Friday, 14 March 2014

Making sense of Risk

Precis: Risk comes in many different forms.  Understanding the basic types can help your organisation deal with challenges more effectively.  However, charting risk is not enough.  Sometimes you have to change direction to avoid the reefs.  If you are stuck in one, spending time working out how to avoid the reef is wasted time.

Presentation in 2014 to students and professional groups.

Successful policy makers and entrepreneurs have one thing in common - they are alert to risk, and understand how it comes wrapped.  They are prepared, where necessary, to adapt.



-     Since ISO 31000-2009 (the world standard on risk management), risk is now understood to include both the "chance or probability of risk" and "the effect of uncertainty on objectives".


Risk Management

-      ISO 31000-2009  provides basic guidelines for establishing whole-of-enterprise risk management processes.

      Risk may be managed through a number of strategies, including risk avoidance, sharing, financing, retention, acceptance or mitigation.  These management strategies may include clear risk management statements, formalising risk management processes, structuring framework processes and continuous improvement.

-     ISO 31000-2009 provides a preferential list on managing risk:
1.       Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
2.       Accepting or increasing the risk in order to pursue an opportunity
3.       Removing the risk source
4.       Changing the likelihood
5.       Changing the consequences
6.       Sharing the risk with another party or parties (including contracts and risk financing)
7.       Retaining the risk by informed decision

-     While this list provides a sensible basic and generic framework for dealing with some types of risk, it does not assist with certain types of events (where the early adoption of risk policy may provide a more resilient approach).

Systemic Risk

-     In a particular market, the risk of the entire market (rather than a single entity) collapsing.

-     Collapse can be precipitated by inherent instability in the inter-linkages and interdependencies of entities within the entire market.
-     Policy intervention here is designed to add resilience to the entire market, but has the propensity to worsen the initial problem, come too late or be seen as partial.
Eg: Collapse of part of a supply chain may quickly impact on all parts of the chain.  Loss of confidence in a bank or insurance company may spread to failures in all parts of the market as consumers and stakeholders lose confidence.  Policy intervention may seek to dampen the effect of runs, increase the resilience of the entire system, and remove root causes for failure (prudential regulation).  Because of the lag in intervention, it often happens after the event, and may hinder redevelopment of the market.

-          The term is most commonly found in economic descriptions of the financial market.

Systematic Risk

-     In a particular market, vulnerability to shock (from weather events, government activity – fiscal, monetary or regulatory – or economic downturn) which affects aggregate outcomes across a market (loss of assets, capability or market share).

-     The term is used in finance and economics, and is used in investment analysis (eg, when attempting to assess the trade-off between low risk activities and high risk activities - which is reflected in increased rates of return for higher risk activities).

Eg: Credit squeezes may place financial stress across all financial institutions. 

-     Where a shock may decrease aggregate outcomes in one area but increase them in another, trades between the two may dampen the impact of the shock (hence the attraction of futures trading, insurance market setoffs and hedge funds).

-     The term, as used in finance and economics, is equivalent to aggregate risk, market risk or undiversifiable risk.

Idiosyncratic Risk

-      In a particular market, idiosyncratic risk is the vulnerability to shock peculiar to a specific entity (internal fraud, failure of governance, poor management, poor employees) to the prejudice of the entity's outcomes (loss of assets, capability or market share). 

-     Sometimes, idiosyncratic risk can be reduced by diversification (to avoid some classes of risk, but inviting exposure to different risk).
Eg: Malfeasance within a company might lead to the collapse or poor performance of the company. 

-     The term is used in finance and economics and is equivalent to specific risk, unsystematic risk, residual risk or diversifiable risk.

Individually, these descriptors and associated tools have been developed for specific uses by market analysts and policy makers (specifically for portfolio construction or market regulation).  Taken individually they do not provide a satisfactory approach to risk. 

Risk Policy Approach

A risk policy approach requires a cultural shift.  The early identification of vulnerabilities moves, through problem solving (including use of ISO 31000), to strategies to deal with the vulnerability.  

New enterprises may adopt at inception – existing enterprises may adapt through gap analysis and refocussing objectives.

Risk policy – identifying vulnerabilities

Every enterprise is exposed to the three types of risk described above.  In addition, managers need to be aware of what catastrophic failure looks like and have a plan for dealing with it early.

For example, a car parts manufacturer, dependent on a component industry specific to local car manufacturers, is exposed to:
-          Systemic risk (event -> the car industry moves off shore)
-          Systematic risk (event -> an economic downturn)
-          Idiosyncratic risk (event -> fraud within the business)
-          Catastrophic failure (event -> business on point of trading insolvent)

Risk policy – protecting vulnerabilities

Managers need to be able to distinguish between these classes and identify strategies to deal with probable outcomes.  There is no one strategy that applies in every situation – managers need to be adaptive: while analysis may benefit from market-based considerations, it must be enterprise specific.

At first blush, it might appear that the first two types of risk are outside the control of an enterprise, and can be ignored.  Dealing with these risk types can be challenging, but the risks cannot be ignored.  The process of problem solving can be cathartic – problem solving can lead to identifying new opportunities.

Examples of adaptive approaches, in relation to the risks in the example above, are:
-          Systemic risk (strategy -> follow the car industry off shore)
-          Systematic risk (strategy -> diversify into other component markets)
-          Idiosyncratic risk (strategy -> effective prudential governance – utilising ISO 31000)
-          Catastrophic failure (strategy -> wind up company)

Risk Policy - Early adoption

It is often too late to deal with a risk event once it is in progress.  In the manufacturing example given, if the company is unwilling to move offshore, is only capable of producing one product and places its financial management in the hands of a single bookkeeper, it will have difficulty adapting to the risk.  However, it may be that the company deliberately adopted that narrow approach to generate good returns.  In that case, when the risks materialise, it may be prepared to wind up at the earliest possible time to avoid further loss.

Adaptive risk policies attempt to actively understand global business opportunities and be ready to diversify.  These enterprises are more resilient to risk.  How the enterprise is prepared to adapt will differ from enterprise to enterprise – generally small local businesses (a hairdressing salon or a local insurance broker) don't attempt such an approach.  Within medium and larger scale businesses, common risks may generate similar risk strategies.

Risk policy starts at the top and influences all formative decisions about the shape and stance of an enterprise.  In mid or larger sized enterprises, specialists (managerial and financial) may be necessary to assist with the identification of, and response to, risk types.  These specialists are best able to contribute to this process where they understand the business as well as the broader business and economic context.  They must be able to develop effective levels of prudential management to meet the third type of risk – without themselves contributing to the risk.
-          Systemic risk (policy -> a global focus – from silos to related/connected entities)
-          Systematic risk (policy -> internal and external networks focussing on stakeholders/ causalities)
-          Idiosyncratic risk (policy -> effective structures, authority, support and audit)
-          Catastrophic failure (strategy -> monitoring of key indicators)

Peter Quinton
Palerang 2014 
