Risk map.

Risk map - a simple method for assessing risks

Representatives of various sectors of the economy often ask, as risk management consultants, the question: are there simple and clear methods, accessible to non-specialists, that would help at least roughly assess the risks in the development of new strategic business areas, large investment plans, etc.

What is a risk map and how is it useful?

A particular example of a risk map

Description of the risk map structure

Arabic numerals on the map indicate risks that have been classified according to...

Building a risk map

Produced as as part of the implementation of a risk management system at the level the entire organization, which is difficult and often impossible to accomplish internally within the organization.

To solve a separate range of risk management tasks, for example as part of a preliminary assessment of various development strategies.

What you can do yourself: the process of building a risk map.

In general, the risk mapping process allows you to:

o highlight risks

o prioritize risks

o quantify (break into classes) the organization’s risks.

Methods that consultants use to create a risk map include

o interview

o formalized and informal questionnaires

o industry reviews and research

o analysis of the company’s documentation set

o numerical estimation methods

Basic steps of the self-risk mapping process

2. defining the boundaries of analysis 3. forming team composition 4. analyzing scenarios and ranking

Table of results of scenario analysis and risk ranking

Risk management methods.

The risk management methods themselves are quite diverse. This is due to the ambiguity of the concept of risk and the presence of a large number of criteria for them... Firstly, approaches to risk management can be grouped as methods... · Pre-event methods of risk management - activities carried out in advance aimed at changing...

To reduce internal business risks, an enterprise must screen potential business partners and carefully select personnel.

What will we do with the received material:

If this material was useful to you, you can save it to your page on social networks:

Tweet

More abstracts, coursework, and dissertations on this topic:

Enterprise risks, methods for assessing them
In the future, I would like to develop this topic when writing my thesis. I believe that this issue is currently very relevant in Russia, since... On the other hand, it is usually small, especially if a person is careful. Another thing is the risk of an entrepreneur. At such a risk...

Comparison of the efficiency of array sorting methods: Direct selection method and tree sorting method
With direct inclusion, at each step only one next element of the original sequence and all elements of the finished sequence are considered. The complete direct selection algorithm is given in the program. 3. Table 2. Example.. We can say that in this sense the behavior of this method is less natural than the behavior of direct inclusion. For C we have..

Methods for solving rigid boundary value problems, including new methods and programs in C++ for implementing the above methods
Page 8. The second algorithm for starting counting by the sweep method S.K.Godunov.Page. 9. Replacement of the Runge-Kutta method of numerical integration in the sweep method.. Pg. 10. Method of half constants. Page 11. Formulas used.. Pg. 62. 18. Calculation of the vector of a particular solution to an inhomogeneous system of differential equations. Page 19. Authorship..

A course of lectures on the discipline of risks and economics module. Risk as an economic category. Risk in economic activity
State educational institution of higher professional education Russian Customs Academy Rostov branch.. contents..

Business risk: types of risk, assessment of facts and ways to minimize it
In connection with the development of market relations, entrepreneurial activity in our country has to be carried out in conditions of increasing uncertainty.. Such a situation is somewhat unusual and unusual for our business executive.. But it introduced obvious or at least apparent clarity and ensured an imposed order. Although not completely...

Audit risk and methods for its assessment
One of the functions of audit is control of the financial and economic activities of economic entities. But in our country, audit has not yet “found its feet”. In this regard, the audit firm (independent auditor) arises.. The concept of audit risk, which appeared in audit theory in the mid-80s, marked the beginning of a new stage..

Currency risks, methods of managing and minimizing currency risks
Risk is expressed by the probability of obtaining such undesirable results as loss of profit and the occurrence of losses due to non-payments on issued... Therefore, on the one hand, any manufacturer tries to minimize... The level of risk increases if: problems arise suddenly and contrary to expectations; New tasks have been set...

Statistical indicators of production costs: Grouping method. Method of average and relative values. Graphical method
In aggregate, we can distinguish the following groups of costs that ensure production: - objects of labor (raw materials, materials, etc.); - means of labor.. Cost is an economic form of compensation for consumed factors.. Such indicators are calculated based on production cost estimates. For example, the cost of manufactured products...

Solving systems of linear algebraic equations using the method of simple iterations and the Seidel method
When using iterative processes, in addition, the error of the method is added. Note that the effective use of iterative methods depends significantly.. Now let's look at several definitions that we will use in this work. A system of linear equations with n..

Quantitative and qualitative methods of risk assessment
Quantitative risk assessment often accompanies a qualitative assessment and also requires a process of risk identification. Quantitative and quantitative.. The measure of risk is the degree of uncertainty of financial results, the degree.. The smaller the value of the standard deviation a and the coefficient of variation for the main parameters of activity , that..

0.054

In the course of identifying and assessing financial risks, various graphical methods are used that provide a visual representation of the distribution of risks in time, by type of activity, by stages of a business process, in space (for example, by premises), by the amount of identified damage, etc. But the most universal information visualization tool, widely used in risk management, is the so-called risk map. It is built on the basis of a register of risks and their qualitative and quantitative characteristics obtained during the measurement process. A risk map can be built either for the entire organization or for any department. In addition, risk maps can be drawn up for the direction of the organization’s activities or for a separate project or program.

The simplest risk maps are usually presented in tabular form. In cases where qualitative and quantitative scales of probabilities and consequences are used to measure risks, matrix risk maps are used. Matrix risk map is a graphical and textual description of a limited number of risks of an organization, located in a rectangular table, on one “axis” of which the strength of impact or significance of the risk is indicated, and on the other, the probability or frequency of its occurrence. In cases where qualitative and quantitative scales of probabilities and consequences are used to measure risks, the entire range of risks is divided into cells. Due to its external similarity, such a risk map is sometimes called a “matrix”.

Generally speaking, the methodologies for constructing a risk map are as different as the risks of companies are different. The construction of a risk map can be carried out both as part of the implementation of a risk management system at the level of the entire organization, and to solve a separate range of risk management tasks. Methods that consultants (experts) use when drawing up a risk map include interview , formalized And informal questionnaires for reviews And industry research , analysis of the company's documentation set and numerical assessment methods and so on.

The composition of the team of consultants (experts) is very important for the success of the risk mapping process. When carrying out work by professional consultants, the team (working group) usually includes those specialists who have experience and expert knowledge. Experience shows that a team works effectively if it consists of six to ten people. Only by defining the boundaries of the analysis can you determine who is included in the team. When drawing up a map of the company’s financial risks, the team must include the head of the financial department, the head of the legal, control, GG departments, etc. The degree of detail required in the analysis is specific to each risk and varies from one risk to another, but depends mainly from the goals pursued by the organization.

Mapping is a complex process that involves many specific activities, but in general terms it involves visualizing identified risks. Risk identification includes financial risk analysis aimed at identification and assessment of risks.

Let us recall that identification is the first and one of the main stages of risk analysis. The results of risk identification make it possible to describe and compile a risk register. Risk assessment involves determining (calculating) the main qualitative and quantitative parameters (magnitude) of risk.

The results of risk identification and assessment are entered into financial risk maps. To build a financial risk map (hereinafter referred to as the Map), you must complete the following sequential steps and fill in all the columns of the following table (Table 2.6).

At the initial stage, identification involves choice of risk owner (risk subject). In our Map this is the line - job title.

The so-called risk owners (from English - riskowners) – These are employees, specialists whom the manager instructs to monitor the triggers of some specific risk, as well as manage response procedures in the event of this risk occurring. Employees become risk owners because of specific expertise regarding a particular issue or because they have some control over a specific risk.

Here the selection of an employee’s position and identification of the types of activities performed by him and the management objects associated with these types of activities are carried out. We will enter the selected type of activity in column 2 Maps.

The group of subjects with increased financial risk includes those that are characterized by:

• the presence of powers related to the distribution of significant financial resources;
• a high degree of freedom of action caused by the specifics of their work;
• high intensity of contacts with organizations and their representatives.

The next step is to identify a list of job responsibilities with high financial risk. Identification and assessment of risks is carried out according to a specific list of job responsibilities with a high probability of financial risks.

Column 3 Cards involves consideration and analysis of work conditions. Usually the following conditions are distinguished:

FINANCIAL RISK MAP No.________________

Department: _________________________________________________

Job title: ____________________________________________________

Filled out

(Head of department) (signature) (Last name I. O.) (date) AGREED

Head of organization (division) ____________________________________________________________

______________________________________________________________________

• (EXPERT/CONSULTANT)
• normal (planned activities) – designated by the letter “N”;
• emergency (incidents and other emergencies) – designated by the letter “A”.

Identification of specific types of financial risks associated with selected activities is recorded in column 4 Maps.

The identified risks are described and documented in the form of a Register of Financial Risks (Table 2.7).

Table 2.7

Register of financial risks

	Object of risk	Risk name	Description of the risk	Risk factor
P

Count 5 Cards involves the identification of existing measures against the impact of hazards (regulations, measures) for the selected type of activity (work). Measures against exposure to hazards include:

• training and advanced training in the field of minimizing financial risks;
• carrying out certification of workplaces;
• carrying out certification of workplaces according to working conditions;
• testing of implemented standards, norms, regulations;
• identifying areas of business processes not covered by controls;
• identifying ineffective controls;
• introduction of new indicators of financial risks;
• other similar measures.

Identification of incidents (commercial bribery, official forgery, trading of insider information, abuse of authority, etc.) in the organization is filled out in column 6 Maps. Information on incidents is accumulated in the table presented (Table 2.8).

Table 2.8

Information on incidents

Description of the severity of the hazardous event (assumed - in the absence of statistics) from the possible impact of the hazard (column 7 Cards) taking into account the implementation of existing measures against this impact (standards for minimizing financial risks).

The most difficult step is assessing the risk. The risk assessment associated with the identified hazard is recorded in columns 7–10 Maps.

The risk associated with an identified hazard is assessed using the following formula:

where P is risk; T – severity of harm; – probability of danger occurrence; – exposure to hazards.

The severity of harm (T) is assessed in a point system (for example, in a ten-point system) and filled out in the form of a table (Table 2.9).

Table 2.9

Severity of harm T

	Characteristic
	Bankruptcy
	Loss of primary financial document

The severity of harm is determined by the expert assessment of the working group that conducts the mapping. They determine the severity and assign points based on the specifics of the business entity. Therefore, for example, the harm from the revocation of a license to carry out transactions in foreign currency for some organizations will be 9 points, and for others, non-core organizations, much less.

The probability of harm (B) is considered by experts in terms of the likelihood of the hazard occurring and exposure to the hazard and is filled out in the following tabular form (Table 2.10).

Table 2.10

Probability of harm B

	Probability of occurrence of danger, B1	Exposure to hazard, B2
	1 event per day	From 90% of working time
	1 event per month or less	80 to 90% of working time
	1 event per quarter	70 to 80% of working time
	1 event per half year	60 to 70% of working time
	1 event in 9 months	50 to 60% of working time
	1 event in 1 year	40 to 50% of working time
	1 event in 2 years	30 to 40% of working time
	1 event in 3 years	From 20 to 30% of working time
	1 event in 4 years	From 10 to 20% of working time
	1 event in 5 years	Up to 10% of working time

Further, the identified risks must be sort. Let’s look at a real technique for sorting out a large number of risks, which has proven itself in more than one hundred companies. It is actively used and promoted by the Risk Management Special Interest Group ( RMSIG ) from Project Management Institute. The essence of the method is to distribute risks over a special card (its other name is PI- matrix). The map should look as shown in the table. 2.11. Typically, all identified risks are distributed among the risk team members. As a rule, the one who identified the risk is responsible for the risk (source indicated at RMC- map). Risks identified by those not present for the procedure are shared equally among all other participants. Then the participants distribute their risks into certain squares, i.e. rank the probabilities and degrees of impact of these risks.

Table 2.11

Risk sorting map

Probability
	Impact level

It may be necessary to improve the quality of individual decisions about the likelihood and impact of risks. It is recommended to distribute markers of different colors to team members and ask them, after reviewing all the risks, to mark those with which they do not agree and which, in their opinion, need to be discussed separately. The flagged risks are then discussed and appropriate changes made. At the end of this step, the likelihood and degree of impact of each risk on the project is considered established, and RMC- cards, the probability of a given risk and the degree of influence are entered.

In addition to the risk sorting procedure, they must be propagate those. define R.R. (from English - risk ranking) for each risk. Formula for determining R.R. is this:

R.R. = Probability of risk (IN) × Risk exposure ( Y ).

This step repeats the sorting of risks on the map, but experts advise carrying it out, since it will be needed in the future. Then you can determine which risks will be included in the risk management process. List of risks according to value R.R. allows you to sort them. In this way, risks that have a very low probability of occurring or will have a very small impact on the project can be removed from further analysis.

The most important thing at this step is to decide on the threshold values ​​of risks that will be included in further consideration. This is a complex issue on which it is difficult to give specific recommendations. The experience of the project manager plays a huge role here, as well as the risk levels that are accepted as thresholds in the company. If the company has adopted a maximum project risk level of 70, then all risks that have R.R. above 45–50 should be considered significant. All risks that have R.R. below 45–50, are documented, but are not put into risk management work. The identified risks are ranked, their written description is compiled, which is entered into a special table (Table 2.12). A similar table is filled in by each expert.

Table 2.12

Risk ranking map

	Object of risk	Risk name	Risk factor	Probability of occurrence	Damage from risk	Risk index (I r = B × Y)
P

The results of risk identification and assessment are entered into Maps for presentation to management. The identified, sorted and ranked risks are entered into the first version of the final Corruption Risk Map. In fact, we have already done part of this work by filling out the table. 2.6.

For a more visual representation, the identified and sorted risks are entered into a matrix Risk Map. Depending on the degree of danger, several categories of risks are distinguished. The number of categories corresponds to the needs of the study. You can use the table below as a starting point. 2.13. It will help determine High , Average or Low risk depending on its likelihood and consequences. For example, the combination High probability + High influence will obviously mean High level of risk.

Table 2.13

Risk level

Severity of Consequences/Probability of Occurrence	Overall risk level
High Losses/High Probability
High Loss/Medium Probability
High Loss/Low Probability	Medium/Low
Medium Loss/High Probability
Average loss/Average probability	Medium/Low
Medium Loss/Low Probability
Low Loss/High Probability
Low Loss/Medium Probability
Low loss/Low probability

These nine simple combinations of risk characteristics can also be presented in tabular form as follows (Table 2.14).

Table 2.14

Level of risk and measures to manage it

Likelihood/Impact

The cells represent combinations of probabilities and consequences that can be safely ignored. The cells represent combinations that require urgent risk management measures. The cells represent combinations that require close attention and regular re-evaluation in the future.

The risk assessment is valid for a certain period. To have grounds to apply the apparatus of probability theory, this period must be quite long (three to five years). If the probability of an event (for example, theft) is low, the period under consideration should be further increased. But during this time the situation will change significantly and the old estimates will lose meaning. Consequently, when assessing risks, events with a probability less than a certain threshold can be neglected, despite the fact that the potential damage from them may be great. Note that this is contrary to traditional practice, when managers tend to pay excessive attention to risks with high damage and low probability. In fact, in the first place there should be risks with moderate damage, but with a high probability (for example, malware attacks), which are realized many times during the period under review. At the same time, it must be borne in mind that the probability of a negative event is very difficult to assess with any accuracy. Therefore, it is recommended to consider risks not as numerical values, but as points on a plane, where the coordinate axes are probabilities and losses (Fig. 2.4). The level lines for the risk function are hyperbolas.

Event risk U1 is one of those usually overestimated by managers; in practice, due to the low probability, it is advisable to neglect most of such risks.

A very important step in risk analysis is determining the risk tolerance limit. Risk tolerance limit – critical limit of risk tolerance. The choice of tolerance line is made by a strong-willed decision of the company’s management. Financial risks located above and to the right of the boundary are considered “unacceptable” and require immediate management attention. Those threats located below and to the left of the border are currently considered tolerable.

Rice. 2.4.

by us. The risk tolerance limit changes depending on the organization's risk appetite. When classifying risks by significance/probability, even without a numerical assessment, you can roughly estimate the amount of financial losses from a particular risk, which allows you to determine to some extent the organization’s appetite for risk and determine the limit of risk tolerance on the map. In order to visually represent the limits of risk tolerance (tolerance, acceptability), the financial risk map is presented in the following form (Fig. 2.5).

Rice. 2.5.

Risk acceptability limits allow you to immediately visually determine the division of risks into categories in terms of the danger they pose. The risk map can be a little more complicated and presented in color. For example, a matrix Risk Map may look like this (Fig. 2.6).

Rice. 2.6.

This risk map displays probability or frequency on the vertical axis and impact or significance on the horizontal axis. In this case, the probability of risk occurrence increases from bottom to top as you move along the vertical axis, and the impact of risk increases from left to right along the horizontal axis. The Arabic numerals on the map are designations of risks that have been classified so that each probability/significance combination is assigned one type of risk.

This classification, placing each risk in a specific separate “box,” is not mandatory, but simplifies the process of setting priorities by showing the position of each risk relative to others (increases the resolution of this method). The thick broken line is the critical limit of risk tolerance; cells are combinations of probability and significance (consequences) that can be completely safely ignored. When identifying critical risks, scenarios leading to risks above this limit are considered unacceptable.

They are marked on the map and . The cells represent combinations that require close attention and regular re-evaluation in the future. Based on identified unacceptable (intolerable) risks, it is necessary to understand how to reduce or transfer such risks, while risks below the border are manageable in an operational manner. Risk management corresponds to the movement of points along the plane. Usually they try to approach the origin of coordinates along one axis without changing the value of the other coordinate. However, if you can reduce both coordinates at once, it will be even better. In fact, depending on the design goals, many different types of risk maps or variations of a given risk map can be constructed.

The register and risk maps compiled on its basis are the main information base for making decisions on further risk processing. For the most accurate risk assessment possible, it is essential to take into account the full group of factors that determine risk. The set of risk factors must reflect all conditions of the organization’s external and internal environment that give rise to possible corruption risks.

The risk map has been drawn up; now it is necessary to develop measures to neutralize those risks that turned out to be above the tolerance limit. Based on the Maps of divisions, experts (consultants), together with interested divisions and specialists of the organization, within 10 working days, draw up a “Register of unacceptable risks of the organization (division)”. The working group must determine whether to leave everything as is and take no additional actions or develop a new action plan to manage the risks if they are not satisfied with the consequences. As a result of the activities carried out, it is possible reduce the likelihood of risk , reduce the likelihood of losses , or change the consequences of the risk.

The goal of creating an action plan is to figure out how to move each intolerable risk further to the left - lower into the tolerable zone. It should be noted that it is necessary to weigh the costs of such a move against the benefits of it. Proposed controls for unacceptable risks must first be assessed for the presence of new hazards and associated risks. The degree to which a risk is acceptable depends on the importance to each risk subject and their goals and expectations. The method of influencing the risk is selected. For example, if a risk has been determined to be unacceptable, then a mitigation option is developed. If it does not reduce the risk level to an acceptable level, then the avoidance option is used. If it is impossible to transfer the risk, it must be accepted with the obligatory reservation of funds in case of unforeseen circumstances.

From the point of view of risk management technology, with the construction of a risk map, the management process does not end, but only begins. Moreover, a risk map is a “living organism” that reacts to decisions made and operations performed. It lives and develops with the development of the organization; along with new opportunities, new risks appear; some of the old risks lose their relevance and become insignificant and insignificant for the organization. Therefore, it is important that the process of mapping risk and clarifying the map is built into the actions of the organization. This will allow the organization’s risks to be updated as often as necessary. Typically, the period for “planned updating” is a year; sometimes it is tied to certain cycles (seasonal, calendar) if they occur in the organization’s activities. However, when even weak signals appear about events that can greatly affect the organization’s risk objects, their impact on the organization’s risk map should be assessed without any frequency. It is important to understand that the value of a risk map lies not in determining the exact size of the probability or damage of risks, but in the relative location of one threat to another and their location relative to the acceptability boundary.

Thus, risk mapping is a universal analytical tool for understanding the financial risks of business entities, ranking them by importance, and preparing measures to minimize them.

• URL: iemag.ru/master-class/detail.php?ID=15716

If there were no risks, there would be no business and no reason to drink champagne. But we still have both, because risks in business are the only habitat for chance, fortune, success and new opportunities. The easiest way to puzzle a businessman is to ask him: How do you feel about risk? The first reaction will be negative: “Risks interfere with work. If it weren’t for the risks, things would be going great.”

But if we continue the conversation, it turns out that along with the risks, not only obstacles to business will disappear, but also the business itself. Paradox, not at all, because risk is the only habitat for chance, fortune and success; they do not live in other conditions. Therefore, the highest business pilotage is not the total destruction of risks, but targeted and systemic impacts on each of them, contributing to the transformation of problems into the development and success of the project as a whole.

Here's another way to confuse a businessman. Ask him: “What risks are most dangerous for the business?” First reaction: Unstable economic and political situation, gaps in legislation, corruption of officials, crime, unreliability of suppliers. And if you dig deeper, it turns out that all these risks (external) make up about 25% of all the risks of the project (project portfolio) as a whole. The remaining 75% are internal risks, located within the project team and the company. Among them are indiscipline, unformalized processes, ineffective motivation system, broken internal communications, and unqualified personnel.

What does it cost us to build a house?

In a construction company, project delivery deadlines were constantly not met, which led not only to losses (the approximate cost of one day of delay is about $12 thousand), but also to a loss of profit (about $10 thousand per day). Managers were not interested in completing projects as quickly as possible, since the motivation system included quarterly bonuses for work and a bonus for their successful completion. The sizes of these bonuses are comparable, that is, it was more profitable for the project manager to delay the delivery of the project and receive several quarterly bonuses than one for successful completion. Moreover, to begin each next stage of the project, the manager needed to collect more than 10 signatures from the heads of various departments. It is clear that these people went on vacation and were sick. Accordingly, the deadlines were delayed, even without one signature it was impossible to continue further work, although 70% of such signatures had long since lost their relevance. This example shows the impact of risks associated with staff motivation and poor internal communication. But by managing these risks, you can achieve early completion of the project, which will bring not losses, but additional profit. The motivation system should be tied to the milestones of each stage of the project. At these points, important information is transmitted and decisions are made. If this is not done, the risks that arise can lead to the failure of the entire project.

Risk management system in the company's project portfolio

Today there is a lot of talk about the implementation of a comprehensive risk management system. What is it? How does this system work? What tools does he use?

Today, a risk management system in a project portfolio exists mainly in financial institutions, companies with foreign capital and companies that have introduced a project approach into their activities (the risk management system is part of the corporate project management system). This list is due to the specifics of the activities of these companies. The banking business initially makes money on risks; for a bank, risk management is vital. Companies with foreign capital brought with them, in addition to investments, Western experience and management traditions. And in the West, risk management and the development of methods and approaches to risk management have been involved for a very long time.

One of the effective tools for risk management is a risk map. Difficulties in its preparation are often associated with unclear project goals and the lack of regulation of the main processes in the decision-making chain. It is possible to assess the impact of risks only after there is an understanding of who is really responsible for what and when all business processes are described. Also, to effectively identify risks, it is necessary to define the responsibilities and role instructions of each employee, to create a bonus system tied to a single result of the project, and not to the process. In other words, the risk management system in the project portfolio should be built by companies not in a “fire order”, but at a strategic level.

How does the risk map work?

Let's try to understand the risk map using the example of a company that supplies information security equipment. The organizational structure of this company is traditional for all similar organizations; as it turned out, it contained many risks. Let us describe the interaction of departments within the company. The sales manager, having concluded a contract, passes it on to the project manager, who delivers the products in accordance with the terms of the contract. The amount of the concluded contract is several million dollars, the customer's advance payment is 15%, the rest of the amount is paid upon delivery, the delivery period is three months.

This delivery time was predetermined by both logistics and the workload of the customer’s warehouses. To complete the transaction, the supplier had to take out a bank loan for a short period and, accordingly, at a high interest rate. Overall everything went well, if not for one “but”. After the transaction was completed, the sales manager remembered that two weeks after the contract was concluded, the customer called him.

Among other things, in this telephone conversation there was information that there was enough space in the customer’s warehouse to accommodate products. The sales manager from the supplier did not pay special attention to these words (he should not do this according to the job description approved by the company) and did not tell anyone about it. The project manager successfully delivered the products within three months.

Meanwhile, interest rates grew, and accordingly, profits decreased, because it was possible to supply the equipment and repay the loan earlier. Below is a fragment of the map regarding the risks of the entire project. Naturally, having identified and described the risks of the entire project, one should describe methods of responding to each of them (see Table 1).

Table 1. Risk map.

Risk names	Prevention/Response Methods
Lack of motivation for project results	Development of motivation schemes based on project results for project participants
Lack of periodic reporting on the project, periodic reporting in the established format in accordance with the approved regulations for the submission and collection of information does not exist	Formulating requirements for periodic reporting by information consumers. Development of forms and regulations for reporting. Motivation and demotivation for the accuracy and timeliness of reporting.
The project manager lacks authority and leverage over project participants.	Regulation of document flow and business processes (BP). Compliance with regulations. Demotivation for non-compliance with regulations. The principle of payment for internal resources.
Risk of having multiple points of information exchange with the customer? information may be distorted or lost.	Regulation of document flow and BP. Compliance with regulations. Demotivation for non-compliance with regulations. Information about the project team from the customer's side. Periodic project meetings. Consolidation of all information in a single information system.
Clear definition of the responsibilities of the sales manager as a project supervisor	Compliance with role instructions. Motivation and demotivation.
Risk of poor knowledge of contract terms	Demotivation, training

How many risks are possible and necessary to identify. In any project, after working with experts and clearly defining all business processes, the roles of participants and responsibility for the result, you can find 100-150 risks (remember that we have shown only a fragment of the risk map; its true dimensions are much larger).

After identifying risks at each stage of the project, they need to be ranked based on the likelihood of each risk event occurring and possible damage. The main goal of such an analysis is to determine which risks are the most significant, and to develop methods for responding to them, and to include the costs of response in the project budget. Risks are divided into systemic and critical. The source of systemic risk is not the project itself, but the organizational structure of the company as a whole. Responding to this risk will require more effort and changes will have to be implemented at the company-wide level. A critical risk poses a serious threat to the project, the source of which is the project itself. Naturally, it happens that the same risk is both systemic and critical. The project implementation scenario includes a response to critical and systemic risks (of the project portfolio), while minor risks are usually not taken into account in the plan. In order to minimize their possible impact (as well as the impact of undetected risks), reserves are created (for example, they increase the project timeline and budget by 10%).

Determination of the degree of danger of adverse events, as well as the list of events themselves, is based on an interview with the project manager. For this purpose, experts are also involved who have already implemented similar projects in the company and know what crisis situations can arise and what is the source of these crises (poor planning, poor decision-making, etc.).

It is important to remember that risk management is not a one-time event: you draw up a map and conveniently forget it. It is necessary to constantly adjust the risk map and decision-making mechanisms depending on what is happening. The risk map is formed through accumulations, it is constantly updated and undergoes major changes as the project is implemented. Many risks disappear with the completion of project stages. The likelihood and consequences of risks once identified and their priority assessment may subsequently change. New risks may also emerge. It is advisable to repeat the risk analysis so that new data is available when planning each new stage of the project.

What to do if there is no risk management system

As a rule, risks in companies are managed by special departments. However, if such a unit does not exist, then risk management is usually assigned to other departments. These departments develop mechanisms to reduce risk (for example, a reconciliation mechanism). This could be an internal audit, controlling, methodology department, or an analytical service, regardless of the name, the essence of the department’s work does not change.

In such a situation, risks are identified and eliminated during daily operations before the enterprise suffers serious losses. Naturally, working with such a manual management scheme is less effective; specialists in these departments, at best, reduce the company’s sensitivity to risk factors. For this purpose, full-time (risk managers) or freelance (consultants) specialists can be hired separately.

In conclusion, we emphasize once again that a comprehensive risk management system requires systematicity and consistency, only then will it give the desired effect. The operation of this system must be based on accumulated experience and be very flexible; the system must respond to all changes that occur. At the same time, it is useful to remember the words of the Marquis Luc de Clapier Vauvenargues: We foresee the difficulties associated with the implementation of our undertaking, but rarely think about those that are rooted in ourselves.

An effective risk management system for a project portfolio includes nine main components:

• the internal environment of the company in which the projects live determines how the risk will be identified and what decisions will be made;
• The company's goals must be clearly defined, because each of them is implemented through a project or an entire portfolio of projects. In other words, the goals that the company sets for itself determine what risks will arise. The task of a risk management system? ensure the safety of achieving your goals;
• identification of adverse events on which the achievement of set goals depends, their analysis for the existence of risks;
• risk assessment, identified risks should be analyzed from the point of view of the likelihood of a risk event and possible damage, as well as from the point of view of turning this risk (threat) into an opportunity;
• reaction to risk, determination of a possible reaction to risk: eliminate, reduce, accept or share risks. It must be taken into account that any reaction will change the project plan (as a rule, it will lengthen the project), but will make it possible to achieve the goal. To eliminate risks means to develop and carry out various preventive measures that will involve people and resources;
• information and communications, timely collection, processing and transmission of information to employees responsible for risk management;
• timely decision-making, development of scenario plans for project implementation in the event of the impact of a particular risk. Determining the mechanism for selecting these scenarios and making changes to the future project plan;
• control of business processes, internal rules, compliance with which ensures that the adopted risk response strategy is effectively implemented in daily operations;
• monitoring, previously identified risks must be constantly monitored and, if necessary, revised.

Anna Starinskaya

Views: 5 106

Representatives of various sectors of the economy - including our clients - often ask us, as risk management consultants, the question: are there simple and clear methods, accessible to non-specialists, that would help at least roughly assess the risks in the development of new strategic business areas, large investment plans, etc. It happens that during the strategy development process, up to ten possible strategies are evaluated. Each of them has its own set of often catastrophic risks. So is there a way to quickly and concisely display your organization's business risks that are preventing you from achieving your strategic goals? How to describe in several pages the details of these risks, as well as the composition of actions to reduce or eliminate them, how to establish and distribute the time frame for completing the work, measures of success and performers responsible for successful completion?

This can be done by building a risk map of your organization or a separate strategic direction for business development.

What is a risk map and how is it useful?

Risk map is a graphic and text description of a limited number of risks of an organization, located in a rectangular table, along one “axis” of which the strength of impact or significance of the risk is indicated, and on the other the probability or frequency of its occurrence. Figure 1 shows a particular example of a risk map.

Hsomething you can do yourself: the process of building a risk map.

In general, the process of risk mapping is part of a systematic methodology covering all aspects of a company’s activities, which allows one to identify, prioritize, and quantify (break into classes) the organization’s risks. Methods that consultants use when drawing up a risk map include interviews, formal and informal questionnaires, reviews and industry studies, analysis of the company's documentation package, numerical assessment methods, etc. It should be noted that when it comes to assessing financial risks, it is the quantitative analysis of the company’s financial statements that is important. Of course, the individual characteristics of the client company and its needs dictate the appropriate method of data collection and analysis.

We will describe an example of the process of independent risk mapping when solving the problem of identifying risks critical to the organization (threatening the existence of the organization), highlighting only the main steps. These steps include initial training, analysis boundaries, team composition, time horizons, scenario analysis and ranking, risk tolerance, action plan, quantification and modeling techniques.

Primary training.

When drawing up an organization's risk map, it is very important that at least one or two company employees are trained in the basics of risk management. They will further help to establish dialogue between team members and guide the entire team during the mapping process. To do this, it is necessary to conduct preliminary training, which can last from one to five days. In our experience, the best results are achieved when the orientation seminars last two to three days. The role of such a trained company employee is the manager of the risk mapping process within the company, constantly guiding the team towards the desired goal. In cases where specific subject matter expertise is required, an expert may be added to the team. Of course, if your organization has a large number of competent specialists, this will strengthen the team.

Don't trust the work to amateurs. If you do not intend to contact consultants, train your employees.

Limits of analysis.

The boundaries of analysis, which determine which business decision areas are affected by mapping, are determined early in the process. Risk management consultants also do this during the first stage of their assessment of the organization. In the example under consideration, we define boundaries as the identification, prioritization and understanding of all risks that impede the achievement of corporate strategic goals in the implementation of a specific strategic plan. Note that the scope of analysis can be as broad or as narrow as the organization desires. However, there must be a balance between the breadth of the scope, the depth of the information and the value of the information that will be obtained from the risk mapping process. For example, the value of one risk map for the entire company may be significantly less than the value of risk maps for each business unit or any one business unit of the company, or vice versa.

Decide on the goals, availability and cost of information. Then outline the boundaries of the analysis to build a risk map.

Command structure.

Team composition is critical to the success of the risk mapping process. When professional consultants carry out work, the team (working group) usually includes the top management of the company, i.e. those specialists who have experience and expert knowledge. In the case of independent risk mapping, the consultant is essentially the “collective intelligence” of the organization’s top management, guided by trained employees. Experience shows that a team works effectively if it consists of six to ten people.

Only by defining the boundaries of the analysis can you determine who is included in the team. When drawing up a map of a company's strategic risks, for example, the team includes the chief administrator, the head of the financial department, the head of the treasury, the head of the legal, control, IT departments, and the head of the strategic planning department, if the company has such a department. If the company already has a risk management department, then, of course, its head is included in the working group.

For narrower scopes, such as identifying and mapping the risks of a specific division or operating business unit, the team will consist of the top management of the division's management team. Or, if the risks of a certain area of ​​activity such as e-commerce are being analyzed, then the team will be formed from senior representatives of the relevant functional areas and those departments whose interests are affected.

It is most important that the team be as representative of the institutional knowledge of their company as possible and include top management.

Scenario analysis and ranking.

At this step, the team undertakes a guided brainstorming session to identify all the potential risks of the company under a given development strategy and the scenarios that accompany their emergence. Once identified, risks and scenarios are discussed, consensus is reached, and a written description of the scenarios is prepared. The key points of each scenario are the company’s “vulnerability” (risk object), “trigger mechanism” (risk factors) and “consequences” (the magnitude of possible losses).

A vulnerability or risk object is a company's value that is susceptible to potential threats. Trigger mechanisms (risk factors) cause negative consequences for risk objects. Consequences are expressed in terms of the nature and magnitude of losses resulting from the vulnerability of the risk object and the nature of the trigger mechanism. At the same time, it happens that seemingly dissimilar scenarios and trigger mechanisms leading to the same consequences for the risk object are combined, when viewed from a bird’s eye view, into one scenario. Already at this stage of work, one should strive to understand whether many small risks, which, as a rule, employees of an organization identify when working independently, can be combined into some groups, on the basis of which this can be done.

Once a limited number of scenarios have been identified and consensus has been reached, the team must rank the scenarios in terms of "impact" and "likelihood". The team defines both impact and likelihood in terms that are relevant to the organization. For example, in qualitative terms, the four impact ranks can be defined in descending order as (1) catastrophic, (2) critical, (3) significant, and (4) marginal. The probability ranks, of which there are six on our map, are also defined in qualitative terms from “almost impossible” to “almost certainly will happen.” Both likelihood and significance can also in principle be quantified by a company. The team can use any quantitative determination, however, this procedure is much more complex and requires significant analysis time.

Determining the risk tolerance limit.

The critical limit of risk tolerance is a broken thick line that separates those risks that are currently tolerable from those that require constant monitoring right now. Business risks located above and to the right of the boundary are considered “intolerable” and require immediate management attention. In the case of developing an organization's strategy, it is advisable to understand before adopting the strategy how to manage or eliminate them; will this not lead to such a decrease in business profitability that the strategy will become unattractive? Those threats that are located below and to the left of the border are currently considered tolerable (this does not mean that they will not need to be managed at all).

The risk tolerance limit changes depending on the organization's risk appetite. When classifying risks by significance/probability, even without a numerical assessment, you can roughly estimate the amount of financial losses from a particular risk, which allows you to determine to some extent the organization’s appetite for risk and determine the limit of risk tolerance on the map.

And here is the risk map!

The final step in mapping is placing business risks on the risk map based on their impact rank and probability rank, i.e. in essence, a classification of risks according to two parameters. In general, in a more complex case, there may be three or five such parameters. Then you can’t do without mathematics. In our example there are two parameters and the team aims to place each risk in the appropriate impact/probability cell. In this case, only one risk falls into one cell.

It is important to understand that the ultimate value of an organization's risk map lies not in determining the exact impact or level of likelihood of a particular threat, but in the relative position of one threat relative to other threats, and their position in relation to the risk tolerance boundary. Now, in order to accept this strategy, if it suits us in terms of profitability parameters, it is important to understand how to transfer all the risks lying in the red-lilac zone of “intolerance” to the green zone.

Action plan.

Risks that lie above the tolerance limit require immediate attention right now. Therefore, it is important to develop specific action plans to reduce the magnitude or likelihood of losses from a given risk. It is also necessary to determine target indicators and a measure of success in risk management, dates for achieving target indicators and assign responsibility. The goal of the action plan here is to figure out how to move each “unbearable” risk further to the left and below into the “tolerable zone.” It should be noted here that you need to compare the costs of such a move with the benefits from it, and also take into account that a strong reduction in the company’s risks can lead to its loss of most of its profitability.

Quantification and modeling.

The level of detail required in the analysis is specific to each risk and varies from one risk to another, but depends mainly on the goals pursued by the organization. If Western banks often fight for a fraction of a percent when assessing possible losses, then even our banks, not to mention enterprises in the real sector of the economy, do not yet need such accuracy. In general, when assessing a fairly wide range of business risks, significant detail is not required or cannot be done. Other risks and action plans will require more detailed research and quantification than can be achieved through questionnaires, brainstorming sessions, industry data studies, etc.

For risks that require additional analysis, sophisticated quantitative assessments and modeling techniques must be used.

Risk map - picture or process?

From the point of view of risk management technology, with the construction of a risk map, the management process does not end, but only begins. Moreover, your company's risk map is a “living organism” that reacts to decisions made and operations performed. It lives and develops with the development of your business; along with new opportunities, new risks appear; some of the old risks lose their relevance and become insignificant for your business. Therefore, it is important that the process of mapping risk and clarifying the map is built into the actions of the organization.

This will allow the company’s risks to be updated as often as necessary. Typically, the period for “planned updating” is a year; sometimes it is tied to seasonal cycles, if they occur in business, etc. However, when even weak signals appear about events that can greatly affect the company’s risk objects, their impact on the company’s risk map should be assessed without any frequency.

Creating value for the company.

Company risk mapping should be used to test existing strategies in the context of the company's realized and unrealized risks and opportunities for generating profitability, as well as to support management decisions on the development of new strategic directions.

Let's look at traditional approaches to strategic planning. While most companies perform some type of formal strategic planning (they are all well known), companies do not have a business process for identifying, assessing and integrating opportunities and risks, i.e. some kind of “teaching strategy”. This can easily be illustrated in the example of e-commerce, where traditional strategic planning methods cannot cope with the speed of change. The nature of technological change means that the reasons (returns and risks) that are considered correct for many of today's decisions are very likely not to be so in six months, and will bear no resemblance to those that will occur in three years. .

There is a disconnect between those who typically conduct the strategic planning process and those who interact with customers and are responsible for the gains or actual business losses in the ongoing business process. Traditional "strategic planners" rely on knowledge available at a specific point in time, while line management relies on "living" knowledge based on actual market dynamics, which can be called a "learning strategy." Business success depends on the quality of decisions made in the dynamic present. An ongoing risk mapping process targeting a company's strategy can bridge or reduce the gap between "strategy planners" and line managers, including "live" market information about where a company's competitive advantage can actually be realized.

Thus, risk mapping is a powerful analytical tool for understanding and prioritizing a company's business risks. In addition, in many cases, the risk map is a source for creating economic value for the company, because It is already clear that this methodology can be applied beyond the risk management process itself. It plays an important role in strategic and ongoing planning, implementation of existing and evaluation of future business strategies.

One of the main and accessible methods of risk management for many entrepreneurs, even those who are not specialists in the field of riskology, is the construction of a risk map. Entrepreneurs can use this risk management method in cases of strategic planning of their business, new investment projects, etc. After all, it happens that when planning a new business, an entrepreneur has many options for decisions and forecasts, and it is simply impractical not to assess the risk associated with the implementation of these decisions. But the fact is that this risk assessment using the construction of a risk map is quite rough and approximate.

The method of constructing a risk map allows you to quickly and concisely assess the risks that are possible when implementing management decisions of an entrepreneur.

A risk map is a display of the main number of company risks by plotting graphs and describing them. The horizontal axis of the risk map displays the strength of the impact, i.e. the significance of the risk, and along the vertical axis it is customary to mark risks in terms of the frequency of their occurrence, or, in other words, the probability of risk Nedosekin A.O., Maksimov O.B. Comprehensive assessment of the financial condition of an enterprise based on the fuzzy_multiple approach // www.vmgroup.ru

You can build a variety of risk maps with different sets of indicators. Figure 5 shows one of the options for constructing a risk map.

Here, the vertical axis displays the probability, or frequency, of the occurrence of a risk, and the horizontal axis displays the significance, or strength of impact, of a given risk.

Rice. 5.

Before constructing such a risk map, the specialist first classifies the assessed risks into several categories of significance. In the figure, these categories are shown in Roman numerals from I to IV. The same specialist then determines the categories of risk probabilities. In the figure, the categories of probability of occurrence are indicated in Latin letters. Arabic numerals from 1 to 10 indicate risks classified into different categories of probability and significance. The team that is building the risk map must identify all possible risks of the company that are potential given the company’s development strategy. Next, the team compiles a written description of the resulting scenarios. Important for describing each scenario is the definition of the risk object or “company vulnerability”, risk factors or “trigger mechanism”, the magnitude of possible losses or “risk consequences”. The next step is for the team to determine the rank of each scenario. Ranking is done in terms of “likelihood” and “impact”. The obtained data are summarized for convenience in a table (Table 3), and then the values ​​of “probability” and “significance” are transferred to the risk map. In this way, a graph of combinations of the probability of occurrence and the significance of each risk is built, and it is important that each combination corresponds to one type of risk. A thick broken line is drawn on the map, which represents the limit of risk tolerance. This boundary starts from the upper left corner of the probability value A and is laid along the average values ​​towards the lower right corner of the map. It separates risks that can be considered tolerable at the current moment in time from those that right now need to be given great attention and taken under strict control. The specialist identifies critical risks that are above the tolerance limit and are considered intolerable for the company. Before making the right strategic decision, a specialist must take measures to reduce them or transfer them to others. And risks below the tolerance limit are manageable.

All these calculations, assessment and analysis of identified risks, as well as the construction of a tolerance schedule can be done on your own. But, despite the apparent simplicity of the method, the procedure for constructing a risk map is preceded by a huge amount of work done by specialists in quantitative risk assessment and their formalization. In addition to quantitative analysis, specialists must do a lot of work to build a chain of probabilities.

The main task solved by building a risk map is to reduce cycles and decision-making time. The process of risk mapping itself is the application by the entire company of a methodology that would allow it to identify risks, prioritize them and quantify them, while breaking them down into classes. Often, a company with sufficient financial capacity does not manage risks on its own, but resorts to the help of consultants or specialists.

Consultants use various methods when constructing a risk map. These are interviews, various forms and questionnaires of a formal and informal nature, industry research, analysis of the company’s document flow, etc. When we talk about the financial risks of a company, namely their assessment, it is impossible to do without an analysis of the company’s financial statements. Here it would be more appropriate to use quantitative methods of assessment and data analysis. If a company has any characteristic features in terms of its type of activity or its format, then in this case these features must be taken into account when consultants carry out a risk analysis of this company.

Next, we will describe the process of independent construction of a risk map by any company in order to identify critical risks that threaten the existence of the organization. This process consists of several stages, each of which has its own special characteristics.

• 1. Primary training. To analyze risks and assess them, it is not enough to have superficial skills; it is necessary that at least several employees of the financial department undergo formal training in the specialty “Risk Management”. Even if not all financial professionals involved in risk research receive this training, but only some of them, it will already bring benefits. Trained specialists will guide the team in the right direction and guide the risk mapping process. You can only conduct preliminary training, which will take from three to five days. But practice has shown that the most effective for learning are introductory courses or seminars on risk management lasting about three days. A preliminary installation in the form of training employees in the basics of risk management in general and the mapping process in particular is aimed at training an ordinary financial employee to promote him to the level of mapping manager, who will guide the team towards the right goal. If simply trained several managers are not enough, then the company can take advantage of the help of experts in this field, who can be brought into the team while the mapping is being carried out. Naturally, the more well-trained specialists work in a company, the more efficient its activities and the stronger the team. It is important to remember that you should not trust the work in this area to amateurs. It is better to contact specialists or train your employees.
• 2. Boundaries of analysis. The first step in building a company risk map is always to determine the area and boundaries of the upcoming analysis. The boundaries of analysis are usually understood as those strategic decisions that the risk map is able to cover. This is done through a complete survey of the organization. The boundaries of analysis can be both wide and quite narrow. It depends on the wishes of the organization itself. Establishing the boundaries of analysis is tantamount to identifying risks, setting priorities, and understanding the risks that may hinder the achievement of a company's corporate goals. Although the size of the boundaries is determined by the company itself, there must be a balance between the breadth of the boundaries and the amount and value of information expected to be obtained from the risk mapping process. For example, it may be that creating a risk map for the entire organization may not be as valuable as creating several risk maps separately by activity or for each individual business unit. The opposite situation is also possible. It is important that the team first decides on the goals, availability and cost of information, and then sets the boundaries of analysis for mapping.
• 3. Team composition. The most important step in the mapping process is selecting a team to carry it out. The success and successful completion of a mapping project depends on the right specialists. If a company resorts to the help of third-party consultants in the field of risk analysis and assessment, then in this case the working group includes the company’s top managers, i.e. highly qualified specialists with extensive experience and knowledge in the field of risk, capable of conducting expert assessments. If the organization resorts to using only its own forces, then in this case the work group includes a team directed by trained employees, i.e. “collective intelligence”, oriented by several specialists. As practice has shown, the most effective and coordinated work is from six to ten people. Such a stage in drawing up a risk map as selecting a team composition must necessarily follow the stage of determining the boundaries of the analysis, and not vice versa. After all, it is important to determine the range of departments affected by the risk, and based on this, attract employees specializing in these departments. Most often, those employees who have the authority to make strategic decisions take part in drawing up a risk map. These include administrators and heads of financial, treasury and legal departments, and they can also be heads of strategic planning departments, if the company has them. Heads of control departments and information and computer technology departments also take part in mapping at some enterprises. If there is a risk management department among the company's divisions, its head is also included in the working group. If it is necessary to draw up a risk map for a separate division of the company or a specific operating business unit, then the composition of the team will consist of managers and the head of this division.
• 4. Scenario analysis and ranking. At this stage, the “collective intelligence” of the company carries out a “brainstorming” related to the identification of all potential risks that threaten the organization’s activities with a given chosen strategy, and the possibility of these risk events occurring. As a result of identifying these risks and their identification, the results obtained on the existence of risks and scenarios for their occurrence are discussed. Next, the team strives to achieve consensus on all identified issues: a written description of all types of risks and scenarios for their occurrence is prepared. In each scenario, three characteristics are important. These are the object of risk (company vulnerability), risk factors (trigger mechanism) and the amount of possible losses (consequences). The risk object represents the value of the company, which is constantly exposed to potential threats. The trigger mechanism refers to risk factors that cause negative consequences for the objects at risk. Consequences represent the magnitude of losses caused by the vulnerability of the risk object and the nature of the risk factors. At this stage, there may be a situation where it would be advisable to combine seemingly dissimilar scenarios and different risk factors leading to the same consequences into one scenario. It is also important to determine the need to combine many small risks into larger groups and the basis on which this combination is possible. After the working group has identified a certain number of scenarios and reached consensus on their content, the team can begin ranking the scenarios using the “impact - probability” method. It is important to determine the quantitative or qualitative characteristics of ranking. An example of qualitative ranking is the division of possible risk into catastrophic, critical, significant and marginal. As shown in Figure 5, risks can be ranked by the likelihood of their occurrence. Thus, there are six levels of probability, defined in qualitative terms from “almost impossible” to “almost certain to happen.” It is also possible to determine the probability and significance rankings of risks quantitatively, but this is a painstaking method that requires a lot of time for analysis. The results of the scenario analysis and ranking are presented in the form of a table. The table usually looks like this (Table 3).

Table 3 Zinkevich V.A., Cherkashenko V.N. Risk map - an effective management tool // www.consult.ru

The Crocus trading company sells household chemicals. The company's management decided to expand its product range by adding some perfumes. A team of specialists was assembled and tasked with developing a risk map for this project. In this case, the main objects of this project were identified. They are: profit from the trade of perfumes, the general profit of the company, an increase in retail space, an advertising campaign and a product promotion campaign, marketing research, an increase in the number of employees associated with the hiring of specialists in perfume products, an increase in wage costs for employees, etc. d. Next, the experts identified all possible risk factors, and one object may have several “trigger” mechanisms. Then the possible consequences to which the organization will be exposed are determined if these risks nevertheless overtake it. All this data is entered into table 4.

Table 4

Risk categories, or significance, are defined as: I - catastrophic, II - critical, III - significant, IV - marginal. And the probability of losses is denoted as follows: A - will definitely happen, B - almost certainly will happen, C - will not necessarily happen, D - possibly, E - almost impossible, F - impossible.

Based on the data obtained, a risk map is drawn up (Fig. 5), on which a broken line is drawn - the limit of tolerance.

• 5. Determination of the risk tolerance limit. As shown in Figure 5, the thick broken line - the tolerance line - separates risks that are currently tolerable for the company from those that must be immediately addressed and for which measures must be taken to reduce, abandon or transfer them. risks to third parties. Above and to the right of the tolerance line are those types of risks that require constant monitoring and special attention from management; they are considered unbearable. Those types of risks that are below and to the left of this border are currently tolerable, but this does not mean that they should be neglected, they just do not require management at the moment. By classifying risks according to their significance, it is possible to approximately draw a boundary of tolerance and approximately determine the amount of possible losses from each type of risk.
• 6. Drawing up a risk map. The final step in this mapping process is to plot the acquired and existing data on a map. Risks are mapped based on their impact rank and likelihood rank. Here we consider the classification of risk according to only two parameters - impact and probability. But there may be more classifiers. In this case, qualitative methods cannot be used; one must resort to mathematical methods. After drawing up a risk map, it is important to take all possible measures so that risks move from the upper zone of intolerable risks to the lower one. To do this, it is necessary to develop an action plan to reduce the magnitude and likelihood of possible losses from the negative consequences of the risk (Table 5). This is, first of all, the development of target indicators, determination of the date for achieving target results, as well as the appointment of those responsible for carrying out these activities. The purpose of the plan in this case is the same - to find opportunities to transfer some intolerable risks to a tolerable zone. And the most important thing is to evaluate and compare the costs of this movement and the benefits from it. It is also necessary to take into account that a significant reduction in the level of risk for a company can lead to a significant decrease in the level of profitability.

Table 5 Zinkevich V.A., Cherkashenko V.N. Risk map - an effective management tool // www.consult.ru

It can be said that once the risk mapping is completed, the risk management process has only just begun. Moreover, the risk map is considered a “living organism”. It evolves and changes as business develops and changes. New risks and new opportunities appear, old risks lose their relevance and become insignificant for the business relative to some new risks. And all these changes must be constantly made to the company’s risk map. It is not drawn up for life; its validity period is a certain period, after which it requires adjustment and clarification. Regardless of the approximate period for which the risk map was drawn up (year, season, etc.), when any new events appear that could have an impact on the company’s risk objects, measures should be immediately taken to assess, analyze these events and apply them to map of new risks.