Say what you will about risk management in financial services, one thing is for sure, it is much more mature than risk management outside of financial services, at least when it comes to credit and market risks. Don’t get me started on operational risk management at banks, it is often embarrassing to put it mildly. Nevertheless, there are two principles in banks that are fundamental to risk management – it pays to better manage risks and horses for courses. Basel has this wonderful idea that there are 3 risk managements: basic, standardized and advanced. Each is suitable for different tasks and the less effort you put into risk analysis the more you pay for it.
Let me emphasise this point – horses for courses. For example, a risk register has a role to play but this role is very narrow in scope and it is useless for other important tasks, so something else must be used. It is impossible to create a risk register that solves tasks beyond what was intended for risk registers. For example, risk registers are not useful for risk mitigation or decision making. We, as risk professionals, need to clearly understand when to use which type of risk analysis and the effort involved. For example, bow ties are great but no way a company would create one for many risks.
I summarised the scope of application below and will go into more detail in the rest of the article:
By the way, if you prefer video format, watch this video from a recent Archer event in Dubai:
Qualitative risk analysis
This is not risk management, just like astrology has nothing to do with astronomy. Horoscopes, sorry I meant heatmaps, are not ok even for companies that claim they are not mature, just like smaller space agencies wouldn’t use them for sending things into space.
Basic risk analysis
Most companies have risk registers. Well, it turns out it takes few minutes to turn any risk register on the planet into a quantitative risk register. It can be done manually by replacing probability score with a probability or frequency distribution and replacing consequence score with a consequence distribution. Or you can use software like Archer Insight which does it almost automatically.
Do this tomorrow. I am not exaggerating. Converting your current risk register to a quantitative risk register has amazing benefits:
- automatically calculate expected losses for a single risks
- automatically calculate aggregate expected losses for a department or business unit
- use expected losses for budgeting and mitigation planning
- calculate unexpected losses for liquidity and capital allocation purposes
And more importantly quantifying your risk register will allow you to prioritise risks more accurately than a heatmap, below is an example of the tornado diagram:
By the way, if you think it is impossible to aggregate financial and non-financial risks, think again. Utility theory is quite old and allows companies to aggregate unaggregatable risks with ease. Software packages like Archer Insight even have this functionality built in.
Given the effort required I honestly don’t understand why would anyone ever have a risk register that is not quantitative. The upside of having a quant risk register is huge. However you have to keep in mind, risk registers, even quantitative have limited application, for example, they are useless to have a mitigation conversation or decide on the best mitigation strategy, nor do they help in decision making. We have Standardized and Advanced for this.
Standardized risk analysis
Whenever we need to mitigate a risk or we need to improve our estimate of the risk exposure, we need to deep dive into that risk. Usually this is done for the top 3 or 5 risks from the tornado diagram above.
Bow-tie is a simple and powerful technique that can be used to perform detailed risk analysis, map risk factors against the consequence scenarios and improve on the quantitative risk estimate. Archer Insight automated bow-ties with Monte-Carlo engine sitting on top of it.
Bow-ties can be used for selecting optimal mitigation strategies or testing hypothesis regarding existing control effectiveness and various other return on investment decisions. I use bow-ties whenever I need to deep dive into a risk to understand it better, usually when someone from business approaches me to help with a decision.
Advanced risk analysis
Whenever there is a big decision at hand (large investment) or a lot of money at stake (insurance or vendor selection) or there is an expectation a risk will be quantified (CSRA, credit and market risks), neither quantitative risk registers or a quantitative bow tie will do the job. In these cases it may be required to built a tailor made model, specifically designed for that decision or risk.
My team built models for water pollution, investment projects, maintenance budgeting, different insurance lines, vendor accreditation, vendor selection and others.
Below is an example of a model specifically designed to optimise insurance coverage that the team is currently pilot testing within Archer Insight.
Let me know which risk analysis type does your organisation currently use.