Contact Information. General approach to building a risk map
To reduce the impact of risks, they must be managed. An example of our company’s risk map will help you develop your own risk control algorithm.
The company where I work is part of an international holding company, so we assess risks according to uniform regulations for subsidiaries. It involves drawing up a risk panel, on the basis of which a risk map, an example of which I will give below, and a visual diagram are formed.
We have been using this approach for the last three years. Using a risk map, we structured the risks, focused on those that pose the greatest danger, and were able to reduce losses. For example, losses from procurement market risk were reduced by 30 percent, from organizational risk by 60 percent, and tax risk was minimized.
Determine which risks to monitor
First, decide what risks the company faces and which ones you will monitor. It’s not worth considering the very minor ones, it’s just a waste of time. Choose the ones that are significant and will have a big impact on the numbers. We analyze five groups, in each of which we distinguish subgroups.
- Financial risks: currency, interest, tax, credit, liquidity, investment and derivatives risks.
- Operational risks: technical, informational, organizational, project, legal, management and personnel risk.
- Strategic: risk of enterprise strategy and business area.
- Environmental risks: legislative, technological, risk of disasters and trade relations with the country.
- Market: risk of competition, sales markets and procurement.
Each subgroup is divided into components. For example, currency and interest rate risk includes the risk of losses caused by fluctuations in Libor/Euribor interest rates on a loan in foreign currency.
Create a panel of significant risks
This indicator allows you to estimate the company's losses if a risk arises (taking into account the effectiveness of its response). We calculate the risk priority number using the formula:
NPR = gold and foreign reserves × domestic reserves × economic development
where gold and foreign currency is the value of the risk impact (in euros);
PVR is the probability of its occurrence (in%);
MER is the risk response efficiency multiplier (in %).
This indicator is influenced not only by the size of possible losses, but also by how likely this risk is and how quickly we can eliminate its consequences. The lower the priority number, the less dangerous the risk.
If we sum up the priority numbers of all analyzed risks, we get the total risk of the company. It characterizes the total amount of probable losses or lost profits.
Based on the table, the priority number of currency and interest rate risk is 60 thousand euros, of which:
- 50 thousand euros for the risk of currency losses from accounts payable (300 thousand euros × 100% × 16.67%);
- 10 thousand euros for the risk of losses caused by rising interest rates.
Example of a company risk map
Then we rank the risks by priority number and draw up an overall diagram. To do this, from the risk panel we put the name, priority number and probability of the risk into a separate table. In addition, we add the column “share in total risk” to the table (see Table 1).
Example
With an annual gross income of an enterprise of 9 million euros, risks exceeding 270 thousand euros will be critical. According to the diagram (see additional. Its priority number is 1.1 million euros, which is 33 percent of the total risk. The highest probability of occurrence (94%) is for currency and interest rate risk, although it is insignificant in magnitude - only 2 percent of total risk.
In addition to the diagram, we draw up a risk map in Excel (for an example of a risk map, see Table 2), marking them according to the traffic light principle:
- critical risks - in red;
- less significant - yellow;
- the most minor ones are green.
Figure 2. Example of a risk map
for marking, create a rule for highlighting cells in the “Conditional Formatting” field (see example of a risk map).
We classify the risk as critical:
- if it is inherent in several business processes;
- its priority number exceeds three percent of the company's gross revenue;
- its implementation influences the achievement of the strategic goals of the enterprise;
- to manage it, corporate strategy needs to change.
Example of risk
A risk with a priority number of more than 270 thousand euros is highlighted in red, in the range from 135 thousand (50% × 270 thousand) to 270 thousand euros - yellow, less than 135 thousand euros - green. As can be seen from Table 2, three out of 19 risks are red, two are yellow and 14 are green.
Calculate the final risk index
The final risk index is determined by the formula
IR = SR: MD
where CP is the total risk,
MD - marginal income.
Example of risk
With an annual marginal income of the company of 2.5 million euros and a total risk of 3,363,333 euros, the risk index will be 1.3.
- less than 4 - highlighted in green,
- in the range from 4 to 6 - yellow,
- more than 6 - red.
In this case, we take into account the difference between the current and previous index values:
- if it is positive, highlight it in red;
- equal to zero - yellow;
- negative - green.
Red or yellow color serves as a signal to analyze the reasons for the index change.
Work plan
Number and the priority of each risk for the period we compare with data from last year. We analyze the reasons for significant deviations. We study not only increased risks, but also those that have significantly decreased. In the risk panel we provide the reasons and measures that will prevent or minimize them.
Example of risk
The risk of losses due to disruption of the production process is associated with the fact that the potential volume of orders exceeds the capacity of the equipment. And the risk of losses from fluctuations in the Libor/Euribor rate arose because the company raised a loan in foreign currency. This risk can be avoided by changing investment policies to reduce the need for borrowed funds. If there is a loan, measures are taken to minimize risk - monitoring rates, reducing debt if they increase, etc.
The controlling department and its divisions monitor risks annually, and the most critical ones - quarterly. We present the results of the risk assessment and the plan for working with them at the end of the year to the board of directors.
Prepared based on materials from the magazine
Attached files
- Example of a risk map.xlsx
By clicking on the "Download archive" button, you will download the file you need completely free of charge.
Before downloading this file, think about those good essays, tests, term papers, dissertations, articles and other documents that are lying unclaimed on your computer. This is your work, it should participate in the development of society and benefit people. Find these works and submit them to the knowledge base.
We and all students, graduate students, young scientists who use the knowledge base in their studies and work will be very grateful to you.
To download an archive with a document, enter a five-digit number in the field below and click the "Download archive" button
Similar documents
Organization of risk management at the enterprise. The state of the construction industry as an external risk factor. Their manifestation in the organization in the process of financial and economic activities. Pilot operation to implement risk management stages.
thesis, added 12/19/2014
Organization, identification, main aspects and trends of risk management. Analysis and assessment of the degree of risks, their classification. Risk management as a management system. Industry risk management. Investment strategy and portfolio risk management.
tutorial, added 11/27/2009
The essence and functions of risk management, its strategy and tactics. Types of risks and methods for their assessment. Tips and methods for reducing risks. Organizational and economic characteristics of Rabochy-1 LLC. Study of risks in enterprise financial management.
course work, added 05/10/2014
The essence of risk management, its main content and principles of organization. Classification and types of risks, their comparative characteristics, methods of reduction and management. Analysis of business risks in an enterprise, ways to minimize them.
course work, added 08/23/2014
The concept of factor, type of risks and losses from the occurrence of risk events. Assessing the effectiveness of actions to minimize risks. Analysis of project risks, their classification and identification. Risk management using the example of shared-equity construction of a residential building.
test, added 12/03/2014
History of the development of risk management. Risk can be managed. Concept and classification of strategic risks. Description of the risk assessment method and their impact on the activities of risky enterprises. Risk mitigation measures. Forecast of strategic risks in Russia.
course work, added 02/08/2009
course work, added 05/03/2011
Representatives of various sectors of the economy - including our clients - often ask us, as risk management consultants, the question: are there simple and clear methods, accessible to non-specialists, that would help at least roughly assess the risks in the development of new strategic business areas, large investment plans, etc. It happens that during the strategy development process, up to ten possible strategies are evaluated. Each of them has its own set of often catastrophic risks. So is there a way to quickly and concisely display your organization's business risks that are preventing you from achieving your strategic goals? How to describe in several pages the details of these risks, as well as the composition of actions to reduce or eliminate them, how to establish and distribute the time frame for completing the work, measures of success and performers responsible for successful completion?
This can be done by building a risk map of your organization or a separate strategic direction for business development.
What is a risk map and how is it useful?
Risk map is a graphic and text description of a limited number of risks of an organization, located in a rectangular table, along one “axis” of which the strength of impact or significance of the risk is indicated, and on the other the probability or frequency of its occurrence. Figure 1 shows a particular example of a risk map.
Hsomething you can do yourself: the process of building a risk map.
In general, the process of risk mapping is part of a systematic methodology covering all aspects of a company’s activities, which allows one to identify, prioritize, and quantify (break into classes) the organization’s risks. Methods that consultants use when drawing up a risk map include interviews, formal and informal questionnaires, reviews and industry studies, analysis of the company's documentation package, numerical assessment methods, etc. It should be noted that when it comes to assessing financial risks, it is the quantitative analysis of the company’s financial statements that is important. Of course, the individual characteristics of the client company and its needs dictate the appropriate method of data collection and analysis.
We will describe an example of the process of independent risk mapping when solving the problem of identifying risks critical to the organization (threatening the existence of the organization), highlighting only the main steps. These steps include initial training, analysis boundaries, team composition, time horizons, scenario analysis and ranking, risk tolerance, action plan, quantification and modeling techniques.
Primary training.
When drawing up an organization's risk map, it is very important that at least one or two company employees are trained in the basics of risk management. They will further help to establish dialogue between team members and guide the entire team during the mapping process. To do this, it is necessary to conduct preliminary training, which can last from one to five days. In our experience, the best results are achieved when the orientation seminars last two to three days. The role of such a trained company employee is the manager of the risk mapping process within the company, constantly guiding the team towards the desired goal. In cases where specific subject matter expertise is required, an expert may be added to the team. Of course, if your organization has a large number of competent specialists, this will strengthen the team.
Don't trust the work to amateurs. If you do not intend to contact consultants, train your employees.
Limits of analysis.
The boundaries of analysis, which determine which business decision areas are affected by mapping, are determined early in the process. Risk management consultants also do this during the first stage of their assessment of the organization. In the example under consideration, we define boundaries as the identification, prioritization and understanding of all risks that impede the achievement of corporate strategic goals in the implementation of a specific strategic plan. Note that the scope of analysis can be as wide or as narrow as the organization desires. However, there must be a balance between the breadth of the scope, the depth of the information and the value of the information that will be obtained from the risk mapping process. For example, the value of one risk map for the entire company may be significantly less than the value of risk maps for each business unit or any one business unit of the company, or vice versa.
Decide on the goals, availability and cost of information. Then outline the boundaries of the analysis to build a risk map.
Command structure.
Team composition is critical to the success of the risk mapping process. When professional consultants carry out work, the team (working group) usually includes the top management of the company, i.e. those specialists who have experience and expert knowledge. In the case of independent risk mapping, the consultant is essentially the “collective intelligence” of the organization’s top management, guided by trained employees. Experience shows that a team works effectively if it consists of six to ten people.
Only by defining the boundaries of the analysis can you determine who is included in the team. When drawing up a map of a company's strategic risks, for example, the team includes the chief administrator, the head of the financial department, the head of the treasury, the head of the legal, control, and IT departments, and the head of the strategic planning department, if the company has one. If the company already has a risk management department, then, of course, its head is included in the working group.
For narrower scopes, such as identifying and mapping the risks of a specific division or operating business unit, the team will consist of the top management of the division's management team. Or, if the risks of a certain area of activity such as e-commerce are being analyzed, then the team will be formed from senior representatives of the relevant functional areas and those departments whose interests are affected.
It is most important that the team be as representative of the institutional knowledge of their company as possible and include top management.
Scenario analysis and ranking.
At this step, the team undertakes a guided brainstorming session to identify all the potential risks of the company under a given development strategy and the scenarios that accompany their emergence. Once identified, risks and scenarios are discussed, consensus is reached, and a written description of the scenarios is prepared. The key points of each scenario are the company’s “vulnerability” (risk object), “trigger mechanism” (risk factors) and “consequences” (the magnitude of possible losses).
A vulnerability or risk object is a company's value that is susceptible to potential threats. Trigger mechanisms (risk factors) cause negative consequences for risk objects. Consequences are expressed in terms of the nature and magnitude of losses resulting from the vulnerability of the risk object and the nature of the trigger mechanism. At the same time, it happens that seemingly dissimilar scenarios and trigger mechanisms leading to the same consequences for the risk object are combined, when viewed from a bird’s eye view, into one scenario. Already at this stage of work, one should strive to understand whether many small risks, which, as a rule, employees of an organization identify when working independently, can be combined into some groups, on the basis of which this can be done.
Once a limited number of scenarios have been identified and consensus has been reached, the team must rank the scenarios in terms of "impact" and "likelihood". The team defines both impact and likelihood in terms that are relevant to the organization. For example, in qualitative terms, the four impact ranks can be defined in descending order as (1) catastrophic, (2) critical, (3) significant, and (4) marginal. The probability ranks, of which there are six on our map, are also defined in qualitative terms from “almost impossible” to “almost certainly will happen.” Both likelihood and significance can also in principle be quantified by a company. The team can use any quantitative determination, however, this procedure is much more complex and requires significant analysis time.
Determining the risk tolerance limit.
The critical limit of risk tolerance is a broken thick line that separates those risks that are currently tolerable from those that require constant monitoring right now. Business risks located above and to the right of the boundary are considered “intolerable” and require immediate management attention. In the case of developing an organization's strategy, it is advisable to understand before adopting the strategy how to manage or eliminate them; will this not lead to such a decrease in business profitability that the strategy will become unattractive? Those threats that are located below and to the left of the border are currently considered tolerable (this does not mean that they will not need to be managed at all).
The risk tolerance limit changes depending on the organization's risk appetite. When classifying risks by significance/probability, even without a numerical assessment, you can roughly estimate the amount of financial losses from a particular risk, which allows you to determine to some extent the organization’s appetite for risk and determine the limit of risk tolerance on the map.
And here is the risk map!
The final step in mapping is placing business risks on the risk map based on their impact rank and probability rank, i.e. in essence, a classification of risks according to two parameters. In general, in a more complex case, there may be three or five such parameters. Then you can’t do without mathematics. In our example there are two parameters and the team aims to place each risk in the appropriate impact/probability cell. In this case, only one risk falls into one cell.
It is important to understand that the ultimate value of an organization's risk map lies not in determining the exact impact or level of likelihood of a particular threat, but in the relative position of one threat relative to other threats, and their position in relation to the risk tolerance boundary. Now, in order to accept this strategy, if it suits us in terms of profitability parameters, it is important to understand how to transfer all the risks lying in the red-lilac zone of “intolerance” to the green zone.
Action plan.
Risks that lie above the tolerance limit require immediate attention right now. Therefore, it is important to develop specific action plans to reduce the magnitude or likelihood of losses from a given risk. It is also necessary to determine target indicators and a measure of success in risk management, dates for achieving target indicators and assign responsibility. The goal of the action plan here is to figure out how to move each “unbearable” risk further to the left and below into the “tolerable zone.” It should be noted here that you need to compare the costs of such a move with the benefits from it, and also take into account that a strong reduction in the company’s risks can lead to its loss of most of its profitability.
Quantification and modeling.
The level of detail required in the analysis is specific to each risk and varies from one risk to another, but depends mainly on the goals pursued by the organization. If Western banks often fight for a fraction of a percent when assessing possible losses, then even our banks, not to mention enterprises in the real sector of the economy, do not yet need such accuracy. In general, when assessing a fairly wide range of business risks, significant detail is not required or cannot be done. Other risks and action plans will require more detailed research and quantification than can be achieved through questionnaires, brainstorming sessions, industry data studies, etc.
For risks that require additional analysis, sophisticated quantitative assessments and modeling techniques must be used.
Risk map - picture or process?
From the point of view of risk management technology, with the construction of a risk map, the management process does not end, but only begins. Moreover, your company's risk map is a “living organism” that reacts to decisions made and operations performed. It lives and develops with the development of your business; along with new opportunities, new risks appear; some of the old risks lose their relevance and become insignificant for your business. Therefore, it is important that the process of mapping risk and clarifying the map is built into the actions of the organization.
This will allow the company’s risks to be updated as often as necessary. Typically, the period for “planned updating” is a year; sometimes it is tied to seasonal cycles, if they occur in business, etc. However, when even weak signals appear about events that can greatly affect the company’s risk objects, their impact on the company’s risk map should be assessed without any frequency.
Creating value for the company.
Company risk mapping should be used to test existing strategies in the context of the company's realized and unrealized risks and opportunities for generating profitability, as well as to support management decisions on the development of new strategic directions.
Let's look at traditional approaches to strategic planning. While most companies perform some type of formal strategic planning (they are all well known), companies do not have a business process for identifying, assessing and integrating opportunities and risks, i.e. some kind of “teaching strategy”. This can easily be illustrated in the example of e-commerce, where traditional strategic planning methods cannot cope with the speed of change. The nature of technological change means that the reasons (returns and risks) that are considered correct for many of today's decisions are very likely not to be so in six months, and will bear no resemblance to those that will occur in three years. .
There is a disconnect between those who typically conduct the strategic planning process and those who interact with customers and are responsible for the gains or actual business losses in the ongoing business process. Traditional "strategic planners" rely on knowledge available at a specific point in time, while line management relies on "living" knowledge based on actual market dynamics, which can be called a "learning strategy." Business success depends on the quality of decisions made in the dynamic present. An ongoing risk mapping process targeting a company's strategy can bridge or reduce the gap between "strategy planners" and line managers, including "live" market information about where a company's competitive advantage can actually be realized.
Thus, risk mapping is a powerful analytical tool for understanding and prioritizing a company's business risks. In addition, in many cases, the risk map is a source for creating economic value for the company, because It is already clear that this methodology can be applied beyond the risk management process itself. It plays an important role in strategic and ongoing planning, implementation of existing and evaluation of future business strategies.
In the course of identifying and assessing financial risks, various graphical methods are used that provide a visual representation of the distribution of risks in time, by type of activity, by stages of a business process, in space (for example, by premises), by the amount of identified damage, etc. But the most universal information visualization tool, widely used in risk management, is the so-called risk map. It is built on the basis of a register of risks and their qualitative and quantitative characteristics obtained during the measurement process. A risk map can be built either for the entire organization or for any department. In addition, risk maps can be drawn up for the direction of the organization’s activities or for a separate project or program.
The simplest risk maps are usually presented in tabular form. In cases where qualitative and quantitative scales of probabilities and consequences are used to measure risks, matrix risk maps are used. Matrix risk map is a graphical and textual description of a limited number of risks of an organization, located in a rectangular table, on one “axis” of which the strength of impact or significance of the risk is indicated, and on the other, the probability or frequency of its occurrence. In cases where qualitative and quantitative scales of probabilities and consequences are used to measure risks, the entire range of risks is divided into cells. Due to its external similarity, such a risk map is sometimes called a “matrix”.
Generally speaking, the methodologies for constructing a risk map are as different as the risks of companies are different. The construction of a risk map can be carried out both as part of the implementation of a risk management system at the level of the entire organization, and to solve a separate range of risk management tasks. Methods that consultants (experts) use when drawing up a risk map include interview , formalized And informal questionnaires for reviews And industry research , analysis of the company's documentation set and numerical assessment methods and so on.
The composition of the team of consultants (experts) is very important for the success of the risk mapping process. When carrying out work by professional consultants, the team (working group) usually includes those specialists who have experience and expert knowledge. Experience shows that a team works effectively if it consists of six to ten people. Only by defining the boundaries of the analysis can you determine who is included in the team. When drawing up a map of the company’s financial risks, the team must include the head of the financial department, the head of the legal, control, GG departments, etc. The degree of detail required in the analysis is specific to each risk and varies from one risk to another, but depends mainly from the goals pursued by the organization.
Mapping is a complex process that involves many specific activities, but in general terms it involves visualizing identified risks. Risk identification includes financial risk analysis aimed at identification and assessment of risks.
Let us recall that identification is the first and one of the main stages of risk analysis. The results of risk identification make it possible to describe and compile a risk register. Risk assessment involves determining (calculating) the main qualitative and quantitative parameters (magnitude) of risk.
The results of risk identification and assessment are entered into financial risk maps. To build a financial risk map (hereinafter referred to as the Map), you must complete the following sequential steps and fill in all the columns of the following table (Table 2.6).
At the initial stage, identification involves choice of risk owner (risk subject). In our Map this is the line - job title.
The so-called risk owners (from English - riskowners) – These are employees, specialists whom the manager instructs to monitor the triggers of some specific risk, as well as manage response procedures in the event of this risk occurring. Employees become risk owners because of specific expertise regarding a particular issue or because they have some control over a specific risk.
Here the selection of an employee’s position and identification of the types of activities performed by him and the management objects associated with these types of activities are carried out. We will enter the selected type of activity in column 2 Maps.
The group of subjects with increased financial risk includes those that are characterized by:
- the presence of powers related to the distribution of significant financial resources;
- a high degree of freedom of action caused by the specifics of their work;
- high intensity of contacts with organizations and their representatives.
The next step is to identify a list of job responsibilities with high financial risk. Identification and assessment of risks is carried out according to a specific list of job responsibilities with a high probability of financial risks.
Column 3 Cards involves consideration and analysis of work conditions. Usually the following conditions are distinguished:
FINANCIAL RISK MAP No.________________
Department: _________________________________________________
Job title: ____________________________________________________
Filled out
(Head of unit) (signature) (Last name I. O.) (date) AGREED
Head of organization (division) ____________________________________________________________
______________________________________________________________________
- (EXPERT/CONSULTANT)
- normal (planned activities) – designated by the letter “N”;
- emergency (incidents and other emergencies) – designated by the letter “A”.
Identification of specific types of financial risks associated with selected activities is recorded in column 4 Maps.
The identified risks are described and documented in the form of a Register of Financial Risks (Table 2.7).
Table 2.7
Register of financial risks
|
Object of risk |
Risk name |
Description of the risk |
Risk factor |
|
|
P |
Count 5 Cards involves the identification of existing measures against the impact of hazards (regulations, measures) for the selected type of activity (work). Measures against exposure to hazards include:
- training and advanced training in the field of minimizing financial risks;
- carrying out certification of workplaces;
- carrying out certification of workplaces according to working conditions;
- testing of implemented standards, norms, regulations;
- identifying areas of business processes not covered by controls;
- identifying ineffective controls;
- introduction of new indicators of financial risks;
- other similar measures.
Identification of incidents (commercial bribery, official forgery, trading of insider information, abuse of authority, etc.) in the organization is filled out in column 6 Maps. Information on incidents is accumulated in the table presented (Table 2.8).
Table 2.8
Information on incidents
Description of the severity of the hazardous event (assumed - in the absence of statistics) from the possible impact of the hazard (column 7 Cards) taking into account the implementation of existing measures against this impact (standards for minimizing financial risks).
The most difficult step is assessing the risk. The risk assessment associated with the identified hazard is recorded in columns 7–10 Maps.
The risk associated with an identified hazard is assessed using the following formula:
where P is risk; T – severity of harm; – probability of danger occurrence; – exposure to hazards.
The severity of harm (T) is assessed in a point system (for example, in a ten-point system) and filled out in the form of a table (Table 2.9).
Table 2.9
Severity of harm T
|
Characteristic |
|
|
Bankruptcy |
|
|
Loss of primary financial document |
The severity of harm is determined by the expert assessment of the working group that conducts the mapping. They determine the severity and assign points based on the specifics of the business entity. Therefore, for example, the harm from the revocation of a license to carry out transactions in foreign currency for some organizations will be 9 points, and for others, non-core organizations, much less.
The probability of harm (B) is considered by experts in terms of the likelihood of the hazard occurring and exposure to the hazard and is filled out in the following tabular form (Table 2.10).
Table 2.10
Probability of harm B
|
Probability of occurrence of danger, B1 |
Exposure to hazard, B2 |
|
|
1 event per day |
From 90% of working time |
|
|
1 event per month or less |
80 to 90% of working time |
|
|
1 event per quarter |
70 to 80% of working time |
|
|
1 event per half year |
60 to 70% of working time |
|
|
1 event in 9 months |
50 to 60% of working time |
|
|
1 event in 1 year |
40 to 50% of working time |
|
|
1 event in 2 years |
30 to 40% of working time |
|
|
1 event in 3 years |
From 20 to 30% of working time |
|
|
1 event in 4 years |
From 10 to 20% of working time |
|
|
1 event in 5 years |
Up to 10% of working time |
Further, the identified risks must be sort. Let’s look at a real technique for sorting out a large number of risks, which has proven itself in more than one hundred companies. It is actively used and promoted by the Risk Management Special Interest Group ( RMSIG ) from Project Management Institute. The essence of the method is to distribute risks over a special card (its other name is PI- matrix). The map should look as shown in the table. 2.11. Typically, all identified risks are distributed among the risk team members. As a rule, the one who identified the risk is responsible for the risk (source indicated at RMC- map). Risks identified by those not present for the procedure are shared equally among all other participants. Then the participants distribute their risks into certain squares, i.e. rank the probabilities and degrees of impact of these risks.
Table 2.11
Risk sorting map
|
Probability |
||||||||
|
Impact level |
||||||||
It may be necessary to improve the quality of individual decisions about the likelihood and impact of risks. It is recommended to distribute markers of different colors to team members and ask them, after reviewing all the risks, to mark those with which they do not agree and which, in their opinion, need to be discussed separately. The flagged risks are then discussed and appropriate changes made. At the end of this step, the likelihood and degree of impact of each risk on the project is considered established, and RMC- cards, the probability of a given risk and the degree of influence are entered.
In addition to the risk sorting procedure, they must be propagate those. define R.R. (from English - risk ranking) for each risk. Formula for determining R.R. is this:
R.R. = Probability of risk (IN) × Risk exposure ( Y ).
This step repeats the sorting of risks on the map, but experts advise carrying it out, since it will be needed in the future. Then you can determine which risks will be included in the risk management process. List of risks according to value R.R. allows you to sort them. In this way, risks that have a very low probability of occurring or will have a very small impact on the project can be removed from further analysis.
The most important thing at this step is to decide on the threshold values of risks that will be included in further consideration. This is a complex issue on which it is difficult to give specific recommendations. The experience of the project manager plays a huge role here, as well as the risk levels that are accepted as thresholds in the company. If the company has adopted a maximum project risk level of 70, then all risks that have R.R. above 45–50 should be considered significant. All risks that have R.R. below 45–50, are documented, but are not put into risk management work. The identified risks are ranked, their written description is compiled, which is entered into a special table (Table 2.12). A similar table is filled in by each expert.
Table 2.12
Risk ranking map
|
Object of risk |
Risk name |
Risk factor |
Probability of occurrence |
Damage from risk |
Risk index (I r = B × Y) |
|
|
P |
The results of risk identification and assessment are entered into Maps for presentation to management. The identified, sorted and ranked risks are entered into the first version of the final Corruption Risk Map. In fact, we have already done part of this work by filling out the table. 2.6.
For a more visual representation, the identified and sorted risks are entered into a matrix Risk Map. Depending on the degree of danger, several categories of risks are distinguished. The number of categories corresponds to the needs of the study. You can use the table below as a starting point. 2.13. It will help determine High , Average or Low risk depending on its likelihood and consequences. For example, the combination High probability + High influence will obviously mean High level of risk.
Table 2.13
Risk level
|
Severity of Consequences/Probability of Occurrence |
Overall risk level |
|
High Losses/High Probability |
|
|
High Loss/Medium Probability |
|
|
High Loss/Low Probability |
Medium/Low |
|
Medium Loss/High Probability |
|
|
Average loss/Average probability |
Medium/Low |
|
Medium Loss/Low Probability |
|
|
Low Loss/High Probability |
|
|
Low Loss/Medium Probability |
|
|
Small losses/Low probability |
These nine simple combinations of risk characteristics can also be presented in tabular form as follows (Table 2.14).
Table 2.14
Level of risk and measures to manage it
|
Likelihood/Impact |
|||
The cells represent combinations of probabilities and consequences that can be safely ignored. The cells represent combinations that require urgent risk management measures. The cells represent combinations that require close attention and regular re-evaluation in the future.
The risk assessment is valid for a certain period. To have grounds to apply the apparatus of probability theory, this period must be quite long (three to five years). If the probability of an event (for example, theft) is low, the period under consideration should be further increased. But during this time the situation will change significantly and the old estimates will lose meaning. Consequently, when assessing risks, events with a probability less than a certain threshold value can be neglected, despite the fact that the potential damage from them may be great. Note that this is contrary to traditional practice, when managers tend to pay excessive attention to risks with high damage and low probability. In fact, in the first place there should be risks with moderate damage, but with a high probability (for example, malware attacks) that occur repeatedly during the period under review. At the same time, it must be borne in mind that the probability of a negative event is very difficult to assess with any accuracy. Therefore, it is recommended to consider risks not as numerical values, but as points on a plane, where the coordinate axes are probabilities and losses (Fig. 2.4). The level lines for the risk function are hyperbolas.
Event risk U1 is one of those usually overestimated by managers; in practice, due to the low probability, it is advisable to neglect most of such risks.
A very important step in risk analysis is determining the risk tolerance limit. Risk tolerance limit – critical limit of risk tolerance. The choice of tolerance line is made by a strong-willed decision of the company’s management. Financial risks located above and to the right of the boundary are considered “unacceptable” and require immediate management attention. Those threats located below and to the left of the border are currently considered tolerable.
Rice. 2.4.
we. The risk tolerance limit changes depending on the organization's risk appetite. When classifying risks by significance/probability, even without a numerical assessment, you can roughly estimate the amount of financial losses from a particular risk, which allows you to determine to some extent the organization’s appetite for risk and determine the limit of risk tolerance on the map. In order to visually represent the limits of risk tolerance (tolerance, acceptability), the financial risk map is presented in the following form (Fig. 2.5).
Rice. 2.5.
Risk acceptability limits allow you to immediately visually determine the division of risks into categories in terms of the danger they pose. The risk map can be a little more complicated and presented in color. For example, a matrix Risk Map may look like this (Fig. 2.6).
Rice. 2.6.
This risk map displays probability or frequency on the vertical axis and impact or significance on the horizontal axis. In this case, the probability of risk occurrence increases from bottom to top as you move along the vertical axis, and the impact of risk increases from left to right along the horizontal axis. The Arabic numerals on the map are designations of risks that have been classified so that each probability/significance combination is assigned one type of risk.
This classification, placing each risk in a specific separate “box,” is not mandatory, but simplifies the process of setting priorities by showing the position of each risk relative to others (increases the resolution of this method). The thick broken line is the critical limit of risk tolerance; cells are combinations of probability and significance (consequences) that can be completely safely ignored. When identifying critical risks, scenarios leading to risks above this limit are considered unacceptable.
They are marked on the map and . The cells represent combinations that require close attention and regular re-evaluation in the future. Based on identified unacceptable (intolerable) risks, it is necessary to understand how to reduce or transfer such risks, while risks below the border are manageable in an operational manner. Risk management corresponds to the movement of points along the plane. Usually they try to approach the origin of coordinates along one axis without changing the value of the other coordinate. However, if you can reduce both coordinates at once, it will be even better. In fact, depending on the design goals, many different types of risk maps or variations of a given risk map can be constructed.
The register and risk maps compiled on its basis are the main information base for making decisions on further risk processing. For the most accurate risk assessment possible, it is essential to take into account the full group of factors that determine risk. The set of risk factors must reflect all conditions of the organization’s external and internal environment that give rise to possible corruption risks.
The risk map has been drawn up; now it is necessary to develop measures to neutralize those risks that turned out to be above the tolerance limit. Based on the Maps of divisions, experts (consultants), together with interested divisions and specialists of the organization, within 10 working days, draw up a “Register of unacceptable risks of the organization (division)”. The working group must determine whether to leave everything as is and take no additional actions or develop a new action plan to manage the risks if they are not satisfied with the consequences. As a result of the activities carried out, it is possible reduce the likelihood of risk , reduce the likelihood of losses , or change the consequences of the risk.
The goal of creating an action plan is to figure out how to move each intolerable risk further to the left - lower into the tolerable zone. It should be noted that it is necessary to weigh the costs of such a move against the benefits of it. Proposed controls for unacceptable risks must first be assessed for the presence of new hazards and associated risks. The degree to which a risk is acceptable depends on the importance to each risk subject and their goals and expectations. The method of influencing the risk is selected. For example, if a risk has been determined to be unacceptable, then a mitigation option is developed. If it does not reduce the risk level to an acceptable level, then the avoidance option is used. If it is impossible to transfer the risk, it must be accepted with the obligatory reservation of funds in case of unforeseen circumstances.
From the point of view of risk management technology, with the construction of a risk map, the management process does not end, but only begins. Moreover, a risk map is a “living organism” that reacts to decisions made and operations performed. It lives and develops with the development of the organization; along with new opportunities, new risks appear; some of the old risks lose their relevance and become insignificant and insignificant for the organization. Therefore, it is important that the process of mapping risk and clarifying the map is built into the actions of the organization. This will allow the organization’s risks to be updated as often as necessary. Typically, the period for “planned updating” is a year; sometimes it is tied to certain cycles (seasonal, calendar) if they occur in the organization’s activities. However, when even weak signals appear about events that can greatly affect the organization’s risk objects, their impact on the organization’s risk map should be assessed without any frequency. It is important to understand that the value of a risk map lies not in determining the exact size of the probability or damage of risks, but in the relative location of one threat to another and their location relative to the acceptability boundary.
Thus, risk mapping is a universal analytical tool for understanding the financial risks of business entities, ranking them by importance, and preparing measures to minimize them.
- URL: iemag.ru/master-class/detail.php?ID=15716
New articles
- “Everything is like in a computer game
- Examples of the best resumes for getting a job
- Abstract modern ethics Fundamentals of modern ethics
- According to Feng Shui, cranes are a symbol of health and longevity
- Margin in simple words
- Shorter working day
- What to feed street birds in winter
- The castration procedure for piglets and its advantages
- We develop an employment contract with piecework wages
- Job description for front loader driver sample
Popular articles
- Lesson on the topic “The reason and significance of the warm-bloodedness of birds
- Culture and religion presentation for a lesson on the topic Do you consider yourself a cultured person
- How to write a resume for a job correctly: template, sample, what to include, what not to include
- Conversation on the topic: “Profession hairdresser
- Transfer without the employee’s consent due to production necessity
- Presentation on “human sensory organs and analyzers” Presentation on the topic of properties of animal analyzers
- Normal sources of reserve formation Values of the main analytical coefficients
- Skin suture. Interrupted seams. McMillan-Donati suture. Struchkov seam. Gillis seam Donati p-shaped seam on the neck
- Job description of a personnel development manager, job responsibilities of a personnel development manager, sample job description of a personnel development manager
- Reports in the 1C: Retail configuration