Over the last 10 years, many companies have adopted an enterprise risk management (ERM) framework and launched the process by taking steps to identify and assess their risks. But such an exercise for a global company can involve developing a list of risks that could number in the hundreds.
Such an expansive list of risks requires organization. One approach to organizing the list is to create a “risk register,” which enables categorizing, sorting, and ranking the risks. To inject order into a cumbersome risk register, CFOs and chief risk officers can plot their companies’ most material risks from their registers on a “risk map.” Serving as a kind of executive summary of the risk register, the map amounts to a graphical snapshot of the key risks.
One question any organization should ask before embarking on the process, however, is: “Who benefits from the time-consuming and expensive creation of a risk register that may contain 500-600 risks?” Another: “Who benefits from an executive summary of the key risks?” The answers should stimulate a re-thinking of the purpose of an organization’s risk management program.
Risk Management Fault Line
Being in business is all about taking risks. Examples include: expanding new product lines, research and development, mergers and acquisitions, and geographical expansion. Organizations undertake these and other activities to grow the business.
While all of these areas involve taking risks, none are guaranteed successes. Therefore, managing the threats associated with taking risk is required (traditional risk management). But so is identifying and assessing the upside gain of the opportunities associated with taking those risks (enterprise risk management).
Measuring both the downsides and upsides of risk-taking provides a context that can be used to determine the type and amount of resources needed to support any corporate project. Favorable outcomes, as projected by strategic planners and executive management, require a metric that is meaningful to the organization. For example, the risk should be measured in terms of its impact on earnings per share.
A benefit of measuring risks as a group is that analyzing the range of possible outcomes against what was actually achieved may also provide executive management with insights into individual operational performance capabilities.
To be sure, the benefits of identifying and assessing both risks and opportunities at the same time might seem obvious. Yet it is rarely practiced. One reason is that the two most widely used tools currently employed in ERM risk assessment are the risk register and risk heat map. The focus of both of these is only the perceived threats to an organization – they provide no consideration of the positive value that could be created by taking risks.
Risk registers and risk maps have value under certain circumstances. Based on our research and analysis, we conclude that:
- If the organizational goal is to respond only to known and identified threats, and the ERM process is viewed as an extension of audit and compliance, risk registers and risk heat maps can be useful.
- If the organizational goal is to respond to known threats and opportunities and gain risk intelligence about emerging perils on the horizon, traditional risk registers and risk heat maps fall short.
- If the organizational goal is to grow the business and create value for stakeholders, traditional risk registers and risk heat maps are useless.
- A new tool is required to measure both risks and opportunities. We call it a “Value Map.”
A Value Map is a graphical illustration of both threats and opportunities. Because threats and opportunities are two sides of the same coin, a value map also has two sides, as illustrated above. Threats (negative outcomes) are plotted on the left side of the map, while opportunities (positive outcomes) are located on the right side. Those outcome values may be measures of earnings per share or a project’s net present value, for example. The vertical axis shows the relative likelihood of an event happening.
Rather than plotting a single point on a risk map, the value map illustrates the range of the magnitude of each situation. For example, Risk #1 has a large range of outcome values that runs from moderately negative (the orange range) to very positive (dark-green range). Risk #1’s likelihood is fairly certain, as it all resides in the highly likely range. In contrast, Risk #2’s outcome values are largely in the moderately negative threat range. But the likelihood is very uncertain; the range goes from very low probability to very high probability. Thus, each risk has very different metrics and consequently will require different risk responses.
Knowing the full dimension of each risk is an important consideration, because operational conditions during the year or years are not stagnant. A Value Map also plots movement of risks over time. For example, Risk #1 was a low-probability event in the previous state (perhaps last year). But now, in the current state, the outcome likelihood is much more certain. In contrast, Risk #2 had a very positive outcome and was fairly certain in its previous state. But now, in its current state, the outcome is projected to be a moderate negative threat with high uncertainty in its outcome likelihood. A single dot-plot heat map fails to provide executives with that critical time-sensitive information.
Moreover, some risky events occur and last for only a short period – perhaps a matter of days. Others have long “tails” and last for many years. Some long-lasting risks can have significant strategic importance. In addition, a Value Map can plot correlations between risks.
Some volatile situations are highly associated with others. For example, the threat of a patent lawsuit may have a strong link to a consequential decrease in revenues. A weather-related catastrophe may be highly correlated with the chance of personnel being injured, property damage, business interruption expenses, crisis management, and perhaps stock price. These associations can be shown on the Value Map, enabling senior management to be fully aware of the total consequences of an event.
In those companies in which ERM is viewed as an extension of the audit and compliance function, risk registers and risk heat maps are somewhat useful. But ERM’s scope is broadening. ERM is now being used to support the strategic planning process – a strategic function in which the primary goal is to build the business and create stakeholder value.
Traditional risk heat maps focus only on the downside of risk – a visualization of known threats. Consideration should also be given to the upside of risk – the opportunities for creating value that exist by taking risks.
The Value Map can be used to measure both threats and opportunities within a context, such as earnings per share, which can provide boards, CFOs and executive management with insights that lead to improved decision-making and to actually practicing strategic risk management.
John Bugalla is a principal with ermINSIGHTS. James Kallman, Ph.D., is a finance professor at St. Edward’s University in Austin, Texas.