For many organizations, gathering risk information from many business units and departments and then creating a consolidated risk report to share with senior management and boards can seem daunting.
The sheer volume of risk data to be aggregated can overwhelm even the most astute decision makers. That’s especially true because many organizations still manage their risks in silos, separating them into operational units without understanding their correlations. But concentrations of risk can mean that bad events spread quickly across an organization’s silos.
One difficulty that arises in managing risks via a silo-based approach is the inability to aggregate those risks across different business units and operational departments, which makes evaluating those risks from a global perspective hard. As a result, risk managers and CFOs struggle with such issues as unstable and weakly founded risk-correlation assumptions, inconsistent risk metrics and differing time horizons for different types of risks.
Risk aggregation has been defined for the financial-services industry by the Basel Committee on Banking Supervision’s Principles for Effective Risk Data Aggregation and Risk Reporting, published in January 2013, as “the gathering and processing of risk data according to the bank’s reporting requirements to enable the bank to measure its performance against its risk tolerance/appetite.”
Risk aggregation can be applied to more than just an organization’s financial risks. In fact, many organizations outside the financial-services industry have started to use a broader definition of risk aggregation. That definition describes the term as the accumulation of the total risk exposures of various types of risks throughout the organization along with the ability to compare its various risk exposures to the organization’s risk-appetite statement.
While it’s important to understand the effect on the organization of individual risks, it’s rarely the case that two individual risks are either perfectly correlated, and hence can be simply added together, or perfectly independent, allowing the use of a simple approximate formula to combine them.
Because of that, it becomes necessary to design a robust general process enabling the aggregation of risks while allowing for the fact that the outcome for any one risk might depend on other types of risks in the organization.
Ideally, organizations should develop and maintain strong risk-data aggregation capabilities that take into account correlations within their risk portfolios to ensure risk reports reflect risks in a reliable way.
Not by Data Alone
Accurate, complete and timely risk information is, after all, a foundation for effective risk management. But risk information alone does not guarantee that the board and senior management team will get the timely and accurate information they need to make effective decisions.