Risk mapping: the key steps

In addition to this article, you may want to read Questions to consider before starting your risk mapping.

The cornerstone of a typical risk management approach, risk mapping is often a first and crucial step to generate momentum. But practically, how is this key project to be conducted?

A typical risk mapping exercise will comprise 5 phases:

Risk mapping - the key steps

  1. Preparation

Preparatory activities will for the most part consist in defining a plan, identifying contributors, and pinning down a framework.

This is an especially important step when it comes to the first mapping exercise. In particular, it will be necessary to ensure that executive management supports the project so that it is properly and efficiently positioned. It will also be necessary to define the scope of analysis, i.e. what is a “risk” to your organisation? Which risks are to be addressed (360°? specific risk topics? exclusion of certain subjects?), which parts of the organisation are to be covered (all activities or certain activities only), and which deployment method is to be used (top-down vs. bottom-up)?

In addition to the methodological options on assessment scales and the approach to documenting risks, the selection of stakeholders to be involved in the process is key, as they will usually provide most of the content for the analysis. A balanced, carefully selected panel can go a long way towards securing the exhaustiveness and relevance of the exercise.

Preparation also involves sequencing and planning the entire process, from kick-off to wrap-up, not just the first steps. You will want clear and reasonably close deadlines to avoid losing momentum and putting a strain on the project.

Finally, communication. In a first implementation, you may consider taking the occasion to raise awareness and ‘market’ the organisation’s risk management approach, its raison d’être and its objectives.


  2. Identification

The key challenges of risk identification are to secure completeness and an appropriate level of detail, depending on the scope of your risk map. No silver bullet for this, we’re afraid, but there are a number of techniques to guide you. There are in fact many, and we couldn’t possibly detail all of them.

But first things first: a rather obvious prerequisite is a good knowledge of the organisation, its culture and management style, geographical footprint, activities, competitive or regulatory environment, etc. Again, pretty obvious, but it never hurts to be reminded of this every now and again.

Risk identification techniques will usually combine a retrospective analysis (e.g. lessons learned, claims history), an assessment of the current situation, and more prospective reviews, typically over the time horizon of a strategic plan, e.g. 3, 5 or 10 years.

The anchor of risk identification in an Enterprise Risk Management context will be (strategic) objectives. What are our objectives, and what could undermine our ability to achieve these objectives?

A systemic approach to the organisation can also be used. In this approach, the organisation is modelled as a system, operating in an environment (market, competition, authorities…). It is made up of subsystems (e.g. manufacturing sites, support functions, points of sale…) taking part in interactions, i.e. incoming and outgoing flows: physical, financial, intangible (think contracts, IP). Risks are identified at the level of each element, and in the interactions between them.

Finally, identification can be based on a “risk universe”, i.e. a catalogue of risks classified by category. This document can be the result of an initial risk mapping exercise or of a brainstorming on whatever risk topics seem relevant to investigate.

Risk identification generally involves a lot of interaction with the various individuals involved in operations, support functions and management: think lots of questions, interviews, workshops, off-the-record or coffee-time chat. Anything goes really, although we strongly recommend a structured approach to these discussions. You will also want to look outside of your organisation, as benchmarking is key. You probably have your own past lives in other positions, companies or geographies to start with. Go out there and reach out to peers in other organisations. Also, a wealth of publicly available information is a couple of clicks away if you invest some time in research. Above all, be (reasonably) sceptical and creative.


  3. Analysis and formalisation

During this step, you will be consolidating collected data to produce a documented list of risks, usually known as the “risk register”. This is where you will have to determine the granularity of your analysis, primarily conditioned by the number of risks (generally between 20 and 30 for a top-down mapping / executive committee view of key risks). The most common pitfall at this stage is lack of homogeneity, i.e. combining too many topics into an overly macro risk on one side, and having extremely specific risks on the other. It is common practice to classify risks by family or category, e.g. strategic risks, operational risks, human risks, intangible risks, etc.

In addition to your summary risk register, you may want to document risk sheets, going deeper into detail on causes, potential impacts, existing mitigation capabilities, areas for improvement… the list goes on, depending on the quantity and quality of data you will have garnered.

If you are short on time, or not willing or able to extensively document risks, focus on scenarios. You should have at least one scenario for each risk. A scenario is basically a short story of how the risk would materialise, with quantitative assumptions if at all possible, typically at least orders of magnitude of impact. It is absolutely key for risk assessment (more on this below). When defining this scenario, you will want to focus on the plausible worst case, i.e. the worst case given whatever mitigation capabilities exist.

Once you are all set with your risk register / risk sheets, your next step will be risk assessment & prioritisation.


  4. Prioritisation

This step consists in assessing risks and highlighting priorities for action, usually by means of assessment ‘scales’. As already said above (but there are things that bear repetition), risk assessment should be scenario-based. And why is that, you might ask? Risk assessment is essentially a judgement on the future, a discipline in which we humans cannot exactly boast an outstanding track record. Documenting reasonably precise scenarios allows judging on a clearly stated, common, challengeable basis and plays a role in containing biases. We did say contain, not avoid. Spoiler: bias is pretty much unavoidable, inherent in human judgement, and some may argue the very stuff of risk assessment.

So, with this in mind, in a typical ERM context you will be answering (or most probably, having others answer) 2 questions:

1/ what is the maximum impact of the scenario?

2/ what is the likelihood of this scenario materialising with this level of impact?

You may consider adding a third element to the recipe, zooming out from the scenario to evaluate room for improvement. In plain English: how much can we, or are we willing to (cue risk appetite), improve our mitigation capabilities on this risk?

You should do fine if you follow these simple steps – and keep in mind the exercise is all about prioritising risks to enable reasonably informed decisions on where to allocate resources for risk mitigation.

There are a number of ways you can conduct risk assessment: by yourself, through a survey, through workshops, or a combination. We do recommend you set up a workshop with the individuals you interviewed, 10-12 participants maximum (you will want decision makers and subject matter experts). Surveys can help, but nothing beats an appropriately moderated face-to-face debate, especially in an ERM / Executive Committee context. After all, risk assessment is in itself a management decision.

The workshop will consist in aligning participants on a consensus risk assessment. Make sure you devote sufficient time to preparing the workshop: risk assessment debates can give very different results depending on how the moderator steers the discussion. You have to be able to challenge group decisions, raise flags, ensure everyone has their say, and be mindful of the time. A visual, professional tool can also come in handy to moderate discussions and show / fine-tune results in real time. This visualisation also allows highlighting “priority risks”, the real deliverable of a risk mapping process. Priority risks are those deemed most critical to the organisation, and for which significant room for improvement exists.
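As an added illustration of this prioritisation step (example code written for this article, not a tool from the original post), the script below aggregates workshop participants' scenario-based votes on impact, likelihood and room for improvement, flags the dimensions on which the group disagrees so the moderator can raise them for debate, and selects priority risks as those that are both critical and improvable. The 1-5 scales, the criticality formula (impact × likelihood), the thresholds and the sample register are all assumptions made for the example.

```python
"""Scenario-based risk assessment for a prioritisation workshop.

Added example, not code from the original post. Scales and thresholds are
assumptions: 1-5 scales for impact, likelihood and room for improvement,
criticality = impact x likelihood, and a risk counts as "priority" when it is
both critical (criticality >= 12) and improvable (room for improvement >= 3).
"""
from dataclasses import dataclass, field
from statistics import median

SCALE = range(1, 6)  # 1 (low) .. 5 (high); assumed scale, not from the post


@dataclass
class Vote:
    participant: str
    impact: int       # maximum impact of the scenario
    likelihood: int   # likelihood of the scenario at that impact
    improvement: int  # how much mitigation can / will be improved


@dataclass
class Risk:
    name: str
    category: str
    scenario: str     # plausible worst case; at least one per risk
    votes: list = field(default_factory=list)


def validate(risk):
    """Reject a risk with no scenario, no votes, or votes off the scale."""
    if not risk.scenario.strip():
        raise ValueError(f"{risk.name}: assessment must be scenario-based")
    if not risk.votes:
        raise ValueError(f"{risk.name}: no votes to aggregate")
    for v in risk.votes:
        for score in (v.impact, v.likelihood, v.improvement):
            if score not in SCALE:
                raise ValueError(f"{risk.name}: {v.participant} scored {score}, outside 1-5")


def consensus(risk, spread_threshold=2):
    """Aggregate votes by median per dimension and flag dimensions where the
    participants disagree by spread_threshold or more points."""
    validate(risk)
    result = {"name": risk.name, "category": risk.category, "debate": []}
    for dim in ("impact", "likelihood", "improvement"):
        scores = [getattr(v, dim) for v in risk.votes]
        result[dim] = median(scores)
        if max(scores) - min(scores) >= spread_threshold:
            result["debate"].append(dim)
    result["criticality"] = result["impact"] * result["likelihood"]
    return result


def assess(register, criticality_threshold=12, improvement_threshold=3):
    """Return one consensus row per risk, most critical first, with a
    priority flag: critical AND significant room for improvement."""
    rows = [consensus(r) for r in register]
    for row in rows:
        row["priority"] = (row["criticality"] >= criticality_threshold
                           and row["improvement"] >= improvement_threshold)
    rows.sort(key=lambda r: (r["criticality"], r["improvement"]), reverse=True)
    return rows


def priority_risks(register):
    """Names of the priority risks, the real deliverable of the exercise."""
    return [r["name"] for r in assess(register) if r["priority"]]


# Constructed sample register: four risks, three workshop participants.
REGISTER = [
    Risk("Loss of key supplier", "Operational",
         "Sole-source supplier of a critical component fails; 8 weeks of lost output",
         [Vote("CEO", 5, 3, 4), Vote("COO", 4, 3, 4), Vote("CFO", 5, 2, 3)]),
    Risk("Earthquake at headquarters", "Operational",
         "HQ unusable for 3 months; staff relocated to the secondary site",
         [Vote("CEO", 5, 1, 1), Vote("COO", 5, 1, 2), Vote("CFO", 4, 2, 1)]),
    Risk("Data breach of customer records", "Intangible",
         "Full customer database exfiltrated; regulatory fine and churn",
         [Vote("CEO", 4, 4, 4), Vote("COO", 5, 2, 3), Vote("CFO", 2, 4, 4)]),
    Risk("Loss of key talent", "Human",
         "Two lead engineers leave within a quarter; product launch slips",
         [Vote("CEO", 3, 3, 3), Vote("COO", 3, 4, 2), Vote("CFO", 2, 3, 3)]),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        flag = "PRIORITY" if row["priority"] else "        "
        debate = f"  debate: {', '.join(row['debate'])}" if row["debate"] else ""
        print(f"{flag} {row['name']:<35} crit={row['criticality']:>2} "
              f"I={row['impact']} L={row['likelihood']} R={row['improvement']}{debate}")
```

Run as a script, it prints the register sorted by criticality. The data breach and the supplier loss come out as priority risks; the earthquake is critical in impact but scores low on likelihood and on room for improvement, so it is not one. The "debate" column is the moderator's cue: on the data breach the CEO and CFO are three points apart on impact, which is exactly the kind of disagreement the workshop exists to resolve rather than average away.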

The workshop will also be the occasion to designate risk owners, at least for each priority risk, in charge of monitoring their risk(s) and coordinating action plans.


  5. Reporting

You will have to reflect workshop discussions and decisions in your deliverables: it is quite possible that additional information on risks was exchanged during the workshop, or that significant adjustments to the list of risks were decided (adding or deleting a risk, splitting a risk in two…). This is actually a rather good sign: the group has taken ownership. Your report will generally include your risk register and/or risk sheets, and matrices that are visual and self-explanatory.

At this final stage, you will also be asking yourself the question of internal communication on the outcomes of the process. There may be confidentiality issues requiring decisions on what should be disclosed and to whom. Communication should not be overlooked. Risk management does not flourish in secret.


That’s it for now. Hopefully this (and our previous post on the 7 key questions) will help you get started or adjust your approach.