Successful risk mapping: which methods?
As part of a risk management approach, it’s always a good idea to map out the organization’s risks. But there are several ways of doing this. So, which methods should you choose? Here’s an update from our risk management expert, Grégoire Mottier.
First and foremost, a corporate risk map visualizes risks in the form of tables and graphs, making their analysis easier and more comprehensible. But how do you go about it, and where do you start?
How do I go about it?
To answer this question, it is useful to go back to the fundamental concepts proposed by the ISO 31000 standard, which includes the following phases:
The analysis and evaluation phases will be the focus of our attention, since they involve assigning scores (analysis, frequency and severity) and comparing them with risk criteria, in order to decide how to deal with them. These criteria will be determined by the organization on the basis of tolerance levels (acceptance), regulatory requirements, corporate objectives and current practices or standards in the activity in question.
Analysis scales
For the “analysis” part, the literature refers to “qualitative, quantitative or numerical” scales. On this subject, we have observed methodologies on the market that simply refer to notions of occurrence without any time reference, merely stating that a risk is “frequent” or “rare” with no further precision. In our experience, this approach is to be avoided; we prefer a rating that uses an explicit time reference, such as this one:
- Daily: risk that may occur every day.
- Monthly: risk that may occur every month.
- Annual: risk that may occur once a year.
- Decennial: risk that may occur once every ten years.
The concept of severity
With regard to the notion of severity, some authors refer to scales with rather general definitions, of which the following is an example:
- Minor: Low or negligible impact. Little or no effect on operations, safety or reputation.
- Moderate: Significant but manageable impact. Affects certain operations, with limited effects on safety or reputation.
- Significant: Major impact. Interruption of certain operations, high risk to safety, or damage to reputation.
- Severe: Very high impact. Major disruption, serious security risks, or significant reputational damage.
- Catastrophic: Extreme impact. Severe damage, endangerment of human life, or irreparable damage to reputation.
For our part, we will favour a classification by domains divided into:
- environmental impacts,
- financial consequences,
- damage to image or reputation,
- damage to employee health (this last category is often included in the financial consequences).
With a classification by area, risk treatment measures will be much richer than if only the financial impact, for example, were taken into account.
Score each risk
Once the frequency (f) and severity (g) ratings have been determined, we can apply the operation f × g to obtain a score that will enable the organization to deal with this risk as effectively as possible. But more precisely, why is it useful to give scores to different risks? Well, to:
- Enable them to be quantified as objectively as possible
- Facilitate prioritization of treatment measures
- Track them and observe their evolution over time
By way of example, these scores can be represented as follows, on a scale from 1 to 25:
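As an added illustration (not code from the original article), the following Python risk register applies the scoring method described above: a time-referenced frequency scale, a severity rated per impact domain, a score of f × g on the 1–25 scale, a ranking to prioritize treatment, and a history to track each score over time. The “weekly” frequency step, the worst-domain aggregation rule, the treatment threshold of 10 and the sample risks are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Time-referenced frequency scale (1 = rarest); "weekly" is an assumed extra step so that f x g spans 1-25.
FREQUENCY = {"decennial": 1, "annual": 2, "monthly": 3, "weekly": 4, "daily": 5}
# Severity levels from the article, rated separately for each impact domain.
SEVERITY = {"minor": 1, "moderate": 2, "significant": 3, "severe": 4, "catastrophic": 5}
DOMAINS = ("environment", "financial", "reputation", "employee_health")

@dataclass
class Risk:
    name: str
    owner: str                  # risk owner who delivers the consensus rating
    frequency: str              # key of FREQUENCY
    severity: dict              # domain -> key of SEVERITY
    history: list = field(default_factory=list)  # (period, score) over time

    def f(self) -> int:
        return FREQUENCY[self.frequency]

    def g(self) -> int:
        """Overall severity = worst-rated domain (assumed aggregation rule)."""
        unknown = set(self.severity) - set(DOMAINS)
        if unknown:
            raise ValueError(f"unknown domain(s): {sorted(unknown)}")
        return max(SEVERITY[level] for level in self.severity.values())

    def score(self) -> int:
        return self.f() * self.g()          # f x g, between 1 and 25

    def record(self, period: str) -> int:
        """Store the current score so its evolution can be tracked."""
        self.history.append((period, self.score()))
        return self.history[-1][1]

def prioritize(risks, threshold=10):
    """Rank by score (descending); flag those meeting an assumed treatment criterion."""
    ranked = sorted(risks, key=lambda r: r.score(), reverse=True)
    return [(r.name, r.score(), r.score() >= threshold) for r in ranked]

def trend(risk):
    """Change in score between the two most recent recorded periods (0 if fewer)."""
    return risk.history[-1][1] - risk.history[-2][1] if len(risk.history) > 1 else 0

# Constructed sample register (illustrative values, not real data).
SAMPLE = [
    Risk("credential phishing", "CISO", "monthly", {"financial": "significant", "reputation": "severe"}),
    Risk("warehouse chemical spill", "Operations", "decennial",
         {"environment": "catastrophic", "employee_health": "severe", "financial": "moderate"}),
    Risk("payroll system outage", "Finance", "annual", {"financial": "moderate", "employee_health": "minor"}),
]
```

Calling `prioritize(SAMPLE)` ranks the phishing risk first (3 × 4 = 12, flagged for treatment), then the spill (1 × 5 = 5) and the payroll outage (2 × 2 = 4); re-rating the phishing frequency as weekly and recording again shows the score rising to 16.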
But how are the various scores determined? While some of them may depend on objective criteria or KPIs (absenteeism rates, defects on a product line, etc.), others necessarily depend on the sometimes subjective perception of stakeholders, with no statistical elements to fall back on. In this context, and when several people are involved as stakeholders in elements linked to risk management, there is a strong temptation to proceed by voting on the frequency and severity ratings to produce a final score. In our view, this strategy is unsatisfactory and will ultimately become a source of frustration for many people. It is far more appropriate to reach a genuine consensus between “risk owners” to deliver the scores in question, with the following advantages:
- Greater consistency with organizational objectives
- Better understanding of risks and the factors that determine them
- Reduced tensions and disagreements between stakeholders
- Greater involvement and commitment from risk owners
In all cases, and irrespective of the methodology used, the absence of denial, and risk management within an organization that has adopted a “right to error” culture, will remain indispensable framework conditions for successful risk mapping!