How to measure risk in your business
A look at two approaches to measuring business risks, ‘likelihood versus consequence’ and ‘risk appetite versus exposure’.
Although the management and measurement of risk has long been recognised as an important organisational responsibility, the credit crunch and the ensuring economic crisis catapulted it to the forefront of the minds of senior executives.
Irrespective of the industries/sectors in which they operate, organisational leaders are becoming increasingly aware that there are a plethora of risk pressures or events that if actualised might destabilise the organisation or, if it is a commercial enterprise, even put it out of business. The risk management standard ISO 3100, 2009 defines risk as the “effect of uncertainty on objectives.”
Risk management is transitioning from a siloed function to one that is fully integrated with the organisation’s strategy management (strategy cannot be successfully executed without full attention being paid to risk). How to effectively align risk management with strategy management is presently one of the hottest topics in management circles.
Measuring risk likelihood versus consequence
Likelihood is simply how likely the risk is to materialise, whereas consequence is the impact on the organisation (not just financial, but also operational and reputational and, in some instances, its license to operate).
Data is usually collected from the observations of the managers/employees closest to the risk. Their real-life views are the major input into this equation. But organisations can also look at historical data that shows when and how a risk has materialised and the consequence for organisations from financial or operational perspectives, as examples, and also look at scenarios around how the risk might play out or evolve in the marketplace.
Risk severity can be calculated as likelihood multiplied by consequence. It is measured through using a risk rating model –or heat map - (see figure below).
This has likelihood (from very low to very high), listed on the vertical axis, and consequence (also from very low to very high), listed on the horizontal axis. To calculate the “risk score” values are assigned for both the likelihood and consequences axes from 1 (very low) to 9 (very high).
Those risks that have the highest scores (usually located in the top right boxes) are the ones that require the closest attention as they pose the greatest threats to the organisation.
As an example, consider the Ministry of Works (MoW), Bahrain, which has fully integrated the management of risk with its strategy management approach.
The MoW first created a corporate strategy map which describes the key organisational strategic objectives from stakeholder, customer, internal process and learning and growth perspectives. Within a workshop setting, senior managers and subject experts then identified the main risks that might stop the organisation from delivering to those objectives.
For example the stakeholder objective of “Excellent Public-Private Partnerships (PPP),” has eight risk indicators, such as “damaged credibility to manage PPPs.” The risk likelihood/consequence assessment was completed for each identified risk and risk mitigation initiatives were captured for those risks.
Perhaps the clearest danger in working to a likelihood/consequence matrix is that the organisation places all of its attention on those risks that fall in the very high (or high) categories for both likelihood and consequence. It is these risks that are usually reported on a quarterly basis.
This is clearly sensible, but organisations should also pay attention to (at least through an annual assessment) of the risks that have a very high/high consequence but which might be assigned a very low/low likelihood. Remember that a likelihood of very low/low does not mean that it isn’t going to happen, so appropriate and robust contingency plans must be in place to cope with these risks if they should indeed arise.
Moreover, it is important to bear in mind that likelihood and consequence ratings are dynamic and will change given movements in the operating or competitive environments. Organisations should review likelihood at least on a quarterly basis (it is important to consider the impact that corrective interventions have had on likelihood levels) and consequences at least annually.
Measuring risk appetite versus exposure
Risk management is not just about mitigating potential downsides but also maximising upsides. Success in the post credit-crunch world will be built on the foundation of balancing risk appetite and exposure within the context of clear strategic objectives. Embracing this new paradigm will enable organisations to answer three critical questions:
- What we are trying to achieve i.e. what are our strategic objectives?
- What level of risk is acceptable to achieve those objectives i.e. what is our risk appetite?
- What is our current level of risk i.e. what is our risk exposure?
Risk appetite can be defined as the amount and type of risk that an organisation is prepared to seek, accept or tolerate on a broad level, in pursuit of value and the achieving of its objectives.
Risk exposure is the extent to which an organisation is subject to risk events. More meaningfully, however, it is the exposure to consequences - as a combination of impact and likelihood (see approach above).
Data for measuring the risk appetite versus exposure is collected from an analysis of emerging threats and opportunities within the business environment in which the organisation operates. There will also likely be an analysis of an organisation’s strategic objectives (that might be captured in a cause and effect strategy map).
The managers/employees closest to the objective consider and debate the level of risk they are prepared to take to achieve the objective and whether their exposure to risk is aligned to their appetite. Some organisations develop sophisticated quantitative models for assessing risk appetite.
You can then map the current risk exposure against your risk appetite to see where there is misalignment:
- If risk appetite is lower than the risk exposure then this identifies unacceptable risks and the need to find ways of decreasing risk.
- If the risk appetite is higher than the risk exposure then this identifies areas where the organization is maybe not be taking enough risks – risks could therefore be increased in these areas.
The frequency of conducting assessments of whether risk appetite and exposure are aligned depends largely on the markets or sector in which the organisation operates or competes. The more volatile or fast-moving the business environment the more frequent the assessment (sometimes monthly), but typically assessments will be conducted quarterly or twice-yearly.
Some organisations develop complex, sophisticated quantitative models to support the definition of risk appetite. However, to ensure relevance and to make this information instantly meaningful to senior management, others focus on a more pragmatic approach.
As an example from the consultancy Manigent, it worked with one client to create a simple set of levels for “target appetite” – Extreme, High, Moderate and Low - with clear, well agreed definitions. Once levels were assigned to each of its strategic objectives, it was straightforward to visualise the different appetites of each business unit and function.
Another client employed a similar, but slightly more sophisticated and comprehensive approach. After developing a risk appetite based on a number of ‘dimensions’ such as capital, cash flow, reputation, etc., the organisation considered questions such as:
- “To achieve this objective, how much capital are we willing to put at risk?”
- “What potential impact on cash flow can we accept?”
- “How much of a hit on our reputation can we afford?”
For both of these examples, an analysis of risk exposure was subsequently carried out to ensure alignment with appetite.
It is important for organisations to keep in mind that acceptable levels of risk appetite and exposure might change on a regular basis due to changes in the internal or external business environments, so appetite/exposure must be re-evaluated on a regular basis.
Also, organisations need to develop good systems and mechanisms for the early detection of changes to the external competitive or operating environment that might have a significant effect on the risk appetite/exposure equation.