Where do you go from risk mapping?

You can’t control what you can’t measure. (DeMarco 1998)

Risk mapping is a much advocated and often used tool. Numerous articles, books, guidelines and standards have been written on the subject, and software has been developed to facilitate the process (e.g., AS/NZS 4360, 2004). It is the first stepping stone in Risk Management: the logical and systematic method of identifying, analyzing, treating and monitoring the risks and opportunities involved in any activity or process. Risk management is now becoming an integral part of any organization’s planning, regardless of the type of business, activity or function.

Risk Mapping

The risk mapping process is usually divided into seven ordered activities. The sequence can be as shown below, but later appraisals of risky events may require earlier activities in the process to be repeated:


The objective is to separate the acceptable risks from the unacceptable risks, and to provide data to assist in the evaluation and control of risks and opportunities.

The Risk Events List

The risk list is the result of risk identification activities. It consists of a list of all risks and opportunities grouped by an agreed upon classification. It is put together by the risk identification group led by the risk officer, the key person responsible for risk management. The risk list is the basis for the risk database containing information about each project, risk and person involved in risk management. The main output table is the risk register.

Risk Register

The Risk Register is a form containing a large set of fields for each risky event being analyzed and controlled. The form contains data about the event, its computational aspects and all risk response information. This register is the basis for a number of cross tables visualizing types of risk, likelihood, impact, response, responsibility etc.  Of those one is of special interest to us – the risk probability and impact matrix.

The Risk Level Matrix

The risk level matrix is based on two tables established during the third activity in the risk mapping process; the likelihood and the impact table.

The Likelihood table

During the risk analysis the potential likelihood that a given risk will occur is assessed, and an appropriate risk probability is selected from the table below:


The Impact Table

At the same time the potential impact of each risk is analyzed, and an appropriate impact level is selected from the table below:


The Risk Matrix

The risk level matrix shows the combination (product) of risk impact and probability, and is utilized to decide the relative priority of risks.  Risks that fall into the upper right triangle of the matrix are the highest priority, and should receive the majority of risk management resources during response planning and risk monitoring/control.  Risks that fall on the diagonal of the matrix are the next highest priority, followed by risks that fall into the lower left triangle of the matrix:

[Figure: risk matrix]

In practice it can look like this with impact in four groups (the numbers refer to the risk description in the risk register):

[Figure: impact vs. likelihood]

From the graph we can see that there are no risks with high probability and high impact and that we have at least four clusters of risks (centroid method). The individual risk’s location determines the actions needed:

[Figure: risk map]

We can multiply impact with likelihood and calculate something like expected effect and use this to rank order the risks, but this is as far as we can get with this method.

However, it is a great tool for the introduction of risk management in any organization; it is easy to communicate, places responsibilities, creates awareness and most of all – lists all known hazards and risks that face the organization.

But it has all the limitations of qualitative analysis. Word form or descriptive scales are used to describe the magnitude of potential consequences and their likelihood. No relations between the risks exist and their individual or combined effect on the P&L and Balance sheet is at best difficult to understand.

Most risks are attributable to one or more observable variables. They can be continuous or have discrete values, but they are all stochastic variables.

Now, even a “qualitative“ variable like political risk is measurable. Political risk is usually manifested as uncertainty about taxes, repatriation of funds, nationalization etc. Such risks can mostly be modeled and analyzed with decision-tree techniques, giving project value distributions for the different scenarios. Approaches like that give better control than just applying some general qualitative country risk measure.

Risk Breakdown Structure (RBS)

A first step in the direction of quantitative risk analysis can be to perform a risk breakdown analysis to source-orient the individual risks. This is usually done in descending levels increasing the details in the definition of sources of risk. This will give a better and often new understanding of the types of risk, their dependencies, root and possible covariation. (Zacharias, Panopoulos, Askounis, 2008)

RBS can be further developed using Bayesian network techniques to describe and simulate discrete types of risk, usually types of hazard, failures or fault prediction in operations. (Fenton, Neil, 2007)

But have we measured the risks, and what is the organization’s total risk? Is it the sum of all risks, or some average?

You can’t measure what you can’t define. (Kagan, 1993)

Can we really manage the risks and exploit the opportunities with the tool (risk model) we now have? A model is a way of representing some feature of reality. Models are not true or false. They are simply useful or not useful for some purpose.

Risk mapping is – apart from its introductory qualities to risk management – not useful for serious corporate risk analysis. It neither defines total corporate risk nor measures it. Its focus on risk (hazard) also makes one forget about the opportunities, which have to be treated separately and not as what they really are – the other side of the probability distribution.

The road ahead

We need to move to quantitative analysis with variables that describe the operations, and where numerical values are calculated for both consequences and likelihood – combining risk and opportunity.

This implies modeling the operations in sufficient detail to describe numerically what’s going on. In paper production this means modeling the market (demand and prices), competitor behavior (market shares and sales), fx-rates for input materials and possible exports, production (wood, chemicals, recycled paper, filler, pulp, water etc, cost, machine speeds, trim width, basis weight, total efficiency, max days of production, electricity consumption, heat cost and recovery packaging, manning level, hazards etc.), labor cost, distribution cost, rebates, commissions, fixed costs, maintenance and reinvestment, interest rates, taxes etc. All of these are stochastic variables.

These variables, their shape and location are the basis for all uncertainty the firm faces whether it be risk or opportunities. The act of measuring their behavior and interrelationship helps improve precision and reduce uncertainty about the firm’s operations. (Hubbard, 2007)

To us, short term risk is about the location and shape of the EBITDA distribution for the next one to three years, and long term risk is about the location and shape of the company’s equity value distribution today, calculated by estimating the company’s operations over a ten to fifteen years horizon. Risk is then the location and left tail of the distribution, while the possible opportunities (upside) are in the right tail of the same distribution. And now all kinds of tools can be used to measure risk and opportunities.
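A small simulation makes the gap between likelihood × impact ranking and the tail of the distribution concrete. This is an added example, not part of the original article or S@R's models; the three-risk register, the uniform impact ranges and the independence of the risks are constructed assumptions, and losses are counted as positive so the bad tail is the upper percentile.

```python
import random
import statistics

# Constructed register: (name, annual probability, lowest impact, highest impact).
# Every risk has the same likelihood x mean impact (expected loss = 10).
REGISTER = [
    ("A: frequent, small", 0.50, 10.0, 30.0),
    ("B: rare, severe", 0.02, 250.0, 750.0),
    ("C: moderate", 0.10, 50.0, 150.0),
]

def expected_loss(risk):
    """Likelihood times mean impact: the single number a risk map can rank on."""
    _, p, low, high = risk
    return p * (low + high) / 2

def simulate_total_loss(register, years=100_000, seed=1):
    """Simulate independent years; return the total loss of each year."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        total = 0.0
        for _, p, low, high in register:
            if rng.random() < p:                 # does the event occur this year?
                total += rng.uniform(low, high)  # draw its impact
        totals.append(total)
    return totals

def percentile(values, q):
    """Empirical q-quantile (0 < q < 1) of the simulated totals."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]

def summarize(register, **kwargs):
    """Compare the sum of expected losses with the simulated distribution."""
    totals = simulate_total_loss(register, **kwargs)
    return {
        "sum_expected": sum(expected_loss(r) for r in register),
        "mean": statistics.fmean(totals),
        "p95": percentile(totals, 0.95),
        "p99": percentile(totals, 0.99),
    }

if __name__ == "__main__":
    print("all risks:", summarize(REGISTER))
    for risk in REGISTER:
        print(risk[0], summarize([risk]))
```

Risks A and B are indistinguishable when ranked by expected loss, yet B alone drives the 99th percentile of the total, which is the figure to compare against risk appetite.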

Risk mapping is in this context a little like treating a disease’s symptoms rather than the disease itself.


AS/NZS 4360:2004 http://www.saiglobal.com/shop/script/Details.asp?DocN=AS0733759041AT

DeMarco, T. (1982). Controlling Software Projects. Englewood Cliffs: Yourdon Press.

Fenton, F. Neil, M. (2007, November). Managing Risk in the Modern World. Retrieved from http://www.lms.ac.uk/activities/comp_sci_com/KTR/apps_bayesian_networks.pdf

Hubbard, D., (2007). How to Measure Anything. Chichester: John Wiley & Sons.

Kagan, S. L. (1993). Defining, assessing and implementing readiness: Challenges and opportunities.

Zacharias O., Panopoulos D., Askounis D.  (2008). Large Scale Program Risk Analysis Using a Risk Breakdown Structure. European Journal of Economics, Finance and Administrative Sciences, (12), 170-181.



About the Author

S@R develops models for support of decision making under uncertainty. Taking advantage of recognized financial and economic theory, we customize simulation models to fit specific industries, situations and needs.

5 Enlightened Replies


  1. Hans Læssøe says:

    I fully agree that risk mapping does not provide the needed “image” of the overall risk exposure of a company – for that you need to go one step further – and simulate.

    Most strategic risks are not either/or – but can more or less validly/easily be described as combinations of likelihood and impact (e.g. the risk of delivery failure. To most, it is very likely that it will happen with some – minor – level of delivery, but highly unlikely it’ll completely destroy the company’s overall deliverability – and there is a range of combinations in between).

    In order to simulate, we must have one shared (figure based) set of scales on likelihood and impact for all risks – and we must have some “notion” of the combination of the two. Actually, in a lot of cases, we may gain valuable insights from making the effort of assessing this systematically. We should – in this context – also remember that events may happen from which we benefit, and some even, when we are hurt short term, but benefit long term (e.g. a commodity price increase is a short term risk, but when it hurts your competitors and/or substitute products more than it hurts you – it supports your competitive advantage).

    The result of multiplying likelihood and impact will provide you with the “average loss over a million years”. To risk management, this amount is NOT truly interesting as we wish to manage the exposure, not the cost base (did you go for the cost base alone, you would never ever buy an insurance). To calculate/find the combined exposure – you also need to simulate (the “million possible years”) using e.g. Monte Carlo simulation – and then look at your 5% or 1%, or whatever you decide, level of peak exposure – and compare that with your risk appetite.

    Some Monte Carlo software tools provide a “tornado” diagramme as a result of the simulation. A chart where the most important risks are shown in prioritized order – and “voila” you have identified the top risks to address and a guide as to which risks you may wish to mitigate further in order to limit your overall exposure.

    This is a field of much new thinking, and to date, only rather limited business implementation. As a Strategic Risk Manager – I am working on implementing and improving this step by step – but as the Line of Business (who own the risks, and have to do the job) also have other priorities – it is going to take a while. However, I am confident each step adds true value to the company.

    Best regards
    Hans Læssøe
    Senior Director, Strategic Risk Management
    The LEGO Group

  2. S@R says:

    Thank you for sharing your views on risk mapping and risk analysis. I know that you have done a lot of useful work in this field so your comments are much appreciated. I wholeheartedly support your view on risk analysis being able to step by step add value to the company.

  3. Anton Arnesen says:

    Thank you for informing me about the article.

    The priority of our organisation with respect to risk mapping is to help our operations master a tool where they can 1) identify, 2) analyse, 3) prioritise, 4) decide upon risk mitigating actions, and 5) follow up the risks that threaten the objectives of the operation.

    Bringing in a communicative tool by quantifying the risks would surely improve our work. But first our operations need to master the basics.

    On aggregated level, quantifying is done, however not used as a decision making tool, (except for investments/projects).

    Best regards
    Anton Arnesen
    Chief Risk Officer, Elkem

  4. Here’s a comment. Great advice =) Thanks

  5. Jerry says:

    full details pls.TQ
