Key Risk Management Concepts
Defining risk
Risk is usually associated with the volatility of unexpected outcomes (uncertainty) that could lead to a loss of value
In an organisational setting, it is rare for any risk to be calculated with 100% accuracy. Most decisions or actions will contain some element of uncertainty. The degree of uncertainty will often depend on
The chosen risk model and underlying assumptions
The availability and quality of data
The chosen model parameters such as time horizon or frequency of data inputs
The chosen confidence level, among other factors
Examples of uncertainty in an organisation include but are not limited to
The research and development of a new product
Organisational change initiatives, changes to reporting structures or an attempt to change the culture of an organisation may have unintended and unpredictable consequences
Emerging risks such as cyber attacks
How financial markets may react to unfamiliar scenarios such as natural disaster or a major economic downturn
The effects of political or regulatory change
The effects of negative news media coverage
Risk events
A risk event is any outcome that arises from a single decision or an action that could result in more than one potential outcome. Every outcome in an organisation is technically a risk event.
In many organisations risk events may be defined as accidents - this means that only negative events such as financial losses or injury are considered to be risk events.
The outcomes that result from a single decision or an action can be expressed in terms of probability and severity
The concept of probability is concerned with estimating the likelihood of a single outcome or a range of outcomes
Probability can also be expressed as a qualitative metric - eg highly unlikely
Impact relates to the scale of a particular positive or negative outcome - impact is commonly estimated in relation to how the specific objectives are affected
Exposure, specifically risk exposure, is the measure of probable future outcome resulting from a single decision or an action - risk management often focuses on the downside exposure by estimating potential loss arising from the outcome
Probability x impact = exposure
Pure risks: risks that may only have neutral or negative outcomes, eg fire
Speculative risks: risks that may have three outcomes: positive, neutral or negative. Gains are usually financial, but they can also be non-financial human welfare or social gains such as improved health, happiness or environmental benefits
Risks should always be approached neutrally. This is because 'good' or 'bad' risk categorisation is very much dependent on a specific objective, making risk as much a part of the success of an organisation as its failure
Inherent, residual and target risks
Inherent risk means the level of risk - more specifically exposure - that is present in the absence of any controls or mitigating actions to manage the risk in question
Residual risk describes the level of exposure that remains given the current effectiveness of the controls that are in place to manage the risk in question
Some organisations use the term target risk; this denotes the desired level of risk exposure, usually the level required to keep the risk within appetite. Where residual risk exceeds target risk, action will be required to reduce the level of exposure
This could include implementing new controls or improving the effectiveness of existing controls
Principal risk: a significant or key risk, that is, a risk that is considered material and can affect the viability of the business
Emerging risk, or disruptive risk, refers to the risk that does not yet affect an organisation but may develop to become a principal risk in future
Risk profile: represents a combination of all principal and emerging risks that an organisation faces
Principal risks are reported as a part of the strategic annual report. There is an expectation that board members understand what these risks are, why they are considered material, how they may affect an organisation and its future performance and how they are managed or mitigated
Black swan events
The risk arising from a highly improbable and difficult to predict event or an event that has a very small probability of occurring but has widespread ramifications (high impact)
Events for which there is little or no information before they occur. This means that people, organisations and governments, basing their predictions on the available historical information, are unlikely to predict their occurrence - in this way black swans can appear as a major, unpleasant surprise even though they could have occurred much sooner under the right circumstances
Cliff risk, also known as cliff edge risk or cliff effect, refers to the risk arising from an event that is probable and has widespread ramifications (high impact)
Technically, cliff risk can be planned for and risk managed; in reality, fully managing this risk can become a very expensive exercise.
Wrong way risk occurs when the risk exposure to a counterparty is adversely correlated to the credit quality of that counterparty. Wrong way risk is mostly used in relation to poorly collateralised transactions.
Risk taxonomy is a set of all risk categories used within an organisation. Very often, there will be a difference in how risks are categorised from one organisation to another - things get even more challenging when different departments categorise the same risks differently within the same organisation - this is known as a fragmented taxonomy.
Risk interconnectivity
With the rise of globalisation, innovation and technological advances, there has been a growing recognition that risks are becoming much more complex, impactful and interconnected
Traditionally, risk management practices would rely heavily on pre-existing knowledge and experience within a specific area, failing to identify potential interconnections with other areas
Interconnectedness is expressed by correlation, which measures the extent to which different variables move together
Another way to appreciate the interconnectedness of risks is by looking at how one risk can trigger the occurrence of another
Interconnected risk management is often focused on strengthening operational resilience and emergency response
Risk perception
In an objective sense, risk is a statistical concept that can be quantified using probability, impact and exposure
Any organisation should be able to estimate its risk exposures objectively - a number of challenges arise with this view
The choice of a specific statistical model, underlying assumptions, model parameters and a confidence interval is a subjective action
The output is only as good as the input, thus patchy or erroneous data can skew the results. The choice of how to clean patchy data is also a subjective action
Many risk models use historical data to predict future risk events and rely on supporting subjective judgements around any forward looking modelling enhancements or qualitative statements
Not every risk can be quantified using conventional statistical methods
Even where risks can be quantified, decision makers and those involved in the process of quantifying these risks may not interpret their findings in an objective manner - in other words, different people would make different estimates and conclusions about the same risk
Subjective judgements and actions
The choice of a risk model, underlying assumptions and other model parameters usually sits within an organisation, although some regulatory risk models may come with a set of pre-defined assumptions
At this stage, subjective choices or omissions through human judgement can have a far reaching impact on the accuracy or the relevance of produced estimates
Another important subjective parameter of a risk model is the confidence level
In order to estimate probability and impact, an organisation needs large amounts of data, either generated internally or sourced through approved external data providers
A significant number of risk models use historical data to predict risk events that may occur in future - this practice makes the whole exercise somewhat backward looking, as there is no guarantee that past outcomes are a reliable indicator of future ones. This can be a significant issue in volatile environments where risk exposures are increasing or decreasing at an exponential rate
Unquantifiable risk
Unquantifiable risk is the risk that cannot be measured using conventional statistical methods
Lack of relevant or quantifiable data is often the primary reason
Reputation risk, compliance risk, or corporate culture health are good examples of unquantifiable risks
Organisations use a combination of quantifiable and qualitative solutions to manage such risks
Subjectivity of risk perception
Studies show that most people do not think of risk in statistical terms. Even where they are presented with objective data about risk exposures, they may not respond to this data in a statistically rational way by making the decisions that yield the best possible outcomes.
People base their decisions on subjective factors that influence how they perceive risk
Behavioural economists have also identified a series of cognitive biases that may influence the decision making process, especially when it comes to estimating the impact from emerging risks
Group think: happens when individual decision makers strive for group consensus over alternative viewpoints
Authority bias: arises when a senior member's viewpoint overrules the viewpoints of other contributors
Status quo bias: favours preservation of the current state
Myopia bias: leads to an increased focus on smaller and less impactful risks at the expense of more strategic and more impactful risks
Common perception issues
Choice
A person's perception of risk is reduced if they take risks they chose
They focus on rewards while being confident in their personal ability to control risks
This means that an organisation's decision makers may underestimate the risks associated with decisions that they choose to make, such as strategic decisions to exploit profitable opportunities
Control
People are more willing to accept risks they believe they can control
Risks that are out of a person's control are of greater concern because they cannot influence their outcome
Most people overestimate their ability to control risk, thinking they are better than average
Familiarity
Familiarity with risks can affect risk perception
People get used to living with certain risks and therefore perception of the real risk can diminish with time and experience
Spotting new and unfamiliar risks can be a particularly difficult task for people influenced by this
Distant risks
If the effect of a certain risk is far into the future, people may be more willing to accept that risk now
Long term effects of environmental hazards will tend to be underestimated
Media
The media has a huge impact on shaping people's perceptions of risk
Risks ignored by the media are not seen to be as important as those that receive media attention
People think a risk must be important if the media has chosen to cover it
Randomness
Natural 'Act of God' or fate vs human made risks are perceived differently. Naturally occurring risks are more accepted as they are believed to be random bad luck whereas people assume that something can be done to control or reduce human made risk
As analytical and technological advancements improve organisational defence mechanisms, people are less willing to accept that certain risks are simply a result of bad luck
Other practical challenges
Risk models have become increasingly complex due to the availability of advanced analytical tools and techniques
Balancing multiple outputs from different risk models that are meant to estimate the same type of risk is becoming more of an art than a science
Risks are interconnected, whereas many risk models are often designed to address an individual component of risk at the loss of a bigger picture
The number of required regulatory risk models has been growing, particularly in financial services
The link between risk model assumptions and long term strategic objectives needs to be stronger