For many organizations, gathering risk information from many business units and departments and then creating a consolidated risk report to share with senior management and boards can seem daunting.
The sheer volume of risk data to be aggregated can overwhelm even the most astute decision makers. That’s especially true because many organizations still manage their risks in silos, separating them into operational units without understanding their correlations. But concentrations of risk can mean that bad events spread quickly across an organization’s silos.
One difficulty that arises in managing risks via a silo-based approach is the inability to aggregate those risks across different business units and operational departments, which makes evaluating those risks from a global perspective hard. As a result, risk managers and CFOs struggle with such issues as unstable and weakly founded risk-correlation assumptions, inconsistent risk metrics and differing time horizons for different types of risks.
Risk aggregation has been defined for the financial-services industry by the Basel Committee on Banking Supervision’s Principles for Effective Risk Data Aggregation and Risk Reporting, published in January 2013, as “the gathering and processing of risk data according to the bank’s reporting requirements to enable the bank to measure its performance against its risk tolerance/appetite.”
Risk aggregation can be applied to more than just an organization’s financial risks. In fact, many organizations outside the financial-services industry have started to use a broader definition of risk aggregation. That definition describes the term as the accumulation of the total risk exposures of various types of risks throughout the organization along with the ability to compare its various risk exposures to the organization’s risk-appetite statement.
While it’s important to understand the effect on the organization of individual risks, it’s rarely the case that two individual risks are either perfectly correlated, and hence can be simply added together, or perfectly independent, allowing the use of a simple approximate formula to combine them.
Because of that, it becomes necessary to design a robust general process enabling the aggregation of risks while allowing for the fact that the outcome for any one risk might depend on other types of risks in the organization.
Ideally, organizations should develop and maintain strong risk-data aggregation capabilities that take into account correlations within their risk portfolios to ensure risk reports reflect risks in a reliable way.
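The two extremes described above, and the partially correlated case between them, can be worked through with the variance-covariance formula sqrt(x' R x). This is an added example, not part of the original article: the formula is assumed to be what the authors' "simple approximate formula" generalizes to, and the exposure figures and function names are constructed for illustration.

```python
import math

def aggregate_exposure(standalone, corr):
    """Combine stand-alone exposures x with correlation matrix R: sqrt(x' R x)."""
    n = len(standalone)
    if len(corr) != n or any(len(row) != n for row in corr):
        raise ValueError("correlation matrix must be n x n")
    for i in range(n):
        if abs(corr[i][i] - 1.0) > 1e-9:
            raise ValueError("diagonal entries must be 1")
        for j in range(n):
            if not -1.0 <= corr[i][j] <= 1.0:
                raise ValueError("correlations must lie in [-1, 1]")
            if abs(corr[i][j] - corr[j][i]) > 1e-9:
                raise ValueError("correlation matrix must be symmetric")
    total = sum(standalone[i] * corr[i][j] * standalone[j]
                for i in range(n) for j in range(n))
    # A negative quadratic form means the pairwise assumptions cannot all
    # hold at once. This catches it for this exposure vector only; it is
    # not a full positive-semidefinite test of the matrix.
    if total < -1e-9:
        raise ValueError("inconsistent correlation assumptions")
    return math.sqrt(max(total, 0.0))

def uniform_corr(n, rho):
    """Correlation matrix with the same pairwise correlation rho everywhere."""
    return [[1.0 if i == j else rho for j in range(n)] for i in range(n)]

def diversification_benefit(standalone, corr):
    """How much simple addition overstates the aggregate exposure."""
    return sum(standalone) - aggregate_exposure(standalone, corr)

# Constructed sample: stand-alone exposures (same unit, same time horizon)
# for operational, supply-chain and hazard risk.
EXPOSURES = [3.0, 4.0, 12.0]

if __name__ == "__main__":
    for rho in (1.0, 0.5, 0.0):
        agg = aggregate_exposure(EXPOSURES, uniform_corr(3, rho))
        print(f"rho={rho}: aggregate={agg:.2f}")
```

The consistency check matters in practice: three risks cannot all be pairwise correlated at -0.9, and correlation assumptions collected separately from different silos can produce exactly that kind of impossible combination.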
Not by Data Alone
Accurate, complete and timely risk information is, after all, a foundation for effective risk management. But risk information alone does not guarantee that the board and senior management team will get the timely and accurate information they need to make effective decisions.
The right risk information needs to be presented to the right people at the right time. Risk reports should contain correct content and be presented to the appropriate decision makers in a timely manner that allows for an appropriate response.
While organizations may have the ability to easily aggregate financial risks, there are other risks, such as hazard, operational and supply-chain exposures, that represent larger opportunities that can sometimes be overlooked.
Effective programs need both quantitative and qualitative data and should recognize the need to address both tangible and intangible risks. For organizations with multiple locations, divisions, and/or multinational operations, risk aggregation can present more complicated problems.
Some organizations have effectively tackled it by taking an evolutionary approach that builds upon their existing, internal risk-reporting processes. This has often proven to be a more practical and cost-effective approach than trying to aggregate risks all at once.
For organizations that use workshops, surveys or audits in their risk management practices, extracting both quantitative and qualitative information can lead to a much better understanding of risks and more effective aggregation.
While quantitative information is easy to extract and useful in itself, a more thorough review of the data may present management with the opportunity to think more comprehensively about risk. Often, organizations that extract common themes among disparate data can more easily identify emerging risks.
For intangible or hard-to-quantify risks, such as those involving personnel issues, some companies effectively use a practical approach to risk aggregation. This requires a common set of questions to evaluate the scope and potential impact of each risk. For “scope,” organizations evaluate such questions as: How many business units or countries are affected? How many employees do the risk treatments affect? And, how many business processes or functions are affected?
For “potential impact,” they may ask: What could be the potential outcomes of this risk for our employees, vendors, suppliers or customers? What impact could an issue have on our brands and corporate reputation? And, what are the potential impacts on sales, expenses, or profits?
These can be rated on a 4- or 5-level scale (e.g., insignificant, low, medium, major, or catastrophic) to determine how critical the risk is to the business. Some organizations use the additional dimension of complexity as a further risk-evaluation tool. For example, they might ask: Is the issue becoming more widely spread?
The output of the evaluation of intangible or difficult-to-quantify risks can provide organizations with major insights when they aggregate risks. For example, the inability to find an adequate number of properly skilled and trained technical staff may show up as a risk in China or in Central and South American countries. The resulting inability to properly staff manufacturing facilities can adversely affect production capabilities. Thus, an issue which may be viewed as a nuisance in the domestic job market may be major when viewed on an aggregated basis. In fact, unexpected correlations may be revealed when reviewing these risks on a more holistic basis.
Such practical approaches increase the effectiveness of both risk identification and aggregation by creating a uniformity of approach. That yields better information and reliability.
When used properly, good risk aggregation can help an organization to effectively assume more risk. That’s because it has a better understanding of the breadth of the risks that it is taking on. Using risk aggregation can also lead to a better understanding of the individual risks being taken, a competitive advantage for the organization, and a more efficient and effective risk management program.
Kristina Narvaez is president and CEO of ERM Strategies LLC and Larry Warner is president of Warner Risk Group.