
Risk management aims to stop bad things from happening to a business, and to lessen the impact when bad things cannot be prevented. However, it is vital that any work performed in this area prevents the right bad things from happening, and that it does this at a cost that is justifiable and also proportionate to the potential harm that the company is trying to protect against.
To begin with, businesses need to think about what risks they may be exposed to, the potential impact of those risks, how often they are likely to occur, and how much it will cost to protect the business from them. This way, when the time comes for a risk manager to highlight a particular risk facing the business, he or she will be able to answer the question: "So what?"
The 'So what?' question has both qualitative and quantitative answers. From a qualitative perspective, managers need to know that the risk involves something they truly care about. From a quantitative perspective, they need to know exactly how important the risk is, and also whether it is more or less important than other potential threats.

Taking a qualitative view of risk
A qualitative perspective on risk encourages senior managers to ask: is this particular risk something that we really care about? In order to answer this question accurately, potential risks must be linked to a number of contextual, transactional and internal variables within the organisation.
The contextual environment for a business is largely outside of its control and influence, and includes factors such as geo-political trends, market prices and changes in technology. Contextual variables like these are often connected to one another, and so many businesses are now using "scenario analysis" to help them identify the combinations that could have a truly devastating impact on them.
By comparison, an organisation's transactional environment is made up of the key stakeholders within and around the business itself. When it comes to identifying the company's core objectives, business managers will often base their decisions around the needs of these stakeholders (for example, when stating goals for relationships with clients, regulators and suppliers, or for positioning with regard to competitors). As a result, examining the variables in this area can often provide a useful tool for helping the business to understand the relative importance of various risks by asking: "If this risk is not prevented, will it have a negative effect on a specific company objective?"
The internal environment, as the name suggests, is limited to the organisation itself, and is mostly concerned with company processes and policies. One method increasingly being used for evaluating these internal business processes is called "maturity analysis". With this approach, process maturity can be considered a proxy for risk, since the level of maturity required for a given type of process is likely to reflect the relative importance of that process in terms of the business objectives that it supports (in areas like customer satisfaction, competitiveness, and regulatory compliance, for example).

A quantitative view: how much does this risk matter?
Whilst this qualitative element of the 'So what?' question will help managers to determine whether or not they care about a particular risk, the quantitative element will tell them how much they care about it.
Although it is not always possible to produce an absolute measure of risk in financial terms, this is often not the most important measure to consider within a dynamic business environment anyway. Instead, it is worth re-examining the key environmental variables in order to determine which measures are the most useful.
As discussed above, risks engendered by contextual variables - things like sudden changes in the global political landscape or volatile financial markets - tend to be large and complex and have the potential to threaten the very existence of the entire business. In this case, small changes made within the organisation are almost meaningless, and so management tend to focus on measures of the probability of these events and, in particular, on indicators that reflect this probability.
Instead of trying to preempt changes to these contextual variables, it is often easier to consider the risks that are linked to transactional and internal variables when taking a quantitative view of risk. After all, if risks can be linked to specific company objectives, these will most likely already have quantitative measures and boundaries in place, which means that the risks can be measured in terms of their direct effect on these measures (and how they may move performance towards the prescribed boundaries).

Setting a common framework
The final piece of the puzzle in terms of answering the 'So what?' question for risk management is putting all this information together in one place and against a common framework, so that business managers don't have to come and ask the 'So what?' question every time a new risk is identified.
To achieve this objective, risk managers can create "scorecards" which are based on a set of risk indicators. This approach not only provides the ability to link together the qualitative and quantitative measures, but also helps to capture appropriate measures of risk appetite for each and then presents them against a common framework (e.g. a red, amber, green framework).
A key advantage of this tactic is that it allows senior management to have a consistent and comparable view of risks across the organisation, and yet at the same time it encompasses the detailed qualitative and quantitative measures that are most meaningful to the individual owners of risks. By putting all of this together, not only will a business know that it is managing its risks effectively, but it will also know that it is managing the right ones.

Biography
Mike MacDonagh is ERM Product Manager with Sword, part of ARC Logics, a Wolters Kluwer company. Mike has more than 25 years' experience helping financial institutions across the globe manage enterprise and operational risk more efficiently while effectively addressing banking industry regulations, guidelines and standards.