
The Anatomy of Risk

By R. Lotan, October 8, 2025

Introduction

The next article in our Governance Universe series (Article 3) will explore the subject of risk—how it is intricately laced with strategy, control, and performance, and what this means for risk managers navigating sector-specific and industry-wide challenges. It promises to be both informative and engaging. This current article serves as a soft landing into that discussion by introducing risk from a unique perspective: The Anatomy of Risk.

The Anatomy of Risk is a diagnostic approach to understanding risk—one that goes beyond identifying top risks and applying two-dimensional heat map analyses (likelihood vs. impact). It delves into the nitty-gritty of what drives and sustains risk: its dependencies and interdependencies. This article is not an exploration of the familiar five- or six-step risk management cycle, but an examination of often overlooked components of risk. We believe that when these components are proportionately factored into the risk analysis and evaluation equation, they lead to more effective and context-adapted mitigation strategies.

In alignment with the Governance Universe series, we also recommend prior reading of our article on risk assurance mapping, which advocates for a coordinated approach to organizing assurance efforts in line with corporate risk priorities.

Definition of Risk

Just as a diagnosis begins with understanding the symptoms, risk analysis begins with defining the condition.

ISO 31000, the leading international standard for risk management, defines risk as ‘the effect of uncertainty on the attainment of objectives.’ The Institute of Internal Auditors in its official Glossary states that risk is ‘the possibility of an event occurring that will have an impact on the achievement of objectives.’ By and large, two elements stand out in these definitions: 

  • Uncertainty: varying probabilities of possible outcomes, and
  • Objective: the measurable goals that may be affected by those outcomes.

The IIA brings these elements together by stating that “risk is measured in terms of impact and likelihood.” In the simplest terms, risk is about what could go wrong and how easily it can go wrong. 

Basic Parameters of Risk Assessment and Analysis

Describing a risk in prose as a set of probabilistic outcomes serves no purpose unless risk owners and managers analyse the components of the risk and perform a contextual assessment of its severity.

Analysing a risk involves categorizing the risk (and implicitly its owner), defining the organization’s appetite for that risk (which is easily expressed in broad policy statements, but difficult to define at a process or operational level), and determining both its likelihood (probability of occurrence) and impact (potential financial or material loss).  These last two variables are then combined to determine the severity of the risk, typically expressed as likelihood × impact (l × i).

This is easier said than done. The exercise depends on a number of prerequisites:

A Defined Risk Taxonomy:
The organization must have developed its Risk Taxonomy. This results from a strategic-to-granular definition of business processes, overlaid with the (actual) organizational chart, so that processes and their associated risks can be ascribed to known pockets of responsibility. This also makes the categorization of risks straightforward.

Standardized Syntax for Evaluation:
There must be a consistent methodology for evaluating and codifying risk measures (likelihood and impact) across varying levels of severity, using scales such as 1 to 5 or A to E. This makes generating heat maps much easier and makes assessing the overall risk profile of the organization an objective process, one based on methodology and data. This evaluation of risk is also strongly tied to the definition of materiality and loss escalation thresholds, which can be challenging to define per risk category or business process.

Defined Risk Appetite and Tolerance Thresholds:
Defining the risk appetite can be challenging in spite of its straightforward definition: risk appetite is the measure of a given risk the organization is ready to undertake, within tolerable thresholds. The challenge lies in going beyond policy statements to define appetite for business- and process-level risks that could have differing natures of impact (financial, market, health, reputational, etc.). Resources of time, expertise and commitment are a must.

Risk Taxonomy, Analysis and Evaluation Syntax, Tolerance and Appetite Thresholds

With the right digital infrastructure, risk maps become just a click away. Beyond serving as reference points for qualifying identified risks, 2D heat maps offer intuitive illustrations of an organization’s risk spectrum or profile. When the diagnostic process—taxonomy, syntax, evaluation—is standardized and supported by technology, risk maps evolve from static snapshots into dynamic tools that provide near-real-time visibility into the organization’s risk landscape.

Beyond the Basics: Expanding the Risk Lens

While the generic definitions of risk may appear straightforward, a deeper inquiry reveals lingering ambiguity about what risk truly represents. Is risk:

  • the inability/incapacity to meet objectives?
  • the failure of a defined internal control to operate effectively? 
  • the trigger event that sets off the chain of command/control failures? 
  • the tangible consequence(s) of those failures or undesirable events?
  • the avoided decline in performance? 
  • or the likelihood (probability) of any of the above occurring? 

These questions expose the limitations of the traditional risk model, which typically relies on a two-dimensional assessment of likelihood and impact. In dynamic, fast-evolving, and uncertain environments, this basic framework often falls short of capturing the full complexity of risk.

Relying solely on this simplified measure to prioritize risks and define mitigation strategies may lead risk owners and oversight bodies astray—toward generic responses that fail to address the specific nature of each risk. Effective risk management demands a more granular understanding of risk in all its components or dimensions. 

This includes not only the probability and consequence but also the source, cause, event, velocity, persistence, vulnerability, and preparedness—each component contributing to a more complete and actionable risk profile.

Components of the Risk Specimen

Risk can plausibly be described as a living organism: a specimen that evolves over time. Each component of the risk specimen plays a role in its pathology—some trigger the infection, others determine the spread of the infection, and some define the prognosis. Risks are not static; they emerge from events and circumstances that evolve, and are therefore bound to change themselves.

For this reason, our understanding of risk has to be attuned to up-to-date assessments of the detailed components of the risk. Otherwise, mitigation efforts might be insufficient or out of touch with reality, and hence ineffective.

Beyond the known dimensions of likelihood and impact, we propose a more comprehensive framework consisting of ten components that characterize risk:

  1. Source (s): The host organism, the process or activity within which the risk originates and begins to take shape.
  2. Cause (ca): Cellular weaknesses, internal (control) vulnerabilities or external shocks that create conditions for undesired events.
  3. Event (Trigger) (e): A specific occurrence that initiates the chain of events leading to adverse outcomes.
  4. Velocity (ve): The speed at which a trigger event escalates due to systemic or control failures.
  5. Impact (i): The immediate effect on performance across financial, legal, reputational, operational, or strategic dimensions.
  6. Consequence (co): The long-term or widespread outcomes that persist beyond the initial impact.
  7. Persistence (v): The duration over which the consequences of a risk continue to affect the organization and its environment.
  8. Vulnerability (vu): Systemic flaws that increase exposure to events, impacts, and consequences.
  9. Preparedness (p): The strength of organizational defenses that enable resilience against adverse events.
  10. Likelihood (l): The probability and frequency of undesired events and consequences occurring over time.

Components of the Risk Specimen

With all that said, how do we put these components into a coherent and actionable model that makes visual and analytical sense, much like 2D heat maps do?

———————————————

From Microscopy to Modeling: Advanced Risk Visualization Techniques

Having dissected the risk specimen into its core components, the next logical step is to explore how these variables can be assembled into sophisticated models that enhance analysis and decision-making. Just as medical diagnostics have evolved from basic observation to advanced imaging—CT scans, MRIs, and molecular mapping—risk management must also move beyond traditional 2D heat maps toward multidimensional visualization tools.

Techniques such as 3D heat maps and radar charts allow risk managers to plot multiple variables simultaneously, revealing patterns, intensities, and interdependencies that would otherwise remain hidden. These models transform risk analysis from a static snapshot into a dynamic diagnostic process—one that mirrors the complexity of real-world threats and organizational vulnerabilities.

 

3D Heat Maps:

3D heat maps enhance traditional risk evaluation by introducing a third variable — velocity — alongside likelihood and impact. Velocity reflects how quickly a risk escalates once triggered, making it a critical factor in determining urgency and response. For instance, a cybersecurity breach may unfold within minutes, demanding immediate action, whereas other risks with similar likelihood and impact may progress more slowly. Incorporating velocity into the model allows risk managers to distinguish between risks that require rapid intervention and those that permit more measured responses, resulting in more precise and effective mitigation strategies.

Three-dimensional heat maps include a third variable. We chose Velocity because it strongly determines the speed with which Events can be met with consequences and is best suited to rapidly changing and crisis situations.

Radar Charts:

Radar charts (also known as spider or web charts) are also apt for visualizing multiple risk variables simultaneously. Each axis of the chart represents a distinct component of risk, and the overall shape reveals the balance and depth across chosen dimensions. The surface area covered by the web can be interpreted as a measure of the severity or complexity of the risk. We advocate incorporating velocity, persistence, vulnerability, and preparedness into the radar chart to produce a more nuanced, hexagonal illustration of risk. This approach to analysing risks mirrors the multifaceted nature of real-world threats.

The radar chart is very useful for intuitive presentations of the contrast between multiple risk profiles.
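The following is an added example, not taken from the article or its sources: it compares two risks that score the same on likelihood × impact but differ on the other four radar axes, using the web's surface area as the severity measure described above. The axis order, the inversion of preparedness into a gap, and the two sample profiles are assumptions made for illustration.

```python
import math

# Axis order is an assumption; the article names the six components but not their order.
AXES = ("likelihood", "impact", "velocity", "persistence", "vulnerability", "preparedness")
SCALE_MAX = 5  # the 1-to-5 evaluation scale mentioned in the article


def severity(profile):
    """Traditional 2D score: likelihood x impact."""
    return profile["likelihood"] * profile["impact"]


def radar_radii(profile):
    """Validate scores and return the plotted radii in AXES order.

    Assumption: preparedness is plotted as a gap (SCALE_MAX + 1 - score),
    so that a larger web always means a worse risk.
    """
    radii = []
    for axis in AXES:
        score = profile[axis]
        if not 1 <= score <= SCALE_MAX:
            raise ValueError(f"{axis}={score} is outside 1..{SCALE_MAX}")
        radii.append(SCALE_MAX + 1 - score if axis == "preparedness" else score)
    return radii


def radar_area(profile):
    """Area of the radar polygon as a fraction of the largest possible web."""
    r = radar_radii(profile)
    n = len(r)
    wedge = 0.5 * math.sin(2 * math.pi / n)  # triangle factor between neighbouring axes
    area = wedge * sum(r[k] * r[(k + 1) % n] for k in range(n))
    return area / (wedge * n * SCALE_MAX ** 2)


# Constructed sample profiles with identical likelihood and impact.
BREACH = {"likelihood": 3, "impact": 4, "velocity": 5, "persistence": 4,
          "vulnerability": 4, "preparedness": 2}
SUPPLIER_DELAY = {"likelihood": 3, "impact": 4, "velocity": 2, "persistence": 2,
                  "vulnerability": 2, "preparedness": 4}

if __name__ == "__main__":
    for name, p in (("breach", BREACH), ("supplier delay", SUPPLIER_DELAY)):
        print(f"{name}: l x i = {severity(p)}, radar area = {radar_area(p):.2f}")
```

Because the area is built from products of neighbouring axes, it changes if the axes are reordered, so the order should be fixed across all risks being compared.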

Acuity Knowledge Partners, in its article on Three-Dimensional Risk Assessment, introduces Consequence into its three-dimensional risk assessment model. McKinsey, in its March 2024 report on Risk, also speaks of multivariate risk analysis and how leading organizations are leveraging artificial intelligence to assess risks across interconnected domains using advanced analytics, scenario modeling, and real-time data.

Together, these perspectives confirm that technology is not just a support tool, but a prerequisite for intelligent and adaptive risk management. Boards and leadership have to be convinced of the benefits of investing in such technology, in terms of helping their organizations better grasp the urgency, spread, and systemic exposure of risks, especially in a global context of cybersecurity, climate risk, and geopolitical disruptions.

Conclusion

Risk is no longer a simple concept confined to likelihood and impact—it is a dynamic specimen with multiple interdependent components that shape its behavior, severity, and response requirements. As we’ve explored, integrating variables such as velocity, persistence, vulnerability, and preparedness into risk analysis offers a more diagnostic and actionable understanding of risk—one that mirrors the complexity of modern organizational environments.

Advanced visualization techniques like 3D heat maps and radar charts allow risk managers to move beyond static assessments and embrace models that reflect urgency, asymmetry, and systemic exposure. This sophistication is not just for glossy reports—it is a necessity for organizations operating in volatile, uncertain, and fast-paced sectors.

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – 

For organizations or persons seeking to build or refine their risk management frameworks—from defining a clear risk taxonomy, establishing consistent evaluation methods, and mapping their risk universe to developing robust risk catalogs—we invite you to reach out. 

Let us help you design – from the ground up – a risk architecture that is not only compliant, but also intelligent, and adaptive. 

📧 Email: [email protected]
📞 Phone: +237 670 325 203
🌐 Website: www.sg-consultants.com
