Risk registers and heat maps – why you need something better

Monthly management reviews usually have a slot reserved for discussion of the biggest risks that threaten the business or an important project. In management terms it is one of the most important topics, yet it is unlikely to be a very productive part of the meeting. This post explains why, and what can be done to change it.

What everyone does

The risk management slot will be centred around a presentation by someone (perhaps with the title risk manager) of the ‘Top 10 risks’ … or top 5, 15, 20. The senior executive team will be shown a list of these risks in a table which will be called a risk register. Search for ‘risk register’ images with Google and you will get the idea:

The risk register will list each risk that made it into the top 10, starting with the biggest risk. Each risk will have a description and some assessment that says, for example, that the risk would have had a critical severity without any risk management strategy, but because one is in place the residual risk is now only medium. There will be a cell in the table describing the risk management strategy that has achieved this miracle. The table may even give a red, orange, green color-coding to emphasize the point.

The Top 10 risks may be plotted in a heat map, like this:

The management team will be satisfied if all the residual risks plot below the yellow diagonal. Heat maps, like risk registers, are very popular. They all look pretty similar – search for ‘risk heat maps’ images with Yahoo! and you get this:

These risk heat maps give the impression that your portfolio of risks has been evaluated, but they are crude tools and can even be very misleading:

  • Qualitative scores for probability and impact are too imprecise and inflexible. One person’s ‘low’ is another person’s ‘quite low’, and so on. Unlikely risks with very large impacts typically have probabilities like 1/100 or 1/1000, and a five-band grid cannot distinguish these from 1/10. Nor can such a grid represent a risk that is expected to occur, say, 5 times in the next year;
  • Impacts can have multiple dimensions (financial loss, injuries, environmental damage, project delays, etc.), and without a quantitative scale it is impossible to represent them consistently;
  • A financial loss that is ‘very high’ to a small business unit may be ‘very low’ to the owning corporate entity, while a loss of life on a tiny project must carry the same weight as a loss of life at head office. Rescaling rules can only work with quantitative evaluations;
  • Without quantitative evaluations of likelihood and impact you can never tell whether a risk management strategy is cost-effective, so your business will inevitably lose competitive advantage in how it manages risk.

Qualitative risk analysis may be appealingly simple, and lots of companies use it, but it is almost valueless for making risk-based decisions.

Why you shouldn’t present a risk list to management

Risk management should be a creative process, and the knowledge and experience of the senior managers could contribute a great deal to that process. Risk register presentations to the executive reduce the risk management review to a box-ticking ‘senior management have been informed of the risks’ kind of corporate governance exercise. For managers, from the CEO down, to really ensure that the company’s risks are being managed well, they need to know the answers to some key questions, like:

  • What are the important risks we face, how big are they, and do we know them all?
  • How and why could the risks occur?
  • What’s the plan for managing them, and can it be improved?
  • Is the plan being carried out and are we confident that it will work?

What you could do instead

Our corporate risk management software system, called Pelican, provides all the technical aspects described below. It is a web-based database system designed for large businesses, with a set of capabilities we believe is unique.

Rethink how you describe risks

It is common practice to describe risks as a triplet of {an event, the probability that event occurs, the magnitude of the unwanted consequence} – for example, “there’s a 10% chance of our computer system crashing, in which case we’d lose $10k – $200k of online sales revenue”.

But, in reality, describing a risk properly is more complex, and often involves a sequence of events and multiple unwanted consequences (perhaps each with a different probability). The risk might also occur more than once, like a labor strike or a tsunami, which a single probability cannot describe correctly.

We can start by thinking about a risk event, defined loosely as the point at which you switch management strategy from trying to prevent the risk from ever happening to trying to limit the damage it might create. Bowtie diagrams offer a great way of graphically presenting this concept, as illustrated below. In this example, the risk event is a fire in the head office building:

You read the bowtie from left to right. On the far left (in blue) are the events that might lead to the risk event, and on the right (in grey) are the possible outcomes once it has occurred; these are commonly termed drivers and consequences respectively.

Having mapped out the basic ‘story’ of this risk, we can now consider a risk management strategy. Actions that stop the risk event from ever happening are called controls, and sit logically between the drivers and the risk event. Actions that, once the risk event has occurred, reduce the chance of a consequence following or reduce its size are called mitigations.

In reality, risk events and their management strategies tend to be interconnected. Risk events and consequences can be drivers of other risks – so a risk event with a small consequence (like a supplier failing to deliver a component in time, causing a project delay) may not seem important, but that changes if it drives another risk event with a very large consequence (like switching to another supplier whose component turns out to be of poor quality, resulting in massive performance penalties). Controls (like safety training) and mitigations (like insurance) will also often be part of the risk management strategy for several risks, so their benefit must be aggregated over the entire risk portfolio. Figuring out which risks to focus on, and the true benefits of controls and mitigations, requires software with a structure that performs these complex calculations for you.

Pelican allows one to include an additional quantitative layer to bowties so that you have better information about the probability of occurrence and magnitude of each consequence. That, in turn, lets Pelican determine how valuable each control and mitigation is to the business. But even without that quantitative information, a basic bowtie provides a far richer and more intuitive explanation to present to managers of the thinking behind the risk management strategy, and is far more likely to stimulate discussion on strategies than a line in a risk register table.
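The following is an added example, written for this post and not Pelican’s code, of what the ‘quantitative layer’ on a bowtie looks like in practice. It also backs up the earlier objections to heat maps: a risk event is modelled as a yearly rate (so 1/1000, 1/100 and ‘five times a year’ are all representable), each occurrence draws a loss from a lognormal distribution, a control scales the rate and a mitigation scales or caps the loss, and the value of a treatment is the expected loss it avoids minus what it costs. All the risks, rates, loss figures, treatments, costs and the five likelihood bands are constructed assumptions chosen to make the comparison visible.

```python
"""Quantitative layer for one bowtie: Poisson event frequency x lognormal loss.

Added illustration for this post; it is not Pelican's code, and every rate,
loss figure, treatment and cost below is a constructed assumption.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    rate: float        # expected risk events per year: 0.001, 0.01 and 5.0 all fit
    sev_median: float  # median loss per event, one impact dimension, in dollars
    sev_sigma: float   # lognormal spread; 1.0 means a 10x range is quite plausible


@dataclass(frozen=True)
class Treatment:
    """A control acts on the event rate (left of the bowtie); a mitigation on the loss (right)."""
    name: str
    annual_cost: float
    rate_factor: float = 1.0   # control: 0.5 halves how often the event occurs
    sev_factor: float = 1.0    # mitigation: scales every loss
    sev_cap: float = math.inf  # mitigation: per-event ceiling on the loss you bear (insurance)


def likelihood_band(rate: float) -> str:
    """The five-band scale a typical heat map forces a yearly rate into (assumed band edges)."""
    if rate >= 1.0:
        return "no band: more than one event per year is expected"
    for band, floor in (("5 almost certain", 0.9), ("4 likely", 0.5),
                        ("3 possible", 0.2), ("2 unlikely", 0.1)):
        if rate >= floor:
            return band
    return "1 rare (less than once in ten years)"


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; fine for the rates used here."""
    limit = math.exp(-lam)
    k, p = 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def simulate_annual_losses(risk: Risk, treatments=(), years=20_000, seed=1) -> list:
    """Monte Carlo: the total loss from this risk in each of `years` simulated years."""
    rng = random.Random(seed)
    rate, sev_factor, cap = risk.rate, 1.0, math.inf
    for t in treatments:
        rate *= t.rate_factor
        sev_factor *= t.sev_factor
        cap = min(cap, t.sev_cap)
    mu = math.log(risk.sev_median)
    losses = []
    for _ in range(years):
        total = 0.0
        for _ in range(_poisson(rng, rate)):  # the event may happen 0, 1, 2 ... times a year
            total += min(rng.lognormvariate(mu, risk.sev_sigma) * sev_factor, cap)
        losses.append(total)
    return losses


def expected_annual_loss_analytic(risk: Risk) -> float:
    """Closed form for the untreated, uncapped case; a sanity check on the simulation."""
    return risk.rate * risk.sev_median * math.exp(risk.sev_sigma ** 2 / 2)


def summarise(losses, threshold: float) -> dict:
    n = len(losses)
    return {"expected_annual_loss": sum(losses) / n,
            "p_annual_loss_exceeds": sum(1 for x in losses if x > threshold) / n}


def net_annual_benefit(risk: Risk, treatment: Treatment, existing=(), years=20_000, seed=1) -> float:
    """Expected loss avoided by adding `treatment` to this one bowtie, minus its yearly cost."""
    before = summarise(simulate_annual_losses(risk, tuple(existing), years, seed), 0)
    after = summarise(simulate_annual_losses(risk, tuple(existing) + (treatment,), years, seed), 0)
    return before["expected_annual_loss"] - after["expected_annual_loss"] - treatment.annual_cost


# Constructed example risks: the first two share a heat-map cell, the third has none.
FIRE = Risk("Head office fire", rate=0.01, sev_median=2_000_000, sev_sigma=1.0)
SUPPLIER = Risk("Sole supplier collapses", rate=0.001, sev_median=2_000_000, sev_sigma=1.0)
LATE_PARTS = Risk("Component delivered late", rate=5.0, sev_median=20_000, sev_sigma=0.8)
# Constructed treatments for the fire bowtie: one control, one mitigation.
PERMITS = Treatment("Hot-work permits and electrical inspection", annual_cost=30_000, rate_factor=0.5)
INSURANCE = Treatment("Property cover with $500k deductible", annual_cost=20_000, sev_cap=500_000)

if __name__ == "__main__":
    for r in (FIRE, SUPPLIER, LATE_PARTS):
        s = summarise(simulate_annual_losses(r), threshold=1_000_000)
        print(f"{r.name:26s} heat map: {likelihood_band(r.rate):48s} "
              f"EAL ${s['expected_annual_loss']:>9,.0f}  P(loss > $1M) {s['p_annual_loss_exceeds']:.4f}")
    for t in (PERMITS, INSURANCE):
        print(f"{t.name}: net benefit on the fire bowtie alone ${net_annual_benefit(FIRE, t):,.0f}/yr")
```

Run as-is, the fire and the supplier collapse land in the same ‘rare’ band while their expected annual losses differ tenfold, and the late-delivery risk has no cell at all. The permit scheme halves the fire rate but, valued on this one bowtie, costs more than the loss it avoids; that is the situation the text describes, where a control shared by several risks only shows its worth once its benefit is aggregated across every bowtie it appears in. The insurance line barely moves the expected loss and earns its place by removing the years with a seven-figure loss, which is a question no heat map cell can answer. Monte Carlo figures carry sampling noise; raise `years` if you want stable numbers for a report.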

Make dashboards and put them online

If your risk management system sits in a database, it is relatively simple to set up risk dashboards that track risks and their evolution. The Pelican dashboard system is very customizable and comprehensive, tracking the risk profile, assessing vulnerability to key drivers, plotting KPIs, drilling down into risk issues, raising alarms for controls or mitigations that are no longer operating, etc:

Once the risk dashboard is online, with easy access from a tablet or phone, managers who have an interest in risk can monitor the top risks in their area of responsibility in real time. Then a risk management meeting can focus much more on an informed debate of changes to the risk management strategies and potential new threats.

Get everyone involved

It makes sense to involve everyone in the business in risk management, from the factory worker who notices a gas pipeline is corroding, to the IT guy who realizes nobody knows how a legacy, critical program works, to the security guard who sees how easy it would be to break into the facility he looks after. This means that you should have a system in which anyone can easily contribute a potential new risk issue, a new idea for managing a risk, or even point out when a risk management strategy is unlikely to work. So there should be an online portal to submit issues for inclusion in the ‘risk register’.

The Pelican portal for submitting possible risk issues also has an optional facility to submit the risk issue anonymously. I find it disquieting how often one hears that the senior management knew nothing of illegal or unprofessional practices going on in their business. I am certain they would prefer to have learned about the problems from their own risk management system rather than published leaks from a whistleblower or a regulator’s investigation.

Assign responsibility and monitor

A key vulnerability of risk management is the assumption that the risk management strategy is in place and working just fine. It probably isn’t. Maybe the idea never got further than the meeting room. If it was implemented, it will need maintaining but people get lazy, forget, are ‘too busy’, move to another job, or assume someone else is handling it.

If you use a bowtie approach to describing a risk issue, it becomes a lot easier to see the specific actions that need to be done to implement the management strategy – and then you can assign responsibility for them to specific individuals. You might also create a monitoring system like Pelican’s where the responsible person needs to follow a calendar of checks (like visiting a building to ensure fire doors aren’t blocked, or updating an insurance policy) and submit proof (like a photo, or updated insurance contract). You can also use a color scheme in your bowtie diagram to show the status of a control or mitigation. Pelican uses:

  • Black – rejected idea
  • Grey – possible future consideration
  • White – approved, not yet implemented
  • Red – was implemented, now expired
  • Orange – implemented, check overdue
  • Green – implemented, checked
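As an added example (not Pelican’s code) of how that colour can be derived rather than hand-picked, the function below works it out from the record kept for each control or mitigation: the decision taken on it, when it went live, when it expires, how often it must be checked and when proof was last submitted. The field names and the rule that an expired measure outranks an overdue check are assumptions; the six colours and their meanings are the ones listed above.

```python
"""Derive the bowtie colour of a control or mitigation from its record.

Added illustration for this post; not Pelican's code. Field names are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Measure:
    name: str
    decision: str                               # "rejected", "deferred" or "approved"
    implemented_on: Optional[date] = None       # None means approved but not yet in place
    expires_on: Optional[date] = None           # e.g. the end date of an insurance policy
    check_interval: Optional[timedelta] = None  # how often the responsible person must re-check
    last_checked: Optional[date] = None         # date proof (photo, contract) was last submitted


def status_colour(m: Measure, today: date) -> str:
    """The six statuses, in the order they take precedence."""
    if m.decision == "rejected":
        return "black"
    if m.decision == "deferred":
        return "grey"
    if m.decision != "approved":
        raise ValueError(f"unknown decision {m.decision!r}")
    if m.implemented_on is None or m.implemented_on > today:
        return "white"
    if m.expires_on is not None and m.expires_on < today:
        return "red"                            # no longer protecting anything
    if m.check_interval is not None:
        # a measure never checked since going live is due one interval after that date
        due = (m.last_checked or m.implemented_on) + m.check_interval
        if due < today:
            return "orange"
    return "green"


def alarms(measures, today: date) -> list:
    """Dashboard alarm lines: measures the management strategy assumes are working but are not."""
    return [(m.name, status_colour(m, today))
            for m in measures if status_colour(m, today) in ("red", "orange")]


if __name__ == "__main__":
    today = date(2024, 6, 1)  # constructed 'today' for the examples
    portfolio = [
        Measure("Fire doors kept clear", "approved", date(2024, 1, 10), None, timedelta(days=30), date(2024, 5, 20)),
        Measure("Property insurance", "approved", date(2023, 6, 1), date(2024, 5, 31)),
        Measure("Sprinkler test", "approved", date(2024, 1, 1), None, timedelta(days=90)),
        Measure("Second supplier qualified", "approved"),
        Measure("Move head office", "rejected"),
    ]
    for m in portfolio:
        print(f"{m.name:28s} {status_colour(m, today)}")
    print("alarms:", alarms(portfolio, today))
```

The ordering matters: an approved measure with no go-live date is white whatever else is recorded, and an expired policy is red even if its last check was yesterday, because a check on something that has lapsed proves nothing.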

Find out more about our software

Vose Software develops quantitative risk analysis software tools: Tamara for project risk; ModelRisk for spreadsheet-based risk modeling; ModelRisk Cloud for sharing risk analysis models and results; StopRisk for financial institution OpRisk modeling; and, of course, Pelican for corporate risk management. You can find out more about our software products from our website www.vosesoftware.com.

#riskregister #riskmanagement

David is the CEO of Vose Software and lead designer of its risk analysis software products.

He has been a risk analyst for over 25 years, working in a wide range of fields and problems.

David is the author of several influential books on risk analysis.

You can follow David on LinkedIn.