Measuring and managing risks is transitioning from an intuitive art to a craft and science. To introduce quantification to this area that involves qualitative reasoning and subjectivity, at some stage each identified risk requires some form of ranking, such as by level of importance – high, medium and low. Since the importance of a risk event includes not just its impact but also its probability of occurrence, developing a risk map can be a superior method to quantify the risks and then collectively associate and rationalize them with a reasoned level of spending for risk mitigation. A risk map helps an organization visualize all risks on a single page.
Exhibit 1 displays a risk map with the vertical axis reflecting the magnitude of impact of the risk event and the horizontal axis reflecting the probability of its occurrence. Individual risk events located in the map are inherent risks that have not yet been selected for mitigation actions; that evaluation comes next. The risks located in the lower left area require periodic glances to monitor whether the risk is growing; for these there is nominal to no risk mitigation spending. At the other extreme, risk events in the upper right area deserve risk mitigation spending with frequent monitoring.
The risks in the risk map are evaluated for mitigation action. What this risk map reveals is that risks number 2, 3, and 8 are in a critical zone. The size of the circle represents the level of risk mitigation spending. Management must decide if it can accept these three risks considering their potential impact and likelihood. If not, management might choose to avoid whatever is creating the risk. Some mitigation action might be considered that would drive the risks to a more acceptable level in terms of impact and likelihood. As examples, an action might result in transferring some of the risk through a joint venture; or it might involve incurring additional expense through hedging.
Management must decide on the cost versus benefits of the mitigation actions. Will the mitigation action, if pursued, move a risk event within the pre-defined risk appetite guidelines? Is the residual risk remaining after mitigation action acceptable? If not, what additional action can be taken? How much will the additional action cost, and what will be the potential benefits in terms of reducing impact and likelihood? After these decisions are made, risk mitigation actions can be budgeted in the same way as the strategic projects and initiatives derived from an organization’s strategy map (the map also used to derive its balanced scorecard metrics).
In this post, I have used the term “management” repeatedly to describe the person or persons who will/should decide the direction that risk will take. There is an ongoing debate today as to whether boards should take a more active role in risk management strategy, especially risk appetite. In your organization, what expectation is there for the board to set risk appetite strategy?