MANAGING AND MEASURING VALUE CREATION
At the enterprise level, a risk identification and assessment exercise at a global company can develop a list of risks sometimes numbering in the hundreds. Such an expansive list of risks requires organization. One approach to organizing the list is to create a risk register. The purpose of a risk register is to sort the risks into categories, describe their characteristics, and rank them. Bringing additional order to a cumbersome risk register is a risk map – a kind of executive summary of the risk register in a pictorial format. A risk map is a graphical snapshot of the key identified risks – usually the top 10 risks. Including all the risks identified on a risk map would render it indecipherable.
The key question practitioners should be asking about these tools is: Who benefits from the time-consuming and expensive exercise of creating a risk register that sometimes contains hundreds of risks, and the associated risk map? If the benefit is limited to a single function, that suggests a limited and narrow purpose of the organization's risk management program.
Traditional risk maps are insufficient for many reasons. One key shortfall is that traditional risk maps do not properly plot risks. The common objective definition of risk in risk management, finance, and statistics – "the variation from an expected outcome over time" – includes three parameters. Traditional risk maps plot only two variables that make up the expected outcome: (1) the probability of an event and (2) the value of that loss. Rarely do they plot gains. But conspicuously missing from traditional risk maps are variation and time. All four variables must be plotted in order to provide complete information about the risks.
-  Stephan R. Leimberg, Donald J. Riggin, Albert J. Howard, James W. Kallman, and Donald L. Schmidt, The Tools & Techniques of Risk Management & Insurance, 2009 supplement (Cincinnati, OH: National Underwriter Co.), 8.