Even after my recent webinar series on “Mastering 21st Century Enterprise Risk Management” (www.fasttrack365.com/resources/videos), there continues to be confusion around how to aggregate risk in an Enterprise Risk Management (ERM) system. Therefore some risk managers are now advocating that risks cannot be aggregated, but without aggregation ERM loses any meaning and purpose. So, if we accept the need to aggregate risk, both from business units to group and between diverse natures of risk, the basic question of how to aggregate risks returns.
AVERAGING EXPOSURES
Just this week again on LinkedIn, someone tried to put forward the idea of averaging exposures as a consolidation technique. There are NO circumstances in which you would want to do this! It’s like having one foot in boiling water and one in ice: on average, you’re perfectly comfortable. This stems from the common practice of using unrepresentative risk matrix modeling to evaluate risk exposure. Risk matrices were essentially designed for their ease of use, not their effectiveness. The 2013 Milliman research report on OpRisk found that “Basic risk indicators and standard formula are ultimately a very blunt tool”. That is, the current common practice of rating characteristics with a two-dimensional probability-consequence risk matrix, which is then aggregated, produces a close-to-meaningless value that, although better than nothing, has little relation to real-world risk.
Further, the concept of evaluating a risk as an absolute value in isolation from its environment and timeline is just not realistic. The probability of someone falling and hurting themselves may normally be low, but it will increase drastically if they have been working long hours, there is condensation on the floor, or they have a previous history. So a single risk factor misrepresents the real exposure. We therefore need to move to Scenario Analysis for mapping risk causes, drivers, and outcomes, and drop the old risk matrix.
HOW TO GROUP RISK IN ERM
With an Enterprise Risk Management system, contrary to the common view, risks need to be grouped by their nature, directly related to business strategies and business objectives. Instead of being process- or control-focused, risk outcomes have to be tightly coupled to corporate objectives to allow for meaningful aggregation over disparate operations and natures of risk. Evaluating the risk outcomes in terms of capital, contribution, metric tons, or man-days lost allows for the simple aggregation of a financial, safety and reputational risk into a usable value. Conversely, it also allows executives to understand the importance and value of specific risk controls by their impact on business objectives.
Approaching risk aggregation from this perspective allows staff and management to comprehend the true concept and purpose of aggregating risk, and therefore the objectives of an Enterprise Risk Management system. Aggregating risks based on corporate objective measurements, both horizontally and vertically, through neural networking to handle complex interrelationships, provides a useful decision-making tool for management.
Putting it all together:
- Use Scenario Analysis to identify potential risk events, states, and possible outcomes.
- Link risks back to strategic business objectives, quantifying each risk in terms of its measured effect on the business objective.
- Use Bayesian modelling to calculate both the severity and likelihood of risks, drivers and outcomes.
- Aggregate both horizontally and vertically using the measure of effect on the business objective.
AGGREGATION OF RISK
Aggregation of risk is just one factor you need to reassess if you are serious about implementing an effective Enterprise Risk Management system. Other issues include structuring a neural risk model to map the interrelationships and dependencies between risks, environmental scanning to identify changes in causes and drivers, and triggers to initiate real-time re-evaluation of risk profiles. My book “Mastering 21st Century Enterprise Risk Management” will be available from Amazon and the www.fasttrack365.com website in the next couple of weeks.
Bio:
Greg Carroll - Founder & Technical Director, Fast Track Australia Pty Ltd.
Greg Carroll has 30 years’ experience addressing risk management systems in life-and-death environments like the Australian Department of Defence and the Victorian Infectious Diseases Laboratories among others. He has also worked for decades with top tier multinationals like Motorola, Fosters and Serco.
In 1981 he founded Fast Track (www.fasttrack365.com) which specialises in regulatory compliance and enterprise risk management for medium and large organisations. The company deploys enterprise-wide solutions for Quality, Risk, Environmental, OHS, Supplier, and Innovation Management.
“Mastering 21st Century Risk Management” which will be available from the www.fasttrack365.com website in a couple of weeks. Meanwhile, a recent webinar on the topic can be seen at http://www.youtube.com/watch?v=nQoJj6FBxrY&feature=youtu.be in which we show how emerging best practices provide a good picture of how enterprise risk management should look in the 21st century.