You can’t see the future, but you can understand the way different events will impact you. Ballot features a great tool called Relationship Modelling which, through a series of questions, helps risk managers paint a picture of the interrelationships between various risks.
Say what?
By posing a series of logical questions to a group, Ballot creates a visual depiction of patterns of influence that show how one risk event increases the likelihood or impact of another. This picture is generated in real-time in a risk workshop and can be done with or independently from the anonymous assessment. The result is a map of interconnected risks with ratings of the impact on the organization.
Wow!
Here’s an example. The screen image below shows the impact that a new acquisition may have on an organization. As a risk manager, you may or may not have visibility on M&A activity, but this visual representation helps you understand the sequence of risks that are more likely to emerge if that event occurs.
Studies in psychology indicate that people are naturally good at seeing one or two levels of influence, but how many of us would look at an acquisition and immediately think of inadequate IT security (#4) and the increased probability of IP theft (#9)?
Now take the same picture and simply overlay the impact vote from a regular risk assessment workshop and you get something even cooler.
From the color coding (green is low impact, yellow is medium, and red is high), you can see that according to the group’s votes, the acquisition risk (#7) is ranked as a medium impact risk. But seeing the risks in this view, it prompts us at least to reconsider #7 as a high impact risk, since it leads to an increase in probability for many other risks including, in this case, a high impact risk (#9). (For the same reason, risks #4 and #5 should also be considered for upgrading to high impact.
With this information in hand, a good risk manager who goes through an acquisition simply opens up their model and examines the types of risks that fall out from an acquisition. In this scenario, some diligent work in the IT department to beef up the two new joined networks has the potential of stopping the flow of increasing likelihood between the risks.