In an article I wrote last year, I explained in detail why one should avoid using quantitative techniques in enterprise risk management. It was a popular post with many likes, thanks to its appealing title. In that article, I tentatively introduced a few new terms. In particular, I argued that the term "heat map", which is so often used in risk management, needed some rethinking. It is so easily confused with the heat maps that scientists and engineers use when they display real data, statistics, the results of quantitative analysis, or forecasts. It is obviously a confusing term to apply to a risk heat map, which is not based on any of those things.
My suggested term for a risk heat map was:
“Colourful Risk Analysis Presentation”
My more literary colleagues have suggested alternative phrases, for example:
Coloured Risk Analysis Plot
Clear-cut Risk Assessment Plan
Coordinated Risk Analysis Portfolio
Collected Risks And Possibilities
We are, however, united in our opinion that CRAP is the appropriate abbreviation for the type of analysis shown in the figure below.
A risk heat map. Little dots are added onto the coloured squares to show individual risks. In this example, the risk is represented as a star for greater dramatic effect.
A new lexicon
A persistent challenge faced by the risk management community is the lack of consistency in the interpretation of common words and phrases (likelihood, probability, etc.). Many of my colleagues hope that "CRAP" will become the foundation for a variety of much-needed terms, and will be adopted by ISO, COSO and other learned organisations that produce guidelines in risk-speak. If you, dear reader, have ever met any of the august authors of these hallowed guidelines from these venerated organisations, may I ask you to submit the following list for their consideration?
CRAP – the standard heat map, adding or multiplying an ordinal score for probability (or likelihood, depending on which guideline you read) and an ordinal score for impact to achieve a severity score, which can then be given a colour scale. It sounds complicated, but Excel has nice conditional formatting tools that make this easier – see Figure 1
Fairly CRAP – applying the FAIR methodology for IT risk, which is quantitative, and then converting it to a qualitative scale maximising the loss of information to make it easier to understand
Relative CRAP – comparing whether one risk has a greener or redder colour than another in order to prioritise its treatment. ‘Treatment’ means selecting from one of the following labels from a spreadsheet dropdown list: Accept, Reject, Avoid, Transfer. It does not matter which is selected, as only the spreadsheet owner sees this
Pointless CRAP – replacing the point representing a risk on a heat map with a diffuse blob. This allows us to acknowledge we are uncertain whether, for example, the probability score is a 2 or a 3
Dangerous CRAP – these are health and safety heat maps. The key technique here is to consider the probability that a risk event will occur (e.g. a building floods) and then consider the scenario that would maximise the human health impact (e.g. the senior management team was partying in the basement, and someone locked the door from the outside for a joke) and plot the combination on the heat map. Dangerous CRAP tends to have a lot more dots in the red than, for example, a CRAP analysis done of financial risks
Complete CRAP – a heat map on which are plotted all the risks of the organisation. This is characterised by the inability to differentiate any individual risk from the swarm of dots, making scrutiny of the analysis less likely, and is simultaneously reassuring as no risk will be dark red (unless it includes Dangerous CRAP)
Absolute CRAP – an advanced technique where numbers are used to define probability ranges instead of labels. For example, instead of using the category ‘Very Low’ to represent a very low probability, one defines the Very Low probability over an absolute range like 0% to 20%. Usually avoided as very few people understand probability, but everyone understands ‘very low’
Total CRAP – summing up all the risk scores to evaluate the aggregate risk that the entity is exposed to. Aggregation of risk is one of the most important tools in risk management, necessary for deciding between different investments or determining how likely a strategy is to succeed, so this technique is essential to master
Undeniable CRAP – plotting a set of risks on a heat map that everyone knows could happen, like ‘Project X could be delayed’. This improves the credibility of the heat map
Indisputable CRAP – alternative term for Undeniable CRAP
Unimaginable CRAP – adding dots to the heat map with vague labels to represent risks nobody has yet thought of – the Unknown Unknowns, which need to be managed most carefully. Usual risk management approach is to select Reject or Transfer
Unmitigated CRAP – plotting risks in a heat map, assuming that absolutely nothing is done to try to prevent them happening or reduce their potential impact. Used in PowerPoint presentations to senior management. All risks will be red or orange, which will alarm the senior management greatly. It is best practice for the next slide in the PowerPoint presentation to show the heat map after the risks have been accepted, rejected, avoided and transferred. All risks are now green or light orange, demonstrating that risk management has once again achieved what seemed impossible
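As an added illustration (not part of the original post, and not anyone's official methodology), here is a short Python script that builds a 5×5 heat map score the CRAP way, with "Absolute CRAP" style numeric ranges behind each label, and then compares "Total CRAP" (summing the scores) against a plain expected annual loss for two constructed risk registers. The bin boundaries, risk names, probabilities and loss figures are all assumptions made up for the example; the point it shows is that two registers with identical Total CRAP can differ in expected loss by a factor of six, which is the information that "Fairly CRAP" throws away.

```python
# Added example: heat-map ("CRAP") scoring versus quantitative aggregation.
# Every bin boundary, risk name and figure below is constructed for illustration.
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# "Absolute CRAP": each label carries an explicit annual-probability range (assumed).
PROB_BINS: Sequence[Tuple[str, float, float]] = [
    ("Very Low", 0.0, 0.05),
    ("Low", 0.05, 0.2),
    ("Medium", 0.2, 0.5),
    ("High", 0.5, 0.8),
    ("Very High", 0.8, 1.0),
]
# Impact ranges in currency units (assumed).
IMPACT_BINS: Sequence[Tuple[str, float, float]] = [
    ("Very Low", 0, 10_000),
    ("Low", 10_000, 100_000),
    ("Medium", 100_000, 1_000_000),
    ("High", 1_000_000, 10_000_000),
    ("Very High", 10_000_000, float("inf")),
]


@dataclass(frozen=True)
class Risk:
    name: str
    annual_probability: float  # 0..1, probability the event occurs in a year
    loss_if_occurs: float      # loss in currency units if it does


def bin_score(value: float, bins: Sequence[Tuple[str, float, float]]) -> int:
    """Map a numeric value to an ordinal score 1..5; the top bin is closed above."""
    for i, (_, lo, hi) in enumerate(bins, start=1):
        if lo <= value < hi or (i == len(bins) and value >= lo):
            return i
    raise ValueError(f"value out of range: {value}")


def heat_map_score(risk: Risk) -> int:
    """Standard CRAP: multiply the probability score by the impact score."""
    return bin_score(risk.annual_probability, PROB_BINS) * bin_score(risk.loss_if_occurs, IMPACT_BINS)


def colour(score: int) -> str:
    """Conditional-formatting thresholds on the 1..25 product scale (assumed)."""
    if score >= 15:
        return "red"
    if score >= 8:
        return "orange"
    return "green"


def total_crap(register: List[Risk]) -> int:
    """'Total CRAP': sum the ordinal scores, as if they were quantities."""
    return sum(heat_map_score(r) for r in register)


def expected_annual_loss(register: List[Risk]) -> float:
    """Quantitative aggregation: sum of probability x loss over the register."""
    return sum(r.annual_probability * r.loss_if_occurs for r in register)


def p_at_least_one(register: List[Risk]) -> float:
    """Probability that at least one event occurs in a year, assuming independence."""
    p_none = 1.0
    for r in register:
        p_none *= 1.0 - r.annual_probability
    return 1.0 - p_none


# Two constructed registers. Each risk lands on the same heat-map cell (High x Low
# or Low x High, score 8, orange), so Total CRAP is 16 for both.
REGISTER_A = [
    Risk("Phishing leads to account takeover", 0.6, 50_000),
    Risk("Ransomware outage", 0.1, 5_000_000),
]
REGISTER_B = [
    Risk("Laptop theft", 0.6, 12_000),
    Risk("Cloud storage misconfiguration exposes data", 0.05, 1_500_000),
]

if __name__ == "__main__":
    for label, reg in (("A", REGISTER_A), ("B", REGISTER_B)):
        cells = ", ".join(f"{r.name}: {heat_map_score(r)} ({colour(heat_map_score(r))})" for r in reg)
        print(f"Register {label}: {cells}")
        print(f"  Total CRAP = {total_crap(reg)}; expected annual loss = {expected_annual_loss(reg):,.0f};"
              f" P(at least one event) = {p_at_least_one(reg):.2f}")
```

Both registers score 16, yet register A carries an expected annual loss of 530,000 against 82,200 for register B. The loss is in the binning: a 5% and a 10% annual probability both read "Low", and a 1.5M and a 5M loss both read "High", so once the numbers have been turned into labels no amount of summing the labels can recover the difference.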
A great benefit of this new lexicon is the possibility of combining phrases in a natural and familiar way. For example, evaluating the aggregate exposure to unmanaged risks would be Total Unmitigated CRAP. We also have Absolute, Pointless CRAP with its obvious meaning.