Risk Scenario Analysis

2010-06-17 / How to do Risk Assessment

It is ironic that future scenario analysis, developed famously by Royal Dutch Shell, was not used when it should have been in that very same industry. AP reported on May 06 that:

“…a site-specific exploration plan filed by BP in February 2009 stated that it was “not required” to file “a scenario for a potential blowout” of the Deepwater well.”

Risk and international business managers could take a close look at risk scenario planning as a way to grapple with black swan risk, defined here in the Barnes and Noble synopsis of Nassim Nicholas Taleb’s book:

“an event, positive or negative, that is deemed improbable yet causes massive consequences.”

Doesn’t that definition, by the way, assume that you were able to at least identify the risk before deeming it improbable? Perhaps the true black swan risk is the one that broadsides you altogether. In any case, the value in future scenario planning is that it sidesteps the necessity to predict. It does not depend upon forecasting.

We all know business continuity scenarios are not like conventional risk management, not only because they deal specifically with disaster and emergency risk, but also because they focus on mission-critical functions, and often take an all-hazards approach. There will be significant areas of overlap in plans to address several different perils.

Similarly, risk scenario analysis is interested in resilience, and starts from a consideration of a core mission. You define the trends with the most significant influence upon that mission, and then create extreme – but plausible – scenarios. The advantage is that you are not relying on one narrow prediction or forecast. You have instead rich scenarios that present conditions that challenge your organization’s survival in different ways.

The team can then plan pre-event treatment, and adjust its plans to meet difficult conditions in something like an all-hazards approach.

Risk practitioners point out another advantage to future scenario analysis. It permits a freer discussion than is normally held to identify essential business functions, assets at risk, types of threats, and the longevity and relevance of the organization’s very mission. For example, if the team determines that, in three out of four future scenarios, shifts in industry practice, business models and technology would likely render the core business obsolete, they might well re-evaluate their strategic direction.

I have put in a proposal to RIMS to develop another risk assessment online course [update: Creating Value: Risk Manager as Innovator — up and running], in which I would include a module on risk scenario analysis, using the future scenario planning model.


Systemic Risk – Challenging Assumptions

Risk managers should contribute to long-range planning and analysis. They can cause planners and modellers to recast their assumptions. In a recent workshop, participants and I were discussing risk assessment of the firm’s strategic plan, and considered wider systemic risk and emerging risk that could undermine the organization.

On the issue of strategic risk, I first draw the reader’s attention to my 6-part series in which I discussed high quality risk assessment and future scenarios; strategic identity; stakeholders; and environmental scan. The essential point in that series is that risk assessment should be part of a complete research and planning process, including methods to deal with “black swan” risks and high uncertainty.

In this post, I want to elaborate on the idea of risk managers questioning assumptions that typically go unchallenged.


Definitions: ERM and Risk Assessment – Part 1/2

Enterprise Risk Management is a relatively young discipline. There is no universal agreement on what it really consists of. In some of the academic literature, the definition is assumed. Authors don’t bother with it, and yet actual practice of what people call ERM is varied.

I want to give a critique of some of the definitions of Enterprise Risk Management having currency in management discourse, and then propose my own definition of ERM. Standards such as ISO or AS/NZS 4360 do not define or even contain the term Enterprise Risk Management. But they do define risk itself consistently as being associated with the organization’s goals and objectives.


Risk Assessment as Due Diligence in Finance

Questioning the foundations of the economy
In the previous post, issues were raised about the Canadian financial system: Is Canada relatively immune from a deepening depression in the US and Europe? Are Canadian banks, in particular, on solid ground? The main implication I am trying to point out for risk managers is that, in whatever context you happen to be working, a multi-faceted risk assessment that questions common assumptions is needed.


Risk in Canadian Financial System

In a previous post on Canadian Financial Risk, I reported on commentator Bob Chapman’s assessment. He had said that Canada has a very solvent financial system; has always been very conservative; and that while the US and Europe are headed for a significant crisis, the magnitude of its effect on Canada should be about half of what they will experience. I expressed doubt that Canada’s isolation is really guaranteed.


Enterprise Risk Management Manifesto

Enterprise Risk Management is now finding its place in creating strategic value.

Traditionally confined to either loss control in the realm of commercial insurance, or financial controls and audit, enterprise risk management has now taken an evolutionary step to encompass the entire spectrum of strategic and operational risk.

Risk has gained, in recent years, a high profile in the public mind, as waves of corporate malfeasance, natural disaster, security threats and economic meltdown have rocked the foundations of organizations in all sectors, and created profound distrust among stakeholders. ERM implementation is now proving its value as conventional risk management duties expand to embrace strategic planning and innovation.

The Economist Risk Intelligence Report

2010-12-09 / How to Implement ERM

Risk management surveys
The Economist Intelligence Unit has released a report entitled “Fall guys: Risk management in the front line”. It is based on a survey of banking and insurance executives both within and outside the risk function, supplemented by interviews with other risk experts.

The report paints a picture, on one hand, of an increased appreciation for risk managers, where many have acquired more authority within improved risk governance structures. This is a response to the economic crisis. On the other hand, respondents who believe their firms are effective in detecting emerging risks are still in the minority (35% – p.3. para.7). This same discrepancy – the risk function’s high importance but low perceived effectiveness – appears in previous risk management surveys (see summary in this online introductory presentation).

Risk managers’ role
I found it encouraging that, according to this new report, risk managers wish to broaden their role by being “constructive”, “enabling”, and assisting managers to “achieve their business objectives” (p.4 para.2). Helping risk managers do just that is pretty much my whole mission in ERM! But relatively few firms even have risk managers participating in important business and strategic decision-making (p.4 para.1). The authors lament:

…there continues to be a perception among some senior managers that it is a support function staffed with narrowly focused specialists, such as business continuity planners, insurance buyers, or health and safety officers. Risk managers can find it difficult to break out of this mould and convince senior-level management that they have a contribution to make… (p.7 para.4).

This leads to the question: how can risk managers who aspire to support strategic planning and opportunity analysis move into that space? The authors regret a “cultural barrier”, and say it is a matter of better communication. But risk managers must prove they can actually help identify key business implementation risks, and can steward the innovation process, before they can be invited to fulfill those planning roles.

Risks and opportunity management: effective methods
They will not prove their value in planning by relying on the formalistic and bureaucratic aspects of the ERM program (PR, kick-off speeches, disseminating policy, etc.). Rather, they must demonstrate effective processes. They must facilitate sessions dedicated to the analysis and mitigation of critical risks, and the identification of opportunities for innovation — in any context required by the internal client.

Risk managers must aggregate information for the board – but can they deliver insightful risk information that serves as a sound basis for strategic decision-making?

Risk managers must address long-term strategy and emerging risks. But do they know how to conduct a future scenario planning process? (See the report p.9 for a discussion of how the Lego senior director for strategic risk management uses risk scenarios.)

Risk managers must help identify opportunities. The authors report: “The average company’s risk register contains only threats, not opportunities” (p.8). My response is: should we really expect opportunities to show up within a risk register? To identify opportunities systematically, and subsequently develop them into sound business propositions and implement innovation — this all requires dedicated techniques. Risk managers are well-positioned to lead this process.

Conclusion: Managing innovation and opportunity is done incrementally
Risk managers who are aspiring to expand their roles can start with small pilot projects, even as experiments. I wrote a description of collaborative risk assessment in business (“No risk in collaboration”) in the September 2010 edition of Canadian Underwriter. You must have a sound process for identifying risks comprehensively as a basis. Principles of engendering and managing innovation are closely related. If you can help one client solve a critical business problem and meet objectives, then the next department will come knocking on your door.


Strategic Risk Assessment-6/6

2010-08-05 / How to do Risk Assessment

This is the last in a series on the risk manager’s role in strategic planning. In this post I describe the integration of the risk methodologies discussed so far.

Complex Enterprise Risk Management Mandate

We saw in post 1/6 that, from the Black Swan perspective, unless we are overstating it, risk-optimized decisions and rational planning are illusory; redundancy and randomness are better.

But a balanced approach is required. Risk managers will not stop helping to optimize business decisions anytime soon, because people definitely want a risk-based analysis of the investment proposal, project, policy, plan or initiative. Excessive risk aversion can be costly and retrograde.

I wrote a statement today in support of a new Enterprise Risk Management certification:

‘Enterprise Risk Management will prove its value only as long as risk managers persist, with a variety of methods, to challenge assumptions in program plans and projects, and carry out strategic assessment to safeguard the organization’s core values and sustainability.’

That is pretty much the point of this series of posts. ERM presents risk managers with a complex mandate. They must identify and assess near-term operational risk, and in so doing overcome reliance on forecasts whose scope is insufficient, and whose underlying assumptions are not challenged.

They must also cope with the low-frequency/high-consequence risk, and even the unknown and unpredictable (black swan). Time frames extending to 30 years are commonplace in infrastructure projects. Furthermore, they are charged with helping to create a risk-aware culture.

I believe it is possible to meet the ERM mandate, but only through a coordinated suite of risk methodologies.

Risk Methodologies

1. Strategic Identity is a model to help define the essence of the organization. It calls for a review of Mission, Vision, Stakeholders, Corporate Values, Unique Assets and Capacity for Innovation.

2. Targeted Environmental Scan is a better use of your research dollars than generic industry reports, because it investigates your unrealized internal assets, as well as developments in your field.

Strategic Identity, informed by environmental scan, gives you a frame of reference for all strategic planning and risk assessment.

3. Business Continuity and Emergency Planning: this is the classic cornerstone to business resilience. A common problem is trying to identify disaster risk in a standard operational risk exercise – you can’t. You need to run a dedicated session, identify mission-critical functions, and set out mitigation with the help of a specialist.

4. High Quality Risk Identification and Assessment. With so many organizations still reporting dissatisfaction with their ability to effectively assess risk, this needs close attention.

5. Innovation. Arguably, the most important source of competitive advantage. This is not a fringe activity, but critical for the long-term viability of the firm. Risk managers are well placed to lead the innovation process.

6. Future Scenarios Planning. Risk scenarios let you expand the planning discussion, explore options, and stress test strategic plans in terms of their underlying dynamics and relationship of forces.

Integrating Risk Management and Corporate Planning

Therefore we recommend a balanced array of risk methodologies. The methods listed above cover the different philosophical approaches: rational planning and quantification of risk; preparedness and resilience; adaptability and flexibility; and challenging assumptions, creativity and visioning.
