Customise a risk universe map for your organisation, sector or project with this easy sample-template.
Use RiskMapper as an inherent risk mapper and risk register-analysis tool to help you become RiskSmart.
RiskMapper features a unique heat-prioritised rating criteria system based on risk practitioner experience - not theory. Here are some smarter ways it helps you to manage risk:
1 categorising your inherent risks,
2 heat-prioritising them, so executives understand priorities
3 using it as an 'inventory' for risk identification and assessment purposes
4 'reality-checking' the robustness of your residual risk register (by comparing both maps against each other)
5 starting a risk-based audit plan (if there are no robust risk registers in-place)
6 building a bridge between business risk management and internal audit
Here's how to get started (assuming you know the basics of using a spreadsheet in .xls format):
Step 1: Understand the background. Read the attached worksheet called "Background".
Step 2: Research the inherent risks for your sector/business/project. Gather lists from appropriate sources, e.g. insurers, desktop research, team workshops, Delphi experts, etc.
Step 3: Familiarise yourself with the worksheet "Universe" (view it at 40% to get the big picture), read the Notes, remove all colour from the boxes and remove the code numbers below them.
Step 4: Start to customise it to suit your needs by changing risk titles to your preferred set, especially at Level Three. Add Opportunities as well as Threats.
Step 5: Understand the Rating Criteria on the "Rating" worksheet. Print it off and use it as a reference in the next step.
Step 6: Rate each risk by adding your own rating codes (e.g. 3,4,8) underneath each Level 3 box, using the Criteria. This leaves an audit trail.
Step 7: Colour-paste each box to the correct heat-colour Rating (i.e. red, amber, yellow, green).
Step 8: Re-order the boxes within the 'strings' so the boxes appear in colour order: red at top, then amber, yellow, green and white. NB: Does the pattern suggest a risk profile?
Step 9: House-keeping: check all externally-sourced risks are in italics, add comment boxes to clarify, spell-check, format-check.
Step 10: Update periodically, e.g. check sector publications or competitor annual reports for new risks, etc.
Step 11: Apply it: E.g. Transfer your 4-colour rated residual risk register risks onto the same format and print in A3. Place it over your A3-print of the Universe map and compare the
pattern. Does it suggest your business managers are missing or wrong-rating the residual risks? Or are you tracking the wrong inherent risks, if the outside real world has
Step 12: Future: send any improvements or global practice changes to email@example.com and watch our website: http:// www.DAntonucci.com
Sources: A Synthesis by Domenic Antonucci including but not limited to:
1 Personal multi-sector experience in Europe, Africa and Asia-Pacific for the Rating criteria.
2 Various publications, including "IFRS conversion Who’s managing risks on the road ahead?" 2010 by Deloitte, audit and consulting firm
3 Marsh Business Risk Inventory by Marsh Risk Consulting, the largest global specialty risk consulting firm
4 CIA Learning System (Institute of Internal Audit Certified Internal Auditor) guidelines by the Institute of Internal Audit (IIA)
5 "The Risk IT Practitioner Guide" 2009 by ISACA and RiskIT
RiskMapper - Risk Universe Map for <Ports>
Level One Category of Risk: Strategic Risks | Operational Risks | Financial | Hazard
Level Two categories (the columns of the map): Geo-Political; Economic; Societal; Reputation; Market; Business Strategy; Technology & Science; Corporate Governance; Environment & Sustainability; Information Technology; Planning; Corporate Assets; Human Capital; Legal & Contract; Sales, Marketing & Communications; Product & Customer; Process & Planning; Compliance, Reporting & Risk; Finance; Hazard & Environment
[The Level Three risk boxes sit under each Level Two column with their rating codes (e.g. 1,4,5,7) underneath; the grid layout does not survive text extraction and is not reproduced here. Level Three titles legible in the extract include: Regulatory Trends, Sanctions, Terrorism, War, Transnational Crime & Corruption, Kidnap, Ransom & Extortion, Pandemic & Disease, Extreme Weather, Fire & Explosion, NatCat: Earthquake, Cyber Crime, Information Security, Data Fraud / Loss, Confidentiality, Physical Security, Internal Fraud, Unauthorised Acts, Theft & Crime, Piracy, Business Interruption, Business Continuity Management, Disaster Recovery & Continuity, Technology Obsolescence, Intellectual Property, Supply Chain Mgt, Claims & Litigation, Product Recall, Dangerous Goods Handling, Navigational Safety, Water Depths (Dredging).]
The above universe categorises inherent risks (not residual risks) for a port, prioritised against the rating criteria
All risks listed here are inherent risks, not residual risks
All risks currently represent Threats, not Opportunities, but these can be added as appropriate
Italics = Externally driven typical sources of risk
Overlaps and inter-connections do occur
Blank/white boxes are not applicable at this time, but possible in future
Printed on 12/1/2011 7403473c-6eca-4432-ba7e-8a117b734dd9.xlsx
RiskSmart Universe of Risk for ADPC
# | Type of Uncertainty | Rationale - The nature of the business activity means this type of uncertainty is inherently sourced from or characterized by: | Rating Notes
10 | Complexity | Complexity of task, process, design, interface, function, controls, geography, footprint, etc. Also pervasive risk or systemic risk. | often hides risks
9 | Inter-face | Failures at the point of key interfaces between plan/execution, plan/capability, parties, processes, people, technology, etc. | often hides risks
8 | Volatility & factors | Exposure to unexpected crisis factors, e.g. volatile business assumptions and financials (FX, forecasts, demand, supply, stats), measuring the wrong things, unexpected crisis. |
7 | Assumptions | Exposure to inappropriate assumptions or failure to adapt to changing assumptions, e.g. changed measures, KPIs, market demand. | often hides risks
6 | Alignment | Business activity uncertainty from lack of strategic alignment or fit between activities, functions, processes, technology, etc. |
5 | Change | Transition, subject to change, or key planned or recent changes in people, organisation, process, design, etc. |
4 | History | External history of sector events, losses, near misses, track record, reputation. |
3 | Assurance | Internal history or current Audit or review attention or remedial controls. |
2 | NINA | Source of risk is Non-Insurable and/or Non-Avoidable (i.e. source being outside the control of the entity). |
1 | Compliance | Exposure to compliance, regulation, approvals, etc. | often routine controls
All ratings are based on these criteria, except where indicated (e.g. Booz ratings used for Interface risks).
Scoring Method | Rating | Action
Any 1 in the Red band, or a combination of 2 from the Orange band + any other | Very High | Expect as high on the residual register
1 or 2 in the Orange range, or a combination of 3+ from Orange+Yellow+Green | High | Expect as high on the residual register
1 or 2 in the Yellow range, or a combination of 3+ from Yellow+Green | Medium | Assurance
1 or 2 in the Green range | Low | Monitor
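The Scoring Method above, together with Steps 6 to 8 and the Step 11 overlay check, is mechanical enough to script. The following is an added example, not part of the RiskMapper workbook: it parses the audit-trail code cells (e.g. "1,4,5,7"), applies the four scoring rules in order of precedence, reading "combination of 3+ from Orange+Yellow+Green" as requiring at least one code from the first-named band, colours each box, sorts a 'string' into red/amber/yellow/green/white order, and flags mismatches between a universe map and a residual register. Which of the ten criteria codes belong to which colour band is not stated in the text, so DEFAULT_BANDS is an assumed placeholder mapping to replace with your own worksheet's assignment; SAMPLE_STRING pairs titles from the Ports map with codes purely for illustration.

```python
"""Heat-rate Level Three risk boxes the RiskMapper way and sort a 'string'.

Added example (not part of the RiskMapper workbook). It implements the
"Scoring Method" rules on the Rating worksheet, reading "combination of 3+
from Orange+Yellow+Green" as needing at least one code from the first-named
band. ASSUMPTION: the text does not say which of the ten criteria codes fall
in which colour band, so DEFAULT_BANDS is a placeholder mapping; replace it
with your workbook's own band assignment.
"""
from collections import Counter

# ASSUMED band membership (not given in the text); override per your workbook.
DEFAULT_BANDS = {
    "red": {10, 9},
    "orange": {8, 7, 6},
    "yellow": {5, 4, 3},
    "green": {2, 1},
}

# Rating -> heat colour pasted on the map (Step 7) and the Action column.
RATING_TO_COLOUR = {"Very High": "red", "High": "amber", "Medium": "yellow",
                    "Low": "green", None: "white"}
RATING_TO_ACTION = {"Very High": "Expect as high on residual register",
                    "High": "Expect as high on residual register",
                    "Medium": "Assurance", "Low": "Monitor", None: "n/a"}
COLOUR_ORDER = ["red", "amber", "yellow", "green", "white"]  # Step 8 order


def parse_codes(cell):
    """Parse an audit-trail cell such as '1,4,5,7' into a set (blank -> empty).

    Tolerates spaces and a trailing comma, both of which appear in the map.
    """
    codes = set()
    for token in cell.replace(" ", "").strip(",").split(","):
        if token:
            code = int(token)
            if not 1 <= code <= 10:
                raise ValueError(f"rating code out of range: {code}")
            codes.add(code)
    return codes


def band_counts(codes, bands=DEFAULT_BANDS):
    """Count how many of a box's codes fall in each colour band."""
    counts = Counter()
    for code in codes:
        for band, members in bands.items():
            if code in members:
                counts[band] += 1
                break
        else:
            raise ValueError(f"code {code} is not assigned to any band")
    return counts


def rate(codes, bands=DEFAULT_BANDS):
    """Apply the Scoring Method; None means a blank (white) box."""
    if not codes:
        return None
    c = band_counts(codes, bands)
    # Any 1 in Red, or 2 from Orange plus any other code
    if c["red"] >= 1 or (c["orange"] >= 2 and len(codes) >= 3):
        return "Very High"
    # 1 or 2 in Orange, or 3+ from Orange+Yellow+Green with an Orange present
    if c["orange"] >= 1:
        return "High"
    # 1 or 2 in Yellow, or 3+ from Yellow+Green
    if c["yellow"] >= 1 or c["green"] >= 3:
        return "Medium"
    return "Low"  # 1 or 2 in Green


def heat_string(boxes, bands=DEFAULT_BANDS):
    """Rate every (title, codes-cell) box in one Level Two 'string' and return
    them in heat order: red, amber, yellow, green, white (Step 8). The sort is
    stable, so boxes of one colour keep their original order."""
    rows = []
    for title, cell in boxes:
        codes = parse_codes(cell)
        rating = rate(codes, bands)
        rows.append({"title": title, "codes": sorted(codes), "rating": rating,
                     "colour": RATING_TO_COLOUR[rating],
                     "action": RATING_TO_ACTION[rating]})
    rows.sort(key=lambda r: COLOUR_ORDER.index(r["colour"]))
    return rows


def compare_maps(universe, register):
    """Step 11 overlay check. Both inputs map box title -> colour. Flags hot
    inherent risks absent from the residual register, and boxes the register
    rates hotter than the inherent view (a possible wrong-rating)."""
    findings = []
    for title, inherent in universe.items():
        residual = register.get(title, "white")
        if inherent in ("red", "amber") and residual == "white":
            findings.append((title, "hot inherent risk missing from register"))
        elif COLOUR_ORDER.index(residual) < COLOUR_ORDER.index(inherent):
            findings.append((title, "residual rated hotter than inherent"))
    return findings


# Constructed sample: titles from the Ports map, codes paired with them here
# for illustration only (the extracted grid does not preserve the pairing).
SAMPLE_STRING = [
    ("Regulatory Trends", "1,4,5,7"),
    ("Technology Innovation", "2,6"),
    ("Sanctions", "1,4,8"),
    ("Terrorism", "2,4"),
    ("War", "2,4,5"),
    ("Transnational Crime & Corruption", "4,5,8,9,10"),
    ("Nuclear Proliferation", "2"),
    ("Future placeholder box", ""),
]

if __name__ == "__main__":
    for row in heat_string(SAMPLE_STRING):
        print(f"{row['colour']:6} {row['rating'] or '-':9} "
              f"{row['title']:34} codes={row['codes']} -> {row['action']}")
```

Because the band membership and the precedence reading are parameters rather than hard-coded truths, swapping in the worksheet's real band assignment changes only DEFAULT_BANDS; the rule logic and the Step 8 ordering stay as the Rating worksheet describes them.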
These notes are not comprehensive, just informative.
Hate it when your CEOs and business executives say "So what ..." when faced with a typical 'white' risk universe map?
Now you can attract their attention with real risk priorities
WHY BOTHER WITH A RISK UNIVERSE MAP?
1 Your CEO and business executives do not understand their inherent business risks AND their priorities
2 You have no risk registers and want to kick-start the process with an inventory tool
3 You have risk registers and want to test how robust they are
4 You want to kick-start your risk-based audit plan, even when you cannot access any residual risk registers
5 You want a working bridge between business risk managers and audit functions
6 You must comply and provide one as a requirement from regulators, auditors, insurers and other external stakeholders
RISK UNIVERSE DEFINITION
The scoping, boundaries or collection of all assumed inherent uncertainties (risks) and opportunities that may affect the achievement of objectives, OR
All potential risks and risk event descriptors as applicable to the sector/organization/etc, regardless of actual likelihood or impact
"Risk" being any uncertainty impeding achievement of objectives/goals
To scope inherent risk potential across a given entity within the context of its sector experience and operational/geographic footprint
To scope inherent risk potential BEFORE OR INDEPENDENT of the business manager perspective and a corporate risk register
Does NOT represent actual or residual risk
Can be used to create or compare against and vet any residual risk assessment results / actual risk register to test their robustness and completeness
Can be used as an input to a risk-based audit plan and for clarity with an Auditor or regulator or sector authority
MORE THAN ONE UNIVERSE MAP?
The most popular type of Risk Universe map scopes out inherent risk in the form of a risk-categorised hierarchical bush. Typically this is un-prioritised, or inventory-looking.
RiskMapper represents a new version of the above format, which heat-colour prioritises the old 'white' map and leaves an audit trail.
Alternative Risk Universe maps may scope inherent risks in different forms. For example, a functional matrix of Y Axis (Stakeholders) & X Axis (Objectives, Interfaces, Processes, Assets, Project LifeCycle).
The four-colour ratings criteria are explained on Worksheet Rating. These have been derived from the RiskMapper creator's past business experience and tested by peer risk practitioners.
These criteria and methodology can be adapted and changed to suit any new user.
RISK UNIVERSE BACKGROUND NOTES (ISACA)
Risk Universe Maps represent potential areas of risk exposure. These vary in size and significance for each business and its sector footprint.
This big-picture risk universe can help to test and map out a risk register and scan for inter-dependencies, assumptions and links between risks.
A risk universe describes the overall risk environment (i.e. defines the boundaries of risk management activities) and provides a structure for managing all risk.
The risk universe is Enterprise-Risk Management (ERM) sympathetic:
* Considers the overall business objectives, business processes, and their dependencies and interfaces throughout the enterprise.
Risk needs to be seen from an end-to-end business activity perspective, crossing functional silos (e.g. IT operations, project management,
application development, disaster recovery, security, etc.).
* Considers the full value chain of the enterprise - not only the enterprise and its subsidiaries/business units but also its clients, suppliers and service providers (the ‘extended’ enterprise).
* Considers a full life-cycle view of business activities - most relevant to the entity - including transformation programmes, investments, projects and operations
* It includes a logical and workable segmentation of the overall risk environment (e.g., across organisational entities, geographic locations, technologies, applications).
This is not easy —the hierarchical organisation of the enterprise, business processes, and supporting Risk infrastructure and
services often are not aligned, and it is highly probable that different views along different dimensions exist for the overall environment. It is
up to different users within the enterprise to determine which view will be the most meaningful to support the business objectives
of the enterprise while considering the potential overlaps or omissions.
* Needs to be updated and reviewed on a regular basis due to the constantly changing internal and external environment
Are unlimited. The most popular macro-categories (Level One) are:
Level Two and others can include:
1. Asset Management - loss, damage, destruction, loss of use of own or other party's
buildings, plant, equipment, stock.
2. Compliance - failure to comply with regulatory requirements, internal or external.
3. General Management - consequences of poor corporate governance and/or general
4. People - injury to staff and other people; failure of duties of care to other parties.
5. Environment - damage to the environment.
6. Business Model / Change Management - impact on the business of poorly managed
strategic development and change processes.
7. Financial - reduced revenue and/or increased expense flows.
8. Products and Services - liability arising from product or service, quality or delivery.
9. Technology and IT - impact relating to failure of technology.
Level Three sub-set categories may vary the most widely by sector and business, and are subject to change over time.
Whichever categories are chosen, ensure that they are aligned to the residual risk register's categorisation so they can be compared consistently.
Customise. Some sectors like Finance, would extend the Level Two and Three categories under "Finance" for instance.