Guest Post by Patrick Ow (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
Criticality Map, a strategic top-down analytical tool that I developed and used, is vital for risk management, assurance mapping, and regulatory compliance. It is a great simplified tool for effectively guiding management action and resource allocation and as a sanity check.
The format of the tool is shown below.
How to build a Criticality Map
There are seven steps to build a Criticality Map. Tailor the format and steps to your requirements and the outcomes you want to achieve.
Step 1 – Determine unit of analysis using the organisational chart
The development of a Criticality Map starts with your organisational chart. Determine the unit of analysis – say at the branch level, or three levels down.
If the organisation is large, take the analysis down to the second level.
You can have different levels of criticality map, depending on the complexity of your organisation.
Each Criticality Map must fit on one page for easy analysis. The page limit will determine the unit of analysis.
More importantly, the Criticality Map should generate the right level of strategic discussion or discussion that matters most to the organisation without getting bogged down in details.
Step 2 – Assess the criticality of key processes and functions
The criticality of the unit of analysis, say at the branch level, is based on a modified approach to business impact analysis, a concept borrowed from business continuity management.
In any organisation, related business processes and functions are generally grouped by divisions or branches, which will be used as proxies for our criticality mapping.
As part of this step, list down all key business processes or functions in each branch.
Then assess the criticality level of these key business processes as a group for each branch based on the following criteria:
Critical – Must remain or be restored within TWO working days.
High – Can be restored within TWO weeks.
Medium – Can be restored within ONE month.
Low – Can be restored after ONE month.
The criticality level is also a proxy for the level of risk this branch poses to the organisation, especially if this branch cannot operate as intended. The impact of this branch can be “critical” to the organisation if it cannot function normally.
For example, the technology branch that manages all critical business servers is considered a “critical” operation that must continue operating in the event of a disruption. The risk rating for this branch can also be “critical”.
Having one consistent set of criteria for assessing branch-level criticality across the entire organisation minimises or eliminates ‘gaming the system’ for resources.
Unit managers are known to assess risk as “critical” just to get attention and resources. But when that “critical” risk is compared with other “critical” risks in the organisation using the Criticality Map, it is not so “critical” after all.
This one-page Criticality Map can be used to immediately highlight ‘gaming’ practices. It should generate resource allocation discussions where the organisation’s limited resources are directed to critical areas rather than to the person who speaks the loudest.
It also eliminates interpretation biases of a risk matrix especially when it is not applied consistently.
Step 3 – Assess the level of regulatory compliance
The next column sets out the level of legal compliance against obligations.
List down all regulatory and legal compliance obligations that relate to the operations of the branch.
For each obligation, identify the level of compliance.
Thereafter, determine the “Overall Level of Legal Compliance with Obligations” for the branch.
This exercise can uncover compliance gaps quickly.
Step 4 – Identify linkages to existing strategic and operational risks
Determine if there are any risks or issues already documented in risk registers or issues log that relate to the operations of the branch.
One would expect that if a branch is considered “critical” from an operational perspective, there would be some risk identified and documented in either the strategic risk register or even the operational risk register.
If there is none, then it is time to investigate the reasons.
Step 5 – Assess assurance level considering the effectiveness of three lines
The starting point for assessing the overall assurance level is the organisational chart rather than risk registers. Auditors generally link their assurance mapping exercise to the risks identified and documented in risk registers, which can be limiting.
The Criticality Map seeks to comprehensively assess the organisational-wide risk profile, right down to the branch level (unit of analysis), which is also the proxy for related key business processes.
Considering the key business processes and key existing controls in each branch, the control effectiveness at each of the three lines can be assessed.
This will lead to an assessment of the “Overall Assurance Level” for each branch in the organisation.
Step 6 – Identify audit activities related to each branch
The systematic but comprehensive linking of internal audit activities based on the approved internal audit plan and past audits conducted against the criticality rating and overall assurance level for each branch can uncover potential gaps in the organisation’s internal audit activities.
Once again, auditors generally link their work programme to risk registers rather than to the operational areas that are considered critical for organisational survival.
Step 7 – Identify the existence of business continuity plans related to each branch
The pandemic has caught many organisations off-guard and unprepared from a business continuity and supply chain management perspective. Business continuity planning was either absent or poor, especially for critical areas of the organisation.
The Criticality Map shows the level of business continuity preparedness or resilience of each branch in the organisation. You can also add information on when the plans were last tested.
The Criticality Map can be further enhanced with branch level performance (i.e., level of performance target achievement), the budget allocated to each branch, the number of employees, skills gap analysis, etc.
The magic occurs after populating the criticality map
Once you have populated the one-page Criticality Map, the magic occurs.
When a branch, or the key business processes performed by that branch, is considered “critical” to overall organisational performance, you would expect a higher level of regulatory compliance, higher levels of risk management activity, higher levels of assurance activity across all three lines, and higher levels of business continuity activity.
On a single page, a well-developed Criticality Map will quickly point to specific hotspots for further analysis or deep dives, driving the right conversations at Board and executive meetings.
It will also provide the required guidance for management action.
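To make the hotspot logic concrete, here is an added worked example in Python; it is not the author's own tool and the article contains no code. It applies the Step 2 restoration thresholds to classify each branch, records the Step 3 to Step 7 columns as fields of one row, and then flags the mismatches the paragraph above describes (a “critical” or “high” branch with weak compliance, no recorded risk, low assurance, no audit activity or no tested business continuity plan). Assumptions, labelled in the code: “two weeks” and “one month” are read as 14 and 30 days, the compliance and assurance scales (“Full/Partial/Non-compliant”, “High/Medium/Low”) and the hotspot rule are my own, and the three branches are constructed sample data.

```python
"""Criticality Map builder and hotspot finder (added illustration, not the article's own tool)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Step 2 thresholds from the article, in days. "Two weeks" and "one month" are
# ASSUMED here to mean 14 and 30 calendar days respectively.
CRITICAL_DAYS, HIGH_DAYS, MEDIUM_DAYS = 2, 14, 30
RANK = {"Critical": 3, "High": 2, "Medium": 1, "Low": 0}


def criticality(restore_within_days: int) -> str:
    """Step 2: one consistent criterion applied to every branch."""
    if restore_within_days <= CRITICAL_DAYS:
        return "Critical"
    if restore_within_days <= HIGH_DAYS:
        return "High"
    if restore_within_days <= MEDIUM_DAYS:
        return "Medium"
    return "Low"


@dataclass
class Branch:
    """One row of the one-page map; the unit of analysis is the branch."""
    name: str
    key_processes: List[str]
    restore_within_days: int                      # Step 2 input
    compliance: str                               # Step 3: "Full", "Partial" or "Non-compliant" (assumed scale)
    linked_risks: List[str] = field(default_factory=list)   # Step 4: register entries
    assurance: str = "Low"                        # Step 5: "High", "Medium" or "Low" (assumed scale)
    audits: List[str] = field(default_factory=list)         # Step 6: planned or past audits
    bcp_exists: bool = False                      # Step 7
    bcp_last_tested: Optional[str] = None         # Step 7 enhancement: last test date


def hotspots(branch: Branch) -> List[str]:
    """Flag governance activity that is lower than the branch's criticality warrants.

    Rule (assumed): only Critical and High branches are candidates; each weak
    column produces one finding so the reader sees what the deep dive should cover.
    """
    level = criticality(branch.restore_within_days)
    findings: List[str] = []
    if RANK[level] < RANK["High"]:
        return findings
    if branch.compliance != "Full":
        findings.append(f"{level} branch with {branch.compliance.lower()} legal compliance")
    if not branch.linked_risks:
        findings.append("no risk recorded in the strategic or operational register")
    if branch.assurance == "Low":
        findings.append("low overall assurance across the three lines")
    if not branch.audits:
        findings.append("no audit activity planned or performed")
    if not branch.bcp_exists:
        findings.append("no business continuity plan")
    elif branch.bcp_last_tested is None:
        findings.append("business continuity plan never tested")
    return findings


def render_map(branches: List[Branch]) -> str:
    """Return the one-page map as a plain-text table, one row per branch."""
    rows = [f"{'Branch':<12}{'Criticality':<12}{'Compliance':<14}{'Risks':<7}"
            f"{'Assurance':<11}{'Audits':<8}{'BCP':<18}Hotspots"]
    for b in branches:
        bcp = "Yes" if b.bcp_exists else "No"
        if b.bcp_exists and b.bcp_last_tested:
            bcp += f" ({b.bcp_last_tested})"
        rows.append(f"{b.name:<12}{criticality(b.restore_within_days):<12}{b.compliance:<14}"
                    f"{len(b.linked_risks):<7}{b.assurance:<11}{len(b.audits):<8}{bcp:<18}"
                    f"{len(hotspots(b))}")
    return "\n".join(rows)


# Constructed sample branches (not from the article).
SAMPLE_BRANCHES = [
    Branch("Technology", ["server operations", "backups"], restore_within_days=1,
           compliance="Partial"),                       # critical, yet every column is weak
    Branch("Finance", ["payroll", "accounts payable"], restore_within_days=10,
           compliance="Full", linked_risks=["SR-07"], assurance="High",
           audits=["payroll controls review"], bcp_exists=True, bcp_last_tested="2023-11"),
    Branch("Facilities", ["office maintenance"], restore_within_days=45,
           compliance="Partial"),                       # low criticality: not a hotspot
]

if __name__ == "__main__":
    print(render_map(SAMPLE_BRANCHES))
    for b in SAMPLE_BRANCHES:
        for finding in hotspots(b):
            print(f"  {b.name}: {finding}")
```

Running it prints the table and then the five findings for the Technology branch, which is exactly the kind of row a Board pack would single out for a deep dive; the Finance row, with the same map columns fully populated, produces none.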
Criticality Maps are strategic dashboards of key governance activities across the entire organisation. They pull together and summarise high-level governance information for analysis, discussion, and action.
These maps are vital for enabling organisations to achieve their objectives. More so when risk management and internal audit are objective-focused concepts.
As a Chartered Accountant with over 25 years of international risk management and corporate governance experience in the private, not-for-profit, and public sectors, Patrick helps individuals and organizations make better decisions to achieve better results as a corporate and personal trainer and coach at Practicalrisktraining.com.
His “Practical ISO22301 Business Continuity Management That Works” Udemy course can be found here – https://bit.ly/3rOxmqm.
He is also the co-founder of Skillsand.org, an organisation dedicated to helping people acquire in-demand job skills and preparing them for the future of work. Our goal is to create a convenient learning experience that’s as easy as making any other purchase on Amazon.
Patrick has authored several eBooks including Strategic Risk Management Reimagined: How to Improve Performance and Strategy Execution, and How to Improve the Performance of Collaborations, Joint Ventures, and Strategic Alliances: The Shared Risk Management Handbook.