CHAPTER 6

The Problem of Quantification

If I ask you what level of fraud could occur in your business, how would you answer? What value would you give me? Have you ever had to deal with a fraud? If you have, is that the value that you would provide? But this is just one occurrence. How would you know what the value of another fraud might be? How could you know how often frauds might take place? You only have a sample of one.

Where risk management often makes a mistake is in asking people questions that they cannot realistically be expected to be able to answer. They have little or no information, limited experience and inadequate training. Of course, all the staff will need to receive some training in risk management. That is a given. However, this high-level training will only enable them to understand some of the tasks that they are being asked to do and why they are important. It will not enable them to come up with the mathematical answer that the risk manager wants. How could it? Every business unit is different.

The embedding of risk management within the business needs to come up with answers that are consistent within individual units and also between businesses. Clearly, that is going to be difficult to achieve.

Risk is always a distribution, a curve; the only problem is we do not know the shape of the distribution. The expected end of the curve we may know something about. That information will come from internal loss data, which again we shall discuss in more detail later. But there are other problems as well. When something goes wrong and a loss is incurred in excess of a budget, this could be because the event was unusual by its nature. It could also be because the event was unusual by its frequency. Finally, it could also be a consequence of the control system that you have implemented.

Put at its simplest, you might expect to have items of inventory that need to be discarded because they are faulty. You might expect to have to discard $10k per year, which might be made up of 200 items. You do not expect to have to dispose of $100k or 20,000 items. You also do not expect to lose all of your inventory. The first is a loss that is unusual by frequency (and consequently, amount) whereas the second is the loss that is unusual by its nature (a fire, for example).

If you have a sprinkler system in your office, you hope that it will work and put out a fire. There is the risk that the sprinkler system will not work or will be inadequate and that you will still lose your building if there is a fire. There is also the risk that there is a failure in the panel leading to the sprinkler system being activated and that you will have your building and staff soaked without fire. This type of loss is a consequence of the implementation of the control or what might be called a second level of risk.

So, taking all of this into account, how could anyone answer a question such as “How much would you lose?” There are lots of answers to the question, starting with what you expect, which is normally a conservative overestimate. Is it what you expect in a year? In a week? The next loss itself?

What risk management need to focus on is what they need. If losses are being incurred, then budgeting for them is a good thing, as is monitoring them. It allows the business to regularly consider whether the control system they have implemented remains appropriate or whether it should be improved.

It also facilitates including these costs in product pricing, since activity-based costing is the best way to know that your sales price covers all of your costs, including, where possible, indirect costs. Direct costs are those that relate directly to the item being manufactured, for example, time spent on a lathe milling engineering parts. Indirect costs need to be allocated to the product and include things such as management time and systems support. And risk management.

So, we need to know actual losses and these need to be recorded by the business unit in their language, which the risk management function know how to consolidate with other business units. You might call it a hammer. I might call it a portable percussion persuasion instrument. As long as we both know what we call it and we can easily translate between the two, then this will work.

You can compare the actual losses over a period of time and see how they change. This will start to give you information that is helpful both to the business and to risk management as to how variation actually takes place. However, what this is not going to tell you is what could happen that has never happened before. Good risk management is about trying to see what might happen and to stop it happening. So now you need Mystic Meg.

Be very careful with quantification. The business unit management might be in a position to provide you with an estimate of the worst possible loss that could occur. What might happen if one of your competitors stole all your key trained staff? How many losses would you have then? What might you lose?

I would not ask the management how likely this type of event would be since they would have little ability to answer the question. As a risk manager, I might define such an event at a 99.9 percent confidence level. However, when communicating to management I might refer to it as a once-in-a-year event or something similar.

What risk management will be doing is using this estimated data to anchor the tail of their loss distribution. They will then use the actual loss data to populate the expected part of the distribution. Most management do not need to know that there is a distribution. Instead, what they need to focus on is that if the unexpected happened, what would they do to mitigate the loss. Embedding risk management is about action and thinking through options in advance of an event occurring.

I might refer to this unlikely event as being the maximum potential loss or MPL. The internal loss data will always give me the shape of the expected part of my curve and the maximum loss, another point in the tail. It will not tell me much about the shape of the tail, so you will still need to do a lot of thinking with the team understanding and appreciating what could go wrong and the different tail events that could occur. Stick to being in the real world though. There is no point in trying to assess the impact of being invaded by Martians or in working out the loss if everyone is dead. If everyone is dead, whether you have a plan or not is not a worry. There would be nobody to implement it—including you.

Typically, as discussed, risk management will look at the shape of the expected losses as demonstrated by the internal loss data, and then use that to build a curve anchoring the distribution using the maximum potential loss. There is also no point in doing severity calculations with business units. What are they supposed to do with this information? If you are told that you could lose $10 million with a 1 percent probability, then severity would be calculated as follows:

$10m x 1/100 = $100k

But I have not told you anything about a loss of $100k. I have been considering a $10 million loss that may or may not occur and have said that it probably will not occur most of the time. Indeed, 99 times out of 100, it will not occur. If the $10 million loss is unacceptable to your management, what you have said is that it could occur, and therefore management need to implement controls and actions to prevent its occurrence.

One potential use of severity is to compare this value to the cost of an additional control. Some risk managers say that if the cost of the additional control needed to prevent the event is less than the severity, then you should implement it, but again, I would reiterate that care needs to be taken. We were not discussing a $100k loss. We were talking about a remote event that could result in a $10 million loss. Sounds to me that we need to move into the area of insurance, options and mitigating actions.

When the risk function reports their information to the business management, they do seem to like to show how clever they are. Their models will show risk data to a number of decimal places. Once in 3,000 years, they might report that you could lose $48.4 million. What does management hear? Once in 3,000 years. 3,000 years ago . . . was that when Stonehenge was built? It was before the Romans. 3,000 years. What they are thinking is that they will be dead anyway, so who cares.

Anyway, how accurate could the figure of $48.4 million be? If you would be wiped out at $10 million, then who cares about the $48.4 million loss? Presumably, the figure you are giving is the center of some form of estimate, but there is massive uncertainty. None of us can really know for sure what loss could occur to us. We can find out what losses have occurred to other firms from external loss data and scale it so it can be applied to our firm in some way, but that will never be accurate. We can develop a curve from our expected data and estimate the tail from the shape of the curve, but that also is only an estimate. Most estimates of this type could be easily wrong by 25 percent, so what is the point in saying $48.4 million? You could say you have estimated a loss value of between $36.3 million and $60.5 million, but you might as well have said it was probably between $35 million and $60 million. You do not know much more than that, so what is the point in setting yourself up for failure by including spurious accuracy within your reporting?
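The two steps described above, as an added sketch that is not from the book: a loss curve whose body comes from internal loss data and whose tail is anchored at the MPL, and a rounded reporting band in place of a point figure. The lognormal shape, the sample losses, the $10 million MPL and the function names are assumptions of this example.

```python
import math
from statistics import NormalDist

# Constructed sample: yearly inventory write-offs (USD) recorded by one business unit.
INTERNAL_LOSSES = [8_200, 9_500, 10_400, 11_100, 9_900, 12_300, 10_000, 9_100]
# Constructed management estimate of the maximum potential loss (MPL), in USD.
MPL = 10_000_000

def anchor_lognormal(losses, mpl, confidence=0.999):
    """Return (mu, sigma) of a lognormal whose median matches the recorded
    losses and whose `confidence` quantile equals the MPL estimate.
    The lognormal shape is an assumption of this example."""
    if not losses or min(losses) <= 0:
        raise ValueError("losses must be positive amounts")
    mu = sum(math.log(x) for x in losses) / len(losses)  # body: internal loss data
    z = NormalDist().inv_cdf(confidence)
    if math.log(mpl) <= mu:
        raise ValueError("MPL must exceed the typical recorded loss")
    sigma = (math.log(mpl) - mu) / z                      # tail: pinned to the MPL
    return mu, sigma

def loss_at(mu, sigma, confidence):
    """Loss amount not exceeded with the given probability."""
    return math.exp(mu + sigma * NormalDist().inv_cdf(confidence))

def reporting_range(estimate, error=0.25, step=5_000_000):
    """Turn a point estimate into a band of +/- `error`, rounded to `step`,
    so the report does not imply accuracy the model does not have."""
    low, high = estimate * (1 - error), estimate * (1 + error)
    return round(low / step) * step, round(high / step) * step

if __name__ == "__main__":
    mu, sigma = anchor_lognormal(INTERNAL_LOSSES, MPL)
    for c in (0.5, 0.9, 0.99, 0.999):
        print(f"{c:>6.1%} confidence: ${loss_at(mu, sigma, c):,.0f}")
    print("report as:", reporting_range(48_400_000))
```

Everything between the median and the anchor is set by the assumed shape alone, which is why the tail still needs the scenario thinking with the business unit that the chapter describes.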
