Upload
philip-dipastena
View
123
Download
1
Embed Size (px)
Citation preview
The Case Of The
Plucky Promise Can Enterprise Risk Management really deliver the goods?
Enterprise Risk Management • Structured process for the management of all risks
• Lots of ideas about how to make it work
• Are they real solutions or just snake oil?
Purported benefits • Fewer surprises
• More efficient deployment of resources
• Improved chance of achieving goals ü “Risk management is the Army’s principal risk-reduction process to
protect the force. Our goal is to make risk management a routine part of
planning and executing operational missions.” Chief of Staff, Army, 1995
Implementation challenges • Effectiveness of program based on judgment
ü Human judgment can be faulty
ü Management has ability to override ERM decisions
• Application of risk management concepts relatively
new to most areas
• Risk management decisions/controls subject to
relative costs and benefits
• Tolerance for risk not uniform throughout
organization
And the fine print . . . • No guarantee of success
• Only able to provide “reasonable assurance”
• Misalignment of incentives is likely
Built-in conflict
Business Management • Customer is king • Achieve performance targets • Maximize volume & revenue
Risk Management • Deviation from plan • Minimize losses & errors
Improve your odds of success
1. Focus on empirical solutions
2. Don’t just tell people to manage their risks • Provide risk assessment training and analytical tools to
help business managers evaluate risks as part of their day-to-day decision-making process
3. Learn how to talk about uncertainty and risk
Focus on empirical solutions
Worse Better
Soft methods used but are not counted on by management.
Management intuition drives assessment and mitigation strategies. No formal risk management attempted.
Quantitative models built. Scope of risk management expands to include more risks.
Ineffective methods used with great confidence. No objective, measurable evidence that improves on intuition.
Quantitative models built. All inputs validated with proven statistical methods. Additional empirical methods used where optimal.
Risk assessment methods
Expert Intuition
Expert Audit
Risk Mapping
Weighted Scores
Traditional Financial Analysis
Probabilistic Models
Key risk language skills
• It’s better to be precise than ambiguous about what you don’t know
• Scales using verbal descriptions create an “illusion of communication”
• Most people are “catastrophically overconfident” in their ability to make predictions.
ü But with training, most people can become more accurate
Color Code Methodology for Ranking Residual Risk
Green Assessed levels of residual risk on a forward-‐looking basis for all iden4fied poten4al occurrences are fully within management tolerance levels when all mi4ga4ng ac4vi4es are considered.
Green-‐Yellow Certain iden4fied residual risks are outside management tolerance at the present 4me given current mi4ga4ng ac4vi4es. The total levels of residual risk present a minimal threat to jeopardize the goals and objec4ves of the Company and mi4ga4on plans must be in the process of being implemented in order to lower excessive residual risks to tolerable levels within a short period of 4me not to exceed two quarters.
Yellow Certain iden4fied residual risks are outside management tolerance at the present 4me given current mi4ga4ng ac4vi4es. There may be more numerous iden4fied risks than lower ra4ngs or the poten4al consequences may be greater if any single or group of events occurs. The total levels of residual risk are more than minimal but s4ll not likely to jeopardize the goals and objec4ves of the Company. Mi4ga4on plans must be in the process of being implemented in order to lower any excessive residual risks to tolerable levels within a reasonable period of 4me not to exceed four quarters.
Yellow-‐Red The residual risk of a given category aDer accoun4ng for all mi4ga4ng ac4vi4es is significantly outside management tolerance levels. Iden4fied risks have a reasonable probability of occurring, which would jeopardize the goals and objec4ves of the Company. Proposed mi4ga4on ac4vi4es are either inadequate or would not reduce residual risk within an acceptable 4meframe; however expected loss is not imminent and 4me is expected to be adequate to address iden4fied residual risks prior to any likely occurrence.
Red The residual risk of a given category aDer accoun4ng for all mi4ga4ng ac4vi4es is significantly outside of management tolerance levels. Iden4fied risks have a substan4al probability of occurrence which would jeopardize the goals and objec4ves of Company. Proposed mi4ga4on ac4vi4es are either inadequate or would not reduce residual risk within an acceptable 4meframe and there is a substan4al probability that an iden4fied residual risk will occur prior to the implementa4on of a mi4ga4on strategy sufficient to lower the overall risk to a degree consistent with acceptable management tolerance levels.
Ambiguity not cure for uncertainty
Dangers of relying on intuition and experience
• Based on nonrandom, nonscientific sample of events throughout our lifetime.
• Memory-based; selective
• Conclusions can include errors
• Inconsistent in how we apply memory
Focus on empirical solutions
Worse Better
Soft methods used but are not counted on by management.
Management intuition drives assessment and mitigation strategies. No formal risk management attempted.
Quantitative models built. Scope of risk management expands to include more risks.
Ineffective methods used with great confidence. No objective, measurable evidence that improves on intuition.
Quantitative models built. All inputs validated with proven statistical methods. Additional empirical methods used where optimal.
That’s why
Risk modeling methodologies
• Probabilistic risk analysis (engineering) ü Monte Carlo simulation
ü Markov chains
ü Regression
• Qualitative methods (finance, insurance, psychology) ü Decomposition
ü Option theory
ü Correlations
ü Bayesian analysis
ü Value of information
But we’re different –
that won’t work here • Your risk measurement problems are not unique
• You probably have more data than you think
• You probably need less data than you think
• Getting more data is probably more economical than you think
• You probably need completely different data than you think
Want to improve your odds of launching a successful ERM program? [email protected]