Committee of Sponsoring Organizations of the Treadway Commission
Thought Leadership in ERM

RISK ASSESSMENT IN PRACTICE

By Deloitte & Touche LLP
Dr. Patchin Curtis
Mark Carey

The information contained herein is of a general nature and based on authorities that are subject to change. Applicability of the information to specific situations should be determined through consultation with your professional adviser, and this paper should not be considered a substitute for the services of such advisors, nor should it be used as a basis for any decision or action that may affect your organization.
Authors

Deloitte & Touche LLP

Principal Contributors
Dr. Patchin Curtis, Director, Deloitte & Touche LLP
Mark Carey, Partner, Deloitte & Touche LLP

COSO Board Members
David L. Landsittel, COSO Chair
Douglas F. Prawitt, American Accounting Association
Richard F. Chambers, The Institute of Internal Auditors
Marie N. Hollein, Financial Executives International
Chuck E. Landes, American Institute of CPAs (AICPA)
Sandra Richtermeyer, Institute of Management Accountants

Preface

This project was commissioned by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which is dedicated to providing thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control, and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations. COSO is a private-sector initiative jointly sponsored and funded by the following organizations:

American Accounting Association (AAA)
American Institute of CPAs (AICPA)
Financial Executives International (FEI)
The Institute of Management Accountants (IMA)
The Institute of Internal Auditors (IIA)

Thought Leadership in ERM

Research Commissioned by
Committee of Sponsoring Organizations of the Treadway Commission

October 2012
Copyright 2012, The Committee of Sponsoring Organizations of the Treadway Commission (COSO). All Rights Reserved. No part of this publication may be reproduced, redistributed, transmitted or displayed in any form or by any means without written permission. For information regarding licensing and reprint permissions please contact the American Institute of Certified Public Accountants licensing and permissions agent for COSO copyrighted materials. Direct all inquiries to or AICPA, Attn: Manager, Rights and Permissions, 220 Leigh Farm Rd., Durham, NC. Telephone inquiries may be directed to

Thought Leadership in ERM | Risk Assessment in Practice | iii

Contents                        Page
Introduction                       1
The Risk Assessment Process        2
Develop Assessment Criteria        3
Assess Risks                       8
Assess Risk Interactions          12
Prioritize Risks                  14
Putting It into Practice          18
About COSO                        19
About the Authors                 19
Introduction

Value is a function of risk and return. Every decision either increases, preserves, or erodes value. Given that risk is integral to the pursuit of value, strategic-minded enterprises do not strive to eliminate risk or even to minimize it, a perspective that represents a critical change from the traditional view of risk as something to avoid. Rather, these enterprises seek to manage risk exposures across all parts of their organizations so that, at any given time, they incur just enough of the right kinds of risk (no more, no less) to effectively pursue strategic goals. This is the "sweet spot," or optimal risk-taking zone, referred to in exhibit 1.

That's why risk assessment is important. It's the way in which enterprises get a handle on how significant each risk is to the achievement of their overall goals. To accomplish this, enterprises require a risk assessment process that is practical, sustainable, and easy to understand. The process must proceed in a structured and disciplined fashion. It must be correctly sized to the enterprise's size, complexity, and geographic reach.

While enterprise-wide risk management (ERM) is a relatively new discipline,[1] application techniques have been evolving over the last decade. The purpose of this paper is to provide leadership with an overview of risk assessment approaches and techniques that have emerged as the most useful and sustainable for decision-making. It represents another in a series of papers published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) aimed at helping organizations move up the maturity curve in their ongoing development of a robust ERM process.

Exhibit 1: Optimal Risk-Taking
[Figure: Expected Enterprise Value plotted against Risk Level, with three zones: Insufficient Risk-Taking, Optimal Risk-Taking (the "Sweet Spot"), and Excessive Risk-Taking.]

[1] Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management - Integrated Framework, 2004.
The Risk Assessment Process

Within the COSO ERM framework,[2] risk assessment follows event identification and precedes risk response. Its purpose is to assess how big the risks are, both individually and collectively, in order to focus management's attention on the most important threats and opportunities, and to lay the groundwork for risk response. Risk assessment is all about measuring and prioritizing risks so that risk levels are managed within defined tolerance thresholds without being overcontrolled or forgoing desirable opportunities.

Events that may trigger risk assessment include the initial establishment of an ERM program, a periodic refresh, the start of a new project, a merger, acquisition, or divestiture, or a major restructuring. Some risks are dynamic and require continual ongoing monitoring and assessment, such as certain market and production risks. Other risks are more static and require reassessment on a periodic basis, with ongoing monitoring triggering an alert to reassess sooner should circumstances change.

Exhibit 2: Assess Risks Process Flow Diagram
[Figure: Identify Risks -> Develop Assessment Criteria -> Assess Risks -> Assess Risk Interactions -> Prioritize Risks -> Respond to Risks; the four middle steps are grouped under the heading "Assess Risks".]

Identify risks. The risk (or event) identification process precedes risk assessment and produces a comprehensive list of risks (and often opportunities as well), organized by risk category (financial, operational, strategic, compliance) and sub-category (market, credit, liquidity, etc.) for business units, corporate functions, and capital projects. At this stage, a wide net is cast to understand the universe of risks making up the enterprise's risk profile. While each risk captured may be important to management at the function and business unit level, the list requires prioritization to focus senior management and board attention on key risks. This prioritization is accomplished by performing the risk assessment.

Develop assessment criteria. The first activity within the risk assessment process is to develop a common set of assessment criteria to be deployed across business units, corporate functions, and large capital projects. Risks and opportunities are typically assessed in terms of impact and likelihood. Many enterprises recognize the utility of evaluating risk along additional dimensions such as vulnerability and speed of onset.

Assess risks. Assessing risks consists of assigning values to each risk and opportunity using the defined criteria. This may be accomplished in two stages where an initial screening of the risks is performed using qualitative techniques followed by a more quantitative analysis of the most important risks.

Assess risk interactions. Risks do not exist in isolation. Enterprises have come to recognize the importance of managing risk interactions. Even seemingly insignificant risks on their own have the potential, as they interact with other events and conditions, to cause great damage or create significant opportunity. Therefore, enterprises are gravitating toward an integrated or holistic view of risks using techniques such as risk interaction matrices, bow-tie diagrams, and aggregated probability distributions.

Prioritize risks. Risk prioritization is the process of determining risk management priorities by comparing the level of risk against predetermined target risk levels and tolerance thresholds. Risk is viewed not just in terms of financial impact and probability, but also subjective criteria such as health and safety impact, reputational impact, vulnerability, and speed of onset.

Respond to risks. The results of the risk assessment process then serve as the primary input to risk responses whereby response options are examined (accept, reduce, share, or avoid), cost-benefit analyses performed, a response strategy formulated, and risk response plans developed. Discussions of event identification and risk response are beyond the scope of this paper. For detailed treatment, refer to the COSO Enterprise Risk Management - Integrated Framework (2004).

[2] COSO, Enterprise Risk Management - Integrated Framework (2004).
Develop Assessment Criteria

Traditional risk analysis defines risk as a function of likelihood and impact. Indeed, these are important measures. However, unlikely events occur all too often, and many likely events don't come to pass. Worse, unlikely events often occur with astonishing speed. Likelihood and impact alone do not paint the whole picture. To answer questions like how fast could the risk arise, how fast could you respond or recover, and how much downtime could you tolerate, you need to gauge vulnerability and speed of onset. By gauging how vulnerable you are to an event, you develop a picture of your needs. By gauging how quickly it could happen, you understand the need for agility and rapid adaptation.

Developing Assessment Scales

Some form of measurement of risk is necessary. Without a standard of comparison, it's simply not possible to compare and aggregate risks across the organization. Most organizations define scales for rating risks in terms of impact, likelihood, and other dimensions. These scales comprise rating levels and definitions that foster consistent interpretation and application by different constituencies. The more descriptive the scales, the more consistent their interpretation will be by users. The trick is to find the right balance between simplicity and comprehensiveness. Scales should allow meaningful differentiation for ranking and prioritization purposes. Five-point scales yield better dispersion than three-point scales. Ten-point scales imply precision typically unwarranted in qualitative analysis, and assessors may waste time trying to differentiate between a rating of six or seven when the difference is inconsequential and indefensible.

Illustrative scales are provided for impact, likelihood, vulnerability, and speed of onset. Every enterprise is different and the scales should be customized to fit the industry, size, complexity, and culture of the organization in question.

Impact

Impact (or consequence) refers to the extent to which a risk event might affect the enterprise. Impact assessment criteria may include financial, reputational, regulatory, health, safety, security, environmental, employee, customer, and operational impacts. Enterprises typically define impact using a combination of these types of impact considerations (as illustrated below), given that certain risks may impact the enterprise financially while other risks may have a greater impact on reputation or health and safety. When assigning an impact rating to a risk, assign the rating for the highest consequence anticipated. For example, if any one of the criteria for a rating of 5 is met, then the impact rating assigned is 5 even though other criteria may fall lower in the scale. Some entities define impact scales for opportunities as well as risks.
Illustrative Impact Scale

Rating 5, Extreme:
- Financial loss of $X million or more[3]
- International long-term negative media coverage; game-changing loss of market share
- Significant prosecution and fines, litigation including class actions, incarceration of leadership
- Significant injuries or fatalities to employees or third parties, such as customers or vendors
- Multiple senior leaders leave

Rating 4, Major:
- Financial loss of $X million up to $X million
- National long-term negative media coverage; significant loss of market share
- Report to regulator requiring major project for corrective action
- Limited in-patient care required for employees or third parties, such as customers or vendors
- Some senior managers leave, high turnover of experienced staff, not perceived as employer of choice

Rating 3, Moderate:
- Financial loss of $X million up to $X million
- National short-term negative media coverage
- Report of breach to regulator with immediate correction to be implemented
- Out-patient medical treatment required for employees or third parties, such as customers or vendors
- Widespread staff morale problems and high turnover

Rating 2, Minor:
- Financial loss of $X million up to $X million
- Local reputational damage
- Reportable incident to regulator, no follow up
- No or minor injuries to employees or third parties, such as customers or vendors
- General staff morale problems and increase in turnover

Rating 1, Incidental:
- Financial loss up to $X million
- Local media attention quickly remedied
- Not reportable to regulator
- No injuries to employees or third parties, such as customers or vendors
- Isolated staff dissatisfaction

[3] Financial impact is typically measured in terms of loss or gain, profitability or earnings, or capital.
Likelihood

Likelihood represents the possibility that a given event will occur. Likelihood can be expressed using qualitative terms (frequent, likely, possible, unlikely, rare), as a percent probability, or as a frequency. When using numerical values, whether a percentage or frequency, the relevant time period should be specified, such as annual frequency or the more relative probability over the life of the project or asset. Sometimes enterprises describe likelihood in more personal and qualitative terms such as "event expected to occur several times over the course of a career" or "event not expected to occur over the course of a career."

Illustrative Likelihood Scale

Rating 5. Annual frequency: Frequent, up to once in 2 years or more. Probability: Almost certain, 90% or greater chance of occurrence over life of asset or project.
Rating 4. Annual frequency: Likely, once in 2 years up to once in 25 years. Probability: Likely, 65% up to 90% chance of occurrence over life of asset or project.
Rating 3. Annual frequency: Possible, once in 25 years up to once in 50 years. Probability: Possible, 35% up to 65% chance of occurrence over life of asset or project.
Rating 2. Annual frequency: Unlikely, once in 50 years up to once in 100 years. Probability: Unlikely, 10% up to 35% chance of occurrence over life of asset or project.
Rating 1. Annual frequency: Rare, once in 100 years or less. Probability: Rare, less than 10% chance of occurrence over life of asset or project.
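The highest-consequence rule for impact and the two illustrative likelihood scales translate directly into a small scoring routine. The Python below is an added example, not code from the paper or from COSO or Deloitte. The register entry and its ratings are constructed, boundary values are assigned the higher rating (a conservative choice made here), and the Poisson conversion from annual frequency to probability over an asset's life is an assumption of this example; the paper only says that the time basis must be stated.

```python
import math

# Illustrative annual-frequency scale from the paper, as (lower bound in events
# per year, rating, descriptor). Rating 5 is "once in 2 years or more", 4 is
# once in 2 years up to once in 25 years, and so on; below once in 100 years
# is rating 1 (Rare). A value exactly on a boundary takes the higher rating.
FREQUENCY_SCALE = [
    (1 / 2, 5, "Frequent"),
    (1 / 25, 4, "Likely"),
    (1 / 50, 3, "Possible"),
    (1 / 100, 2, "Unlikely"),
]

# Illustrative probability-over-life scale: 90% or more "Almost certain",
# 65-90% "Likely", 35-65% "Possible", 10-35% "Unlikely", below 10% "Rare".
PROBABILITY_SCALE = [
    (0.90, 5, "Almost certain"),
    (0.65, 4, "Likely"),
    (0.35, 3, "Possible"),
    (0.10, 2, "Unlikely"),
]


def _rate(value, scale, floor_descriptor):
    """Return (rating, descriptor) for the first band whose lower bound is met."""
    for lower_bound, rating, descriptor in scale:
        if value >= lower_bound:
            return rating, descriptor
    return 1, floor_descriptor


def likelihood_from_annual_frequency(events_per_year):
    if events_per_year < 0:
        raise ValueError("frequency must be non-negative")
    return _rate(events_per_year, FREQUENCY_SCALE, "Rare")


def likelihood_from_probability(probability):
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    return _rate(probability, PROBABILITY_SCALE, "Rare")


def probability_over_horizon(events_per_year, years):
    """Chance of at least one occurrence over `years`, assuming events arrive as a
    Poisson process at the given annual rate. This conversion is an assumption
    added by this example so the two scales can be compared on one risk."""
    return 1.0 - math.exp(-events_per_year * years)


def impact_rating(ratings_by_criterion):
    """Highest-consequence rule: each criterion (financial, reputational,
    regulatory, ...) is rated 1-5 against the impact scale and the overall
    rating is the maximum, even when the other criteria rate lower."""
    if not ratings_by_criterion:
        raise ValueError("at least one impact criterion is required")
    for criterion, rating in ratings_by_criterion.items():
        if rating not in (1, 2, 3, 4, 5):
            raise ValueError(f"{criterion}: rating {rating!r} is not on the 1-5 scale")
    return max(ratings_by_criterion.values())


def assess(name, impact_criteria, events_per_year, asset_life_years):
    """Combine the pieces into one risk register record."""
    freq_rating, freq_descriptor = likelihood_from_annual_frequency(events_per_year)
    p_life = probability_over_horizon(events_per_year, asset_life_years)
    prob_rating, prob_descriptor = likelihood_from_probability(p_life)
    return {
        "risk": name,
        "impact": impact_rating(impact_criteria),
        "likelihood_annual": (freq_rating, freq_descriptor),
        "probability_over_life": round(p_life, 3),
        "likelihood_over_life": (prob_rating, prob_descriptor),
    }


if __name__ == "__main__":
    # Constructed register entry: a customer data breach whose regulatory
    # consequence rates Major (4) although every other criterion rates lower.
    breach = {"financial": 2, "reputational": 3, "regulatory": 4,
              "health_safety": 1, "employee": 2}
    print(assess("Customer data breach", breach, events_per_year=0.2, asset_life_years=10))
```

Rating the breach at 0.2 events per year lands on "Likely" under the annual-frequency scale, and the same rate over a 10-year asset life gives roughly an 86% chance of at least one occurrence, which is also "Likely" on the probability scale; when the two disagree for a real risk, that is the signal to check which time basis the assessors actually had in mind.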
Vulnerability

Vulnerability refers to the susceptibility of the entity to a risk event in terms of criteria related to the entity's preparedness, agility, and adaptability. Vulnerability is related to impact and likelihood. The more vulnerable the entity is to the risk, the higher the impact will be should the event occur. If risk responses including controls are not in place and operating as designed, then the likelihood of an event increases. Assessing vulnerability allows entities to gauge how well they're managing risks. Vulnerability assessment criteria may include capabilities to anticipate events such as scenario planning and real options,[4] capabilities to prevent events such as risk responses in place, capabilities to respond and adapt quickly as events unfold, and capabilities to withstand the event such as capital buffer and financial strength. Other factors can also be considered such as the rate of change in the industry or organization. There is no one-size-fits-all assessment scale. Every entity must define scales to meet its needs.

Illustrative Vulnerability Scale

Rating 5, Very High:
- No scenario planning performed
- Lack of enterprise level/process level capabilities to address risks
- Responses not implemented
- No contingency or crisis management plans in place

Rating 4, High:
- Scenario planning for key strategic risks performed
- Low enterprise level/process level capabilities to address risks
- Responses partially implemented or not achieving control objectives
- Some contingency or crisis management plans in place

Rating 3, Medium:
- Stress testing and sensitivity analysis of scenarios performed
- Medium enterprise level/process level capabilities to address risks
- Responses implemented and achieving objectives most of the time
- Most contingency and crisis management plans in place, limited rehearsals

Rating 2, Low:
- Strategic options defined
- Medium to high enterprise level/process level capabilities to address risks
- Responses implemented and achieving objectives except under extreme conditions
- Contingency and crisis management plans in place, some rehearsals

Rating 1, Very Low:
- Real options deployed to maximize strategic flexibility
- High enterprise level/process level capabilities to address risks
- Redundant response mechanisms in place and regularly tested for critical risks
- Contingency and crisis management plans in place and rehearsed regularly

[4] A real option is an option involving real, as opposed to financial, assets. Real assets include land, plant, and machinery. Real option analysis uses option pricing theory to value capital investment opportunities. An example of a real option would be the overbuilding of a facility to provide strategic flexibility in the event that demand were to increase faster than production capacity.
Speed of Onset (or Velocity)

Speed of onset refers to the time it takes for a risk event to manifest itself, or in other words, the time that elapses between the occurrence of an event and the point at which the company first feels its effects. Knowing the speed of onset is useful when developing risk response plans.

Illustrative Speed of Onset Scale

Rating 5, Very High: Very rapid onset, little or no warning, instantaneous
Rating 4, High: Onset occurs in a matter of days to a few weeks
Rating 3, Medium: Onset occurs in a matter of a few months
Rating 2, Low: Onset occurs in a matter of several months
Rating 1, Very Low: Very slow onset, occurs over a year or more

Inherent and Residual Risk

When assessing risks, it's important to determine whether respondents will be asked to assess inherent risk, residual risk, or both. In Enterprise Risk Management - Integrated Framework (2004), COSO defines inherent risk as the risk to an entity in the absence of any actions management might take to alter either the risk's likelihood or impact. Residual risk is the risk remaining after management's response to the risk. Applying this concept is trickier than it might seem at first glance. Some entities interpret inherent risk to be the level of risk assuming responses currently in place fail, and residual risk to be the level of risk assuming existing responses operate according to design. Other entities interpret inherent risk to be the current level of risk assuming existing responses operate according to design, and residual risk to be the estimated risk after responses under consideration are put into place. The first approach is focused more on controls effectiveness of the current environment and the second approach on evaluating risk response options. There is no one right answer and either approach may be useful depending upon the purpose of the assessment and the nature of the risks being considered.
Assess Risks

Risk assessment is often performed as a two-stage process. An initial screening of the risks and opportunities is performed using qualitative techniques, followed by a more quantitative treatment of the most important risks and opportunities lending themselves to quantification (not all risks are meaningfully quantifiable). Qualitative assessment consists of assessing each risk and opportunity according to descriptive scales as described in the previous section. Quantitative analysis requires numerical values for both impact and likelihood using data from a variety of sources. The quality of the analysis depends on the accuracy and completeness of the numerical values and the validity of the models used. Model assumptions and uncertainty should be clearly communicated and evaluated using techniques such as sensitivity analysis.

Both qualitative and quantitative techniques have advantages and disadvantages. Most enterprises begin with qualitative assessments and develop quantitative capabilities over time as their decision-making needs dictate.

Measurement Techniques Comparison

Qualitative, advantages:
- Is relatively quick and easy
- Provides rich information beyond financial impact and likelihood such as vulnerability, speed of onset, and non-financial impacts such as health and safety and reputation
- Is easily understood by a large number of employees who may not be trained in sophisticated quantification techniques

Qualitative, disadvantages:
- Gives limited differentiation between levels of risk (i.e. very high, high, medium, and low)
- Is imprecise: risk events that plot within the same risk level can represent substantially different amounts of risk
- Cannot numerically aggregate or address risk interactions and correlations
- Provides limited ability to perform cost-benefit analysis

Quantitative, advantages:
- Allows numerical aggregation taking into account risk interactions when using an "at risk" measure such as Cash Flow at Risk
- Permits cost-benefit analysis of risk response options
- Enables risk-based capital allocation to business activities with optimal risk-return
- Helps compute capital requirements to maintain solvency under extreme conditions

Quantitative, disadvantages:
- Can be time-consuming and costly, especially at first during model development
- Must choose units of measure such as dollars and annual frequency, which may result in qualitative impacts being overlooked
- Use of numbers may imply greater precision than the uncertainty of inputs warrants
- Assumptions may not be apparent
For qualitative assessments, the most commonly used assessment techniques are interviews, cross-functional workshops, surveys, benchmarking, and scenario analysis. Quantitative techniques range from benchmarking and scenario analysis to generating forward-looking point estimates (deterministic models) and then to generating forward-looking distributions (probabilistic models). Some of the most powerful probabilistic models from an enterprise-wide standpoint include causal at-risk models used to estimate gross profit margins, cash flows, or earnings over a given time horizon at given confidence levels.

Analysis of Existing Data

Reviewing internal and external data can help individuals assess the likelihood and impact of a risk or opportunity. Sources of risk occurrence data include internal and external audit reports, public filings, insurance claims and internal loss event data including near misses, published reports by insurance companies, industry consortia, and research organizations. While relying on existing data provides objectivity, it's important to evaluate the relevance of the data under current and projected conditions. Adjustments may be warranted using expert judgment. In these cases, the rationale for adjustments must be clearly documented and communicated.

Interviews and Cross-Functional Workshops

Assessment can be conducted through one-on-one interviews or facilitated meetings. Cross-functional workshops are preferable to interviews or surveys for assessment purposes as they facilitate consideration of risk interactions and break down siloed thinking. Workshops improve understanding of a risk by bringing together diverse perspectives. For example, when considering a risk such as information security breach, workshop participants from information technology, legal and compliance, public relations, customer service, strategic planning, and operations management may each bring different information regarding causes, consequences, likelihoods, and risk interactions. Interviews may be more appropriate for senior management, board members, and senior line managers due to their time constraints. Workshops may not work well in cultures that suppress free sharing of information or divergent opinions.

Surveys

Surveys are useful for large, complex, and geographically distributed enterprises or where the culture suppresses open communication. Survey results can be downloaded into analytical tools allowing risks and opportunities to be viewed by level (board members, executives, managers), by business unit, by geography, or by risk category. Surveys have drawbacks too. Response rates can be low. If the survey is anonymous, it may be difficult to identify information gaps. Quality of responses may be low if respondents give survey questions superficial attention in a rush to completion, or if they misunderstand something and don't have the opportunity to ask clarifying questions. But perhaps most of all, respondents don't benefit from cross-functional discussions which enhance people's risk awareness and understanding, provide context and information to support the risk ratings, and analyze risk interactions across silos. For these reasons, surveys should not be considered a substitute for workshops and other techniques for in-depth analysis of key risks.

Benchmarking

Benchmarking is a collaborative process among a group of entities. Benchmarking focuses on specific events or processes, compares measures and results using common metrics, and identifies improvement opportunities. Data on events, processes, and measures are developed to compare performance. Some companies use benchmarking to assess the likelihood and impact of potential events across an industry. Benchmarking data are available from research organizations, industry consortia, insurance companies and rating agencies, government agencies, and regulatory and supervisory bodies. For example, an oil field services company might benchmark its safety risk using measures such as lost time injuries, using data for similar companies available from the Bureau of Labor Statistics, the Occupational Health and Safety Administration (OSHA), the American Petroleum Institute (API), or others.
Scenario Analysis

Scenario analysis has long been recognized for its usefulness in strategic planning. It is also useful for assessing risks and tying them back to strategic objectives. It entails defining one or more risk scenarios, detailing the key assumptions (conditions or drivers) that determine the severity of impact, and estimating the impact on a key objective. In the example below, management wanted to understand how earnings could be negatively impacted. Six scenarios impacting earnings were identified, causal factors (such as price or volume changes or state of the economy) determined, detailed assumptions calibrated, and the earnings impact estimated. Scenarios can be developed jointly by risk owners and ERM personnel and built out and validated with specialists from various functions and management.

Scenario Analysis

1) Currency changes impact competitive landscape. Detailed assumptions: 15% volume decrease; 20% price decrease; sustained for 9 months; recovery takes additional 9 months. EBIT* impact ($MM): -$500
2) Natural gas prices increase. Detailed assumptions: $5/MM Btu increase; sustained for 12 months; no ability to pass through increase. EBIT impact ($MM): -$150
3) Crude oil prices increase. Detailed assumptions: 100% increase; sustained for 3 months; pass through 25% of cost increase. EBIT impact ($MM): -$15
4) Technology shift. Detailed assumptions: 15% volume decrease/year; 15% price decrease/year; $2MM less in R&D expenditures. EBIT impact ($MM): -$275
5) Competitive pressure. Detailed assumptions: 10% price decrease; sustained for 24 months. EBIT impact ($MM): -$200
6) Supply chain disruption. Detailed assumptions: 10% volume decrease; sustained for 6 months. EBIT impact ($MM): -$175

* Earnings before interest and taxes.
Source: Frederick Funston and Stephen Wagner, Surviving and Thriving in Uncertainty (Hoboken, NJ: John Wiley & Sons, Inc., 2010), 69.
Causal At-Risk Models

Gross Margin at Risk (GMaR), Cash Flow at Risk (CFaR), and Earnings at Risk (EaR) are metrics built on causal models where specific risk factors drive future uncertainty of key cash flow or earnings components. Each risk factor can be modeled in detail and incorporated into the overall model. Using a causal at-risk model can provide insight into how historical relationships might become uncoupled and deviate meaningfully from expectations. Armed with the knowledge of how each risk factor could vary in the future and impact cash flow or earnings, risk can be better measured and managed. It is the added insight of the risk factors driving uncertainty that makes causal models a step up from simply extrapolating past relationships in a pro forma approach.

Model inputs may be derived from past records, relevant experience, relevant published literature, market research, public consultation, experiments and prototypes, and economic, engineering or other models. Where historical data are not available, not relevant, or incomplete, expert elicitation may be used. Expert elicitation is most commonly used to estimate reasonable probabilities, especially for low likelihood, high impact events. Experts are valuable sources of information and knowledge. But experts also bring biases. Fortunately, a large body of knowledge exists with regard to heuristics and biases and ways to address them. For example, see COSO's recently issued thought paper, Enhancing Board Oversight: Avoiding Judgment Traps and Biases (March 2012).

In reality, both pro forma models built around historical ratios and causal at-risk models can be helpful and should be seen as complementary views of an uncertain future. Regardless of the type of model, the confidence placed on estimates of levels of risk and assumptions made in the analysis should be clearly stated.
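As an added illustration of a causal at-risk model (not the paper's, COSO's or Deloitte's own model), the Python below ties two risk factors, price and volume, to an earnings line, simulates a one-year earnings distribution, and reads Earnings at Risk off it at a chosen confidence level. Every number is constructed; the lognormal factor shocks, their correlation, and the base case are assumptions of this example. The sensitivity function is there because the paper asks that model assumptions be tested that way.

```python
import math
import random
import statistics

# Constructed base case for a single product line (all values invented).
# Earnings = (price - unit cost) x volume - fixed cost.
BASE_CASE = {
    "price": 100.0,           # $ per unit
    "volume": 1_000_000,      # units per year
    "unit_cost": 70.0,        # $ per unit
    "fixed_cost": 12_000_000  # $ per year
}


def earnings(price, volume, unit_cost, fixed_cost):
    """The causal link from the risk factors to the earnings line."""
    return (price - unit_cost) * volume - fixed_cost


def simulate_earnings(n_paths, price_vol=0.15, volume_vol=0.10, rho=0.4, seed=42):
    """Draw n_paths one-year outcomes. Price and volume each receive a lognormal
    shock (the -0.5*sigma^2 term keeps the mean at the base case) and the two
    shocks share correlation rho: a positive rho means a weak market hits price
    and volume together, a mutually amplifying interaction. Assumed, not from
    the paper. The seed makes the run reproducible for review."""
    if not -1.0 < rho < 1.0:
        raise ValueError("rho must lie strictly inside (-1, 1)")
    rng = random.Random(seed)
    results = []
    for _ in range(n_paths):
        z_price = rng.gauss(0.0, 1.0)
        z_volume = rho * z_price + math.sqrt(1.0 - rho * rho) * rng.gauss(0.0, 1.0)
        price = BASE_CASE["price"] * math.exp(price_vol * z_price - 0.5 * price_vol ** 2)
        volume = BASE_CASE["volume"] * math.exp(volume_vol * z_volume - 0.5 * volume_vol ** 2)
        results.append(earnings(price, volume, BASE_CASE["unit_cost"], BASE_CASE["fixed_cost"]))
    return results


def earnings_at_risk(samples, confidence=0.95):
    """EaR: how far earnings could fall below their expected value at the given
    confidence over the simulated horizon, i.e. expected earnings minus the
    (1 - confidence) quantile of the simulated distribution."""
    if not 0.5 <= confidence < 1.0:
        raise ValueError("confidence must lie in [0.5, 1)")
    ordered = sorted(samples)
    index = int((1.0 - confidence) * (len(ordered) - 1))
    return statistics.mean(ordered) - ordered[index]


def sensitivity(n_paths, confidence=0.95, **overrides):
    """Re-run the model with one assumption changed and report the EaR, so a
    reader can see how much a single input drives the headline number."""
    return earnings_at_risk(simulate_earnings(n_paths, **overrides), confidence)


if __name__ == "__main__":
    paths = simulate_earnings(20_000)
    print(f"expected earnings: ${statistics.mean(paths) / 1e6:,.1f}MM")
    for c in (0.90, 0.95, 0.99):
        print(f"EaR at {c:.0%}: ${earnings_at_risk(paths, c) / 1e6:,.1f}MM")
    print(f"EaR at 95% if price volatility doubles: ${sensitivity(20_000, price_vol=0.30) / 1e6:,.1f}MM")
```

The point of the causal structure is visible in the sensitivity call: the model answers "what if price volatility doubles" by re-deriving earnings from the factor, rather than by scaling a historical earnings ratio, which is what a pro forma approach would do.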
Assess Risk Interactions

ERM enables an integrated and holistic view of risks. The key here is that the whole does not equal the sum of the parts. To understand portfolio risk, one must understand the risks of the individual elements plus their interactions due to the presence of natural hedges and mutually amplifying risks. Understanding risk interactions and then managing them requires breaking down silos.

A simple way to consider risk interactions is to group related risks into a broad risk area (such as grouping risks related to sourcing, distribution channels, vendor concentrations, etc. into supply chain risk) and then assigning ownership and oversight for the risk area. Three explicit ways to capture risk interactions, increasing in level of complexity and richness of information, are risk interaction maps, correlation matrices, and bow-tie diagrams.

Risk Interaction Map

A risk interaction map is the simplest form of graphical representation, in which the same list of risks forms the x and y axes. Risk interactions are then indicated by an X or other qualitative indicator.

Exhibit 3: Illustrative Risk Interaction Map
[Figure: a square matrix whose rows and columns both list the same risks, with interactions marked by an X (the markings are not reproduced here). The risks are: Supply Chain Disruption; Customer Preference Shift; Copper Price Increase >25%; Work Stoppage >1 Week; Economic Downturn; Supplier Consolidation; Local Competitor Enters Market; New Substitutes Available; Cost of Capital Increase >5%; Tighter Emission Standards; FCPA Violation; Exchange Rate Fluctuations.]
Correlation Matrix

Where historical data are available, risk interactions can be expressed quantitatively using a correlation matrix. This is an especially useful technique to apply within a risk category such as market risk. Difficulties in determining correlations for risks include the possibility that past causal relationships will not be indicative of future relationships, lack of historical data, differences in time frames (short-, medium-, and long-term), and the large numbers of risks required for an enterprise-wide assessment.

Developing the Full Picture: Fault Trees, Event Trees, and Bow-Tie Diagrams

Diagrams that break a complex risk occurrence into its component parts, showing the chains of events that could lead to or result from the occurrence, can be indispensable for identification and assessment of risk responses and key risk indicators. The diagrams can be qualitative or serve as the basis for quantitative models. Three commonly used diagrams are fault trees, event trees, and bow-ties. Fault trees are used for analyzing events or combinations of events that might lead to a hazard or an event. Event trees are used for modeling sequences of events arising from a single risk occurrence. A bow-tie diagram combines a fault tree and an event tree and takes its name from its shape. Probabilistic models built on bow-tie diagrams are versatile for quantifying inherent and residual risk levels and performing what-if, scenario, and sensitivity analyses.

Exhibit 4: Bow-Tie Diagram
[Figure: on the left, Risk Factors (Trigger Events and Conditions) pass through Intermediate Events into the central Risk; on the right, Risk Consequences branch from the Risk through Intermediate Events to End Events, each carrying a Consequence or an End Event (Loss).]

Note: The terms fault tree, event tree, and bow-tie diagram are sometimes used interchangeably.
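The claim that the whole does not equal the sum of the parts, and the step up from a qualitative interaction map to a correlation matrix, can both be shown on a few risks. The Python below is an added example, not code from the paper or from COSO or Deloitte. The three risk names come from Exhibit 3; the standalone loss estimates and the correlation matrix are constructed, with a negative correlation standing in for a natural hedge and positive ones for mutually amplifying risks.

```python
import math

# Constructed example: three risks from the paper's illustrative interaction map,
# each with a standalone estimate of the standard deviation of its annual
# earnings impact ($MM). The correlation matrix is invented: copper prices and
# the exchange rate partly hedge each other (negative), while supply chain
# disruption mildly amplifies both (positive).
RISK_NAMES = ["Copper price increase >25%", "Exchange rate fluctuations", "Supply chain disruption"]
STANDALONE_STDEV = [10.0, 6.0, 8.0]
CORRELATION = [
    [1.0, -0.6, 0.2],
    [-0.6, 1.0, 0.1],
    [0.2, 0.1, 1.0],
]


def validate_correlation(matrix):
    """Square, symmetric, ones on the diagonal, every entry within [-1, 1]."""
    n = len(matrix)
    for i in range(n):
        if len(matrix[i]) != n:
            raise ValueError("correlation matrix must be square")
        if abs(matrix[i][i] - 1.0) > 1e-9:
            raise ValueError("diagonal entries must be 1")
        for j in range(n):
            if not -1.0 <= matrix[i][j] <= 1.0 or abs(matrix[i][j] - matrix[j][i]) > 1e-9:
                raise ValueError("entries must be symmetric and within [-1, 1]")


def aggregate_stdev(stdevs, correlation):
    """Portfolio standard deviation sqrt(sum_i sum_j s_i * s_j * rho_ij).
    With every rho_ij = 1 this is exactly the sum of the parts; hedges
    (negative rho) pull it below that and amplifiers (positive rho) push it up."""
    validate_correlation(correlation)
    if len(stdevs) != len(correlation):
        raise ValueError("one standard deviation per risk is required")
    variance = 0.0
    for i, s_i in enumerate(stdevs):
        for j, s_j in enumerate(stdevs):
            variance += s_i * s_j * correlation[i][j]
    return math.sqrt(max(variance, 0.0))


def sum_of_parts(stdevs):
    """What naive addition of the standalone risks would report."""
    return float(sum(stdevs))


def interaction_map(names, correlation, threshold=0.3):
    """Qualitative map in the spirit of Exhibit 3: an 'X' wherever |rho| reaches
    the threshold. Returns {(row_name, col_name): 'X'} for marked cells only."""
    validate_correlation(correlation)
    marks = {}
    for i, row in enumerate(names):
        for j, col in enumerate(names):
            if i != j and abs(correlation[i][j]) >= threshold:
                marks[(row, col)] = "X"
    return marks


def render_map(names, correlation, threshold=0.3):
    """Plain-text rendering of the interaction map for a report."""
    marks = interaction_map(names, correlation, threshold)
    width = max(len(n) for n in names)
    header = " " * width + " | " + " | ".join(f"{i + 1:>2}" for i in range(len(names)))
    lines = [header]
    for row in names:
        cells = [f"{marks.get((row, col), ''):>2}" for col in names]
        lines.append(f"{row:<{width}} | " + " | ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_map(RISK_NAMES, CORRELATION))
    print(f"sum of parts:      ${sum_of_parts(STANDALONE_STDEV):.1f}MM")
    print(f"with interactions: ${aggregate_stdev(STANDALONE_STDEV, CORRELATION):.1f}MM")
```

With the constructed inputs the three risks add to $24MM standalone but aggregate to about $13MM once the hedge is counted; the same function with all correlations set to 1 returns exactly $24MM, which is the only case in which simple addition is right.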
Prioritize Risks

Once the risks have been assessed and their interactions documented, it's time to view the risks as a comprehensive portfolio to enable the next step: prioritizing for risk response and reporting to different stakeholders. The term "risk profile" represents the entire portfolio of risks facing the enterprise. Some entities represent this portfolio as a hierarchy, some as a collection of risks plotted on a heat map. Entities with more mature ERM programs and quantitative capabilities may aggregate individual risk distributions into a cumulative loss probability distribution and refer to that as the risk profile.

Similar to assessing risks, ranking and prioritizing is often done in a two-step process. First, the risks are ranked according to one, two, or more criteria such as impact rating multiplied by likelihood rating, or impact multiplied by vulnerability. Second, the ranked risk order is reviewed in light of additional considerations such as impact alone, speed of onset, or the size of the gap between current and desired risk level (risk tolerance threshold). If the initial ranking is done by multiplying financial loss by likelihood, then the final prioritization should take qualitative factors into consideration.

Hierarchies and Rolling Up and Drilling Down

The simplest way to aggregate risks is to organize them according to a hierarchy. This is often done in risk management systems where risks can be organized by organizational unit, risk type, geography, or strategic objective. The better systems allow users to roll up and drill down for analysis and reporting. This provides a complete listing of the assessed risks but does not help with prioritizing.

Exhibit 5: Risk Hierarchies
[Figure: two tree diagrams. "Risk Hierarchy by Org. Unit" roots at Enterprise and branches into Business Unit 1 (Risk ABC, Risk DEF, with Project 1 and Project 2 beneath it, each carrying Risk UVW and Risk XYZ) and Business Unit 2 (Risk ABC, Risk GHI, Risk JKL). "Risk Hierarchy by Risk Type" roots at Enterprise and branches into Strategic (Risk ABC: Risk ABC in Bus. Unit 1, Risk ABC in Bus. Unit 2), Financial (Risk DEF: Risk DEF in Bus. Unit 1; Risk GHI: Risk GHI in Bus. Unit 2), Operational (Risk UVW: Risk UVW in Project 1, Risk UVW in Project 2), and Compliance (Risk...).]
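The two-step prioritization described above (rank by a product of ratings, then review the order against impact alone, speed of onset and the gap to tolerance) is easy to get subtly wrong when done by hand in a spreadsheet, so the Python below is an added example of it, not code from the paper or from COSO or Deloitte. The risk names come from Exhibit 3; every rating, the tolerance thresholds, and the flag thresholds (impact of 5, onset rating of 4 or more) are constructed choices of this example, and the rule for combining the second-step considerations is one reasonable reading of the paper's text rather than a procedure it prescribes.

```python
from dataclasses import dataclass


@dataclass
class RiskRating:
    """Ratings on the paper's 1-5 scales. `tolerance` is the score (impact times
    likelihood) the entity is prepared to live with for this risk; the gap
    between current score and tolerance is one of the second-step
    considerations the paper names. Tolerance values here are constructed."""
    name: str
    impact: int
    likelihood: int
    vulnerability: int
    speed_of_onset: int
    tolerance: int

    def __post_init__(self):
        for attr in ("impact", "likelihood", "vulnerability", "speed_of_onset"):
            if getattr(self, attr) not in (1, 2, 3, 4, 5):
                raise ValueError(f"{self.name}: {attr} must be 1-5")

    def score(self, criterion="impact_x_likelihood"):
        if criterion == "impact_x_likelihood":
            return self.impact * self.likelihood
        if criterion == "impact_x_vulnerability":
            return self.impact * self.vulnerability
        raise ValueError(f"unknown criterion {criterion!r}")


# Constructed ratings for a few of the risks named in the paper's Exhibit 3.
REGISTER = [
    RiskRating("Supply chain disruption",        impact=4, likelihood=3, vulnerability=3, speed_of_onset=4, tolerance=6),
    RiskRating("Tighter emission standards",     impact=3, likelihood=4, vulnerability=2, speed_of_onset=1, tolerance=12),
    RiskRating("FCPA violation",                 impact=5, likelihood=2, vulnerability=4, speed_of_onset=5, tolerance=4),
    RiskRating("Copper price increase >25%",     impact=3, likelihood=4, vulnerability=2, speed_of_onset=3, tolerance=12),
    RiskRating("Local competitor enters market", impact=2, likelihood=3, vulnerability=2, speed_of_onset=2, tolerance=8),
]


def initial_ranking(risks, criterion="impact_x_likelihood"):
    """Step one: rank by the chosen product; ties broken by impact, then name."""
    return sorted(risks, key=lambda r: (-r.score(criterion), -r.impact, r.name))


def review_flags(risk, criterion="impact_x_likelihood"):
    """Step two considerations from the paper: impact alone, speed of onset,
    and the gap to the tolerance threshold. The cut-offs are this example's."""
    flags = []
    if risk.impact == 5:
        flags.append("extreme impact")
    if risk.speed_of_onset >= 4:
        flags.append("rapid onset")
    if risk.score(criterion) > risk.tolerance:
        flags.append("above tolerance")
    return flags


def prioritize(risks, criterion="impact_x_likelihood"):
    """Two-step prioritization. Risks above tolerance come first, ordered by the
    size of the gap; among equal gaps the risk carrying more review flags wins;
    the initial ranking settles everything else. Returns (name, score, gap, flags)."""
    rows = []
    for rank, risk in enumerate(initial_ranking(risks, criterion)):
        score = risk.score(criterion)
        gap = score - risk.tolerance
        rows.append((risk.name, score, gap, review_flags(risk, criterion), rank))
    rows.sort(key=lambda row: (row[2] <= 0, -row[2], -len(row[3]), row[4]))
    return [(name, score, gap, flags) for name, score, gap, flags, _ in rows]


if __name__ == "__main__":
    for name, score, gap, flags in prioritize(REGISTER):
        print(f"{name:<32} score={score:>2} gap={gap:>3} {', '.join(flags)}")
```

On the constructed register the FCPA violation ranks fourth by impact times likelihood (10 against three risks scoring 12) yet ends up first after the review, because it sits six points above its tolerance and is flagged for both extreme impact and instantaneous onset; that reordering is exactly the qualitative correction the paper asks for when the first pass is a purely numerical product.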