Risk Mapping

Risk mapping is a way to visualise risks. It involves identifying, evaluating and defining responses to mitigate risks, ensuring proactive management and prevention.

Key concepts important for creating a risk map are:

Likelihood
The probability of a risk occurring. Likelihood is usually assessed using a relative rating from 1 to 5, where:

  1. Rare: Very unlikely occurrence
  2. Unlikely: Possible but not expected
  3. Possible: Fair chance of happening
  4. Likely: Expected to happen
  5. Almost Certain: Almost guaranteed to happen

Impact
The severity of the risk if it happens. Impact is usually assessed using a relative rating from 1 to 5, where:

  1. Insignificant: Minimal impact
  2. Minor: Manageable impact
  3. Moderate: Noticeable impact, requires management effort
  4. Major: Significant impact, disrupts operations
  5. Critical: Severe impact that could cause irreparable damage to the initiative

The results

  • A prioritised list of risks
  • A simple visual which can be used to communicate risks
  • A risk mitigation plan

When to use it

Business Planning: When evaluating potential risks across important initiatives
Project Planning: When establishing a project
Scenario Planning: When preparing for emergencies, threats and other high impact situations
Compliance: When identifying and reducing risks to comply with regulations

Strengths

  Visual
  Well-known
  Easy to use

Weaknesses

  Subjective
  Can be seen as bureaucratic
  Might overlook detail

How to use it?

What do I need to start?

It’s useful to start risk mapping with a clear purpose and a defined scope, so that only relevant risks are mapped. Also consider collecting information on:

  • Key activities, processes, or systems involved.
  • Past incidents, challenges, or industry trends to inform potential risk identification.

Who to involve?

Risk mapping can be done alone or as a team. Consider involving:

  • People with knowledge about specific areas of the scope, who can identify risks that others might miss
  • People with understanding or experience of the risks being assessed
  • People who can allocate resources to proposed mitigations

Step by step

1. Identify risks

Brainstorm and list potential risks.

Consider using tools like Mind mapping and Fishbone/Ishikawa to help identify risks.

It can be helpful to frame risks using if-then statements. For example: “IF (x happens), THEN (x outcome happens).”

2. Analyse risks

For each risk, rate the likelihood of it happening, then rate its potential impact.

Map risks on a matrix with likelihood and impact forming the axes.

Look at where the risks fall on the map. Ask questions like:

  • Are there risks which can be avoided completely?
  • Which risks are missing from this picture?

3. Plan mitigations

Develop mitigation plans for each risk, starting with the highest likelihood, highest impact risks.

Ask questions like:

  • What preventive measures can we implement to reduce the likelihood of this risk occurring?
  • What are the steps we need to take to mitigate this risk?
  • What contingency plans are in place to maintain progress on the initiative during and after the risk event?
  • What other possible outcomes could happen as a result of this risk eventuating?

Assign risk and mitigation owners. Consider using tools such as RASCI to define accountabilities.

Do not ignore low-impact or low-likelihood risks, but do prioritise mitigation actions for the highest-likelihood, highest-impact risks first.

4. Review and communicate

Review the risk map to ensure everyone is aligned and understands the risks and mitigations. The review should include all people and roles involved in the work. Adjust as needed.

Pro tips