M_o_R syllabus 2010 v2.2

Version 2.2 (Status - Live) Owner: Chief Examiner

© The APM Group Ltd 2010. This document is not to be reproduced or re-sold without express permission from The APM Group Ltd. M_o_R® is a Registered Trade Mark of the Office of Government Commerce in the United Kingdom and other countries. The Swirl logo™ is a Trade Mark of the Office of Government Commerce

M_o_R Syllabus December 2010

© The APM Group Ltd 2010. This document is not to be reproduced or re-sold without express permission from The APM Group Ltd

1 Introduction This document details the 2010 M_o_R syllabus produced to coincide with the refresh of the 2010 M_o_R Guide. In March 2011, a revised version of this document may be issued to correct errors and omissions. The M_o_R guide is intended to help organizations put in place an effective framework for risk management. This will help them make informed decisions about the risks that affect their strategic, programme, project and operational objectives. The guide provides a route map for risk management, bringing together principles, an approach, a process with a set of interrelated process steps, and pointers to more detailed sources of advice on risk management techniques and specialisms. It also provides advice on how the principles, approach and processes should be embedded, reviewed and applied differently depending on the nature of the objectives at risk. The primary purpose of the syllabus is to provide a basis for accreditation of people involved with risk management. It documents the learning outcomes related to the use of M_o_R, and describes the requirements a candidate is expected to meet to demonstrate that these learning outcomes have been achieved at each qualification level. M_o_R qualifications are currently offered are two levels: Foundation and Practitioner. The target audience for this document is:

• Exam Board • Exam Panel • Accredited Training Organizations

This syllabus informs the design of the exams and provides accredited training organizations with a more detailed breakdown of what the exams will assess. Details on the exam structure and content are documented in the M_o_R Foundation and Practitioner Designs.

2 Foundation Qualification

2.1 Purpose of the Foundation Qualification The purpose of the Foundation qualification is to confirm that a candidate is able to demonstrate a knowledge and comprehension of the four elements of the M_o_R framework:

• Principles • Approach • Processes • Embedding and reviewing

and how they support corporate governance. The Foundation qualification is also a pre-requisite for the Practitioner qualification.

2.2 Target Audience M_o_R Foundation is suitable for any organization or individual seeing the need for guidance on a controlled approach to identifying, analyzing and managing risk at strategic, programme, project and operational perspectives. The Foundation is aimed at

• Business Change Managers • Programme and Project Managers • Risk Managers • Business and Programme and Project Support staff and managers • Operational staff and managers • Staff and Managers from other disciplines, particularly those responsible for

establishing standards and /or integrating them with MSP and PRINCE2


2.3 High-level Performance Definition of a Successful Foundation Candidate At Foundation level, the candidate should understand the key principles and terminology within the M_o_R guidance. Specifically the candidate should:

• Know facts, terms and concepts relating to o M_o_R o The M_o_R principles o The M_o_R approach documents o The M_o_R process o The Embedding and reviewing of risk management into the culture of an

organization o The M_o_R perspectives o The M_o_R techniques o The M_o_R risk specialisms

• Understand how the following are used in M_o_R: o The Framework o The Principles and their main mechanisms o The Approach o The Process steps o The need for integrating risk management into the culture of an

organization o The Perspectives o The Techniques o The Risk specialisms

3 Practitioner Qualification

3.1 Purpose of the Practitioner Qualification The purpose of the Practitioner qualification is to confirm whether the candidate has achieved sufficient understanding of how to apply and tailor M_o_R in a scenario situation. Individuals should be able to demonstrate Foundation competencies and, with suitable direction, should be able to start applying the M_o_R framework to a particular organisational perspective, but may not be sufficiently skilled to do this appropriately for all situations. Their individual risk management expertise, complexity of the governance environment in place and the support provided for risk management in their work environment will all be factors that affect what the Practitioner can achieve.

3.2 Target Audience This qualification is aimed at anyone working within a corporate governance environment that has responsibilities for identifying, assessing, planning, or managing risks, or reporting on risk management activities across the organization.

3.3 High Level Performance Definition of a Successful Practitioner Candidate In addition to the knowledge and understanding from foundation, practitioner candidates should be able to:


• For a given scenario, identify, analyse and distinguish between appropriate and

inappropriate application of the o M_o_R framework o M_o_R principles o M_o_R approach documents o M_o_R process steps o Methods for Embedding and reviewing risk management o M_o_R framework elements at each perspective o M_o_R process techniques

• For a given scenario, apply and tailor the following when implementing risk management throughout an organization or updating the current risk management practices:

o M_o_R framework o M_o_R principles o M_o_R approach documents o M_o_R process steps o The techniques for Embedding and reviewing risk management o The M_o_R process techniques

4 Learning Outcomes Assessment Model A classification widely used when designing assessments for certification and education is the Bloom’s Taxonomy of Educational Objectives. This classifies learning objectives into six ascending learning levels, each defining a higher degree of competencies and skills. (Bloom et al, 1956, Taxonomy of Educational Objectives). APMG has adapted this into a four-step variation of the Bloom’s model (The APMG Learning Outcomes Assessment Model) which defines the standard for each qualification’s Learning Outcome Assessment Model. The Model is used as a basis for classifying learning outcomes when developing exam qualification schemes and syllabi. This structured approach helps to ensure:

• There is a clear delineation in learning level content between different qualification levels

• Learning outcomes are documented consistently across different areas of the guide

• Exam questions and papers are pitched consistently and appropriately for each of the learning levels

4.1 M_o_R Learning Outcome Assessment Model For M_o_R the four levels of learning outcomes are shown below. These learning outcomes are independent of the method used to assess whether a qualification level has been achieved.


M_o_R Learning Outcomes Assessment Model

1.Knowledge 2. Comprehension 3. Application 4. Analysis

Generic Definition from APMG Learning Outcomes Assessment Model

Know key facts, terms and concepts from the manual/guidance

Understand key concepts from the manual/guidance

Be able to apply key concepts relating to the syllabus area for a given scenario

Be able to identify, analyse and distinguish between appropriate and inappropriate use of the method/guidance for a given scenario situation

Qualification Learning Outcome Assessment Model

Know facts, including terms, concepts, principles, model types and components, tools, techniques, roles and responsibilities from the guidance. Specifically, recall facts and terminology relating to i. The nature of risk ii. Risk management as

part of corporate governance

iii. Principles iv. Approach v. Process and supporting

techniques vi. Embedding and

reviewing vii. Perspectives viii. Risk specialisms

Understand the concepts, principles, processes, themes, organizational factors and roles and can explain how these are applied to justify, implement and use an M_o_R approach at each perspective in the organization

Be able to demonstrate application of the M_o_R principles for each of the perspectives through: i. Creation of the

documents which define the approach

ii. Use of the process steps, supported by the techniques

iii. Use of methods to embed M_o_R and review its effectiveness

iv. Ability to relate the above to the risk specialisms

Be able identify, analyse and distinguish between appropriate and inappropriate use of M_o_R through appraisal of its application for a given scenario


5 Syllabus Presentation For each of the above learning levels, the syllabus defines the individual learning outcomes required for the qualification. Each learning outcome is then supported by a description of the requirements that a candidate is expected to meet to demonstrate that the learning outcome has been achieved at the qualification level indicated. These are shown as syllabus topics. All Foundation-level requirements are assumed to have been met for Practitioner-level and are not directly assessed again, although Foundation-level knowledge and understanding will be used when demonstrating Practitioner application and analysis learning outcomes. Each of the syllabus areas is presented in a similar format as follows: 1. Syllabus Area Unit of learning – e.g. a chapter of the manual/guidance

document.

2. Learning Outcome A statement of what a candidate will be expected to know, understand or do.

3. Level Classification of the learning outcome against the APMG Learning Outcomes Assessment Model.

4 Topic Description of what is required of the candidate to demonstrate that a learning outcome has been achieved at the qualification level indicated.

6 Syllabus Areas

Syllabus Area Code

Syllabus Area Title

IG Introduction & Glossary

PI Principles

AP Approach

PR Process

ER Embedding & Review

PE Perspectives

CT Common Techniques

RS Risk Specialisms

Notes: I. Questions based on a syllabus area may refer to material from other sections

of the M_o_R Guide II. The Practitioner Tools and Techniques syllabus area includes a reference to

The ABC Guide Part A – Techniques guide (hereafter known as the ABC Guide) which is available to candidates prior to and during the Practitioner Examination.


IG Introduction and Glossary (IG)

Foundation

Practitioner

Primary

Manual

Reference

Level Topic

Know facts, terms and concepts relating to M_o_R. Specifically to recall:

01 01 The drivers for increased focus on risk management, corporate governance and internal control as a result of legislation and increased focus on formal risk management.

1.5 1.6

01 02 Definitions of the terms used in the M_o_R framework, risk management and Corporate governance:

1. Risk 2. Issue 3. Probability 4. Impact 5. Threat 6. Opportunity 7. Risk management 8. Risk exposure 9. Corporate governance 10. Internal control

1.1 – 1.8, Glossary

01 03 Concepts: 1. The main elements of the M_o_R framework (Principles,

Approach, Process and Embedding and reviewing) 2. The actions needed for effective risk management (identify,

assess, control) 3. The benefits of risk management 4. Where (which perspective) and when to apply risk

management e.g. when critical decisions are being made

1.1 - 1.4, 1.7 – 1.8

Understand how the M_o_R framework is used. Specifically to identify:

02 01 The purpose of each of the elements of the M_o_R framework

1.1

02 02 The differences between corporate governance, internal control and risk management 1.5, 1.6

02 03 How decisions about risk vary depending on whether the organizational objectives are:

1. Long-term 2. Medium-term, or 3. Short-term

1.7

02 04 How risk management supports better decision-making 1.7

02 05 The inter-relationship between corporate governance and internal controls 1.5, 1.6

02 06 How effective risk management is likely to improve performance against objectives 1.4


IG Introduction and Glossary (IG)

Foundation

Practitioner

Primary

Manual

Reference

Be able to apply the M_o_R framework when implementing risk management throughout an organization or updating the current risk management practices for a given scenario. Specifically to:

03 01 Identify the benefits from implementing or improving on risk management 1.4


PI M_o_R Principles (PI)

Foundation

Practitioner

Primary

Manual

Reference

Level Topic

Know the facts, terms and concepts relating to the M_o_R principles. Specifically to recall:

01 01 That the principles are informed by corporate governance principles and ISO31000:2009 2.1

01 02 Definitions of the terms used in the principles: 1. Risk capacity 2. Risk appetite 3. Risk tolerance 4. Escalation 5. Key performance indicators 6. Early warning indicators 7. Risk management health check 8. Risk management maturity model


01 03 Concepts 1. The eight M_o_R principles 2. The seven principles that enable risk management 3. The principle that results from implementing risk

management well 4. The main mechanisms that support each principle, e.g. KPIs,

EWIs, tolerance etc

2.1 2.1 2.1 2.2 – 2.9

Understand how the M_o_R principles are used and the main mechanisms, e.g. appetite, capacity, tolerance, EWI, KPI etc, that support them. Specifically to identify:

02 01 The purpose of each of the M_o_R principles 2.2 – 2.9

02 02 The primary outcome from satisfying each of the principles 2.2. – 2.9

02 03 How the principles support corporate governance and internal control 2.1

02 04 The differences between the main mechanisms that support each principle 2.2 – 2.9

02 05 How the principles provide the foundation for scalable and context-specific practices to be developed and refined 2.2 – 2.9

Be able to apply the relevant M_o_R principles when implementing risk management throughout an organization or updating the current risk management practices for a given scenario. Specifically to identify how the M_o_R principles:

03 01 Support corporate governance and internal controls 2.1 – 2.9


AP M_o_R Approach (AP)

Foundation

Practitioner

Primary

Manual

Reference

Level Topic

Know the facts, terms and concepts relating to the M_o_R approach documents. Specifically to recall:

01 01 Definition of the terms used in the M_o_R approach documents (risk management policy, risk management process guide, risk management strategy, risk register, issue register)

3.1 – 3.11

01 02 Concepts: 1. The central set of M_o_R approach documents:

a. Risk management policy b. Risk management process guide c. Risk management strategies for each organizational

activity 2. The categories of supporting documents:

a. Records b. Plans c. Reports

3. The documents in the supporting categories: a. Records – risk register, issue register b. Plans – risk improvement plan, risk communication

plan, risk response plan c. Reports – risk progress reports

4. The concept of a hierarchy of approach documents

3.1 – 3.11

Understand the contents of the M_o_R approach documents, how the approach documents relate to the principles and how they are applied throughout the M_o_R framework. Specifically to identify:

02 01 The purpose of each of the documents 3.2 – 3.10

02 02 The recommended contents of: 1. Risk management policy 2. Risk management process guide 3. Risk management strategies for each organizational activity 4. Risk register

3.2– 3.5, Appendix A

02 03 The difference and relationship between risk owner and risk actionee Glossary

02 04 The difference between issues and risks Glossary

02 05 The difference between cause, event and effect when expressing a risk Appendix B.3.9

02 06 The recommended contents of: 1. Issue register 2. Risk improvement plan 3. Risk communication plan 4. Risk response plan 5. Risk progress report

Appendix A

02 07 The relationship between the M_o_R approach documents 3.11


AP M_o_R Approach (AP)

Foundation

Practitioner

Primary

Manual

Reference

02 08 The factors that should be considered in the creation of the M_o_R approach documents 3.1 – 3.11


PR M_o_R Processes (PR)

Foundation

Practitioner

Primary

Manual

Reference

Level Topic

Know the facts, terms and concepts of the M_o_R process. Specifically to recall:

01 01 Facts: 1. That M_o_R is aligned with the Orange book 2. That M_o_R is an iterative process

4.1

01 02 Definitions of the following terms used in the process steps and sub-steps:

1. Probability (inherent and residual) 2. Impact (inherent and residual) 3. Proximity 4. Expected value 5. Secondary risks 6. Risk owner 7. Risk actionee 8. Stakeholder


01 03 Concepts: 1. The steps in the M_o_R process 2. The common terminology used to describe each step 3. The sub-steps in the Identify and Assess steps 4. The common process barriers to success in implementing the

risk management process 5. The sequence of the steps 6. The techniques recommended for first use in each step

4.1, 4.2, 4.4 – 4.9

Understand how the M_o_R process steps are used to identify, assess and control risk. Specifically to identify:

02 01 The purpose or goal of each process step and sub-step 4.4 – 4.9

02 02 For each sub-step: 1. Inputs 2. Tasks 3. Techniques 4. Outputs

4.4 – 4.9

02 03 The part played by communications throughout the process 4.3

02 04 In which process steps the M_o_R approach documents are developed, used or updated

4.3 – 4.9

02 05 Stakeholders and their importance to the identification, assessment and control of risk 4.4

02 06 The relationship between the process barriers and other aspects of M_o_R, e.g. Embedding and reviewing and health checks 4.2

02 07 The common process barriers to the implementation of risk management 4.1


PR M_o_R Processes (PR)

Foundation

Practitioner

Primary

Manual

Reference

02 08 The difference between inherent, secondary and residual risks Appendix A.4.1, Glossary


ER Embedding and reviewing (ER)

Foundation

Practitioner

Primary

Manual

Reference

Level Topic

Know the facts, terms and concepts relating to Embedding and reviewing of risk management into the culture of an organization. Specifically to recall:

01 01 Definitions of terms used in Embedding and reviewing the implementation of risk management 5.1 – 5.6

01 02 Concepts: 1. The methods for assessing the success of embedding risk

management 2. The common barriers to success in implementing risk

management 3. The ways to review how well risk management has been

embedded

5.2, 5.5, 5.2, Appendix C, Appendix D

Understand the need for integrating risk management into the culture of an organization. Specifically to identify:

02 01 The purpose of Embedding and reviewing risk management 5.1

02 02 The purpose of a risk management health check 5.2, Appendix C

02 03 The purpose of a risk management maturity model 5.2, Appendix D

02 04 The methods to measure success in implementing risk management 5.4

02 05 The difference between a risk management health check and a risk management maturity model

5.2, Appendix C, Appendix D

02 06 The methods for obtaining and developing senior management commitment and support

5.5

02 07 The methods for building and developing a risk-aware organizational culture

5.5

02 08 The risk review and trigger points as opportunities for change 5.6

02 09 Issues relating to Embedding and reviewing risk management 5.1, 5.3, 5.5

Be able to apply and tailor the techniques for Embedding and reviewing risk management when implementing or updating risk management for a given scenario. Specifically to identify :

03 01 How to apply methods for obtaining and developing senior management commitment and support 5.5

03 02 How to apply methods for building and developing a risk-aware culture 5.5


PE Perspectives (PE)

Foundation

Practitioner

Primary

Manual

Reference

Level Topic

Know the facts, terms and concepts of the M_o_R perspectives. Specifically to recall:

01 01 Definitions of terms used in the perspectives 1. Contingency 2. Enterprise Risk Management (ERM) 3. Central Risk Function

6.1 – 6.8

01 02 Concepts: 1. The four M_o_R perspectives 2. The relationship between the perspectives and long-,

medium- and short-term organizational objectives 3. The typical objectives at each perspective

6.1 – 6.5, 6.7, 6.8

01 03 The risk management roles and responsibilities 6.8

Understand how the M_o_R perspectives are used. Specifically to identify:

02 01 For the Strategic perspective: 1. Introduction (section 6.1) - The reasons for the perspective 2. Fits the context principle - The types of risk and focus of

concern 3. Fits the context principle - The typical areas of uncertainty 4. Engages stakeholders principle - The interests of

stakeholders 5. Provides clear guidance principle and section 6.8 - The risk

management roles and responsibilities

6.1, 6.2, 6.8

02 02 For the Programme perspective: 1. Introduction (section 6.1) - The reasons for the perspective 2. Fits the context principle - The types of risk and focus of




6.1, 6.3, 6.8

02 03 For the Project perspective: 1. Introduction (section 6.1) - The reasons for the perspective 2. Fits the context principle - The types of risk and focus of




6.1, 6.4, 6.8



Foundation

Practitioner

Primary

Manual

Reference

02 04 For the Operational perspective: 1. Introduction (section 6.1) - The reasons for the perspective 2. Fits the context principle - The types of risk and focus of




6.1, 6.5, 6.8

02 05 The purpose of integrating risk management across the perspectives 6.7

02 06 The performance and process measures of value enabled by risk management 6.6

02 07 The relationship between the perspectives 6.2 – 6.5

Be able to apply and tailor the M_o_R framework to organizational perspectives when implementing or updating risk management for a given scenario. Specifically to:

03 01 For the Strategic perspective: 1. Identify and justify how application of the M_o_R framework

supports corporate governance and internal controls 2. Identify whether clear objectives are set, and stakeholders

are identified and engaged with their views on risks and objectives understood

3. Identify the content, risk information required for decision-making and actions to be taken when producing and tailoring the M_o_R approach documents

4. Apply the tasks and techniques in the M_o_R process steps and sub-steps from the information provided

5. Apply the methods for embedding and reviewing risk management

6. Assign the risk management roles and responsibilities to scenario roles

7. Apply methods to identify performance and measure success in implementing risk management, including: a. How to apply a risk management health check to an

organizational activity b. Analysis of a report produced as a result of performing a

risk management health check on an organizational activity

c. How to apply a risk management maturity model to an organizational activity

d. Analysis of a report produced as a result of applying a risk management maturity model to an organizational activity

8. Identify the need to escalate (and delegate) risks between perspectives, that this is connected to the setting of tolerance thresholds, and that this may be done via Risk reports

9. Whether an M_o_R process technique has been applied

4.4 – 4.8, 6.2, 6.8, Appendix A



Foundation

Practitioner

Primary

Manual

Reference

correctly as described in both the M_o_R Guide and the ABC Guide

03 02 For the Programme perspective: 1. Identify and justify how application of the M_o_R framework













9. Whether an M_o_R process technique has been applied correctly as described in either the M_o_R Guide and the ABC Guide

4.4 - 4.8, 6.3, 6.8, Appendix A

03 03 For the Project perspective: 1. Identify and justify how application of the M_o_R framework






6. Assign the risk management roles and responsibilities to

4.4 - 4.8, 6.4, 6.8, Appendix A



Foundation

Practitioner

Primary

Manual

Reference

scenario roles 7. Apply methods to identify performance and measure

success in implementing risk management, including: a. How to apply a risk management health check to an






9. Whether an M_o_R process technique has been applied correctly as described in both the M_o_R Guide and the ABC Guide

03 04 For the Operational perspective: 1. Identify and justify how application of the M_o_R framework












8. Identify the need to escalate (and delegate) risks between

perspectives, that this is connected to the setting of tolerance

4.4 - 4.8, 6.5, 6.8, Appendix A,



Foundation

Practitioner

Primary

Manual

Reference

thresholds, and that this may be done via Risk reports 9. Whether an M_o_R process technique has been applied

correctly as described in both the M_o_R Guide and the ABC Guide

Be able to identify, analyse and distinguish between appropriate and inappropriate application of the M_o_R framework elements at each perspective for a given scenario Specifically to analyse:

04 01 At the Strategic perspective: 1. Performance and process measures enabled by risk

management 2. The M_o_R approach documents and whether any of them

contain errors or omissions 3. The application of the M_o_R process and its suitability for

supporting corporate governance and internal controls 4. The methods for measuring the success of implementing risk

management 5. Assignment of risk management responsibilities to scenario

roles 6. The identified perspective performance and process

measures enabled by the M_o_R principles

3.2 – 3.10, 4.4 – 4.9, 5.2, 6.2, 6.6, 6.8, Appendix B, ABC Guide

04 02 At the Programme perspective: 1. Performance and process measures enabled by risk








04 03 At the Project perspective: 1. Performance and process measures enabled by risk










Foundation

Practitioner

Primary

Manual

Reference

04 04 At the Operational perspective: 1. Performance and process measures enabled by risk









CT Common Techniques (CT)

Foundation

Practitioner

Primary

Manual

Reference

Level Topic

Know the facts, terms and concepts of the M_o_R techniques. Specifically to recall:

01 01 Concepts: The techniques recommended for their first use in the:

1. Identify – context step 2. Identify – risks step 3. Assess - estimate step 4. Assess - evaluate step 5. Plan step 6. Implement step

Plus 7. The outputs from each technique

Appendix B

01 02 Definitions of the terms used in the techniques: 1. Risk descriptions 2. Risk response planning

Appendix B

Understand how the M_o_R techniques are used. Specifically to identify:

02 01 The purpose of each technique Appendix B

02 02 How each technique is used within the M_o_R process

Chapter 4, Appendix B

02 03 Benefits and limitations of each technique Appendix B


RS Risk Specialisms (RS)

Foundation

Practitioner

Primary

Manual

Reference

Level Topic

Know the facts, terms and concepts of the M_o_R risk specialisms. Specifically to recall:

01 01 Definitions of terms used in the risk specialisms: 1. Business Continuity Management 2. Disaster recovery 3. Incident management and crisis management

Appendix E

01 02 Concepts: 1. The list of risk specialisms 2. The scope of each specialism

Appendix E

Understand how the M_o_R risk specialisms are used. Specifically to identify:

02 01 The purpose of each risk management specialism

Appendix E

02 02 How the risk specialisms relate to each other

Appendix E

02 03 The relationships between the M_o_R framework and the risk specialisms

Appendix E

02 04 How the risk management specialisms contribute to good risk management

Appendix E