Many ERM frameworks suggest that risk quantification is a necessary step in the ERM implementation process. They often state that one should create a quantitative risk appetite or "materiality threshold" and then quantify all of the various strategic risks and measure them against this threshold. It sounds very simple in theory, but many risk managers have found that risk quantification in the early phases of ERM is devilishly difficult.
The authors of these frameworks assume that big, fuzzy risks, such as "failure to innovate," "loss of personnel" and "damage to reputation," can be quantified in a meaningful way. Most often this is simply not the case. These big strategic risks are driven by a staggering number of variables. Unless all of these variables are already quantified, the risk manager is going to, at best, embark on a very long and labor-intensive task. But more likely he will be trying to quantify something that is not quantifiable. He will be performing a task roughly equivalent to finding the square root of yellow.
These frameworks also assume that these quantitative outputs will be meaningful to the executive team; this is not necessarily the case. Executives are accustomed to sorting important issues from minor ones. Strategic risks that threaten the company are obviously important. ERM should be focusing on the truly grave risks that require board and executive-level attention. If a risk is capable of bankrupting the company, quantification of such a risk is unnecessary.
Big risks facing companies are like hungry predators facing down a hapless hunter. The hunter need not know the sex, weight and age of the tiger. Nor does he need to know the probability that the tiger will lunge for his head before his legs. He just needs to know who has the gun and whether that person is prepared to use it.
The other problem with quantifying very large, complex future events is that one must make numerous assumptions when building the model. It is unlikely that one will find much hard data on things like reputational damages.
For example, to begin any kind of quantification of reputational damage, one has to make assumptions about what the reputation is worth, what could damage it and how much damage each event could cause.
One then needs to make guesses about the probability of these events occurring. The final output will be a fragile compilation of assumptions resting on guesses. This will be the case for many top strategic risks. Executives accustomed to dealing with numbers might well disregard such calculations and be unwilling to base multimillion-dollar decisions on them.
Even if the quantification is performed and received favorably by the executive team, there is still a problem: any projection is subject to gross inaccuracies.
This is not to say that quantifying risks does not have its value. It is an extremely valuable tool that every risk manager should regularly employ. But it is not well suited to the early phases of ERM, and it might even bog ERM implementation down to the point that the project loses momentum and dies. Risks must be quantified at some point in the ERM process but not necessarily in the early stages.
One should always remember the end goal of ERM: to effectively manage the risks that could severely damage the organization. It is best to shoot the tiger first, and then start quantifying.
BEAUMONT VANCE, the risk management columnist for Risk & Insurance®, lives in Colorado and manages risk for Sun Microsystems Inc.
November 1, 2006
Copyright 2006© LRP Publications