In the first instance, I think of the swine flu "pandemic" exposure and in the latter, the Y2K hysteria. Regardless of the potential for misapplied time, there is good reason to go deep and wide on selected risks, even at great cost. While finance would prefer a cost benefit analysis of our efforts, that's not always practical. Sometimes you do the right thing, not the most efficient thing.
Even so, what's the value proposition? I'm not convinced that in the case of Y2K it was wasted effort. It may have been overkill, since like SOX compliance, it has taken years and lots of resources to meet requirements, but we'll never know what might have happened if not for the initiative taken.
This defines the key conundrum: which risks, and to what degree, require the closest scrutiny? The answer is a focused effort that is applied to the risks that matter most. What are they? They are those exposures that have the most potential for harming our organization, from destroying an earnings season to killing the company.
What is "potential" in this context? I combine a laser assessment of likelihood with a set of scenario-driven impacts that reflect magnitude of loss. This classic view can be supplemented with VoR, or velocity of risk, where we attempt to understand how quickly the exposure is approaching. This troika of data is the starting point for selecting those key exposures. With this approach, you can easily construct a top five to 10 list and then begin picking the exposures off from the top. With the rapidly escalating interest in risk of progressive boards, there is a growing demand for more information, greater detail and better quantification.
Governance needs aside, your first customer is really senior management who has an urgent interest in a deep understanding of this "matters most" group of exposures. Leading with a rigorous scenario analysis, you can expound quickly on those first three data points to a better understanding of an expected loss contrasted with a worst case scenario, ideally with some reasonably digestible form of valuation or quantified impact on key corporate objectives.
With these two views staking the two ends of the spectrum of probability, your next move should be to value a point in between, though not necessarily the midpoint. That point might be reasonably defined as the maximum foreseeable loss, which I think quite nicely defines the point where a very bad loss result is not only possible but can be envisioned as very real, and which the actual loss is unlikely to exceed.
Now you have the data to tackle the response plans that define what you will do, should such an experience come to life. What mitigations will you employ to reduce the size of the loss once it has occurred and promote quick recovery? Who owns those mitigations and are they accountable for ensuring their effectiveness?
This gives you one view of what diving deep on risks can mean. Assuming directionally correct analysis, you should get a lot of mileage out of such efforts, even if only tackling one key risk at a time. Don't wait for the loss to emerge to take action. It could be your last procrastination before the exit door.
CHRIS MANDEL is the enterprise risk manager for a leading financial institution and a former president of the Risk and Insurance Management Society.
November 1, 2009
Copyright 2009© LRP Publications