Risk maps

See the list of related resources at the bottom of this page.

The purpose of a risk map is to help you decide what to do about your risks. I've seen the term applied to several different things; this note sets out what my understanding of the topic.

The important properties of a risk map are:

Includes all the relevant risks;
Includes some sort of ranking or assessment of each risk;
Each risk is mapped back to the organisational structure in some useful way.

Another term often used in this context is risk profile. If the properties listed above seem a bit vague, that's because risk maps can be used in all sorts of different situations, and being any more specific would rule some of them out.

We can consider a couple of simple examples to make things a bit clearer.

FSA risk assessment matrix

The risk assessment matrix produced by the FSA as part of its ARROW risk assessment framework is a risk map. (The matrix is available in both The firm risk assessment framework and Building the new regulator: Progress report 2 — see below.)

It includes all the risks that the FSA are interested in, they are each given a probability score, and the risks are mapped on to the risks to the FSA's objectives. The completed matrix is used by the FSA to decide on any remedial actions that should be taken by the firm being assessed.

Internal risk management

An organisation's internal risk management processes might also make use of a risk map.

The risks included in the map would be decided during the identification stage; it's important to make sure that all the risks that the organisation faces are included.

A simple method of assessment is to assign to each risk a qualitative value for impact or consequences and one for frequency or probability. In each case, a simple low/medium/high classification is often used.

A simple matrix can then be used to assign a single grade to each risk: for example, a high impact/high frequency risk might be ranked as avoid while a low/low risk might be ranked as ignore. Other possibilities include insure, control, and transfer.

A structure that is frequently found is for risks to be grouped by functional area. Relating them to the organisational structure in this way helps to decide how to control them.

Resources

Building the new regulator: Progress report 2: The Financial Services Authority have issued a series of reports outlining their new risk-based regulatory framework. This report, issued in February 2002, describes their risk-based operating framework and what it means for the firms that they regulate. In particular, it includes (as Appendix B) a probability assessment matrix that provides the risk classification system that they use. Note that the FSA is interested only in risks to their statutory objectives, and that these may not be the same as, for example, risks to shareholder value. The report is available at http://www.fsa.gov.uk/pubs/policy/bnr_progress2.pdf.
The firm risk assessment framework: This is the fourth document in the Building the new Regulator series of reports issued by the Financial Services Authority. It describes the FSA's ARROW framework for risk assessment and is essential reading for anyone in a regulated firm who will be involved in the risk assessment process. It was published in February 2003 and is available at http://www.fsa.gov.uk/pubs/policy/bnr_firm-framework.pdf.
Mastering Risk Volume 1: Concepts: Edited by James Pickford, this book is a collection of chapters by different authors that first appeared as a series in the Financial Times. The chapters vary in quality, but most are useful to some degree. Some chapters in the book tend to assume a banking background. There are five chapters on operational risk, somewhat less banking oriented than many of the other chapters. It has a useful overview chapter on credit risk, Lenders and borrowers demand a creditable system by Suresh M. Sundaresan. There is a useful chapter on enterprise risk management, Total strategies for company-wide risk control by Lisa Meulbroek. Visit the page for this book on Amazon.
Mastering Risk Volume 2: Applications: This book, edited by Carol Alexander, is a collection of chapters by different authors that first appeared as a series in the Financial Times. The chapters vary in quality: some of them are rather more useful than others. There is an unstated bias towards banking. It has four chapters on operational risk, covering measurement and modelling as well as an overview chapter. There are several chapters on different aspects of modelling credit risk. Visit its page at Amazon.
Financial Services Authority: The FSA is the regulatory authority for the financial services industry in the UK. Its website at http://www.fsa.gov.uk contains all the public documents produced by the FSA, including consultation papers and the texts of speeches as well as the currently applicable Handbook of rules and guidance.
Risk Management, by Andrew Holmes: A book in the ExpressExec series. It gives a brief overview of several aspects of risk management, rather less biased towards banking than many other books (and also much shorter). It covers a somewhat eclectic range of topics, and has a useful list of resources. Visit its page at Amazon.
Managing Operational Risk, by Douglas G. Hoffman: This is a major tome, giving "20 Firmwide Best Practice Strategies". Hoffman's background is in banking, and the book certainly concentrates on that industry. He does make an effort to extend the range, though. This is an extremely comprehensive book, a bit difficult to make one's way through at times. It contains many lists of key points, which are made slightly less useful because each list is so long. Visit the page for this book at Amazon.
Risk Management in Banking, Second Edition: By Joël Bessis. The word comprehensive doesn't begin to describe this book as far as a quantitative view of risk in banking is concerned. However, as its title suggests, it doesn't discuss risk management outside banking at all. It has a full treatment of credit risk, including a useful overview chapter on credit risk models and many chapters on different aspects of modelling both standalone risk and portfolio risk. It hardly mentions operational risk. Visit its page at Amazon.
A Risk Management Standard: Produced by The Institute of Risk Management, in conjunction with ALARM (The National Forum for Risk Management in the Public Sector) and airmic (The Association of Insurance and Risk Managers). It is available from their website at http://www.theirm.org/publications/PUstandard.html.

	:: About :: Blog :: Notes :: All topics :: All links :: Publications :: Downloads :: Contact Related topics: Operational Risk Risk identification Risk management process Financial Services Authority ARROW risk assessment framework Risk classification Future regulation of insurance briefing The FSA and operational risk Risk indicators Enterprise risk management The FSA and risk based capital Read my blog. Is your software use Competent, Complacent or Compromised? Take my 30 second quiz now, and find out! Read past issues of my newsletter. Tools download a simple code profiler for Excel VBA. Automated spreadsheet testing, documentation and more. Download now, or find out more at http://www.xlsior.com. Search WWW Search louisepryor.com
Risk maps Themes: Risk management See the list of related resources at the bottom of this page. The purpose of a risk map is to help you decide what to do about your risks. I've seen the term applied to several different things; this note sets out what my understanding of the topic. The important properties of a risk map are: Includes all the relevant risks; Includes some sort of ranking or assessment of each risk; Each risk is mapped back to the organisational structure in some useful way. Another term often used in this context is risk profile. If the properties listed above seem a bit vague, that's because risk maps can be used in all sorts of different situations, and being any more specific would rule some of them out. We can consider a couple of simple examples to make things a bit clearer. FSA risk assessment matrix The risk assessment matrix produced by the FSA as part of its ARROW risk assessment framework is a risk map. (The matrix is available in both The firm risk assessment framework and Building the new regulator: Progress report 2 — see below.) It includes all the risks that the FSA are interested in, they are each given a probability score, and the risks are mapped on to the risks to the FSA's objectives. The completed matrix is used by the FSA to decide on any remedial actions that should be taken by the firm being assessed. Internal risk management An organisation's internal risk management processes might also make use of a risk map. The risks included in the map would be decided during the identification stage; it's important to make sure that all the risks that the organisation faces are included. A simple method of assessment is to assign to each risk a qualitative value for impact or consequences and one for frequency or probability. In each case, a simple low/medium/high classification is often used. A simple matrix can then be used to assign a single grade to each risk: for example, a high impact/high frequency risk might be ranked as avoid while a low/low risk might be ranked as ignore. Other possibilities include insure, control, and transfer. A structure that is frequently found is for risks to be grouped by functional area. Relating them to the organisational structure in this way helps to decide how to control them. Resources Building the new regulator: Progress report 2 The Financial Services Authority have issued a series of reports outlining their new risk-based regulatory framework. This report, issued in February 2002, describes their risk-based operating framework and what it means for the firms that they regulate. In particular, it includes (as Appendix B) a probability assessment matrix that provides the risk classification system that they use. Note that the FSA is interested only in risks to their statutory objectives, and that these may not be the same as, for example, risks to shareholder value. The report is available at http://www.fsa.gov.uk/pubs/policy/bnr_progress2.pdf. The firm risk assessment framework This is the fourth document in the Building the new Regulator series of reports issued by the Financial Services Authority. It describes the FSA's ARROW framework for risk assessment and is essential reading for anyone in a regulated firm who will be involved in the risk assessment process. It was published in February 2003 and is available at http://www.fsa.gov.uk/pubs/policy/bnr_firm-framework.pdf. Mastering Risk Volume 1: Concepts Edited by James Pickford, this book is a collection of chapters by different authors that first appeared as a series in the Financial Times. The chapters vary in quality, but most are useful to some degree. Some chapters in the book tend to assume a banking background. There are five chapters on operational risk, somewhat less banking oriented than many of the other chapters. It has a useful overview chapter on credit risk, Lenders and borrowers demand a creditable system by Suresh M. Sundaresan. There is a useful chapter on enterprise risk management, Total strategies for company-wide risk control by Lisa Meulbroek. Visit the page for this book on Amazon. Mastering Risk Volume 2: Applications This book, edited by Carol Alexander, is a collection of chapters by different authors that first appeared as a series in the Financial Times. The chapters vary in quality: some of them are rather more useful than others. There is an unstated bias towards banking. It has four chapters on operational risk, covering measurement and modelling as well as an overview chapter. There are several chapters on different aspects of modelling credit risk. Visit its page at Amazon. Financial Services Authority The FSA is the regulatory authority for the financial services industry in the UK. Its website at http://www.fsa.gov.uk contains all the public documents produced by the FSA, including consultation papers and the texts of speeches as well as the currently applicable Handbook of rules and guidance. Risk Management, by Andrew Holmes A book in the ExpressExec series. It gives a brief overview of several aspects of risk management, rather less biased towards banking than many other books (and also much shorter). It covers a somewhat eclectic range of topics, and has a useful list of resources. Visit its page at Amazon. Managing Operational Risk, by Douglas G. Hoffman This is a major tome, giving "20 Firmwide Best Practice Strategies". Hoffman's background is in banking, and the book certainly concentrates on that industry. He does make an effort to extend the range, though. This is an extremely comprehensive book, a bit difficult to make one's way through at times. It contains many lists of key points, which are made slightly less useful because each list is so long. Visit the page for this book at Amazon. Risk Management in Banking, Second Edition By Joël Bessis. The word comprehensive doesn't begin to describe this book as far as a quantitative view of risk in banking is concerned. However, as its title suggests, it doesn't discuss risk management outside banking at all. It has a full treatment of credit risk, including a useful overview chapter on credit risk models and many chapters on different aspects of modelling both standalone risk and portfolio risk. It hardly mentions operational risk. Visit its page at Amazon. A Risk Management Standard Produced by The Institute of Risk Management, in conjunction with ALARM (The National Forum for Risk Management in the Public Sector) and airmic (The Association of Insurance and Risk Managers). It is available from their website at http://www.theirm.org/publications/PUstandard.html.
Copyright © 2003-2008 Louise Pryor. All rights reserved. Site developed by Louise Pryor. Louise Pryor is no longer practising as a consultant — the site is maintained as an archive, and is not updated.