A Journey Around the Risk Process
For many people, process and process requirements send a shudder down the spine. Process is often seen as onerous, constraining and time consuming. Others see good, well-designed process as critical to providing steady, repeatable operations and to freeing up time to deal with areas requiring more attention. I see good process as an enabler.
For many people, risk sends a shudder down the spine. It is often seen as a threat and something to be avoided. Others see as thrills and excitement and something to be sought. I see risk as a source of value and as something to be managed.
Good risk process enables effective risk management.
A Good Process
Process is usually defined as a series of actions, steps, or tasks to accomplish an objective (or objectives).
From this definition, a couple of elements necessary for a process to be “good” are evident.
1. The objective(s) must be:
a. Of value to the organization;
b. Well-defined and clear to ensure it is (they are) fully understood; and
c. Measurable, to ensure they are met.
2. The tasks must be:
a. Well defined and clearly specified;
b. Appropriately sequenced; and
c. Contributory, to ensure benefits can be recognized and resolve is maintained.
Further, a good process must also be aligned with the values of the organization and be achievable with the resources available. The objective(s) of the process must fit with the business strategy.
These and all aspects necessary for a good process are better dealt with elsewhere. In the footnoted reference, Rob Davis provides a list (Effective, Efficient, Relevant, Valid, Usable, Used, Reused, Managed and Measured) and descriptions of each aspect.
Risk Process Objectives
The objectives of the risk process will depend on the level of risk awareness and understanding, risk capability and risk preparedness in the organization. These are dimensions of organizational risk maturity).
In a risk mature organization, the key objective for the risk process is to ensure business strategies and actions are risk-informed and risk-appropriate. While this sounds simple, the span of business decisions affected is very broad. A complete list is not provided here since each organization in each industry will have its own business interests, activities and strategies. A short list would include:
Effective pricing – ensure expected losses are included in product and services pricing;
Appropriate capitalization – ensure the organization has adequate capital of sufficient quality to weather losses; and
Resource deployment and prioritization – ensure businesses are provided appropriate resources (capital, risk appetite, expense) for profitability, growth and development.
The selection of strategic goals directly affects the inherent risks and may introduce new risks or risk sensitivities.
The overall process includes five individual process steps and each of these has a specific objective in support of the primary objective:
Risk Identification: Identify all the risks affecting business performance;
Assessment and Measurement: Understanding the magnitude, sources and direction, and key drivers of the risk exposures;
Analytics and Management: Develop deeper understanding of possible performance outcomes and likelihoods;
Monitoring and Reporting: Know the current risk exposure position and clearly communicate with key stakeholders; and
Proactive Response and Planning: Be prepared for the inevitable.
The overall Risk Process is illustrated in Figure 1 on the following page.
The Process Steps
The process steps are ordered to reflect;
Only risks that are identified can be assessed and measured;
Only risks that can be assessed and measured can be understood, explored in greater detail and effectively managed;
Only risks that are understood can be properly monitored and communicated; and
Only for risks that are understood and actively tracked can proactive plans be created.
While the steps are in order, the cycle never completes. As the business environment changes and new strategic opportunities are developed, the risks must be reviewed, and new risks identified and the process continues.
Figure 1: The Risk Process
Risk identification involves the detection and description of risks that could compromise the ability of the organization to achieve its business objectives. The identification process begins with a clear statement of the business purpose. The purpose should provide information on the inherent risks in the business. For example, at a minimum, a lending business includes the risk of borrower defaults (credit risk), the asset/liability risk involved in funding the lending assets (market and liquidity risk) and the operational risks including handling the ongoing interest and principal payments for both assets and liabilities, monitoring adherence to any covenants and perfecting any security.
The business model employed may introduce new risks or amplify or mute existing risks. In the lending business, a new risk may be created using hedge instruments (reduces the market risk but introduces counterparty risk) and the size of the asset and liability maturity gaps changes the market and liquidity risks.
The key in identification is not to just note risk categories such as market or credit risk. The key is to identify specific drivers of performance outcomes. For example, investment portfolios and trading books are often subject to interest rate movements. The key risk drivers may be the market and investment structure (e.g., term, liquidity), broad macro-economic factors (e.g., quantitative easing, business cycles), specific market volatility expectations and specific events (e.g., flight to quality).
An example of a tool used to identify the sources and direction of interest rate risks is a DV01 calculation. This approach is used across different market risk drivers. Another tool that is used to identify key drivers of performance outcomes is income statement decomposition. Unfortunately, accounting treatments can obscure the economics of the business performance although as mark to market and fair value accounting is increasingly used, the less this difficulty exists. This is an effective tool because losses flow through the income statement and this is where risk outcomes are first experienced. Income statement decomposition is best used for high frequency risk drivers affecting portfolios that are marked to market with a corresponding frequency. Risk registers are also a tool in general use.
The preceding material on risk identification is relevant for known or familiar risks. These are risks that the organization has knowledge of, experience with, and the organizational capability to recognize, assess and manage. Emerging risks are those that are either known risks that are changing in unfamiliar ways or new risks that have never been seen before. An example of the former is the mid-2000’s U.S. home mortgage market and, of the latter, the introduction of complex derivatives in the late-1980’s and early 1990’s.
Current examples of emerging risks that are often identified include: unsustainable national deficit levels; escalating cross-species contaminations; and the wide variety of cyber risks. In recent conversations, several people have identified the emergence of blockchain and smart contracts, viral outbreaks, and commodity pricing and China’s intentions as emerging risks worth considering. Of course, an emerging risk identified for one organization is not necessarily important for another organization.
Identification of emerging risks relies on:
Deep, broad, and multi-disciplinary learning and experience;
Combined analytical and intuitive thinking;
Multiple perspectives – in-out, macro-micro, past-present-future;
Knowledge of diverse human behaviours at a practical level;
Thinking about entanglements and connections rather than isolates; and
Willingness to consider contrarian views.
Sources of information include standard sources to watch for changing emphasis or perspective, but also include “rumor sheets”, internet blogs and the views of contrarians, alarmists, and flakes. While reviewing information and views it is important to be way of biases such as the Ambiguity Effect, the Bandwagon Effect, and the Normalcy Bias. And it is imperative to look beyond the recent, immediate, and obvious.
Assessment and Measurement
Risk assessment and measurement is about building an understanding of the magnitude, sources and direction, and key drivers of the risk exposures. There are risks that can be measured and those that can only be assessed. Figure 2 below provides a representation.
lling capability available to sufficiently capture behaviors and generate reliable exposure Assessment
Assessment is largely a qualitative exercise relying on analytical and intuitive thinking. There may be the possibility of using some existing risk measurement approaches although the lack of data and clear insight into the performance and risk drivers imply that this must be done with caution.
Assessment relies on the same skills, perspectives and approaches outlined above in the discussion on the identification of emerging risks. Assessment often must deal with the lack of recognizable patterns, uncertain significance of observable data and ambiguous consequences and implications. And, as with all aspects of economic systems, interactions and interconnectedness can be complex.
The objective of assessment is “sense-making” to inform business strategic choices and actions.
The approaches need to use multiple approaches – no single evaluative tool is adequate since all have biases and shortcomings. There is a need to use both quantitative and qualitative approaches creatively to build context-specific insight. The assessment should look for patterns and drivers of behaviours and ideas, goals, and ways and means matter. It is important to constantly imagine and reconsider as possibilities are revealed.
There are many risk measurement approaches, and they defy listing in a paper such as this. However, there are several commonalities.
Measurement approaches provide the ability to convert the barrage of data into insightful and actionable information. This provides ability to better understand the forces driving the risks faced and opportunities available. If used properly, measurement approaches allow complex performance and risk information to be communicated in a common language; a business language.
To use measurement approaches effectively, there is a need to:
Transform data into information;
Explore the information and its meaning;
Apply experience and judgment to what the information and models seem to tell you; and
Ensure that any model used for decision making is independently vetted and that all model risks are understood and accepted.
Data, as implied above, is central to most risk measurement approaches. Data is also often the greatest challenge to effective measurement. Measurement approaches transform historical data to develop models of future possible events. Data quality and reliability must be high, and the data limitations must be fully understood.
Any measurement approach is a filtered and simplified view of reality. Risk models use very sophisticated tools to generate future potential states and statistical tools to describe the resulting distribution of these potential states. It is necessary to use knowledge of the approaches used with business understanding and experience to interpret the resulting information.
As noted above, risks flow through the income statement first. In the short list of business decisions requiring risk input, was effective pricing which is a clear link to the income statement. Risks also affect the balance sheet. Another item on that list is appropriate capitalization. That is where economic capital comes in.
Economic capital is a common benchmark that crosses all businesses and risk types so that valid comparisons can be made of risk adjusted performance. It is a forward-looking estimate of the maximum likely unexpected loss in value that an asset, portfolio, or business could incur over a specified time horizon with a defined confidence level due to all types of risk. More specifically, it is the capital necessary for a firm to have a pre-defined probability of remaining solvent.
Economic capital is a very powerful business performance assessment tool. It allows all businesses to be measured on a common element that reflects the economics of the business and, importantly for financial institutions, properly attributes the economic capital to the risk-taking activities of the organization.
Analytics and Management
Effective risk management is a journey of discovery. Risks transform and migrate; they emerge and dissipate. Business needs change and risk exposures and management actions change with them. Markets also change and experience different conditions that may not be adequately reflected in risk measures based on past conditions. It is necessary to undertake ongoing analysis to fully understand the possible factors driving business performance through time. The objective of this process step is to develop risk insights and a deeper understanding of possible performance outcomes to inform business management.
One of my favorite lines is from Tolkien’s description of Aragorn –
All that is gold does not glitter
It is necessary in risk management to look beyond the immediate and obvious and to explore business conditions, behaviors, and ongoing outcomes to discover evolving factors affecting performance and risk drivers including changing interconnections, dependencies, and relationships.
Common techniques are to undertake scenario analysis and stress testing. It is important to consider probable, possible, and catastrophic scenarios to understand future possible states. Ask the “What if?” questions.
Business loss event analysis is another technique. It is based on reviews of reported losses from within the industry to assess the organization’s exposure to similar events or risk drivers. Of course, all material losses experienced by the organization should be reviewed to ensure that the risk drivers are identified, and any driver of unexpected losses are built into future risk approaches.
A final technique previously identified as an aid to risk identification, is income statement decomposition. As noted earlier, this approach helps identify drivers of outcomes and vulnerabilities.
The outcome of this analysis is a better understanding of performance and risk drivers and the effectiveness of the business and risk management approaches.
Monitoring and Reporting
Monitoring and reporting are linked from the perspective of needing to report past and current risk positions. Reporting also requires a forward-looking view so it is also related to risk analytics. Combined, the objective is to capture risk exposures and clearly communicate with key stakeholders, including risk takers, business leaders, regulators, and the Board.
Under risk identification, it was noted that all risks should be identified. In risk monitoring and reporting, there is the need to include only material risks and risks that are changing (they may become material).
The monitoring and reporting needs to reflect the volatility of the underlying risk drivers, business positioning and sensitivities. They must also consider the liquidity holding periods and the time required for management to act.
Reporting must provide information on past and current exposures, the changes in the exposures and reasons for the changes. The reasons for the changes must reflect the changes in the underlying risk drivers. It must also be forward looking. It is important to provide insights into how the exposures may change in the future given expected business activities and market conditions. The forward-looking perspective also allows for an action orientation. If limits are being approached or other issues are arising, management actions can be identified and tracked.
Proactive Response and Planning
The keys to creating effective business plans, or contingency plans, to address risks are a clear understand of exposures and the underlying risk drivers and the critical business vulnerabilities. The identification, assessment and analytics process steps provide this capability. The monitoring process step allows for the identification of risk driver changes and an assessment of the level of risk in the environment. A crisis may not be able to be predicted but increasing risk can be.
The plans must consider the volatility of underlying risk drivers. How quickly the environment can change affects the nature of the required plans.
Another key element is management’s ability and willingness to act. The plans, or course, must establish how decisions are made and who has authority to act. However, committees and the need to work across functions or even organizational structures can significantly affect management’s ability to act. Inexperience and certain locked-in perspectives or biases can affect management’s willingness to act. Slow decision making in normal conditions may be a warning sign that decisions will not be made, or will be made too slowly, in times of crisis.
Market and market participant behaviors also affect an organization’s plans, particularly in systemic crises. Each organization’s competitive environment is different, so it is important to identify what the large competitors are most likely to do and how to respond.
In regulated industries such as financial services, the actions of the regulatory authorities and legislative bodies also play a significant role. In times of crisis, an organization needs to fully understand the resolution frameworks, both formal and informal, created by these areas. As seen in the Global Financial Crisis, the market turmoil increased as the U.S. government initially walked away from the informal process of supporting large financial institutions and allowed Lehman Brothers Holdings Inc. to fail.
All global and domestic systemically important financial institutions are required to have Recovery and Resolution Plans. The strength and maturity of these plans will depend on the strength and capabilities embedded in the preceding four steps of the Risk Process.
Meeting the Objective
The objective of the risk process, as noted above, is to ensure business strategies and actions are risk-informed and risk-appropriate.
The risk process is described here as a series of process steps to accomplish this objective. Implicit in this is that the risk process is a part of the larger strategic process. Any change in strategy involves a change in risk profile and this implies that the risk process is never ended.
As strategies and business decisions are considered, the effect of the expected outcomes need to be assessed through the risk process. The effects need to be investigated prior to the decision to ensure the risks associated with the outcomes are appropriate for the organization and that they can be effectively managed.
Endnotes  Rob Davis’ “What Makes a Good Process?”, BP Trends, November 2009. http://www.bptrends.com/publicationfiles/FIVE11-09-ART-Whatmakesagoodprocess-BPTrends.pdf  It should be reiterated that attempting to implement a mature risk process in an organization lacking risk maturity, whether in terms of understanding and awareness or capabilities and capacity will not generally result in achieving the objectives noted.  Expected loss in the credit risk context: “In statistical terms, the expected loss is the average credit loss that we would expect from an exposure or a portfolio over a given period of time.”, http://financetrain.com/expected-loss-unexpected-loss-and-loss-distribution/  The risk appetite framework is a vey important topic deserving focus. The framework needs to include not just appetite and clear limits, but also capacity. It must be established within the context of strategy and recognizing organizational capabilities.  DV01 – dollar value of a 1 basis point move. A specific underlying instrument price or yield can be moved by 1 (basis point or specified number of cents, if price based) and the portfolio value is recalculated to show the value affect.  Revenue lines are affected by level of sales and changes in prices, in name two drivers and costs and expenses are similarly affected by changes in prices. This type of analysis often does not go deep enough to identify specific strategic or reputation risk affects.  These sources include the Willis Towers Watson 2017 Emerging Risks report (https://www.willistowerswatson.com/en/insights/2017/01/emerging-risks-2017) and DTCC’s recent report (http://www.dtcc.com/news/2017/march/22/a-look-ahead-emerging-risks-in-2017) among many others. The World Economic Forum’s Global Risk Report 2017 is not strictly an emerging risks report, but it does provide excellent coverage of risks from transformations and emerging technologies (https://www.mmc.com/content/dam/mmc-web/Global-Risk-Center/Files/the-global-risks-report-2017.pdf).  Model risk is an important topic that isn’t covered in this paper.  J.R.R. Tolkien, The Fellowship of the Ring, The Lord of the Rings.