for reviewing and improving risk management
■■ Managing risk within one of the four perspectives
■■ Responsible for risk management guidance.

ISO 31000
Organization- and activity-focused, relevant to any public, private or community enterprise, group or individual. An International Organization for Standardization publication, relevant to both the public and private sectors. Not intended for certification. Lists just the main benefits. Defines risk as 'effect of uncertainty on objectives'. Describes a generic approach for managing any sort of risk in any context, bringing together principles, a framework and a process.
Audience includes people who are:
■■ Responsible for developing risk management policy
■■ Accountable for ensuring risk is managed
■■ Evaluating the effectiveness in managing risk
■■ Engaged in developing standards, guides, procedures, etc.

Summary
While each document has a different approach to its introduction, they are not contradictory but see effective risk management as being very relevant to the achievement of an organization's objectives.

Category: Structure

M_o_R
Based on four core concepts:
M_o_R principles
■■ Eight universal, self-validating and empowering principles that provide a guide to effective risk management
M_o_R approach
■■ The way in which the principles may be implemented. This should be customized for the organization
M_o_R process
■■ Describes the four primary steps of identify, assess, plan and implement, plus the communicate activity
Embedding and reviewing M_o_R
■■ Guidance on the need to integrate risk management into the organization's culture and how to do this
The above is supplemented by chapters/appendices on:
Perspectives
■■ Describes how the principles, approach and process are applied at strategic, programme, project and operational levels
Document outlines
■■ Typical contents for key risk management documents
Common techniques
■■ Overviews of a selection of techniques that may be used and guidance on which to select
Health check
■■ How to check the current health of application in an organization and identify where it might be improved
Maturity model
■■ A format for benchmarking an organization's current capability and maturity in risk management and how to improve areas to increase maturity levels.

ISO 31000
Based on three main clauses:
Principles
■■ Eleven principles that an organization should comply with for risk management to be effective
Framework
■■ Provides the foundations and arrangements that will embed risk management in the organization
Process
■■ Describes the five activities of communication and consultation, establishing the context, risk assessment, risk treatment, and monitoring and review
The standard is silent on the supplements to the framework provided within M_o_R.

Summary
The main components of each document are very similar, with the ISO 31000 framework being addressed by M_o_R's approach and embedding and reviewing M_o_R. However, M_o_R provides more depth of coverage, comprising 145 pages, compared with the 24 pages of ISO 31000.

Category: Principles

M_o_R
Essential for the development and maintenance of good risk management practice. Informed by corporate governance principles and ISO 31000.

ISO 31000
Organizations should comply with these principles for risk management to be effective. Prefix letters indicate those used in ISO 31000 (placed in the same order as the M_o_R principles to which they relate).

M_o_R: Aligns with objectives
■■ Focuses on those uncertainties that have the potential to impact the achievement of an organization's objectives
ISO 31000: d) Explicitly addresses uncertainty
■■ Its nature and how it may be addressed
■■ Aligns with M_o_R's 'aligns with objectives'

M_o_R: Fits the context
■■ Bespoke design of the risk management approach to match the organization's context
ISO 31000: g) Tailored
■■ Aligns with external and internal context and risk profile
ISO 31000: j) Dynamic, iterative and responsive to change
■■ Is revised to take account of changes in context
■■ g) and j) align with M_o_R's 'fits the context'

M_o_R: Engages stakeholders
■■ To understand their requirements and perceptions of risk, and to influence their contribution
ISO 31000: i) Transparent and inclusive
■■ Involves stakeholders at all levels
ISO 31000: h) Takes account of human and cultural factors
■■ People, external or internal, can affect achievement of objectives
■■ i) and h) align with M_o_R's 'engages stakeholders'

M_o_R: Provides clear guidance
■■ All stakeholders understand how the organization identifies, assesses and controls risk
ISO 31000: b) An integral part of all organizational processes
■■ Not a stand-alone activity
ISO 31000: e) Systematic, structured and timely
■■ Leading to efficiency and consistent, comparable and reliable results
■■ b) and e) align partially with M_o_R's 'provides clear guidance' principle

M_o_R: Informs decision-making
■■ Helps decision-makers understand the relative merits, threats and opportunities related to their decisions
ISO 31000: c) Part of decision-making
■■ Helps decision-makers make informed choices
■■ Aligns with M_o_R's 'informs decision-making'

M_o_R: Facilitates continual improvement
■■ Uses historical data to inform estimates, forecasts, decisions and responses
ISO 31000: k) Facilitates continual improvement
■■ Organizations should develop and improve their risk maturity
ISO 31000: f) Based on best available information
■■ Some factual, some may be uncertain or require judgement
■■ k) and f) align with M_o_R's 'facilitates continual improvement'

M_o_R: Creates a supportive culture
■■ A culture that recognizes uncertainty and supports considered risk-taking
ISO 31000
■■ None of the ISO 31000 principles align to M_o_R's 'creates a supportive culture'

M_o_R: Achieves measurable value
■■ Using a structured approach to risk management creates and protects organizational value
ISO 31000: a) Creates and protects value
■■ Contributes to achievement of objectives and improved performance
■■ Aligns with M_o_R's 'achieves measurable value'

Summary
The ISO 31000 principles have been reordered to demonstrate an approximate alignment between the two documents. There is good alignment over most of the principles, although ISO 31000 is far less detailed.

Category: Approach (M_o_R) and framework (ISO 31000)

M_o_R
The way in which the principles should be applied in the organization.
Risk management policy
■■ How risk management will be implemented throughout an organization to support the realization of its objectives
■■ Align with organizational objectives
■■ Legal and regulatory compliance
Risk management process guide
■■ Describes how the M_o_R process steps will be carried out in the organization
Risk management strategies
■■ Describes the specific risk management activities that will be undertaken for a particular organizational activity
Risk register
■■ Captures and maintains information on all identified threats and opportunities relating to a specific organizational activity
Issue register
■■ Captures and maintains information on all identified issues that are happening now and require action
Risk improvement plan
■■ Assists with embedding risk management into the culture of the organization
Risk communications plan
■■ Describes how information will be disseminated to and received from stakeholders of an organizational activity
Risk response plan
■■ Details specific plans for responding to a single risk or linked set of risks
Risk progress report
■■ Provides regular progress information on risk management within a particular organizational activity.

ISO 31000
Underpins successful management of risk.
Mandate and commitment
■■ Define policy, align with culture, determine performance indicators
Design of framework for managing risk
■■ Understanding the organization and its context
■■ Establishing a policy
■■ Ensure accountability
■■ Integrate into other processes
■■ Allocate appropriate resources
■■ Establish internal and external communications and reporting
Implementing risk management
■■ Implement framework
■■ Implement processes
Monitoring and review of framework
■■ Ensure effectiveness and continuity in support of organization performance
Continual improvement of framework
■■ Decide how to improve framework, policy and plan
Records and documentation
Process guidance including keeping records (ISO does not use the term 'risk register' or 'issue log') is contained under 'process' below.

Summary
The ground covered under M_o_R's 'approach' is dealt with by the 'framework' and other clauses in ISO 31000 and in much less detail.

Category: Process

M_o_R
Describes the management of risk process steps, stressing that these should be integrated in management, embedded in the culture and tailored to suit the organization. Provides a comparison with HM Treasury's Orange Book. [6] The key process steps described are:
Communication throughout the process
■■ An activity that is carried out throughout the whole process. Key to the identification of new risks or of changes to existing risks
Identify context
■■ Understand how the planned activity fits into the wider organization and market/society and the organization's approach to risk management, in order to shape the risk management strategy
Identify risks
■■ Identify risks to the activity objectives with the aim of minimizing threats while maximizing opportunities
Assess – estimate
■■ Prioritize individual risks so that it is clear which are most important and urgent by understanding the probability, impact and proximity of each risk
Assess – evaluate
■■ Understand the risk exposure faced by the activity by looking at the net effect of identified threats and opportunities on an activity when aggregated together
Plan
■■ Prepare specific management responses to remove or reduce threats and to maximize opportunities. Pre-empt surprises
Implement
■■ Ensure that the planned risk management actions are implemented and monitored, and take corrective action where responses do not match expectations
See details of documentation under M_o_R 'approach' in the previous section.

ISO 31000
Similar to the processes described in M_o_R but with less detail. Outlines main process steps.
Communication and consultation
■■ With external and internal stakeholders at all stages of the process
Establishing the context
■■ Articulates its objectives, defines parameters to take into account when managing risk and sets the scope of the process itself
Assessment
■■ Includes identification, analysis and evaluation of risks
■■ Identification generates a comprehensive list of risks, their consequences and their likelihood of occurring
■■ Analysis to understand causes and sources of risk
■■ Evaluate to assist decision-making by comparing with criteria, to determine how to treat risk, if at all
Treatment
■■ Selecting and implementing options for modifying risks
■■ Take account of costs and efforts against benefits
Monitoring and review
■■ Part of plan. Assessing effectiveness, obtaining new information, identifying new risks
Recording the process to provide traceability and a basis for improvement.

Summary
ISO 31000 covers very similar ground to M_o_R but in less detail. Both publications include helpful figures showing the relationship between the key process steps.

Category: Embed and review

M_o_R
Integrating risk management into the organization's culture, including regular reviews to ensure effective management.
Embedding the principles
■■ Start with the principles and by appreciating what the organization would look and feel like should these be embedded
Changing the culture for risk management
■■ The M_o_R approach needs to be understood, valued, implemented and improved by staff across the organization
Measuring the value
■■ Using a range of indicators to judge the success of embedding
Overcoming the common barriers to success
■■ By regular communications and by obtaining and developing senior management commitment and support
Identifying and establishing the opportunities for change
■■ Using trigger points to establish a continual cycle of monitoring, review and update/improvement.

ISO 31000
The need to integrate risk management into the organization's management processes, align it with the organization's objectives and culture and provide appropriate resources and management support is referred to within Clause 4, Framework. There are also references under:
■■ Introduction: implicit references to the need to integrate risk management
■■ Principles: integral part of all organizational processes, part of decision-making
■■ Process: an integral part of management, embedded in culture and practice, tailored to the business
■■ Establishing the context as an activity at the start of the risk management process
■■ Annex A: Attributes of enhanced risk management, building a risk management culture.

Summary
M_o_R devotes a specific chapter to integrating risk management into the organization. While the need to do so is acknowledged within ISO 31000, the requisite steps are only outlined under various headings, particularly within 'framework'.

Category: Perspectives

M_o_R
Describes how the principles, approach and process are applied at the strategic, programme, project and operational perspectives.
Strategic
■■ Ensuring overall business success, vitality and viability
Programme
■■ Transforming business strategy into new ways of working that deliver measurable benefits to the organization
Project
■■ Delivering defined outputs to an appropriate level of quality with agreed scope, time and cost constraints
Operational
■■ Maintaining appropriate levels of business services to existing and new customers.

ISO 31000
Refers to the application of risk management throughout the life of an organization and across a wide range of activities, processes, functions, projects, services and assets, operations, strategies and decisions (Section 1, Scope). Also refers to application at differing levels implicitly under:
■■ Section 5.3, Establishing the context
■■ Annex A, Attributes of enhanced risk management.

Summary
M_o_R contains a much more detailed analysis of the difference in approach from the different management perspectives. ISO 31000 merely acknowledges that risk management may be used at all these levels and more.

Category: Document outlines

M_o_R
Suggested outlines of commonly used risk management documents.

ISO 31000
Refers to the need for documentation but provides no details.

Category: Common techniques

M_o_R
Outline descriptions of commonly used techniques for each step of the M_o_R process.

ISO 31000
Refers to the need for specific techniques but provides no details.

Category: Health check

M_o_R
Describes a process and framework for assessing how well risk management is used in an organization. The framework is based on the M_o_R principles.

ISO 31000
Refers to the need to continually improve but does not provide a method. Annex A refers to full integration in the organization's governance structure.

Category: Maturity model

M_o_R
Describes a suggested maturity model to measure the current level of risk management maturity and to identify areas for improvement. Also refers to other maturity models and provides a high-level description of the Portfolio, Programme and Project Management Maturity Model (P3M3).

ISO 31000
Annex A, Attributes of enhanced risk management, refers to developing an appropriate level of performance in risk management. The attributes described are:
■■ Continual improvement through setting of performance goals
■■ Full accountability for those involved
■■ Application in all decision-making
■■ Continual communications
■■ Full integration in the organization's governance structure.

Summary
While the need to improve organizational performance is acknowledged in ISO 31000, no mechanism is proposed for doing so. M_o_R, on the other hand, provides a template for a maturity model that can be customized to the needs of the organization.

M_o_R: M_o_R identifies the following eight risk specialisms and directs the reader to more detailed information on these:
■■ Business continuity management
■■ Incident and crisis management
■■ Health and safety management
■■ Security risk management
■■ Financial risk management
■■ Environmental risk management
■■ Reputational risk management
■■ Contract risk management.

ISO 31000: Although application in these specialist areas is implicit in the way the document is drafted, no specific guidance is provided.

Summary: Once again, M_o_R provides guidance for good practice in these areas whereas ISO 31000 does not.

Glossary

M_o_R: Commonly used terms consistent with the Best Management Practice glossary.

ISO 31000: Terms and definitions provided. These differ from M_o_R. Some common terms such as 'risk register' are not used.

Index

M_o_R: Alphabetical index to key terms and topics.

ISO 31000: Contents list by topic.

References

1 Management of Risk: Guidance for Practitioners, third edition. Office of Government Commerce, 2010.
2 ISO 31000:2009, Risk Management – Principles and Guidelines. International Organization for Standardization, 2009.
3 ISO Guide 73:2009, Risk Management – Vocabulary. International Organization for Standardization, 2009.
4 ISO/IEC 31010:2009, Risk Management – Risk Assessment Techniques. International Organization for Standardization, 2009.
5 BS 31100:2011, Risk management. Code of Practice and Guidance for the Implementation of BS ISO 31000. British Standards Institution, 2011.
6 The Orange Book, Management of Risk – Principles and Concepts. HM Treasury, 2004.
7 Best Management Practice Portfolio: Common Glossary of Terms and Definitions. Best Management Practice, 2012. Available at http://www.best-management-practice.com/gempdf/BMP_Common_Glossary_2012.pdf

Acknowledgements

Sourced by TSO and published on www.best-management-practice.com

Trade marks and statements

The Swirl logo™ is a trade mark of the Cabinet Office. M_o_R® is a registered trade mark of the Cabinet Office. Best Management Practice is the overarching brand that umbrellas multiple Cabinet Office best practice products. The internationally renowned portfolio is adopted as best practice through high quality training, publications, software tools and consultancy for portfolio, programme, project, risk, value and service management disciplines.

Best Management Practice White Paper Permissions. Reuse of this White Paper is permitted solely in accordance with the permission terms at http://www.best-management-practice.com/Knowledge-Centre/White-Papers/. A copy of these terms can be provided on application to The Stationery Office, St Crispins, Duke St, Norwich, Norfolk, NR3 1PD, United Kingdom.

© Copyright TSO. Content, diagrams, logos and jackets are correct at time of going to press but may be subject to change without notice. Our White Paper series should not be taken as constituting advice of any sort and no liability is accepted for any loss resulting from use of or reliance on its content. While every effort is made to ensure the accuracy and reliability of the information, TSO cannot accept responsibility for errors, omissions or inaccuracies.