When we live in uncertain economic times, the OGC’s Management of Risk could be the go-to guidance to train for, so that your decisions are less about luck and more about good judgement.
- What is risk?
That depends; it can mean different things to different people. If you’re organising a garden party rain is a negative risk; if you’re a gardener rain is a positive risk. For an organisation, risk is a threat or an opportunity that could affect it for better or worse or for richer or poorer.
- What is risk management?
It’s all about how you assess and handle those potential threats and opportunities. Back to the weather analogy: if bad weather is a risk that you didn’t consider then a downpour might force you to ditch your garden party; if you did factor it in and ordered tarpaulin, then whatever the weather, you’re good to go.
- Why manage risk and why train for it?
Well, I guess it depends on whether you want to gamble on all your decisions being right! Do risk management and do it right and you can cut the chances of failing to achieve your objectives; don’t do it or do it wrong and you can pay a price in terms of cost, time and performance across your organisation.
- Why train to use the OGC’s M_o_R to control risks?
After all, how hard can risk management be? For decades, for millennia even, organisations and cultures have managed risk without it. Where M_o_R scores, though, is that it’s the complete deal. It provides a generic framework. It’s transparent, consistent and repeatable. It’s organic and evolves. It ties in with other OGC products such as P3O, PRINCE2, MSP and ITIL. In short, Management of Risk supports the control of any risk that could affect the achievement of objectives, as case studies show.
- So what’s the M_o_R framework?
Supplying structure to the guidance and supporting corporate governance, the framework is founded on four core concepts: principles, approach, processes and the idea of embedding and reviewing M_o_R so it’s part of company culture.
- What are the principles?
Coming in at an even dozen and with clear ties to corporate governance, these form the basis on which organisations can develop practices to control risks. They are: organisational context, stakeholder involvement, organisational objectives, M_o_R approach, reporting, roles and responsibilities, support structure, early warning indicators, review cycle, overcoming barriers to M_o_R, supporting culture, and finally, continual improvement, a sure sign of mature risk management.
- What’s the M_o_R approach?
As always, principles must be put into practice. The M_o_R dozen are the basis on which you can develop sound practices for undertaking risk management suitable for your specific organisation. They are set up in evolving documents: risk management policy, process guide and plans. The guidance helps you further by discussing risk tolerances, by considering responses for positive and negative risks and by outlining how risk registers and issue logs can be used.
- What are the processes?
No prizes for guessing that the four process steps of risk management are identify, assess, plan and implement. The M_o_R guidance goes further though. For each process it explains: goals (outcomes), inputs (information in), outputs (information out), barriers (possible challenges), techniques (recognized ones) and tasks (that change inputs into outputs). Communication is naturally critical to success so it is woven into the whole process and keeps management in the picture.
- What does embedding and reviewing involve and is it necessary?
If you’re after tick-box style risk management, then M_o_R is not for you. Sure, it provides a route map, checklists and so forth, but its success comes from ensuring risk management is applied across an organisation with constant review and improvement built in. So there’s detail on measuring benefits and success, modifying behaviour on risk management, roles and responsibilities and much more. One of the main themes that comes through it all is that everyone in the organisation has to commit.
- What could M_o_R do for the organisation?
The pay-off can be huge. Corporate governance needs are met. Building risk management culture into your organisation will mean that corporate decisions are based on solid information. People feel they have permission to notice and communicate risks. They own and monitor risks; they are accountable for them and proactively manage them. As a result your organisation avoids or mitigates the effects of risks and your company’s chance of achieving strategic objectives improves as many businesses have found to their advantage.
Useful Risk Links:
- ILX has a raft of options on M_o_R training that take the risk out of learning.
- Rolling out e-learning across a company can seem daunting and this is where ILX Connect can help to make sure that your training is effective so you can manage risk in your company.
- Call it crystal ball gazing, call it educated deductions, there are some interesting views on what this year could bring on the World Economic Forum website from the Risk Response Network in Global Risks 2011 Sixth Edition and on the Eurasia Group website in Top Risks 2011. Control Risk has launched RiskMap 2011 to assess issues for 2011 and beyond.
- The Global Enterprise Risk Management Survey 2010 might also be of interest.
- The Office of Government Commerce’s website will of course provide detailed information on all aspects of Management of Risk.
- To find an accredited training provider call in first at the APMG website, a source of valuable information on M_o_R.
- If Managing Risks in Projects, rather than M_o_R, is more your bag, then e-learning can provide an effective and cost-efficient training option. OGC and KPMG research shows that poor risk management can affect the prospect of project success.
- The new 2010 3rd Edition of Management of Risk: Guidance for Practitioners with its important changes is set out in an accessible way. It covers new risk specialisms, explains principles effectively and clarifies roles, policies, strategies and plans.