When approaching risk financing decisions, the first step is to establish your foundation for risk appetite. (See part one of this series in last month’s issue.)
Next, analyze a key risk or risks to investigate whether alternative mitigation strategies would be a better management approach. By leveraging the risk identification and prioritization elements of a risk management program, the key risks to model can be identified.
“Examples of key risks include supply chain risks, political risk, fraud and commodity price risk,” says Keith DeCoster, managing director, Aon Risk Services. “If one of the key risks arising from the risk management program is similar to those evaluated in the risk appetite determination, the risk appetite model can then be leveraged in the analysis.”
In part two of a three-part series, Smart Business spoke with DeCoster about how to analyze your risks.
What is the initial objective of modeling key risks?
The initial objective should be to estimate their potential unmitigated impact. Begin without mitigation to provide a strong baseline for management strategy comparison. A supply chain risk such as a sole source supplier risk should be measured without the impact of mitigating factors such as safety stock or other business continuity strategies. Only then can strategies such as additional suppliers, safety stock for supplies, or additional inventory for finished goods be compared. When building a risk model, it is important to align it to three key management objectives:
- Maximize risk versus reward trade-offs
- Maximize success within risk appetite and risk tolerance levels, where risk tolerance is simply a portion of an organization’s risk appetite for an individual risk
- Mitigate catastrophic events that can prevent the firm from reaching objectives
These often do not work directionally together. An organization’s ability to analyze this balance can help guide a decision to select the best-suited risk management strategy.
How can you model the impact of potential risks?
It’s important to mimic the potential for event occurrence and impact ranges during model construction through a well-thought-out set of assumptions. For a workers’ comp casualty risk model, distributions and parameters for occurrence and impact can be based on historical events and future exposure trends. For more complex models, or those with less data to rely on, assumptions regarding event sequencing, interdependencies, occurrence and impact need to be carefully vetted to ensure they are providing a good proxy for the system or series of risks under investigation.
Assume an organization wishes to measure the impact of several operational and political risks to understand the potential disruption impact. To do this, the underlying exposure or potential causes of loss (or gain) need to be understood, including natural disasters, sovereign agreements and underlying elements, nationalization, terrorism and expropriation. Next, consider the organization’s specific operations to understand the magnitude of potential gain (or loss); get a sense of how events can occur based on the asset, operations and relationship profile; and understand any operational or event sequence interdependencies.
Finally, information regarding additional occurrence and impact assumptions needs to be incorporated to construct a more appropriate proxy of reality. Potential sources include engineering reports, incident reports, inventory information, supply chain redundancies and political risk information. This may serve as the justification to modify model parameters.
The graph below shows the measurement of a specific set of operational risks for an organization. On the Y axis is an impact scale, shown as the total cost of risk (net retained risk given the mitigation under consideration plus the cost of the mitigation strategy). The X axis is the confidence level. The graph shows the raw impact of risk (red line) and also the net impact given the risk management strategies incorporated measurement in the ‘as-is’ risk profile. This comparison allows organizations to identify alternative risk response strategies that may be better suited than the ‘as-is’ strategy. The blue line represents risk tolerance for the operational risks under investigation. This is a static value derived from the risk appetite measurement and provides a constraint for decision-making for these operational risks. In addition to the quantification output shown, it is also possible to add the key risk to the risk appetite model to see how various treatments of risk can impact enterprise volatility.
Next month: Part three.
Keith DeCoster is managing director of Aon Risk Services. Reach him at (317) 237-2400 or Keith_Decoster@aon.com.