Monitoring And Measuring

Risk maps and summary risk profiles can be valuable for assessing risk appetite and tolerance, says Carole Edrich

As part of a survey launched in July 2002, PricewaterhouseCoopers identified 10 attributes of a world-class risk management culture. The results of the follow-up survey show that, while most financial institutions are already beginning to adopt some of these attributes, even the best-run organisations believe they have significant scope for further improvement. The survey found that 75% of respondents articulate risk appetite at the highest level of their organisation and that more than 50% have revamped policies for the authorisation of risk-taking, to ensure closer alignment with the organisation's strategic objectives.

This apparent convergence in the top level views of risk management is not, however, followed by a common understanding of the meanings, use and context of risk appetite, risk tolerance and risk profiling and mapping. Even though the new FSA guidelines and rulings and the forthcoming Basel II Accord are already exerting a significant influence, there is still considerable difference in interpretation of what the techniques are, what should be measured, and how to derive and act upon results. The same variation in interpretation can also be seen in non-financial sectors. It reflects the difference between individual organisations' strategies, requirements, internal processes and cultures It also reflects the fact that they mature differently and often do not share the same benchmarks.

Any organisation, whether it considers its risk management framework to be 'holistic', 'group-wide' or 'enterprise-wide', should incorporate a method of monitoring and measuring its risk appetite and tolerance. The principles described here can be applied in a manner consistent with the maturity of the organisation's risk management processes, decision support systems and culture.

A risk map is typically a matrix with four quadrants, or a graph with two axes. It can represent severity and frequency, impact and consequence, impact and probability, or other combinations of risk attributes. Each quadrant or section then refers to a particular category of risk, each of which may require different risk management responses.

At its simplest, a risk map is a form of qualitative risk estimation, which demonstrates quickly and intuitively an estimation of the severity of a risk. This technique is commonly used in parts of central government, construction projects, public-private partnerships and occasionally in information security risk analysis.

In its complex form, often used in the financial sector, risk mapping is a technique for analysing a company's portfolio of risks in a way that clarifies the linkages between them and their impact on each other. Risks can be mapped to the existing organisational structure, its logical structure, its business lines or processes, or to the categories defined in regulatory and legislative requirements. Very complex risk maps include those that have been extended to encompass entire proprietary methodologies.

Sometimes risks are plotted against organisational structure, process, workflow, or project structure, but the objective should be to classify risks according to a relevant criterion, so that it is clear to see what should be done to manage them, if it is considered necessary to do so.

Applying quantification techniques to risks that may range through political, social and economic spheres is a complicated business. Each set of individual risks is examined separately, then is combined in like groups with an appropriate scale. Once these groups have been represented, a new scale is often determined, as well as a method of compounding or adding to the risks so that they reach their final form

The final step in very complex risk mapping - sometimes known as risk portfolio management - is the most difficult. It requires senior managers to take an unconventional look at their businesses and to see the set of organisational units or departments as a portfolio of going concerns and contributing risks. They must then actively manage the organisation, unit or subdivision relative to the risks it takes to provide services or obtain a return.

Some sectors call a specific type of complex risk map a 'summary risk profile'. This is a graphical representation or 'snapshot' of information, such as that which is normally found on a risk register, at a single point in time. In the past, the summary risk profile was most often used for information technology and programme risk, but the technique has developed in popularity over the last few years. The application of a summary risk profile is mandatory in the Management of Risk methodology of the Office of Government Commerce (part of HM Treasury). It is mandatory for all UK central government projects where there is an IT component.

Appetite and tolerance
Risk appetite is the amount of risk an entity is prepared to be exposed to at any point in time. The board normally sets the organisation's overall appetite for risk and may also set guidelines for its component entities. This is because risk appetite is likely to vary between component entities. For example, it is likely to be greater in aggressive, entrepreneurial entities than in established service-oriented entities. Below board level, senior managers may set risk appetite for specific areas, derived as a result of previous risk assessments or the result of negotiation within set parameters.

There is considerable discussion as to the way that risk profiles in component entities should be aggregated and this reflects current debate on risk aggregation in general. It is normally accepted that the scales of measurement should differ according to the risk appetite of an organisational unit. For example, new product development is necessarily more risky than back office supporting processes. But there is considerable debate as to whether it is acceptable to use different measurements for component entities. Some organisations feel it would be as inadvisable to decrease the level of quantitative detail where it is available as it would be to force other organisational units to adopt a way of reporting and estimating risk that they would not understand or buy into. The result is often a common framework and a complex system for aggregating risk, reflecting the good quantitative data in some components, and the lack of quantitative data and varying levels of qualitative data in others.

Producing summary risk profiles showing risk appetite and risk tolerance offers a way for the corporate centre to monitor how businesses behave, without over-controlling them. The risk tolerance line shows a boundary for risks – those that appear above the line cannot be tolerated. Managers of components have discretion as to how they manage risks below the level of tolerance, but must refer upwards for decisions on significant risks.

The chart is re-plotted on a regular basis as the risks are reviewed and revised. This enables progress tracking as well as providing a good overview of the exposures. By plotting against scales, such as impact against likelihood or probability, and allowing for the effects of mitigating actions, the summary risk profile gives a good overall snapshot of risks. The use of an expanded Red/Amber/Green status is often used to incorporate the status reporting from risk registers, logs or other derived records into the risk profiles.

Provided senior management clearly articulate risk tolerance levels and the process is undertaken correctly, this obviates the need to perform complicated prioritisation exercises for identified risks. It facilitates the allocation of risks to appropriate levels of management, supporting the idea that risks should be identified and managed at different organisational levels and escalated along clearly defined paths, while providing a certain level of flexibility. Risk profiles can be created with scales that include economic capital, probability, impact, severity, frequency, error rates, volumes, capacity, value at risk, real options and more simple and composite measures. Ideally, the risk indicators used in the summary risk profile are easily quantifiable measures currently available to management. The more familiar that managers are with the data and measures selected, the more likely they are to trust and use them.

Most risk maps and risk profiles are easy to understand and provide instant graphical representation of risks and their relationships with aspects of the organisation and other risks. They provide a good graphical overview of the portfolio of risks to which an organisation, asset, process, or project may be exposed, and often offer clear indications of the best risk management strategy to use.

However, the terms risk map and risk mapping are very misleading. They embrace completely different techniques in the private and public sectors, and several more techniques in the financial sector. Confusion is compounded by conflicting opinions about what should be mapped. There is also a danger that, where formal standards are not enforced, individuals may select the easiest risk mapping approach rather than the most appropriate. For critical aspects of an entity, process, asset or project a short risk analysis of the different forms of risk map may be valuable, even though this is a time consuming activity. This is particularly appropriate if the risk map is to support decisions expected to be transparent and accountable.

It is important to remember that the summary risk profile – where only those risks that have been identified are shown – is only as good as the quality of information collected. It does not validate or otherwise connect any of that information. And, unless the time of the snapshot is clearly recorded, the summary risk profile loses much of its validity.

Risk maps and summary risk profiles support the idea that risk is not just one person's problem. They facilitate communication, escalation to appropriate levels and decision making at different organisational levels and provide a transparent way of demonstrating that risk management is the responsibility of line managers and the board.

Carole Edrich is principal of KAI Corporation (Risk),

E-mail: cedrich@kaicorporation.com Financial Market Risks
The Swiss-based International Financial Risk Institute provides on-line information on market risk disclosure and methods of measuring exposures for financial institutions. Examples given include