Thoughts & Musings
It is easy to think Enterprise Performance & Risk Management is about numbers, but it is really about high-quality conversations informed by data, information and analytics.
Risk-Taking Boundaries – A Risk Appetite and Risk Capacity Primer
In this article, I am going to introduce two important concepts related to setting boundaries for risk-taking and seek to clarify their meaning. These two concepts are Risk Appetite and Risk Capacity.
At KRM22, we advocate the implementation of an integrated, real-time, enterprise risk management approach which enables firms to operate at the optimal threshold of risk-taking, driving increased and sustainable shareholder returns.
Unfortunately, there is no definitive, universally agreed definition for either term, and the two are often used interchangeably and out of context. Where possible, I will refer back to the world's two leading enterprise and operational risk management standards: ISO 31000:2018 Risk Management and the COSO Enterprise Risk Management Framework.
Risk Appetite
We define Risk Appetite as "the amount and type of risk that a firm is willing to accept, and must take, to achieve its strategic objectives and therefore create value for shareholders and other stakeholders". By including the phrase "and must take" we explicitly signal that risk-taking is a fundamental part of strategy and value creation.
Without taking risk, nothing is achieved. Therefore we see Risk Appetite as a key part of both delivering firm objectives and managing risk.
The COSO Enterprise Risk Management Framework 2018 states that "The organisation defines risk appetite in the context of creating, preserving, and realising value", but it does not offer a concise, standalone definition of what Risk Appetite is.
However, its predecessor, the 2004 version of the COSO framework, defines risk appetite as "the amount and type of risk that is acceptable to be taken by an organisational entity over a defined time period, to achieve the objectives of that strategy".
The ISO 31000 standard does not use the term Risk Appetite. It does, however, use the term Risk Criteria, which has a similar, if broader, meaning. Under Risk Criteria it states that "the organisation should specify the amount and type of risk that it may or may not take, relative to objectives", and goes on: "It should also define criteria to evaluate the significance of risk and to support decision-making processes. Risk criteria should be aligned with the risk management framework and customised to the specific purpose and scope of the activity under consideration. Risk criteria should reflect the organisation's values, objectives and resources and be consistent with policies and statements about risk management."
ISO Guide 73:2009 Risk management — Vocabulary, on the other hand, does explicitly define Risk Appetite as the "amount and type of risk that an organisation is willing to pursue or retain".
Risk Capacity
Also known as risk-bearing capacity, we define Risk Capacity as the maximum amount of risk that a firm can take before it fails, should those risks crystallise.
We believe that knowing your firm's Risk Capacity is an essential part of the enterprise risk management framework. By understanding the firm's Risk Capacity, boards and executive teams can make better strategic and operational decisions, and can take specific actions to increase that capacity.
Many firms have to submit an ICAAP (Internal Capital Adequacy Assessment Process) and an ILAAP (Internal Liquidity Adequacy Assessment Process) for regulatory purposes. Too often this is approached as an annual compliance exercise only. Forward-looking firms use the ICAAP and ILAAP process to understand their Risk Capacity and to drill into exactly which risk-taking would lead to the firm's failure.
Interestingly, neither ISO 31000 nor the COSO Enterprise Risk Management Framework 2018 mentions Risk Capacity.
Conclusion
Risk Appetite and Risk Capacity are two essential tools for firms to define and clarify the boundaries around their risk-taking. Both play a significant role in strategic and operational decision-making and help set the tone of a firm's enterprise risk management approach and culture.
Whereas Risk Appetite is about which risks, and how much of them, are to be taken to create value, Risk Capacity is about survival. Both are therefore a critical part of your enterprise risk management framework.
And while having a 'fixed' definition of both is essential, there must be flexibility and a regular review process. Both Risk Appetite and Risk Capacity should reflect the state of the business internally and market conditions externally, and change as they change. Living through the COVID-19 crisis shows how quickly firms and market conditions can change.
First posted here
Responding to COVID-19
The COVID-19 pandemic is, with little doubt, the most challenging crisis many people will see in their lifetimes and, without a doubt, the most challenging crisis that many businesses will face. To navigate it successfully, firms will need to take a strategic approach: first and foremost they must protect their existing business, and then look to grow its value as opportunities emerge, as they no doubt will.
Firms who have implemented and embedded an integrated, enterprise approach to risk management will be best positioned for survival and growth in these uncertain times. Such an approach should include:
Business Model and Strategy, including a suite of Business Objectives
Risk Appetite and Risk Capacity
Scenarios
Financial and Non-Financial Risks. These risks will exist at the Enterprise, Market, Compliance, Technology and Operational level.
A holistic enterprise risk management approach will set the context for your COVID-19 response and recovery.
To effectively respond to COVID-19, firms should quickly review and update any existing response plans (often referred to as a business continuity plan, incident management plan, or crisis management plan) to take into account the specific details of COVID-19.
I would recommend that your COVID-19 plan be made up of a series of ‘crisis levels’ so that your response can evolve quickly as the nature of the pandemic changes. For COVID-19, your crisis levels could include:
Level 1 – Minor disruption to business activities
Level 2 – Major disruption of business activities
Level 3 – Partial cessation of business activities
Level 4 – Complete cessation of business activities
Level 5 – Firm Recovery or Resolution
At each level, we would recommend you include in your response plans the following eight critical components.
1. Business Impact Assessment (BIA)
Building on your existing enterprise risk assessment process and methodology, undertake a Business Impact Assessment to ensure that the impact of COVID-19 is fully considered and well defined, and to identify the gaps that currently exist.
The Business Impact Assessment should be used to create a shared understanding of the crisis across your business: the board and executive should be heavily involved in conducting the BIA, and its results should be shared within the firm as widely as possible, with appropriate care taken to protect the sensitive information the BIA will contain.
2. Financials
Determine how to stabilise your financial position to ensure you can survive the crisis in the short term, minimise damage to the business in the medium term and position the firm for growth in the long-term.
Quickly getting clarity on your cash, capital, liquidity and profitability over each of these time horizons is the key to responding successfully to COVID-19.
3. Objectives
Determine a set of very clear objectives for each stage of the crisis and be clear about who is accountable for each. In the early stages of a crisis it is reasonable to keep your focus mostly on pre-crisis objectives; as the crisis evolves and deepens, this may change.
As your firm moves through the crisis levels, the number of objectives should be reduced to create focus, minimise distractions and ensure resources are deployed effectively.
You should reach a point where the board and executive are focused on a small number of well-defined objectives, with clear accountabilities and a clear understanding of the ‘road-map’ that signals where the focus will move should the crisis go to the next level. Of course, this road-map must also signal when and how the business recovers and moves to a (new) normal operating environment.
4. Critical activities, systems and assets
As the COVID-19 crisis evolves, your definition of what is critical to your business will change. Therefore, it is important to define, for each crisis level, clear, immediate objectives and a set of essential activities (processes and initiatives), systems and assets to be protected and managed.
For your firm to successfully get through COVID-19, and to be positioned for rapid recovery, your brand, your people and your information assets are going to be particularly important. Therefore, particular care must be given to managing these through the crisis.
If your firm has classified its information assets using the CIA triad (confidentiality, integrity and availability), use those ratings to prioritise, and re-prioritise, as the crisis level changes.
Review your process architecture and portfolio of change initiatives to determine the earliest point at which individual processes and initiatives can be shut down and restarted. If your firm uses the ‘big three’ business continuity indicators, Recovery Time Objective (RTO), Recovery Point Objective (RPO) and Maximum Tolerable Period of Disruption (MTPD), these should inform decision-making as the crisis evolves. One consistency check worth running before relying on them: a process whose RTO is longer than its MTPD has a recovery plan that cannot be met in time, and the MTPD, not the RTO, is the figure that tells you when a disruption starts to threaten the firm.
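The triage the paragraph above describes, worked through in code. This is an added example and not part of the original article or of any KRM22 product: the process names, CIA ratings, RTO/RPO/MTPD values and backup ages are constructed assumptions. It validates that every RTO fits inside its MTPD, then, given how long an outage has been running and how old each process's last good recovery point is, flags breached objectives and orders restoration by remaining MTPD headroom.

```python
"""Business-continuity triage over a constructed process inventory.

For each process we hold a Recovery Time Objective (RTO), a Recovery
Point Objective (RPO) and a Maximum Tolerable Period of Disruption
(MTPD). Given the elapsed outage time and the age of the last good
recovery point, rank what to restore first and flag missed objectives.
All names and thresholds below are illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class Process:
    name: str
    rto: timedelta       # target time to have the process running again
    rpo: timedelta       # maximum acceptable data loss (age of last good copy)
    mtpd: timedelta      # ceiling beyond which the disruption threatens the firm
    cia: tuple           # (confidentiality, integrity, availability), each 1-3


def validate(processes):
    """Names of processes whose RTO exceeds their MTPD: plans that cannot be met."""
    return [p.name for p in processes if p.rto > p.mtpd]


def triage(processes, elapsed, backup_age):
    """One status row per process, most urgent first.

    elapsed:    time since the disruption began.
    backup_age: dict name -> age of the last good recovery point.
    """
    rows = []
    for p in processes:
        rows.append({
            "name": p.name,
            "rto_breached": elapsed > p.rto,
            "mtpd_breached": elapsed > p.mtpd,
            "rpo_breached": backup_age[p.name] > p.rpo,
            "headroom": p.mtpd - elapsed,   # negative once the MTPD is passed
            "availability": p.cia[2],
        })
    # Least MTPD headroom first; ties broken by the availability rating.
    rows.sort(key=lambda r: (r["headroom"], -r["availability"]))
    return rows


def restore_order(processes, elapsed, backup_age):
    """Just the names, in the order the triage says to restore them."""
    return [r["name"] for r in triage(processes, elapsed, backup_age)]


# Constructed sample inventory (assumed values, not from the article).
H = timedelta(hours=1)
INVENTORY = [
    Process("client-payments",      rto=4 * H,  rpo=1 * H,  mtpd=24 * H,  cia=(3, 3, 3)),
    Process("trade-capture",        rto=8 * H,  rpo=4 * H,  mtpd=48 * H,  cia=(2, 3, 3)),
    Process("marketing-site",       rto=72 * H, rpo=24 * H, mtpd=240 * H, cia=(1, 2, 1)),
    # Deliberately inconsistent: RTO (96h) is longer than MTPD (72h).
    Process("regulatory-reporting", rto=96 * H, rpo=24 * H, mtpd=72 * H,  cia=(2, 3, 2)),
]
# Constructed ages of each process's last good recovery point.
BACKUP_AGE = {
    "client-payments": timedelta(minutes=30),
    "trade-capture": 6 * H,        # older than its 4h RPO
    "marketing-site": 2 * H,
    "regulatory-reporting": 12 * H,
}


if __name__ == "__main__":
    print("plans with RTO > MTPD:", validate(INVENTORY))
    for r in triage(INVENTORY, 6 * H, BACKUP_AGE):
        print(f"{r['name']:<22} headroom={r['headroom']} "
              f"rto_breached={r['rto_breached']} rpo_breached={r['rpo_breached']}")
```

Re-run `triage` each time the crisis level changes: the ordering shifts as headroom is consumed, and a process whose `mtpd_breached` flag turns true is exactly the one that should already be driving a move to the next crisis level.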
5. Risk Management, particularly 3rd Party Risk & Counterparty Risk
In any crisis, particularly one of the size and scope of COVID-19, firms must continue to undertake their risk management activities. As with other critical activities, the level and nature of risk management undertaken during a crisis should reflect the crisis level at which your firm is operating. Given the nature of COVID-19, financial, people, 3rd party and counterparty risks will be particularly important.
In addition to the business-as-usual risk activities, a crisis such as COVID-19 will, without doubt, surface gaps in the firm's enterprise risk management framework and processes.
New risks that are directly related to the crisis will need to be managed as per existing risk management processes. Whether these risks become part of the business-as-usual risk management framework, is a decision for post-crisis.
6. Measurement
The old mantra of ‘can’t manage what you don’t measure’ applies during the COVID-19 crisis; however, what you measure should change in three distinctive ways.
1. Reduce your business-as-usual measurement
To reduce your people’s workloads, and to create focus, reduce the amount of measurement in line with decisions around the firm’s objectives, risks, and critical activities, systems and assets.
2. Use measurement to trigger changes in your response
Use measurement, along with updated risk and business impact assessments, to trigger changes in your response to the crisis. With COVID-19 there are good data sets available which can be fed into your decision-making processes, including external data such as infection rates, infection growth rates and death rates. Additionally, national and local governments are communicating actions that the population must take, which will be vital to your response decision-making.
3. Add measurement to track your response
Add a new, limited set of metrics to track how well your firm is responding, and align these measures to your (new) priorities. Change these metrics as your firm moves to different crisis levels.
7. Response Plan and specific tasks
The response to COVID-19 will be driven by a series of very specific, short-term (hopefully) response plans and tasks with clear accountabilities that need to be executed as quickly and effectively as possible. Whether your firm creates a specific COVID-19 crisis management team or manages through existing management structures, clear visibility of the status of your response plans and associated actions will be vital. Response plans should signal what will need to be done next at each step, which can and probably will change rapidly and often.
8. Communication Plans
Finally, no document about responding to COVID-19 would be complete without mentioning communication. The way that your senior leaders, and the firm as a whole, communicate with your stakeholders, both internal and external, will be vital in navigating this crisis and positioning your firm for recovery and post-crisis growth.
This blog post was originally written by Andrew Smart and posted here
COVID-19 - Bill Gates saw it coming!
In 2014, the world avoided a global outbreak of Ebola, thanks to thousands of selfless health workers -- plus, frankly, some very good luck. In hindsight, we know what we should have done better. So, now's the time, Bill Gates suggests, to put all our good ideas into practice, from scenario planning to vaccine research to health worker training. As he says, there is no need to panic but we need to get going.
Is COVID-19 a Black Swan event?
In the matter of a few weeks, the way that people work and play has been turned on its head due to COVID-19. Governments and businesses worldwide have been scrambling to react to the latest twists and turns of this crisis. Many have been caught flat-footed and ill-prepared. Given the nature of COVID-19, and the speed with which it has spread and the impact it is having globally, it is tempting to think about COVID-19 as a Black Swan event.
However, in this article I argue that rather than a Black Swan, we should categorise COVID-19 as a Gray Rhino.
Black Swans
Nassim Nicholas Taleb popularised the concept of a Black Swan event in his highly acclaimed book, The Black Swan. Taleb characterised a Black Swan event using the following three criteria:
It is an outlier; it lies outside the realm of regular expectations because nothing in the past can convincingly point to its possibility.
It has an extreme impact
Despite its outlier status, we work hard after the fact to develop an explanation for the event, making it explainable and ‘predictable’ (even though it was never actually predicted)
The temptation for Government, Business and other leaders to label COVID-19 as a Black Swan event is compelling.
By labelling it a Black Swan, they do not have to confront the uncomfortable question of; why were we not prepared for this?
By labelling it a black swan, we can brush away concerns that none of our risk management reports or dashboards mentioned pandemic. When voters, regulators, investors and other key stakeholders ask the uncomfortable questions; labelling COVID-19 a black swan event provides an easy answer.
This would be fine except for one very important thing: it is not a Black Swan event.
COVID-19 is no black swan
Simply stated, COVID-19 is not an outlier. It is within the realm of our regular expectations, and there have been several similar events in the past:
Spanish flu (1918–1920), estimated to have infected 500 million people and caused 50 million deaths, followed by the influenza pandemics of 1957 and 1968.
Severe Acute Respiratory Syndrome (SARS) (2002–2004), a coronavirus: approximately 8,000 cases reported and 774 deaths across 29 countries.
Middle East Respiratory Syndrome (MERS) (first identified in 2012), aka camel flu, another coronavirus: approximately 1,360 cases reported and 527 deaths.
The West African Ebola virus epidemic (2013–2016): 28,646 reported cases and 11,323 deaths.
One could also add to this list the various outbreaks, many relatively localized, of bird flu and swine flu that have occurred regularly over the last 20 plus years.
Bill Gates also highlighted the risk of a virus-driven global pandemic in 2015, in a TED talk he gave in light of the West African Ebola epidemic.
COVID-19 can hardly be called a Black Swan, outside the realm of regular expectations, when:
Governments have included pandemic on their National Risk Registers. For example, the UK Government's National Risk Register 2017 listed a pandemic caused by the emergence of new infectious diseases as one of the key risks.
Governments have ‘war-gamed’ a pandemic scenario, as the UK Government did in October 2016 and as the outgoing US administration did in January 2017.
So if COVID-19 is not a Black Swan, how should we categorise it?
Gray Rhinos
Rather than a Black Swan, perhaps we should categorise COVID-19 as a Gray Rhino. In the context of risk management, the concept of a Gray Rhino was introduced by Michele Wucker in her book; THE GRAY RHINO: How to Recognize and Act on the Obvious Dangers We Ignore. Wucker characterised a Gray Rhino as a highly probable, high impact yet neglected threat.
Could a global pandemic such as COVID-19 be considered a highly probable event? Would such an event be high impact? Was this a threat that was neglected? I think the answer to each of these questions is yes.
Highly probable – as already stated, there have been several events similar to COVID-19, including SARS and MERS, both of which are caused by coronaviruses.
High impact – again, the effect from similar previous events and the current crisis demonstrates the high impact nature of this event.
Neglected threat – given the number of governments, particularly in the ‘western’ world, which had a global pandemic on their national risk registers or had ‘war-gamed’ this risk, and given the apparent lack of preparation, it is clear that global pandemic was a neglected threat.
While I have set out a series of steps that can be taken in response to the COVID-19 crisis here (insert link), below I would like to set out some thoughts on how and where to include ‘Gray Rhino’ risks within your Enterprise Risk Management framework.
Many business and risk leaders will naturally feel, in light of COVID-19, that Gray Rhinos type risks should be included in regular board and executive risk reporting packs. However, for many firms, this is probably not the right approach.
Regular board and executive risk reporting should focus on those risks directly related to delivering the firm's strategy: delivering specific objectives, maintaining the right level of capital and liquidity, and protecting operational performance under ‘normal’ operating conditions. At this moment a pandemic might be regarded as a normal operating condition; however, it is probably better to use an emerging risk report or dashboard to cover highly probable, high impact risks.
Alternatively, (and my recommended approach) pandemic and other similar Gray Rhino type risks could be included in scenarios. For many firms, the use of scenarios within their Enterprise Risk Management framework is often limited to meeting regulatory obligations such as the ICAAP, ILAAP and SREP.
However, extending the use of scenarios and war-gaming to ‘stress’ your business strategy, business model and operational resilience against Gray Rhino risks can add significant value. Four areas where incorporating scenarios into your Enterprise Risk Management framework adds value:
Establishes a shared view of, and clarity around, the firm's operating environment and strategy; in particular the critical success and risk factors of the strategy and their relative importance to the firm.
Enables the firm to establish and maintain the right level of capital and liquidity under ‘normal’ operating conditions, and to quickly understand the new levels required when operating conditions change.
Enables robust challenge and stressing of the underlying assumptions made about the firm's business strategy, business model and operational model.
Finally, including scenarios within your Enterprise Risk Management framework helps create a ‘Risk-Based decision-making’ culture; a culture where risk, of all types, are key considerations within the decision-making process.
So COVID-19 is not a Black Swan event, but it does add a new phrase to the risk management lexicon – Gray Rhino – and, as is often said, one should never waste a good crisis.
Once we have got through COVID-19, use the experience to strengthen your approach to risk management. If I can leave you with two recommendations, they would be:
Review your approach to risk management and ask do you have an enterprise approach that works, in good times and bad?
Consider the use of scenarios as part of your enterprise risk management approach, but go beyond using them just to meet regulatory obligations (as important as that is): use them to generate actionable business insights and to build a risk-based culture.
This blog post was originally written by Andrew Smart and posted here
Strategy as a Hypothesis. Risk as a Hypothesis.
Strategy is a hypothesis of how the firm will create value. Risk is a hypothesis about the uncertainties of delivering the strategy. Risk management provides the frameworks and tools to understand those uncertainties, to challenge and stress the strategic hypothesis, and to manage the uncertainties within the risk hypothesis.