CHAPTER 13
Risk Control Self-Assessments

INTRODUCTION

An initial step in ERM is to identify, assess, and prioritize an organization's key risks. The risk control self-assessment (RCSA) is a common tool that is well established in regulatory guidance and industry frameworks. Companies across all industry sectors use RCSAs for identifying, mapping, and controlling risks that threaten strategic and other objectives.1 Companies that integrate RCSA into the daily activities of their business units will also find it easier to adhere to the growing body of stakeholder expectations and regulatory requirements.

By its very nature, RCSA implementation will vary depending upon a company's specific needs. There is, however, a common process and methodology that all RCSAs follow. We'll begin this chapter with a short overview of risk assessment and the benefits it offers. Next, we'll examine how companies can implement RCSA process and methodology such as identifying risks, evaluating existing controls, and developing risk mitigation strategies. We'll look at the short- and long-term post-RCSA processes to get the most out of the results and increase future efficiency with an emphasis on common pitfalls and practical solutions. We'll conclude the chapter by examining how to incorporate risk assessment into the business process through strategic planning and review.

RISK ASSESSMENT: AN OVERVIEW

The objective of risk assessment (or RCSA) is to identify, evaluate, and prioritize an organization's key risks to enable more informed business and risk management decisions. Risk assessment principles are well established in industry frameworks such as COSO ERM, the Dey Report, the Turnbull Report, and ISO 31000.

Risk assessments generally include the following key steps:

  1. Establish the business context with respect to organizational objectives and regulatory requirements.
  2. Identify the key risks that may negatively (or positively) impact the achievement of business objectives.
  3. Evaluate the key risks in terms of probability (likelihood of occurrence) and severity (financial and reputational consequences).
  4. Evaluate the effectiveness of controls associated with the key risks.
  5. Determine the risk management strategies, including accountabilities and action plans.
  6. Prioritize the top risks for further analyses, quantification, and risk mitigation.
  7. Provide ongoing reporting and monitoring.

The key benefits of risk assessment include:

  • Enhanced awareness and transparency of the key risks facing the organization
  • More efficient cross-functional knowledge transfer
  • Improved risk analytics and quantification processes
  • Enhanced reporting to the board and management
  • Improved business performance through risk-based decision making

While most organizations have implemented risk assessment programs for many years, common obstacles may prevent them from achieving the full benefits. These obstacles include:

  • Lack of senior management sponsorship and/or business unit support for the risk assessment program
  • Inconsistencies in the risk assessment standards that are used over time; and/or the quality of input throughout the organization
  • Inability to develop an overall risk profile due to the vast amount of qualitative data, which may be difficult to aggregate, prioritize, and quantify
  • Lack of integration with other ERM processes and/or business activities and operations
  • Difficulty in showing tangible business benefits other than compliance with regulatory and corporate requirements

RCSA METHODOLOGY

Risk assessment is the process of identifying, evaluating, and prioritizing key risks related to the achievement of business objectives. Each organization should customize its risk assessment methodology for its own particular business scope, operating complexity, and risk management maturity. However, there are common industry processes and practices for risk assessment. Figure 13.1 provides an overall process map of the four phases of risk assessment.


FIGURE 13.1 RCSA Methodology—Process Map

The first phase sets the foundation. This should include senior-level sponsorship for risk assessment to ensure business unit participation and candor. Other elements include organizing and planning, establishing a risk taxonomy, developing risk assessment tools, and providing education and training.

The second phase involves risk identification, assessment, and prioritization. This includes establishing the context in terms of business objectives and regulatory and policy requirements. During this phase, the RCSA team conducts risk assessment interviews and/or workshops in order to identify, evaluate, and prioritize key risks. This is the phase in which many companies identify their top risks.

The third phase consists of deep dives, risk quantification, and management. In this phase, the company performs in-depth analyses (i.e., deep dives) of the top risks identified at the enterprise-wide level. The RCSA team then establishes key risk indicators (KRIs) and risk tolerance levels for each of these top risks. In addition, the team develops and implements specific risk management strategies, including accountabilities and action plans.

The fourth phase involves integration of RCSA into business and ERM processes. Risk assessment should not be a standalone exercise. Companies should integrate it with other ERM and business management processes, such as strategic planning, business activities, operational processes, and board and management reporting.

With respect to the overall risk assessment process, common pitfalls and practical solutions include:

  • Lack of an overall methodology and plan. As illustrated in Figure 13.1, the plan should not only address risk identification and assessment, but also how to aggregate the results and report them to management and the board, how risk assessment information supports business and risk management decisions, and how risk assessment meshes with other business and ERM processes. Without an overall methodology and plan that clearly establishes the desired outcomes, it is difficult to aggregate and apply the vast amount of data that risk assessment generates.
  • Insufficient prioritization of risks. Risks are not equally important, so a “one size fits all” approach is unlikely to be fully effective. The objective of risk assessment should not be to identify and assess all of the risks facing the organization (in fact, such a list would be infinite). Rather, the objective is to identify and assess the key risks, and to quantify, report, and manage the most critical enterprise-level risks.
  • Siloed view of risks and controls. Risk assessments should not represent only one organizational point of view, regardless of whether that point of view is from business units, corporate functions, or control functions such as audit or risk management. Effective risk assessments originate from a cross-functional view of risk. For example, business units may provide useful bottom-up assessments of their businesses, products, customers, and distribution channels while senior executives offer a top-down assessment of risks that may impact strategic and enterprise-wide objectives. At the same time, audit and risk management offer independent assessment of control effectiveness and risk interdependencies across the organization. At some companies, even board members participate in risk assessment by providing unique perspectives on regulatory, industry, and business issues.

Let's discuss the four phases of RCSA in greater detail.

PHASE 1: SETTING THE FOUNDATION

The foundation-setting phase provides the essential support elements for risk assessment, including senior executive sponsorship, organization and planning, key documents and tools, and education and training. The absence of any of these elements may hinder the efficiency and effectiveness of the risk assessment process.

Executive Sponsorship

At the start of the risk assessment cycle, a senior-level sponsor (e.g., CEO, CFO, or CRO) should communicate the board's and executive management's commitment to the risk assessment process, its key objectives and expected benefits, and the expected timeline, along with primary milestones. Given the time constraints and other priorities business managers face, it can be difficult to get their full and candid input without high-level sponsorship. The project sponsor and other corporate leaders should lead by example, engaging in the risk assessment process with candid and thoughtful input.

Organization and Roles

The implementation team should produce an overall plan to define tasks, accountabilities, and deadlines. Key roles may include an RCSA manager to execute specific tasks and delegate responsibilities; subject matter experts to provide technical expertise; trained facilitators to assist in managing meetings and workshops; and risk analysts to capture, organize, analyze, and report on results. Together, these roles will constitute the RCSA project team.

Risk Taxonomy

Having a common language is key to an effective discussion. This is particularly true in risk management, since each company will have its own hierarchy of risks, depending on its business model, industry, and many other factors. Therefore, establishing definitions and categories of risks to facilitate discussion is crucial to running a successful RCSA. As much as possible, these categories should be common to all business units and functional areas in order to facilitate aggregation across the organization. In this regard, it is important to align the risk taxonomy with the business language used in the organization.

A popular way for companies to classify risk is according to operational events, a system the Basel Committee endorses. For example, a company might establish a broad category of employment-practice events with further subcategories such as employee relations, workplace safety, and diversity.

Other companies choose cause-driven or impact-driven classification. Under the former, risks are classified according to the root cause of operational losses. However, this method can run into difficulty when there are multiple root causes for a loss, or when the cause is unclear. The impact-driven method classifies risks by the financial impact of operational losses. While the classification itself poses few challenges, it may leave companies with an insufficient understanding of root causes. I believe the cause-driven method, despite its challenges, is the preferred method. Management can address root causes (e.g., through employee training) but not consequences (e.g., employee errors).

In addition to this taxonomy, it is often helpful to have a glossary of key terms (e.g., probability, severity, tolerance, etc.). This can help avoid unnecessary confusion and ensure the entire company is on the same page.

Risk Assessment Tools

The RCSA project team should employ the tools that facilitate the risk assessment process in the most effective and efficient way. Typically, assessment tools fall into two categories: short-answer surveys and open-ended interviews. The former is most appropriate for gathering aggregate data during staff workshops. The latter can provide a fuller and more contextualized discussion of risk issues. Polling a large group of operational personnel requires a standardized question/answer template while the detailed input of senior executives and board members is best captured by open-ended questions. Figure 13.2 shows an example of an executive questionnaire.

1. Please summarize the scope of the business or operating unit that you are representing.
2. Review the key short-term and long-term business objectives for your business unit.
3. Looking back, discuss the major losses, incidents, or near-misses that concerned you the most.
4. Looking forward, identify the main risks faced by the company and your specific business unit, including estimated probabilities and consequences.
5. Discuss the key controls associated with these main risks (e.g., risk policy and tolerance levels, processes and systems, risk mitigation strategies).
6. Discuss the metrics and reporting associated with these main risks.
7. Identify other relevant issues that we have not discussed.

FIGURE 13.2 Top-Down Executive Questionnaire

In the past, the available technology could support either of these tools, but rarely both in a sufficiently integrated fashion. Modern cloud-based technologies not only support both assessment approaches, but are also able to integrate them seamlessly, making data aggregation easier and less error prone—and, in many cases, completely automated in real-time.

Education and Training

A knowledgeable staff is essential to a company's success in risk assessment. The project team should be conversant in best practices for implementing risk assessments, analyzing and aggregating risk assessment results, and providing analyses and reports to management and the board. Other participants must understand the role of risk assessment, why the risk assessment is being done, what the value is to the business, how they can best participate and contribute, and how they can apply the results to mitigate risks and enhance business performance. A well-planned and executed training program can achieve both these goals.

Common Pitfalls and Practical Solutions

  • Lack of senior management participation. As part of the project planning process, senior executives should commit their time to participate in the process. Senior management should not only be the “audience” for the risk assessment in terms of receiving the final risk assessment reports, it should be an active participant. In addition to communicating executive sponsorship, senior management can provide useful input on key risks and controls. As with any enterprise-wide initiative, there is a high correlation between senior management engagement and success in risk assessment.
  • Inappropriate resource planning and allocation. A critical success factor in the implementation of risk assessment is having the right level and mix of professional resources. On the one hand, some companies only allocate minimal, part-time staff resources to conduct risk assessments. Inadequate resources may result in inaccurate or superficial assessments of risks and controls. On the other hand, it is possible to over-allocate professional resources. At one mid-size bank, a team of more than 20 full-time risk staff and consultants worked on an annual risk assessment that took nine months to complete. The result was an overly bureaucratic process that drained corporate and business unit time and resources. Moreover, the end product was several thick binders of risk assessment information that was ultimately of little use.
  • Insufficient preparation. Risk assessment is not an ad-hoc process that companies can implement on the fly. It requires thoughtful planning and organization. The development of risk assessment tools and training programs should be a fundamental step. For most companies, risk assessment is an ongoing annual process that requires significant corporate and business unit time and attention. Thus, thoughtful preparation can go a long way to ensure that the risk assessment process is efficient and effective.

PHASE 2: RISK IDENTIFICATION, ASSESSMENT, AND PRIORITIZATION

Once the foundational groundwork has been laid, the project team is ready to execute. The key deliverables in this phase include top-down risk assessments from senior executives, bottom-up risk assessments from business and operating units, risk assessment reports and heat maps, and the prioritization of enterprise-level risks.

Business Objectives

A key tenet of ERM is to identify, assess, and manage risks in the context of business objectives. Part of strategic and business planning is establishing key objectives at the corporate and business unit levels, each associated with a key performance indicator or KPI (e.g., market share, operating efficiency, earnings growth, etc.). In turn, key risks may impact the achievement of these business objectives and variability in the KPIs. These key risks are associated with key risk indicators or KRIs (e.g., product/service quality problems, operational risk metrics, unexpected earnings volatility, etc.). Associating key business objectives and KPIs with key risks and KRIs provides the basis for integrated performance reporting and management.

In pursuit of business objectives, businesses must also comply with regulations and corporate policies, another key objective of ERM. In risk assessment, it is useful to summarize the regulatory requirements and guidelines, as well as corporate policies and associated risk tolerance levels (if available) for each key risk.

Identifying Risk

Before cataloguing risks via surveys, interviews, and workshops, it is important to understand the status of each risk within the current environment. This is best defined in terms of inherent risk, controls, and the resultant residual risk.

Inherent Risk

Inherent risk refers to the risk exposure of an event prior to consideration of any controls or mitigation efforts. Inherent risk is typically assessed along four attributes,2 which can be defined qualitatively or quantitatively:

  1. Probability: the likelihood of a risk event
  2. Impact: the extent to which a risk event will affect the company in terms of financial, security, employee, or reputational impacts
  3. Vulnerability: the susceptibility to a risk event
  4. Speed of onset: the length of time between the occurrence of a risk event and the point at which it affects the company

These attributes are often interrelated. For example, the more vulnerable a company is to a risk event, the greater its impact. Similarly, multiple risk events can have an aggregate impact on the company. That is why having a documented taxonomy is so important. A company can evaluate its risk interactions by grouping individual risk events into broader categories and studying their aggregate effects. For example, individual risk events relating to distribution, sourcing, and vendor relationships would fall under a broader category of supply chain risk.

Controls

How well a company manages its risks and their interdependencies depends on how effective its controls are at mitigating unwanted effects of risk events. Controls may be preventative, detective, or corrective:

  1. Preventative controls are intended to stop a risk event before its occurrence.
  2. Detective controls are intended to identify a risk event after its occurrence.
  3. Corrective controls are intended to minimize the impact and close the vulnerability.

It's easy to see how preventative controls might be preferable to detective or corrective ones, but the former may not always be possible. A good example is cybersecurity, where it is nearly impossible to prevent 100% of cyberattacks, so the cybersecurity program must have effective detective and corrective controls.

Some controls are manual while others can be automated. If a control involves both automated and manual components, it should be classified as manual. For example, a software system may produce a daily exception report that an employee must review before reporting and resolving each item. Because it requires the employee's involvement, this would be considered a manual control.

The risk management team should regularly evaluate the design and effectiveness of controls and recommend changes when warranted. For this reason, the RCSA process should include a testing protocol to assess the effectiveness of the control, identify gaps in the control environment, and produce a corrective plan for timely remediation if necessary. Evaluating design ensures that the control is performing as intended while evaluating effectiveness makes sure the control is operating or being operated appropriately. Evaluation usually involves a thorough walkthrough of the control. Considerations during the evaluation should include:

  • Is the control effectively mitigating its intended risk?
  • Is the control performing correctly and when appropriate?
  • Is the control properly situated within the business process?
  • Is there adequate segregation of duties?
  • Do individuals who perform the control have the requisite knowledge required? Are they aware of the ultimate objective of the control?
  • Is the input required by the control accurate?
  • What is the likelihood of control failure?
  • Can the control be made more efficient?

Residual Risks

Once a company has assessed inherent risks and controls it can then determine the residual risk of individual events—that is, the risk exposure of an event after taking controls and mitigation efforts into consideration. While the purpose of identifying inherent risk is to determine which risk events require the most attention and resources for mitigation, residual risk is a closer measure of the actual risk exposure a company faces and the effectiveness of existing controls. Residual risk is what a company considers when it chooses to mitigate, avoid, transfer, or accept risk.

Risk Assessment Interviews and Workshops

As discussed previously, it is useful to conduct interviews using open-ended questions when working with senior executives on risk assessments. In addition to identifying key risks associated with corporate objectives (i.e., top-down risk assessment), these interviews can gather important institutional knowledge about business strategy and culture, lessons learned from previous risk events, and the kinds of KPIs and KRIs that senior executives find most useful. For business unit teams, it may be more appropriate to organize workshops to develop bottom-up risk assessments. During the interviews and workshops, participants identify risks or risk events, and assess probability, severity, and effectiveness of controls through the use of polls or surveys. They may also decide on risk treatment, such as avoidance, mitigation, transfer, or acceptance.

Risk Assessment Reports and Maps

The interviews and workshops may result in a large number of risk assessments. It is the responsibility of the project team to aggregate and report on these results. Risk assessment reports generally provide the following information for each risk:

  • Description of the risk or risk event
  • Assessment and rating of probability (or likelihood)
  • Assessment and rating of severity (or impact)
  • Assessment and rating of control effectiveness
  • Responsible person(s) and oversight committees
  • Management response and action plans

In addition to risk assessment reports, heat maps (or “risk maps”) can help visualize the risk assessment information. On a heat map, risks are plotted against probability along the y or vertical axis and severity along the x or horizontal axis. An alternative methodology is to plot risks according to their severities and effectiveness of controls. Attention should then be focused on risks with high severity and low control effectiveness. Regardless of the methodology used, it is important to note that risk assessments and heat maps are generally not considered by board members and senior executives as actionable information that can support board- or executive-level decisions. Rather, they should be viewed as initial risk assessment and visualization reports that can support further analyses and modeling. In other words, risk assessments and reports are “start products,” not “end products.”

Risk Prioritization

Based on the aggregate risk assessment results, the company should identify its most critical risks (e.g., top-10 risks). This is not to say that the company should only pay attention to 10 risks. In fact, each business unit or functional area may identify its own top risks and collectively monitor all of the key risks recorded in the risk assessment process. However, it is useful to establish a priority list of enterprise-level risks. For example, one large asset management firm reported over 700 risks. It would be impractical for executive management or the board to review and monitor such a large number of risks. Instead, the project team should identify the top-10 risks for the company based on the risk assessment information and confirm their analysis with executive management.
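The inherent-risk, control, residual-risk, heat-map and top-N steps described above can be expressed as a small scoring model. The following is an added example, not code from the chapter: the 1-5 rating scales, the rules by which preventive controls reduce likelihood and detective/corrective controls reduce impact, the "high severity, weak control" threshold, and the register entries are all assumptions made for illustration.

```python
"""RCSA scoring, heat-map placement and top-N prioritization.

Added example, not code from the chapter. The 1-5 scales, the control
adjustment rules, the flag thresholds and the register are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    kind: str               # "preventive", "detective" or "corrective"
    effectiveness: int      # 1 (ineffective) .. 5 (highly effective)
    has_manual_step: bool   # chapter rule: any manual component => manual control

    @property
    def classification(self) -> str:
        return "manual" if self.has_manual_step else "automated"


@dataclass
class Risk:
    name: str
    category: str           # taxonomy category (assumed taxonomy)
    probability: int        # inherent likelihood, 1 (rare) .. 5 (almost certain)
    severity: int           # inherent impact, 1 (minor) .. 5 (severe)
    controls: list = field(default_factory=list)
    owner: str = "unassigned"

    def control_effectiveness(self) -> int:
        # Single rating for the report: the strongest control, or 1 if none.
        return max((c.effectiveness for c in self.controls), default=1)

    def inherent_score(self) -> int:
        return self.probability * self.severity

    def residual_probability(self) -> int:
        # Assumed rule: the best preventive control lowers likelihood by
        # (effectiveness - 1) points, never below 1.
        best = max((c.effectiveness for c in self.controls
                    if c.kind == "preventive"), default=1)
        return max(1, self.probability - (best - 1))

    def residual_severity(self) -> int:
        # Assumed rule: the best detective/corrective control lowers impact.
        best = max((c.effectiveness for c in self.controls
                    if c.kind in ("detective", "corrective")), default=1)
        return max(1, self.severity - (best - 1))

    def residual_score(self) -> int:
        return self.residual_probability() * self.residual_severity()


def heat_map(risks, residual=True):
    """Cells keyed (probability, severity): probability on y, severity on x."""
    cells = defaultdict(list)
    for r in risks:
        p = r.residual_probability() if residual else r.probability
        s = r.residual_severity() if residual else r.severity
        cells[(p, s)].append(r.name)
    return dict(cells)


def severity_vs_control_flags(risks, min_severity=4, max_control=2):
    """Alternative view: high inherent severity and weak controls."""
    return sorted(r.name for r in risks
                  if r.severity >= min_severity
                  and r.control_effectiveness() <= max_control)


def top_n(risks, n=10):
    """Priority list: residual score desc, residual severity desc, then name."""
    ranked = sorted(risks, key=lambda r: (-r.residual_score(),
                                          -r.residual_severity(), r.name))
    return [r.name for r in ranked[:n]]


def aggregate_by_category(risks):
    """Roll individual events up the taxonomy (e.g. supply chain risk)."""
    totals = defaultdict(int)
    for r in risks:
        totals[r.category] += r.residual_score()
    return dict(totals)


# Constructed register, for illustration only.
REGISTER = [
    Risk("Vendor outage", "supply chain", 4, 4,
         [Control("Dual sourcing", "preventive", 3, False)], "COO"),
    Risk("Shipping delay", "supply chain", 3, 2,
         [Control("Carrier SLA monitoring", "detective", 2, True)], "COO"),
    Risk("Ransomware", "cyber", 4, 5,
         [Control("Email filtering", "preventive", 3, False),
          Control("Offline backups + IR plan", "corrective", 4, True)], "CISO"),
    Risk("Trade booking error", "operations", 5, 3,
         [Control("Daily exception report review", "detective", 3, True)],
         "Head of Ops"),
    Risk("Key-person loss", "people", 2, 4, [], "CHRO"),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:22} inherent={r.inherent_score():2} "
              f"residual={r.residual_score():2}")
    print("top-3:", top_n(REGISTER, 3))
    print("flags:", severity_vs_control_flags(REGISTER))
    print("by category:", aggregate_by_category(REGISTER))
```

Running it shows why the chapter distinguishes inherent from residual risk: ransomware has the highest inherent score (20) but strong preventive and corrective controls bring it down to 4, while the uncontrolled key-person risk rises to the top of the priority list and is also the only item flagged by the severity-versus-control view. The exception-report control is classified as manual because it has a human review step, exactly as the chapter's rule requires.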

Common Pitfalls and Practical Solutions

  • Lack of clear business objectives or risk policy constraints. Most companies have a clear sense of regulatory requirements and guidelines. However, some companies have not clearly defined their business objectives, and/or have not established explicit risk tolerance levels. For these companies, it may be difficult to assess risks in the context of business objectives and policy constraints. In some instances, the company develops business objectives and risk policies in parallel with the risk assessment process. In other instances, this management issue is recognized as a risk of its own.
  • Defining risks in terms of consequences rather than root causes. Companies often define risks based on consequences instead of root causes. This can create frustration in determining the appropriate risk treatment because consequences are not directly controllable. For example, a company cannot decrease production errors or customer complaints directly, but it can increase process automation and staff training. Another example would be that a company cannot determine its debt rating, but it can manage the company's capital structure and interest coverage capabilities given its target debt rating. As a final example, a company cannot control foreign exchange (FX) rates, but it can control its FX exposures and monitor volatility.
  • Inconsistent estimates of probability and severity. What is the probability and severity of a risk event? The answers depend on the timeframe and more importantly how the company defines worst case. Any risk can be conceptualized and, with adequate data, quantified as a bell curve. The bell curve represents a range of probabilities and severities. When assessing the probability and severity of a risk event, different people may be thinking of different levels of worst case. To address this issue, the project team should establish clear guidelines with respect to the worst case, as well as the timeframe for the risk assessment. For example, companies that calculate value-at-risk across products or economic capital across business units always harmonize the probability level (e.g., 95% or 99%) and timeframe (e.g., 1 year) that they use in their models. That is the only way they can produce apples-to-apples results. ERM teams implementing RCSAs should consider this approach so the risk assessment results are consistent.
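The last pitfall, inconsistent "worst case" definitions, is easiest to see with numbers. The following added example (not from the chapter) simulates one operational risk as the chapter's "bell curve" of annual losses and reads off the severity two assessors would report if one has a 95% worst case in mind and the other a 99% worst case over the same one-year horizon. It goes slightly beyond the text by using a common frequency/severity model (Poisson event count, lognormal loss per event) that is an assumption, as are the parameters and the money-to-rating bands.

```python
"""Why the worst-case level and timeframe must be fixed before rating severity.

Added example, not from the chapter. The Poisson/lognormal loss model, its
parameters, and the severity bands are assumptions; all data is simulated.
"""
import math
import random
from statistics import mean


def simulate_annual_losses(events_per_year, median_loss, sigma, years, seed=7):
    """Simulated total loss per year over a 1-year horizon (constructed data)."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        # Poisson event count by inversion (Knuth's method), stdlib only.
        limit, k, p = math.exp(-events_per_year), 0, rng.random()
        while p > limit:
            k += 1
            p *= rng.random()
        totals.append(sum(rng.lognormvariate(math.log(median_loss), sigma)
                          for _ in range(k)))
    return totals


def quantile(values, level):
    """Empirical nearest-rank quantile; the 1e-9 guards float rounding."""
    s = sorted(values)
    idx = math.ceil(level * len(s) - 1e-9) - 1
    return s[min(len(s) - 1, max(0, idx))]


def risk_profile(losses, levels=(0.95, 0.99)):
    """Expected loss plus the worst-case and unexpected loss at each level."""
    ev = mean(losses)
    out = {"expected_loss": ev}
    for lv in levels:
        tag = int(round(lv * 100))
        wc = quantile(losses, lv)
        out[f"worst_case_{tag}"] = wc
        # Unexpected loss = worst case minus expected: the economic-capital view.
        out[f"unexpected_loss_{tag}"] = wc - ev
    return out


def severity_rating(loss, bands):
    """Map a money amount to a 1..5 rating; bands are assumed upper bounds."""
    for rating, upper in enumerate(bands, start=1):
        if loss <= upper:
            return rating
    return len(bands) + 1


BANDS = (100_000, 500_000, 2_000_000, 10_000_000)  # assumed: 5 above 10M


def compare_worst_cases(events_per_year=3, median_loss=50_000, sigma=1.5,
                        years=10_000):
    """Severity rating the same risk gets at 95% versus 99% worst case."""
    losses = simulate_annual_losses(events_per_year, median_loss, sigma, years)
    prof = risk_profile(losses)
    return {
        "profile": prof,
        "rating_95": severity_rating(prof["worst_case_95"], BANDS),
        "rating_99": severity_rating(prof["worst_case_99"], BANDS),
    }


if __name__ == "__main__":
    result = compare_worst_cases()
    for k, v in result["profile"].items():
        print(f"{k:20} {v:14,.0f}")
    print("severity rating at 95%:", result["rating_95"])
    print("severity rating at 99%:", result["rating_99"])
```

The point the chapter makes falls out of the output: the expected loss, the 95% worst case and the 99% worst case of the same risk can land in different severity bands, so two assessors who are not told which level to use will rate the same risk differently. Fixing the confidence level and horizon up front, as value-at-risk and economic-capital models do, is what makes the ratings comparable across business units.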

PHASE 3: DEEP DIVES, RISK QUANTIFICATION, AND MANAGEMENT

The top-10 risks identified in the previous phase represent the most critical risks facing the company. This list focuses management time and attention on the appropriate risks. Each of these key risks warrants further assessment, quantification, and management strategies.

Deep Dives

Deep dives are more granular risk assessments. Beyond the information gathered during Phase 2, deep dives may add risk assessments from the next level down in the organization, external benchmarking of the risk and related controls, process maps that clearly document the key business and operational flows, independent assessments from auditors and regulators, and control effectiveness testing. Overall, the purpose of deep dives is to gather more detailed and actionable information.

Key Risk Indicators

Peter Drucker was right when he said “What gets measured gets managed.” For key risks, that means developing actionable KRIs that support the quantification and monitoring of top risks. In addition to measuring risk exposures, it is useful to track risk metrics related to control effectiveness (key control indicators) and leading indicators (early warning indicators).

Risk Tolerance Levels

Risk tolerance levels, as outlined in the company's risk appetite statement (RAS), provide benchmarks against which management can evaluate risk assessments and KRIs and represent the company's risk appetite on key risks. Examples of risk tolerance dimensions include market risk, credit risk, or liquidity risk limits; business performance targets and triggers; operational performance goals and limits; and other benchmarks for desirable and undesirable performance. Ideally, the company tracks KRIs against risk tolerance levels so management can clearly see if risk levels are within acceptable ranges.

Risk Management Strategies and Action Plans

Without strategies to reshape the company's risk/return profile, every process up to this point would be an intellectual exercise. Based on an assessment of key risks relative to business objectives and tolerance levels, management should decide on the appropriate strategy to address each one. These strategies will incorporate one or more of the four broad categories of risk response: avoidance, mitigation, transfer, or acceptance. Any risk acceptance should be followed by discussions of how to incorporate the total cost of risk into product pricing and/or performance measurement systems. The total cost of risk includes expected loss, unexpected loss (e.g., cost of economic capital), risk transfer costs, and administrative costs. To support the execution of risk-management strategies, the risk function should develop action plans (e.g., creating corrective actions, project change requests, and risk transfer strategies) with clear accountabilities and approval from management.

Early Warning Systems

Risks are inherently fluid, dynamic, and difficult to predict. Thus even the best risk assessment and quantification processes may not identify the next risk event that impacts the organization. Companies should develop early warning systems to indicate emerging risk issues before a risk event occurs. While KRIs are associated with specific risks, early warning systems provide a more generalized and comprehensive way for companies to foresee potential risk events. For example, a spike in employee absenteeism or customer complaints may hint at more significant operational risk issues. Or an uptick in credit spreads and price volatility may provide early warnings about capital markets turmoil. In conjunction with these early warning systems, companies should invest in preparedness with respect to early-action and crisis-management strategies. For example, in a financial market crisis, early actions may include contingent liquidity and capital plans to raise financial resources during the initial stages of the crisis when funds are still available. In a natural disaster, the crisis management program may include business contingency planning and recovery plans, as well as internal and external communication protocols.
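Tracking KRIs against the tolerance levels in the risk appetite statement, and watching leading indicators for the kind of spike the paragraph above describes, can both be automated with a few lines of code. The following is an added example, not code from the chapter: the indicator names, tolerance values and time series are constructed, and the trigger/limit (amber/red) structure and the spike rule (latest reading at least 25% and two standard deviations above the trailing six readings) are assumptions.

```python
"""KRIs versus risk tolerance levels, plus a generic early-warning check.

Added example, not from the chapter. Indicator names, tolerances and series
are constructed; the amber/red structure and the spike rule are assumptions.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Tolerance:
    kri: str
    trigger: float             # amber: management attention required
    limit: float               # red: outside risk appetite
    higher_is_worse: bool = True

    def status(self, value: float) -> str:
        # Flip the sign for indicators where a low reading is the bad one
        # (e.g. a liquidity coverage ratio) so one comparison serves both.
        sign = 1 if self.higher_is_worse else -1
        v, trig, lim = sign * value, sign * self.trigger, sign * self.limit
        if v >= lim:
            return "red"
        if v >= trig:
            return "amber"
        return "green"


def kri_dashboard(tolerances, readings):
    """KRI name -> (value, status); KRIs without a tolerance are called out."""
    by_name = {t.kri: t for t in tolerances}
    rows = {}
    for name, value in readings.items():
        tol = by_name.get(name)
        rows[name] = (value, tol.status(value) if tol else "no tolerance set")
    return rows


def escalations(dashboard):
    """KRIs that need management attention, for the risk escalation policy."""
    return sorted(name for name, (_, status) in dashboard.items()
                  if status in ("amber", "red"))


def early_warning(series, window=6, z=2.0, min_pct=0.25):
    """Flag the latest reading if it is both min_pct above the trailing
    window mean and z standard deviations above it (the second test
    stops a flat series from being flagged by tiny moves)."""
    if len(series) < 3:
        raise ValueError("need at least three readings")
    history, latest = series[-window - 1:-1], series[-1]
    base, sd = mean(history), pstdev(history)
    big_enough = latest >= base * (1 + min_pct)
    unusual = sd == 0 or (latest - base) / sd >= z
    return {"baseline": base, "latest": latest, "spike": big_enough and unusual}


# Constructed tolerances and readings, for illustration only.
TOLERANCES = [
    Tolerance("Failed trades per day", trigger=20, limit=50),
    Tolerance("Operational losses YTD ($)", trigger=2_000_000, limit=5_000_000),
    Tolerance("Liquidity coverage ratio (%)", trigger=110, limit=100,
              higher_is_worse=False),
]
READINGS = {
    "Failed trades per day": 55,
    "Operational losses YTD ($)": 1_200_000,
    "Liquidity coverage ratio (%)": 105,
    "Phishing click rate (%)": 4.0,
}
ABSENTEEISM_PCT = [3.1, 2.9, 3.3, 3.0, 3.2, 3.1, 5.8]     # weekly, constructed
COMPLAINTS_PER_WEEK = [40, 41, 39, 40, 42, 40, 43]       # constructed

if __name__ == "__main__":
    board = kri_dashboard(TOLERANCES, READINGS)
    for name, (value, status) in board.items():
        print(f"{name:30} {value:>12,} {status}")
    print("escalate:", escalations(board))
    print("absenteeism:", early_warning(ABSENTEEISM_PCT))
    print("complaints:", early_warning(COMPLAINTS_PER_WEEK))
```

Two design points match the chapter's guidance. A KRI with no tolerance is reported as such rather than silently shown green, which surfaces the "no explicit risk tolerance levels" pitfall from Phase 2. And the early-warning rule is deliberately generic: it does not know what absenteeism or complaints mean, only that a reading has moved well outside its recent range, which is the kind of signal the text says should prompt a closer look before a risk event materializes.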

Common Pitfalls and Practical Solutions

  • Failure to prioritize top risks. The risk assessment process in Phase 2 will likely produce a large number of key risks that could impact business objectives. But a key risk for a business unit may not be a key risk for the company as a whole. It would be too burdensome to develop KRIs, risk tolerance levels, risk management strategies, and early warning systems for all of these risks. Thus the company must identify its top risks so management and the board can focus their attention appropriately. However, this does not preclude business units developing more granular analysis and action plans for their own key risks.
  • Insufficient quantification. Information collected from risk assessments is largely qualitative. Even the probability, severity, and control assessment ratings usually represent numeric expressions of qualitative inputs. In order to build confidence in the appropriate risk management strategies and actions, objective risk quantification must supplement risk assessments. This includes developing KRIs, risk tolerance levels, and early warning indicators.
  • Insufficient risk management strategies and action plans. One of the biggest complaints about risk assessment is that the process does not result in value-adding strategies and actions. Companies spend significant time and resources to produce and review a large volume of risk assessment reports and heat maps, but these documents may sit on the shelf until the next assessment cycle. The end goal of risk assessment is not only to produce better information, but also to support more intelligent decision-making based on that information. It is critical to develop specific risk management strategies and action plans as part of the risk assessment process. Moreover, companies should integrate risk assessment into business processes and other ERM practices. We examine this integration further in the next section.

PHASE 4: BUSINESS AND ERM INTEGRATION

Risk assessment should not be a standalone process. It should be part of strategic planning and review processes, business processes and operations, and other ERM processes such as dashboard reporting, loss/event tracking, and risk escalation policies.

Strategic Planning

Companies must establish clear links between strategic planning and risk assessment. In fact, the integration of strategy and ERM is a key initiative as boards and executive management take a more active role in risk oversight. This integration offers significant benefits. The strategic planning process results in business objectives that should drive risk assessment. On the other hand, risk assessment illuminates key risk exposures and the cost of risk, both of which are essential in making risk/return tradeoff decisions during the strategic planning process. In addition to strategic planning, companies should also integrate risk assessment into strategy and business review processes. As companies execute their business strategies, they often organize strategy and business review sessions to consider new information such as competitive trends, customer data, and business performance. They can then update risk assessments and related monitoring processes with this new information.

Business Processes and Operations

Key business processes and operations should include risk assessment on a day-to-day basis. For example, the pricing of the company's products and services should fully incorporate the cost of risk. Risk assessments can also support other processes such as new product and business development, M&A transactions, project management, and capital allocation. Operational processes should also integrate risk assessment analysis. For example, a process map can depict where key risks (and actual errors and losses) may occur within an operational process. Management can then embed specific controls and risk-monitoring processes where they are most effective.

Scenario Analysis and Stress Testing

Companies should not only be concerned about the worst-case scenario of any single risk, but also the possibility of a more consequential scenario of multiple risk events, such as a failed product launch, an economic downturn, or a new competitive threat. Moreover, the company may stress test the combined failure of key controls, such as risk model error, incorrect data, and departure of key risk personnel. While less likely than a single risk event, the confluence of multiple risk events (i.e., the “perfect storm”) may present the company with critical challenges worth preparing for.

Dashboard Reporting

The sheer volume of data from risk assessments, other ERM analytics, and business performance systems can be overwhelming. In order to provide senior management and the board with the appropriate information, I strongly recommend creating dashboard reports designed to support the specific decision-making and informational needs of corporate executives and board members.

At the board level, for example, these reports would provide a concise executive summary of business/risk performance as well as external performance drivers. They would focus on key board discussion and decision points, providing forward-looking analyses of organization-wide performance, including key performance and risk indicators shown against specific targets or limits. And they would offer actual performance data on previous business/risk decisions as well as rationale for management recommendations. A modern dashboard system, which we'll examine more thoroughly in Chapter 18, can also provide drill-down capabilities to underlying data and analysis when desired.

Loss/Event Database

Every risk loss or event represents a valuable learning opportunity, but only if the risk team captures and reviews them systematically. Companies should develop and maintain a loss/event database to capture all material losses and incidents. This database can inform postmortem analyses in terms of root causes and needed controls, reveal key risk trends and emerging patterns, help address risk issues before they become major problems, and close a feedback loop on the efficacy of risk assessments and dashboard reporting. Based on my experience, developing a loss/event database is a low-cost but high-value ERM initiative.

Risk Escalation Policy

Risk events do not occur on a regular interval, but in real time. Thus, annual risk assessments—even if they are updated monthly or quarterly—may not support timely alerts or management responses. A risk escalation policy can mitigate this problem by establishing specific notification triggers for material losses or events (e.g., losses above a certain threshold, risk events that impact a certain number of customers, etc.). A lesson learned from previous corporate disasters is that bad news does not always travel up the organization. A risk escalation policy establishes the explicit expectation and specific criteria for communicating risk events on a timely basis.

Common Pitfalls and Practical Solutions

  • Integration occurs only in back-end reporting. Some companies simply provide consolidated reports of various business and risk management processes. However, integrating risk assessment with other ERM and business processes should not only occur on the back end. It should involve integrated planning and analysis in the front end on an ongoing basis in terms of performance and risk monitoring as well.
  • Insufficient change management. At most companies, the integration of risk management with strategy and business activities requires significant changes in organizational processes. Each organizational unit may have well-established policies and procedures for its business. To implement the necessary change, the RCSA team should establish a clearly defined change agenda. This includes change-management strategies to align goals, overcome barriers, and measure and track success.

ERM AND INTERNAL AUDIT COLLABORATION

As the risk landscape increases in complexity, it is becoming more and more important to increase collaboration and coordination efforts between the ERM program and the company's internal audit function. An innovative way to accomplish this is through the use of the RCSA process. RCSA data and outputs can provide points of comparison between ERM risk focus areas and those of internal audit, thus providing an added level of structure and assurance.

A simple first step to sync a company's RCSA process to its internal audit program is to map RCSA risk focus areas to those in the internal audit universe. This allows both ERM and internal audit to better understand their risk and audit review coverage at any given moment. Such an approach provides the ERM team additional perspective on controls and risk mitigation processes while it offers a quasi-independent evaluation of audit scope and priorities. For example, risk assessments can inform risk-based audit plans while audit findings can validate control effectiveness ratings.

The mapping process should take place after the completion of RCSA as well as during the annual internal audit plan-setting period. By coordinating efforts between ERM and internal audit, the organization can ensure that there is a consistency in approach and a focus on the risks that truly are impactful.
