Paul Hopkin. Fundamentals of Risk Management
Подождите немного. Документ загружается.
234 Risk response
Risk appetite
Point A
Risk appetite
Point B
Increasing gain
Increasing loss
Control acceptanceHazard tolerance Opportunity investment
Increasing
hazard
tolerance
Increasing
opportunity
investment
worst possible
outcome (95%)
Range of possible
outcomes (95%)
Range of possible
outcomes (95%)
Best possible
outcome (95%)
Figure 26.1 Risk and uncertainty
risk appetite for that type of hazard risk. In setting a risk appetite, the organization will realize
that a range of outcomes for that risk appetite is possible. That range of outcomes is shown as
the 95 per cent certainty lines.
Likewise, in pursuit of an opportunity, the organization will have an appetite presented by
point B. Again, there will be a range of possible outcomes for this opportunity investment.
The intended outcome is a positive return, but a loss may be suffered if the investment is not
successful. The range of possible outcomes is demonstrated by the 95 per cent certainty
lines. Figure 26.1 is used to demonstrate that a range of outcomes is possible when a value
is put at risk. This fi gure also provides the basis for demonstrating the contribution of risk
management (discussed below and shown in Figure 26.5) that plots risk management and
uncertainty.
Importance of risk appetite 235
Risk exposure
Total cost of risk (TCR) calculations were commonplace in the 1980s. These calculations were
usually undertaken by organizations or their insurance brokers. They enabled an organization
to determine the total cost of hazard risks to the organization. The calculation had three main
components: insurance premium; money spent on loss-control actions, and cost of claims not
covered by insurance.
Tables were published on total cost of risk in various organizations and it was possible to
benchmark the performance of an organization against other companies in the same sector.
This sort of total cost of risk calculation was useful and was often used as a justifi cation for
setting up an in-house or captive insurance company, as discussed in Chapter 30.
The diffi culty with this type of calculation was that it depended substantially on historical
information. Historical loss data is not necessarily a good guide to future loss performance.
This approach was intended to encourage organizations to seek the lowest overall cost for the
management of hazard risks. Unfortunately, this lowest-cost approach often proved to be a
mistake when a major incident occurred.
Organizations should be aware that the TCR calculation could represent the lowest cost for
the management of hazard risks, but that might be achieved at a high overall risk position. It
is worth noting that the purchase of too much insurance could represent a position for the
organization that is the lowest risk position but achieved at a high overall cost.
The type of total cost of risk calculation undertaken by organizations is now somewhat differ-
ent. Organizations often use the concept of risk appetite to undertake calculations that iden-
tify the level of risk that the organization is willing to accept. The risk appetite of the board can
then be compared with the actual risk exposure that the organization faces. The actual risk
exposure in this calculation is an updated version of the total cost of risk calculation, but
should include all types of risks – not just those that can be insured.
Generally speaking, as the marketplace becomes more volatile, the organization will be forced
to increase its risk exposure. This requires a discussion in the boardroom leading to an agree-
ment to increase the total value that the organization is willing to put at risk and/or to fi nd
mechanisms to reduce the total risk exposure. As a consequence, risk management becomes
more important in times of rapid change and increased marketplace volatility.
Risk exposure will also increase when an organization decides whether to embark on a merger
or acquisition. Organizations need to undertake an opportunity analysis of all acquisition
opportunities and this analysis should include consideration of at least the following features
of the acquisition opportunity:
fi nancial strength and reputation of the proposed acquisition;
•
potential for developing further revenue/profi
t from the acquisition; •
236 Risk response
risks associated with suggested purchase contract terms and conditions; •
anticipated profi tability and sustainability of the proposed acquisition; •
investment required to deliver the anticipated future plans for the acquisition; •
impact on existing investment and business development plans. •
Risk exposure is the actual cumulative total at risk, but it is often calculated on a risk-by-risk
basis, without consideration of whether the risks are correlated. An organization will need
to allow for correlation of risks and thereby take account of the likelihood of the risks mate-
rializing. When calculating the total actual risk exposure of the organization, it is important
that the cumulative total of the values at risk is adjusted to take account of whether risks are
correlated.
Nature of risk appetite
Organizations face a number of risks that can cause disruption. These are the hazard risks that
have been discussed throughout this book and give rise to the organization having a hazard
tolerance. In other words, the organization will be willing to accept exposure to certain hazard
risks as part of its normal operations. British Standard BS 31100 defi nes risk appetite as the
‘amount and type of risk that an organization is prepared to seek, accept or tolerate’.
There will be a cost associated with hazard risks, both in terms of the cost of incidents that do
occur and also in terms of the cost of loss-prevention, damage-limitation and cost-contain-
ment activities, including insurance costs. For each hazard risk, there will be a range of possi-
ble outcomes, all of them negative and this is illustrated in Figure 26.1.
The organization will need to quantify the possible hazard risks and costs associated with
those risks. It should be able to decide how much hazard risk it will tolerate and this is part of
the total risk appetite. Although the organization may decide how much hazard risk it will tol-
erate, the actual exposure to hazard risks may be greater than the anticipated.
Also, all organizations face uncertainties and the control risks that give rise to these uncertain-
ties. These are risks linked to events that, if they materialize, will have uncertain outcomes. As
an example of control risks, if all fraud controls in an organization were removed, there would
be a net saving represented by the cost of the controls. However, fraudulent behaviour might
result and substantial losses might be suffered, but there would be uncertainty about how
much fraud would actually result from the removal of all controls.
There will be control risks embedded within the projects that the organization is currently
undertaking. The cost of necessary controls may be part of the overall budget for a project.
When planning a large project, it would be unwise not to include the cost of necessary controls
Importance of risk appetite 237
in the budget for the project. The cost of the controls within the project budget represents the
control acceptance of the organization.
The portion of risk appetite that is associated with opportunities can be considered to be the
opportunity investment that the organization is willing to embrace. Organizations will be
willing to invest resources in opportunities that the organization believes will produce a posi-
tive gain. However, the organization should recognize that value put at risk in this way may
not produce a positive gain. Implementation of strategic decisions may result in losses. In fact,
more value can be destroyed by incorrect strategic decisions than by hazard or control risks.
Figure 26.1 illustrates the range of outcomes for different risk exposures. In relation to oppor-
tunity investment, a range of outcomes are possible from complete loss of the invested
resources to a substantial gain. Sometimes, the losses may exceed the initial investment, if the
total negative risk exposure associated with the investment was not correctly calculated.
The organization may have an appetite for investing a sum of money in an opportunity, but it
needs to be sure that it has the capacity to endure any loss that may result. It also needs to be
sure that the total amount invested, or value at risk, is not beyond the capacity of the organiza-
tion. Careful calculation of the actual risk exposure associated with the opportunity should be
undertaken.
Figure 26.2 illustrates the concepts of risk appetite, risk exposure and risk capacity. Risk appe-
tite is illustrated by way of shaded squares on the risk matrix and the overall risk exposure of
the organization is shown as a curved line. This illustration represents risk appetite, exposure
and capacity for a risk-averse organization.
Impact
Likelihood
Comfort zone
Cautious zone
Concerned zone
Risk exposure
Risk capacity
Ultimate risk
capacity
Optimal risk
exposure
Figure 26.2 Risk appetite, exposure and capacity (optimal)
238 Risk response
The lighter area represents a situation where the organization is comfortable with taking the
risk. The medium-shaded area represents a cautious zone, where management judgement is
required before the risk is accepted. Accepting risks in the darker area will cause the organiza-
tion concern, and these risks will only be accepted when there is a business imperative.
The curved lines in Figure 26.2 represent the overall risk exposure of the organization and this
is the optimal position, where the overall exposure cuts through the lighter section. The risk
capacity of the organization is shown as higher than both the risk appetite and the risk expo-
sure and is embedded well in the darker area. This represents an optimal state of affairs. This
ensures that the organization is taking risks that are within the appetite of the board and not
exceeding the ultimate risk capacity of the organization.
Figure 26.3 represents a risk-aggressive organization with a much larger comfort zone for
accepting risk. The lighter-shaded or cautious zone is smaller and the darker zone is an even
smaller part of the overall fi gure. This situation can be described as representing an approach
to risk that has a very limited universe of risk. The universe of risk for the organization is rep-
resented by the darker squares and it is only in this area that the board of the organization will
consider that the risks are signifi cant.
In Figure 26.3, the ultimate risk-bearing capacity of the organization is shown as within the
medium-shaded zone. This represents a situation where the organization may be taking risks
that are beyond the ultimate risk capacity of the organization. To make circumstances worse,
the actual risk exposure of the organization is shown as well within the darker area. This makes
the organization vulnerable to risk, because its actual risk exposure is shown to be well beyond
its ultimate risk-bearing capacity.
Impact
Likelihood
Comfort zone
Cautious zone
Concerned zone
Risk exposure
Risk capacity
Actual risk
exposure
Ultimate risk
capacity
Figure 26.3 Risk appetite, exposure and capacity (vulnerable)
Importance of risk appetite 239
The identifi cation of the risk appetite for the organization requires judgement, and this judge-
ment can be exercised at different levels within the organization. Consideration of risk appe-
tite will be a strategic driver at board level. Risk appetite is likely to be an operational constraint
at line-manager level because line managers will be expected to operate within the risk appetite
policy that has been established by the board.
At the individual level, it is likely that consideration of risk appetite will be a behaviour regula-
tor. This is because individual members of staff should only operate within the risk appetite
framework that has been developed at board level and is implemented by line managers.
Cost of risk controls
The inherent level of a risk is the level of the risk with no control measures in place. This is
sometimes referred to as the gross level of the risk. The current level of risk is the level that
takes account of the control measures currently in place. This is sometimes referred to as the
net level of risk or the residual risk. Throughout this book, ‘current level’ has been used instead
of ‘residual level’, because this implies a much more dynamic approach to risk management.
Figure 26.4 provides an illustration of the control effect or control vector when controls are
put in place. When considering the current and target risk levels, the organization should be
aware of the cost involved in implementing the controls that have been identifi ed. The cost of
the control measures should be considered to be part of the total cost of risk for the organiza-
tion. The organization can then evaluate whether the controls in place are cost-effective.
Impact
Likelihood
Control 2
Control 1
Figure 26.4 Illustration of control effect
240 Risk response
As can be seen in Figure 26.4, a line can be drawn to represent the effect of each individual risk
control measure. It is obvious that the longer the line, the greater the effect of the control. It
will also be the case that the longer the line, the greater control effort is required, in terms of
management time, effort and money.
A simple diagram like Figure 26.4 provides an illustration of the distance between the inherent
and current level of the risk. If a target level of risk is established, additional control effort
would be required in moving the level of risk from the current to the target level. This simple
illustration of control effort is important, and demonstrates that there is value in undertaking
a risk assessment at the inherent level of risk (if this is possible) so that the required control
effort can be clearly identifi ed and illustrated.
If a calculation is undertaken of the risk exposure at the original level and a further calcula-
tion is undertaken of the risk exposure at the new level, the overall benefi t of each control
can be measured. Consideration of the cost of each control can then be undertaken, so that
a cost–benefi t analysis of individual controls may be completed. This will be an important
exercise for the organization to undertake, so that cost-effective risk control priorities may
be established.
Risk management and uncertainty
Reducing uncertainty is at the heart of risk management. In fact, British Standard BS 31100
defi nes risk as the ‘effect of uncertainty on objectives’. Although management of uncertainty
should only be considered to be a part of the risk management approach, it is vitally impor-
tant. A component of reducing uncertainty in an organization is to manage and reduce the
level of inconsistency in the way risks are managed.
For an organization that is highly regulated, detailed systems and procedures will be pro-
duced and these will be monitored by the regulator. These rules and procedures represent
the controls that must be in place. Part of successful risk management is to ensure that these
controls are always implemented and a high level of consistency is achieved in relation to
staff behaviour.
The overall approach of risk managers is to facilitate the identifi cation of the signifi cant risks faced
by the organization. Risk managers tend to take the approach that risk assessment is complete
when existing controls have been identifi ed and the need for any additional controls has been doc-
umented. However, different controls have different levels of effectiveness and effi ciency.
An alternative, but complementary, approach to the management of signifi cant risks is to use
risk assessment as a tool that ultimately leads to the identifi cation of the critical controls for
the organization. The critical controls are the most important controls in relation to the man-
agement of the signifi cant risks.
Importance of risk appetite 241
Figure 26.5 illustrates the effect of risk management on the uncertainty. In effect, this fi gure
demonstrates the value of critical controls in changing the range of possible outcomes at a par-
ticular level of risk exposure. The identifi cation of critical controls is important, because staff
and managers may be more concerned about the implementation of the critical controls than
the details of the risk assessment that identifi ed those controls.
Figure 26.5 illustrates the contribution of different control mechanisms and the effect that
those mechanisms have on the range of possible outcomes. The impact of loss control and
insurance on hazard risks is shown. The contribution of opportunity management and hedging
or joint ventures on opportunity risks is also shown.
The approach based on the identifi cation and evaluation of critical controls is closely aligned
to the activities of the internal audit. It is worth remembering that internal auditors prefer to
Increasing gain
Increasing loss
Increasing
hazard
tolerance
Increasing
opportunity
investment
Internal
control
Hedging
or JVs
Insurance
Risk response
and loss control
Opportunity
management
Control acceptanceHazard tolerance Opportunity investment
Exposure before risk
control measures
Exposure after risk
control measures
Figure 26.5 Risk management and uncertainty
242 Risk response
undertake a risk assessment of the inherent level of risk, assuming that there are no controls in
place. This is a valuable approach, because it identifi es critical controls. The diffi culty is that it
is sometimes impossible to identify the inherent level of risk, or it is sometimes the case that
such an approach is not helpful because it becomes too theoretical.
Risk appetite and lifestyle decisions
There is a relationship between personal risk appetite and lifestyle decisions. Decisions will be
taken about, for example, long-term health issues, depending on family history and personal
lifestyle. Decisions will also be taken on medium-term health issues, based on medical treat-
ment, dieting and weight gain. Short-term decisions will also need to be taken on health issues,
including those related to exercise, alcohol and recent illness or accident.
Individuals will need to take lifestyle decisions based on risk appetite, risk exposure and risk
capacity. In relation to health issues, decisions will need to be taken on the level of exercise that
the individual is willing to take in the short term to maintain weight within a healthy range.
There may be a certain appetite for risk issues associated with health and well-being, but the
exposure that an individual actually suffers may be greater than the appetite for such risks. For
example, people are willing to smoke cigarettes, but also wish to develop a healthier lifestyle.
This is an example where the appetite for risk may be less than the actual risk exposure.
There is a tendency for people to take a course of action when the outcome is immediate, pos-
itive and certain. Therefore, a smoker will want a cigarette because the nicotine effect will be
immediate, positive and certain. In contrast, giving up smoking will probably result in long-
term benefi t, but that benefi t will be delayed and uncertain and there will also be negative feel-
ings of being without nicotine.
The box below describes attitudes of individuals to the risks associated with lifestyle decisions.
This demonstrates that the attitude of people to risk taking will vary considerably depending
on the type of risk that is being considered. For example, individuals may be very risk averse
in the way they drive their cars, but accept signifi cant risk factors in relation to their health.
Importance of risk appetite 243
Health risk factors
The number of Canadians who are overweight or obese has increased dramatically
over the past 25 years. Obesity is a risk factor in a number of chronic diseases.
Achieving and maintaining a healthy weight is important to reduce the risk of those
diseases and improve overall health.
Although smoking remains the greatest threat to public health in Canada, poor eating
habits, physical inactivity and their contribution to obesity are also critical public
health challenges. Statistics Canada reports that two out of every three adults in
Canada are overweight or obese.
Many factors have contributed to the increasing rates of overweight and obesity.
Changes in society, work and leisure have affected activity and eating patterns, leading
to a rise in excessive weight and obesity. There has been a shift towards less physically
demanding work, as well as an increased use of automated transport and passive
leisure activities, such as television viewing and playing video games.