In my previous blog post I talked about risk measurement system, which I will now present you in practice. I am sure this approach will make it easier to evaluate the risks in your every day work.

I often say to our clients that the system is merely a tool, which is why it cannot capture all aspects and anticipate all possible scenarios. Therefore, I always suggest to use common sense and also leave some room for maneuverer.

Now that we have discussed the good principles of setting up a risk measurement system, we are ready to give an example that works for most companies.

The system is an extension of the typical “Likelihood-Impact” matrix. The added dimensions make it possible to assess most of the risk characteristics in a coherent way. For instance, one cannot define likelihoods for many risks at all (foreign exchange rate risk, interest rate risk), and thus they cannot be estimated at all in the “Likelihood-Impact” manner.

All the losses are defined in terms of lost profit within 1-year period, and the frequency is defined in terms of years (once every x years).

Frequency

This value tells you how many times you can expect that a certain risk will occur over a period. If a certain risk cannot realize repeatedly, one can substitute frequency with likelihood during a time period.

Typical loss

When there is a risk realization, a range of damage is possible from very small to very high losses. For example, a computer virus in most cases leads to only a few hours of work failure, which is a typical loss. This is a relatively common phenomenon and damage from such event falls under a typical loss.

Mathematically one should define this as the average loss per realization.

Worst case loss

Loss in the worst-case scenario is the damage that occurs when an extremely high and extremely rare realization. Linking, to the example typical loss example – in the worst-case scenario, the virus infects a computer that manages certain critical systems in the company. This can lead to the loss of the most important computer tools and systems, which in turn implies the shutdown of all activities and huge losses.

Mathematically the worst-case loss should be based on certain percentile of losses, similar to Value at risk.

Persistency

Persistency can take values from “no persistence”, which means that the company feels the negative effects of the risk only in the year in which the risk is realized, to a completely persistent one, which means that after the realization of the risk the company feels negative effects in all subsequent years. Persistency is used to evaluate the net present value (NPV) of future losses which measures to total firm value loss in one year.

‘Social’ impact in the worst case

This aspect of the risk measurement system is meant account for impacts that cannot meaningfully be compared to financial damages. This impact scale is not quantitative in nature, but one should aim to set specific impact categories that are objective. For instance, this risk scale could be set to capture the potential impact on employee health, ranging from minor injuries to death or even death of multiple employees.

 

As there are multiple distinct dimensions of what makes a risk ‘serious’ we have numerous perspectives of how to rank risks. How much importance is given to each way of measuring depends on the organization, and the intended usage of risk estimates. 

Below are presented 4 ways to estimate the risk severity that are based on the above-mentioned risk dimensions.

Short term [Liquidity horizon]

Long term [Solvency horizon]

Average based measures

Expected profit loss due to risk

What does it mean: Indicates how much on average per year, specified risk reduces the profit?

How its calculated: Frequency X Typical loss

Why is it relevant: This is the starting point to benchmark running risk mitigation cost. If risk mitigation on annual bases costs less than it reduces the expected costs of risk, then it certainly makes sense to mitigate the risk.

Expected loss in company value due to risks

What does it mean: Adding the effect of persistency of risk effects allows us to estimated how much the value of the company is expected (on average) to decrease due to assessed risk.

How its calculated: Frequency X Typical loss X Present value factor based on the persistency

Why is it relevant: this is most meaningful way to benchmark does it makes sense to make certain capital investments to mitigate risk. If the investment value is lower than the expected loss in company value, then investment adds value to the company.

Worst case-based measures

Worst case profit loss 

What does it mean:

How its calculated:

Why is it relevant: This is important in evaluating whether the company can operate normally (service debt, etc.) even if the risk has the worst-case impact.

Worst case value loss

What does it mean: Estimates how much the economic value (not accounting) decreases in one year due to the risk?

How its calculated: Worst case loss X present value factor

Why is it relevant: This is important in determining whether the company has enough capital to withstand the effects of the risk realizing.

 

Find present value factor calculator on the following link.

Until next time, when we will examine how to combine and analyse the risk in order to get the best results, I invite you to check our latest posts:

– How to manage risks systematically?

– How to identify risks?

– How to define “a risk”?

***

Contact our team if you need help with risk assessment.

For more information about risk management follow our LinkedIn & Twitter account. You can join the debate in Linkedin group ERM – ENTERPRISE RISK MANAGEMENT.

In our second instalment of our risk management process series, we are going to look more closely to the process of assessing risks. Fundamental step for risk assessment is the setup of the risk measurement framework. In effect this means that before we start the actual assessment, we must decide a set of criteria that make one risk worse from another.

While this may seem trivial it is the step where most organizations are led astray by the material floating all around the internet, which advocates the use of likelyhood and impact risk matrix. At this time, we will not go into why such a framework is utterly insufficient for any organization.

Attributes of good risk measures

For a starting point I listed below some attributes that make a good risk measure. And by combining numerous such measures we can successfully capture different aspects of specific risk.

Objective The first and arguably the most important aspect of a good risk measure is that it has an objective definition, that is shared among the people in the organization. Far too often one finds organizations basing their risk assessment on categorical risk impact estimate (from high to low), but what is the meaning of what each of the categories mean is changes from organizational unit to organizational unit. As simple definition for risk impact measure, as “financial loss” is often understood in different ways. It can mean a loss of revenues, loss in value of the company, decrease in profit, decrease in cashflow… This means that people are using the same language, but the words mean different things, an optimal setup for a lot of confusion.

Falsifiable A famous anecdote attributed to Wolfgan Pauli (noble price winner in physics), tells a story of when a friend showed him a paper of a young physicist, and asked if Wolfgan thought the papers conclusion was right. His response was “That is not only not right; it is not even wrong”. The moral of the story is that if a claim (such as risk assessment), is so vague, that it can’t be falsified, it is even worse than wrong. For one to ensure that a risk assent is falsifiable, it should relate to some observable phenomenon that the risk measure can them be benchmarked against. It is common occurrence that, risk measures are so detached from reality that one can practically make any estimate, and it would not be wrong.

Relevant and actionable Optimally a good risk measure has direct implications for the management of the organization. In this way the risk assessments results are actionable. For instance, the information that a realization of a given risk would lead to a loss that would put the repayment of a loan in jeopardy, clearly indicates that likelihood of realization has to be minimized even if that would lead to substantial costs. Similarly risk assessment indicating a large change for human injury clearly points the course of action.

Ease of use In the end risk measures have to be used by people. This means that if the risk measure is utterly impossible to estimate or that its meaning is too difficult to understand, it is no good. This is the reason why sophisticated risk measures like “expected shortfall” rarely find their way out of financial institutions. This is also where us risk consultants, often fail the test. Striking the balance risk measure being precise enough to be ‘at least wrong ‘, while being understandable is no mean feature.

Time assessment Risk measure should be most of the time linked to time or time horizon. For instance, common risk measure that is used is “probability of realization”. Most of the time the risk documentation of an organization fails to mention what is the time horizon for a probability. Not defining the probability in terms of time horizon, means that events like “bankruptcy of supplier” would need to be given very high probability ( +50%). This clearly is very uninformative. Much better measure for bankruptcy would be “2% likelihood next year”. Similarly, if we assess the financial implications of “new market entrant”, it is much more sensible in discussing the losses during next year or during the next 5 years rather than losses without any mention of time horizon.

Risk measurement system cannot capture everything

While the guidelines from above can help one design a good risk measurement system, the fact remains that no system can fully capture all aspects that makes a risk ‘serious’. The reason is that the level of risk is a very multidimensional issue, and if one wants to take all dimensions into account, the result is usually more chaos than added value.

Examples of possible dimensions that could affect how serious risk is include: the loss of profit, the decrease of value of the company, The decrease in cashflow or liquidity, how quickly the risks effects materialize, how persistent the effect of the risk is, how likely it is that multiple risks happen at the same time, level of employee health and safety endangered, level of possible environmental damage, level of social impact to external stakeholders, … You get the picture.

Thus, in addition to using a systematic way to assess risk, leave space for judgement calls and common sense!

Key takeaways

– Risk assessment starts with setting up a coherent risk measurement framework;
– Impact x Likelyhood is not acceptable as only risk measurement system;
– Good risk measure is: Objective, Falsifiable, Relevant, Easy to use, and tied to time horizon;
– Risk measurement framework can never be complete, so supplement it with common sense;
– Good risk measurement framework captures multiple dimensions of risk;

Next time I will be putting the risk measurement system in practical use by discussing how to perform a risk assessment.

P.S.: To refresh your knowledege about systematic risk management check a few previous articles:

How to manage risks systematically?

How to identify risks?

How to define “a risk”?

***

Contact our team if you need help with risk assessment.

For more information about risk management follow our LinkedIn & Twitter account. You can join the debate in Linkedin group ERM – ENTERPRISE RISK MANAGEMENT.

Before starting any systematic risk management efforts, it is crucial to identify the risk that the company is exposed to.
The aim of the risk identification process is to establish a catalogue of risks or so called “risk register”. While this process usually is relatively intuitive there are few pitfalls that should be taken into consideration.

What constitutes a risk?

The first step in identifying a risk is to agree on a common definition of what a risk is.

ISO 31000:2018 defines risk as “effect of uncertainty on objectives”. After this the definition goes on to specify that “An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.”

While this definition is theoretically sound, we feel that it is too vague for practical use in many companies. Therefore, we generally advocate to use two conditions that tell whether something can be called a risk or not:


1. Uncertainty: Risk exists if there is uncertainty about the future events or developments.

2. Financial damage: Risk exists if this uncertainty may cause a significant financial loss or in other way cause the firm’s financial performance to be below the planned level.

Effectively this definition assumes that company’s primary objective is financial gain, so any uncertainty that might lead to financial loss is a risk.

At the same time as we can define what is a risk, we can also give examples of what does not constitute a risk.

Risk is not a foreseen/ expected adverse development
For instance, if the sales of given product group are expected to decline, this does not constitute a risk. On the other hand, a possibility that the sales are unexpectedly lower than planned is.

Risk is not a difficulty or challenge
A difficulty or a challenge is not an unexpected if the situation exists already now. Risk would be “possibility that the new market entry fails” instead of “challenging market situation”.

Getting the terminology straight

There is an unfortunate confusion about the risk terminology that should be rectified sooner or later. Below are some common terms and the explanation of what is their relationship with each other.

Threat – the source or the trigger of the risk event that causes the uncertainty. Threat without any risk exposure is not problematic.

Risk exposures – the amount that theoretically is at risk if threat realizes. In financial risk management the exposure is simply used to indicate how a relative (%) changes in value of the underlying variable (interest rate or exchange rate etc.) translates to profits or losses.

Risk – the collection of threats/causes and exposures that is treated and managed as a single whole.

Risk levels – risk level is the result of a risk assessment process that indicates how serious the risk is considering the probability of different loss amounts.planation of what is their relationship with each other.

Issues to keep in mind when identifying risk

More identified risks does not mean better identification
While it is a natural urge to identify as many risks as possible, this approach often leads to so many risks that in the end none of the risks get properly managed.

Key aim is to first find risks that have, in the worst-case scenario, the largest potential loss or financial impact. Try to avoid identifying risks that at worst have minor financial consequences. Such risk can be added when the risk management effort matures, but before that, it is crucial to find the ‘large’ risks.

Another way to reduce to keep the amount of risks more manageable is to remember that there might be several causes and several outcomes for the same risk. For instant, instead of listing, “shutdown of machine A”, “Shutdown of machine B” etc. we can simply identify a risk “machine interruptions”

The key of grouping smaller ‘risks’ together is to ensure that these smaller risks are either highly similar or that they can be effectively managed as a group. For instance, in the example above, a single person might be responsible for maintaining all the machines and thus he would naturally be responsible for risk management.

Risk should not ‘overlap’
When identifying risk, we should ensure that we do not accidently double or triple count the same risk. This can easily happen when many people are separately identifying risks and the risk are then collected to a joint catalogue.
For instance, consider a situation that a person responsible IT and person responsible for production have identified key risk in their respective departments.
Production side considers an interruption in the supply of semi-finished goods to be among the key risks. On the other hand, IT department sees the unavailability of enterprise resource management system to be critical risk. Key here is that many of the production interruptions bight be due to IT failures and thus such risk is accounted twice in the risk identification.
Counting the same risk multiple times causes additional burden in the risk management system and might lead to wrong results if risk estimates later on are aggregated.

Avoid too vague risks
Another major issue that hinders the risk identification process is the tendency of identifying risks that are too vague to be managed. Consider the “risk of decline in employee morale”. For such risk it is almost impossible to assign financial consequences. Likewise, it is hard to even know when the risk has realized. In short, the risk is too vague to be managed. A good substitute for such risk could be “an increase in employee sick days” or something similar, making the risk more tangible and manageable.

Lack of imagination
Most of the major disasters that happen to companies were one unimaginable and had never happened before. Therefore, when identifying risks, one needs to move the mindset from what has happened to what is in the realm of possibility. In doing this we have to overcome our natural mechanism of not worrying about everything that keeps us sane in everyday life.
For risks that are unlikely, Human psychology has the natural tendency to either dismiss the possibility of something going wrong completely (“that cannot happen”) or get overly paranoid about very low probability risks (flight accidents). At the risk identification stage, we want lean toward being paranoid about everything, and then only later on the risk assessment stage, start thinking about the actual seriousness of the threat. If rigorous analysis show that the risk is unrealistic, then we can still dismiss it.

Risk identification techniques

Risk identification can be done in two complementary ways:

– First method is to ask the people with knowledge about the functioning of the organization, what could go wrong. In this class of techniques one can use variety of specific approaches such as, risk workshops, brainstorming, questioners, self-reporting etc. For an organization in the early part of the risk management effort, the group-based methods are more suitable since they foster the risk culture. For more mature risk organization the individual approaches are more suitable since new risks that are identified are likely the once that are missed initially and are therefore likely identified during the normal course of work by single individual.

– Second class of methods are more analytical and engineering methods that are base on careful analysis of company’s or operations value creating process. These methods are better suited to find hidden critical failure points that might be missed in the intuitive level. Method in this class include structured what if analysis, Scenario analysis, fault tree analysis, bow-tie analysis, incident analysis and peer incident analysis.

Key points

Risk is presence of uncertainty that can cause financial damage.

Common failures in risk management are:
– focusing on generating as many risks as possible,
– identifying overlapping risks or double counting the same risk,
– identifying too vague risk and
– lack of imagination.

Risk identification can be done by asking people what they could happen or analysing the company’s process and finding hidden failure points that might lead to major losses.

***

Contact our team if you want to manage risks systematically.

For more information about risk management follow our LinkedIn & Twitter account. You can join the debate in Linkedin group ERM – ENTERPRISE RISK MANAGEMENT.

Systematic enterprise risk management is a never-ending process in a company that ensures that the risks are appropriately managed.

Risk management process is in its simplest form divided into 4 main phases:

1) Identification
2) Assessment
3) Treat
4) Control

While many ERM books make it sound complicated really is not.

First, we must identify the existence of a risk; evaluate how serious risk we are dealing with, doing something about it, and finally ensure that what we did helped.

Then over time we repeat the steps 2, 3 and 4 to ensure that situation hasn’t changed and that our mitigation efforts are still suitable.

silver bullet risk - blog - risk management process

All this being said, there are number of fine details in each of the steps that one should be carefully. And in our article series we’ll bring additional insights into each step.

RISK IDENTIFICATION
-Create a collection of all the risks that the company faces → Risk register
-How to know which risk exists? Use out of the box thinking & imagination
-Avoid identifying difficulties as risk; avoiding double counting the same risks; start with the major risk and don’t think that large number of risks means that identification was done well
RISK ASSESMENT
-“Deciding how serious risk is”
-Quantify in monetary units based on cash flow, profitability, and firm value impact
-Advanced: Take into account the interdependencies → risk aggregation
RISK TRAETMENT
-Strategies to reduce risk: Assume; mitigate; hedge; transfer
-Cost benefit analysis: Does it pay off to mitigate risk (requires monetary risk quantification!!!)
-Assign risk owners and organize risk treatment tasks
RISK CONTROL
-Track risk realization and near misses → Data
-Keep track and record underlying risk drivers, such as price fluctuations and interest rates (KRI – Key Risk Indicators)
-Control that risk treatment is functioning well

***

Contact our team if you want to manage risks systematically.

For more information about risk management follow our LinkedIn & Twitter account. You can join the debate in Linkedin group ERM – ENTERPRISE RISK MANAGEMENT.