CHAPTER 11

Risk Metrics

Without having the ability to effectively measure risk, it will not be possible for the management team to properly assess whether their risk management strategy is either appropriate or cost-effective.

Risk metrics enable management to appreciate the extent to which risk is being effectively managed within the organization and if there are arising risks that need to be considered. To build an effective risk management framework, it is important to commence by working on establishing data availability and accuracy. Without adequate data, the company will be guessing what the position might be and this may or may not be reliable.

Risk metrics fall into a series of classes, including the following:

  • Metrics that enable management to understand the risk they are taking
  • Metrics that enable management to understand the risk they are mitigating
  • Leading indicators, which provide information on a problem the company may be facing, so that corrective action can be taken
  • Lagging indicators, which provide information on problems the company has already faced, so that corrective action can be taken
  • Key risk indicators, which are weighted metrics of risk that give management a key snapshot of what is occurring

There needs to be a clear understanding of the level of risk currently being taken by the company. This starts from the initial assessment of the risks recorded in the risk register. Remember that these will include risks the company can control and risks it cannot (for example, external risks such as taxation changes). Just because a company cannot control a risk does not mean it will go away, just as floods and earthquakes will not go away.

The level of risk being suffered by the firm—termed inherent risk—can be thought of as the level of loss that would be incurred if no controls were maintained. A business needs this information to understand whether the control structure it employs is cost-effective and adding value. Too often, as we shall see, this is not the case.

Information on risk should be aligned to risk appetite, as previously discussed, highlighting the chance that the firm's goals and mission will not be achieved. It also needs to be provided to management graphically, in a format that lets them synthesize the key information. Too often, the risk management team produce information in a manner that senior management are either unable to understand or completely misunderstand.

We would generally expect such reporting to be in pure value terms. As we shall see, even qualitative data can easily be put into value terms and shown graphically.

However, the risk team need to understand that apart from the actual level of risk being encountered as a consequence of the activity being undertaken, it is the direction of travel that is particularly important for management.

Will there be a metric provided to the Board on every risk, and what really is inherent risk? On the first question, the Board or governing body will be interested in any risk for which there is a risk appetite that needs to be monitored.

If a risk appears inconsequential, they would not expect it to be reported to them other than perhaps annually, to confirm that it is indeed inconsequential. However, there is always the chance that the inherent risk assessment itself is incorrect, or that matters that ought to have been considered have not been.

This can mean, for example, that a company might think they have no risk of a flood since they have never had a flood. The failure to appreciate the risk will mean that any potential mitigation that could have been considered will, in effect, be ignored.

In terms of the inherent risk assessment, there is a real problem. If you ask someone to come up with a value for the inherent risk of internal fraud, for example, how would it be calculated? Residual risk, as shown in the internal loss data considered later, is only a subset of inherent risk. Often the control environment mitigating the inherent risk will have been fully effective and no loss will have been incurred.

So residual risk is not very effective for calculating, or even estimating, inherent risk. However, remember that inherent risk must be at least as large as residual risk.

Another issue is that if a large loss has occurred and management have stated that this is a one-off, they could be doing the business a disservice if they then implement a control for it. An event that is unlikely will occur from time to time, but a control that applies all the time results in a recurrent loss (the cost of the control) in the hope of mitigating an event that may never recur.

But inherent risk, just like residual risk, is a distribution, not a single value. The value you really want is the area under the curve. Different types of event can occur with different impacts, each with a different probability. An event with a 1 percent likelihood may have an inherent risk much lower than an event with a 10 percent likelihood.

If you ask someone to give you a value for an inherent risk, what data will they provide? What will they be thinking? Expected potential loss? Maximum potential loss? The largest loss they can imagine? Somewhere in between? In the absence of training and appropriate examples, it is unlikely that management will be able to provide the required information reliably or consistently.
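The following is an added illustration, not from this chapter, of inherent and residual risk treated as a discrete loss distribution rather than a single value. The scenario names, probabilities, impacts, control-effectiveness fractions and control costs are all constructed sample figures. The code computes expected loss (the area under a discrete loss distribution), derives a residual distribution by applying hypothetical control effectiveness, checks that inherent risk is never below residual risk, ranks events by expected loss rather than by likelihood alone, and compares the expected loss a control removes against its recurring cost.

```python
"""Inherent vs. residual risk as a discrete loss distribution.

Added illustration, not from the chapter. Every scenario, probability, impact,
control-effectiveness figure and control cost below is constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LossEvent:
    name: str
    probability: float  # chance the event occurs in a year
    impact: float       # loss incurred if it occurs


# Constructed scenarios for one risk (say, internal fraud) with NO controls in
# place, i.e. the inherent risk distribution.
INHERENT = [
    LossEvent("expense-claim abuse", probability=0.10, impact=20_000.0),
    LossEvent("payment diversion", probability=0.01, impact=500_000.0),
    LossEvent("collusive large fraud", probability=0.001, impact=4_000_000.0),
]

# Hypothetical fraction of each event's loss that the control environment stops.
CONTROL_EFFECTIVENESS = {
    "expense-claim abuse": 0.5,
    "payment diversion": 0.8,
    "collusive large fraud": 0.2,
}


def expected_loss(events):
    """Area under the discrete loss distribution: sum of probability * impact."""
    return sum(e.probability * e.impact for e in events)


def residual_events(events, effectiveness):
    """Scale each impact down by the control's effectiveness to get the residual
    distribution. Events the controls do not address keep their full impact."""
    residual = []
    for e in events:
        eff = effectiveness.get(e.name, 0.0)
        if not 0.0 <= eff <= 1.0:
            raise ValueError(f"effectiveness for {e.name!r} must be in [0, 1]")
        residual.append(LossEvent(e.name, e.probability, e.impact * (1.0 - eff)))
    return residual


def inherent_not_below_residual(events, effectiveness):
    """Sanity check of the chapter's rule: inherent risk is at least residual risk."""
    return expected_loss(events) >= expected_loss(residual_events(events, effectiveness))


def rank_by_expected_loss(events):
    """Rank events by expected loss, not by likelihood or impact alone: a 1 percent
    event can carry more expected loss than a 10 percent event, or less."""
    return sorted(events, key=lambda e: e.probability * e.impact, reverse=True)


def control_cost_benefit(events, effectiveness, annual_control_cost):
    """A control that runs all the time is a recurring cost; it adds value only if
    the expected loss it removes exceeds that cost. Returns (is_worth_it, net_benefit)."""
    saved = expected_loss(events) - expected_loss(residual_events(events, effectiveness))
    return saved > annual_control_cost, saved - annual_control_cost


if __name__ == "__main__":
    print("inherent expected loss:", expected_loss(INHERENT))
    print("residual expected loss:",
          expected_loss(residual_events(INHERENT, CONTROL_EFFECTIVENESS)))
    for e in rank_by_expected_loss(INHERENT):
        print(f"  {e.name:<24} p={e.probability:<6} expected={e.probability * e.impact:,.0f}")
    for cost in (4_000.0, 10_000.0):
        print(f"control costing {cost:,.0f}/yr worth it?",
              control_cost_benefit(INHERENT, CONTROL_EFFECTIVENESS, cost))
```

With the constructed figures, the 10 percent event has the smallest expected loss of the three (2,000 against 5,000 for the 1 percent event), and the same control environment is worth running at a cost of 4,000 a year but not at 10,000, which is the cost-effectiveness question the chapter says management too often fails to ask.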

The other issue we need to consider is key risk indicators. It is unrealistic for a single metric to be a key risk indicator; as mentioned, they are generally weighted metrics made up of a series of leading indicators. These metrics need to be back-tested, which involves looking at events that have occurred in the past and seeing whether the metrics would have identified them before they occurred.

Key risk indicators need to be predictive; otherwise, what is the point? A key risk indicator is not needed to tell you that you have a loss; accounting does that perfectly well. KRIs look at a range of factors, both internal and external, and synthesize them into a model which, hopefully, will tell you when risk is increasing. The objective is to take early risk-mitigating action rather than waiting until a loss occurs.
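As an added illustration of the two preceding paragraphs (not code from the chapter), the block below builds a composite KRI as a weighted sum of leading indicators and back-tests it against past loss events. The indicator names, weights, red thresholds, twelve months of readings and the months in which losses were booked are all constructed sample data. The back-test asks, for each past event, whether the KRI breached its alert level in the months before the event, and separately which alerts were not followed by any event, since a KRI that only lights up in the month the loss is booked adds nothing accounting does not already tell you.

```python
"""Composite key risk indicator (KRI) built from weighted leading indicators and
back-tested against past loss events.

Added illustration, not from the chapter. Indicator names, weights, thresholds,
monthly readings and event months are all constructed sample data.
"""

# Leading indicators: weight in the composite (weights sum to 1) and the raw
# reading at which the indicator is treated as fully "red" (score 100).
INDICATORS = {
    "staff_turnover_pct": {"weight": 0.4, "red_at": 20.0},
    "overdue_reconciliations": {"weight": 0.4, "red_at": 50.0},
    "unplanned_outages": {"weight": 0.2, "red_at": 5.0},
}

# Constructed monthly readings, month 0 first.
MONTHLY = [
    {"staff_turnover_pct": 5, "overdue_reconciliations": 10, "unplanned_outages": 1},
    {"staff_turnover_pct": 6, "overdue_reconciliations": 12, "unplanned_outages": 0},
    {"staff_turnover_pct": 14, "overdue_reconciliations": 35, "unplanned_outages": 3},
    {"staff_turnover_pct": 18, "overdue_reconciliations": 45, "unplanned_outages": 4},
    {"staff_turnover_pct": 16, "overdue_reconciliations": 40, "unplanned_outages": 2},
    {"staff_turnover_pct": 8, "overdue_reconciliations": 15, "unplanned_outages": 1},
    {"staff_turnover_pct": 4, "overdue_reconciliations": 60, "unplanned_outages": 6},
    {"staff_turnover_pct": 5, "overdue_reconciliations": 12, "unplanned_outages": 0},
    {"staff_turnover_pct": 12, "overdue_reconciliations": 30, "unplanned_outages": 2},
    {"staff_turnover_pct": 22, "overdue_reconciliations": 55, "unplanned_outages": 5},
    {"staff_turnover_pct": 15, "overdue_reconciliations": 30, "unplanned_outages": 1},
    {"staff_turnover_pct": 6, "overdue_reconciliations": 10, "unplanned_outages": 0},
]

# Months in which a loss event was actually booked (constructed).
LOSS_EVENT_MONTHS = [4, 10]


def indicator_score(name, value):
    """Scale a raw reading to 0..100 against its red threshold, capped at 100."""
    return min(100.0, 100.0 * value / INDICATORS[name]["red_at"])


def composite_kri(readings):
    """Weighted sum of indicator scores; weights sum to 1, so the KRI is 0..100."""
    return sum(spec["weight"] * indicator_score(name, readings[name])
               for name, spec in INDICATORS.items())


def kri_series(monthly):
    """Composite KRI for each month of readings, in order."""
    return [composite_kri(m) for m in monthly]


def backtest(monthly, event_months, alert_level, lead_window):
    """Back-test the KRI: for each past event, did the KRI breach alert_level in the
    lead_window months *before* the event? And which alerts were followed by no
    event? An alert in the event month itself is not predictive and is not counted
    as a hit; it is reported as a false alarm."""
    series = kri_series(monthly)
    alerts = [i for i, v in enumerate(series) if v >= alert_level]
    predicted = [any(ev - lead_window <= i < ev for i in alerts) for ev in event_months]
    useful = {i for i in alerts if any(i < ev <= i + lead_window for ev in event_months)}
    false_alarms = [i for i in alerts if i not in useful]
    return {
        "alerts": alerts,
        "events_predicted": predicted,
        "false_alarms": false_alarms,
        "hit_rate": sum(predicted) / len(event_months) if event_months else None,
    }


if __name__ == "__main__":
    for month, value in enumerate(kri_series(MONTHLY)):
        print(f"month {month:2d}: KRI {value:5.1f}")
    print(backtest(MONTHLY, LOSS_EVENT_MONTHS, alert_level=60.0, lead_window=2))
    print(backtest(MONTHLY, LOSS_EVENT_MONTHS, alert_level=90.0, lead_window=2))
```

Running the back-test at an alert level of 60 with a two-month lead window, the KRI alerts before both constructed events but also raises alerts in months 4 and 6 that no event follows; raising the level to 90 removes the false alarms but misses the first event entirely. Choosing the alert level is therefore a trade-off that the back-test makes visible, which is the point of validating a KRI against history before relying on it.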
