A particular example of a risk map. Using a risk map to identify them Guide to creating a risk map

Risk map is a graphic and text description of a limited number of risks of an organization, located in a rectangular table, along one “axis” of which the impact or significance of the risk is indicated, and on the other the probability or frequency of its occurrence. Figure 1 shows a particular example of a risk map.

In fact, depending on the design goals, many different types of risk maps or variations of a given risk map can be constructed. We will further rely on the example shown in the figure. This risk map displays probability or frequency on the vertical axis and impact or significance on the horizontal axis. In this case, the probability of risk occurrence increases from bottom to top as you move along the vertical axis, and the impact of risk increases from left to right along the horizontal axis.

The Arabic numerals on the map are designations of risks that were classified into four categories of significance and six categories of probability, so that each probability/significance combination was assigned one type of risk. Such a classification, placing each risk in a specific separate “box,” is not mandatory, but simplifies the process of setting priorities, showing the position of each risk relative to others (increases the resolution of this method). The thick broken line is the critical limit of risk tolerance. When identifying critical risks, scenarios (the cause-and-effect relationship of processes, events and existing risk factors) leading to risks above this limit are considered intolerable. When developing a strategy, for example, for identified intolerable risks, before adopting this strategy, it is necessary to understand how to reduce or transfer such risks, while risks below the border are manageable in an operational manner.

We describe here procedures for mapping an organization's risks, which it can perform in-house. Generally speaking, the methodologies for constructing a risk map are as different as the risks of companies are different. Despite the apparent simplicity of the risk map, behind its construction lie not only complex quantitative assessment procedures (for example, for aggregating the views of the company’s top management about its inherent risks and placing them on the map), which can be formalized, but also an informal, logically quite complex process .

The construction of a risk map can be carried out as part of the implementation of a risk management system at the level of the entire organization, which is difficult and often impossible to accomplish internally. Or to solve a separate range of risk management tasks, for example, as part of a preliminary assessment of various development strategies. Depending on the objectives and methodology used, the organization receives various advantages and benefits. The methodology, which we will talk about in more detail in this work, is based on achieving a consensus among the company's top management about risks. The most important benefit is the decisive reduction in cycles and decision-making time.

If there were no risks, there would be no business and no reason to drink champagne. But we still have both, because risks in business are the only habitat for chance, fortune, success and new opportunities. The easiest way to puzzle a businessman is to ask him: How do you feel about risk? The first reaction will be negative: “Risks interfere with work. If it weren’t for the risks, things would be going great.”

But if we continue the conversation, it turns out that along with the risks, not only obstacles to business will disappear, but also the business itself. Paradox, not at all, because risk is the only habitat for chance, fortune and success; they do not live in other conditions. Therefore, the highest business pilotage is not the total destruction of risks, but targeted and systemic impacts on each of them, contributing to the transformation of problems into the development and success of the project as a whole.

Here's another way to confuse a businessman. Ask him: “What risks are most dangerous for the business?” First reaction: Unstable economic and political situation, gaps in legislation, corruption of officials, crime, unreliability of suppliers. And if you dig deeper, it turns out that all these risks (external) make up about 25% of all the risks of the project (project portfolio) as a whole. The remaining 75% are internal risks, located within the project team and the company. Among them are indiscipline, unformalized processes, ineffective motivation system, broken internal communications, and unqualified personnel.

What does it cost us to build a house?

In a construction company, project delivery deadlines were constantly not met, which led not only to losses (the approximate cost of one day of delay is about $12 thousand), but also to a loss of profit (about $10 thousand per day). Managers were not interested in completing projects as quickly as possible, since the motivation system included quarterly bonuses for work and a bonus for their successful completion. The sizes of these bonuses are comparable, that is, it was more profitable for the project manager to delay the delivery of the project and receive several quarterly bonuses than one for successful completion. Moreover, to begin each next stage of the project, the manager needed to collect more than 10 signatures from the heads of various departments. It is clear that these people went on vacation and were sick. Accordingly, the deadlines were delayed, even without one signature it was impossible to continue further work, although 70% of such signatures had long since lost their relevance. This example shows the impact of risks associated with staff motivation and poor internal communication. But by managing these risks, you can achieve early completion of the project, which will bring not losses, but additional profit. The motivation system should be tied to the milestones of each stage of the project. At these points, important information is transmitted and decisions are made. If this is not done, the risks that arise can lead to the failure of the entire project.

Risk management system in the company's project portfolio

Today there is a lot of talk about the implementation of a comprehensive risk management system. What is it? How does this system work? What tools does he use?

Today, a risk management system in a project portfolio exists mainly in financial institutions, companies with foreign capital and companies that have introduced a project approach into their activities (the risk management system is part of the corporate project management system). This list is due to the specifics of the activities of these companies. The banking business initially makes money on risks; for a bank, risk management is vital. Companies with foreign capital brought with them, in addition to investments, Western experience and management traditions. And in the West, risk management and the development of methods and approaches to risk management have been involved for a very long time.

One of the effective tools for risk management is a risk map. Difficulties in its preparation are often associated with unclear project goals and the lack of regulation of the main processes in the decision-making chain. It is possible to assess the impact of risks only after there is an understanding of who is really responsible for what and when all business processes are described. Also, to effectively identify risks, it is necessary to define the responsibilities and role instructions of each employee, to create a bonus system tied to a single result of the project, and not to the process. In other words, the risk management system in the project portfolio should be built by companies not in a “fire order”, but at a strategic level.

How does the risk map work?

Let's try to understand the risk map using the example of a company that supplies information security equipment. The organizational structure of this company is traditional for all similar organizations; as it turned out, it contained many risks. Let us describe the interaction of departments within the company. The sales manager, having concluded a contract, passes it on to the project manager, who delivers the products in accordance with the terms of the contract. The amount of the concluded contract is several million dollars, the customer's advance payment is 15%, the rest of the amount is paid upon delivery, the delivery period is three months.

This delivery time was predetermined by both logistics and the workload of the customer’s warehouses. To complete the transaction, the supplier had to take out a bank loan for a short period and, accordingly, at a high interest rate. Overall everything went well, if not for one “but”. After the transaction was completed, the sales manager remembered that two weeks after the contract was concluded, the customer called him.

Among other things, in this telephone conversation there was information that there was enough space in the customer’s warehouse to accommodate products. The sales manager from the supplier did not pay special attention to these words (he should not do this according to the job description approved by the company) and did not tell anyone about it. The project manager successfully delivered the products within three months.

Meanwhile, interest rates grew, and accordingly, profits decreased, because it was possible to supply the equipment and repay the loan earlier. Below is a fragment of the map regarding the risks of the entire project. Naturally, having identified and described the risks of the entire project, one should describe methods of responding to each of them (see Table 1).

Table 1. Risk map.

How many risks are possible and necessary to identify. In any project, after working with experts and clearly defining all business processes, the roles of participants and responsibility for the result, you can find 100-150 risks (remember that we have shown only a fragment of the risk map; its true dimensions are much larger).

After identifying risks at each stage of the project, they need to be ranked based on the likelihood of each risk event occurring and possible damage. The main goal of such an analysis is to determine which risks are the most significant, and to develop methods for responding to them, and to include the costs of response in the project budget. Risks are divided into systemic and critical. The source of systemic risk is not the project itself, but the organizational structure of the company as a whole. Responding to this risk will require more effort and changes will have to be implemented at the company-wide level. A critical risk poses a serious threat to the project, the source of which is the project itself. Naturally, it happens that the same risk is both systemic and critical. The project implementation scenario includes a response to critical and systemic risks (of the project portfolio), while minor risks are usually not taken into account in the plan. In order to minimize their possible impact (as well as the impact of undetected risks), reserves are created (for example, they increase the project timeline and budget by 10%).

Determination of the degree of danger of adverse events, as well as the list of events themselves, is based on an interview with the project manager. For this purpose, experts are also involved who have already implemented similar projects in the company and know what crisis situations can arise and what is the source of these crises (poor planning, poor decision-making, etc.).

It is important to remember that risk management is not a one-time event: you draw up a map and conveniently forget it. It is necessary to constantly adjust the risk map and decision-making mechanisms depending on what is happening. The risk map is formed through accumulations, it is constantly updated and undergoes major changes as the project is implemented. Many risks disappear with the completion of project stages. The likelihood and consequences of risks once identified and their priority assessment may subsequently change. New risks may also emerge. It is advisable to repeat the risk analysis so that new data is available when planning each new stage of the project.

What to do if there is no risk management system

As a rule, risks in companies are managed by special departments. However, if such a unit does not exist, then risk management is usually assigned to other departments. These departments develop mechanisms to reduce risk (for example, a reconciliation mechanism). This could be an internal audit, controlling, methodology department, or an analytical service, regardless of the name, the essence of the department’s work does not change.

In such a situation, risks are identified and eliminated during daily operations before the enterprise suffers serious losses. Naturally, working with such a manual management scheme is less effective; specialists in these departments, at best, reduce the company’s sensitivity to risk factors. For this purpose, full-time (risk managers) or freelance (consultants) specialists can be hired separately.

In conclusion, we emphasize once again that a comprehensive risk management system requires systematicity and consistency, only then will it give the desired effect. The operation of this system must be based on accumulated experience and be very flexible; the system must respond to all changes that occur. At the same time, it is useful to remember the words of the Marquis Luc de Clapier Vauvenargues: We foresee the difficulties associated with the implementation of our undertaking, but rarely think about those that are rooted in ourselves.

An effective risk management system for a project portfolio includes nine main components:

• the internal environment of the company in which the projects live determines how the risk will be identified and what decisions will be made;
• The company's goals must be clearly defined, because each of them is implemented through a project or an entire portfolio of projects. In other words, the goals that the company sets for itself determine what risks will arise. The task of a risk management system? ensure the safety of achieving your goals;
• identification of adverse events on which the achievement of set goals depends, their analysis for the existence of risks;
• risk assessment, identified risks should be analyzed from the point of view of the likelihood of a risk event and possible damage, as well as from the point of view of turning this risk (threat) into an opportunity;
• reaction to risk, determination of a possible reaction to risk: eliminate, reduce, accept or share risks. It must be taken into account that any reaction will change the project plan (as a rule, it will lengthen the project), but will make it possible to achieve the goal. To eliminate risks means to develop and carry out various preventive measures that will involve people and resources;
• information and communications, timely collection, processing and transmission of information to employees responsible for risk management;
• timely decision-making, development of scenario plans for project implementation in the event of the impact of a particular risk. Determining the mechanism for selecting these scenarios and making changes to the future project plan;
• control of business processes, internal rules, compliance with which ensures that the adopted risk response strategy is effectively implemented in daily operations;
• monitoring, previously identified risks must be constantly monitored and, if necessary, revised.

Anna Starinskaya

Views: 5 106

In the course of identifying and assessing financial risks, various graphical methods are used that provide a visual representation of the distribution of risks in time, by type of activity, by stages of a business process, in space (for example, by premises), by the amount of identified damage, etc. But the most universal information visualization tool, widely used in risk management, is the so-called risk map. It is built on the basis of a register of risks and their qualitative and quantitative characteristics obtained during the measurement process. A risk map can be built either for the entire organization or for any department. In addition, risk maps can be drawn up for the direction of the organization’s activities or for a separate project or program.

The simplest risk maps are usually presented in tabular form. In cases where qualitative and quantitative scales of probabilities and consequences are used to measure risks, matrix risk maps are used. Matrix risk map is a graphical and textual description of a limited number of risks of an organization, located in a rectangular table, on one “axis” of which the strength of impact or significance of the risk is indicated, and on the other, the probability or frequency of its occurrence. In cases where qualitative and quantitative scales of probabilities and consequences are used to measure risks, the entire range of risks is divided into cells. Due to its external similarity, such a risk map is sometimes called a “matrix”.

Generally speaking, the methodologies for constructing a risk map are as different as the risks of companies are different. The construction of a risk map can be carried out both as part of the implementation of a risk management system at the level of the entire organization, and to solve a separate range of risk management tasks. Methods that consultants (experts) use when drawing up a risk map include interview , formalized And informal questionnaires for reviews And industry research , analysis of the company's documentation set and numerical assessment methods and so on.

The composition of the team of consultants (experts) is very important for the success of the risk mapping process. When carrying out work by professional consultants, the team (working group) usually includes those specialists who have experience and expert knowledge. Experience shows that a team works effectively if it consists of six to ten people. Only by defining the boundaries of the analysis can you determine who is included in the team. When drawing up a map of the company’s financial risks, the team must include the head of the financial department, the head of the legal, control, GG departments, etc. The degree of detail required in the analysis is specific to each risk and varies from one risk to another, but depends mainly from the goals pursued by the organization.

Mapping is a complex process that involves many specific activities, but in general terms it involves visualizing identified risks. Risk identification includes financial risk analysis aimed at identification and assessment of risks.

Let us recall that identification is the first and one of the main stages of risk analysis. The results of risk identification make it possible to describe and compile a risk register. Risk assessment involves determining (calculating) the main qualitative and quantitative parameters (magnitude) of risk.

The results of risk identification and assessment are entered into financial risk maps. To build a financial risk map (hereinafter referred to as the Map), you must complete the following sequential steps and fill in all the columns of the following table (Table 2.6).

At the initial stage, identification involves choice of risk owner (risk subject). In our Map this is the line - job title.

The so-called risk owners (from English - riskowners) – These are employees, specialists whom the manager instructs to monitor the triggers of some specific risk, as well as manage response procedures in the event of this risk occurring. Employees become risk owners because of specific expertise regarding a particular issue or because they have some control over a specific risk.

Here the employee’s position is selected and the types of activities he performs and the management objects associated with these activities are identified. We will enter the selected type of activity in column 2 Maps.

The group of subjects with increased financial risk includes those that are characterized by:

• the presence of powers related to the distribution of significant financial resources;
• a high degree of freedom of action caused by the specifics of their work;
• high intensity of contacts with organizations and their representatives.

The next step is to identify a list of job responsibilities with high financial risk. Identification and assessment of risks is carried out according to a specific list of job responsibilities with a high probability of financial risks.

Column 3 Cards involves consideration and analysis of work conditions. Usually the following conditions are distinguished:

FINANCIAL RISK MAP No.________________

Department: _________________________________________________

Job title: ____________________________________________________

Filled out

(Head of unit) (signature) (Last name I. O.) (date) AGREED

Head of organization (division) ____________________________________________________________

______________________________________________________________________

• (EXPERT/CONSULTANT)
• normal (planned activities) – designated by the letter “N”;
• emergency (incidents and other emergencies) – designated by the letter “A”.

Identification of specific types of financial risks associated with selected activities is recorded in column 4 Maps.

The identified risks are described and documented in the form of a Register of Financial Risks (Table 2.7).

Table 2.7

Register of financial risks

Count 5 Cards involves the identification of existing measures against the impact of hazards (regulations, measures) for the selected type of activity (work). Measures against exposure to hazards include:

• training and advanced training in the field of minimizing financial risks;
• carrying out certification of workplaces;
• carrying out certification of workplaces according to working conditions;
• testing of implemented standards, norms, regulations;
• identifying areas of business processes not covered by controls;
• identifying ineffective controls;
• introduction of new indicators of financial risks;
• other similar measures.

Identification of incidents (commercial bribery, official forgery, trading of insider information, abuse of authority, etc.) in the organization is filled out in column 6 Maps. Information on incidents is accumulated in the table presented (Table 2.8).

Table 2.8

Information on incidents

Description of the severity of the hazardous event (assumed - in the absence of statistics) from the possible impact of the hazard (column 7 Cards) taking into account the implementation of existing measures against this impact (standards for minimizing financial risks).

The most difficult step is assessing the risk. The risk assessment associated with the identified hazard is recorded in columns 7–10 Maps.

The risk associated with an identified hazard is assessed using the following formula:

where P is risk; T – severity of harm; – probability of danger occurrence; – exposure to hazards.

The severity of harm (T) is assessed in a point system (for example, in a ten-point system) and filled out in the form of a table (Table 2.9).

Table 2.9

Severity of harm T

The severity of harm is determined by the expert assessment of the working group that conducts the mapping. They determine the severity and assign points based on the specifics of the business entity. Therefore, for example, the harm from the revocation of a license to carry out transactions in foreign currency for some organizations will be 9 points, and for others, non-core organizations, much less.

The probability of harm (B) is considered by experts in terms of the likelihood of the hazard occurring and exposure to the hazard and is filled out in the following tabular form (Table 2.10).

Table 2.10

Probability of harm B

Further, the identified risks must be sort. Let’s look at a real technique for sorting out a large number of risks, which has proven itself in more than one hundred companies. It is actively used and promoted by the Risk Management Special Interest Group ( RMSIG ) from Project Management Institute. The essence of the method is to distribute risks over a special card (its other name is PI- matrix). The map should look as shown in the table. 2.11. Typically, all identified risks are distributed among the risk team members. As a rule, the one who identified the risk is responsible for the risk (source indicated at RMC- map). Risks identified by those not present for the procedure are shared equally among all other participants. Then the participants distribute their risks into certain squares, i.e. rank the probabilities and degrees of impact of these risks.

Table 2.11

Risk sorting map

It may be necessary to improve the quality of individual decisions about the likelihood and impact of risks. It is recommended to distribute markers of different colors to team members and ask them, after reviewing all the risks, to mark those with which they do not agree and which, in their opinion, need to be discussed separately. The flagged risks are then discussed and appropriate changes made. At the end of this step, the likelihood and degree of impact of each risk on the project is considered established, and RMC- cards, the probability of a given risk and the degree of influence are entered.

In addition to the risk sorting procedure, they must be propagate those. define R.R. (from English - risk ranking) for each risk. Formula for determining R.R. is this:

R.R. = Probability of risk (IN) × Risk exposure ( Y ).

This step repeats the sorting of risks on the map, but experts advise carrying it out, since it will be needed in the future. Then you can determine which risks will be included in the risk management process. List of risks according to value R.R. allows you to sort them. In this way, risks that have a very low probability of occurring or will have a very small impact on the project can be removed from further analysis.

The most important thing at this step is to decide on the threshold values ​​of risks that will be included in further consideration. This is a complex issue on which it is difficult to give specific recommendations. The experience of the project manager plays a huge role here, as well as the risk levels that are accepted as thresholds in the company. If the company has adopted a maximum project risk level of 70, then all risks that have R.R. above 45–50 should be considered significant. All risks that have R.R. below 45–50, are documented, but are not put into risk management work. The identified risks are ranked, their written description is compiled, which is entered into a special table (Table 2.12). A similar table is filled in by each expert.

Table 2.12

Risk ranking map

The results of risk identification and assessment are entered into Maps for presentation to management. The identified, sorted and ranked risks are entered into the first version of the final Corruption Risk Map. In fact, we have already done part of this work by filling out the table. 2.6.

For a more visual representation, the identified and sorted risks are entered into a matrix Risk Map. Depending on the degree of danger, several categories of risks are distinguished. The number of categories corresponds to the needs of the study. You can use the table below as a starting point. 2.13. It will help determine High , Average or Low risk depending on its likelihood and consequences. For example, the combination High probability + High influence will obviously mean High level of risk.

Table 2.13

Risk level

These nine simple combinations of risk characteristics can also be presented in tabular form as follows (Table 2.14).

Table 2.14

Level of risk and measures to manage it

The cells represent combinations of probabilities and consequences that can be safely ignored. The cells represent combinations that require urgent risk management measures. The cells represent combinations that require close attention and regular re-evaluation in the future.

The risk assessment is valid for a certain period. To have grounds to apply the apparatus of probability theory, this period must be quite long (three to five years). If the probability of an event (for example, theft) is low, the period under consideration should be further increased. But during this time the situation will change significantly and the old estimates will lose meaning. Consequently, when assessing risks, events with a probability less than a certain threshold value can be neglected, despite the fact that the potential damage from them may be great. Note that this is contrary to traditional practice, when managers tend to pay excessive attention to risks with high damage and low probability. In fact, in the first place there should be risks with moderate damage, but with a high probability (for example, malware attacks) that occur repeatedly during the period under review. At the same time, it must be borne in mind that the probability of a negative event is very difficult to assess with any accuracy. Therefore, it is recommended to consider risks not as numerical values, but as points on a plane, where the coordinate axes are probabilities and losses (Fig. 2.4). The level lines for the risk function are hyperbolas.

Event risk U1 is one of those usually overestimated by managers; in practice, due to the low probability, it is advisable to neglect most of such risks.

A very important step in risk analysis is determining the risk tolerance limit. Risk tolerance limit – critical limit of risk tolerance. The choice of tolerance line is made by a strong-willed decision of the company’s management. Financial risks located above and to the right of the boundary are considered “unacceptable” and require immediate management attention. Those threats located below and to the left of the border are currently considered tolerable.

Rice. 2.4.

by us. The risk tolerance limit changes depending on the organization's risk appetite. When classifying risks by significance/probability, even without a numerical assessment, you can roughly estimate the amount of financial losses from a particular risk, which allows you to determine to some extent the organization’s appetite for risk and determine the limit of risk tolerance on the map. In order to visually represent the limits of risk tolerance (tolerance, acceptability), the financial risk map is presented in the following form (Fig. 2.5).

Rice. 2.5.

Risk acceptability limits allow you to immediately visually determine the division of risks into categories in terms of the danger they pose. The risk map can be a little more complicated and presented in color. For example, a matrix Risk Map may look like this (Fig. 2.6).

Rice. 2.6.

This risk map displays probability or frequency on the vertical axis and impact or significance on the horizontal axis. In this case, the probability of risk occurrence increases from bottom to top as you move along the vertical axis, and the impact of risk increases from left to right along the horizontal axis. The Arabic numerals on the map are designations of risks that have been classified so that each probability/significance combination is assigned one type of risk.

This classification, placing each risk in a specific separate “box,” is not mandatory, but simplifies the process of setting priorities by showing the position of each risk relative to others (increases the resolution of this method). The thick broken line is the critical limit of risk tolerance; cells are combinations of probability and significance (consequences) that can be completely safely ignored. When identifying critical risks, scenarios leading to risks above this limit are considered unacceptable.

They are marked on the map and . The cells represent combinations that require close attention and regular re-evaluation in the future. Based on identified unacceptable (intolerable) risks, it is necessary to understand how to reduce or transfer such risks, while risks below the border are manageable in an operational manner. Risk management corresponds to the movement of points along the plane. Usually they try to approach the origin of coordinates along one axis without changing the value of the other coordinate. However, if you can reduce both coordinates at once, it will be even better. In fact, depending on the design goals, many different types of risk maps or variations of a given risk map can be constructed.

The register and risk maps compiled on its basis are the main information base for making decisions on further risk processing. For the most accurate risk assessment possible, it is essential to take into account the full group of factors that determine risk. The set of risk factors must reflect all conditions of the organization’s external and internal environment that give rise to possible corruption risks.

The risk map has been drawn up; now it is necessary to develop measures to neutralize those risks that turned out to be above the tolerance limit. Based on the Maps of divisions, experts (consultants), together with interested divisions and specialists of the organization, within 10 working days, draw up a “Register of unacceptable risks of the organization (division)”. The working group must determine whether to leave everything as is and take no additional actions or develop a new action plan to manage the risks if they are not satisfied with the consequences. As a result of the activities carried out, it is possible reduce the likelihood of risk , reduce the likelihood of losses , or change the consequences of the risk.

The goal of creating an action plan is to figure out how to move each intolerable risk further to the left - lower into the tolerable zone. It should be noted that it is necessary to weigh the costs of such a move against the benefits of it. Proposed controls for unacceptable risks must first be assessed for the presence of new hazards and associated risks. The degree to which a risk is acceptable depends on the importance to each risk subject and their goals and expectations. The method of influencing the risk is selected. For example, if a risk has been determined to be unacceptable, then a mitigation option is developed. If it does not reduce the risk level to an acceptable level, then the avoidance option is used. If it is impossible to transfer the risk, it must be accepted with the obligatory reservation of funds in case of unforeseen circumstances.

From the point of view of risk management technology, with the construction of a risk map, the management process does not end, but only begins. Moreover, a risk map is a “living organism” that reacts to decisions made and operations performed. It lives and develops with the development of the organization; along with new opportunities, new risks appear; some of the old risks lose their relevance and become insignificant and insignificant for the organization. Therefore, it is important that the process of mapping risk and clarifying the map is built into the actions of the organization. This will allow the organization’s risks to be updated as often as necessary. Typically, the period for “planned updating” is a year; sometimes it is tied to certain cycles (seasonal, calendar) if they occur in the organization’s activities. However, when even weak signals appear about events that can greatly affect the organization’s risk objects, their impact on the organization’s risk map should be assessed without any frequency. It is important to understand that the value of a risk map lies not in determining the exact size of the probability or damage of risks, but in the relative location of one threat to another and their location relative to the acceptability boundary.

Thus, risk mapping is a universal analytical tool for understanding the financial risks of business entities, ranking them by importance, and preparing measures to minimize them.

• URL: iemag.ru/master-class/detail.php?ID=15716

In a simplified way, management technology in the concept of acceptable risk is perceived as a sequence of three large stages of identification, assessment and minimization. Let’s assume that during the implementation of the first stage, management formulated goals and set tasks for the company’s risk management. The next step is to identify and identify the main threats to current and future activities. One of the effective and visual tools for such work is a risk map.

Risk mapping stage

Independent fight against risks in business, as a rule, begins with a traditional SWOT analysis and description of threats. This includes the analysis of documentation: regulatory, financial, managerial, marketing, contractual. Current policies, regulations, and the results of sessional strategic activities are examined. In the course of research and collegial work, a composition of external and internal factors that can influence the level of risks is formed.

As a result, the identified threats are subject to compilation into a single table, which is a system of risk factors with a list of them, sometimes called a risk factor profile. In addition to the summary table, it is also advisable to develop a classification scheme of factors with highlighted relationships between them. A more specific form of identifying factors is their identification. Identification of risks involves identifying their most significant qualitative and quantitative characteristics, which include:

• likelihood of manifestation;
• the extent of potential damage;
• place of origin;
• level of relationships between factors, etc.

In other words, the risk must be compared with the specified parameters. At the moment when we begin to comprehend the extent of the damage, a transition occurs to the second stage of management technology - the assessment stage. Risk measurement within the framework of factor identification and initial assessment is carried out instrumentally, first qualitatively and then quantitatively.

The second measurement tool is mapping. When we first start working with factors, we strive to describe them at the level of: likely - not likely, dangerous - not dangerous and how dangerous. On this basis, it is possible to construct a map with the abscissa axes, on which the danger scale is built, and the ordinate axes, with the placement of the risk probability scale on it. The factors are reflected on the created field and receive visual positioning on it.

Risk map model

Each company itself establishes the concept of danger and its units of measurement. For the managers of one company, this means lost profit; for others, it means income. For example, we can assume that the danger within the loss of profit up to 33% is not dangerous, in the range from 33% to 67% the danger is acceptable, and above 67% is no longer acceptable. Some authors believe that a factor can be dangerous if it can lead to a complete loss of profit (100%). The probability range from 0 to 1 is divided into three or more groups, suppose:

• from 0 to 0.2 – unlikely;
• from 0.21 to 0.65 – probable;
• over 0.65 – very likely.

The above example of partitioning ranges is not a dogma; in each specific case the approach is individual. Next, responsible employees, taking the data from the completed table of risk factors (the form is located below), transfer each factor to the risk map, taking into account probability and danger. Depending on the sector of the matrix in which the factors fall, you can see on the map which risk zone they belong to.

Table of the system of factors influencing the level of risk

Risk map analysis

It is recommended to build or correct the map once a quarter. Each time after such work an analysis should be carried out. It allows you to cut off a group of risks that are dangerous (above the red line drawn on the map). In addition, non-hazardous risks that fall in the quadrants below the blue dashed line become obvious. The risk map during the analysis makes it possible to draw the following conclusions.

1. For the risk group above the red line, an immediate (priority) action plan should be developed.
2. For the group of risks included in the zone between the red and blue lines, the development of an annual action plan is required.
3. For risks located below the blue line, it is necessary to create a plan of controlled measures so that over time they do not become acceptable or even dangerous.

Example of a visual form of a risk map

Above is an example of a different map view. The probability values ​​of the factor are indicated inside the circles. At the very top of the map we see two risks that can confidently be called key. Key risks should be understood as threats that can cause irreparable, catastrophic damage to a business. Damages of this type include the stoppage of continuous production due to the risk of man-made disasters, for example, in metallurgy, or even the loss of the business itself due to the threat of the emergence of so-called “killer technologies.”

Risk maps can be generated not only in graphical, but also in tabular form. Below is an example of such a map. Risk factors are placed along the rows, and probability and danger scales are sequentially placed in the columns. The table is filled out by putting “+” in the cells corresponding to the risk factors for the two main assessment parameters. The zone of the most dangerous risks includes factors that have a mark in every third column. In our example, this is “increasing production costs.” Controlled risks, on the contrary, have marks in each first column. In the example, these include “inventory growth” and “staff turnover.”

Example of a risk map in tabular form

When constructing a risk map, a reasonable question arises: “Could we be wrong?” Certainly! The mistake may lie in the selection of experts. And the experts themselves are capable of making mistakes, unfolding the situation in a subjective assessment of factors. But by regularly assessing and bringing the results into the focus of their attention, decision makers learn time after time to identify long-standing problems and find new threats. In addition, the skill of correctly setting priorities and timely minimizing risks is being developed. In any case, the present tool is effective in its own right.

The risk map is a treat for end users. In consulting projects, one of the authors got the hang of drawing these maps manually in PowerPoint in literally 10-15 minutes, along with beautiful circles and a legend. But manual labor is methodologically incorrect, as it increases the likelihood of error. Based on this, we decided to make a risk map in Microsoft Excel format.

As a technical specification, we took the most visual risk map in the terminology of the page ““. Among the existing chart types in Microsoft Excel, you can use a bubble and a scatter (XY) chart. The result using the example of a risk map of a hypothetical enterprise in Excel2016 – . In previous versions it is not possible to do automatic numbering (in fact, that’s why there was no such article before).

Sequence of actions for people who know Microsoft Excel:

• create a diagram. In this case, we select damage along the abscissa axis, probability along the ordinate axis, and add risk numbers as the name of the series in the data source. For a bubble chart, we additionally calculate the share of the mathematical expectation of each risk in the total mathematical expectation. It is advisable to use this particular parameter, since the size should reflect something new, and linking it to damage or probability will lead to a banality in the form that the further to the right and higher the risk, the larger the circle. Note that for the correct size of circles, the risks must be independent of each other, which is achieved automatically if you follow the recommendations of the appropriate one;
• add data signatures, place these signatures on top of the row. We display risk numbers as a signature. To ensure that the circles are the same size, we replace the risk numbers from 1 to 9 with the text format “1”, “2”, etc. (sorry for the perversion, but no other option was found);
• We optionally design the diagram: add a title, label the axes, select a gradient fill and play with gradients, add a logarithmic scale for damage, decorate data series, etc.

What problems when automatically constructing a risk map in Microsoft Excel need to be additionally solved:

1. If the risks are identical or similar in value, only one of them is displayed. For example, on the risk maps of a hypothetical enterprise, risks No. 9 and No. 22 are not visible. Elimination options: (1) slightly change the initial data, that is, instead of two risks with a probability of 50% and damage of 100 million rubles. draw risks with probabilities of 48 and 52% and damage of 96 and 104 million rubles, (2) complete the circles with your hands, or (3) increase the size of the diagram (as in the case under consideration, when there are no identical risks in terms of probability and damage).
2. The tolerance line in the form of a line is not reflected in automatic mode. Remedy options: (1) use a gradient fill; in Microsoft Excel 2016 it automatically takes on the desired colors (by the way, it looks especially beautiful if you set the damage to a logarithmic axis) or (2) complete the line by hand.
3. For the most visual risk map, circles with risks that do not fall on the map must be completed by hand.
4. It is almost impossible to insert the names of risks into the legend. In fact, this is not a problem, since the automatic tools in Microsoft Excel are not very economical in using the space in the chart, and as a result, the chart appears smaller when printed than it could be.

Despite these shortcomings, the task was completed. It can be used, if not for presentation to respected people, then as a control procedure.