Risk management frame of reference and overall risk mapping

The implementation of a risk management system often begins with the establishment of an initial global risk map, i.e. the most exhaustive possible identification of the risks incurred by the organization, followed by an assessment of the risks thus identified. At least, this is what the ISO 31000 standard on the subject, published at the beginning of 2010, recommends: "draw up an exhaustive list of risks based on events likely to cause, stimulate, prevent, hinder, accelerate or delay the achievement of objectives [...] whether or not their source is under the control of the organization [...]".

In this article, we'll try to describe how to organize a mapping project, but above all what are the prerequisites for implementing such a project.

How do we get started? Which players do we need to bring together? Can we arrive at a meeting with a blank page and ask the participants to tell us what the risks are and how serious they think they are? Wouldn't we risk producing a very partial result, based on recent events, fears and even individual "dada"? How can we ensure that the word "serious" has the same meaning for everyone around the table? Admittedly, there are reference events, effectively inscribed in the organization's collective memory. But is the context the same as that in which these events occurred? Would the gravity of those events be the same today?

Before answering all these questions, we must first assert that risk apprehension is always subjective, and that risk appetite differs from one individual to another: what is perceived as major by one of us may be considered perfectly derisory by another, and vice versa. Apprehension and appetence are the aggregation of a host of criteria. Some of these criteria are the foundation of who we are: our education, our studies, our values, our experiences, our convictions and so on. Others are much more contextual or situational, intra- or extra-professional: our professional motivations, our personal situation, our state of health, and so on.

So it's clear that, in order to establish a cartography, risk assessment has to be organized in such a way as to deal with this reality. We need to find rational elements that enable everyone to understand and share the results of an assessment produced by others. It's true that some of our companies lack risk analyses. But many others, and particularly the larger ones, suffer from having a lot of them, without having the key to reading the assessment made by Mr. X and that made by Mr. Y. Yet it is this "key" that makes risk assessment a genuine decision-making tool. It is "this key" that will give risk management the title of management system. It will enable everyone to share the same vision of the risks to which the organization...