Risk Mapping

What is the single most important tool for Risk Management? I get this question a lot, mostly from my MBA students and from participants at Executive Education courses. My answer is always the same: Risk Mapping. The only way to start a serious risk management process is by systematically mapping the risks faced by the company. The purpose of this post is to explain what a risk mapping is, how to do it properly and why it is so important.

Essentially a risk mapping is a listing of all the relevant risks that might affect the company, where each single risk is placed in a two-dimensional space: impact and probability of occurrence.  The location of the risks in this space allows top management to reach a decision regarding which risks should be assumed and which risks should be hedged.

A critical aspect of the risk map is that it needs to be complete; we do not want to restrict it with ex-ante beliefs about low-probability risks of the sort: “this is not going to happen so I will not consider it”. It is crucial that we make an effort to include all the relevant risks, irrespective of whether they have a low or high probability of occurrence. A single person cannot produce a complete map of all the risks affecting a company; it is imperative that we organize a group of people to work on this process. In my experience, the best way to do this is to assemble a group of top managers (usually the first two or three decision levels of the company) who, after a brief general discussion on risk management and risk mapping, meet in small and heterogeneous groups to start listing the main risks that might affect the company. The heterogeneity within each group, usually people from different sectors in the company, is needed to make sure that most of the risks show up in each small group’s list. To help people avoid leaving risks out, it is usually a good idea to offer them a four-category risk classification: (i) Strategic Risks, (ii) Operational Risks, (iii) Political Risks and (iv) Financial Risks. Table 1 shows some examples of risks in each category.



Once each small group has its own list of risks affecting the company, it is usually worth having another general meeting, where a moderator shares all the groups’ risk listings. The objective of this meeting is to produce a single agreed risk list, usually a blend of all the small groups’ lists and the product of the discussion. Almost always, in this general discussion, new risks (i.e. risks that were not brought by any small group) appear in the new list. The appearance of these new and previously unforeseen risks is explained by the cross-fertilization between each group’s input and the discussion process in the plenary meeting, a process in which new risks that were not considered in the original small-group discussions are usually discovered.

Once this process is finished, we should have a list of risks that need to be qualified. For that purpose, the next step is to fit them in the following framework:

Table 2. RISK MAP


Notice that we have two relevant measures in the graph: (i) Probability of Occurrence and (ii) Impact. We need to fit each of the listed risks into one of the boxes of the graph. In order to do so, my recommendation is to form small homogeneous groups to work on the list of risks that are relevant for each group (i.e. the finance group should work on the financial risks, the marketing group on the commercial risks, and so on). The homogeneity of the groups (people from the same sector and with similar experience) ensures that the members of each group have the relevant experience and knowledge, and should help to obtain a better risk classification for each category. After this second round of meetings is held, the project coordinator receives the list of the classified risks, i.e. the risks labeled as very high, high, medium, low or very low in both probability of occurrence and impact. The coordinator checks the validity of the classification, which usually requires a round of meetings with some members of each group, and fits the risks in the map shown in Table 2.

Notice that Impact needs some careful thinking. We need to make sure we understand which impact we want to assess (i.e., impact with respect to what). Consider the case of a risk that has a very limited impact on cash flows but a very high effect on reputation, for example a petrochemical plant that unexpectedly generates a nauseating smell (within the limits of the emissions tolerated by the local regulation). This does not have an effect on the cash flow, but causes bad publicity for the firm nonetheless. We need to decide against which bar we are willing to measure the impact of the risk occurrence. In some cases we might be willing to measure a financial outcome, but in others we might need to think in terms of other types of outcome measurements. When we measure the impact of risk we consider the effect on cash flows, on profits, on firm value, on leverage, on reputation, on the morale of the workforce, on competitiveness, etc. In some sense, the effects of risk are not always measurable in financial terms or on the same scale; in some cases the effects are stronger on some aspects than on others. Take the BP Clearwater disaster for example: the effects on the firm’s cash flow are one aspect to consider, but its effects on competitiveness and reputation are extremely important, difficult to measure in exact mathematical terms, and surely not to be neglected.

One important consideration that follows from what I just said above is related to the so-called Reputational Risk: there is no such thing as Reputational Risk. Reputation is one of the places where risk effects strike the firm; reputation is not a risk factor, it is a risk outcome! Because of some risk occurrence, the firm has a bad (or good) outcome affecting negatively (or positively) its reputation.

Once the project leader is satisfied with the risk classification of the different groups, he or she needs to compile the Risk Map, in which all the risks are fitted in the two-dimensional space shown in Table 2. Each risk needs to have a detailed explanation of why the probability of occurrence and the impact have been classified as such, including which outcome the impact refers to, as discussed above. Notice that the boxes in the graph have different colors, showing their relative importance for the firm. Obviously, these colors are indicative and can change from firm to firm depending, for example, on the industry dynamics or on specific firm characteristics. The risks in the small box that corresponds to very low probability of occurrence and very high impact are the so-called Black Swans, popularized by Nassim Taleb in his famous book The Black Swan: The Impact of the Highly Improbable. In a subsequent step, the company will decide policies regarding the risks that are in each of the boxes of the risk map. These policies will depend on which risks are the ones that the firm needs to assume in order to make a profit, the level of risk appetite/risk aversion, who is making the decisions regarding risk levels, etc. (but this will be discussed in a subsequent post).

Having a Risk Mapping is extremely important for any company. First, it forces top management to start thinking about risks that, most of the time, firms do not consider until it is too late. Second, the process that ends with the risk map helps everybody to gain a much better knowledge of every relevant risk that might be affecting the company. Additionally, this process fosters an integrated risk management process, so that risks are not managed in independent silos in which every sector has its own risk policy, something that might drive companies, for example, to duplicate hedging strategies.

The first risk mapping represents a milestone in the company; it usually needs a lot of work and brings several eye-opening discoveries (usually in the form of risks that nobody ever thought about). Subsequent updates are needed periodically; a risk mapping is an ongoing process, and a very healthy exercise of strategic planning that every company should start doing as soon as possible.