Many companies, public and private, have started to formalize their risk assessment procedures. FERMA's benchmarking survey from 2012 showed that basic methodologies for risk assessment and quantification are in place: risk assessment workshops (60% of the EU companies) and internal/external databases (44% of the EU companies) are the most widespread practices.
My experience is that management teams appreciate risk assessment workshops where simple 3*3 or 5*5 matrices are used. They appreciate the visualization. They appreciate finding out how perceptions and risk appetites differ between the members of the team, since these differences create good starting points for fruitful discussions. Through these discussions the company’s inherent and residual risks are identified.
Many companies make an effort to identify the external and internal factors which contribute to their risk and control environment. They are also good at defining the owners of various risks which the company is confronted with.
Consulting firms have been successful in facilitating risk assessment workshops and in providing easy-to-access risk assessment tools, even for small companies.
2. The missing link – the improvement potential
However, many companies stop using creative tools once the risks and their owners are identified. The “owner” is given responsibility to define actions to monitor the risk and report the status.
Often there are several ways to monitor the very same risk. There is seldom a unique action, but rather a range of possible actions. These actions have different costs and resource requirements. Further, they may have different impacts on the risk in question in the short run and in the long run. The probabilities of their impact on that risk differ too. In some cases, there is a very high probability that a given action will affect a given risk in the desired direction. In other cases the probability is not so high, or it is conditional.
What many companies lack today is an easily accessed, visual tool which will help them to identify and analyze possible actions and assign them priorities.
Especially in small companies, and for leadership teams that appreciate easily accessed visualization, the decision tree may be a good tool to fill the missing link, i.e. to define a set of actions and assign them priorities.
3. Why the decision tree?
The decision tree is a highly visual tool for choosing between several courses of action. It provides a simple but effective structure within which the risk owner can define a range of options and investigate the possible outcomes of choosing them. It also gives a picture of the risks and rewards associated with each possible course of action.
Drawing the decision tree and calculating the value of the different options are easy to do manually in a workshop environment. It is easy to involve people with different backgrounds in this task and to extend the creative process from risk assessment alone to both risk assessment and decision making, and thus to risk monitoring.
Risk professionals know quite well that the decision tree is not the only method to fill the gap when choosing actions to monitor the risks. However, for many small companies the technique may be an appetizer and a starting point.
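The calculation a workshop would do by hand can be written out as follows. This is an added example, not part of the original article: the risk, the three actions and every probability and amount are constructed, and ranking by expected total cost is an assumed criterion.

```python
# Added example; every probability and amount below is constructed.
import math
from dataclasses import dataclass

@dataclass
class Outcome:            # leaf: loss the company bears (EUR thousands)
    loss: float

@dataclass
class Chance:             # uncertain event: list of (probability, subtree)
    branches: list

@dataclass
class Decision:           # choice: {action name: (action cost, subtree)}
    options: dict

def expected_cost(node):
    """Roll the tree back from the leaves: expected loss plus action costs."""
    if isinstance(node, Outcome):
        return node.loss
    if isinstance(node, Chance):
        if not math.isclose(sum(p for p, _ in node.branches), 1.0):
            raise ValueError("branch probabilities must sum to 1")
        return sum(p * expected_cost(sub) for p, sub in node.branches)
    # Decision node: assume the owner picks the cheapest option.
    return min(cost + expected_cost(sub) for cost, sub in node.options.values())

def rank_options(decision):
    """Return (action, expected total cost) pairs, cheapest first."""
    totals = {name: cost + expected_cost(sub)
              for name, (cost, sub) in decision.options.items()}
    return sorted(totals.items(), key=lambda item: item[1])

def loss_event(p):
    """Chance node: a 200k loss with probability p, otherwise no loss."""
    return Chance([(p, Outcome(200)), (1 - p, Outcome(0))])

RISK = Decision({
    "accept the risk": (0, loss_event(0.30)),
    "insure, 20k deductible": (25, Chance([(0.30, Outcome(20)), (0.70, Outcome(0))])),
    # Conditional effect: the control only lowers the probability if adopted.
    "new control": (15, Chance([(0.6, loss_event(0.05)), (0.4, loss_event(0.30))])),
})

if __name__ == "__main__":
    for action, total in rank_options(RISK):
        print(f"{action:<24} {total:6.1f}")
```

Resource requirements and the difference between short-run and long-run impact are not modelled here; they would enter as further cost terms or as additional chance nodes.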