Home > Risk > Risk visualization

Risk visualization

February 9, 2018 Leave a comment Go to comments

I have to agree with the author of Are we witnessing the demise of the risk register (and the rise of risk visualisation)?

He says, “I loathe risk registers”.

So do, but for different reasons.


He loathes them because “they are boring, one dimensional and poorly prioritised lists that lack context and often serve to satisfy a requirement rather than a purpose”.

Now that’s true.

But I loathe them because they are risk-centric and not objective-centric. They don’t help understand the likelihood of success: the achievement of objectives, the satisfactory completion of projects, and so on.

I do agree with him that staid reports can be replaced with far more interesting and useful visualizations.


I don’t know whether they still do this, but executives at SAP used to have a great visual depiction of the current level of performance and the status of risks on each of the revenue opportunities they were responsible for.

This is how I described it in World-Class Risk Management.

In my last year with SAP, one of the risk management leaders showed me an iPad app he was developing for the senior executive team. Each would be able to see, on a single screen, each of his or her objectives with an indicator as to whether everything was “green” (on target), “yellow” (potential issues), or “red” (serious issues). By clicking on the objective, the executive could drill down to the next level and see detailed information about its status. That information would include both performance and status information, presenting the information that the executive needed to understand and initiate appropriate actions.

This is risk information, integrated with performance information, that helps executives make decisions not only to manage risks but to optimize outcomes and achieve objectives.

I also saw a tablet app for information security managers. A network diagram indicated the level of attacks and the related level of risk (as defined by the CISO) at each point. If there was an attack that met defined criteria, an alert would appear on the screen.


If we want to help people make informed decisions, it is not enough to give them a report with the information.

It is essential that the information is highlighted for their immediate attention and presented in an actionable form.


I spent some time on the web looking for examples of visualization tools and graphics that would fit the bill; but while I found some articles and some links to books, my search was in vain.

Does your organization use graphics, charts, or other 21st century tools to provide decision-makers with the information they need – current performance and the state of the road ahead?

Is it better than what I have included in my book?

Please share. I also welcome your comments.


  1. David Michael
    February 9, 2018 at 10:46 AM

    Agree about the impact visualization can have in effective communication. But it can also distort priorities if the underlying analysis is not thorough. The latest cloud based MS Office 365 business products have improved visualisation capacity and functionality, at reasonable cost with just the old favourite, Excel. GSuite has Data Studio.

  2. February 9, 2018 at 12:00 PM

    I was quite critical of the original post when it was first published: a) it’s a marketing piece, b) the author has a very limited understanding of risk management and more specifically informed risk-taking. Visualizing risks in any way for the sake of communicating risks is completely missing the point, as you correctly pointed out in your article.

    And yes, there is a simple way to visualize not risks but the impact risks have on objectives or decisions: https://riskacademy.wordpress.com/2017/03/16/4-steps-to-integrate-risk-management-into-strategic-planning/ (diagram 2 and 3)

  3. Norman Marks
    February 9, 2018 at 2:27 PM

    Nico Lategan has pointed me to a different post of his where he discusses objective-centric visuatlization: https://www.linkedin.com/pulse/visualising-brexit-nico-lategan/

  4. Roger
    February 9, 2018 at 4:07 PM

    Risk registers have always been the worst choice for risk reporting. Risk registers are useful, but not for reporting.
    Visualization may be a way forward, but risk reporting is not a binary choice between registers and visuals.
    I’m a strong supporter of Norman Marks, Alexei Sidorenko, and Tim Leech on the central role of objectives.
    The best risk report shows the likelihood of meeting each objective, and the likelihoods of other non-success outcomes on each objective.
    The likelihoods for the spread of outcomes can be visualized in many ways, or they may remain verbal. For visualization, I can see two major challenges.
    The first challenge is that outcome likelihoods are not numerical facts. Subjectivity and estimation are always involved. Report visualization should never hide the subjectivity and imprecision.
    The second challenge is to represent causal pathways in the same view as the likelihoods for outcomes, in a way that leads to useful insights and decisions.

    • Norman Marks
      February 9, 2018 at 4:13 PM

      Thank you!

  5. Ammar Ahmed, REDA
    February 10, 2018 at 5:07 AM

    Nice article to introspect the thinking of the linked article. I read the linked article first to get the context and then read the above thoughts of Norman. There are a couple of things that I would like to highlight:

    1) The linked article is surely a fine piece of where the function of the RM should be heading towards, however, his idea that Risk Registers (RR) are boring and one dimensional has nothing to do with RR’s elimination from the process. One would always be having risks registers (or similar tables) underneath their fancy looking info-graphics. It’s just that the Risk Registers might get the place of appendices rather the real upfront highlighted core message on the front page.

    2) Norman gave another dimension to the core subject of the said article by stating that the article’s subject overly emphasized on the risks themselves rather the focusing on objectives of the organization and the relations of risks/ opportunities with them.

    Loved reading both pieces, Thanks Norman!


  6. Ravindra Tiwari
    February 10, 2018 at 10:21 AM

    Dear Norman,

    Thanks for such an excellent post!

    My understanding on risk visualization is quite limited. Can you suggest some source , which I can refer to enhance my understanding.

    Also as per my view, developing tools fitting all companies could not be impossible, but will be bit difficult, as every company is different. Although I might me wrong.

    Also I shared your post on my twitter and facebook account auditguide2077 just to educate others and shared your post in my blog http://iunique1.weebly.com/audit

    Ravindra Tiwari
    Founder CEO Iunique.org
    iunique.org coming soon with a mission to spread knowledge of best practices on audit and risk management

    “Hey Risk Managers! Please Dump Risk Management to be More Objective ! To know more please visit https://youtu.be/1mzgzYZklwc

  7. MIchael Corcoran
    February 10, 2018 at 5:36 PM


  8. Norman Marks
    February 12, 2018 at 9:21 AM
  9. Ransom
    February 14, 2018 at 10:59 AM

    Reblogged this on Ransom Nformi and commented:
    This may mean the end of the risk register as we know it. Can we innovate our way out of the boring black on white risk register and make is more interesting and inviting?

  1. February 25, 2018 at 7:17 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: