One area where Enterprise Risk Management often fails is in reporting risks to the executive team of a company, its stakeholders or the board. In this posting we are going to take a look at why risk managers go off the rails with this top-level reporting requirement and how these flaws can be addressed.
Perhaps the best place to begin our study into why risk reporting at board level is so often busted is to observe common reporting practices today, and we have been at this place before on this blog.
Those in Enterprise Risk Management should be familiar with the Risk Heat Map, where top-level risks are plotted on a matrix similar to the one shown below. The Heat Map is nothing more than a matrix with one axis for likelihood and one for magnitude, often drawn with likelihood laid out along the x-axis in a way that has no statistical basis. Risks are then listed and scattered across the matrix: those classified as low risk land in the green zone, while the high-risk threats sit in the far right-hand corner of the matrix.
Curtis & Carey Risk Heat Map | Deloitte & Touche [LINK]
The Curtis & Carey example displayed here is one of the better Risk Heat Maps I have stumbled across over the years, but it fails in the same way all Risk Heat Maps do. Quite simply, it doesn't represent the effect of risk on an objective.
Stakeholders are interested in objectives, not just the risks to them, and the ability to choose how much risk to take when chasing an objective cannot be read from a Risk Heat Map in the traditional sense. Heat maps and risk registers show only one side of the uncertainty equation under our objectives, and that cannot support an unbiased review of risk treatment responses.
ISO 31000 defines risk as "the effect of uncertainty on objectives", but the Risk Heat Map isn't showing us this. At best, what it does show us is each risk represented singly, in a fashion no more sophisticated than glancing through a one-pixel lens that admits a single frequency and a single magnitude of outcome. Worse, presenting risk information to executive management in this manner doesn't support decision making, and it doesn't help stakeholders understand what the true effects of risk may be on a company's bottom line.
I don't believe the Risk Heat Map can be fixed, even though we have deliberated over that end before, because it pitches risk management in the wrong context. Painting risk management as a tiresomely negative activity from the outset, or worse, failing to talk boardroom language, will land many risk managers on the back foot with their stakeholders.
Let's cast the Risk Heat Map finally into the historical bin of ideas that "keep it simple" in concept but don't actually work in practice: a nice idea, but flawed and bung. Consign it to Room 101.
Integrated Risk Reporting
It's quite simple in life: if you want to appeal to someone, if you want to find their sweet spot, you need to talk their language at the very least, and in the boardroom the realm of finance has the upper hand. No one wants to be lectured on threats that may torture them, Heat Mapped or not, when meeting strategic objectives is what catches a stakeholder's attention.
Risk reports need to be integrated with those from finance; the silos between the finance department and the risk function need to be bridged so that risk management is on the same page as finance rather than contesting it.
To do this we need to look at how finance flows through a company and how risk impacts or enriches that flow. There is real entanglement between risk and finance information that needs to be understood before it can be reported, and the schematic below is a Risk Effect Network for finance. This network tracks how risks in a portfolio of uncertainties (not threats) have implications for revenues, how risk treatments impact expenses, and where the resulting outcome of all this modifies a firm's operating margin.
The Risk Effect Network | Martin Davies
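As an added illustration (not the post's own model, nor the forthcoming paper's), the Python below simulates a constructed portfolio of uncertainties feeding revenue, treatment costs feeding expenses, and the resulting spread of operating margin, so the "effect of uncertainty on an objective" appears as a distribution rather than a single heat-map point. The `Uncertainty` structure, the figures and the treatment choices are assumptions made for this example.

```python
import random
import statistics
from dataclasses import dataclass


@dataclass
class Uncertainty:
    name: str
    probability: float           # chance the event occurs in the period
    revenue_impact: float        # revenue change if it occurs (negative = loss)
    treatment_cost: float        # expense of the treatment if chosen
    treated_probability: float   # probability once the treatment is in place


# Constructed sample portfolio: illustrative figures, not from the post.
# Note the upside uncertainty; a threat-only register would omit it.
PORTFOLIO = [
    Uncertainty("key customer churn", 0.20, -400_000, 50_000, 0.05),
    Uncertainty("supplier outage", 0.10, -250_000, 30_000, 0.04),
    Uncertainty("new market uptake", 0.30, 300_000, 0, 0.30),
]


def simulate_margin(portfolio, base_revenue, base_expenses, treated,
                    runs=20_000, seed=1):
    """Return operating-margin outcomes (margin / revenue) for `runs` periods.

    `treated` is the set of uncertainty names whose treatment is applied;
    treatments raise expenses every period, whether or not the event occurs.
    """
    rng = random.Random(seed)
    margins = []
    for _ in range(runs):
        revenue, expenses = base_revenue, base_expenses
        for u in portfolio:
            if u.name in treated:
                expenses += u.treatment_cost
                p = u.treated_probability
            else:
                p = u.probability
            if rng.random() < p:
                revenue += u.revenue_impact
        margins.append((revenue - expenses) / revenue)
    return margins


def summarise(margins):
    """Mean plus 5th/95th percentile margin: the spread a board can act on."""
    s = sorted(margins)
    return {"mean": statistics.fmean(s),
            "p5": s[int(0.05 * len(s))], "p95": s[int(0.95 * len(s))]}
```

Comparing `summarise(simulate_margin(PORTFOLIO, 5_000_000, 4_500_000, set()))` with the same call treating both loss events shows the downside percentile lifting while the mean barely moves, which is the trade-off a heat map cannot express.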
In the next week or so I am going to release a paper that describes how to enable this Risk Effect Network and, alongside this work, I will release a spreadsheet that demonstrates a risk report which is pertinent and consequently useful to stakeholders. Risk reports need to assist stakeholders with their decision-making activities, and they need to move away from being a tiresome list of unfastened negatives on a Heat Map or in a risk register that everyone tries to avoid.