Sooner or later when implementing risk management the risk team will face a dilemma: reduce the scope of risk analysis or automate. For example, market and credit risk management very quickly become impossible to do manually, especially if management wants to monitor daily expected shortfall and track against risk limits. Same with many operational risks and integrating risk analysis into investment or capital projects, we can theoretically run monte-carlo simulations in native MS Excel, but it’s a lot quicker and less painful when using a software that has the modelling engine.
Not all risk management software is created equal. Many things within risk-based decision making can be automated and some are more important than others. In this article, I will share my take on the top 3 functions that businesses should expect from their risk management software in a non-financial company:
- A calculation engine that performs risk estimation, stores stochastic data packets and performs mathematically sound aggregation to measure the effect of risks on a decision
- A method for deep diving into a risk and determining the most cost-effective ways to mitigate the risk
- Transparency and auditability of the risk estimates, with the ability to back-test risk models and improve them over time.
A calculation engine for risk estimation, storing and aggregation
A monte-carlo engine, an ability to create risk models, an ability to store stochastic data as data packets and a mathematically sound risk aggregation methodology are an absolute must-have function for a modern day risk management software. Even if your company is currently using a qualitative scoring methodology for analysing risks, the quantification of risk and decisions is inevitable and only a matter of time. Risk quantification is no longer optional for “mature organisations”, it is the core of modern day risk management.
- Ability to simulate multiple risk scenarios and generate quantitative risk profiles (loss exceedance curves) to compare against company tolerance for each risk
- Automatic recalculation of risk exposure when input data or external risk factors change
- Mathematically correct aggregation of risk metrics like VaR or expected shortfall across departments, locations or risk types
- Aggregation of financial and non-financial risks using utility theory
- Calculating and storing expected and unexpected losses.
Deep diving into a risk and determining the most cost-effective ways to mitigate
Once the software can address the basic risk management needs like building a loss exceedance curve for a risk and aggregating loss exceedance curves across types or geographies, the next core function is an ability to deep dive into a specific risk. This is required when the risk team or the management want to improve on the original high level risk estimate or test various mitigation strategies to determine the best return on investment. Ability to break down risks into causes and consequences and map various controls across the risk is another core functionality for the risk management software. Some do it with bow-ties, others with influence diagrams.
Whatever the inbuilt methodology, the software should help test different controls and mitigations to determine which of them provide the biggest reduction in expected and unexpected losses. I have a case study on how we broke down a water pollution risk using a bow-tie and helped HSE team test different mitigation options, only to discover that the original design of the water purification plant wasn’t sufficiently reducing the risk exposure and implemented additional controls that reduced expected losses more than 10X.
Business looks to risk team, just like they do to the tax team, not to be a facilitator, aggregator or report generator. Business looks to risk team for the difficult calculations, conclusions and recommendations the others in the company cannot do.
By determining the most cost-efficient ways to manage risks, businesses can prioritize risk management activities and make the most of their resources. This is what I call standardized quantitative risk analysis, it is number 2 in my list of risk analysis types.
Transparency, accessibility, auditability
The last thing I normally look for in a risk management software is user-friendliness. Key users are the decision makers, the risk team and the audit team that will need to audit the risk methodologies sooner or later.
For decision makers I look for clean and customizable dashboards for key quant risk metrics. Dashboards that can show risk exposure against performance or business forecasts.
For risk team I look for best in class library of risk modelling functions, suitable for beginners and advanced users, relevant distribution types, copulas, time series functions, and fitting tools for each category. I also look for an ability to build versatile risk-based models for important decisions and ability to run different scenarios and stress tests on the same model and save and compare the results to test hypothesis and support investment committee.
For internal auditors I look for ability to store and recall historical simulation results at any time and full audit trail.
What features are you looking for when it comes to risk quantification?