Risk Management: Answering the ‘so what?’ question

By Mike MacDonagh

Intuitively, business managers know that risk management is about stopping bad things from happening to their organisation, and lessening the impact when they cannot be prevented. But when it comes to investing their companies’ hard-earned revenue in this area, they have a right to ask for more information, as it is vital that any work performed in this area prevents the right bad things from happening.

When a risk manager has to highlight a particular risk facing the business, he or she must answer the question: "So what?" This question has both qualitative and quantitative answers. From a qualitative perspective, managers need to know that the risk involves something they truly care about. From a quantitative perspective, they need to know exactly how important the risk is, and how it compares other potential threats.

A qualitative view

To understand their importance, potential risks can be linked to a number of contextual, transactional and internal variables within the organisation.

The contextual environment for a business is largely outside its control and includes factors such as geo-political trends, market prices and changes in technology. Contextual variables are often connected, and many businesses now use "scenario analysis" to identify the combinations that could have a truly devastating impact.

By comparison, an organisation's transactional environment is made up of the key stakeholders within and around the business. When it comes to identifying the company's core objectives, business managers will often base them around the needs of these stakeholders. As a result, examining the variables in this area can often provide a useful tool for helping the business understand the relative importance of various risks by asking: "If this risk is not prevented, will it have a negative effect on a specific company objective?"

The internal environment is limited to the organisation itself, and is concerned with company processes and policies. One method used for evaluating these internal business processes is maturity analysis, using standard models such as CMMI. With this approach, process maturity can be considered a proxy for risk, since the level of maturity required for a given type of process is likely to reflect the relative importance of that process in terms of the business objectives that it supports.

A quantitative view:  how much does this risk matter?

Whilst this qualitative element will help managers to determine whether or not they care about a particular risk, the quantitative element will tell them how much they care. It is worth re-examining the key environmental variables in order to determine which measures are the most useful.

As discussed above, risks engendered by contextual variables tend to be large and complex and have the potential to threaten the very existence of the business. In this case, small changes in risk impact are meaningless, and so management tend to focus on measures of the probability of these events and, in particular, on indicators that reflect this probability.

Risks linked to transactional variables can be linked to objectives that should have quantitative measures and boundaries. These can be assessed in terms of their direct effect on these measures and boundaries. The measures may be absolute, or may relate to the probability of achieving the objective. In both cases the figure is likely to be calculated through a risk assessment process, including the mitigating effect of controls.

For risks related to internal variables, there really isn't any further quantitative measure over and above the assessments of maturity against target levels.

Setting a common framework

The final piece of the puzzle for risk management is putting all this information together so that business managers don't have to come and ask the 'So what?' question every time a new risk is identified.

To achieve this objective, risk managers can create "scorecards" based on risk indicators, to link together the qualitative and quantitative measures, capture appropriate measures of risk appetite for each and present them against a common framework. By putting all of this together, not only will a business know that it is managing its risks effectively, but it will also know that it is managing the right ones.

Biography

Mike MacDonagh is ERM Product Manager with Sword, part of ARC Logics, a Wolters Kluwer company. Mike has more than 25 years of experience helping financial institutions across the globe manage enterprise and operational risk more efficiently while effectively addressing banking industry regulations, guidelines and standards.