Just for you, 7 questions you want to ask yourself (and others) before setting out on your risk mapping quest. Oh, and you will want answers, too.
What is the scope of analysis? Is the risk map to cover all operations & geographies of the organisation? All processes or just the key ones? Options can be refined even further, risk mapping approaches being adjustable to investigate project risks (acquisition, construction, transformation…), or risks related to a specific topic (EHS, cyber, corruption, insurable risks…).
So your first step really is to determine your playing field.
How should I proceed with implementation? You will be faced with the usual top-down / bottom-up options. If it is to make a real difference, a company-wide top-down approach will require very hands-on involvement from top management – typically an Executive Committee-level prioritisation workshop. Bottom-up, on the other hand, will mobilise operations-level resources to identify & escalate risks at the level of divisions / business units / countries (amend & tick where appropriate) for consolidation / prioritisation.
Both approaches need a clear mandate. Both have their advantages – this being said, if you are starting from scratch, top-down is the way to go to effectively kickstart a risk management program.
How should I define “risk” for the purpose of my risk mapping process? There are various frameworks or guidelines proposing a definition for risk (COSO, ISO 31000, AMF risk management framework, etc.). If you happen to find one of these suitable for your organisation, well, good for you. Otherwise, and in the (more likely) event you do not, some customisation is in order, so the definition really ‘speaks’ to your organisation. Including opportunities in the exercise, whether as a by-product or flip-side of certain risks, or in their own right, should also be considered (especially if you have strong connections with strategic planning or a similar process). Our recommendation: whatever works for you and your organisation! But the general case is you want to keep it simple, at least for your first iteration. So start with risks, whole risks and nothing but risks.
Also, you may want to illustrate with examples of what is and is not a risk according to your definition.
What is my organisation’s risk appetite? Defining risk appetite is an essential pillar, if not the pillar, of any Enterprise Risk Management programme.
Risk appetite can be defined as the amount of risk an organisation is willing to take to pursue its strategic objectives. A clearly defined risk appetite statement will allow triaging which risks to accept / monitor, mitigate, or avoid altogether. It has to be articulated and calibrated with governance bodies (Board and Executive management).
How do I assess risks? Choices, choices. Dealing with a really finite scope / risk universe – typically a project or a process – with (reliable and abundant) historic data and financial metrics, and access to said data? You may want to look at modelling, a.k.a. quantitative assessment – if your financial, statistics and probabilistic chops are up to the task. If not, or if your data is not available in sufficient quality / volume, chances are you’re in for an exercise of questionable value and relevance, albeit funny – depending on your notion of fun.
Alternatively (or in addition), and with the majority of risk management practitioners, you will be looking at defining assessment scales – say hello to Impact (or Severity), Likelihood obviously, the absolute classics.
Impact can be looked at from a purely financial standpoint, or combine financial and non-financial criteria – think human impact, reputational impact for instance. This is a management decision, directly stemming from a risk appetite statement, to be addressed in the early stages of your risk mapping process, and confirmed before proceeding to a risk assessment phase.
Example – Basic impact scale
You have several options for likelihood as well – you may go the probabilistic way (chances a risk will occur, expressed as a value between 0 and 1, or a percentage), or opt for a frequency-based approach (number of occurrences over a given time period), or a purely qualitative assessment on the plausibility of the risk.
Example – Likelihood scale (3 flavours)
So now that you’re all set with Impact and Likelihood, we suggest you add a third ingredient to the recipe – room for improvement. How much more are we willing (vs. risk appetite, again) and/or able to do to mitigate the risk? This additional criterion really helps highlight priorities for action, targeting the most critical risks on which the organisation can actually make a difference, with significant & tangible improvement in risk mitigation.
The graphical representation of risk assessments is usually based on matrices – a criticality matrix (Impact * Likelihood), and a prioritisation matrix as well if you assess room for improvement. So 1 or 2 matrices – your call.
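To make the three-criteria scoring concrete, here is an added example (not code from the original post or from any GRC product) that scores a small constructed risk register: it normalises the three likelihood flavours from above (probability, frequency, qualitative label) onto an assumed 4-point scale, computes criticality as Impact * Likelihood, weights it by an assumed 1–4 room-for-improvement score, and groups risks into the cells of the criticality matrix. The scale boundaries and the 4-point scales are assumptions, not the author’s.

```python
from dataclasses import dataclass

# Assumed 4-point scales (a design choice, not a standard).
QUALITATIVE = {"remote": 1, "unlikely": 2, "possible": 3, "likely": 4}


def likelihood_score(value):
    """Map a probability (0-1), a frequency string ('1.5/yr') or a label to 1-4."""
    if isinstance(value, str) and value.endswith("/yr"):
        per_year = float(value[:-3])
        # Assumed frequency bands: <0.1/yr, <1/yr, <5/yr, >=5/yr.
        return 1 if per_year < 0.1 else 2 if per_year < 1 else 3 if per_year < 5 else 4
    if isinstance(value, str):
        return QUALITATIVE[value.lower()]
    p = float(value)
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    # Assumed probability bands: <5%, <25%, <50%, >=50%.
    return 1 if p < 0.05 else 2 if p < 0.25 else 3 if p < 0.5 else 4


@dataclass
class Risk:
    title: str
    impact: int                 # 1-4 on the impact scale
    likelihood: object          # probability, "n/yr" string, or qualitative label
    room_for_improvement: int   # 1-4: how much more we can / will do to mitigate

    @property
    def criticality(self) -> int:
        return self.impact * likelihood_score(self.likelihood)

    @property
    def priority(self) -> int:
        # Criticality weighted by room for improvement (the prioritisation matrix).
        return self.criticality * self.room_for_improvement


def prioritise(register):
    """Order risks for action: highest priority first, criticality breaks ties."""
    return sorted(register, key=lambda r: (r.priority, r.criticality), reverse=True)


def criticality_matrix(register):
    """Group risk titles into the (impact, likelihood) cells of the criticality matrix."""
    grid = {}
    for r in register:
        grid.setdefault((r.impact, likelihood_score(r.likelihood)), []).append(r.title)
    return grid


REGISTER = [  # constructed sample register, not real assessments
    Risk("Ransomware outage of ERP", 4, 0.3, 3),
    Risk("Key supplier insolvency", 3, "1.5/yr", 1),
    Risk("Regulatory fine (data protection)", 3, "possible", 4),
    Risk("Office flooding", 4, 0.02, 1),
]
```

Running `prioritise(REGISTER)` puts the ransomware and regulatory risks at the top: they share the highest priority, whereas the flooding risk has high impact but low likelihood and little room for improvement, so it ranks last.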
From the ArengiBox GRC solution
How do I document risks? Risk register, risk sheets… whatever format you will be using, you want to single out which characteristics you will be putting front and centre, so all parties involved (assessors, management, risk owners) understand what a given risk encompasses. You will obviously be starting with a name, or title – which, as you will see, sometimes comes as a bit of a challenge: you want it short, you want it unambiguous, and above all to convey meaning. You may also consider categorising risks, e.g. by process, by nature (e.g. strategic, operational, legal & regulatory, etc.). You will want to document direct & indirect causes, and impacts. You will also be considering existing controls, and conversely areas for improvement – especially if you work with a 3-criteria risk assessment approach. Last but not least, we strongly recommend you define a scenario to illustrate a plausible worst case for the purpose of risk assessment.
Is the timing right?
When it comes to risk mapping (and a good many other things) “when” is as critical as “how”. Conducting your process in the midst of a merger or acquisition, or a closing period, can dramatically affect results. Also, you want to make sure the immediate next steps of a risk mapping process, such as designating risk owners, defining action plans and scheduling reviews, coincide with the major processes or management rituals of your organisation (strategic planning, budget, business reviews, performance appraisals, Audit Committee meetings…). Risk management rarely lives long on its own, and works best embedded in existing activities.
Long story short: avoid the busiest periods but do not miss the train.
There you go, you’re all set. Now go map these risks!