M_o_R® was first published in 2002; its current version is the 2010 Edition. The approach was originally designed for use by the UK Government and is now owned by AXELOS. It is used in the public and private sectors alike.
Management of Risk is of enterprise-wide importance, and can be applied to the three core elements of a business (see Figure):
• Strategic – business direction
• Change – turning strategy into action, including programme, project and change management
• Operational – day-to-day operation and support of the business
In this way, the strategy for managing risk should be managed from the top of the organization while being embedded into its normal working routines and activities.
There are eight principles, which are consistent with corporate governance principles and the international standard for risk management, ISO 31000:2009. The principles are: Aligns with objectives; Fits the context; Engages stakeholders; Provides clear guidance; Informs decision-making; Facilitates continual improvement; Creates a supportive culture; Achieves measurable value.
An overall strategic framework, including a policy document, is also of key importance. It needs to include the following elements: risk identification; risk evaluation; setting acceptable levels of risk; identifying suitable responses to risks; risk ownership; implementing responses to risks; gaining assurance about the effectiveness of the responses; embedding, reporting and review.
Once a framework is in place, a common approach can be used across the business, bringing together disparate risk disciplines and functions into a consolidated and consistent approach.