What defines a risk model?

This post is a repost of a short article I wrote in 2009, on my then riskguy blog. I've rewritten it to reflect my current ideas on this, as of course over the past years these have evolved. I've revisited this article because it has become topical again in the ongoing discussion on whether or not to use a risk model.

In a lot of the articles on this blog about internal audit or risk management, I refer to the Risk Model or the Risk Identification Model, but what defines a risk model to me?

To me, the following are the two defining elements of the Risk (Identification) Model, with some explanation:

It’s a Model

It is a structured representation of a reality. It is important to realize that the map, or the model in this case, is only an abstraction of the territory and therefore not the territory itself. It is a representation, a ‘simplification’ for easier use or access. And like any simplification, it does not contain all dimensions or aspects of the real thing. We use a model to make a complex reality easier to deal with or to handle.

So whichever way you look at it, you cannot ever blame the model for its inadequacies or its incompleteness. As a risk manager, you have the responsibility to make sure the risk model you use is adequate across all the dimensions you are using it for. In practice, having a subject matter expert review the model for each of the dimensions you will be using it for (operational, financial, strategic, human resources ...) is highly relevant and can only add to the relevance and the pertinence of the model.

It serves a purpose and only that purpose: identifying risks

The model is developed for, and aims at, supporting the user in identifying risks which are relevant to him or her. The structured representation of a model reduces the reality to a set of risks (the concepts) drawn from a risk universe (the set of all possible risk events which could occur) with respect to the objectives of the area in scope, such as an organization, a division, a set of processes, a process, a sub-process or a set of activities.

So, if you want to use the model for another purpose, it will not serve you well. Much like you cannot use a road map of London, useful to a driver, as a means of finding your way around public transport. Other purposes, other tools.

A definition for a risk model

Thus, in short, a Risk Identification Model or Risk Model is a simplified representation of the risks to the objectives of the area in scope, for the purpose of identifying those risks.

The three categories in a Risk Identification Model

Why use categories?

One way of structuring a risk identification model is by using categories. A category is a cluster that groups risks according to their area of (possible) occurrence. I use the following three categories, and do further clustering within a category according to types (a post on this will follow later):

  1. Environment (risks related to): in this category I put all identified risks to the objectives of the area in scope which occur outside of that scope (i.e. the external environment). You may find risks such as availability of budgetary means, legal changes, demographic evolutions etc. here, as long as these risks occur outside of the scope of the risk review and can impact the objectives of the area within scope;

  2. Operational activities (risks related to): in this category you can find all risks related to the actual operational activities within scope of the risk management exercise. Risks related to process structure (bottlenecks), but also risks related to personnel motivation, ICT or integrity, to name a few, find their place here;

  3. Interfaces and decision making (risks related to): this last category contains all risks related to reporting about the operational activities. For example, the risk that the balanced scorecard system is not adequately structured and thus provides erroneous information on the process can be found in this category.

5 reasons for using a risk (identification) model

A frequently asked question

“Why do you insist on using a risk (identification) model as the basis for risk management? We can easily do this without a model.” It’s a question that comes up on occasion when I am teaching risk management or executing a risk assessment. It’s a relevant question. I’ve put together 5 good reasons to use a risk model, but there are many more, I am sure.

My five main reasons for using a risk identification model

  • Clear and consistent understanding of the risks – People’s perception of reality shapes their interpretation of it. While a banana will surely be a banana for most of us, what do we mean by client satisfaction, or workforce motivation? A risk (identification) model reduces the burden of having to explain every risk-related idea and concept, as they are already defined in the model;
  • Neutrality of the risk descriptions and questions – Although not a direct result of developing a model, the fact that it will be used by more than one person leads to a more neutral description of the risks, especially if the participants can propose amendments to the risk descriptions;
  • Higher degree of completeness of the risks in the analysis – A key challenge in risk analysis and management is to ensure as high a level of completeness (a reasonable assurance on completeness of the risks) as you can. The use of a model helps participants identify the risks that are not yet represented by providing a comparative baseline for the risk universe;
  • Structuring the risks – A well-developed risk (identification) model provides a structural baseline, which allows the participants to link risks to areas of occurrence (e.g. does this risk occur in my environment, in my operations or in my decision making?) and to their nature (e.g. is this about the way my process is structured or about the level of job satisfaction of my personnel?);
  • Reuse – Perhaps the most relevant of the reasons: we’ve noted that once an organization has gone through the effort of developing an elaborate risk (identification) model, the model is most of the time reusable in other departments or processes, as up to 80% of the risks can be similar in nature.