ASSESSING A RISK? STOP! AND VISUALIZE THE FUTURE
- Marco Nutini
- Feb 24
Imagine you've just been appointed Risk Manager at a dairy company famous for its cheese. You've taken a few courses and learned the standard process: identify risks, document them in a register (a form or card), and compile a risk inventory for validation.
Chances are, you'll end up using a table or spreadsheet (whether in Excel or in expensive software that mimics one). Let's say you identify and analyze the risk of product contamination and document it as follows:

So far, so good. Now, you assess the risk—likely by asking a few people for their input. Suppose the consensus is that the likelihood is low, but the impact is high, making this a "medium risk." That means a mitigation plan isn't compulsory, but being proactive, you propose one anyway—probably actions that were already in place.
What does this achieve?
Not much. You might raise short-term management awareness and ensure compliance with regulatory audits. But here's the problem:
· The spreadsheet approach is risk-centric, limiting your ability to see the bigger picture. Even with hyperlinks, you're stuck within a row-by-row format.
· It lacks dynamic data analytics—meaning it’s practically useless unless mitigation actions successfully shift key performance levers.
What’s wrong with the conventional approach?
1. Software limitations – Most GRC platforms provide poor visualization of relationships. They are rigid, failing to accommodate a company’s unique ontology and semantics.
2. Risk-centric training – Conventional coaching focuses on documenting risks but not on capturing context. Risks don’t exist in isolation—they are embedded in a strategic and business context with trade-offs that executives care about.
The Alternative: Contextual Graphs
Imagine that instead of a table, you map risks in relation to decision-making. You structure risks based on how new information updates reality (this is called Bayesian thinking).
To truly understand the governance system that connects assumptions, risks, and data-driven decisions, you need a contextual graph.
Risk Management is a subset of Uncertainty Management, which is a subset of Governance. I am not against risk management—I am against ignoring the system that governs risks.
Why the Bow-Tie Diagram Falls Short
The traditional bow-tie diagram treats the risk event as the central object, rather than the decision. It fails to represent key factors like:
· Objectives, assumptions, requirements, tolerances, datasets, and changing conditions that shape decision-making.
· The actual trade-offs involved in mitigating risks (resources are finite, after all).
Bow-tie diagrams are useful for investigating failures, but they’re not designed for strategic decision analysis.
The Power of Contextual Graphs
Let’s look at a partial example:
· I start with a user safety concern and map out how decisions are made.
· The product contamination risk appears as part of the system, but it’s just one element in a broader network of uncertainties.

Each node in the contextual graph is a card that holds additional data, connections, and insights. This structure enables:
· Machines to read and learn from the graph.
· Real-time updates and analytics.
· Decision-makers to see the bigger picture beyond isolated risks.
What Happens to the Risk Score?
Risk scores still exist—they are stored within the contextual graph as data points rather than the centerpiece of risk management. You can still link to a bow-tie diagram if needed.
But risk scores alone don’t matter—what truly matters is:
· How decisions are made about the risk.
· What data is presented and how.
· The trade-offs involved (e.g., resource constraints).
· Who participates in the decision-making process.
· How effectively the governance system supports decisions.
Decisions—not isolated risks—are what drive real corrective actions.
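The sketch below is an added example, not the author's tooling or any GRC product's data model: it stores cards and their links as a small directed graph, keeps the contamination risk score as data on one card, and answers two decision-centred questions. Card names, owners and links are constructed for illustration; the likelihood, impact and score values are the ones from the cheese scenario above.

```python
from collections import defaultdict, deque

# Constructed sample cards: (id, kind, data). Names and owners are illustrative.
CARDS = [
    ("concern:user-safety", "concern", {}),
    ("decision:release-batch", "decision", {"owner": "Quality Board"}),
    ("decision:supplier-audit", "decision", {"owner": "Procurement"}),
    ("risk:product-contamination", "risk",
     {"likelihood": "low", "impact": "high", "score": "medium"}),
    ("assumption:cold-chain-intact", "assumption", {}),
    ("dataset:lab-results", "dataset", {}),
    ("tolerance:zero-pathogens", "tolerance", {}),
]
# Directed edges (constructed): the source card informs or constrains the target.
EDGES = [
    ("concern:user-safety", "decision:release-batch"),
    ("risk:product-contamination", "decision:release-batch"),
    ("risk:product-contamination", "decision:supplier-audit"),
    ("assumption:cold-chain-intact", "risk:product-contamination"),
    ("dataset:lab-results", "risk:product-contamination"),
    ("tolerance:zero-pathogens", "decision:release-batch"),
]

KIND = {cid: kind for cid, kind, _ in CARDS}
DATA = {cid: data for cid, _, data in CARDS}  # the risk score is just card data
downstream, upstream = defaultdict(list), defaultdict(list)
for src, dst in EDGES:
    downstream[src].append(dst)
    upstream[dst].append(src)

def reach(start, adjacency):
    """Breadth-first walk returning every card reachable from start."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in adjacency[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def decision_context(decision):
    """Everything that feeds a decision, grouped by card kind."""
    grouped = defaultdict(list)
    for cid in sorted(reach(decision, upstream)):
        grouped[KIND[cid]].append(cid)
    return dict(grouped)

def decisions_to_revisit(changed_card):
    """Decisions affected when an assumption, dataset or risk changes."""
    return sorted(c for c in reach(changed_card, downstream) if KIND[c] == "decision")
```

A register row can only answer "what is the score of this risk?"; here `decisions_to_revisit("assumption:cold-chain-intact")` returns both decisions that depend on that assumption through the contamination risk.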
The Bigger Picture: A Risk Governance Fabric
If you start connecting decisions one by one, you’ll construct a larger contextual graph that represents the risk governance fabric of the company.
This brings powerful advantages:
1. Internal auditors can audit decision processes, ensuring that governance is effective—not just that risks are "documented."
2. IT teams can enhance data management and train a Large Language Model (LLM) to understand business decisions.
3. AI-powered analytics can dynamically assess risk—not through static registers but through a continuously evolving model.