Welcome Guest! To enable all features please Login or Register.



#1 Posted : Tuesday, October 29, 2013 9:09:33 AM(UTC)

Rank: Administration

Groups: Registered, Administrators
Joined: 10/23/2013(UTC)
Posts: 7


Creating shareholder value requires generating returns in excess of the organization’s weighted average cost of capital. Understanding the economic value added by activities is as much a risk manager’s responsibility as it is a Chief Financial Officer’s responsibility. Modeling risk treatments must consider the impact of the treatment on the value of the enterprise both as a prerequisite for engaging in a treatment, and also as a confirmation of the value of a treatment once the treatment period has come to pass.

Before discussing key considerations, it should be acknowledged that not all risk exposures and treatments need to be modeled. Experienced risk managers understand that many exposures, particularly residual risk levels governed by established controls, can be quickly assessed as well within tolerance levels, and additional analysis is not productive. That said, the risk manager might still wish to capture risk levels and treatment details for some such risks, when material, if only to ensure that reporting captures the total impact of risk management strategies.

Key Considerations

The first critical step in modeling a treatment is to have a well-defined estimate of risk levels. Risk levels represent the difference between what could happen in excess of what is within the risk appetite, or more specifically, exposures to risk that eclipse the criteria for the risk. For example, an organization may have zero appetite for environmental contamination incidents resulting in damage in excess of $10 Million. In analyzing the risk of such incidents, the organization might conclude that there is a chance for environmental contamination damage of $50 Million. In this scenario the exposure is $50 Million, the Risk Criteria becomes $10 Million, and the Risk Level is $40 Million before treatment.

There are some important steps in the above example that need to be considered more carefully. Namely, “What is the exposure based on?” Most experts would concede that exposure estimates are ideally based on some combination of sound expert opinions and probabilities derived from data. Since data is not always available, other tools including Monte Carlo simulation might be employed in order to develop a reasonable range of possible likelihood and consequence values. In agreeing on an exposure estimate, foresight dictates that some level of confidence must be taken into consideration. In other words, in the event the risk occurs, it should be anticipated that boards would inquire as to what tolerance levels were used to estimate the potential exposure in terms of likelihood and potential consequence. The Risk Manager should be sure that such standards are reached with the approval of the board, and communicated in risk management policies.

The Risk Manager must also be sure that criteria for risks is well understood. This can to be done with two complimentary approaches that meet in the middle. First, a top-down approach can be used by Risk Managers to communicate the risk appetite of the organization and remove any ambiguity regarding the type and level of risk that the organization is willing to partake in pursuit of its objectives. The risk appetite policy should be reasonably explicit, specifying appetite in the context of well understood risk categories and processes, and denoting protocols for escalating exposures to risk that conflict with the appetite.

The second approach, bottom-up, involves ensuring managers understand how to measure individual risk levels in their day-to-day risk management activities. This step is important to ensure that risk levels are consistently derived based on standardized techniques. For example, the policy might stipulate that a quantitative estimate of risk level be based reached with 95% confidence for both the likelihood and consequence variables, and that only the amount in excess of what was planned for, or some other reasonable benchmark, comprise a risk level. Also, as a matter of policy, it’s a good practice that all estimates be reviewed by a manager before treatments are finalized. Review by experienced managers is an important step not only in validating the thought process behind the analysis, but also in providing a reasonableness check, since experienced managers will know when an analysis is “out in left field”.

The top-down and bottom-up approaches discussed above need to meet in the middle. Risk Managers need to have access to aggregated risk level data to ensure that the sum of individual risk levels do not exceed overall appetite.

There are at least two characteristics of the ERM framework that can facilitate the reconciliation of top-down and bottom-up approaches. First, aligning risk management responsibility with financial responsibility in order to decrease the likelihood that any unit in the organization will take unauthorized risks, or not leverage the authorization they are allowed to improve their chances of achieving objectives through risk management. Aligning risk management responsibility with financial responsibility positions organizations to monitor aggregate risk levels (namely residual risk level variances) to plan at a lower level, and potentially address them more quickly. The second opportunity is to leverage information systems. If an organization relies on manually generated reports for summarizing risk data, then errors and delays in the process can impact the effectiveness of the ERM program. Also, manual summaries are extremely inefficient. Conversely, a well-designed database application can provide instant access to risk data in the appropriate context across the organization without the opportunity for errors. Information systems also can be leveraged to ensure that policies for analyzing and risk levels are applied.

With reasonable assurances that policies governing risk assessment are in place, treatments can be evaluated with more consistent results. The same analysis can be used to model treatments targeting the high end and low end of a risk level, ensuring that prospective opportunities are handled with the same standards as risks. Whether it is the high end or low end depends on the risk (investment price risk would necessitate targeting treatments at the low end, whereas input price risk would be concerned with the high end). In either event, the impact of the treatment should be calculated and applied to the risk level to enable evaluation on a pre-treatment and post-treatment basis, as well as the level of residual risk (or risk level net of mitigation). To accommodate variations in treatment periods, it might be beneficial to review this data in nominal and present value terms.

The final consideration for treatment modeling is cost. The cost needs to be included to enable calculating the maximum cost-benefit of the mitigation (or more precisely, the times cost recovered), which enables the comparison of alternative treatment strategies to one another, and benchmark financial criteria. When reviewing such metrics, it is critical to ensure that the treatment period for which the treatment is being modeled is the same as the period used for generating the estimated risk levels. It serves very little purpose to evaluate the effectiveness of a 90 day treatment for a 180 day exposure, which would theoretically cost twice as much to treat. In addition, for some treatments, particularly those involving changes to controls that may not be 100% effective, the treatment model should facilitate adjusting the impact based on expected control effectiveness.

If this sounds overly straightforward, it is by design. Developing complicated models for risk analysis, modeling and evaluation should limited to those situations where no alternative is available, and there are subject matter experts in place to use them. For the remainder of the risk management constituency, risk management tools and techniques should be easy to understand and apply. This must be so in order to achieve the bespoken goal of embedding risk management in the management processes and culture or the organization.

RiskWaves Treatments Module

RiskWaves supports your modeling needs with automatically calculated pre-treatment and post-treatment risk levels, treatment impacts, and residual risk amounts in nominal and present values. In addition, RiskWaves treatment modeling allows you to select from a variety of vehicles from including Calls and Puts, Swaps, Futures and Forward Rate Agreements, Indemnities (including per event deductibles and caps, and policy level caps), Short and Long positions, Investments, and contingencies to user defined vehicles. Treatments allow you to incorporate control effectiveness into your modeling activities too. RiskWaves will also calculate your potential payback, allowing you to compare alternative treatments to help determine the optimal strategy.

RiskWaves permits you to aim your treatment based at specific targets, which can be the upper or lower end of a total risk level or consequence specific risk level. RiskWaves will also convert your treatments into Follow-Up analysis where you can enter your actual observations and calculate the actual payback and ROI for your treatment. You will also find extensive reporting in RiskWaves to monitor risk levels and treatments.

Download your free sixty day trial version of RiskWaves beta today and tell us what you think. We welcome your feedback.

Edited by user Monday, March 02, 2015 10:58:08 PM(UTC)  | Reason: Administrative

Thank You
Risk Control Assoc. Admin
Users browsing this topic
Guest (22146)
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.