Risk mapping: a decision-making and anticipation tool
Interview with Alexia Fakiri, Internal Control Manager at Bouygues Construction.
Risk management is essential for all companies. Its objective is to identify and assess the major risks facing a company, in order to address them and monitor their development. For listed companies, having a suitable risk management system is compulsory. Each company’s major risks must be presented in the universal registration document (formerly the reference document), established to communicate detailed information on its activity, financial situation and outlook. Alexia Fakiri, Internal Control Manager at Bouygues Construction, explains all.
What is the role of risk mapping and how is it carried out at Bouygues Construction?
All types of activity present a potential risk with more or less significant consequences for a company, be it on its revenue, its people, the environment, and so on. Risk management is deeply rooted at Bouygues Construction and exists at different levels (construction site, process, operational unit, etc.) and can take different forms depending on the needs (risk and opportunity matrix, SWOT analysis, etc.). In addition to these procedures, Bouygues SA, a listed company, must communicate on its major risks and call on its various entities (Bouygues Construction, Bouygues Immobilier, Colas, Bouygues Telecom, and TF1). This is how Bouygues Construction creates its major risk map, which is updated annually.
The definition of risk used for this mapping is “an event which could affect: a) the company’s capacity to achieve its strategic, operational and financial objectives; or b) a process that would lead the company to lose control over its activities.”
From a methodological point of view, risk mapping is the retranscription of the vision of our directors, operational and functional entities, and the management committee. We cross-check these internal analyses with external macro-trend maps, such as the World Economic Forum’s Global Risks Report which offers an in-depth perspective on the main threats that could have an impact on world prosperity during the year and the upcoming decade, and draws on the vision of nearly 800 experts and decision-makers from around the world.
Each identified risk is characterised and evaluated according to its probability of occurrence and its estimated financial impact: gross (if no action is taken by the company) and net (taking into account measures or actions implemented by the company). All of this information makes it possible to position the risks on a graph and prioritise them. The mapping process is dynamic and considers risks systemically, highlighting their interconnections.
What are the main risks identified and what is the operational nature of this mapping activity?
The risks identified can be macro (e.g. ethics and compliance, climate risk, geopolitics) or operational (e.g. major construction projects, cybersecurity, disintermediation/uberisation). The climate risk, for example, is considered based on the impact of climate change on the Group’s activities, but also on the consequences of the Group’s contribution to its imbalance. To give another example, the risk of disintermediation takes into account the impact of new players from the digital world who appear on the Group’s markets.
This mapping practice should be seen as a tool to aid in strategic decision-making, which makes it possible to judge the impact of a risk, the cost of the actions to be carried out to mitigate that risk, and their potential effect. Each risk is assigned a handler, who monitors it and participates in developing an action plan.
This tool also contributes to renewing our approach to risk management, taking a more resilient perspective, i.e. accepting that “zero risk” does not exist, and developing our reactivity to lessen the consequences. Implementing actions does not mean that the risk will not occur or that it will have no impact. However, using these macro-trends and developing our risk management culture improves our agility and our ability to adapt.
How is this mapping shared?
Previously, the internal control process, and risk management in particular, were relatively closed off and rarely shared. Over the past few years, however, we have been communicating more widely in order to make this mapping an educational tool to improve action and awareness. Workshops are regularly held to focus on risks, their impacts, actions to be implemented with a view to continuous improvement, and constant anticipation.