How to Manage Risk Maps: Criminal, Ethical and Business

Introduction and Current Trends in Integrated Risk Management

Companies today must comply with a wide variety of regulations: general legal requirements, rules specific to the financial sector, technological regulations, and so on. Which norms apply to each company depends on various factors, such as the sector to which it belongs, the number of employees, or the turnover volume, among others.

To comply with these regulations, it is often necessary to manage different types of risks. The end result that any regulation seeks is a Risk Map that allows a quick visualization of the number of risks in the organization and their criticality, which is usually derived from two factors: the probability of occurrence and the impact on the organization.

In recent years, organizations have increasingly sought to integrate different types of risks into a single risk map, since doing so brings quite a few benefits, such as avoiding duplication of information and producing consolidated risk reports. However, this integration is not always easy, for various reasons.

Below, we set out some important points to take into account in order to achieve a high degree of integration between different types of risk.

Definition of Criminal Risks, Ethical Risks, and Business Risks

Criminal risks generally correspond to crimes that workers in an organization may commit in the performance of their duties, usually the crimes typified in the Criminal Code of each country. Not all crimes are applicable to every organization; which ones apply varies depending on the activities and services it carries out.

Ethical risks can be cataloged as those in which employees, because of their hierarchical position in the company and their easy access to information, feel tempted and at a given moment exchange their ethical principles and behaviors for others, adopting conduct that is improper, reprehensible or contrary to the law. In these risks, personal benefit usually takes precedence, regardless of the disaster that may result around them.

At the company level, some ethical risks can be identified, such as those set out below:

  • Verbal conflicts and disrespectful treatment between groups.
  • Abuse of authority.
  • Bribes.
  • Low performance due to lack of commitment.
  • Factors derived from knowledge of information.

Business risks are those that all business activities implicitly carry. The number of risks may vary between one organization and another, but no company is exempt from business risks, as they are directly related to its business areas and the services it provides.

Integrated Risk Map. How Do I Achieve it?

The requirements for achieving an integrated risk map are the same in all organizations. Depending on the type of organization (size, sector, applicable regulations, etc.), some will be more complex to meet than others, and some may already be met from the start.

  1. Probability and impact levels.
    The most basic, and at the same time most important, requirement for an integrated risk map is that the levels used to assess probability and impact are the same. Risk is commonly represented by both parameters, so if we want to fit different types of risks in the same map, the possible values for their evaluation must coincide. If the levels are not homogenized, the resulting risk values are not comparable.
  2. Risk calculation.
    Another important aspect is the risk calculation formula. It seems obvious that, to integrate risks of different types, they must be obtained in the same way. However, this point has nuances. A risk calculation methodology can follow “several paths” using different parameters (for example: more than one type of impact for the assessment of business risk; consideration of the frequency of an activity and the historical probability of the risk), but the important thing is that the risk calculation is always based on a final value of probability and a final value of impact. A couple of examples of the above:

    • The impact of a business risk is calculated from the assessment of several types of impact (economic, reputational…), but a final impact value is always obtained which will be the one taken into account for the risk calculation.
    • For a criminal risk, a single impact assessment is sufficient, and that value is the one considered for the risk calculation.
  3. Analyzed elements.
    Every risk must be associated with some element. This can be an area, a process, or the organization itself. To achieve an integrated risk map, it is essential that the elements that are the object of risk analysis exist and are part of the scope of the risk analysis.
  4. Typified risk catalogs.
    This aspect, while not mandatory, is highly recommended. To facilitate the identification and management of different types of risks in the same risk analysis, it is necessary to create risk catalogs by typology. This allows the risks that will be considered in the map to be defined homogeneously, and a coding mechanism can be established so that they can be classified quickly at a glance.

How Can We Help You with your Risk Maps?

We help you implement your integrated risk management system through the GlobalSuite® Risk Management software, with which you will obtain:

  • Greater ease in defining the risks faced by your organization.
  • Pre-established and customizable reporting that supports decision-making and shows you how to use your risk management resources optimally.
  • Time savings thanks to the heat map offered by the software, and the ability to easily filter by risk type.
  • Greater control of your organization by having all identified risks in a single platform.
  • Guarantee of always being up to date with risk catalogs of the main international and local regulations.
  • Ability to integrate with other software in your company to take advantage of management in other areas, for example, employees, processes, incidents, etc.