Writing as a risk professional with 15 years’ experience, I have a confession to make:
I loathe risk registers.
Let’s face it, they are boring, one-dimensional and poorly prioritised lists that lack context and often serve to satisfy a requirement rather than a purpose. Risk registers can be useful in some contexts; however, I believe a risk visualisation approach is a far better way to accomplish the aims of risk management and support better decision making. So what is risk visualisation, and how do we implement it?
The origins of risk visualisation
Risk visualisation is a relatively new concept, and traces its roots back to data visualisation. Data visualisation is in itself a broad theme, ranging from charts and graphs to geographical mapping and highly stylised infographics. It is supported by a mature set of applications, from the ubiquitous Microsoft Excel to sophisticated business intelligence and big data analysis tools.
The late Dr. Hans Rosling pioneered the concept of telling compelling stories by combining data visualisation and the 4th dimension: time. His TED talk entitled “The best stats you’ve ever seen” and the shorter “Hans Rosling’s 200 countries, 200 years, 4 minutes” are both excellent examples of this.
Risk heat maps
An early version of risk visualisation has been with us for decades in the form of the risk heat map. It is usually depicted in a 3×3 or 5×5 matrix with Probability or Frequency on one axis and Impact or Consequence on the other, and is often referred to as a Probability Impact Diagram (PID).
Figure 1: A typical Probability Impact Diagram (PID)
A heat map is a slight improvement on the traditional risk register approach in the sense that it can transfer a lot more information to the reader at a glance. Users of the information can intuitively zoom in on the risks requiring intervention through the use of colour, size and position of the risk elements on the grid. Beyond this, however, heat maps are somewhat limited in terms of providing context, conveying systemic complexity and aligning risks to organisational goals.
Another form of risk visualisation includes shading areas on a geographical map to indicate risk levels, or using dots of varying sizes and colours to indicate location-specific hazards.
Figure 2: Travel Risk Map
These are more useful for organisations or institutes where a geographical context is important. They simplify a large amount of data into an impactful image that draws attention to key areas of risk.
Current developments in risk visualisation
Tools now exist to enable the creation of richer, more context-aware risk visualisations based on information captured through normal risk identification and analysis processes. These can model the systemic nature of risk causality and interconnectivity. To apply this concept, let’s examine the global risks we face in 2017.
Figure 3: Systemic view of interconnected risks
None of these global risks exist in isolation, and those that materialise could have an exacerbating effect on the materialisation of others. For example, any combination of risks such as asset bubbles, extreme energy prices, water shortages and financial system collapses could result in the risk of a failed state materialising. This in turn can exacerbate the risks of terrorism, major refugee crisis, further water shortages and extreme energy prices.
Figure 4: The systemic nature of interconnected risks
This concept of systemic and interrelated risks can equally be applied to enterprise risks in an organisation. For example, cyber threats can be affected by and in turn affect the materialisation of related risks across the organisation. In this way, risk visualisation highlights the need to reach across organisational silos to effectively manage and mitigate the strategic threats facing an organisation.
Furthermore, risk visualisation can illustrate a rich array of information across multiple dimensions, including but not limited to risk proximity (how quickly risks are likely to materialise), categorisation (against predefined risk categories or organisational objectives), control effectiveness (the effectiveness of mitigations currently in place), impact quantification (the actual numerical value of impacts measured, for example, in pounds sterling) and risk trajectory (risk exposure reduction over time). In these circumstances, risk visualisation can be a powerful aid in getting a message across to decision makers, enabling them to prioritise and highlight appropriate risks for immediate attention or identify opportunities for collaboration on risk mitigation efforts.
Benefits of risk visualisation
Risk visualisation is far more engaging to users of risk information than simply relying on risk registers to convey the same message. This is due in part to the rich context of the risk information combined with the ability to tailor the information to suit different audiences. Interactive visualisations can be used to highlight risks that exceed an organisation’s risk appetite, risks with poor controls, risks against certain key objectives, or any combination of the aforementioned criteria. Visualisations can also be used to present high-level strategic risk information to executives, whilst retaining the ability to drill down into the details for appropriate audiences. Increased engagement and understanding of enterprise risks leads to better decision making at all levels of the organisation, from frontline staff all the way up to the board room.
Systemic modelling of risk interconnectedness has a profound effect on the way people perceive risk. Instead of focussing solely on risks in their own silos, there is a genuine understanding of the strategic nature of enterprise risks, and this encourages a collaborative approach to risk mitigation.
Implementing risk visualisation
Technology is often the easiest component of adopting a risk visualisation approach. It is far harder but absolutely crucial to implement a comprehensive risk framework that encompasses all the elements of an ISO 31000 approach. The framework should include a methodology for comparable analysis of risks against stated objectives and a defined organisational risk tolerance and/or appetite.
The old adage “garbage in, garbage out” applies here. Risk visualisation will only ever be as good as the information behind it. Designing, communicating and embedding this framework successfully allows the right information to be collated in order to build a risk visualisation model that can support effective decision making, and ultimately, effective risk management.
Once a risk framework is in place, it is relatively straightforward to design a risk visualisation strategy based on information captured through the risk process, organisational structure, and desired outcomes from adopting a risk visualisation approach. It is important to note, however, that there are some technical design issues to consider. Examples include the specification of information required, the flow of data from the point of capture through to storage and presentation, the integration between various databases and toolsets, and whether these are managed on-premises for better security or in the cloud for easier access and collaboration between entities.
Risk visualisation technology can be inexpensive (relative to commercial off-the-shelf Enterprise Risk Management solutions) and fairly easy to implement. It is flexible enough to be configured to reflect organisational and risk process changes, and can model threats, opportunities, causes, consequences, controls, improvement actions, key risk indicators and anything else organisational risk processes require.
Steps for implementing a successful risk visualisation approach:
- Design and implement a robust risk framework based on ISO 31000
- Conceptualise the desired risk visualisation outputs
- Socialise a proof-of-concept with key decision makers and users of risk information
- Communicate the benefits, actions needed and implementation date of risk visualisation
- Build and roll out final risk visualisation solution, with training and support in place
Challenges in adopting a risk visualisation approach
People can naturally be sceptical about the benefits of new approaches and technologies, and risk visualisation is no exception. With risk visualisation, however, seeing is believing. It is easier to convince decision makers of the benefits of a risk visualisation approach using a well-designed proof of concept than with a standard business case.
Providers of risk information can be another source of inertia that holds back the evolution of the risk process. This is especially true once they come to the understanding that risk visualisation will expose data quality or risk maturity shortcomings to senior management. Working with them to set a realistic deadline for the collation of risk information, with the expectation that the board will be shown all risk visualisations, can be a catalyst for positive change in this area.
The future of risk visualisation
Risk visualisation is the natural evolution of and ultimately a replacement for traditional risk registers. It is a far more engaging and useful approach when attempting to understand the context of systemic risks, prioritise risks and tailor risk information to audience requirements. Risk visualisation has the added benefit of encouraging providers of risk information to comply with risk processes to ensure current and detailed risk information is presented to the board.
The next step requires organisations to embrace the concept of visualisation to the point where risk visualisation is no longer an isolated approach, but is linked to every part of a business including strategy, assurance, compliance, business performance and change programmes. This pervasive embedding of risk management across an organisation to achieve business success is the ultimate aim of risk management. Enterprise risk professionals with their strategic overview of their respective organisations are uniquely placed to influence the development of approaches that can enhance business success. Risk visualisation is the first step in this direction.
Dr. Hans Rosling once said that “few people will appreciate the music if I just show them the notes. Most of us need to hear it”. A parallel can be drawn to risk management. Risk registers simply do not cut the mustard anymore. We need to visualise risks.
(This article appeared in the Spring 2017 edition of Enterprise Risk Magazine)