The Case of the Plucky Promise: Can Enterprise Risk Management really deliver the goods?


Page 1: The Case of the Plucky Promise

The Case of the Plucky Promise

Can Enterprise Risk Management really deliver the goods?

Page 2: The Case of the Plucky Promise

Enterprise Risk Management

•  Structured process for the management of all risks

•  Lots of ideas about how to make it work

•  Are they real solutions or just snake oil?

Page 3: The Case of the Plucky Promise

Purported benefits

•  Fewer surprises

•  More efficient deployment of resources

•  Improved chance of achieving goals

✓  “Risk management is the Army’s principal risk-reduction process to protect the force. Our goal is to make risk management a routine part of planning and executing operational missions.” Chief of Staff, Army, 1995

Page 4: The Case of the Plucky Promise

Implementation challenges

•  Effectiveness of program based on judgment

✓  Human judgment can be faulty

✓  Management has ability to override ERM decisions

•  Application of risk management concepts relatively new to most areas

•  Risk management decisions/controls subject to relative costs and benefits

•  Tolerance for risk not uniform throughout organization

Page 5: The Case of the Plucky Promise

And the fine print . . .

•  No guarantee of success

•  Only able to provide “reasonable assurance”

•  Misalignment of incentives is likely

Page 6: The Case of the Plucky Promise

Built-in conflict

Business Management

•  Customer is king

•  Achieve performance targets

•  Maximize volume & revenue

Risk Management

•  Deviation from plan

•  Minimize losses & errors

Page 7: The Case of the Plucky Promise

Improve your odds of success

1.  Focus on empirical solutions

2.  Don’t just tell people to manage their risks

•  Provide risk assessment training and analytical tools to help business managers evaluate risks as part of their day-to-day decision-making process

3.  Learn how to talk about uncertainty and risk

Page 8: The Case of the Plucky Promise

Focus on empirical solutions

Worse Better

Soft methods used but are not counted on by management.

Management intuition drives assessment and mitigation strategies. No formal risk management attempted.

Quantitative models built. Scope of risk management expands to include more risks.

Ineffective methods used with great confidence. No objective, measurable evidence that improves on intuition.

Quantitative models built. All inputs validated with proven statistical methods. Additional empirical methods used where optimal.

Page 9: The Case of the Plucky Promise

Risk assessment methods

Expert Intuition

Expert Audit

Risk Mapping

Weighted Scores

Traditional Financial Analysis

Probabilistic Models

Page 10: The Case of the Plucky Promise

Key risk language skills

•  It’s better to be precise than ambiguous about what you don’t know

•  Scales using verbal descriptions create an “illusion of communication”

•  Most people are “catastrophically overconfident” in their ability to make predictions.

✓  But with training, most people can become more accurate

Page 11: The Case of the Plucky Promise

Color Code Methodology for Ranking Residual Risk

Green: Assessed levels of residual risk on a forward-looking basis for all identified potential occurrences are fully within management tolerance levels when all mitigating activities are considered.

Green-Yellow: Certain identified residual risks are outside management tolerance at the present time given current mitigating activities. The total levels of residual risk present a minimal threat to jeopardize the goals and objectives of the Company and mitigation plans must be in the process of being implemented in order to lower excessive residual risks to tolerable levels within a short period of time not to exceed two quarters.

Yellow: Certain identified residual risks are outside management tolerance at the present time given current mitigating activities. There may be more numerous identified risks than lower ratings or the potential consequences may be greater if any single or group of events occurs. The total levels of residual risk are more than minimal but still not likely to jeopardize the goals and objectives of the Company. Mitigation plans must be in the process of being implemented in order to lower any excessive residual risks to tolerable levels within a reasonable period of time not to exceed four quarters.

Yellow-Red: The residual risk of a given category after accounting for all mitigating activities is significantly outside management tolerance levels. Identified risks have a reasonable probability of occurring, which would jeopardize the goals and objectives of the Company. Proposed mitigation activities are either inadequate or would not reduce residual risk within an acceptable timeframe; however expected loss is not imminent and time is expected to be adequate to address identified residual risks prior to any likely occurrence.

Red: The residual risk of a given category after accounting for all mitigating activities is significantly outside of management tolerance levels. Identified risks have a substantial probability of occurrence which would jeopardize the goals and objectives of Company. Proposed mitigation activities are either inadequate or would not reduce residual risk within an acceptable timeframe and there is a substantial probability that an identified residual risk will occur prior to the implementation of a mitigation strategy sufficient to lower the overall risk to a degree consistent with acceptable management tolerance levels.

Ambiguity not cure for uncertainty

Page 12: The Case of the Plucky Promise

Dangers of relying on intuition and experience

•  Based on nonrandom, nonscientific sample of events throughout our lifetime.

•  Memory-based; selective

•  Conclusions can include errors

•  Inconsistent in how we apply memory

Page 13: The Case of the Plucky Promise

Focus on empirical solutions

Worse Better

Soft methods used but are not counted on by management.

Management intuition drives assessment and mitigation strategies. No formal risk management attempted.

Quantitative models built. Scope of risk management expands to include more risks.

Ineffective methods used with great confidence. No objective, measurable evidence that improves on intuition.

Quantitative models built. All inputs validated with proven statistical methods. Additional empirical methods used where optimal.

That’s why

Page 14: The Case of the Plucky Promise

Risk modeling methodologies

•  Probabilistic risk analysis (engineering)

✓  Monte Carlo simulation

✓  Markov chains

✓  Regression

•  Qualitative methods (finance, insurance, psychology)

✓  Decomposition

✓  Option theory

✓  Correlations

✓  Bayesian analysis

✓  Value of information

Page 15: The Case of the Plucky Promise

But we’re different – that won’t work here

•  Your risk measurement problems are not unique

•  You probably have more data than you think

•  You probably need less data than you think

•  Getting more data is probably more economical than you think

•  You probably need completely different data than you think

Page 16: The Case of the Plucky Promise

Want to improve your odds of launching a successful ERM program?