A crucial element of an effective risk management strategy is the setup of the risk control framework and identification of the appropriate KRIs (Key Risk Indicators). This task requires a precise definition of the objectives to select the potential elements that might hinder the achievement of those objectives.

The process of identifying the KRIs may bring significant advantages to an organisation:

A better understanding of risk dynamics: Defining and monitoring KRIs provides a deeper insight into the main threats to the business;

More reliable risk strategies: With a greater understanding of the risk dynamics the management team can define more accurate methods to assess and minimise potential risks;

Risk tolerance levels: Using KRIs, the management can define the company’s tolerance threshold and the risk limits that trigger a corrective action;

Better insight into risk trends: Periodic and regular monitoring of KRIs provides the organisation with a more accurate view of the risk trends. These might be used to determine which activities or business lines are more vulnerable and need further monitoring, as well as new opportunities for growth.


HOW TO SET THE KRIs AND HOW THEY DIFFER FROM KPIs (KEY PERFORMANCE INDICATORS)?
A KRI can be seen as the antithesis of a KPI: while a KPI (Key Performance Indicator) indicates how well a company is doing, a KRI (Key Risk Indicator) shows the opposite. It warns the company about dangers and threats and opens a window of opportunity to react to a specific risk.

KRIs must meet a specific set of requirements:

Measurable: Either in absolute numbers or as a percentage;
Traceable: KRIs should use a consistent scale of values that allows their evolution to be compared over time;
Predictable: KRIs should provide early signals of potential risks;
Informative: Providing an accurate outlook on the risk status.

Once the KRIs are selected, the management should define the thresholds that would trigger risk mitigation plans.

HOW FREQUENTLY DO WE NEED TO CONTROL THE RISKS?
Risk control is not a one-time project but needs to be performed as a cyclical process where risks are monitored systematically. But what is the optimal frequency? Real-time, daily, weekly, monthly or yearly?

These two measures need to be taken into consideration when we decide upon the frequency:

i) each realized risk (loss event) can have a different impact on the organisation and
ii) the frequency of risk control is determined by the impacts.

The risk control process must also include the information from loss event management (do you track your loss events systematically? Stay tuned for our next blog, where we will talk about systematic loss event management and all its benefits for risk management) and data from all the executed mitigations. And don’t forget: be alert and respond to all the changes.

In general, we can say that KRIs should be monitored regularly, and their evolution needs to be reported to the organisation’s management so that they are informed to make strategic decisions. In that sense, it is essential to be selective with the KPIs, as managing too many of them might be complicated and could lead to wrong conclusions.

THE ROLE OF TECHNOLOGY IN RISK CONTROL (AND MANAGEMENT)
In many cases, monitoring and reporting KRIs manually in real time might be challenging and time-consuming. If you still handle your monitoring and reporting in Excel tables, you know what I am talking about. In these cases, only technology allows access to accurate and updated data on the various risk metrics to obtain immediate reporting.

Businesses with a clear risk management strategy in place can leverage technology to monitor the evolution of the KRIs and to deliver periodical reports to the management team. This automated reporting with customizable dashboards would liberate the company’s risk managers from low-value tasks such as risk monitoring, improve data traceability over time and minimise human error. And most importantly: it will save them time, and enable them to focus on the effectiveness.

P.S.: To refresh your knowledge about systematic risk management, check a few previous articles:

How to manage risks systematically?

How to identify risks?

How to define “a risk”?

Risk assessment [Part 1]: Setting up the risk measurement framework

Risk assessment [Part 2]: How to assess risks in practice?

***

Contact our team if you need help with risk assessment.

For more information about risk management follow our LinkedIn & Twitter account. You can join the debate in Linkedin group ERM – ENTERPRISE RISK MANAGEMENT.

The ultimate purpose of risk identification and analysis is to prepare for risk mitigation which includes reduction of the likelihood that a risk event will occur, and/or reduction of the effect of a risk event if the latter does occur. This time, we will show you the strategies to reduce or mitigate such risk and discuss the importance of risk mitigation planning and management in the first place.


RISK MITIGATION STRATEGIES

We can define risk mitigation as a process in which we take steps to reduce adverse effects. There are five types of risk mitigation strategies that are unique to Business Continuity and Disaster Recovery. When mitigating risk, it’s important to develop a mitigation strategy that is based on a cost/benefit analysis of the possible mitigations and that closely matches your company’s profile.

5 risk mitigation strategies

“ACCEPT” RISK strategy
With some risks, the expense involved in mitigating the risk is more than the cost of tolerating the risk. In this situation, the risks should be accepted and carefully monitored.

“AVOID” RISK strategy
In general, risks that carry a high probability of impact, in both financial loss and damage, should be avoided.

“TRANSFER” RISK strategy
Risks that may have a low probability of taking place but would have a large financial impact should be mitigated by being shared or transferred, e.g. by purchasing insurance, forming a partnership, or outsourcing.

“REDUCE” RISK strategy
The most common mitigation strategy is risk limitation: businesses take some type of action to address a perceived risk and regulate their exposure. Risk limitation usually employs some risk acceptance and some risk avoidance.

“HEDGING” RISK strategy
Hedging means assuming an additional risk that works in the opposite direction to the mitigated risk. While natural hedging organizes the business in such a way that “internal” risks offset each other, external hedging uses instruments that create offsetting risks (e.g. locking in a price secures us against price fluctuations).

RISK MITIGATION PLANNING AND MANAGEMENT

Risk management is an ongoing effort that cannot stop after the risk identification phase or after a qualitative risk assessment. One Monte Carlo simulation or the setting of contingency levels cannot be your final destination!

This is why risk mitigation and management needs to be a long-term project that never truly ends. Some of the key issues when planning risk mitigation are:

• Do a cost-benefit analysis of mitigation effects vs. mitigation costs. If the mitigation costs are too high, it is best to assume the risk. Too often marginal risks are addressed just in case.

• Compare risk effects to risk tolerance (or appetite). If the risk is too high, then risk mitigation needs to be undertaken even if it might not be cost-effective.

• Risk mitigation should be approached like any initiative in a company with clearly divided responsibility, budgets and deadlines.

 

This accounts for the planning process of new risk mitigation measures, but existing measures also need to be continuously addressed. If risk mitigation is all about planning new measures, there is a danger that existing mitigation actions are neglected. Therefore, continuous management of existing measures is needed:

• Are the mitigation actions working as planned and are the activities being carried out?

• Occasional testing or audit of mitigation measures ensures that everyone remains vigilant.

• When incidents or near misses happen, it is critical to investigate which mitigation measures were not working.

 

LIMITS OF RISK MITIGATION

Another important issue to remember is that no risk mitigation measure is fully bulletproof. There are always ways for things to go wrong that no one has thought of, as proven by almost all major man-made disasters ever. As a response to this, it is best to think of risk measures as layers of Swiss cheese that stand between a threat and an ultimate loss. Each layer reduces the risk somewhat but is ultimately imperfect.

Therefore it is important to be prepared to act flexibly when a risk is indeed realized.

If Dwight D. Eisenhower were talking about risk management battles, he would say “In preparing for the (risk management) battles, I have always found that (risk management) plans are useless, but planning is indispensable.”

 


In my previous blog post I talked about the risk measurement system, which I will now present to you in practice. I am sure this approach will make it easier to evaluate the risks in your everyday work.

I often say to our clients that the system is merely a tool, which is why it cannot capture all aspects and anticipate all possible scenarios. Therefore, I always suggest using common sense and also leaving some room for manoeuvre.

Now that we have discussed the good principles of setting up a risk measurement system, we are ready to give an example that works for most companies.

The system is an extension of the typical “Likelihood-Impact” matrix. The added dimensions make it possible to assess most of the risk characteristics in a coherent way. For instance, one cannot define likelihoods for many risks at all (foreign exchange rate risk, interest rate risk), and thus they cannot be estimated at all in the “Likelihood-Impact” manner.

All the losses are defined in terms of lost profit within a 1-year period, and the frequency is defined in terms of years (once every x years).

Frequency

This value tells you how many times you can expect that a certain risk will occur over a period. If a certain risk cannot realize repeatedly, one can substitute frequency with likelihood during a time period.

Typical loss

When there is a risk realization, a range of damage is possible from very small to very high losses. For example, a computer virus in most cases leads to only a few hours of work failure, which is a typical loss. This is a relatively common phenomenon and damage from such event falls under a typical loss.

Mathematically one should define this as the average loss per realization.

Worst case loss

Loss in the worst-case scenario is the damage that occurs in an extremely severe and extremely rare realization. Returning to the typical loss example: in the worst-case scenario, the virus infects a computer that manages certain critical systems in the company. This can lead to the loss of the most important computer tools and systems, which in turn implies the shutdown of all activities and huge losses.

Mathematically, the worst-case loss should be based on a certain percentile of losses, similar to Value at Risk.

Persistency

Persistency can take values from “no persistence”, which means that the company feels the negative effects of the risk only in the year in which the risk is realized, to “completely persistent”, which means that after the realization of the risk the company feels negative effects in all subsequent years. Persistency is used to evaluate the net present value (NPV) of future losses, which measures the total firm value loss in one year.

‘Social’ impact in the worst case

This aspect of the risk measurement system is meant to account for impacts that cannot meaningfully be compared to financial damages. This impact scale is not quantitative in nature, but one should aim to set specific impact categories that are objective. For instance, this risk scale could be set to capture the potential impact on employee health, ranging from minor injuries to death or even the death of multiple employees.

 

As there are multiple distinct dimensions of what makes a risk ‘serious’ we have numerous perspectives of how to rank risks. How much importance is given to each way of measuring depends on the organization, and the intended usage of risk estimates. 

Below are presented 4 ways to estimate the risk severity that are based on the above-mentioned risk dimensions.

Short term [Liquidity horizon]

Long term [Solvency horizon]

Average based measures

Expected profit loss due to risk

What does it mean: Indicates how much, on average per year, the specified risk reduces the profit.

How it's calculated: Frequency × Typical loss

Why is it relevant: This is the starting point for benchmarking running risk mitigation costs. If risk mitigation on an annual basis costs less than it reduces the expected costs of risk, then it certainly makes sense to mitigate the risk.

Expected loss in company value due to risks

What does it mean: Adding the effect of persistency of risk effects allows us to estimate how much the value of the company is expected (on average) to decrease due to the assessed risk.

How it's calculated: Frequency × Typical loss × Present value factor based on the persistency

Why is it relevant: This is the most meaningful way to benchmark whether it makes sense to make certain capital investments to mitigate risk. If the investment value is lower than the expected loss in company value, then the investment adds value to the company.

Worst case-based measures

Worst case profit loss 

What does it mean:

How it's calculated:

Why is it relevant: This is important in evaluating whether the company can operate normally (service debt, etc.) even if the risk has the worst-case impact.

Worst case value loss

What does it mean: Estimates how much the economic value (not accounting value) decreases in one year due to the risk.

How it's calculated: Worst case loss × Present value factor

Why is it relevant: This is important in determining whether the company has enough capital to withstand the effects of the risk realizing.
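The measures above, worked through on a small risk register as an added example that is not part of the original article. The discount rate, the 0-to-1 persistency scale, the present value factor formula and all register figures are assumptions constructed for illustration; the example covers the three measures for which a formula is given and shows that the ranking of risks changes with the measure used.

```python
from dataclasses import dataclass, replace

DISCOUNT_RATE = 0.08  # assumption: annual discount rate, not given in the article


@dataclass(frozen=True)
class Risk:
    name: str
    every_x_years: float    # frequency, stated as "once every x years"
    typical_loss: float     # average lost profit per realization
    worst_case_loss: float  # high-percentile lost profit of one realization
    persistency: float      # assumed scale: 0.0 = no persistence, 1.0 = fully persistent

    def __post_init__(self):
        if self.every_x_years <= 0:
            raise ValueError("every_x_years must be positive")


def present_value_factor(persistency, rate=DISCOUNT_RATE):
    """Present value of a loss of 1 that repeats, scaled by `persistency`, each later year.

    Assumed model: the loss felt t years after realization is persistency**t,
    discounted at `rate`. The geometric series sums to 1 / (1 - p / (1 + r)).
    """
    if not 0.0 <= persistency <= 1.0:
        raise ValueError("persistency must be between 0 and 1")
    if rate <= 0.0:
        raise ValueError("rate must be positive for a fully persistent loss to be finite")
    return 1.0 / (1.0 - persistency / (1.0 + rate))


def expected_profit_loss(risk):
    # Frequency x Typical loss, with frequency = 1 / every_x_years
    return risk.typical_loss / risk.every_x_years


def expected_value_loss(risk):
    # Frequency x Typical loss x Present value factor
    return expected_profit_loss(risk) * present_value_factor(risk.persistency)


def worst_case_value_loss(risk):
    # Worst case loss x Present value factor
    return risk.worst_case_loss * present_value_factor(risk.persistency)


def rank(register, measure):
    """Names of the risks, most severe first, under the given measure."""
    return [r.name for r in sorted(register, key=measure, reverse=True)]


def running_cost_justified(before, after, annual_cost):
    """Running mitigation pays off if it costs less per year than it saves."""
    return annual_cost < expected_profit_loss(before) - expected_profit_loss(after)


def investment_adds_value(before, after, investment):
    """A capital investment adds value if it is below the value loss it removes."""
    return investment < expected_value_loss(before) - expected_value_loss(after)


def capital_withstands(risk, capital):
    """Can the available capital absorb the worst-case loss in company value?"""
    return worst_case_value_loss(risk) <= capital


# Constructed sample register (all figures invented for the example).
REGISTER = [
    Risk("Malware outage", every_x_years=2, typical_loss=10_000,
         worst_case_loss=2_000_000, persistency=0.0),
    Risk("Loss of key customer", every_x_years=10, typical_loss=300_000,
         worst_case_loss=900_000, persistency=0.5),
    Risk("Plant fire", every_x_years=50, typical_loss=1_000_000,
         worst_case_loss=4_000_000, persistency=0.2),
]

if __name__ == "__main__":
    for measure in (expected_profit_loss, expected_value_loss, worst_case_value_loss):
        print(f"{measure.__name__}:")
        for risk in sorted(REGISTER, key=measure, reverse=True):
            print(f"  {risk.name:<22}{measure(risk):>14,.0f}")

    customer = REGISTER[1]
    # Hypothetical mitigation that halves how often the key customer is lost.
    mitigated = replace(customer, every_x_years=20)
    print("10k/year programme justified:", running_cost_justified(customer, mitigated, 10_000))
    print("40k investment adds value:  ", investment_adds_value(customer, mitigated, 40_000))
```

The malware risk ranks last on expected profit loss but second on worst-case value loss, which is why a single ranking is not enough to decide where to mitigate.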

 

Find present value factor calculator on the following link.


In the second instalment of our risk management process series, we are going to look more closely at the process of assessing risks. A fundamental step in risk assessment is the setup of the risk measurement framework. In effect this means that before we start the actual assessment, we must decide on a set of criteria that make one risk worse than another.

While this may seem trivial, it is the step where most organizations are led astray by the material floating all around the internet, which advocates the use of a likelihood and impact risk matrix. At this time, we will not go into why such a framework is utterly insufficient for any organization.

Attributes of good risk measures

As a starting point, I have listed below some attributes that make a good risk measure. By combining numerous such measures we can successfully capture different aspects of a specific risk.

Objective: The first and arguably the most important aspect of a good risk measure is that it has an objective definition that is shared among the people in the organization. Far too often one finds organizations basing their risk assessment on a categorical risk impact estimate (from high to low), but what each of the categories means changes from organizational unit to organizational unit. Even a definition of a risk impact measure as simple as “financial loss” is often understood in different ways. It can mean a loss of revenues, a loss in value of the company, a decrease in profit, a decrease in cashflow… This means that people are using the same language, but the words mean different things, an optimal setup for a lot of confusion.

Falsifiable: A famous anecdote attributed to Wolfgang Pauli (Nobel Prize winner in physics) tells of a friend who showed him a paper by a young physicist and asked if Wolfgang thought the paper’s conclusion was right. His response was “That is not only not right; it is not even wrong”. The moral of the story is that if a claim (such as a risk assessment) is so vague that it can’t be falsified, it is even worse than wrong. To ensure that a risk assessment is falsifiable, it should relate to some observable phenomenon that the risk measure can then be benchmarked against. It is a common occurrence that risk measures are so detached from reality that one can make practically any estimate, and it would not be wrong.

Relevant and actionable: Optimally, a good risk measure has direct implications for the management of the organization. In this way the risk assessment’s results are actionable. For instance, the information that a realization of a given risk would lead to a loss that would put the repayment of a loan in jeopardy clearly indicates that the likelihood of realization has to be minimized even if that would lead to substantial costs. Similarly, a risk assessment indicating a large chance of human injury clearly points to the course of action.

Ease of use: In the end, risk measures have to be used by people. This means that if the risk measure is utterly impossible to estimate or its meaning is too difficult to understand, it is no good. This is the reason why sophisticated risk measures like “expected shortfall” rarely find their way out of financial institutions. This is also where we risk consultants often fail the test. Striking the balance between a risk measure being precise enough to be ‘at least wrong’ and being understandable is no mean feat.

Time assessment: A risk measure should most of the time be linked to time or a time horizon. For instance, a commonly used risk measure is “probability of realization”. Most of the time the risk documentation of an organization fails to mention the time horizon for a probability. Not defining the probability in terms of a time horizon means that events like “bankruptcy of supplier” would need to be given a very high probability (+50%). This clearly is very uninformative. A much better measure for bankruptcy would be “2% likelihood next year”. Similarly, if we assess the financial implications of a “new market entrant”, it is much more sensible to discuss the losses during the next year or during the next 5 years rather than losses without any mention of a time horizon.

Risk measurement system cannot capture everything

While the guidelines from above can help one design a good risk measurement system, the fact remains that no system can fully capture all aspects that makes a risk ‘serious’. The reason is that the level of risk is a very multidimensional issue, and if one wants to take all dimensions into account, the result is usually more chaos than added value.

Examples of possible dimensions that could affect how serious a risk is include: the loss of profit, the decrease in value of the company, the decrease in cashflow or liquidity, how quickly the risk’s effects materialize, how persistent the effect of the risk is, how likely it is that multiple risks happen at the same time, the level of danger to employee health and safety, the level of possible environmental damage, the level of social impact on external stakeholders, … You get the picture.

Thus, in addition to using a systematic way to assess risk, leave space for judgement calls and common sense!

Key takeaways

– Risk assessment starts with setting up a coherent risk measurement framework;
– Impact x Likelihood is not acceptable as the only risk measurement system;
– A good risk measure is: Objective, Falsifiable, Relevant, Easy to use, and tied to a time horizon;
– Risk measurement framework can never be complete, so supplement it with common sense;
– Good risk measurement framework captures multiple dimensions of risk;

Next time I will be putting the risk measurement system in practical use by discussing how to perform a risk assessment.


Before starting any systematic risk management efforts, it is crucial to identify the risks that the company is exposed to.
The aim of the risk identification process is to establish a catalogue of risks, the so-called “risk register”. While this process is usually relatively intuitive, there are a few pitfalls that should be taken into consideration.

What constitutes a risk?

The first step in identifying a risk is to agree on a common definition of what a risk is.

ISO 31000:2018 defines risk as “effect of uncertainty on objectives”. After this the definition goes on to specify that “An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.”

While this definition is theoretically sound, we feel that it is too vague for practical use in many companies. Therefore, we generally advocate to use two conditions that tell whether something can be called a risk or not:


1. Uncertainty: Risk exists if there is uncertainty about the future events or developments.

2. Financial damage: Risk exists if this uncertainty may cause a significant financial loss or in other way cause the firm’s financial performance to be below the planned level.

Effectively this definition assumes that company’s primary objective is financial gain, so any uncertainty that might lead to financial loss is a risk.

At the same time as we can define what is a risk, we can also give examples of what does not constitute a risk.

Risk is not a foreseen/ expected adverse development
For instance, if the sales of given product group are expected to decline, this does not constitute a risk. On the other hand, a possibility that the sales are unexpectedly lower than planned is.

Risk is not a difficulty or challenge
A difficulty or a challenge is not unexpected if the situation already exists. A risk would be the “possibility that the new market entry fails” instead of a “challenging market situation”.

Getting the terminology straight

There is an unfortunate confusion about the risk terminology that should be rectified sooner or later. Below are some common terms and the explanation of what is their relationship with each other.

Threat – the source or the trigger of the risk event that causes the uncertainty. Threat without any risk exposure is not problematic.

Risk exposures – the amount that theoretically is at risk if the threat is realized. In financial risk management the exposure is simply used to indicate how a relative (%) change in the value of the underlying variable (interest rate or exchange rate etc.) translates to profits or losses.

Risk – the collection of threats/causes and exposures that is treated and managed as a single whole.

Risk levels – risk level is the result of a risk assessment process that indicates how serious the risk is considering the probability of different loss amounts.

Issues to keep in mind when identifying risk

More identified risks does not mean better identification
While it is a natural urge to identify as many risks as possible, this approach often leads to so many risks that in the end none of the risks get properly managed.

The key aim is to first find the risks that have, in the worst-case scenario, the largest potential loss or financial impact. Try to avoid identifying risks that at worst have minor financial consequences. Such risks can be added when the risk management effort matures, but before that, it is crucial to find the ‘large’ risks.

Another way to keep the number of risks manageable is to remember that there might be several causes and several outcomes for the same risk. For instance, instead of listing “shutdown of machine A”, “shutdown of machine B” etc., we can simply identify a risk “machine interruptions”.

The key to grouping smaller ‘risks’ together is to ensure that these smaller risks are either highly similar or that they can be effectively managed as a group. For instance, in the example above, a single person might be responsible for maintaining all the machines and thus he would naturally be responsible for risk management.

Risks should not ‘overlap’
When identifying risks, we should ensure that we do not accidentally double or triple count the same risk. This can easily happen when many people are separately identifying risks and the risks are then collected into a joint catalogue.
For instance, consider a situation in which the person responsible for IT and the person responsible for production have identified the key risks in their respective departments.
The production side considers an interruption in the supply of semi-finished goods to be among the key risks. On the other hand, the IT department sees the unavailability of the enterprise resource management system as a critical risk. The key here is that many of the production interruptions might be due to IT failures, and thus such a risk is accounted for twice in the risk identification.
Counting the same risk multiple times causes an additional burden in the risk management system and might lead to wrong results if the risk estimates are later aggregated.

Avoid too vague risks
Another major issue that hinders the risk identification process is the tendency of identifying risks that are too vague to be managed. Consider the “risk of decline in employee morale”. For such risk it is almost impossible to assign financial consequences. Likewise, it is hard to even know when the risk has realized. In short, the risk is too vague to be managed. A good substitute for such risk could be “an increase in employee sick days” or something similar, making the risk more tangible and manageable.

Lack of imagination
Most of the major disasters that happen to companies were once unimaginable and had never happened before. Therefore, when identifying risks, one needs to move the mindset from what has happened to what is in the realm of possibility. In doing this we have to overcome our natural mechanism of not worrying about everything, which keeps us sane in everyday life.
For risks that are unlikely, human psychology has the natural tendency to either dismiss the possibility of something going wrong completely (“that cannot happen”) or get overly paranoid about very low probability risks (flight accidents). At the risk identification stage, we want to lean toward being paranoid about everything, and only later, at the risk assessment stage, start thinking about the actual seriousness of the threat. If rigorous analysis shows that the risk is unrealistic, then we can still dismiss it.

Risk identification techniques

Risk identification can be done in two complementary ways:

– The first method is to ask the people with knowledge about the functioning of the organization what could go wrong. In this class of techniques one can use a variety of specific approaches such as risk workshops, brainstorming, questionnaires, self-reporting etc. For an organization in the early part of the risk management effort, the group-based methods are more suitable since they foster the risk culture. For a more mature risk organization the individual approaches are more suitable, since new risks that are identified are likely the ones that were missed initially and are therefore likely to be identified during the normal course of work by a single individual.

– The second class of methods are more analytical, engineering-style methods that are based on careful analysis of the company’s or operation’s value-creating process. These methods are better suited to finding hidden critical failure points that might be missed at the intuitive level. Methods in this class include structured what-if analysis, scenario analysis, fault tree analysis, bow-tie analysis, incident analysis and peer incident analysis.

Key points

Risk is presence of uncertainty that can cause financial damage.

Common failures in risk management are:
– focusing on generating as many risks as possible,
– identifying overlapping risks or double counting the same risk,
– identifying too vague risk and
– lack of imagination.

Risk identification can be done by asking people what could happen or by analysing the company’s processes and finding hidden failure points that might lead to major losses.


Systematic enterprise risk management is a never-ending process in a company that ensures that the risks are appropriately managed.

Risk management process is in its simplest form divided into 4 main phases:

1) Identification
2) Assessment
3) Treat
4) Control

While many ERM books make it sound complicated, it really is not.

First, we must identify the existence of a risk, then evaluate how serious a risk we are dealing with, do something about it, and finally ensure that what we did helped.

Then over time we repeat the steps 2, 3 and 4 to ensure that situation hasn’t changed and that our mitigation efforts are still suitable.


All this being said, there are a number of fine details in each of the steps where one should be careful. In our article series we’ll bring additional insights into each step.

RISK IDENTIFICATION
-Create a collection of all the risks that the company faces → Risk register
-How to know which risk exists? Use out of the box thinking & imagination
-Avoid identifying difficulties as risks; avoid double counting the same risks; start with the major risks and don’t think that a large number of risks means that identification was done well
RISK ASSESSMENT
-“Deciding how serious risk is”
-Quantify in monetary units based on cash flow, profitability, and firm value impact
-Advanced: Take into account the interdependencies → risk aggregation
RISK TREATMENT
-Strategies to reduce risk: Assume; mitigate; hedge; transfer
-Cost benefit analysis: Does it pay off to mitigate risk (requires monetary risk quantification!!!)
-Assign risk owners and organize risk treatment tasks
RISK CONTROL
-Track risk realization and near misses → Data
-Keep track and record underlying risk drivers, such as price fluctuations and interest rates (KRI – Key Risk Indicators)
-Control that risk treatment is functioning well
