When Is It OK To Have High Risks In Your Heat Map?

Thomas Frenehard

We all know those “red risks,” right? Those red risks that, high probability or not, systematically carry a significant negative impact if they manifest themselves, and that scare everybody. Well, I was recently asked whether it is ever OK to accept them as they are—or whether all attempts should be made to lower them at any cost.

Being by nature quite risk-averse, my first reaction was to say that they should be mitigated with a sound response strategy. And then I gave it some more thought…

As a matter of fact, I now believe that in some cases you may need to accept that some events are high-risk and that you can’t really lower them. And this is what I want to discuss in today’s blog.

What are red risks?

First, let’s agree on what these “red risks” are. They are the events that, if they happen, will durably impact your business and may even jeopardize its sustainability in the short run.

They can be of two sorts:

  • High-probability and high-impact
    • You really shouldn’t have many of these if at all. This would indicate that your business is extremely risky and that impactful incidents can occur at any time. If that’s the case, sustainability is de facto endangered.
    • I don’t think that it’s ever OK to accept these risks. Attempts should be made to lower the probability of occurrence or impact.
  • Low-probability but catastrophic impact
    • These are the ones I want to talk about. In many industries there can be a “disruptive event” that could cause them. Natural disasters of course come to mind, but with recent events, political and terrorist risks are also a reality that needs to be included in the context.
    • Here you can’t lower the probability, so you can only work on the impact. But even there, in some cases, it will be more economical to accept the risk than to try to mitigate it.

When is it appropriate to simply record and monitor high-impact risks?

As for any other risk, you need to ask yourself: If it happens, what could be its impact on our objective? And what would this objective bring the company if we successfully achieve it?

In essence, what I am trying to convey is that there are two sides to the coin (here the objective). There is a positive aspect—usually referred to as the opportunity—and a negative one: the risk.

If your opportunity outruns your risk, then it’s worth taking it. Otherwise, it most definitely doesn’t make sense.

Now, once you have determined that taking the risk is justified from a business standpoint, you need to assess whether it’s possible to lower its negative impact. Indeed, the original question that I was asked was whether all attempts should be made to lower them at any cost.

You really need to do a return on investment (ROI) type of analysis on your response strategy. If the cost of the responses is higher than the potential impact of the risk itself, does it really make sense to mitigate it? If not, since we already agreed that you can’t lower the probability, you only have one choice: monitor occurrences and prepare for the worst-case scenario.
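As an added illustration (not from the post), the decision steps above written as a small Python function: opportunity versus risk first, then the heat-map cell, then the ROI check on the response. The thresholds and the use of expected loss (probability × impact) for the opportunity comparison are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed heat-map thresholds (not from the post): "high probability" at or
# above 20% per year, "high impact" at or above 1,000,000 in loss. Tune to scale.
HIGH_PROBABILITY = 0.20
HIGH_IMPACT = 1_000_000


@dataclass
class Risk:
    name: str
    probability: float            # likelihood of occurrence over one year, 0..1
    impact: float                 # loss if the event happens, same unit as opportunity
    mitigation_cost: float = 0.0  # one-off cost of the response strategy
    residual_impact: Optional[float] = None  # impact left after the response


def heat_map_cell(risk: Risk) -> str:
    """Place the risk in one of four coarse heat-map cells."""
    prob = "high" if risk.probability >= HIGH_PROBABILITY else "low"
    imp = "high" if risk.impact >= HIGH_IMPACT else "low"
    return f"{prob}-probability/{imp}-impact"


def response_strategy(risk: Risk, opportunity: float) -> str:
    """Apply the post's decision steps in order and return the recommended action."""
    # Step 1: does the opportunity outrun the risk? "Risk" is taken here as
    # expected loss (probability x impact); that weighting is an assumption.
    if opportunity <= risk.probability * risk.impact:
        return "do not take the risk"
    cell = heat_map_cell(risk)
    if not cell.endswith("high-impact"):
        return "record and monitor"          # not a red risk
    if cell == "high-probability/high-impact":
        return "mitigate"                    # never acceptable as-is
    # Step 2: low probability but catastrophic impact, so only the impact can
    # be worked on. Compare the cost of the response with the impact it removes.
    residual = risk.impact if risk.residual_impact is None else risk.residual_impact
    impact_avoided = risk.impact - residual
    if risk.mitigation_cost >= impact_avoided:
        return "accept: monitor with key risk indicators and keep a continuity plan"
    return "mitigate"
```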

Preparing for the worst-case scenario

Here, of course, I refer to business continuity plans. If there is a chance that the risk will manifest and impact you, prepare for this disruption and design your contingency plan. You will have to work in a degraded mode for some time.

Don’t wait for it—look for it!

Like a storm when you are on a boat, it’s always better to see it beforehand even if there is nothing you can do about it. Key risk indicators, which I have already mentioned a few times in these blogs, are your best friends here.

For example, is your catastrophic risk a typhoon-type natural event? Survey and monitor weather information so that you are alerted in time and can trigger your continuity plan, i.e., evacuate your employees, shut down production at the concerned site, and so on.

As you’ve already gathered, I do think that there can be “red risks” that you have to accept, simply because they may come from an external source and there is nothing you can do about them. Nevertheless, whatever the case, not only do you need to know about them (and report them), you must also plan for the worst-case scenario so that you are prepared in case it occurs. This includes continuously monitoring the threat so as not to be caught by surprise.

How about you? Do you agree that there can be acceptable “red risks”?

I look forward to reading your thoughts and comments either on this blog or on Twitter (@TFrenehard)!



About Thomas Frenehard

Thomas Frénéhard is a director in the Governance, Risk, and Compliance Solution Management team at SAP. His particular responsibility is with SAP Risk Management. Thomas's other functional areas of focus are in internal control and compliance management and audit management. In this role and in constant interactions with SAP’s network of partners, clients, and internal stakeholders, Thomas is responsible for bringing together technology, skills, and products to deliver an always-compelling solution for enterprise risk management.