In 2018 I attempted to coin the distinction between “Risk Management 1” – cosmetic, governance-driven risk management, and “Risk Management 2” – value-adding risk management that drives better decision-making https://riskacademy.blog/rm1-vs-rm2-which-side-will-you-choose/ I have been following walking the talk, in both my consulting practice, personal life and in the corporate employment, ever since. In 2021 the company where I am responsible for operational and investment risk received an honorable mention at RIMS and I was named risk manager of the year by FERMA, but more importantly using RM2 for insurance buying decision making allowed the company to save $10M+ in premiums while improving the quality of the risk transfer. I continue to be a huge believer in RM2 and an outspoken critic of RM1.
In this article I wanted to talk about RM2 and the two very different and very useful applications of RM2.
Risk management 2 as a decision making tool
Using risk analysis to compare decision alternatives or calculating the distribution of the fair budget or the probability of achieving an objective is something I have been extensively writing about and you can find more information in my free book https://www.researchgate.net/publication/323254437_FREE_RISK_MANAGEMENT_BOOK_GUIDE_TO_EFFECTIVE_RISK_MANAGEMENT_30, in the RISK-ACADEMY blog https://riskacademy.blog/ or the RISK-ACADEMY YouTube channel https://www.youtube.com/c/RISKACADEMY/
For complex, uncertain decisions quantitative risk analysis is absolutely invaluable.
Risk management 2 as a controlling mechanism
The second application of RM2 is something new for me personally and I quite excited about its application in nonfinancial companies. Financial services and some treasury departments of large corporations have been doing this forever and I want to help spread the idea. There are certain risks that are inherent in doing business, for example price, FX, credit. These risks cannot and should not be reduced to zero, because they offer both upside and downside. There also risks like safety, compliance, sanctions, etc that should be reduced to ALARP, as there is no upside.
These risks need to limited within the risk appetite and monitored daily or regularly to make sure risk exposure stays within limits. A risk management middle office is usually created to monitor risk exposures on a daily basis, escalate any limit breaches and action stop losses to limit losses. Quantitative risk metrics are usually used like VaR/ES for market risks, cVaR for credit risk, MAR/FAR for safety risks. Quantitative risk appetite needs to be set to allow limits to be established. Automation plays a critical role as it is impossible to perform daily reassessment of risks. Quality of data become the most important roadblock to daily risk monitoring, as accurate position reports are necessary for accurate VaR/ES calculations.
This is very much what banking risk management looked like for ages and something corporates can apply as well. More to come on this as we continue implementing RM2 in both its controlling and decision making capacity…