Risk registers and heatmaps are widely used as enterprise-level risk management tools and are also promoted by many risk software providers. While these methods and tools may attempt to illustrate that risks are being “managed”, that illustration is really an illusion, because of the manner in which the risk registers and heatmaps are created. Approaches based on risk registers and heatmaps (also known as risk matrices) offer little decision-making input and easily churn out ‘so-what’ reports. They are challenged in many ways to deliver actionable insights and ultimately don’t help in any significant way, either for managing the enterprise or for corporate governance.
Disconnected from Decision-Making
Risk registers aim to capture risks to the business and are meant to help business managers respond appropriately to them. They are also intended to help a Corporate Board or a Management-level Risk Committee with Risk Oversight. This implies that risk registers must be created and actively used by business teams to make decisions about managing risks. Interestingly, this is not the case with most teams. Business teams usually have their own methods to manage business-specific risk. Those methods are built into their business operations, and can take many different forms based on the nature of the specific business.
The job of ensuring that risks are documented in risk registers across the enterprise is usually entrusted to a team that sits outside business management. This team usually has its own methods for documenting risks, and the most common of these is the risk register. However, because business teams already have their own methods to manage risk, the register turns into an administrative documentation artifact. As decision-making happens outside of the risk register process, the register itself provides little value for making important decisions of consequence and can become outdated quickly.
Lack of Context
The traditional approach used to develop risk registers describes risks with artificially precise qualitative ratings that are then turned into synthetic scores. Because these ratings are ordinal labels rather than measured quantities, they oversimplify the context of the risks. When this qualitative approach is used for risks across the Firm (to produce a Firmwide heatmap of top risks), the resulting oversimplification loses important context behind the risks. Without situational context, risk information is heavily diluted and it can be difficult to understand why a risk is on the register at all. The low quality of information also does not help to determine whether sufficient actions are being taken to manage the risk, whether more resources are required and, if so, to what extent they are needed.
Because of how the registers are built, the interconnections between linked risks across different teams may be lost due to the siloed nature of the discussions that produce them. This can again result in failure to capture important context. Some teams try to organize cross-functional exercises to capture this information, but due to the structural limitations of tabular approaches described below, this information can easily get scattered across the registers. Once scattered, it is hard to compile all of it again to reconstruct the true picture of risks. Taken together with the disconnect from decision-making described above, this contributes directly to bulkier registers that offer fragmented views of risk and miss essential context.
Structural Limitations of Tabular Registers
Risk registers are not a natural structure for organizing complex, interconnected risk information. Most risk registers take a tabular form, with many columns for the risk, its cause, consequence, scores and perhaps owners and mitigation. However, risks are rarely linear. There may be many causes, many consequences and many interdependencies between them. A single risk event can lead to multiple consequences, each with a different level of impact and a different probability of occurrence. Simplified tabular representations can’t capture these nuanced linkages, and without them any picture of the risks is distorted.
Most risk registers also aim to provide a single score for the likelihood and a single score for the impact of the risk. (There are further qualitative measures that are heavily promoted and add little value, but those are best addressed in a separate blog.) It can be very difficult even for seasoned business managers to think through all the possible interconnections and come up with one number that correctly captures either the likelihood or the impact. Not only does this require non-trivial effort, but more importantly, as highlighted above under Disconnected from Decision-Making, the result isn’t connected to decision-making. The effort required, together with the fact that it serves the purpose of reporting the risk rather than managing it, is another reason why it is hard for business managers to buy into and participate in structuring risk information using the traditional register-based approach.
Disconnected from Objectives
Consider this piece of information – the market is expected to go down 10% tomorrow based on Futures activity. Is this a risk, or an opportunity?
The answer depends on your specific context and your objectives. If you are long the market, perhaps this is a risk to you. But if you are a long-term investor, perhaps you expect this and this is not a big risk for you. On the other hand, if you don’t hold anything and have plenty of cash at your disposal, perhaps this could present a buying opportunity. Or maybe you do hold some securities, but also have some cash available to invest. What then?
Maybe you already lost 10% of your investment last week, and that has made you more risk averse today than you were last week. Besides, there may be macroeconomic factors that affect your decision. Perhaps this is just movement in a high-volatility environment, or a market correction, or something else. So your appetite for taking risk depends on what your objectives are, and whether the event is a risk or an opportunity depends largely on those objectives and your context.
Unfortunately, risk registers and heatmaps don’t offer a meaningful way to model opportunity, or the context that objectives provide, especially when a situation or an event presents multiple opportunities with linked risks. Without the connection to objectives, it can be hard to tell whether the issue at hand is a risk or an opportunity, further reducing the usability of the risk registers.
All of these factors together create a potent recipe for risk registers and heatmaps to be disconnected from the real, on-the-ground picture of risks. There aren’t many buyers of the distorted picture, nor are there many takers for the false sense of comfort that heatmaps provide. With all of these challenges, it’s no surprise that risk management approaches that rely heavily on risk registers and heatmaps stall very quickly.
What about Risk Oversight?
Long-term value creation requires good strategy setting, performance management and risk management by the management teams and also requires good oversight by Boards or Management-level Risk Committees. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has also highlighted that continued value creation is the primary objective of risk management.
It is important for the Board to understand the specific risk factors that can impact revenue, earnings, reputation and other objectives the business has, so the Board can perform its duties effectively. Boards and Management Teams need to be able to use accurate risk and performance information that is a true representation of reality.
However, the retrospective nature of risk registers, together with the challenges described above, means they cannot provide this true representation. For issues that are of real importance to the Board, business managers may already be providing those updates directly, bypassing the register altogether.
As a result of all these challenges, approaches that use risk registers and heatmaps may never meet value-maximization objectives in an attributable way.
Moving beyond Risk Registers and Heatmaps
Risk management teams should think instead about how they can help business managers risk-adjust their decisions to manage risk better. Risks are best managed in context, so approaches and tools that avoid building artificial complexity should be used. Instead of a documentation-centric approach, a more quantitative approach that models risk factors and includes the context of the risks should be used. Instead of an undue focus on refining the accuracy of qualitative measures, a simple prioritization of the important topics should be done first. Deeper quantitative modeling of each of those important topics can then follow, to identify risks, opportunities and their impact on performance.
Risk teams need to have more direct performance-linked skin-in-the-game and actively participate in enabling risk-adjustment across their Firm. With a focus on risk-adjustment for important business outcomes, reporting can follow. In this way, risk teams and business managers can collaborate more productively and risk-adjustment activities can contribute in an attributable way to long-term value-creation for the enterprise.