Risk Management Blog | Pirani

5 steps to make a risk map | Three lines of defense model

Written by Deicy Pareja | June 19, 2020

To develop a risk map, information collected by the process leaders with their support group is analyzed, who must identify and describe the impact and probability of each of the risks, as well as the occurrence thereof to assess the mitigation measures. The Three Lines of Defense model is necessary for all organizations, both from the financial and the productive sectors, because it is an effective way of managing risk and having control. It also strengthens corporate governance.

A risk map is a profile designed to identify and quantify the probability of events and measure the impact or damage associated with the occurrence. This tool, which can be represented using graphs or data, is based on different types of information such as internal and external risks, i.e. by the context of the country or sector in which the business operates.

This map is designed to highlight the operational or financial problems of the organization, monitor and follow up on critical processes that may be at risk, as well as exposures or threats, to develop strategies to mitigate those risks.

Organizations' commitments include designing this risk map. Therefore, your company should know the five steps to consider when designing its own map.

1. Appoint a risk committee

Designing a risk map provides comprehensive and discriminated information to better understand the company's threats, as well as its processes and projects. This helps to plan strategies to prevent and mitigate impacts and damages. Identifying possible events that may affect the organization is a commitment of senior management, so there must be a committee that will commit to building the map.

2. Define risk

To gather information accurately, the members of the committee must define risk, and conduct a quantitative and qualitative analysis to unify criteria. For example, a risk arises when the cash flow is exhausted to cover operational expenses such as employee salaries, the office lease, taxes or transportation. Defining risk helps predict the crises the company may face in order to anticipate them and reduce exposure.

3. Identify the risks

Each area of the company must analyze the processes and procedures to identify the possible risks inherent to their daily activities, those that get in the way or hinder the development of their strategies to achieve their objectives. Once they are identified, they should be inventoried and each of them should be described to know their possible consequences. This promotes teamwork across the organization and increases the level of responsibility and collaboration, as well as awareness thereof.

4. Assessing risks

 A company must classify each risk based on the information obtained at the identification and description stage to assess them and establish the level of risk and the actions to be taken. To do so, the degree of probability, impact, and occurrence of each risk  (high, average, low) should be analyzed using indicators.

It should also be defined whether the risk is systematic or not. Systematic refers to the probability that the industry to which the company belongs will suffer a crisis such as an economic recession, so all the companies in the sector, e.g., flower or coffee businesses, are exposed, while non-systematic is when a specific company fails. All of the risks must be considered to have a plan.

5. Prioritization matrix

When the risk committee classifies threats, based on the probability, occurrence, and impact that each one could bring if it occurred, a prioritization matrix must be developed to establish those that require immediate treatment.

Here, each risk is analyzed and classified as high (very likely to occur), average  (likely), or low (very unlikely) and identified on the map with a different color: average (red), medium (yellow), or low (green).

It is also analyzed whether each impact can be internally or externally driven and whether it is high, average, or low to prioritize them in that order. This map serves as the basis to start working on the most urgent risks and to propose strategies to mitigate or avoid them.