Strategic Risk Management

1 - Introduction

1.1 Introduction 1/2

Level and complexity of risks increase as function of organisational size and complexity

1.2 The Concept of Risk 1/2

New forms of risk emerge (e.g. increased reliance on IT)

-Malicious interference, fraud, theft

-Increased vulnerability to external risk (e.g. power interruption)

Risk is inherent in every human endeavour

Maximum loss limit: upper limit of range of acceptable outcomes

Risk analysis: function of human cognitive process

Risk is not negative

-Must identify, manage, ensure do not threaten continued existence

-Positive: intimidates competitors

-Risk appetite: own range of acceptable outcomes

1.3 The Basic Risk Types 1/5

Classification typologies around origin of risk and nature of effect

Risk level

-Strategic risk

-Change/project risk

-Operational risk

-Unforeseeable risk

Nature of risk: origin, characteristics, interdependencies

-Financial and knowledge risk

-Internal and external risks

-Speculative and static risks

-Risk interdependency

Can overlap

1.3.1 Strategic Risk 1/6

Corporate level: development/implementation of strategy

Assessment of market conditions & forecast of changes

-Market: economic variables

-Corporate governance: reputation, ethics

-Stakeholders: shareholders, business partners, customers, suppliers

Examples:

-Incorrect strategic plan: assumptions, environment, resources, organisational objectives

-Compromised plan: reorganisations, expected changes, processes not introduced (satisfactorily)

-External changes: environment, competitors, competing products, statutory controls

Strategic risk more difficult to model/assess than operational and change/project risk

Variance envelope:

A: current position (market position, size, vulnerability, gearing, asset base...)

B: desired position in X years

Warning is signalled when strategy diverges beyond limit

Strategic Risk Management must detect, predict consequences, justify corrective actions

1.3.2 Change Risk 1/9

Change risk relates to both:

-Imposed changes: variations from within and outside the organisation

-Planned changes: engineered to achieve objectives

Projects (definition):

-Not main process of production

-Short

-Clear start & finish

-Relatively complex

-Clear time, cost, performance objectives

-Multidisciplinary teams (usually)

1.3.3 Operational Risk 1/10

Related to production process:

-Asset base

-People

-Legal controls

1.3.4 Unforeseeable Risk 1/10

Cannot be accurately forecast

Can sometimes be allowed for up to a point with contingencies

-After depletion must secure resources from elsewhere

Insurance: fire, flood, subsidence

Risk mitigation with appropriate precautions

Establishment of reserves

Business continuity plan (BCP) includes disaster recovery plan (DRP)

1.3.5 Financial Risk and Knowledge Risk 1/12

Financial Risk: market, credit, capital structure and reporting risk

Knowledge Risk:

-Information stored using IT

-Access to crucial business information

-People knowledge: acquired specific knowledge

  • Post-acquisition departures:
    • Disillusionment
    • Resentment
    • Loss of power and/or authority
    • Loss of motivation and commitment
    • Inability/unwillingness to adapt

1.3.6 External and Internal Risks 1/13

Internal risks: somewhat calculable and controllable

External risks: may be calculable but not controllable

External risks:

-Interest rate risk (influence on discount rate for NPV)

-Volatility risk: purchased options volatility increases value; written options volatility increases risk

-Convexity risk: e.g. change in interest rate leads to greater change in bond prices

-Time-dependent risk: insurance policy expiration

-Competitor risk: new company, product

-Customer demand risk

-Exposure risk: gearing, borrowing; oil producers to oil prices

-Shareholder risk: (loss of confidence makes it difficult to raise capital)

-Political risk: home and neighbouring countries, fiscal policy, UK/Euro

-Legislative risk: change existing statutes, introduce new ones (e.g. green)

Internal risks:

-Operational process: HR, staff availability, capacity limit

-Legal risk: contracts, insurance policies – protection and liability not as perceived

-Liquidity risk

-Supply chain risk: more efficient SC => more dependent: supplier production continuity, supplier reliability (quality of products)

-Competence risk: employee and management

-Complexity risk: modern electronic systems difficult to understand/interpret quickly

-IT and Technology risk

-People risk: difficult to replace, succession planning, IPR, expertise=>rival

-Residual risk: after all risk treatment and response; achieving zero is prohibitively expensive

1.3.7 Speculative and Static Risks 1/20

Speculative can lead to gain or loss: investment, internal reorganisation

-Share flotations, competitor activities, R&D investment, new products, economic activity

-Speculative business risk: trading with assets; spread among stakeholders

-Speculative financial risk: gearing ratio

Static can only lead to loss

-Minimise risk with safeguards and protection

-Insurance: fire, public liability, professional indemnity, personnel

-Reduce effects with insurance and by diversifying; no reward can be expected from static risk

1.3.8 The Concept of Risk Interdependency 1/23

Strategic risks can affect implementation of strategic plan

Plan implementation involves internal changes which also produce change risk

-May also involve internal operational changes

1.4 The Concept of Risk Classification 1/26

First level equation for risk:

Risk = f(event, likelihood, impact)

Second level equation for risk

Risk = f(event, hazard, safeguard)

Hazard: source of danger

Safeguard: mitigation or defence

Risk is residual and reflects the reduction of absolute risk attained through the control

1.5 Exposure, Sensitivity and the Risk Profile 1/30

Risk profile: risks that are acceptable for a given organization at a given time

-Simple representation: list identified risks with impact and probabilities

-Complex software: conditional modelling with probabilistic branching

Exposure: measure of extent to which organisation’s functions are open to risk

Outsourcing: transfers risk (doesn’t eliminate)

Risk may impact Key Performance Indicators

Firm sensitivity is function of:

-Severity of exposure to occurrence of events

-Likelihood of events

-Ability to handle events

Questions for risk taker:

-What are possible outcomes

-Are outcomes related

-How sensitive are strategies, earnings etc to occurrence

-Is achievement of critical objectives affected

-How capable are we of responding

-How much potential reward is required to accept risks

-If we accept, do we have sufficient capital to absorb unforeseen losses

1.6 The Concept of Risky Conditions for Decision Making 1/32

Conditions of risk: known unknown events, reasonable likelihood of event and impact is assessable

Conditions of certainty: known event

Uncertain condition: unknown unknown event (e.g. great storm)

-Identify range of outcomes or discrete set of scenarios

-Resolve as much uncertainty as possible

-Reduce uncertainty to a level that it can be contained in limits of RMS

  • Sufficient reserves and responsive mechanisms to cope

1.7 The Concept of Risk Management 1/34

Risk Management System can reduce and control but not eliminate risk (not even desirable)

-Control mechanism to ensure risk remains within acceptable limits

-Typical RMS includes:

  • Identification
  • Analysis and classification
  • Controlled consideration of attitude/strategy
  • Safeguard related to appetite
  • Response process: eradicate, reduce likelihood/impact, transfer, accept
  • Ongoing control and self-assurance

2 - Background to Risk

2.1 Introduction 2/2

2.2 Some Common Questions about Risk 2/3

2.2.1 Introduction 2/3

2.2.2 Ten Questions 2/3

Risk so bad that should be eliminated at all costs? Zero risk unachievable, cost exponential as risk approaches zero

Risk takers adopt portfolio approach.

Risk breeds innovation.

2.3 Some Common Misconceptions about Risk 2/6

2.3.1 Introduction 2/6

2.3.2 Some Common Misconceptions 2/6

!! Risk is bad

!! Better not to take risks: opportunity cost

Pitfalls

-Risks taken for sake of taking risk: groupthink, bravado, desperation

-Potential gain greater than risk stake (may risk a lot of a little)

-Inaction due to opposition or apathy of others

-Risk more than can afford to lose

!! Some Risks are so great they must be eliminated

!! If in doubt play safe

-People tend to avoid Type II errors (reject hypothesis unless they are sure)

  • Hypothesis Right but rejected: Type I, easier to quantify
  • Hypothesis Wrong but accepted: Type II, difficult to quantify

!! Groups make less risky decisions than individuals

-Anonymity in group

-Appearance as risk seeking preferred

-Increased risk shift over time and with greater diversification

!! Well-established groups more efficient at identifying and handling risk

-Groupthink: displacement (assuming group’s objectives)

  • High peer pressure, delusions of importance, sense of invincibility, team filters (suppress dissent)

2.4 The Variable Significance of Risk 2/13

2.4.1 Introduction 2/13

2.4.2 Issues Related to the Significance of Risk 2/14

Most significant risks are those not identified

-Degree of assessment accuracy and monitoring extent

-Root cause:

  • Failure to identify
  • Failure to assess
  • Failure to monitor
  • Failure to control

2.4.3 Risk Profile 2/19

Risk profile: probability of given return for risk or group of risks

-Summary of all the individual risks facing an organisation

2.5 Risk and the Decision-Making Process 2/21

2.5.1 Introduction 2/21

Human cognition is enormous and extremely complex

2.5.2 Pattern Recognition and Attention 2/21

Decisions related to perceived rewards and risks

Pattern recognition: brain presented with stimulus through sensory organs

Attention: filter so brain can focus on relevant information

Memory:

-Short-term memory stores basic pattern recognition information. After interpretation and subjective assessment it moves to long-term memory

-Long-term memory stores information about previous events where risks were evident and where they did or did not occur

  • Greater emphasis on negative past events

2.5.3 Bounded Rationality 2/23

Individual or organisation will generally opt for rational behaviour

-Pattern recognition and learning naturally preferred

2.5.4 Risk Forecasting and Prediction Momentum 2/24

Bounded rationality uses knowledge of past events and extrapolates: risk forecasting

-Use of past to analyse the present

-Use past and current to forecast the future

-Largely qualitative or subjective

-Modelling techniques can support it

-Not restricted to mathematical modelling

-Requires breadth of vision as well as modelling

-Is time-based (accuracy diminishes over time)

Two-stage process:

-Predict future based on past (without proposed action)

-Predict future based on past (with proposed action)

Forecasting considerations:

-Only as accurate as data

-Time-dependent: longer the timescale the less accurate

-Degree of change increases potential for inaccuracy

-Expensive: accurate records, complex modelling, intensive labour

-Vulnerable to intuition and bias

-Impact of unforeseeable events

-Takes place within dynamic environment

Intuition: combination of experience and extrapolation using instinct

-Example of pooled interdependency using cognitive process

-Can be individual or organisational

2.5.5 Summary 2/26

2.6 Risk Conditions 2/28

2.6.1 Introduction 2/28

2.6.2 Conditions of Certainty 2/29

Decision-maker knows which state of nature will occur.

Double-headed coin

2.6.3 Conditions of Risk 2/30

Probabilities and payoffs are known.

2.6.4 Decision Making under Conditions of Uncertainty 2/32

No assigned probabilities. Possible outcomes can be identified.

Firm doesn’t know in advance the magnitude and change in key (external or internal) variables

Hurwicz criterion: Maximax

-Optimistic: Maximise profits of best-case

Wald criterion: Maximin

-Pessimistic: minimise the maximum losses

Savage: minimax

-Bad loser: minimise the maximum regret (difference between best & actual)

Laplace:

-Equal probability to each outcome
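Added example (not part of the original notes): the four criteria above applied to one payoff table, using the labels the notes give them. The payoff figures, the three response options and the three states of nature are constructed for illustration.

```python
# Constructed payoff table: net outcome of each risk response under each
# state of nature. No probabilities are assigned (conditions of uncertainty).
PAYOFFS = {
    "accept":   {"no incident": 100, "minor incident": 40, "major incident": -200},
    "reduce":   {"no incident": 80,  "minor incident": 60, "major incident": -10},
    "transfer": {"no incident": 50,  "minor incident": 45, "major incident": 30},
}


def _check(payoffs):
    """Every option must be scored against the same set of states."""
    states = [set(row) for row in payoffs.values()]
    if not states or any(s != states[0] for s in states):
        raise ValueError("all options need payoffs for the same states")


def maximax(payoffs):
    """Optimistic: pick the option with the best best-case payoff."""
    _check(payoffs)
    return max(payoffs, key=lambda o: max(payoffs[o].values()))


def maximin(payoffs):
    """Pessimistic (Wald): pick the option with the best worst-case payoff."""
    _check(payoffs)
    return max(payoffs, key=lambda o: min(payoffs[o].values()))


def regret_table(payoffs):
    """Regret = best payoff achievable in a state minus the payoff obtained."""
    _check(payoffs)
    states = next(iter(payoffs.values())).keys()
    best = {s: max(row[s] for row in payoffs.values()) for s in states}
    return {o: {s: best[s] - row[s] for s in states} for o, row in payoffs.items()}


def minimax_regret(payoffs):
    """Savage: pick the option whose largest regret is smallest."""
    regrets = regret_table(payoffs)
    return min(regrets, key=lambda o: max(regrets[o].values()))


def laplace(payoffs):
    """Laplace: treat every state as equally likely, pick the best mean."""
    _check(payoffs)
    return max(payoffs, key=lambda o: sum(payoffs[o].values()) / len(payoffs[o]))


def decide(payoffs):
    """Run all four criteria; they need not agree."""
    return {
        "maximax": maximax(payoffs),
        "maximin": maximin(payoffs),
        "minimax regret": minimax_regret(payoffs),
        "laplace": laplace(payoffs),
    }


if __name__ == "__main__":
    for criterion, choice in decide(PAYOFFS).items():
        print(f"{criterion:15s} -> {choice}")
```

On this table the criteria disagree, which is the point of choosing one deliberately: the choice of criterion encodes the decision-maker's risk appetite.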

2.6.5 Section Summary 2/37

2.7 Risk and Risk Management 2/37

2.7.1 Introduction 2/37

2.7.2 The Need for a Risk Management Strategy 2/38

Structured risk management system:

-Range of analytical tools

-Operates at all levels (strategic, operational, project...)

-Risk universe: interdependencies

-Risks can be foreseeable, partly foreseeable, and unforeseeable

-Not infallible

-Complex and expensive

-Must be dynamic

-Organisation-wide

-Only as reliable as people using it

-Must be calibrated

  • Danger of information overload or information omission

Emerging Risks of phasing/fast-tracking and concurrent engineering

2.7.3 Risk and Risk Management 2/39

Identifiable stages:

-Registration system

-Classification

-Control of risk attitude

-Risk response

2.7.4 Summary 2/40

2.8 Case Studies 2/40

2.8.1 Case Study 1: Black Gold 2/40

2.8.2 Case Study 2: The Signs Were There 2/46

3 - The Concept of Risk Management

3.1 Introduction 3/2

3.2 Some Common Questions about Risk Management 3/3

3.2.1 Introduction 3/3

3.2.2 Some Questions 3/3

3.2.3 Summary 3/5

3.3 The Concept of Risk Management 3/5

3.3.1 Introduction 3/5

3.3.2 Characteristics of an Effective Risk Management System 3/5

Effectiveness: able to identify and assess all risks that affect objectives

Enterprise-wide capacity: and consider external risks

Practicality: usable, standardised across organisation

Realism: Detail not required for every risk, selective and sufficiently sensitive to highlight important risks

Compliance with internal and external standards

Cost efficiency: must add value to organisation (difficult to identify losses that have been prevented)

Life-cycle applicability: Duration of strategy, change implementation process, operational process

3.3.3 Organisational Requirements for the Successful Implementation of a Risk Management System 3/9

Formal Risk Management policy

Commitment to organisation-wide risk management

Accurate design and implementation planning

-Time, cost plan, long-term operation, resource allocation, formal management review and sponsorship

Design, implementation and operation management

3.3.4 Summary 3/10

3.4 Risk Management Methodology 3/11

3.4.1 Introduction 3/11

3.4.2 The Main Elements of a Risk Management System 3/11

Stages of framework:

-Risk context

  • Strategic, process, operational framework

-Risk identification

-Risk classification, analysis, evaluation

  • Primary risk drivers => risk map, grid

-Risk evaluation

  • Evaluate consequences

-Risk appetite

  • Attitudes of decision maker

-Risk response

  • Keep, transfer...

-Risk management system monitor and review

3.4.3 Risk Context 3/13

Define objectives and processes to attain objectives

-Strategic objectives, change, operational objectives

Organizational sensitivity: reserves, borrowing capacity

Work-breakdown structure

3.4.4 Risk Identification 3/15

Identified risk may give rise to new risks

Consequential risks

Cascade risks

Risk identification methods

-Source and effect

  • Identify risk effect
  • Brainstorm to identify cause and effect
  • Draw effect box and prime arrow
  • Identify possible categories of contributors
  • Identify possible causes
  • Develop proposed corrective action

-Brainstorming

-Delphi method

  • No expert interaction, anonymous contribution, steering group consolidates and distributes

-Nominal group technique

  • Brainstorm problem, list answers, discuss ideas, private individual ranking, display collective ranking

-SWOT Analysis

3.4.5 Risk Classification, Analysis and Evaluation 3/24

Quantitative approach:

-accurate, absolute variables

Semi-quantitative approach:

-approximation or equivalent

-numerical approximation of qualitative assessment

Qualitative approach:

-text, graphical representation; majority of risk assessments

Risk Classification:

-Risk type

-Risk source/scope

-Risk impact

Risk Analysis:

  1. Identify and evaluate all relevant information
  2. Consider risk appetite
  3. Consider risk characteristics
  4. Controllability
  5. Establish measurement system
  6. Modelling/ subjective
  7. Interpret results
  8. Make decision

Alternate approach:

  1. Identify source and extract all relevant information
  2. Identify all threats/opportunities (SWOT)
  3. Map variables that determine probability/impact
  4. Assess probability and impact
  5. Consider all available options
  6. Develop target risk map
  7. Assess value added through approach
  8. Set up monitoring and reporting system

Risk Evaluation

-Code or descriptor labels the magnitude of risk

  • E.g. yellow, A1...
  • Defines response options

Risk Map

-Similar to risk profiling, aka risk footprinting

-Quadrants (Y: Impact, X: Likelihood)

  • Red: immediate action
  • Yellow 1: HI, LL: Contingency planning, monitor
  • Yellow 2: LI, HL: Net effect as for Y1
  • Green: ensure do not propagate

-Map is dynamic

  • Current risk map, Target map, risk migration

-Variability limits

  • Boundaries and limits with confidence and sub-probabilities

Risk Matrix

-Alternative to Risk Map; more common

3.4.6 Risk Appetite 3/37

Risk seeker, Risk neutral, Risk averse

Most organisations balance risk attitude

-Higher risk investments for large earnings

-Lower-risk investments “as bankers”: stable income stream

Creativity and risk inherent in some job types

3.4.7 Risk Response 3/39

Depends on:

-Nature of risk

-Detail of analysis

-Attitude of risk taker

Range of variables

-Company policy

-Duration of exposure

-Individual interests

-Voluntary/involuntary risk

-Alternatives

Risk distribution (contract)

-Is outcome worth the risk

-Who has greatest risk control

-Who has greatest risk liability

  • Onus on least affected; concept of vicarious liability (e.g. implied by employee action)

-What incentive does each party have

Risk response stages

-Identification of response options

  • Risk reduction
  • Training and development; redefinition of objectives
  • Risk transfer
  • Contract
  • Damage clauses
  • Insurance
  • Insurability
  • Premium cost
  • Maximum probable loss
  • Likely cost of loss
  • Full reinstatement
  • Probable cost if uninsured
  • Risk avoidance
  • Decision not to proceed
  • Rescission (determination) following breach of contract
  • Court rectification of unreasonable term: can nullify risky condition
  • Seeking information
  • Risk retention
  • Residual risk

-Evaluation of cost/benefit of option

  • Low cost for large risk reduction
    • Safety training
  • High cost for low risk reduction
    • Satellite launcher
  • Changing risk profile
    • E.g. flooding more common due to global warming

-Preparation/implementation of response plan

  • Project sponsor
  • Defined time, cost, quality
  • Clear aims and objectives
  • Monitoring and control system

3.4.8 Risk Monitoring and Control 3/46

Record all assumptions and evaluation processes

-System may be incorrect

-Items may be missed in identification

-Errors may occur during evaluation

Regular reports on red quadrant

-Constant programme review for handling risks

3.4.9 Summary 3/47

3.5 Risk, Contracts and Procurement 3/48

3.5.1 Introduction 3/48

For transactions with external contractor or supplier

Purpose:

-Define risk

-Create degree of control

Competitive bids

-Description of works

-Terms and conditions

Protection against disagreement and conflict

-Inadequate documentation

-Incorrect estimates and pricing

-Unreasonable risk

-Insolvency

-Ambiguous specification

Commensurate risk:

-Inability to fulfil obligation due to own inadequacy or interference from outside events

Some contracts depend on uberrima fides (utmost good faith)

-Obligation to disclose all relevant information

3.5.2 Basic Contract Theory 3/49

Contract document:

-Signature block and project title

-Definition of terms and scope

-Information/facilities provided by client