Identifying Risk
By Kallman, James
Creating a risk management program is a critical prerequisite to
measuring risk. But once we have a clear understanding of our
organization's goals, the risk associates who will help and the
standard operating procedures, it is time to roll up our sleeves and
tackle the next step: risk analysis. First, we should have a clear
understanding of what types of risks we will be measuring. One way
to categorize risks is as strategic, operational or economic. Recall
that strategic risks are those opportunities that have long-term
variations in outcomes. This includes reputation risk, quality risk,
brand risk and others that have multi-year impacts. Operational
risks are the traditional business and hazard risks that we have
been managing for years. These risks have variations in outcomes
within one operating period. Economic risks are political and
financial situations that are created by micro- and macroeconomic
events. Examples include exchange rate risk, kidnap and ransom risk,
convertibility risk, and interest rate risk. We try to separate
risks into these general categories because it facilitates the
understanding of the associated perils and hazards. The better we
can describe our risks, the easier it is to treat them.
Next in the risk identification step, we set up the parameters that
will clearly define each risk and its characteristics. In ERM we
have pure and speculative risks. For each type of outcome we have
some established and some new terms to describe the risks. First, we
have exposures for pure risks and projects for speculative risks.
Exposures are those things that are subject to a loss in value.
Projects (from the finance discipline) are activities that may
result in a gain or loss in value. These risks are further defined
by describing the cause of the change in the subject's value. Changes in
pure risk exposure values are caused by perils; changes in
speculative project values are caused by opportunities. Finally, we
define those conditions or events that increase the probability
and/or impact of the change. In pure risk, these are called hazards; in
speculative risk, these are drivers.
We try to describe risks in great detail in order to facilitate
their management. The better a risk is understood, the more obvious
the solutions will be.
Now that we have a set of parameters to describe our enterprise's
risks, we can head into the thick of operations to help our risk
associates identify their risks. There are seven proven techniques
for identifying risks. Each has its advantages and disadvantages, so
a risk manager should use all of these techniques to ensure due
diligence.
Statistical analysis. When sufficient (and relevant) internal or
industry data is available, a statistical analysis of outcomes is a
popular method of forecasting mean values and standard deviations.
Actuaries have numerous models to analyze loss data; managerial
accountants also have many models to project future sales, costs and
financial outcomes. One advantage of this method is that the results
are generally accepted by decision makers. The numbers are "real"
and reflect past performance. As long as the environments are
reasonably stable, the forecasts from these loss runs and sales
reports yield acceptable projections. The disadvantage of
statistical analysis is that the analyst often lacks enough
sufficiently reliable data to create statistically valid inferences:
a large number of independent, homogeneous observations are crucial
for proper statistical predictions. Fortunately, computer
simulations (e.g., cat modeling) can help alleviate this challenge
in many cases.
Another problem with this technique is that business environments
can be so dynamic that past performance may not be a valid predictor
of future outcomes. Companies are constantly changing products,
services, processes, operating territories and many other variables.
With such variation, past performance may be of limited value in
predicting the future. In many organizations, however, the
environments are sufficiently stable, allowing risk managers to base
future risks on historic information.
Contract analysis. People sign or agree to contracts on almost a
daily basis. Examples include purchase orders, sales orders,
employment agreements, mergers and acquisitions, and insurance
contracts. Yet seldom do people carefully read or review these
contracts with either their risk manager or general counsel. As a
result, the organization may be exposed to many contractual risks.
Therefore, it is prudent to read (or have a qualified attorney read)
the contracts to identify these risks. Examples of risk that may be
found in contracts include hold harmless agreements, exculpatory
clauses or waivers. Some of these risks could place the organization
in a vulnerable position. The advantage of this technique is that it
forces the organization to carefully read through all of its
contracts. A disadvantage is that usually a qualified (and
expensive) legal counsel must be engaged to decipher the legalese.
Surveys and checklists. As familiar tools for risk managers, risk
surveys and insurance checklists are quite popular. Some advantages
of insurance checklists are that the intermediary usually provides
them free of charge and often completes them for the insured. A
disadvantage is that the hazards identified are often limited to
those most commonly insurable. In contrast, risk management surveys
are more comprehensive and help identify many unique risks. However,
their disadvantages include greater cost and time required. Both
checklists and surveys are good starting points to build an
individualized risk register for your organization. This register
can be updated as your organization grows.
Chart analysis. Charts provide an excellent visual guide to
identifying risks. One of the best is an organizational flow chart.
This illustrates the flow of materials, resources and time through
the organization's processes. Flow charts are lauded for their
ability to identify bottlenecks and superfluous processes. A
disadvantage of flow charts is they may only reflect the intended
flows as dictated by policy. Actual flows may be modified in
practice, making it important for the risk manager to verify the
charts with the people actually performing the work. Another
important chart to review is the organizational chart, which can
identify any potential human resource bottlenecks.
Expert interviews. An organization's experts can be external or
internal. External experts include bankers, accountants, lawyers,
auditors, safety engineers and consultants. Each brings a broad base
of experience and knowledge to the risk manager. Their diverse
familiarity with other organizations' operations may enable the risk
manager to discover new or unimagined risks. The disadvantage of
using external experts is they charge for their services. Internal
experts are not limited to senior managers. Often the person on the
shop floor has specialized knowledge and experience that permits
identification of many risks not imagined in the board room or
anticipated by system designers. This practical, hands-on knowledge
makes these workers vital risk associates. Strategic risk
identification is the purview of C-level managers and board members.
Their visionary skills should be enhanced with the ability to
forecast variations from the intended long-range goals. The risk
manager's interview should facilitate this brainstorming session.
Financial statement analysis. Different financial statements are
prepared for several audiences. For example, managerial reports are
intended as internal tools to set goals and budget resources. They
may contain accounts that are not reported in external reports that
must follow generally accepted accounting principles (GAAP). For
example, expected losses and incurred but not reported losses, plus
a buffer for variation, can be reported in budgets. The
organization's annual report also provides a plethora of risk
management information. Asset groups can be identified in the
balance sheet; important variable expenses are identified on the
income statement; and critical cash flows are revealed on the
statement of cash flows. However, one of the most revealing parts of
the annual report is the notes section. Significant and material
disclosures are presented in the notes. The risk manager should
carefully study and review this section with the CFO.
Personal inspections. Perhaps the most effective technique for
identifying risks is for risk managers to get up out of their
chairs, get away from their computers and books, and get out onto
the shop floor. This is where the risk manager can observe the
operational risks first hand. Personal inspections should be
regarded as a required part of risk identification. Regular (and
sometimes surprise) inspections assure the most effective
application of this risk identification technique.
James Kallman, Ph.D., ARM, is the owner of Kallman Consulting
Services. He writes materials for and teaches RIMS Fellow in risk
management courses and is a professor of risk management at the
International School of Management and Kaplan University.