Stage 3: Assess effects of exposures

In this stage, a further analysis of the effects of the various risks identified takes place and certain questions are answered:

1. Why be exposed? Is the exposure unavoidable? The analysis may show how certain risks can be avoided, or at least minimised, if different choices are made.
2. Size of exposure. This certainly needs to be assessed on a relative basis (that is, what proportion of the total risk does this element represent?), but if an absolute value can be placed on it, so much the better. It is often as useful to senior management to use a rating scale (for example, highest = 1, next highest = 2, etc.), as opposed to specific numbers, for measuring relative risk exposures provided the scale is understandable and can be sufficiently discriminating.
3. Warnings. The analysis should flag any potential catastrophic outcomes arising from a particular risk element. Where feasible, it is helpful if the analysis shows what is currently done to avoid or reduce a risk. Alternatively, suggestions for future action can be included.
4. Cost of risk. If the risk is avoidable, or can be reduced, what would be the cost of avoidance or reduction? What is the potential benefit?
5. Correlation of risk. Many types of risk are interrelated. For key risk elements that are correlated, it is useful to make plain the linkage where this is material. This correlation of risk is clearly akin to portfolio theory. However, because here we are considering a much broader range of risks it is not possible to be as mathematically precise as in portfolio theory – but the idea is the same.

The overall goal for the mapping should be kept in mind: that is, to provide risk information to the organisation’s policymakers. As always, the objective is to end up with a succinct report to give the senior management the input needed for them to produce an appropriate definition of corporate strategy.

It is a good idea, where possible, to rank the risk factors within the groups, but how possible this is depends on the measures used. If the expected value and standard deviation method is predominant, then ordering is feasible. Most financial risks are amenable to this way of measuring risk/return, but whether the same is true of operational, business and strategic risks is less certain. Ranking may also be possible with a scaled system, but this will often depend on the degree of discrimination the chosen scale allows. In general, the ordering aims to put at the top of each group’s list the factors with the best risk/return profile, and the worst at the bottom.

If two factors, A and B, have the same risk assessment, perhaps measured by standard deviation, but A offers a better expected return, then the ordering is straightforward. It is less easy to be precise if A is also riskier. At this point the organisation’s particular attitude to risk becomes important. A very conservative business will require more return per unit of additional risk than will a more adventurous one, assuming the terms ‘conservative’ and ‘adventurous’ refer to the degree of risk aversion of the respective organisations. The rankings must reflect this attitude to risk.

Another way of partitioning within the groups is to treat linked risks together. For example, if there is a set of risks all associated with operating in a particular country, report them together, on the premise that strategic-level management may only be able to act on them as a group anyway. This form of partitioning can be used as well as, rather than instead of, the ranking procedure. It may add more complication than illumination to senior management’s interpretation, however, and can only be decided upon on a case-by-case basis.

By now you should have a sizeable report on the organisation’s overall risk profile – and hopefully a better understanding of that profile. It is time for decision making to take over from analysis.