Risk Mapping: A Risk Management Tool with Powerful Applications in the New Economy




By Todd Williams and Steve Saporito

What if your company's major business risks, obstacles to strategic objectives, and e-commerce vulnerabilities could be depicted on one page in a concise manner for executive management and members of the board? What if a few additional pages could communicate details of these risks, as well as specific actions to mitigate or eliminate them, time frames for implementation, measurements of success, and the management executive responsible for successful implementation? What if you were assigned the responsibility of developing this information and presenting it to the executive committee and board within the next 30 days? A risk map/risk profile could be your solution.

This article defines risk mapping, highlights the benefits, summarizes one method of developing risk maps, and describes several applications, some unconventional, for risk mapping in an organization.

Risk Mapping Benefits

In addition to identifying a company's "show-stopper" risks, there are numerous benefits to risk mapping. On a stand-alone basis, the risk profile is an effective communications tool, particularly for members of senior management and board members. As the old expression goes, a picture is worth a thousand words. The risk map prioritizes risks by their placement on the profile and reveals which threats require management's time and company resources. This may entail reallocation of time and resources from controlled threats to those that require immediate attention.

Different mapping techniques, depending on the methodology, have varying benefits. Methodologies utilizing facilitation build consensus and bring the senior management team together. However, the most important benefit of the facilitation method is a drastic reduction in decision-making cycles. Decision time is often reduced from months to weeks or from weeks to days. (Facilitation is discussed later in this article.)

If risk profiling is part of an enterprise risk management (ERM) process, the benefits increase significantly. Complying with corporate governance requirements, improving the allocation of resources, and eliminating the silo mentality are among the potential benefits of devising a risk map. Decision-making is also optimized: a decision made by one department or division might be the correct decision when considered in isolation, but when considered in the context of the company as a whole, that decision may not be optimal.

Risk Mapping Defined

A risk map is a graphical depiction of a select number of a company's risks, designed to illustrate (1) the impact or significance of risk on one axis and (2) the likelihood or frequency on the other axis. Many types and variations of risk maps exist. For example, the axes can vary (impact and likelihood on different axes), the scales can vary, and some are even three-dimensional. The following example in Figure 1 illustrates a typical risk map.

[Figure 1: Zurich IC² Profiler. Risk map with likelihood categories A through F on the vertical axis and impact categories IV, III, II, I on the horizontal axis; six numbered risks are plotted.]

Financing Risk & Reinsurance 3

This risk map depicts likelihood or frequency on the vertical axis, and impact or significance on the horizontal axis. In this configuration, similar to that of a mathematical distribution curve, likelihood increases as you move up the vertical axis, and impact increases from left to right. The points on the profile represent risks that have been categorized into four impact categories and six likelihood categories. The categories simplify the prioritization process by forcing placement of each risk into a particular box showing its position relative to the others. The stepped line is the Critical Issue Tolerance Boundary. Scenarios or risks above this boundary are considered intolerable and require immediate attention, while risks below the boundary do not require immediate attention.

The methodologies used to develop risk maps are as varied as the different risk map types. We will summarize one such process.

Risk Mapping Process

The risk mapping process is part of a systematic, comprehensive methodology to identify, prioritize, and quantify (at a macro level) risks to an organization. This example of the mapping process is taken from the Zurich IC² Profiling process, a methodology that entails a facilitation session and application of proprietary software to capture information. Other methods of capturing information include structured interviews, surveys (written and electronic), or a combination of these. Individual client characteristics and needs dictate the appropriate method of data collection.

We will describe the facilitation risk profiling process by highlighting the major elements. These include the workshop, scope, team composition, time horizon, scenario development and categorization, tolerance boundary, profile development, action plan, process and technology transfer, and quantification and modeling.

The Workshop

The profiling process entails a highly interactive workshop with one or two trained facilitators to guide the team through the process. The workshop can last from one to two days. In our experience, workshops lasting one and one-half days, including an overnight break, achieve the best result. In most cases, the role of the facilitator is not that of a functional or content expert, but that of a process manager keeping the team on track and goal-oriented. In certain cases where specific expertise is required, functional or subject matter experts can supplement the team.

Scope

The scope of the exercise is determined at the beginning of the analysis to specify the areas of the business considered. The scope provides the parameters for the analysis. Scope is often defined as identifying, prioritizing, and understanding risks and impediments to achieving corporate and strategic objectives. The scope can be as broad or as narrow as desired; however, a balance exists between the breadth of scope and the value of information derived from the risk mapping process. For example, the value of one risk map for a multi-billion dollar firm would be significantly less than one risk map for each division or business unit of that company. We will address different scope options later in this article.

[Figure 2: Zurich IC² Scenario Catalog. Form with header fields Company, Scope, Sheet, By/Date and columns No., Vulnerability, Trigger, Consequences, Severity, Probability.]

Team Composition

The composition of the organization's team is critical to the success of the profiling process. The team should consist of senior level specialists and management staff who possess the experience, expertise, and institutional knowledge necessary to perform a thorough analysis of the areas addressed in the process. Most teams contain six to ten individuals.

The scope of the risk profile should determine who comprises the team. When assessing risks to corporate objectives, a typical team is usually comprised of the CEO and senior leaders from areas such as finance, treasury, legal, audit, strategic planning, risk management, IT, logistics, manufacturing, marketing, sales, and other relevant functions. For a narrower scope, such as the risks specific to a particular division or operating unit, the team would consist of the senior members of the division's management team. Or, if the scope were limited to a specific area such as e-commerce, the team would consist of senior representatives from appropriate functional areas and the divisions most likely affected. Most importantly, the team must represent the institutional knowledge of the organization and have the seniority to implement the actions agreed upon by the group.

Scenario Catalog & Categorization

Through the facilitation process, the team undertakes controlled brainstorming to identify potential risks. Once identified, risks or scenarios are thoroughly discussed to gain consensus and develop written descriptions of the scenarios. Each scenario is comprised of a vulnerability, a trigger, and a consequence. A vulnerability is an inherent, potential threat or weakness, offset by any controls or mitigating factors. Triggers cause consequences. Consequences are expressed in terms of (1) the nature and (2) the magnitude of the loss(es) resulting from the vulnerability and trigger. (Refer to Figure 2 for examples of vulnerability, trigger, and consequence.)

The second step in this phase of the process is to categorize scenarios in terms of impact and likelihood. The team defines both impact and likelihood in terms relevant to the organization. For example, in qualitative terms, the four impact categories are often defined in descending order as (1) catastrophic, (2) critical, (3) significant, and (4) marginal. Likelihood categories, of which there are six, are defined in qualitative terms on a scale from "almost impossible" to "very high." Both scales can also be defined in company-specific quantitative terms, and the team can elect to use either the qualitative definitions and/or the quantitative definitions. The output from this exercise is known as the Scenario Catalog, as illustrated in Figure 2.

Tolerance Boundary

The critical issue tolerance boundary, a stepped line on the profile, separates those risks that are currently tolerable from those that are intolerable. Business risks above and to the right of the boundary line are considered intolerable and require immediate management attention. Those threats below and to the left of the boundary are currently considered tolerable. This boundary varies depending on the risk appetite of the organization. Prior to plotting business risks on the profile, the team determines the tolerance boundary line.

Profile Development

The final step in developing the profile is the placement of the business risks onto the risk map based on their impact and likelihood categorizations. In our example, software is used to place each risk in the appropriate impact/likelihood box. It is important to note that the ultimate value of the risk profile does not lie in determining the precise impact or likelihood level of a particular threat; it is the placement of that threat relative to the placement of other threats that determines its value.

Action Plan

Business threats that lie above the tolerance boundary require immediate attention by the team. It is important to develop specific action plans to reduce either the potential impact or likelihood, or both. The team also develops success measurements, sets target completion dates, and assigns responsibility for each action to team members. The purpose of the action plan is to move each intolerable risk (above the tolerance boundary line) into the tolerable zone.

Process and Technology Integration

Upon completion of the risk mapping/profiling exercise, it is important that the process and technology be integrated into the firm's operations. This allows updates and future profiling to be performed by company management. The software enables the manipulation of data, and provides a basis from which management can readdress issues on an annual or periodic basis, or after events occur that could change the organization's profile.
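The scenario catalog, tolerance boundary, and action plan steps described above can be modeled in a few lines of Python; this is an added example, not code from the article or from the Zurich IC² software. It assumes the category ordering read from Figure 1 (impact I is the most severe, likelihood A the highest), and the boundary, the sample scenarios, and all function names are constructed for illustration.

```python
from dataclasses import dataclass

# Axis orderings follow the page's Figure 1 as read here (an assumption):
# impact I = catastrophic ... IV = marginal; likelihood A = very high ... F = almost impossible.
IMPACT = ["IV", "III", "II", "I"]            # index grows with impact
LIKELIHOOD = ["F", "E", "D", "C", "B", "A"]  # index grows with likelihood

# Constructed tolerance boundary: per impact category, the lowest likelihood
# category that is already intolerable (None = tolerable at any likelihood).
BOUNDARY = {"IV": None, "III": "B", "II": "D", "I": "E"}


@dataclass(frozen=True)
class Scenario:
    """One Scenario Catalog row (columns as in the page's Figure 2)."""
    no: int
    vulnerability: str
    trigger: str
    consequence: str
    severity: str     # impact category, "I".."IV"
    probability: str  # likelihood category, "A".."F"


def check_boundary(boundary):
    """A stepped boundary may only fall or stay level as impact rises."""
    prev = len(LIKELIHOOD)
    for imp in IMPACT:
        cur = len(LIKELIHOOD) if boundary[imp] is None else LIKELIHOOD.index(boundary[imp])
        if cur > prev:
            raise ValueError(f"boundary rises at impact {imp}")
        prev = cur


def is_intolerable(s, boundary=BOUNDARY):
    """True when the scenario sits on or above the boundary in its impact column."""
    t = boundary[s.severity]
    return t is not None and LIKELIHOOD.index(s.probability) >= LIKELIHOOD.index(t)


def steps_to_tolerable(s, boundary=BOUNDARY):
    """Fewest category steps that bring a risk below the boundary, as
    (likelihood_steps, impact_steps); None if that axis alone cannot do it."""
    if not is_intolerable(s, boundary):
        return (0, 0)
    like, imp = LIKELIHOOD.index(s.probability), IMPACT.index(s.severity)
    t = LIKELIHOOD.index(boundary[s.severity])
    like_steps = like - t + 1 if t > 0 else None
    for k in range(1, imp + 1):
        lower = boundary[IMPACT[imp - k]]
        if lower is None or like < LIKELIHOOD.index(lower):
            return (like_steps, k)
    return (like_steps, None)


def action_queue(scenarios, boundary=BOUNDARY):
    """Intolerable scenarios, highest impact first, then highest likelihood."""
    check_boundary(boundary)
    hot = [s for s in scenarios if is_intolerable(s, boundary)]
    return sorted(hot, key=lambda s: (-IMPACT.index(s.severity),
                                      -LIKELIHOOD.index(s.probability), s.no))


# Constructed sample catalog (not from the article).
CATALOG = [
    Scenario(1, "single payment gateway", "provider outage", "online sales halt", "I", "F"),
    Scenario(2, "key supplier concentration", "supplier insolvency", "production delay", "III", "C"),
    Scenario(3, "unpatched storefront software", "flaw becomes public", "customer data exposure", "II", "C"),
    Scenario(4, "manual order re-keying", "staff turnover", "billing errors", "III", "B"),
    Scenario(5, "no tested restore of order database", "storage failure", "order history lost", "I", "E"),
    Scenario(6, "seasonal staffing gaps", "peak demand", "slow customer response", "IV", "B"),
]

if __name__ == "__main__":
    for s in action_queue(CATALOG):
        print(s.no, s.severity + s.probability, s.vulnerability, steps_to_tolerable(s))
```

The step counts show, for each intolerable risk, how far an action plan must move it along either axis to reach the tolerable zone.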

Quantification and Modeling

The degree of detail necessary to analyze a particular risk varies from one risk to the next. If a team consensus can be achieved, then significant detail is not required. Some business risks and action plans will require more detailed examination and quantification than can be achieved in the profiling facilitation workshop. Profiling acts as a filtering mechanism to determine which risks, if any, require special or detailed quantification. However, experience demonstrates that the vast majority of risks and action plans can be successfully addressed within the workshop's allotted time. For risks requiring additional analysis, we utilize sophisticated quantification and modeling techniques.

Applications that Create Value

Risk mapping is an excellent tool for identifying, assessing, and prioritizing key business risks. Yet there can be unrealized value in the risk mapping process that could significantly enhance the ability of an organization to generate new economic value. We have proposed using risk mapping techniques to test existing strategies in the context of unrealized/under-realized risks and opportunities (such as e-commerce), or to support a new strategic development process.

To put this in context, first consider the potential weakness of traditional strategic planning approaches in the new economy. While most companies perform some type of formal strategic planning, they often do not have a process for identifying, assessing, and integrating learned strategy that is, in many cases, the best source for generating new economic value. The relevance of this concept can be illustrated in the context of e-business, where traditional strategic planning methods cannot cope with the speed of change. The unremitting nature of technological change assures that the basis for many of today's decisions will likely be different in six months, and will bear no resemblance to current thinking three years from today.
Summary

In The Rise and Fall of Strategic Planning, Professor Henry Mintzberg specifically challenges traditional strategic planning processes. He believes that the term "strategic planning" is an oxymoron in that strategy is about synthesizing something, while planning is about disaggregating something. He points out the gap between those (normally) driving a strategic planning process and those interacting with customers and responsible for winning or losing actual business deals on a daily basis. Perhaps the best way to understand the gap is this: traditional strategic planners rely on knowledge available at a specific point in time, while line management relies on knowledge developed live based on actual market dynamics, also called learned strategy. Not surprisingly, Mintzberg believes business success depends on the quality of decisions made in the dynamic present. A facilitated risk mapping process aimed at company strategy can bridge the gap between strategy planners and individuals on the front lines by capturing live information about where competitive advantage is actually being realized.

[Figure 3: Zurich IC² Action Plan. Form with header fields Company, Scope, Sheet, By/Date and column headings Risk Profile Location, No., Risk Improvement Action / Success Measure, By/Date.]

While risk mapping can be a powerful analytical tool for sorting out and prioritizing business risks, it is clear that this technique has potential business applications beyond the scope of the risk management process. As the New Economy, i.e., e-business, matures, we believe that the methodologies reviewed here will play an important role in the planning and execution of existing and future business strategies.

Todd Williams is Principal Consultant and Steve Saporito is Senior Vice President of Zurich IC².

QUOTE OF THE MONTH

"The primary goal of corporate risk management is communication ... We don't manage risk. It's a stupid title."
Chris Lajtha, corporate risk manager of Schlumberger Ltd. in Paris
2000 World Captive Forum

WHAT IT IS AND HOW IT WORKS

Legacy Liability Transfers

Unlike any other time in history, insurance companies are actively looking for alternative ways to reposition themselves in the financial services marketplace. Part of the impetus behind this movement is the vast amount of underemployed, excess capital held by almost every insurer and reinsurer. At the same time, many corporations have become interested in new and innovative ways to restructure their balance sheets.

A legacy liability transfer is a form of retroactive insurance covering the future value of actual losses or loss exposures incurred or existing in past periods. This is not a new concept; loss portfolio transfers (LPT) (transferring the future value of incurred workers' compensation and general liability losses to an insurer) have been done for many years. Today, however, new forms of the old LPT structure are evolving that include extremely high limits of liability as well as a wide variety of liabilities eligible to be removed from the balance sheet. In fact, many of the liabilities transferred today are not even insurable in the conventional sense. This phenomenon is driving innovative insurers to change the ways in which their capital can be used to underwrite new structured financial products that bear little resemblance to conventional insurance.

For example, a multinational corporation incurs a known, quantifiable tax liability as a direct result of a series of complex international transactions. The tax liability must be recognized on the balance sheet and will ultimately be paid; the amount and timing are unknown factors. Nonquantifiable balance sheet contingencies such as this tax liability can cause potential earnings volatility and unfavorable reactions from both shareholders and Wall Street analysts.

Legacy liability transfers are underwritten differently from other insurance transactions. While the precise amount of the liability is not known, an educated estimate of the ultimate sum must be identified, which forms the basis of the policy's limit of liability. There is no doubt as to whether the policy will be required to pay off; the only variables are how much, and over what period of time, the liability will be due. Underwriters are then able to build the premium, factoring in risk transfer charges for potential interest rate risk (the possibility that the amount of interest earned on the premium will fall below projections) and the risk of premature payout, which would deny the insurer adequate time to earn a profit on the transaction.

The benefits of such a transaction can be significant: one company's stock price shot up several points upon the announcement of the successful conclusion of one such deal.