


#1 Posted : Monday, January 5, 2015 9:11:25 PM(UTC)

Rank: Administration

Groups: Registered, Administrators
Joined: 10/23/2013(UTC)
Posts: 7

Risk Maps: Caveat Emptor

Risk mapping is a technique promulgated by experts and practitioners of ERM which graphically communicates the risk portfolio of an organization for a period of time, before and after treatment. For example, a Risk Map might resemble a color coded quadrant with one axis for the likelihood scale and another for the magnitude scale of the organization’s most important risks. In the quadrant, the lowest risks would be on the bottom left in a greenish section, and the highest risks would be on the top right in a red hued section. Between the bottom left and top right there would be gradients morphing from green to red, with intermediary risks situated according to relative likelihood and magnitude. Each risk is presented twice in the graph, once before treatment and once after treatment, often with connecting arrows and/or an alphanumeric index, but could also be used to show the movement of risks over time. This note addresses concerns regarding Risk Maps that focus on pre and post treatment presentations of risks.

Risk Maps are very useful for communicating high-level risk portfolios to senior management primarily because they provide a concise visual summary from which boards can efficiently develop expectations of their risk management program, and impact of risk on their plans during the planning horizon. However, Risk Maps should be viewed with a degree of professional skepticism due to the following concerns.

a) Volatility – Forward looking Risk Maps cannot accurately take into consideration the prospective likelihood and impact of risk, particularly high velocity risks that arise periodically;
b) Treatment Expectations – A forward looking Risk Map provides a false sense of security which is underpinned by assumptions regarding the predictability of treatment effectiveness;
c) Accountability – The approach also relieves the risk manager of results based reporting.

We do not intend to completely discount the use of pre and post treatment Risk Maps because they are valuable, even if only as an agenda item to facilitate the necessary board discussions regarding the scope of risks and the reasonability of treatment plans. Our suggestion is that when such tools are used, they should be supported with practices that address the aforementioned concerns.

Addressing Volatility

A Risk Map combines numerous risks together without considering the inherent differences among them. For example, it may present the risk of a new regulation which is a binary risk as a low likelihood, medium magnitude risk, alongside a supplier failure risk, also denoted as low likelihood and medium magnitude. However, the supplier failure risk is one that the organization may face many times during the planning cycle. Thus while these risks may appear similar in terms of the level of effort and resources required to treat, in reality, supplier risk is inherently more volatile, and the Risk Map is not a good tool for capturing volatility or the cumulative effect of errors in likelihood and impact estimates.

We recommend augmenting the Risk Map with a more detailed, systematic risk database that specifically identifies each instance of a risk as a separate exposure, thereby enabling the treatment of each exposure. In this way, any changes in likelihood and magnitude during the period can be factored into the treatment process, while creating an audit trail of deviations from anticipated likelihood and magnitude levels.

Setting Treatment Expectations

When a board is presented with a Risk Map that presents risk likelihood and magnitude before and after treatment, they are implicitly being invited to take two leaps of faith in their risk management program. Using the regulation example from above, suppose the Risk Map presents the post treatment risk as low likelihood and low magnitude. Not only is this information not knowable, since the event horizon has not come to pass, even under the assumption that the treatment selected is executed, it still leaves the question regarding its effectiveness. To be sure, predicting post treatment risk magnitude and likelihood is actually recommended by the IIA, and is a standard practice among risk managers. However, it is meaningless to assess treatments in advance without continuous measurement and evaluation against expectations. To ensure the integrity of the risk management process, we recommend the following:

- Establish benchmarks for each treatment, using quantitative targets where possible, and support post treatment assessments with actual residual risk estimates;
- Ensure each treatment has an accountable owner, and establish a separate person as the owner for the follow up;
- Perform follow ups for all treatments at predetermined points in time, as often as necessary as the exposures unfold, and assess the actual effectiveness of treatments, documenting lessons learned where applicable;
- Periodically report all material “less than effective” treatments to the board along with lessons learned and action plans;
- Make lessons learned available to the broader organization.

Establishing Accountability

Risk Maps, as noted above, are brilliantly concise vehicles for quickly setting expectations with boards regarding inherent and residual risks facing the organization. In order to foster trust in the risk management program regarding the expectations that are being communicated, boards should be provided with historical performance indicators as well. This can take the form of a rolling twelve month history of treatments categorized by effectiveness. When such reporting is used, it is acceptable for internal auditing to review the process of report creation, and provide opinions regarding the report. Such opinions should accompany the report. Using historical results in advance of presenting forward looking Risk Maps sets the tone for the discussion regarding pending risks, and also communicates a strong tone of urgency and accountability characteristic of a quality risk management program.

Edited by user Saturday, April 18, 2015 2:00:46 AM(UTC)  | Reason: spelling and grammar :)

Thank You
Risk Control Assoc. Admin