Welcome to the inaugural chapter of my “how-to ERM” series! I will share my thoughts and practical advice to make your journey up the risk-maturity ladder more efficient. This first post is about risk mapping, with some thoughts on how to separate the wheat from the chaff. Posts on quantification, mitigation, reporting and adjustment will follow over the coming months, so stay tuned.
Risk Mapping: focus on what REALLY matters
I really enjoy creating risk maps. The task demands lateral thinking, and I can interact with different people and creatively challenge their views. Sometimes new ideas and opportunities emerge from the journey, and the “grit, spit and some duct tape”1 part of it is often good fun.
How to go about it?
I find it useful to apply a disciplined, four-round, iterative approach to come up with a map that matters.
Round 1: Compile a very broad and wide map of risks covering all (yes, all!) functions of the company. Interviews, workshops, brainstorming, e-voting, etc.: anything works, provided it is done thoroughly and consistently. It is perfectly OK to go long at this initial stage. People are always eager to share their views on risks; hence this initial round of mapping is mostly very straightforward.
Round 2: Condense the list down to approximately 40 entries. At first glance, this looks like a gigantic task, but upon closer inspection, it becomes manageable. The guiding principle: “keep what matters at enterprise level”.
Round 3: Now is the time to get serious with senior management! The list is condensed down to approximately 15 entries. McKinsey refers to this as “the firm’s big bets”, a term that describes the list’s focus and relevance very well. The board-approved risk appetite and input from senior management guide this process. Again, an experienced practitioner can ease the process significantly. Ultimately, that “top 15” chart will make it to the board. The board and management will focus on that list, ensure that appropriate mitigation actions are put in place, and follow up on relevant progress.
Round 4: At this stage I recommend a preliminary discussion with the risk committee of the board, even if not all risks are quantified and/or sufficiently mitigated. Don’t take offence if new items make it onto the list or your favorite doesn’t get all the attention. After all, boards do look at risk differently than senior management: maybe they are more strategically inclined, or they put more emphasis on qualitative factors, such as reputation. After round four, the list is good to go and the journey shifts towards quantification.
Here is an example of the selection process: this very website is an important component of the branding and marketing efforts I undertake for Megrow, hence a consideration about “Megrow’s website inaccessible” will be on the initial list. In other words, at micro level, a “404 page” when accessing megrow.asia is undesirable. However, at enterprise level I can live with a few days’ downtime and manage it via an increased presence on social media. As a result, “website downtime” will NOT make it to round three of the process.
Shall we talk about how I can smoothen your journey up the risk maturity ladder? Contact me at firstname.lastname@example.org
This is risk culture!
1 adapted from the movie Madagascar 2