English: Risk management sub processes (Photo credit: Wikipedia) |
Kristina Narvaez
&Larry Warner
For many organizations, gathering risk information from many business units and departments and then creating a consolidated risk report to share with senior managements and boards can seem daunting.
The sheer volume of risk data to be aggregated can overwhelm even the most astute decision makers. That’s especially true because many organizations still manage their risks in silos, separating them into operational units without understanding their correlations. But concentrations of risk can mean that bad events spread quickly across an organization’s silos.
One difficulty arises in managing risks via a silo-based approach is the inability to aggregate those risks across different business units and operational departments, which makes evaluating those risks from a global perspective hard. As a result, risk managers and CFOs struggle with such issues as unstable and weakly founded risk- correlation assumptions, inconsistent risk metrics and differing time horizons for different types of risks.
English: A flowchart pointing out the different types of risks in Banking (Photo credit: Wikipedia) |
Risk aggregation can be applied to more than just an organization’s financial risks. In fact, many organizations outside the financial-services industry have started to use a broader definition of risk aggregation. That definition describes the term as the accumulation of the total risk exposures of various types of risks throughout the organization along with the ability to compare its various risk exposures to the organization’s risk-appetite statement.
Objective Correlatives
While it’s important to understand the effect on the organization of individual risks, it’s rarely the case that two individual risks are either perfectly correlated, and hence can be simply added together, or perfectly independent, allowing the use of a simple approximate formula to combine them.
While it’s important to understand the effect on the organization of individual risks, it’s rarely the case that two individual risks are either perfectly correlated, and hence can be simply added together, or perfectly independent, allowing the use of a simple approximate formula to combine them.
Because of that, it becomes necessary to design a robust general process enabling the aggregation of risks while allowing for the fact that the outcome for any one risk might depend on other types of risks in the organization.
Ideally, organizations should develop and maintain strong risk-data aggregation capabilities that take into account correlations within their risk portfolios to ensure risk reports reflect risks in a reliable way.
Not by Data Alone
Accurate, complete and timely risk information is, after all, a foundation for effective risk management. But risk information alone does not guarantee that the board and senior management team will get the timely and accurate information they need to make effective decisions.
Accurate, complete and timely risk information is, after all, a foundation for effective risk management. But risk information alone does not guarantee that the board and senior management team will get the timely and accurate information they need to make effective decisions.
The right risk information needs to be presented to the right people at the right time. Risk reports should contain correct content and be presented to the appropriate decision makers in a timely manner that allows for an appropriate response.
While organizations may have the ability to easily aggregate financial risks, there are other risks, such as hazard, operational and supply-chain exposures, that represent larger opportunities that can sometime be overlooked.
Effective programs need both quantitative and qualitative data and should recognize the need of both tangible and intangible risks. For organizations with multiple locations, divisions, and /or multinational operations, risk aggregation can present more complicated problems.
Some organizations have effectively tackled it by taking an evolutionary approach that builds upon their existing, internal risk-reporting processes. This has often proven to be a more practical and cost-effective approach that trying to aggregate risks all at once.
For organizations that use workshops, surveys or audits in their risk management practices, extracting both quantitative and qualitative information can lead to a much better understanding of risks and more effective aggregation.While quantitative information is easy to extract and useful in itself, a more thorough review of the data may present management with the opportunity to think more comprehensively about risk. Often, organizations that extract common themes among disparate data can more easily identify emerging risks.
English: A qualitative categorization of different risks in terms of scope and severity (Photo credit: Wikipedia) |
For “potential impact” they may ask: “What could be the potential outcomes of this risk our employees, vendors, suppliers or customers? What impact could an issue have on our brands and corporate reputation? And, what are the potential impacts on sales, expenses, or profits?
These can be rated on a 4 or 5 level scale basis ( e.g. insignificant, low medium, major, or catastrophic ) to determine how critical the risk is to the business. Some organizations use the additional dimension of complexity as an additional risk evaluation tool. For example, they might ask: Is the issue becoming more widely spread?
English: Prioritizing risk and opportunities based on their risk/opportunity management contribution and cost-effectiveness contribution (Photo credit: Wikipedia) |
Such practical approaches increase the effectiveness of both risk identification and aggregation by creating a uniformity of approach. That yields better information and reliability.
When used properly, good risk aggregation can help an organization to effectively assume more risk. That’s because they have a better understanding of the breadth of the risks that they are taking on. Using risk aggregation can also lead to a better understanding of the individual risks being taken, a competitive advantage to an organization, and a more efficient and effective risk management program.
Kristina Narvaez is president and CEO of ERM Strategies LLC and Larry Warner is president of Warner Risk Group.