The purpose of a risk map is to help you decide what to do about your risks. I’ve seen the term applied to several different things; this note sets out what my understanding of the topic.
The important properties of a risk map are:
- Includes all the relevant risks;
- Includes some sort of ranking or assessment of each risk;
- Each risk is mapped back to the organisational structure in some useful way.
Another term often used in this context is risk profile. If the properties listed above seem a bit vague, that’s because risk maps can be used in all sorts of different situations, and being any more specific would rule some of them out.
We can consider a couple of simple examples to make things a bit clearer.
FSA risk assessment matrix
The risk assessment matrix produced by the FSA as part of its ARROW risk assessment framework is a risk map. (The matrix is available in both The firm risk assessment framework and Building the new regulator: Progress report 2 — see below.)
It includes all the risks that the FSA are interested in, they are each given a probability score, and the risks are mapped on to the risks to the FSA’s objectives. The completed matrix is used by the FSA to decide on any remedial actions that should be taken by the firm being assessed.
Internal risk management
An organisation’s internal risk management processes might also make use of a risk map.
The risks included in the map would be decided during the identification stage; it’s important to make sure that all the risks that the organisation faces are included.
A simple method of assessment is to assign to each risk a qualitative value for impact or consequences and one for frequency or probability. In each case, a simple low/medium/high classification is often used.
A simple matrix can then be used to assign a single grade to each risk: for example, a high impact/high frequency risk might be ranked as avoid while a low/low risk might be ranked as ignore. Other possibilities include insure, control, and transfer.
A structure that is frequently found is for risks to be grouped by functional area. Relating them to the organisational structure in this way helps to decide how to control them.
The following external links are relevant: