Management tools are a dime a dozen. And yet, contrary to popular belief, most of them are good and helpful if used correctly and in an adequately defined context.
In “Tool Box Talks” we introduce you to common and less well-known tools and show you how you can exploit their potential for your enterprise, with today’s focus on the Risk Matrix.

What is a risk matrix and when should it be used?

A risk matrix is a tool which helps you to deal with risks. This device visualises a risk assessment by taking account of its probability, its consequence severity and its level or priority.
To support risk managers in their work, risk matrices are often incorporated into risk registers, which they represent in a condensed and visualised form. Also, they have become customary in reporting, where they show the amount and distribution of risks in a project or in a specific operational unit

How do you use a risk matrix?

Before you can apply a risk matrix, you first have to identify and assess the risks for your project or your operational unit. Evaluating these risks works in three dimensions: probability, consequence severity and priority. The first two values can be assessed either qualitatively (high / medium / low) or quantitatively (in % or €), whereas the priority of risks is typically categorised into high / medium / low.
Depending on this assessment you then plot these risks on a two-dimensional matrix, with the x-axis representing the probability of occurrence and the y-axis corresponding to consequence severity. Priority can be visualised by the choice of different colours

Beware of pitfall

However, it is in particular due to this manner of visualising priorities that certain risks are neglected. The most frequent reaction to traffic light colours – the most often used colour for high / medium / low is red / yellow / green – is to focus on the red items by ignoring the green ones.
While it may certainly be right to prioritise some risks as ‘high’, classifying a risk as ‘low’ still does not necessarily mean that it “does not have to be dealt with actively”. So take a closer look at every single risk and double-check, no matter what the priorities, what measures you can take and which of them is suitable and should be put into action.

What is the use of a risk matrix?

A risk matrix is a tool to visualise all risks and their individual assessment. Thus it helps to quickly identify the most relevant risks – both in terms of their individual probability and consequence severity, and with regard to their priority.
This visualisation is particularly useful if you have to handle a great number of risks as it will make it easier for you to identify the most important issues at a glance and to tackle the most crucial ones first.
Furthermore, this form of graphical representation is ideal for reporting as this intelligent system of visualisation offers a valuable insight into the total number of risks and their criticality without the necessity to go through or analyse huge amounts of data.

Follow us on LinkedIn to learn on a regular basis how you can make the most of management tools, so that you will stay one step ahead of your competitors.

When in spring 2020 most countries imposed a lockdown to tackle the onset of the Corona pandemic, plunging a lot of companies into economic problems, it was often said that “nobody could have foreseen this crisis!“. At the same time, there are plenty of standards and legal requirements providing the framework for companies to anticipate risks and threats and to take adequate precautions. But none of the existing guidelines has so far helped to answer the question of how a company can spot all relevant risks.

While there is no universally valid answer to this question – and probably never will be, still a couple of tried and tested useful devices and methods can help recognise risks.

Brainstorming

A classic and widespread approach to risk identification is brainstorming. It is a simple question like: “What could happen if …?” that will give you enough information to fill your risk register. As, however, the number of identified risks will depend very strongly on the experience and the perspective of the involved person in question, you should remember two things if you intend to reach good results using this method:
First, you should bring together people with backgrounds as diverse as possible. The involved people’s feedback will be strongly influenced by their individual experience and preferences, particularly when it comes to identifying possible risks. If you engage a great range of different participants, their feedback will reflect this diversity, too.

Second, you should guide the debate during the brainstorming in different directions. Here various approaches will be useful, for instance 4Ss or 5Ms or PESTLE.

Process Analysis

Another way of facilitating the group process while identifying risks is process analysis. Here you first divide your project into clearly defined smaller, separate units of activities. For each unit you then think up risks that might occur and analyse how they might affect your target achievement.
This approach is ideal if your project consists of a sequence of clearly defined process steps and if you can easily show how the actual activities correspond with the final result. If, however, your task is more complex or if mulitple interdependencies are involved, this approach, which in fact very much resembles the design tool FMEA, is less suitable as it is extremely difficult to assess risks with it.

Case Studies

A third approach is investigating reference cases. Here comparable projects and ventures are scrutinised for unforeseen events and the impact they had on target achievement. To identify a valid list of risks in this way, you have to make sure that you have a sufficiently high number of past cases. Also, you should check if the found risks are relevant for your case in question.

We recommend this technique of recognising risks for situations in which you regularly carry out several rather similar tasks or projects – for example if you have to make adjustments to machines according to your client’s wishes or if you design software modules for a plant control system. Here you can detect standard risks relatively quickly and take measures appropriate to the corresponding project.
This method is less suitable, however, for situations with few or no reference cases. Further, this approach is unfit to consider novel hazards or rarely occuring extreme events.

Pre-Mortem Session

To take such extreme events into account, you should make use of so-called “pre-mortem sessions“. Here the team in question imagines that their project has already been completed and tries to come up with reasons for the project’s presumable failure.

At first glance this approach seems hardly different from the brainstorming method detailed above. However, the change of perspective, shifting from thoughts like: “What might happen?” to the hands-on question: “What has caused the failure?” will help to change your set of mind and explore new ways of thinking. This is particularly useful to identify those risks that are different to those people have encountered so far.
Which approach will you be using to spot risks in your next project?

Management tools are a dime a dozen. And yet, contrary to popular belief, most of them are good and helpful if used correctly and in an adequately defined context.
In “Tool Box Talks” we introduce you to common and less well-known tools and show you how you can exploit their potential for your enterprise, with today’s focus on the risk register.

What is a risk register and when should it be used?

The risk register is a risk management tool. Depending on the focus of the risk management activities, it documents risks related to a product, a project, a department or an entire enterprise. Though the tool stays the same for each of the perspectives mentioned, we strongly recommend having one independent risk register per perspective to avoid misinterpretation of the documented information (see “Do risk evaluations lead to faulty decisions?”).

A risk register should be used whenever risks need to be documented. The format of the risk register varies, depending on to the needs of the situation. An ad-hoc analysis, for example, generally requires less background information to be documented to be helpful than is needed for an extensive risk evaluation accompanying a complex and long running project. This difference in scope is reflected in the extent of the risk register. Besides the scope, the maturity of an organisation impacts the appearance of a risk register, which may be as simple as a spreadsheet or as complex as an integrated database using artificial intelligence for data completion and linking of information.

How is a risk register applied?

The simplest form of a risk register is a table listing all information required for risk management. The rows represent the individual risks while various pieces of information are organised in columns.
A basic set of risk information, i.e. columns in the risk register, are

  1. a continuous labelling for risk identification,
  2. an acurate description of the risk itself (i.e. what may happen and how does it affect the goals?)
  3. an estimation of the probability of occurrence,
  4. an evaluation of the impact and
  5. a proposal of a risk response.

There is much more information which may be included in a risk register, depending on the context.
Two approaches lend themselves as blueprints for adding information to a risk register in the context of a risk analysis. The most convenient one is working row by row, i.e. identifying one risk and then adding all related information before going on with the next risk. This approach follows intuition and thus is easy to facilitate. However, it also results in rather lengthy workshops and is therefore tiring. Alternatively, you may want to focus on the risk identification and description first and add all other information later. This approach shortens risk analysis workshops but also required a much more disciplined facilitation.

Beware of pitfall!

A risk register documents individual risks and their evaluation in a defined context. A common pitfall is to add up the individual risks and assume this number represents the overall product, project or organisational risk. Though this may be true in some rare instances, generally the actual product, project or organisational risk is significantly lower than the sum of the individual risks. The reason for this deviation between the overall risk and the sum of individual risks are dependencies between risks which are neglected if simply added up.

The transfer of risk information from one context to another is another topic to be aware of. Risk is defined as the “effect of uncertainty on objectives” (see ISO 31000:2018). Thus, if risks are transferred from one context to another, they need to be re-evaluated as generally the objectives shift with the context. Copy-paste of risk information from one risk register to risk register in a different context is simply wrong.

What is the use of a risk register?

A risk register summarises all information on risks within a defined context. Thus, it provides all data required for an effective risk management for the product, project or organisation. It also documents risk management-related activities by capturing changes in the evaluation of risks or decisions how to respond to risks. Therefore, the risk register allows for a detailed overview of risks and how they are managed.

Follow us on LinkedIn to learn on a regular basis how you can make the most of management tools, so that you will stay one step ahead of your competitors.

 


2020 – The spreading coronavirus causes disruptions in the supply chain of many companies. These difficulties have already led some companies to the brink of insolvency [1].

2019 – Iran retains a foreign oil tanker ship resulting in rising concerns regarding a blockage of the Strait of Hormus. As a result, the oil price shots up [2].

2011 – An earthquake and a subsequent tsunami destroy a Toyota supply plant. The resulting supply shortage causes a breakdown in production processes, thus considerably delaying the delivery of cars [3].

Supply Chain as an Optimisation Task

In our globalised world, the value chain of any product generally is a series of interrelated activities of several companies and countries. Consequently, the design of the supply chain is a critical task which needs to consider several targets. Unfortunately, some of the targets are contradicting.

One of the most obvious targets of supply chain optimisation is cost reduction. Suppliers and source countries are selected to minimise the cost of production to allow for low product costs at high margins.

Logistics are another important optimisation aspect. Lead time, suppliers’ reliability and flexibility are important factors, especially in just-in-time manufacturing. As delayed deliveries can easily result in production downtimes, logistics are often almost as important as costs.

Lately, sustainability and carbon footprint are becoming more important in supply chain design. This is especially true for B2C products; however, legislation is expected to provide more rigid guidelines and requirements companies need to comply with.

Besides, the examples above highlight another target parameter for supply chain optimisation: risk.

Risks in the Supply Chain

There may be many different types of risks in a company’s supply chain. Probably the most obvious is potential quality issues. Many companies today address these by incoming goods inspections and frequent supplier audits.

What is often ignored is the dependence on individual suppliers. A single source setup strengthens the bargaining position of the supplier and may result in higher costs. At the same time, supply interruptions become more likely as issues in the production of an individual supplier directly impact the entire supply.

Also, if one supplier relies too heavily on one single customer, this may become problematic in the future. A drop in purchase volume, even if it is temporary, may pose a significant threat to the supplier’s ability to survive.

And what is true for depending on a single-source supplier is also true for regional dependency. The issue with regional dependencies is that they do not only affect the supplier location – the problem Toyota was facing after the 2011 tsunami – but also the transportation routes – which became problematic in the Strait of Hormus case.

Supply Chain Risk Analysis

To ensure that their own operations are running smoothly, companies need to evaluate their entire supply chain. However, given the vast number of products, raw material and services which a medium to large-size corporation is sourcing, a detailed analysis of the entire supply ecosystem is neither possible nor economically feasible. Here I’d recommend the ABC analysis. This is a proven tool to identify the critical segments in the supply chain. This approach divides supplies in three categories.

A parts are those which have the highest value and are most critical for the one’s own value creation. These components are normally sourced by highly specialised suppliers, plus they are a significant cost factor and cannot easily be replaced in case of supply issues. For A-parts, a detailed risk analysis of suppliers and sub-suppliers and the systematic integration of risk mitigation measures in the supply chain is a well invested effort.

B parts represent the next segment in a company’s supplies – both with regards to volume and value. For B parts, a risk analysis should include the company’s suppliers in a first step. This significantly reduces the effort compared to the analysis of the entire supply value chain but still allows for systemaitc mitigation planning. If the outcome of the initial supplier risk analysis brings to light any points which require special attention, this may trigger a more detailed analysis for selected parts or suppliers in the B-segment.

The bulk of supplies in terms of volume are usually off-the-shelf articles, so-called C parts. Given the low value and high volume of these parts, a detailed risk analysis does not make sense economically. For risk mitigation, a certain level of redundancy in the supplier base allows a company to avoid unpleasant surprises in case of crisis.

Using the ABC analysis as a guideline for supply chain risk analysis allows to minimise the resources needed to gain an adequate overview of a company’s supply ecosystem. This will enable you to adjust your supply chain and make it more robust, so that your company will be more resilient to local or global crises.

Quellen:
[1] DW (26. Februar 2020). „Coronavirus sprengt die Lieferketten – Wirtschaft droht Lähmung“. DW.com.
[2] FAZ (18. Juli 2019). „Ölpreis steigt nach Tanker-Stopp“. FAZ.net.
[3] Spiegel (13. April 2011). „Toyota-Kunden müssen auf Autos warten“. Spiegel.de.

 


The presentation of the project idea left everybody euphoric. The proposed product will revolutionise the market, return some 150€ to 200€ for each invested Euro and the market share in the target segment will rise above 50%. As this will also increase brand awareness, revenue and market share of the existing products is also expected to increase – and the company will be able to open up entirely new markets.
The next day the project is kicked off and the team starts working. However, the first project report is a frustration. Because the high level of uncertainty, the detailed risk evaluation reveals that the project risk is almost as high as the profit expected from the new product. After lengthy discussions, the project is given up just a few weeks after its kick-off.

What happened?

At first glance this story is an example of how risk analysis should support decision making. A promising idea was presented, a project for its realisation kicked off and risks and opportunities were analysed. With the new information the project was re-evaluated and then discontinued because the risks was seen as too high.
If you take a closer look at the facts, things are not as simple as they might look. The decision to stop the project was based on a comparison of the project risk and the projected product revenue. This comparison neglects other benefits of the new product for the company besides the revenue of the product itself.
The increase in market share, the positive effect on existing products and the opportunity to find new markets was not included in the decision. As all these factors have a positive impact on the company’s bottom line, one may assume that the company would have been better off with the project – even if the project risks are significantly higher than assumed in the beginning.

How to avoid such mistakes?

Silo mentality is still a reality in many companies. This facilitates situations as the one described in the beginning: Information is evaluated within only one part of an organisation. Decisions are based on the needs of a subset of the organisation and thus are rarely the best possible solution for the entire company.
To avoid this pitfall, you need to break the silo mentality. This can be achieved by a scenario approach (see “Four requirements for scenario planning” https://rno-consulting.com/en/vier-anforderungen-an-die-szenario-planung/). In the given setting, a three-scenario set-up is probably the best approach. However, it is important to create the scenarios from the company’s point of view.

Reference Scenario

The reference scenario describes the company’s future assuming the evaluated project will never be kicked off. Thus, it represents the status before putting the idea into practice. In companies which regularly use scenario planning, this scenario should already be available and therefore ready for use.

Nominal Scenario

The nominal scenario represents the development of the company if the project is completed as assumed. Usually, such a description is part of the initial project proposal and can be taken from there. The difference between the reference scenario and the nominal scenario represents the expected benefit of the project.

Risk Scenario

The risk scenario is a combination of the nominal scenario and the latest project risk evaluation. This scenario highlights the expected developments based on the identified and evaluated risks and opportunities.
The benefits of such an approach are obvious. By including the risk information in a scenario, all effects on the company are considered – and not only internal project effects. A comparison of the risk and the reference scenario shows the benefit which can be expected from the project. In addition, the difference between the nominal and the risk scenario highlights how far the project deviates from initial assumptions.
These three elements help to avoid faulty decisions like those in the above example. As a result, this approach is essential to successful risk management and, in the end, to economic success.

Active risk management helps companies to deal with insecurities, to reach operative and strategic goals and to improve the performance of the management system [1]. This makes it an important element in safeguarding entrepreneurial success. At the same time, risk management does not add direct, but merely indirect value, by avoiding risks or exploiting an opportunity.
Regrettably, legal requirements like the German Stock Corporation Act [2] do not provide sufficient hints how this task of optimisation can be solved by the individual company. However, the maturity concept for risk management offers helpful guidance as the model’s levels of development can be easily linked to the structure and characteristics of a specific enterprise.

Maturity Level 1: Linear companies

The first level of risk maturity is represented by companies characterised by linear structures. These companies are typically relatively small, have a limited portfolio of products and services, and their target market is clearly defined. As a result, the risks arising from the direct environment and internal processes can be easily handled by one person.
Accordingly, it is rather simple to meet the requirements for a risk management system in such settings. The only thing a company has to do is to make sure that there is at least one person who systematically keeps track of risks and evaluates them. Moreover, it must be guaranteed that this person takes a responsible part in decision-making processes and that relevant information about risks are duly considered.

Maturity Level 2: Ramified businesses

Businesses of the second level are marked by a ramified system of structures, resulting either from a division of labour (e.g. development – manufacturing – sales), parallel marketed products and services, or different target markets. This means that the company can no longer be controlled and managed by a single person alone, while each of the branches within the company structure still have the features of a linear enterprise.
Efficient risk management under such circumstances demands that it be shared: In each branch at least one person should adopt the role of a risk manager in charge of identifying, assessing and addressing risks in the respective area. If in all parts of a company this is to happen in more or less the same way, tools and processes for risk management have to be clearly defined and aligned with each other. Within these branches it is the risk managers’ job to make sure that the information about risks is sufficiently taken into account when decisions are made. To ensure that this is common practice even on the top management levels, a system of filing and transmitting information has to be created. In this way information collected on lower levels of a company will be equally accessible to higher levels.

Maturity Level 3: Matrix companies

Complex companies are characterised by a matrix structure. Communication and decision-making does not take place in a linear top-down or bottom-up manner, but both horizontally and vertically. As a consequence there are many interfaces where information has to be exchanged and decision-making is increasingly decentralised. Going along with this, information about risks has to be available at many different places. Decision-makers have to be capable of dealing with this information to handle risks and opportunities* effectively.
To meet these requirements, an effective risk management system must have tools and processes that run smoothly. It should be clearly defined where there are interfaces between different areas and how risks are transferred and re-evaluated in different settings. Also, information about relevant risks have to be accessible to all people who are responsible for making important decisions. At the same time, staff members need to have the necessary knowledge about risks and opportunities and the technical expertise for dealing with them. Their skills should comprise the ability to identify and assess risks, and to integrate them into decision-making processes. In this way the collected information about risks is sufficiently accurate and the information can be used efficiently and adequately.

Maturity Level 4: Risk-taking companies

Companies of the fourth stage have a high level of risk-taking, i.e. these companies systematically try to exploit opportunities by taking calculated risks, which, once a reality, can endanger the company as a whole or in parts.
It is an essential element of these companies’ business models to create an ideal balance between opportunities and risks. The requirements that matrix companies have to meet in terms of risk management have to be fulfilled for opportunity management as well. What is more, performance indicators should help to assess how efficient the respective risk and opportunity management strategies are. These indicators should of course be under constant surveillance and modified where necessary.

Maturity Level 5: High risk companies

The keyword “high risk companies” comprises two different types of enterprises: those whose main business is managing risks and those for which risks, once a reality, will have a desastrous impact on their environment.
In both cases it is essential to have effective risk management strategies. This requires that all risk management processes be systematically and constantly improved, on the basis of adequate performance indicators. Companies whose main job is risk management should also apply this to opportunity management.

 

[1] DIN ISO 31000:2018 Risk management – guidelines

[2] §91.2 AktG (German Stock Corporation Act)

*According to the definition [1], the term “risk” signifies both negative and positive effects of uncertainty on targets. In contrast, following the common usage, we here use “opportunity” for positive and “risk” for negative effects.

Increasing uncertainty, rapid changes of the environment and a constantly rising level of unpredictability urgently require an active risk management system for every business strategy. Top executives, project managers and department leads find themselves more and more confronted with a host of improbables, which they have to consider in their decision-making processes to secure long-term success and reach their goals and aspirations.

Assessing risk management processes

How successful risk management strategies are normally does not become clear until the set goals are achieved – or, if things go wrong: are missed. However, this approach to assessing quality is problematic as it is merely reactive. Potential for improvement can only be recognised and realised when it is actually too late.
It would be better to use a different approach that assesses the quality of risk management processes in companies independently of whether goals are reached or not. Potential for improvement should be identified before risks have already become a reality. One concept which meets these requirements is the maturity model, created to assess risk management strategies in companies.

Maturity concept for risk management systems

The maturity concept includes a reference model that helps integrate risk management strategies in companies. To do so, several aspects are examined and assessed, so that they can be systematically improved. These aspects cover very different perspectives, thus preparing the way for a holistic assessment of risk management systems.

Definition of processes and roles

How are risk management processes defined, what activities do these processes consist of and what roles are defined in this context?

Tools and documentation

What tools are used for risk management purposes and how is relevenat information documented?

Application and embedding

How are risk management processes and tools applied within the company and how are risk management processes integrated into other processes?

Interfaces and processing of information

What defined interfaces concerning risk management processes exist in the company and how is relevant information processed?
Training and development of skills
What mechanisms make sure that the right people have the necessary skills required for successful risk management?

Risk culture and awareness

How strong is risk awareness in the company and how closely is it linked with the respective corporate culture?

Use of the maturiy model for a successful risk management

The maturity concept has three different functions in terms of improving risk management processes in a company. First, the reference model helps describe risk management systems in a consistent way which at the same time fits the specific requirments of the individual company. These descriptions can be used as a target definition for risk management processes.
Second, this model makes it easy to analyse how much progress has already been made in implementing risk management strategies. Thanks to the holistic approach including different viewpoints, strengths and weaknesses and the current level of implementation become clearly obvious.
Finally, the reference model used in the maturity concept is a road map for improvement risk management systems in companies, particularly when it comes to developing and prioritising measures that ensure healthy and prospering growth.