Though this be madness, yet there’s method in’t. Hamlet
Two tools of Enterprise Risk Management have gained enormous popularity in business in recent years: the risk map (heat map) and the risk register. In simple terms, a risk register is a tabular statement of the identified business risks, their causes and effects, a risk rating (the Probability of an event multiplied by its Effect) and a description of the risk controls. There are project, departmental and corporate risk registers; one can even find attempts to put together governmental risk registers.
A risk map is, let me remind you, a visualisation of the identified risks in a coordinate system (P and E). It looks convincing and fits nicely into a PowerPoint presentation for your board of directors, but... one important remark: a risk map is only a graphic visualisation of risks previously identified in a risk register. It is not a tool for risk identification and analysis in itself!
In fact, the existence of an actively maintained risk register is the simplest proof that an organisation manages its risks systematically. Yet boards often declare that they manage risk while the answer to the simple question "Do you keep a risk register?" is no.
Creating risk records, whether in the form of a risk map or a risk register, is certainly not a sufficient condition for effective risk management. Worse, the creation of such maps and registers often becomes destructive and turns into the classic show-stopper for an enterprise risk management implementation. Lost already? Then let me explain.
The classic model of a risk management process, as described in ISO 31000 or the COSO II framework, provides for at least a few basic steps: establishing the context, risk assessment (comprising identification, analysis and evaluation) and risk treatment. That is enough theory. In practice, companies begin their risk management adventure by taking a first crack at the exploratory, promising but labour-intensive task of risk identification and description. This is done in line with the art of risk management and best practice, but... how often such art turns into art for art's sake!
Typically, dozens of risk identification workshops produce lengthy lists containing hundreds of threats to the business, which their creators are no longer able to keep under control. It is also a regular occurrence that the risk identification process lasts months longer than initially planned (if there was a plan at all), so that the risks identified at the beginning of the process have already become history, unimportant rubbish in today's fast-changing business environment. Thousands of office hours spent, hundreds of donuts (or, if you prefer, pretzels) eaten and litres of coffee drunk. Was it all worth it? Moreover, such large registers, even if their creators are very proud of them, bring horror to management and co-workers. "How will we ever manage five hundred risks?", they think in despair.
So the lesson for risk management is: build your risk register prudently. How many risks your company "should" identify is another story, for the next column.
The bad news is that falling into bureaucratic risk identification, aimed only at recording and updating, is not the only peril on a risk manager's path. The biggest challenge, as numerous surveys confirm, is the real-life use of the risk register in decision making. It is surprising how often even open-minded managers who once promoted the implementation of risk management take decisions, even strategic ones, in complete isolation from what could be concluded from the risk registers and maps. And when the company then fails, people say that risk management has failed. Wrong!
Systematic management (like any kind of management) requires regularity and determination. It is also true that managers simply do not have time to dig through large, sluggish risk registers. This is how risk registers come to live their own life and boards theirs, and frustration grows only among those who were involved in identifying the risks. "What was the point of our efforts?", they ask themselves.
Thus there is another lesson to be learned: risk identification is one thing, evaluation another, but taking risky decisions is a