Companies Using New Approaches to Analyze, Communicate Interconnected Risks
As interconnected risks grow in frequency and impact due to globalization and digitization, businesses are adopting sophisticated interconnection analysis techniques to identify and mitigate potential threats, according to a new executive report from RIMS.
The report highlights the limitations of traditional risk management approaches and underscores the importance of understanding and addressing interconnected risks to avoid devastating weak points in strategy.
“Impacts from interconnections are becoming larger, faster, and more frequent as globalization and economic development evolve, the pace of change continues to accelerate and life becomes more digitized,” states the report, prepared by members of the RIMS Strategic and Enterprise Risk Management Council. “While the importance of interconnected risks may resonate with risk managers, the next challenge lies in how to address them.”
Limitations of Traditional Risk Management Approaches
Historically, many approaches used to assess and communicate risks have been simplistic in design. These methods often assume that individual risks are discrete in nature, fall under one person’s responsibility, and fit neatly into appropriate categories. Such siloed approaches to risk management stem from outdated management models characterized by complex hierarchies, turf battles, and associated accountability expectations, according to the report.
The problem with these traditional methods is twofold. First, they operate under the assumption that risks are isolated and unrelated. Second, they have the potential to understate overall risk levels, leaving organizations susceptible to unwelcome surprises.
To illustrate the concept of interconnected risks, the report provides two examples:
1. Regulatory Violation Leading to Reputational Damage and Business Losses
A regulatory or ethical violation can set off a chain reaction of consequences. Beyond the immediate financial penalties, such an event can inflict severe reputational damage. This reputational hit may result in customers taking their business elsewhere, leading to lost revenue, increased expenses to replace the business, and sharply reduced future earnings.
Furthermore, the situation could make it harder to attract and retain top talent, affecting the company’s ability to bring new and competitive products to market. Without a pipeline of new products, the company risks further customer and market share loss.
2. CrowdStrike Incident in 2024 Highlighting Technology Vulnerabilities
The CrowdStrike incident in July 2024 provides a stark example of the amplifying risk effect generated by interconnectedness. A common and typically routine automatic software update went wrong, resulting in disruptions across the globe. The problem, which propagated undetected for less than 80 minutes, exposed vulnerabilities in a world where computer systems are intertwined and dependent on a small set of niche software companies.
This incident triggered a cascade of consequences, including lost revenue, customer dissatisfaction, damaged reputation, health and safety concerns (as hospitals and health care networks were among those affected), and potential legal, regulatory, and contractual liabilities, the report noted.
Challenges in Addressing Interconnected Risks
Risk managers face a significant challenge: how to strike the right balance between a broad analysis that captures all potential connections and a focused approach that remains manageable and cost-effective. Too wide a scope can lead to analysis paralysis, while too narrow a view may leave organizations vulnerable to unforeseen threats.
To tackle this challenge, risk professionals are turning to a more nuanced method: a risk interconnection survey. This approach goes beyond traditional risk assessment by expanding the scope to evaluate 25 or more risks, rather than focusing solely on top-tier concerns. The key to making this expanded analysis feasible lies in its targeted nature.
Instead of asking all participants to assess every risk relationship, the survey targets specific subject matter experts (SMEs) to provide input only on their areas of expertise. This strategy not only reduces the time commitment for each participant to a manageable 5-10 minutes but also ensures higher quality data. SMEs are better equipped to evaluate how upstream events affect their area of expertise, providing more accurate and insightful responses.
The survey methodology recognizes that participants are generally more adept at assessing how external factors impact their domain rather than how their area affects downstream risks. This insight shapes the survey design, focusing on capturing the most reliable and relevant data from each expert.
Building a Data Model of Known Risks
Once the survey data is collected, the next step is to organize and analyze the relationships between risks. A straightforward and effective approach is to use a simple matrix. This risk interconnection matrix lists individual risk categories across both axes, with each cell representing the level of “connectedness” between two risks.
When constructing this matrix, it’s important to note that risk relationships are not always symmetrical. For instance, Risk A may be highly influenced by Risk B, while Risk B might only be minimally impacted by Risk A. The matrix should reflect these nuanced relationships.
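An added example, not taken from the RIMS report: one way to hold the targeted survey answers as a directed (asymmetric) matrix and read cascade paths from it. The risk names follow the regulatory-violation example above; the 0-3 rating scale, the ratings themselves and all function names are assumptions made for illustration.

```python
# Constructed sample data: the 0-3 scale and every rating below are illustrative.
RISKS = ["regulatory_violation", "reputation", "customer_loss",
         "talent", "product_pipeline"]

# Each SME rates only how strongly upstream risks affect the risk they own.
# Outer key: the SME's own risk. Inner dict: {upstream risk: rating 0-3}.
SME_RESPONSES = {
    "reputation": {"regulatory_violation": 3, "customer_loss": 1},
    "customer_loss": {"reputation": 3, "product_pipeline": 2},
    "talent": {"reputation": 2},
    "product_pipeline": {"talent": 2},
}

def build_matrix(risks, responses):
    """Return m[src][dst]: how strongly src drives dst (directed)."""
    m = {a: {b: 0 for b in risks} for a in risks}
    for dst, upstream in responses.items():
        for src, rating in upstream.items():
            if src not in m or dst not in m or src == dst:
                raise ValueError(f"bad survey entry: {src} -> {dst}")
            m[src][dst] = rating
    return m

def influence(m, risk):
    """Outbound total (row sum): how much this risk drives others."""
    return sum(m[risk].values())

def exposure(m, risk):
    """Inbound total (column sum): how much other risks drive this one."""
    return sum(row[risk] for row in m.values())

def downstream(m, start, threshold=2):
    """Risks reachable from start through links rated at or above threshold."""
    seen, stack = set(), [start]
    while stack:
        cur = stack.pop()
        for dst, rating in m[cur].items():
            if rating >= threshold and dst != start and dst not in seen:
                seen.add(dst)
                stack.append(dst)
    return seen

if __name__ == "__main__":
    matrix = build_matrix(RISKS, SME_RESPONSES)
    for r in sorted(RISKS, key=lambda r: -influence(matrix, r)):
        print(f"{r:22} drives={influence(matrix, r)} driven_by={exposure(matrix, r)}")
    print("cascade from regulatory_violation:",
          sorted(downstream(matrix, "regulatory_violation")))
```

Row sums rank the risks that amplify others, column sums rank the risks most exposed to upstream events, and the threshold in `downstream` controls how weak a link may be before it is left out of a cascade path.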
Visualizing and Communicating Risk Interconnectedness
Two powerful visualization tools have emerged as go-to methods for risk managers to illustrate interconnection relationships: network diagrams and bow tie diagrams.
Network diagrams offer a bird’s-eye view of risk relationships, making them ideal for board directors and senior executives who need to grasp the big picture quickly. These visual representations showcase how multiple connected risks can cumulatively impact a larger, more visible risk. By presenting this high-level overview, network diagrams help decision-makers understand the broader implications of risk interconnectedness without getting bogged down in details.
For a more granular analysis, risk managers turn to bow tie diagrams. These detailed visualizations outline the various contributing causes of a risk event on the left, while acknowledging both preventative and corrective measures on the right. Bow tie diagrams are particularly valuable for accountable executives and those responsible for mitigation efforts. They provide the necessary depth of information to manage investment trade-offs and assess compliance status in a risk-informed manner.
The report is exclusively available to RIMS members.