Assessing real risk appetite

Attending an IIA training in Brussels today on Corporate Governance audits, an excellent training by the way, we (the participants) started discussing risk appetite. The discussion got me thinking about the way we establish or validate risk appetite and the issues that come with that. Let me take you through my thoughts ...

A reflection of stated risk appetites

Let's look at a traditional process of establishing risk appetites.
Following COSO-ERM, the board has established some kind of risk appetite. In order to translate this to an operational reality, we start with a risk analysis, often based on risk maps specific to your industry. Management and process owners assess impact, probability of occurrence within a certain time interval and current risk coverage. They follow this with an assessment of the adequacy of that coverage in order to determine their "appetite" for the specific identified risks ...

Well, there is a bit of a problem with that approach. This approach gives us a reflection of the stated or expressed risk appetite, the stated preferences of the participants with respect to these risks.
What we don't know is whether this is a truly accurate reflection of the risk appetite, or whether it is a subjective response reflecting what management believes it should answer as a truthful interpretation of the expressed preferences of the board.

In other words, is this a reflection of how they really would behave with respect to these risks, or of how they believe they should behave.

Real risk appetite is reflected by exhibited risk appetite

There is one good way of finding out real risk related behaviour. For risks which occur with some frequency, we can observe the behaviour of management and process owners.

How? Well, any actual behaviour towards risks is reflected in the day-to-day decision making and action taking. In other words, our operational behaviour is an accurate reflection of risk related behaviour. From a risk management point of view, we can look at evidence of this behaviour, such as:

  • publications which exhibit our opinion on certain key issues in our industry which may be related to one or more risks, hence giving some information on our real risk appetite;
  • project choices and priorities give information on our preferences in terms of organisational strategies that we want to focus on as we deem them relevant;
  • meeting minutes of and reports presented to the board and exco give us information on which decisions are being taken as to where the organisation should focus.

In essence, these real-life rather than stated choices reflect our actual attitude as an organisation, a management team or a division towards risks and our exposure to them: in other words, our risk appetite.

Using the results

Okay, what can we do with the information we gathered? Recapping, we have information on the stated, expressed behaviour of management and process owners towards risk and we have information as to the actual behaviour exhibited by the management and the owners regarding these risks.

We can perform the following analyses:

  1. Internal interpretation of the board's risk appetite: When we compare the board's risk appetite with the stated management and process owner risk preferences;
  2. Actual versus stated risk appetite: When we compare the stated management and process owner preferences with the exhibited preferences.

For any discrepancies, I would ask management or process owners to come up with a good explanation which motivates the deviations. They may be relevant and valid, but they need to be in line with the board's choices.

Why sum formulas better reflect the risk appetite in calculating risk levels

How to determine a risk profile and calculate a level of risk?

Introduction

This is a significant rewrite and a first time write-up in English of an article I published in Dutch in May of 2009. I'm revisiting it because I had an interesting exchange with my ERM class at Solvay Brussels School last week, where we discussed the issues related to risk calculations.

As is always the case in this area of risk management, there will be both proponents of the approach and people contesting it. For me, a large part of the value of these posts is in the discussion that follows. For that, I refer to the ERM group on Linked-In, where I will post a link to this post.

Finally, I understand that the number of readers of a post halves with each formula you put into an article. This may actually mean I will be the only one reading this one to the end.

The controversy

Risk analysis tasks you with "measuring" risks. To date, we most often use qualitative information. There are a couple of reasons for that.

First, quantitative information is most often not readily available in sectors other than banking or insurance. Even if it were available, it can cloud rather than clarify the issue. Look for example at risk management failures in the banking sector over the past years.

So, we start with qualitative information. My implicit assumption here is that definitions of scales are agreed upon with all evaluators and are consistently applied in the evaluations. Everyone evaluating should be very clear about what "high", "medium" or "low" risk actually means.

In some cases, simple scoring along the axes of probability of occurrence and impact on objectives is not enough. Some analysis requires a roll-up from these "traditional" scores for impact and probability of occurrence to a single dimension, which we will refer to here as the "risk level".

Now, most of us risk management nerds agree that the risk level is a function of impact and probability. However, the controversy starts right after that. Traditional risk management usually uses a product formula to calculate the level of risk:

Level of risk = I(mpact) x P(robability) = I x P

The problem with this approach becomes apparent pretty quickly. Risk related events with a high impact and low probability are scored in a similar manner to risk related events with a low impact and a high probability. The assumption these events are comparable in "risk level weight" is an unfounded assumption. Let me give you a concrete example:

The likely, low-impact event of a fly hitting your vehicle has an overall lesser level of risk than the luckily unlikely, high-impact event of a deer hitting your vehicle.

However, traditional risk management will yield the same risk level for an event with P=6/6 and I=1/6 as for an event with P=1/6 and I=6/6. Both are valued at 6.

See the problem? Right. Now, what can we do about it?

Alternatives to the product formula

Using a sum formula rather than a product formula allows us to attach a numeric weight to the dimensions impact on objectives (which we'll call impact or I) and probability of occurrence within a certain time frame (which I will refer to as probability or P). This weight is a function of the relative importance of impact and probability to the organisation where we are performing the risk analysis.

How does that work? Well, depending on your risk appetite as an organisation, you can give more weight to one dimension over another, which allows you to tweak the risk analysis to the risk profile of your organisation. This is where product formulas fall short. They cannot be used to integrate this aspect:

W x (I x P) = (W x I) x P. However, W x (I+P) does NOT equal (W x I) + P

You could rightly remark that weighting in the product formula can be realised by applying exponential values to the dimensions. However, it's exactly that exponential nature that will quickly reduce the relevance and weight of the non-weighted dimension to virtually nothing as compared to the weighted dimension. Hence, it makes little sense to take the non-weighted parameter into account. But as it has been valued, we do need to take into account the scores that have been attributed to that dimension for the different risks evaluated.

In short, applying a sum formula to calculate the risk level ensures a more transparent calculation which allows the management to better reflect their risk appetite … provided the dimensions are weighted in a manner that reflects the risk appetite of the organisation.

But what do these weights mean?

Weights are applied to a dimension to give that dimension more importance in the calculation of the risk level of the specific risk. If the risk appetite calls for the avoidance of high impact events, impact will be weighted heavier than probability. If we want to reduce the probability of event occurrence, we will put more weight on probability.

There is some, though not a perfect, correlation between an impact preference and organisations that prefer to proactively manage the consequences of risks, and between a probability preference and organisations that prefer to proactively manage the sources of risks. That however is the subject of another blog post.

If we let W be the weight factor, we can distinguish three different profiles, which depending on the value of W can be more or less extreme.

impact oriented profile

This profile weighs impact as more important than probability of occurrence. This organisation will prefer to work on high impact risks with less attention given to the probability factor. Coverage of frequently occurring, low impact risks, such as clerical errors, is less important.

The risk level calculation is RL = ((W x I) + P) / (W + 1)

probability oriented profile

This profile weighs probability of occurrence as more important than impact. The organisation wants to avoid the frequently occurring risks, but sacrifices coverage of high impact, lower probability risks.

The risk level calculation is RL = (I + (W x P)) / (W + 1)

indifferent profile

This profile does not weight probability or impact. Risks with high impact and low probability are treated in the same manner as risks with low impact and high probability.

The risk level calculation is RL = (I + P) / 2

Who gets to determine these weights?

Well, management does. It's their responsibility to determine weights, as these represent the risk profile of the organisation. They need to translate the mission and vision into a strategy which is supported by a risk profile. That decision is theirs and theirs alone.

An example

Let's assume we have two situations for which the impact and probability of occurrence have been established. Let's further assume that the impact score for the first situation equals the probability score for the second, and the probability score for the first situation equals the impact score for the second. The traditional calculations using the product formulas will of course show these risks to be at an equal risk level to one another.

Let's further assume that the weighting factor applied will be W = 2. In essence, the parameter it is applied to will be considered twice as important as the other parameter. In this case, we chose an environment which values impact more than probability of occurrence, expressed as a factor of 2.

Let's finally assume that the evaluation of each dimension is done on a five point scale and that the final risk level score needs to be normalised to a five point scale.

  • Situation 1 is collusion between a responsible employee and a supplier to perpetrate a fraud damaging the organisation.
  • Situation 2 is a clerical error in the administrative registration of a demand for a service of that same organisation.

We first perform the calculations to get a non-normalised result, which then needs to be brought back to a score on an axis from 1 to 5; that is the normalisation to a five point scale.

Evaluation of situation 1

The weighted product formula yields: (2 x I) x P = (2 x 5) x 1 = 10

The non-weighted product formula yields: I x P = 5 x 1 = 5

The weighted sum formula yields: (2 x I) + P = (2 x 5) + 1 = 11

The non-weighted sum formula yields: I + P = 5 + 1 = 6

Evaluation of situation 2

The weighted product formula yields: (2 x I) x P = (2 x 1) x 5 = 10

The non-weighted product formula yields: I x P = 1 x 5 = 5

The weighted sum formula yields: (2 x I) + P = (2 x 1) + 5 = 7

The non-weighted sum formula yields: I + P = 1 + 5 = 6

Normalisation

As all risk scores need to be brought back to a five point scale, we need to perform a "normalisation", which is just a fancy way of saying we are bringing the score back to a reference scale. Depending on the formula used, the normalisation calculation is different.

For the product formula, we divide by the maximum possible score (normalisation to 1) which we then multiply by the maximum value on the scale, in this case 5. This leads to:

2 x Imax x Pmax / 5 = 2 x 5 x 5 / 5 = 50 / 5 = 10

In other words, the normalized risk level for situation 1 becomes:

  • for the weighted calculation: 10 / 10 = 1
  • for the non-weighted calculation: 5 / 10 = 0,5

The normalized risk level for situation 2 becomes:

  • for the weighted calculation: 10 / 10 = 1
  • for the non-weighted calculation: 5 / 10 = 0,5

For the sum formula, we divide by (W + 1), where W is the weight given to the dominant dimension. This yields the following normalized results for situation 1:

  • for the weighted calculation: 11 / 3 = 3,66
  • for the non-weighted calculation: 6 / 3 = 2

For situation 2, this becomes:

  • for the weighted calculation: 7 / 3 = 2,33
  • for the non-weighted calculation: 6 / 3 = 2

In other words, where the product formula fails to distinguish the two very different risk events, the sum formula distinguishes the risk events and considers the risk with the higher impact as of a higher priority.

The example demonstrates the sum formula better answers the needs of management to reflect its risk appetite in the calculated risk level of individual risks.
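As an added example, not code from the original post, here are the three profile formulas and the product formula in Python, applied to the two situations above with W = 2. It assumes the product formula is normalised by dividing by its own maximum (W x 5 x 5) and multiplying by 5, while the sum formulas divide by W + 1 as the post does; the situation names and scores are constructed from the text.

```python
from fractions import Fraction

SCALE_MAX = 5  # I, P and the normalised risk level all live on a 1..5 scale


def _check(score):
    """Reject scores outside the agreed five point scale."""
    if not 1 <= score <= SCALE_MAX:
        raise ValueError(f"score {score} outside 1..{SCALE_MAX}")
    return score


def product_rl(impact, probability, weight=1):
    """Product formula W x I x P, normalised by dividing by its own maximum
    (W x 5 x 5) and multiplying by 5. W cancels out, so a weight never
    changes the ranking a product formula produces."""
    raw = weight * _check(impact) * _check(probability)
    return Fraction(raw * SCALE_MAX, weight * SCALE_MAX * SCALE_MAX)


def sum_rl(impact, probability, weight=1, profile="impact"):
    """Sum formula for the post's three profiles; dividing by (W + 1)
    keeps the result on the 1..5 scale without a separate normalisation."""
    _check(impact)
    _check(probability)
    if profile == "impact":          # RL = ((W x I) + P) / (W + 1)
        raw = weight * impact + probability
    elif profile == "probability":   # RL = (I + (W x P)) / (W + 1)
        raw = impact + weight * probability
    elif profile == "indifferent":   # RL = (I + P) / 2
        weight, raw = 1, impact + probability
    else:
        raise ValueError(f"unknown profile {profile!r}")
    return Fraction(raw, weight + 1)


def rank(situations, scorer):
    """Order named (I, P) pairs by risk level, highest first. sorted() is
    stable, so a tie keeps the input order instead of faking a decision."""
    scored = [(name, scorer(i, p)) for name, (i, p) in situations.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed input: the two situations from the post, scored on 1..5.
SITUATIONS = {
    "collusion fraud": (5, 1),  # high impact, low probability
    "clerical error": (1, 5),   # low impact, high probability
}

if __name__ == "__main__":
    for name, rl in rank(SITUATIONS, lambda i, p: sum_rl(i, p, 2, "impact")):
        print(f"{name}: {rl} ({float(rl):.2f})")
```

Swapping the scorer for `product_rl` shows both situations tied at the same normalised level whatever W is, while the probability oriented profile reverses the order the impact oriented profile gives.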

Embedding risk management in the strategy cycle

Since its inception, there have been a lot of comments on COSO-ERM and how it can be applied in practice in an organizational setting. Those of you, dear reader, who have followed this blog know I am not an avid fan of the framework. However, contrary to some experts, I don't agree that the authors made an error by introducing risk appetite as a concept as early in the ERM cycle as they have.

Understanding risk appetite

Dr. Larry Rittenberg (Ernst & Young) and Frank Martens (PwC) authored a short(ish) document on understanding and communicating risk appetite, which was published by COSO in January of 2012. It aimed to present a set of answers to the unclarity surrounding the concept of risk appetite as it was introduced in COSO-ERM:2004. In its executive summary, they clearly state that:

"Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so."

In defining risk appetite in this way, they aim to get ERM out of the compliance corner it has been painted in for a long time. It elevates risk management above the level of a mere tool or requirement and positions it where it should be and informally often already is: an integral part of the strategy process.

Risk appetite as a key element in strategy setting

A strategy can be defined, as the venerable Wikipedia does, as follows:

"A plan of action designed to achieve a vision. Strategy is all about gaining (or being prepared to gain) a position of advantage over adversaries or best exploiting emerging possibilities. As there is always an element of uncertainty about the future, strategy is more about a set of options ("strategic choices") than a fixed plan."

Hence, reading this again, the key risk element, the uncertainty element, is an inherent part of the definition of a strategy. Awareness of what, in broad terms, this risk may be and of the extent to which it would be acceptable for the organization to be confronted with it is required to develop the action plan. Hence, risk, and especially risk appetite, drives strategy.
In my personal opinion, the authors did not adequately emphasize this.

An illustrative example

Imagine that your organization, for the sake of argument a non-profit organization, is offered the opportunity to start activities in an area whose content is adjacent to the core purpose of the organization. Say the organization is about assisting the development of civil society in fragile states, and the area you are invited into would like you to work on post-conflict issue resolution between two tribes. That alone brings some elements of uncertainty.
On top of that, the geographic area and its culture are completely unknown to your organization. There is no prior experience here. Hence, there are quite a few elements of uncertainty.
Without a clear view of the organization's risk appetite as compared to the potential risk exposure the organization may encounter, it is virtually impossible to develop a relevant strategy.

Conclusion

COSO-ERM is far from perfect. However, in light of some of the, already old, comments on the risk appetite, I believe it to be essential to consider risk and risk appetite, even in the broadest of terms, during strategy setting.