BSBRSK501 Readings

Submitted by coleen.yan@edd… on Tue, 08/08/2023 - 15:39

Reading A: Fundamentals of Risk Management
Reading B: Scope, Context and Criteria for Risk Management
Reading C: Preliminary Risks
Reading D: Reporting Risks
Reading E: Risk Control
Reading F: Potential Pitfalls and How to Overcome Them

Important note to students: The Readings contained in this section are a collection of extracts from various books, articles and other publications. The Readings have been replicated exactly from their original source, meaning that any errors in the original document will be transferred into this Book of Readings. In addition, if a Reading originates from an American source, it will maintain its American spelling and terminology. AIPC is committed to providing you with high quality study materials and trusts that you will find these Readings beneficial and enjoyable.


Wolke, T. (2017). Risk management. Springer International Publishing.

It is not necessary to emphasize the importance of risk management in view of the daily media information about the consequences of the worldwide financial crisis, company bankruptcies, and other emergencies. In the news coverage about risk, central concepts are often interpreted and applied in different ways. What follows is an overview of the different types of risk and a process-oriented description of risk management. Risk identification and an overview of the different types of risk will round off the fundamentals of risk management.

1.1 The definition and reasons for risk management


There is no unified definition of risk concepts applied in the business literature. The word “risk” derives from the early Italian risicare, which means “to dare”. A relatively commonly used definition of risk is based on possible damage or the potential loss of a net asset position, with no potential gains to offset it. The neglect of potential gain is especially important because in further concepts, for example the RoRaC concept, the measurement of returns is separate and occurs independently of the risk measurement. There must be sharp distinctions between risk and return, otherwise it’s possible for the same profit to be considered more than once, which could lead to inconclusive results.

In business decision theory, the concept of risk is based on knowledge of probabilities or probability distributions regarding uncertain future events. In particular, consideration of the synergies between different risks, the so-called diversification effect, represents an important distinction between the treatment of individual risks and of combined risks. The term risk controlling, often used in both practice and theory in this context, is substantively distinct from risk management. In the following material, risk controlling is viewed as a component of risk management which supports the planning and steering of the company. From this perspective, risk controlling fulfills a strong organizational and oversight role. By contrast, risk management revolves around the concrete implementation of provisions for risk measurement and risk steering. Risk controlling is one part of the process-oriented description of risk management (see Section 1.2). The reasons for risk management are manifold and complex. Ever since the 2008 financial crisis there has been a general consensus about the necessity of a functioning business risk management strategy. Since the grounds for pursuing risk management have an effect on the way it is conducted, the reasons will be described and elucidated. The reasons can be divided into three categories:

  • Legal framework
  • Economic reasons
  • Technological advances

The legal framework includes, first of all, the respective national laws and regulations. For example, the following legislation applies in Germany: The German Act on Corporate Control and Transparency (KonTraG) from 27 April 1998, which expands the duty of care required from companies and stipulates disclosure of the business risks in the management report. The Corporate Governance Code contains non-legally-binding recommendations for risk management. The Risk Limitation Act of 12 August 2008 regulates the disclosure requirements of major company shareholders (financial investments) and is supposed to make company acquisitions by investors more transparent. The Commercial Code (Handelsgesetzbuch/HGB) and the German Accounting Standard (Deutscher Rechnungslegungsstandard/DRS) describe the most important laws regulating German reporting.

In America the Dodd-Frank Act constitutes an important legal framework in response to the financial market crisis. The goal of the Dodd-Frank Act is to promote stability of the financial market as well as increase responsibility and transparency in the US financial system. The US GAAP (Generally Accepted Accounting Principles) regulate, among other things, risk reporting for US companies.

However, there are also international laws and regulations that form a legal basis for risk management. For banks Basel III sets out the current and future international legal framework for structuring risk management. For the insurance industry, Solvency II is the corresponding counterpart to Basel III. Descriptions of industry-specific features will be omitted here and elsewhere in this book in favour of more generally accessible accounts. The IFRS 9 (International Financial Reporting Standards) applies to external risk reporting from 2018. The application of international laws depends on how they are integrated into national law and often represents a long process. Thus, the USA has not so far adopted Basel III. The greatest alignment between national and international law being observed at the moment is with the IFRS, although the differences between the US-GAAP and the IFRS are also evident here.

Over the course of the financial crisis, numerous laws and regulations have been passed in the last few years which have especially changed the legal framework for banks and financial markets. The effects of the financial crisis on risk management for non-banking institutions will also be further clarified there.

The economic reasons for risk management lie basically in the strongly increasing globalization of the financial markets and the introduction of new financial products (especially in the area of derivatives). The launch of the Euro in combination with inadequate regulation of these new products was one cause of the financial crisis and therefore a reason to pursue risk management. Finally, there are technological advances, primarily the quicker spread of information through digital media and the Internet. But also, businesses now make products that become obsolete faster, thus shortening the product cycle and increasing the product risks. As a result, the commodities and goods markets also grow faster due to the technological advances in spreading information and accompanying globalization. The results of the increasing globalization and shortened product cycles are seen in the numerous bankruptcies of the past years and not least also in the financial crisis.

The concept of risk management and the reasons for pursuing risk management are summarized in Figure 1.1.

Figure 1.1 Risk management
  • Risk: potential loss of net assets / damage, without consideration of possible profits / income
  • Risk Management: Risk measurement and steering of all risks, consideration of the synergies
  • Legal framework:
    • Act of Corporate Control and Transparency
    • Basel II / III, Solvency II
    • Corporate Governance
    • Risk Limitation Act
    • Reporting Standards
    • Laws and Regulations with regard to financial crisis (e.g. Dodd-Frank-Act)
  • Economic reasons:
    • Globalization of the financial markets
    • New financial products
    • Launch of the Euro
    • Inadequate regulation of products / markets
  • Technological advances:
    • Quicker spread of information / Internet
    • Shorter product cycles
    • Globalization of the commodities / goods markets

1.2 Risk management as a process

Starting from the concept of “risk management” as defined in Section 1.1, the topic of risk management will now be systematized. There are different criteria for doing this. One of the classifications that is used most often in the literature considers risk management as a process, i.e., as a sequence of events in time (dynamic). Risk management is a dynamic process and not a one-time event (static). The schematic representation of risk management processes shown in Figure 1.2 is often found in the current literature in this or slightly modified form (based on the classic management process).

Figure 1.2 Process of risk management

Economic risks in the sense of the above definition (see Figure 1.2) will be included in the scope of risk identification. There are a number of different approaches for this purpose, which depend on the special features of the business and its organizational structures. Generalizations are simply not possible, yet there are different instruments that can be deployed. For a complete compilation of all risks see Section 1.3, where a systematization of business risk types (for example, market risks) can be found.

After risk identification comes risk measurement and the accompanying assessments or risk analysis. In the context of risk measurement, it is then useful to distinguish between quantitative and qualitative measurement procedures. Quantitative measurement is largely about key figures (for example volatility), whose calculation is based on existing observable prices, rates and other market data. For many risks, however, such market data are not available, for numerous reasons. In these cases, qualitative measurement techniques are used.

In risk analysis, the measurement results are evaluated. Here, the risks are filtered for relevancy first. The central goal of the analysis is to answer the question of whether the measured and relevant risks require action. The core of risk analysis is the so-called concept of Return on Risk-Adjusted Capital. The outcome of the risk analysis is the foundation for the necessary risk control (risk steering). Because of the numerous and complex instruments and strategies for risk control, at this point the strategies will be roughly divided into:

  • Provision
  • Risk shifting
  • Compensation and
  • Diversification.

1.3 Risk identification and risk types


Identification of business risks that exist in the context of corporate activities cannot be described in general form. Types of risk and especially their respective importance for a business depend heavily on the specific features of the business, such as for example industry characteristics, regional peculiarities or product types. In order to be more accessible and comprehensible to a wider readership, this book will not delve further into these special features. Instead, it will revolve around other principles and emphases. The interested reader will find references to the available specialist literature in the relevant sections where the various industries and other special features are mentioned. However, some general fundamental principles and basic tools can be applied to risk identification independently of that. For example:

  • analysis grids
  • risk tables
  • interviews
  • analysis of operational processes

A basic component and prerequisite of risk identification is the systematization of the types of business risk. There are various kinds of systematizations of the different risk types in the literature and in business practice. What decides the type of systematization and especially the related criteria is the corresponding question. The objective of this book is a general, business-wide discussion of risk management, independent of industry features, company size and region.

At the highest level, a distinction will be drawn between scientific and economic risks. This might seem banal at first glance. However, a fundamental problem will become apparent: the various risks cannot always be clearly separated from one another. Thus, scientific risks like, for example, earthquakes are inextricably intertwined with the economic risks of reinsurance companies. This problem cannot be solved through systematization. Nonetheless what follows will try to minimize the problem by using the clearest possible definitions of the risk categories.

The economic and business risks will be suitably separated in a second step. Here the impossibility of precision will be seen again: cyclical risks directly affect the business sales risk.

On the corporate or business level a distinction between financial and performance risks will be drawn. This is in line with the goal of capturing all possible business risks based on internal accounting systems. The financial risks will be further divided into market, default and liquidation risks. The performance risks will be subdivided into operational and sales/procurement risks.

The interdependence between the various economic risks must be emphasized. A default risk can lead to a liquidation risk if the agreed interest and principal payments can no longer be met by debtors. The stock price risk cannot be separated from the insolvency risk (=default risk) because a corporation threatened with insolvency also automatically carries a considerable amount of stock price risk. A production process that requires crude oil entails a procurement risk through rising oil prices. The crude oil must be bought in US-$, which along with the procurement risk creates a currency risk from appreciation of US dollars.

These examples illustrate the allocation problem of assigning various types of risk to transactions. Different methods and tools are used for different types of risk. Thus, it is advisable to use the most precise categories possible. This allocation can be achieved with the help of the causation principle and the control principle. Both principles will also be applied in organizational risk controlling and risk management in Section 6.2. With the causation principle, transaction risks are assigned according to the primary causal risk. Overdue debtor payments and threatened corporate bankruptcy are thus classified according to the primary causal principle of default risk. Increasing crude oil prices would be classified as procurement risk. On the control principle, the risks are allocated where they can be most sensibly controlled. So, the exchange rate risks arising from crude oil procurement are classified as currency risk (currency management). The overdue interest and principal payments are classified as liquidation risks (liquidation management). The control principle is also necessary in the context of risk controlling, in order to grasp the compensation effect for, e.g., exchange rate risks or liquidation control throughout the entire company.

Classification of types of business risk

Roberts, P. (2022). Simplifying risk management: An evidence-based approach to creating value for stakeholders. Routledge.

Building on the discussion of integrated risk management, and ISO 31000 in particular, in the previous chapter, this chapter begins to describe a proposed approach to better risk management. In this chapter, I will focus on the scope, context and criteria of risk management. To reiterate, the overall aim of this approach is to be able to present proposals for investing in risk management to senior managers as normal business decisions, based on robust estimates of the return on investment. As discussed in the previous chapter, there is considerable overlap in ISO 31000 between this process step and elements of the risk management framework. I have already discussed the risk perspectives of different stakeholder groups in some detail in Chapters 1 and 2, and the need to engage with internal and external stakeholders was repeatedly emphasised in ISO 31000. A good understanding of the organisation’s stakeholder groups and their risk perspectives forms the context for any risk management programme. To summarise some of the key stakeholders’ perspectives:

  • Owners (where these exist) will be primarily concerned with expected outcomes, the variability in outcomes and the likelihood and cost of financial distress
  • Senior managers will be primarily concerned with missing targets; and
  • Other staff members, customers, suppliers and lenders will primarily be concerned with the likelihood of financial distress.

This chapter begins by looking at how these different stakeholder perspectives can be used in setting the organisation’s risk criteria. The aim of integrated risk management is that these risk criteria are then consistently applied to all risks but, as will be discussed, this is not always the case in practice. Ensuring consistency involves various elements of the risk management framework, most importantly the assigning of roles, authorities, responsibilities and accountabilities, as well as appropriate arrangements for monitoring and review. The chapter concludes by discussing how one justifies the resources to be allocated to risk management.

Agreeing risk criteria

Consideration of stakeholders’ risk perspectives should enable the organisation to express its risk criteria, that is, what sort of risks are acceptable or tolerable to stakeholders. Logically, stakeholders will only wish to accept risks if there is expected to be some benefit to them, so what one is really trying to establish is answers to questions such as:

  • How much compensation do stakeholders require to accept an increased probability of an extreme event; and
  • How much compensation do stakeholders require to accept an increased variability in outcomes?

However, in keeping with the focus on risk treatments rather than risks themselves, these two key risk criteria can be more usefully phrased as:

  • How much are stakeholders willing to pay to reduce the probability of an extreme event; and
  • How much are stakeholders willing to pay to reduce variability in outcomes?

In order to implement a quantitative approach to managing risk, as advocated in this book, one actually needs to put a figure on these values, rather than a vague statement of intent or a list of principles. As has been discussed previously though, this may require the reconciling of very different risk perspectives of different stakeholder groups, so agreeing on these risk criteria represents the first real challenge to a quantitative approach. Recalling the discussion of reconciling conflicting interests in Chapter 1, expressing risk criteria numerically will likely involve elements of satisficing rather than optimising, and the values may well evolve with time and experience. However, as I argue time and again throughout this book, it is preferable to have an initial estimate that people can then argue about and improve over time, rather than conceal these tensions under vague, qualitative verbiage. The potential for conflicts of interest also highlights, once again, the criticality of establishing a sound risk management framework. Roles and responsibilities, up to Board level, need to be clearly defined, and lines of communication, internal and external, established to ensure that different stakeholders’ views are heard and incorporated into the risk criteria. Critically, the risk management framework needs to be robust enough to ensure that no single stakeholder group (e.g., senior management) can appropriate the risk management programme for their own benefit.

Reducing the probability of an extreme event


In considering extreme events, at a very minimum it is necessary to calculate how much it is reasonable to spend to reduce the probability of a loss that would result in bankruptcy. There may also be other levels of extreme loss short of this that need consideration in their own right. For instance, any loss that was large enough to breach banking covenants, or to violate conditions imposed by a regulator, would have a significant impact on the organisation. Indeed, Hubbard (2020, p.69) proposes plotting a complete “loss exceedance curve”, illustrating the acceptable probability of any level of loss. Particularly within the public and not-for-profit sectors, there may also be significant value in reducing the likelihood of non-financial extreme events that could, for example, damage the organisation’s reputation or put it in breach of its contractual or statutory obligations. Focusing solely on the probability of bankruptcy, a number of stakeholder groups will be impacted by such an event, including:

  • Owners who see the value of their investment wiped out;
  • Lenders, particularly unsecured lenders, whose loans are not (fully) repaid;
  • Staff who suffer personal financial loss; and
  • Customers and suppliers who face disruption to their supply chain.

Of these, the cost to owners (where applicable) and the cost to lenders are relatively easy to calculate. Considering the example of a small firm with £600,000 of shareholders’ equity, total losses of greater than £600,000 would result in bankruptcy and the loss of all of this equity. If one can reduce the annual likelihood of a loss of over £600,000 by 1%, then the expected loss to owners has been reduced by £6,000 a year (1% of £600,000). If, in addition, the organisation has loans of £1 million, and lenders expect to be able to recover only 50% of this amount in the event of bankruptcy, then this reduction in the likelihood of financial distress would save an additional £5,000 (1% of 50% of £1 million) annually.* Thus, as a starting point, one can say that for this firm it is worth paying at least £11,000/year for a 1% reduction in the likelihood of sustaining a loss of greater than £600,000. Expert judgement can then be applied to evaluate the impacts on other stakeholder groups in order to estimate the overall benefit of reducing the probability of bankruptcy.

Reducing variability of outcomes

In the context of an entrepreneurial firm with a single owner, one can directly apply Utility Theory (or a more modern approach to individual choice such as Prospect Theory) to estimate the value of a reduction in the variability of outcomes. Attempting this in the rarefied environment of an MBA workshop, where students were asked to role-play being an entrepreneur with all their wealth tied up in a business similar to the one described in the previous section, I found that, for instance, a reduction in the standard deviation of profit and loss from £100,000 to £50,000 was valued at about £20,000.* However, the empirical evidence reviewed shows that the level of compensation required to accept variability in outcomes is very dependent on the prevailing economic conditions. Therefore, an alternative way to estimate this risk criterion is to infer stakeholders’ risk perspectives from a profit and loss model for the organisation. This yields a relationship between expected returns and variability of returns, specific to that organisation at that particular point in time, that is, presumably, acceptable to all stakeholder groups.

As discussed previously, investors in large corporations can significantly reduce the risk to themselves of variations in performance of individual firms simply by diversifying their portfolios. Thus, one would expect the value to well-diversified investors of specific risk treatments to be significantly less than their value to entrepreneurial owners. It is possible to gain a good idea of the value to such investors of reducing variability from empirical studies of stock market data. Malkiel and Xu (1997), studying publicly traded US firms from 1963 to 1990, and Dempsey et al. (2001), studying publicly traded Australian firms from 1990 to 2000, found very similar results. In both cases, it appears that stock market investors require roughly a 1% increase in annual returns for each 4% increase in the idiosyncratic variability of returns (i.e., variability not correlated with the market). Once again though, this will presumably depend on economic conditions. As regards public sector and not-for-profit organisations, there is no ownership argument, but there may still be practical reasons for wishing to minimise variability.

Ownership and delegated authority


An effective integrated risk management system requires ownership of risks at an appropriate level throughout the organisation; this involves individual managers making risk-based decisions within their own areas of responsibility. However, in making these decisions managers should consistently apply the corporate risk criteria, not criteria appropriate only to their own business unit or department. I have previously noted that risk-taking decisions should be based on exactly the same criteria as risk management decisions. Thaler (2015, p.187) eloquently illustrates the problem of applying inappropriate risk criteria in the context of risk-taking, in a story about running a workshop for a group of executives working for a large print media company. Each of the 23 executives in the workshop was asked if they would accept an opportunity for their own business unit that offered a 50% chance of $1 million gain and a 50% chance of $500,000 loss. Although the expected outcome was positive, only 3 of the 23 executives taking part said that they would accept the project, but their CEO, who was observing the workshop, wanted them all to proceed with the projects. Why were the decisions made by almost all of the executives not in line with their CEO’s wishes?

It would appear that the majority of the executives were applying inappropriate risk criteria based on the perspective of their own business unit and, potentially, their own self-interest. As I discussed, managers are generally concerned with the likelihood of missing targets: a loss of $500,000 would probably be very significant for most of the business units as stand-alone entities and would most likely result in a missed target (and lost bonus). However, the business units are not stand-alone entities, and if all 23 executives had opted to take the opportunity, there is a very significant potential upside, and less than a 5% chance of the firm losing any money.* This example echoes my initial comments about how integrated risk management seeks to manage risks as a portfolio.
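The “less than 5%” figure above, and the loss exceedance curve mentioned in the Hubbard reference earlier in this reading, can both be checked by treating the 23 projects as a portfolio. The following is an added worked example, not code from Roberts’s book: it assumes the projects are independent (a 50/50 coin for each unit, as in the Thaler story), names such as `portfolio_loss_probability` and `loss_exceedance` are the example’s own, and the gain/loss amounts are the constructed figures quoted in the text. It goes slightly beyond the text by letting you vary the number of projects, which is what shows the diversification effect that integrated risk management relies on.

```python
from math import comb

# Constructed from the Thaler workshop story above: each of the 23 business
# units is offered a project with a 50% chance of a $1m gain and a 50% chance
# of a $500k loss. Treating the projects as independent is an assumption.
N_PROJECTS = 23
P_GAIN = 0.5
GAIN = 1_000_000
LOSS = 500_000


def _binomial_pmf(k, n, p):
    """Probability of exactly k successes out of n independent trials."""
    return comb(n, k) * p ** k * (1 - p) ** (n - k)


def outcome_distribution(n=N_PROJECTS, p=P_GAIN, gain=GAIN, loss=LOSS):
    """Map every possible net outcome of the portfolio to its probability.

    With k successful projects the net result is k*gain - (n-k)*loss, so the
    whole distribution is the binomial pmf re-labelled in money terms.
    """
    return {k * gain - (n - k) * loss: _binomial_pmf(k, n, p) for k in range(n + 1)}


def expected_value(n=N_PROJECTS, p=P_GAIN, gain=GAIN, loss=LOSS):
    """Expected net outcome of taking all n projects; scales linearly with n."""
    return n * (p * gain - (1 - p) * loss)


def loss_exceedance(threshold, n=N_PROJECTS, p=P_GAIN, gain=GAIN, loss=LOSS):
    """Probability that the portfolio loses more than `threshold` (>= 0).

    Evaluating this for a range of thresholds gives the points of a loss
    exceedance curve for the portfolio.
    """
    return sum(
        prob
        for net, prob in outcome_distribution(n, p, gain, loss).items()
        if -net > threshold
    )


def portfolio_loss_probability(n=N_PROJECTS, p=P_GAIN, gain=GAIN, loss=LOSS):
    """Probability that the firm loses any money at all on the portfolio."""
    return loss_exceedance(0, n, p, gain, loss)


if __name__ == "__main__":
    # One unit on its own vs. the whole firm: the same expected return per
    # project, but a very different chance of ending the year with a loss.
    for n in (1, 5, 23):
        print(f"{n:2d} project(s): EV = ${expected_value(n):>12,.0f}, "
              f"P(net loss) = {portfolio_loss_probability(n):.2%}, "
              f"P(loss > $5m) = {loss_exceedance(5_000_000, n):.4%}")
```

For a single unit the chance of a loss is 50%, which is what each executive was reacting to; for all 23 projects together it falls to about 4.7%, while the expected value grows to $5.75 million. The same `loss_exceedance` function, called for a series of thresholds, produces the data behind a loss exceedance curve, which is the form in which the acceptable probability of each level of loss can be compared against the organisation’s risk criteria.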

Rabin and Bazerman (2019) provide a detailed and entertaining critique of organisational decision-making, which further highlights the need for a consistent application of risk criteria across the organisation. Whilst the main focus of the article is on the observed tendency towards risk aversion, the authors also highlight the problem of inconsistent risk attitudes across an organisation: typically, some functions within the organisation (e.g. sales) are positively risk-seeking, whilst others (e.g. legal) are very risk-averse. Rather than these differing approaches to risk balancing each other out, as one might imagine, the waste of resources through unnecessarily risk-averse decisions in some parts of the organisation means that there is less available in reserves to deal with the consequences of risk-seeking decisions made elsewhere in the organisation. Thus, inconsistency in the application of risk criteria actually makes the organisation more vulnerable.

Justifying resources

ISO 31000 (2009, para 5.3.4) emphasises that “The management of risk should be undertaken with full consideration of the need to justify the resources used in carrying out risk management”. In Chapter 6, I will show how potential risk treatments can be evaluated based on a straightforward return on investment calculation, so there is no need to provide further justification for the resources committed to individual risk treatments. However, this does not justify the central costs of running a risk management programme; these will normally consist primarily of staff costs, but may also include for example consultancy fees, IT equipment and software licences. There is no elegant solution to this problem, but I can offer some practical advice. First and foremost, my professional experience is that these central costs are dwarfed by the costs of mitigating specific risks: typically, central costs would be an order of magnitude less than implementation costs. That is not to say that they can be ignored though. I would strongly advocate an incremental approach to implementing risk management, perhaps using consultants and contractors initially before recruiting an in-house team, and measuring the return on investment at each stage before expanding the programme.

Summary

In this chapter I have begun to outline a quantitative approach to risk management, broadly based on the principles of integrated risk management outlined in ISO 31000. In particular, I have reinforced the need for an effective risk management framework and discussed the scope, context and criteria of risk management.

It is vital to agree on appropriate risk criteria; this requires effective, two-way communication with all stakeholder groups. I looked specifically at the value (to stakeholders) of reducing the likelihood of an extreme loss and reducing the variability in outcomes. The importance of ensuring that managers throughout the organisation apply the agreed risk criteria consistently was also highlighted. The resources committed to risk management must be justified. It was suggested that a flexible, incremental approach to implementation allows an organisation to gradually build up the data required to justify further expenditure as the programme rolls out.


Popov, G., Lyon, K. B., & Hollcroft, D. B. (2020). Risk Assessment: A practical guide to assessing operational risks. Wiley.

As the name indicates, a Preliminary Hazard Analysis (PHA) is a “preliminary” or initial analysis of a system design, facility, or process that is used in many industries and applications. PHA is used by safety professionals to identify hazards and necessary control measures and allow for risk levels to be prioritized for further risk assessment and management. It is one of the eight risk analysis and assessment techniques listed in the American National Standard, ANSI/ASSP Z590.3, Prevention through Design, Guidelines for Addressing Occupational Hazards and Risks in Design and Redesign Processes. The ANSI Z590.3 standard makes note that PHA, along with Failure Mode and Effects Analysis (FMEA), and What‐If methods are sufficient to address most risk situations. This chapter will offer a careful review of the preliminary hazard analysis process and evaluation of prevention measures.

Preliminary Hazard Analysis (PHA) is a systematic approach originally developed in the 1960s by the United States Army and published in the MIL‐STD‐882 standard as a method to identify hazards, assess the initial risks, and identify potential mitigation measures early in the design stage. It is referred to as a “preliminary” analysis since it is usually followed by more refined hazard analysis and risk assessment studies in more complex systems. Variants of PHA have been developed including Hazard Identification (HAZID) and Rapid Risk Ranking (RRR) methods according to Rausand. Although it is called an “analysis,” the preliminary hazard analysis method is usually considered a risk assessment tool since it is used to analyze, estimate, and evaluate risk. For the purposes of this chapter, the method is also referred to as a PHRA or preliminary hazard and risk analysis to reflect both preliminary hazard analysis and preliminary risk analysis terms.

In the ASSP TR 31010‐2020, Technical Report: Risk Management – Techniques for Safety Practitioners, PHA is defined as “an ‘initial’ systematic analysis of a system design, facility or process used to identify hazards and necessary control measures and allow for risk levels to be prioritized for further risk assessment and management” (ASSP TR 31010 2020). A PHA is used to identify and describe significant hazards that could arise from failure modes, defects, and unsafe conditions in the design and operation of a system or subsystem. The PHA model also provides an analysis of the “current state” risk levels, and the “future state” risk levels with proposed risk reduction measures.

Note

PHA also stands for Process Hazard Analysis in the Occupational Safety Health Administration (OSHA) Process Safety Management of Highly Hazardous Chemicals (29 CFR 1910.119) and the Environmental Protection Agency (EPA) Risk Management Program for Chemical Accidental Release Prevention regulations.

Clemens states that a PHA “produces a hazard‐by‐hazard inventory of system hazards and an assessment of the risk of each of them. A PHA is also a screening or prioritizing operation. It helps separate hazards that pose obviously low, acceptable risk from the intolerable ones for which countermeasures must be developed.” A limitation of PHA is indicated by Clemens in his following statement: “A PHA does not readily recognize calamities that can be brought about by co‐existing faults/failures at scattered points in a system.” Since hazards are identified and analysed individually, the potential for synergistic effects from combined hazards can be missed. For example, a PHA may not recognize a combined exposure such as cold temperatures and vibration which can cause increased risk of soft tissue damage to hands, arms, feet, or other exposed areas.

The scope of PHA should consider worst‐credible hazards that can result from the system and its function. The following elements to include in a PHA are adapted from the MIL‐STD‐882E standard:

  • System components.
  • Energy sources.
  • Hazardous Materials.
  • Material compatibilities.
  • Safety‐related interfaces between system elements including software.
  • Interface considerations to other systems.
  • Environmental factors and constraints affecting the system.
  • Procedures for system’s life‐cycle modes including operating, test, maintenance, built‐in‐test, diagnostics, emergencies, explosive ordnance render‐safe and emergency disposal.
  • Health hazards.
  • Environmental impacts.
  • Human factors engineering and human error analysis of operator functions, tasks, and requirements.
  • Inadvertent activation.
  • Life support requirements and safety implications in manned systems, including crash safety, egress, rescue, survival, and salvage.
  • Event‐unique hazards.
  • Facilities, equipment, and training.
  • Safety‐related equipment, safeguards, and alternate controls.
  • Malfunctions to system.

In the 2019 version of ANSI/ASSP/ISO 31010 risk assessment standard, the preliminary hazard analysis method is not included. However, the previous version of the ISO 31010 adopted by ANSI as ANSI/ASSP Z690.3‐2011 describes PHA as “a simple, inductive method of analysis whose objective is to identify the hazards and hazardous situations and events that can cause harm for a given activity, facility or system” (ANSI/ASSP Z690.3, 2011). While Z690.3 indicates that the method is a “qualitative” tool, it is often used as a “semiquantitative” tool. Manuele in his book, Innovation in Safety Management issues a word of caution against placing too much faith in numerical scores or values that are based on subjective judgments. Very few so‐called “quantitative” scores are truly based in quantitative data. One advantage to using numerical scores whether based on qualitative or quantitative data is the ease of recognizing, performing mathematical calculations, and comparing risk levels within a risk matrix or profile.

Preliminary hazard list

As described, a Preliminary Hazard Analysis (PHA) is considered a fundamental system safety method of identifying hazards which is best conducted early in the design process. Prior to a PHA, a Preliminary Hazard List (PHL) is commonly used to identify and compile a list of potential, significant hazards associated with a system’s design. The purpose of a PHL is to initially identify the most evident or worst‐credible hazards that could occur in the system being designed. Such hazards may be inherent to the design or created by potential energy release in the system. A PHL is only a list of the hazards; however, it can be the basis for an analysis that becomes a PHA or other risk assessment.

A PHL is normally developed by collecting information from available sources such as historical loss data, and similar systems. Specifically, information on the system’s specification and requirements is collected including potential energy sources and controls; potential hazardous materials and their containment; general and specific checklists; lessons learned from similar systems; incident reports and analyses; interviews and discussions with system users or other knowledgeable parties. A PHL lists hazards that may require special safety design emphasis or areas where in‐depth analyses are needed. PHLs are used to provide inputs in determining the scope for hazard analyses and are typically documented in a spreadsheet or table.

Upon collection of the information, a team of qualified members reviews the information and conducts brainstorming to complete the list of potential significant hazards, a brief description of the hazard, and its causal factor(s).

PHAs and their application

The Preliminary Hazard Analysis method was designed to be used as an exploratory or initial analysis early in the design stage when little information is available on design details or operating procedures. Early in a system’s conceptual design and development, PHA is used to identify potential hazards and necessary design specifications to avoid, eliminate, and reduce identified hazards. Specific control measures and design specifications identified through a PHA can then be built into the system’s design.

Taking the time to perform a PHA early on may actually speed up the design process and avoid costly mistakes. Any identified hazards that cannot be avoided or eliminated in the project design phase must be controlled so that the risk is reduced to an acceptable level. The hierarchy of controls concept should be the basis for selecting risk reduction controls as required by the ANSI/ASSP Z590.3, Prevention through Design standard and other risk‐related standards.

PHAs often lead to the need for more refined analyses and assessments such as Failure Mode and Effects Analyses (FMEA), Failure Mode, Effects and Criticality Analyses (FMECA), Fault Tree Analyses (FTA), and even Bow‐Tie analysis. These methods are commonly used to further identify, evaluate, and avoid hazards in more complex or safety sensitive designs. PHA should be updated as necessary during phases of design, construction, and testing to detect any new hazards and controls needed. While primarily used early in the design phase, a PHA may be performed at any point in a system’s life cycle. PHAs are used by many industries to examine existing systems, prioritize risk levels, and select those systems requiring further study. The use of a single PHA may also be appropriate for simple, less complex systems, or when financial limitations will prevent more extensive techniques from being used.

The control of hazardous energy

PHAs often include a basic review of potential energy or hazardous materials and their potential uncontrolled release (Rausand). The Haddon Energy Release theory developed by Dr. William Haddon, Jr., in the 1970s provides a foundation for this review process. Haddon’s “Energy Release Theory,” based on a system safety approach, establishes a relationship between the causation and the risk control method selected. Haddon’s model should be considered when conducting a PHA or design safety review because engineers understand systems thinking and can relate to the energy control strategies.

Haddon's control strategies

Haddon’s “Energy Release Theory” includes sequential control strategies listed in a hierarchy of control fashion that should be considered early in the design. Haddon’s strategies are listed below in an abbreviated form:

  • Prevent stored energy: Prevent the marshalling of the form of energy in the first place, such as preventing the generation of thermal, kinetic, or electrical energy, or ionizing radiation that can be potentially released.
  • Reduce stored energy: Reduce the amount of energy marshalled by its amount and concentration, such as limiting the amount of chemicals stored, reducing the size of materials handled, or reducing the speed of vehicles.
  • Prevent energy release: Prevent the release of the energy by incorporating physical containment.
  • Reduce rate of release: Modify the rate or spatial distribution of release of energy from its source such as reducing compressed air pressure to 30 pounds per square inch (psi), or reducing the slope of warehouse ramps for forklifts.
  • Separate energy release from humans and assets by space or time: Separate, in space or time, the energy being released from that which is susceptible to harm or damage. This strategy eliminates the intersection (exposure) of energy and humans or assets. Examples include increasing the distance between the point of operation of a punch press and the operator or scheduling human interaction with machine when its functions are neutralized.
  • Separate energy release from humans and assets by physical barriers: Separate by interposition of a material “barrier” such as the use of insulation on electrical lines, machine guards, or welding curtains.
  • Modify contact surfaces: Modify appropriately the contact surface, subsurface, or basic structure, as in eliminating, rounding, and softening corners, edges, and points with which people can come in contact.
  • Strengthen susceptible structures: Strengthen the structure, living or non‐living that might otherwise be damaged by the energy transfer such as the reinforcement of storage racks exposed to forklift damage.
  • Increase detectability and prevention of harm: Move rapidly in detection and evaluation of damage that has occurred or is occurring and counter its continuation or extension. Examples include fire alarms and sprinkler systems, proximity limit switches or presence sensing devices.
  • Prevent further damage: After the emergency period following the damage energy exchange, stabilize the process. Examples include disaster recovery plans, and emergency action and evacuation plans.

Haddon’s control strategies validate the thinking that when appropriate energy controls are incorporated into the design, potential energy release is avoided, eliminated, or effectively controlled. Safety professionals using PHA, or other risk assessment methods should pay close attention to the potential for hidden energies in products and systems.

Fundamental system safety tenets

Preliminary Hazard Analysis is a system safety analysis method. Therefore, it is appropriate to include a list of fundamental principles that apply to the system safety approach. The following listed tenets are taken from Roger Stephans’ book System Safety for the 21st Century: The Updated and Revised Edition of System Safety 2000. These principles are consistent with those found in many safety and risk management texts as well as related standards. They are considered important to the safety professional and worth repeating.

  • Systematically identify, evaluate, and control hazards in order to prevent accidents or mitigate the severity of consequences. (as in the practice of Risk Management)
  • Apply a precedence of controls to hazards starting with their elimination, designing to preclude hazards, or reduce risks. (The lowest precedence are those controls that rely on people.) (The Hierarchy of Risk Controls)
  • Perform proactively rather than reacting to events. This starts with a program plan.
  • Design and build safety into a system rather than modifying the system later in the acquisition process when any changes are increasingly more expensive. (Prevention through Design)
  • Develop and provide safety‐related design guidance and give it to the designers as the program is initiated. (Design Safety Reviews; Preliminary Hazard Analysis)
  • Use appropriate evaluation/analysis techniques from the tabulated variety available. (Risk assessment methods as described in this text, ANSI Z560.3, ASSP TR 31010, and ISO 31010)
  • Rely on factual information, engineering, and science to form the basis of conclusions and recommendations.
  • Quantify risk by multiplying the ranking of undesired consequences of an event by the likelihood of occurrence. There are variations to this “equation.”
  • Design, when allowed, to minimize or eliminate single‐point failures that have an undesired consequence. Make at least 2‐fault tolerant, that is tolerant of multiple faults or system breakdown that would have adverse safety consequence. (Redundancies in controls, Layers of Protection/Controls)
  • Identify, evaluate, and control hazards throughout the system’s life and during the various operational phases for normal and abnormal environments. (Prevention through Design)
  • After application of controls to mitigate a hazard(s), management must recognize and accept the residual risk. (Acceptable Risk Level)
  • Recognize the quality assurance interface: (1) decreased risk by using materials that are properly specified and possess adequate quality assurance and (2) implement to continually improve the system.
  • Tabulate and disseminate lessons learned and incorporate those lessons for future safety enhancement.
  • Apply system safety to systems to include processes, products, facilities, and services.
  • Recognize that near‐miss (undesired incidents that could cause harm) conditions, if not corrected, most likely develop into accidents (incidents resulting in harm).

In MIL‐STD‐882E, the standard identifies a sequence of risk assessment steps used in system safety displayed in Figure 6.1. These essential steps can be found in other standards referring to the risk assessment process as well.

Risk assessment steps

Conducting a preliminary hazard and risk analysis (PHRA)

A preliminary hazard and risk analysis or PHRA is essential to the preventive and proactive aspect of a safety management system. The primary purpose of preliminary analyses is to identify, describe, and assess significant hazards that might arise from defects and unsafe conditions in the design and operation of a system or subsystem. The process steps for conducting a PHRA are similar to other hazard identification methods and risk assessments. Figure 6.2 provides the process steps for conducting a PHRA.

PHRA process steps

The PHRA process is described in the following steps:

  • Establish Risk Criteria: An organization shall create and obtain broad agreement on risk criteria that are suitable to the hazards and risks with which it deals.
  • Establish the Context: The purpose of establishing the context is to customize the risk management process, enabling effective risk assessment and appropriate risk treatment. The PHRA’s purpose and scope are defined with its objectives and limitations. The scope should include a clear definition of the system to be assessed, including physical boundaries, operating phases, etc.
  • Establish PHRA Team: A team is recommended over a single individual when performing a PHRA. The team should consist of an experienced facilitator to lead the team, a scribe to document the analysis, and several team members with the necessary knowledge and experience in the system and associated hazards.
  • Identify Hazards/Risks: Identify the system’s potential hazards and their targets, including hazardous events or activities. A team approach using brainstorming to identify hazards is recommended. Resources that assist in identifying hazards may include checklists, PHL, similar designs/studies, codes and standards, historical loss data, interviews with system users, and a review of energy sources and their potential release.
  • Consider Causes and Failure Modes: The possible failure modes that could result in hazardous situations shall be considered, including the reasonably foreseeable uses and misuses of facilities, materials, and equipment.
  • Analyse Severity of Consequences: For each identified hazard, the worst‐credible case severity resulting from the hazard is analysed and scored according to the severity risk ratings.
  • Analyse Likelihood: For each identified hazard, the likelihood of the hazard occurring is determined and scored according to the likelihood risk ratings.
  • Estimate Risk: Each identified risk is estimated using the established risk criteria to determine the likelihood of occurrence, severity of consequence, and level of risk.
  • Evaluate Risk: The estimated levels of risk are compared with the established risk criteria to determine the significance of the level and type of risk, and whether the risk is acceptable to the organization. For risks that are categorized as unacceptable, further action is required to reduce risk.
  • Select and Implement Risk Reduction Methods: When the initial risk assessment so indicates, risk avoidance, elimination, reduction, or control methods shall be selected and implemented to achieve an acceptable risk level for each identified hazard.
  • Re‐evaluate Risk: For risks that have been treated with selected risk reduction measures, a re‐evaluation of the resulting risk level is performed. If the treated risk level is still considered unacceptable, actions are taken to further reduce the risk before proceeding with the operation.
  • Monitor, Record, and Report: The PHRA process, risk reduction actions taken, and resulting residual risk levels are recorded, and reported to management and key stakeholders. The risk reduction measures, and risk levels are continually monitored for any changes.

The required inputs are information on the system to be assessed and details of the system’s design as are available and relevant. The outputs include a list of hazards; an estimation of severity of consequences; an estimate of likelihood of occurrence; an estimate of risk level of current state and future state with recommended risk reduction measures; and action to be taken according to risk level. Some of the limitations of a PHA or PHRA are that it provides only preliminary information, is not comprehensive, and does not provide detailed information on risks and how they can best be prevented.
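The PHRA steps above, together with the “severity multiplied by likelihood” tenet from the system safety list, can be shown as a small hazard register. This is an added example, not code from the reading, MIL‐STD‐882 or any of the cited standards: the 1–5 scoring scales, the risk criteria thresholds, the sample hazards and their controls are all constructed for illustration.

```python
"""Added example, not from the reading or MIL-STD-882: a small preliminary
hazard and risk analysis (PHRA) register that walks the process steps above,
from risk criteria through estimation, evaluation, treatment and
re-evaluation, using the 'severity x likelihood' risk equation from the
system safety tenets.  Scoring scales, criteria thresholds and the sample
hazards are all constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Step 1, establish risk criteria: assumed bands on the 1..25 product scale.
RISK_CRITERIA = {"acceptable": 5, "tolerable": 12}   # inclusive upper bounds

SEVERITY = {1: "negligible", 2: "minor", 3: "moderate", 4: "serious", 5: "catastrophic"}
LIKELIHOOD = {1: "improbable", 2: "remote", 3: "occasional", 4: "probable", 5: "frequent"}


def risk_score(severity: int, likelihood: int) -> int:
    """Estimate risk as severity x likelihood on the ordinal scales above."""
    if severity not in SEVERITY or likelihood not in LIKELIHOOD:
        raise ValueError("severity and likelihood must both be scored 1-5")
    return severity * likelihood


def evaluate(score: int) -> str:
    """Compare an estimated risk level with the established criteria."""
    if score <= RISK_CRITERIA["acceptable"]:
        return "acceptable"
    if score <= RISK_CRITERIA["tolerable"]:
        return "tolerable"
    return "unacceptable"


@dataclass
class Hazard:
    hazard: str
    cause: str              # causal factor / failure mode
    target: str             # who or what is exposed
    severity: int           # worst-credible consequence, 1-5
    likelihood: int         # 1-5
    control: Optional[str] = None          # selected risk reduction measure
    treated_severity: Optional[int] = None
    treated_likelihood: Optional[int] = None

    def current_state(self) -> tuple:
        score = risk_score(self.severity, self.likelihood)
        return score, evaluate(score)

    def future_state(self) -> tuple:
        """Re-evaluate with the control applied; unchanged if none is selected."""
        if self.control is None:
            return self.current_state()
        score = risk_score(self.treated_severity, self.treated_likelihood)
        return score, evaluate(score)


def treat(h: Hazard, control: str, severity: int, likelihood: int) -> Hazard:
    """Select a risk reduction method and record the expected residual ratings."""
    h.control, h.treated_severity, h.treated_likelihood = control, severity, likelihood
    return h


def prioritised(hazards):
    """Screening step: highest current-state risk first."""
    return sorted(hazards, key=lambda h: h.current_state()[0], reverse=True)


def still_unacceptable(hazards):
    """Hazards whose residual risk still fails the criteria; operation must not proceed."""
    return [h.hazard for h in hazards if h.future_state()[1] == "unacceptable"]


# Constructed sample register (not real system data).
REGISTER = [
    Hazard("Stored electrical energy released during maintenance",
           "capacitor bank not discharged before access", "maintenance technician", 5, 3),
    Hazard("Forklift impact on storage rack", "ramp slope and speed allow loss of control",
           "warehouse staff, stored goods", 3, 4),
    Hazard("Contact with hot surface", "uninsulated steam line at walkway height",
           "operators", 2, 3),
]
treat(REGISTER[0], "lockout with automatic discharge interlock (prevent energy release)", 5, 1)
treat(REGISTER[1], "reduce ramp slope and speed limit; reinforce racks", 2, 2)

if __name__ == "__main__":
    for h in prioritised(REGISTER):
        print(f"{h.hazard}: current {h.current_state()} -> future {h.future_state()}")
```

Each hazard carries both a “current state” and a “future state” rating, which is the output the reading describes for a PHA; the register is sorted by current score so the screening step separates the obviously low risks from the ones that need countermeasures before the design proceeds.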


Girling, P. X. (2022). Operational risk management: A complete guide for banking and fintech. Wiley.

In this chapter, we investigate reporting tools that empower the operational risk function with the opportunity to contribute to the business decision making at the firm. We consider loss data reporting in some depth and also discuss reporting on the other elements in the framework, including risk and control self-assessment, key risk indicators, and scenario analysis. Examples of fictional data are used to demonstrate how risk analysis can be applied to raw data in order to provide relevant reporting conclusions that can drive business decision making.

Role of reporting

An operational risk framework is designed to identify, assess, monitor, control, and mitigate operational risk. All of the elements of the framework contribute to these goals, but without effective reporting even the best of programs will be ineffective in changing the risk culture of the firm. The place of reporting in the operational risk framework is illustrated in Figure 13.1. The reporting of operational risk is key to the program’s success. There are many ways to ensure that the reporting of each element drives action and to protect against the danger of producing reporting that receives a “so what?” response. Generally, an operational risk department will be looking to report on several things, including:

  • Operational risk event (loss) data for the previous period
  • Remediation action being taken
  • Key risk indicators (KRIs)
  • Results of risk and control self-assessment (RCSA)
  • Results of scenario analysis
  • Capital calculation
  • Whether the operational risk department is on track with its deliverables

Figure 13.1: The role of reporting in the operational risk framework

However, the chief risk officer (CRO), risk committee, or other executive management may have different expectations, and they are more likely to be looking for reporting that addresses:

  • Where is our risk?
  • What action do we need to take?
  • Who is under control?
  • Who is not?
  • Are we meeting our regulatory requirements?

Effective reporting is presented in a way that demonstrates the risk analyst role of the operational risk department. Just as market and credit risk specialists are focused on risk analysis, so too operational risk specialists should be risk analysts. Market risk and credit analysts:

  • Analyse raw data
  • Analyse trends and predictors
  • Follow news articles
  • Present opinions
  • Present capital at risk (value at risk [VaR] and stressed VaR)
  • Recommend action and hedging strategies

In the same way, operational risk managers should take on the same responsibilities for operational risk and should not just be data gatherers but should also:

  • Analyse raw data
  • Analyse trends and predictors (KRIs)
  • Follow news articles
  • Present opinions
  • Present capital at risk
  • Recommend action and mitigating strategies

Operational risk event reporting

Operational risk event (loss) data reporting is often the central reporting activity in an operational risk function. Operational risk event data can be a mine of vital information that can contribute to effective operational risk management and measurement. However, it can also be redundant data if it is not properly presented in a way that can drive decision making. Operational risk event data reporting typically looks something like the fictional example seen in Table 13.1. While these data are somewhat self-explanatory, the method of collection and underlying assumptions might lead to a misinterpretation of the data. Therefore, it is important to ensure that the recipients of the event data reporting understand the background.

Impact of gains on internal event reporting

For example, in Table 13.1 the data may actually contain gains as well as losses. It may be an operational risk event report rather than a losses report. Table 13.1 shows that there were eight events in Investment Banking in December 2020 and that the net value of events was $10,000. However, there is no more detail provided on the nature of those eight events, and there may be significant information that is being masked from view. An example of the underlying data for investment banking is seen in Table 13.2. From the underlying data it is clear that one of the events was a gain of $12,500 and this gain is skewing the net events so that they total $10,000, when in fact operational risk losses totalled $22,500 if gains are excluded. The amount at risk might actually be $35,000—the absolute value of the events, as it was probably only luck that the seventh event was a gain instead of a loss.

Table 13.1 Example Operational Risk Event Data Table

| Business Line | Absolute $ Value of Events (Dec 2020) | # Events (Dec 2020) | Gross $ Value of Events (Dec 2020) | $ Recovery (Dec 2020) | Net $ Value of Events (Dec 2020) | Trend | # Events (12-Month Total) | Gross $ Value of Events (12-Month Total) | Net $ Value of Events (12-Month Total) |
|---|---|---|---|---|---|---|---|---|---|
| Fixed Income | 150,000 | 10 | (65,000) | 5,000 | (60,000) | | 185 | (650,000) | (350,000) |
| Investment Banking | 35,000 | 8 | (10,000) | | (10,000) | | 65 | (435,000) | (400,000) |
| Equities | 250,000 | 65 | (208,000) | 55,000 | (153,000) | | 450 | (8,500,000) | (2,500,000) |
| Asset Management | 120,000 | 28 | (120,000) | 25,000 | (95,000) | | 235 | (11,350,000) | (5,500,000) |
| Private Wealth Management | 70,000 | 35 | (70,000) | | (70,000) | | 625 | (12,560,000) | (2,000,000) |
| Total | 625,000 | 146 | (473,000) | 85,000 | (388,000) | | 1560 | (33,495,000) | (10,750,000) |

Table 13.2 Example Investment Banking Operational Risk Event Detail

Investment Banking Events in $, December 2020

| Event | Absolute | Gross | Recovery | Net | Total Net Loss |
|---|---|---|---|---|---|
| Event 1 | 2,000 | (2,000) | 0 | (2,000) | (2,000) |
| Event 2 | 2,000 | (2,000) | 0 | (2,000) | (2,000) |
| Event 3 | 4,000 | (4,000) | 0 | (4,000) | (4,000) |
| Event 4 | 2,000 | (2,000) | 0 | (2,000) | (2,000) |
| Event 5 | 5,000 | (5,000) | 0 | (5,000) | (5,000) |
| Event 6 | 2,000 | (2,000) | 0 | (2,000) | (2,000) |
| Event 7 | 12,500 | 12,500 | 0 | 12,500 | 0 |
| Event 8 | 5,500 | (5,500) | 0 | (5,500) | (5,500) |
| Total | 35,000 | (10,000) | 0 | (10,000) | (22,500) |

Therefore, it is important to ensure that the recipients of a report such as Table 13.1 are aware of whether gains are being netted against losses. Perhaps this nuance would be lost on the audience. If so, the absolute dollar value of the events might be a better indicator of operational risk and the report might be changed to reflect that.
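The absolute, gross, net and loss-only figures from Tables 13.1 and 13.2 can be derived from the underlying event records, and the same computation can flag a report in which a gain is netting against losses. The following is an added example and not the book’s own code; the sign convention (losses negative, gains positive, recoveries positive) is an assumption made to match the tables, the first sample set reproduces the fictional Table 13.2 events, and the second set is constructed.

```python
"""Added example, not the book's own code: aggregating operational risk event
records into the columns used in Tables 13.1 and 13.2, and checking whether
gains netted against losses are masking the loss total.  Sign convention
(assumed to match the tables): a loss is a negative gross amount, a gain is
positive, and a recovery is a positive amount that offsets a loss.  The first
sample set reproduces the fictional Table 13.2 events; the second is
constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    event_id: str
    gross: int       # negative for a loss, positive for a gain
    recovery: int    # amount recovered against a loss, never negative


def summarise(events):
    """Return the report columns for a set of events (one business line, one period)."""
    gross = sum(e.gross for e in events)
    recovery = sum(e.recovery for e in events)
    gross_losses = sum(e.gross for e in events if e.gross < 0)
    gains = sum(e.gross for e in events if e.gross > 0)
    return {
        "count": len(events),
        "absolute": sum(abs(e.gross) for e in events),   # amount that was actually at risk
        "gross": gross,                                  # gains netted in, as in Table 13.1
        "recovery": recovery,
        "net": gross + recovery,                         # what Table 13.1 reports as Net
        "net_loss": sum(e.gross + e.recovery for e in events if e.gross < 0),  # gains excluded
        "gains": gains,
        # share of gross losses clawed back: the "recovery rate" the later analysis relies on
        "recovery_rate": (recovery / -gross_losses) if gross_losses else 0.0,
    }


def gains_mask_losses(summary):
    """True when the net figure is less severe than the loss-only figure, i.e. a gain hides losses."""
    return summary["net"] > summary["net_loss"]


# Fictional Table 13.2 events (Investment Banking, December 2020) as given in the reading.
TABLE_13_2 = [
    Event("Event 1", -2_000, 0), Event("Event 2", -2_000, 0), Event("Event 3", -4_000, 0),
    Event("Event 4", -2_000, 0), Event("Event 5", -5_000, 0), Event("Event 6", -2_000, 0),
    Event("Event 7", 12_500, 0), Event("Event 8", -5_500, 0),
]

# Constructed set with recoveries, to exercise the recovery-rate column.
WITH_RECOVERIES = [
    Event("A", -10_000, 4_000), Event("B", -5_000, 5_000), Event("C", 3_000, 0),
]

if __name__ == "__main__":
    s = summarise(TABLE_13_2)
    print(s, "gains masking losses:", gains_mask_losses(s))
```

Run on the Table 13.2 events, the summary reproduces the table totals (absolute 35,000, net (10,000), loss-only (22,500)) and the masking check is true, which is exactly the condition under which the reading suggests reporting the absolute value instead of, or alongside, the net figure.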

Trends in internal loss

Trending loss amount vs. number of events

The fictional operational risk data Table 13.1 includes a trend column. This trend needs more explanation in order to be informative. The presenter of the report will need to clarify whether the trend relates to month-on-month changes, changes relative to the average over the past year, or some other benchmark. The trend could also relate to any of the previous columns, and so clarification is needed as to whether it relates to the number of events or to the dollar amount of the absolute, gross, or net amount. Trends can be helpful, as they can indicate a changing risk environment that may require action.

Trends of loss size against number of events might provide insight into improving or worsening control environments. An example of using trends to compare events and net losses is provided in Figure 13.2. It can also be helpful to compare trends in business lines and in risk categories to see where the risks are elevated. This information is particularly helpful when considering entering into a new business. Trends and history from similar business lines can be used to help with the assessment of the likely operational risk exposures that may arise in this new business line.

Risk analysis of Table 13.1

There may be a story behind the raw numbers that is not apparent without explanation and analysis from the operational risk department. Looking again at the fictional operational risk event in Table 13.1, it is clear that there is a large difference between the total gross amount of losses ($33,495,000) and the total net amount ($10,750,000) of losses for the past 12 months. This difference begs for analysis and explanation and suggests that this firm is very good at recovering amounts lost in operational risk events. Recoveries are usually achieved through expert employees who intervene and recover some, or all, of the initial loss amount. Recoveries are more often driven by people than by automated systems, suggesting that the excellent recovery rate reflected in this data is dependent on experienced personnel. This analysis takes on significance if the firm is currently downsizing or has experienced a significant structural change in its staffing model, such as all of the employees working remotely due to a global pandemic.

An operational risk manager could use this loss data to alert senior management that they might experience an increase in net losses due to weaker recovery rates as a result of the current downsizing or remote working strategy of the firm. The recovery rate might also be used to drive a discussion about what efforts could be made to further improve the recovery rates and what the cost benefit might be of such initiatives. This type of analysis, linking operational risk data to the business activities and strategies of the firm, demonstrates the relevance and importance of the operational risk function and properly provides increased transparency into operational risk exposures.

Internal losses by risk category

The same operational risk event data can also be presented by risk category rather than by business line, as follows. The fictional data in Table 13.1 provides a view into how each business is doing compared to the other business lines. There may be opportunities for more analysis if the data are cut differently, by risk category, as in Table 13.3.

Risk analysis of Table 13.3

Several stories can be told from this cut of the data. It is clear that most of the events occur in the Execution, Delivery, and Process Management category as it has experienced 1,100 events over the past 12 months—significantly higher than any other category. However, the highest loss amounts occur in the Clients, Products, and Business Practices category, which has the lion’s share of the dollar value of the losses at $18.5 million over the past year. This suggests that the latter are more prone to fat-tail events. The firm will want to confirm whether this pattern of losses is to be expected, and it can be helpful to compare risk category data to external benchmarks. The data can be compared to benchmarks from sources such as the ORX consortium data discussed in Chapter 8. Further analysis of these data shows that this firm has a good experience with recoveries from fraud events. They have experienced 32 internal events and two external events, but the net losses are small compared to the gross losses, indicating that there have been successful recoveries in these cases.

Timeliness

A report that tracks the timeliness of reporting of internal loss data events can be a powerful tool in driving culture change within a firm. Transparent reporting of loss reporting behavior can be very effective in inspiring better behavior and can drive reporting times down. If loss data is reported late, it not only exposes the firm to unmitigated risks, but it may also impact the capital calculation if the firm has an AMA or Standardized Approach that uses loss data as a direct input into the model. Timeliness can be tracked in several ways:

  • Time from occurrence to identification
  • Time from identification to entry in the loss database
  • Time from entry to sign-off

It should be noted that legal losses often have a long time lag between occurrence and identification, and this needs to be handled thoughtfully when tracking timeliness of loss data. Any combination of the above criteria can be used to drive better reporting behavior. Timeliness can often be adversely impacted due to the slow response of another department, and this can also be reflected in reporting statistics. For example, the front office areas might complain that the finance department is very slow to complete their portion of the data when accounting issues are involved. Tracking the timeliness of all events that impact the finance department can be made transparent and encourage more efficiencies in the finance area.
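The three timeliness intervals listed above can be computed per event and summarised per business line, with legal losses kept apart so that their long occurrence-to-identification lag does not distort the other lines. This is an added example, not the book’s code; the event ids, dates, business lines and the 30-day “late entry” threshold are constructed for illustration.

```python
"""Added example, not from the book: tracking the three timeliness intervals
the reading lists for internal loss events, grouped by business line, with
legal losses (long occurrence-to-identification lag) tracked separately.
Event ids, dates, business lines and the 30-day late-entry threshold are
constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

LATE_ENTRY_DAYS = 30   # assumed policy: identification-to-entry above this counts as late
LEGAL_GROUP = "legal (tracked separately)"


@dataclass(frozen=True)
class LossEvent:
    event_id: str
    business_line: str
    occurred: date
    identified: date
    entered: date                      # entry into the loss database
    signed_off: Optional[date] = None  # None while still awaiting sign-off
    legal: bool = False


def intervals(e: LossEvent) -> dict:
    """Days spent in each stage; the sign-off stage is None until sign-off happens."""
    return {
        "occurrence_to_identification": (e.identified - e.occurred).days,
        "identification_to_entry": (e.entered - e.identified).days,
        "entry_to_signoff": (e.signed_off - e.entered).days if e.signed_off else None,
    }


def timeliness_report(events):
    """Median days per stage, open items and late entries, per business line (legal apart)."""
    groups = {}
    for e in events:
        key = LEGAL_GROUP if e.legal else e.business_line
        groups.setdefault(key, []).append(e)
    report = {}
    for key, evs in groups.items():
        per_stage = {stage: [] for stage in intervals(evs[0])}
        for e in evs:
            for stage, days in intervals(e).items():
                if days is not None:
                    per_stage[stage].append(days)
        report[key] = {
            "events": len(evs),
            "median_days": {stage: (median(v) if v else None) for stage, v in per_stage.items()},
            "awaiting_signoff": [e.event_id for e in evs if e.signed_off is None],
            "late_entries": [e.event_id for e in evs
                             if intervals(e)["identification_to_entry"] > LATE_ENTRY_DAYS],
        }
    return report


# Constructed sample events (fictional).
SAMPLE_EVENTS = [
    LossEvent("E1", "Fixed Income", date(2020, 12, 1), date(2020, 12, 2),
              date(2020, 12, 4), date(2020, 12, 10)),
    LossEvent("E2", "Fixed Income", date(2020, 12, 3), date(2020, 12, 5),
              date(2021, 1, 20)),                       # entered 46 days after identification
    LossEvent("E3", "Equities", date(2020, 12, 10), date(2020, 12, 10),
              date(2020, 12, 11), date(2020, 12, 12)),
    LossEvent("E4", "Equities", date(2019, 3, 1), date(2020, 12, 15),
              date(2020, 12, 20), date(2020, 12, 28), legal=True),
]

if __name__ == "__main__":
    for line, stats in timeliness_report(SAMPLE_EVENTS).items():
        print(line, stats)
```

Publishing the per-line medians and the named late entries is the transparent reporting the passage describes; the same grouping key can be swapped for the department that owns each stage (for example the finance sign-off step) when the aim is to show where the delay actually sits.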

Table 13.3 Example Operational Risk Event Data Cut by Risk Category

| Risk Category | Absolute $ Value of Events (Dec 2020) | # Events (Dec 2020) | Gross $ Value of Events (Dec 2020) | $ Recovery (Dec 2020) | Net $ Value of Events (Dec 2020) | Trend | # Events (12-Month Total) | Gross $ Value of Events (12-Month Total) | Net $ Value of Events (12-Month Total) |
|---|---|---|---|---|---|---|---|---|---|
| Business Disruption and System Failure | 5,000 | 8 | (5,000) | 5,000 | 0 | | 45 | (650,000) | (150,000) |
| Clients, Products, and Business Practices | 265,000 | 28 | (158,000) | 0 | (158,000) | | 88 | (18,500,000) | (7,450,000) |
| Execution, Delivery, and Process Management | 190,000 | 97 | (145,000) | 80,000 | (65,000) | | 1,100 | (6,540,000) | (2,400,000) |
| Damage to Physical Assets | 20,000 | 10 | (20,000) | 0 | (20,000) | | 235 | (1,200,000) | (200,000) |
| Employment Practices and Workplace Safety | 120,000 | 2 | (120,000) | 0 | (120,000) | | 56 | (3,450,000) | (500,000) |
| Internal Fraud | 25,000 | 1 | (25,000) | 0 | (25,000) | | 32 | (2,655,000) | (50,000) |
| External Fraud | 0 | 0 | 0 | 0 | 0 | | 4 | (500,000) | 0 |
| Total | 625,000 | 146 | (473,000) | 85,000 | (388,000) | | 1560 | (33,455,000) | (10,750,000) |

Operational risk reporting often includes a summary and analysis of relevant external events over the past reporting period. These should be reviewed for relevance and lessons learned. It is always more popular to discuss bad things that have happened to competitors than it is to talk about bad things that have happened at the firm. Significant external events offer an opportunity to consider “could it happen here?” Senior management are often very engaged in such discussions, and this can lead to proactive operational risk mitigation activities that can be led by the operational risk function or kicked off and tracked by that function. Any emerging trends, such as an increase in regulatory fines in a particular area, should be compared to the firm’s internal experience and current risk and control environment. For example, if external data indicate that there has been an increase in the levying of regulatory fines for breaches in the Foreign Corrupt Practices Act (FCPA), then the operational risk manager might propose a review of the firm’s current FCPA training and awareness to ensure that these controls are functioning at peak levels of effectiveness. If the firm is a member of a consortium of loss data, then the internal loss results should be compared to the benchmarking results that the consortium makes available. Comparisons between external and internal data should always be treated with caution, as there may be significant differences in the business models, products, and control environments that could lead to incorrect conclusions. However, as discussed earlier, external data can provide helpful awareness of risks that may not yet have occurred at the firm but that should be seriously addressed.

Risk and control self-assessment reporting

The output from RCSAs is generally reported in detail to the participating department and in summary or thematic form to senior management. While the full RCSA output demonstrates that analysis and recommendations are based on strong underlying data, the details themselves are rarely of interest to the risk committee or CRO. Instead, the operational risk department can analyse the RCSA output and identify areas that require escalation and raise themes that are best addressed on a firm-wide basis. For example, if multiple departments have identified through RCSAs that their employee training is weak, then a firm-wide training and development initiative might be a more appropriate response than many individual training programs. The operational risk department might also have noticed underlying themes during their facilitation of the RCSA exercise, such as a lack of awareness of appropriate fraud controls. This might give rise to a firm-wide initiative to raise awareness of appropriate fraud risk mitigation activities. RCSA thematic data might also be enhanced by regular monitoring of triggers that have been identified as requiring a reassessment of all or part of an RCSA. A large internal or external event might result in a recommendation by the operational risk department that the firm, or one division of the firm, revalidate the risk and control scores for that particular risk. For example, a sudden increase in fines for FCPA breaches might result in the next operational risk report to senior management including a request to reassess all corruption and bribery risks in the firm.

A consolidated view

All of this operational risk data can be brought together into one view, to provide a snapshot of the current overall risk profile for each department. Just one example of how this might be done is shown in Table 13.5. If this report is for the CRO, risk committee, or board, then the overall risk rating should be the independent view of the corporate operational risk function, acting in its role as a second line of defense.

Dashboards

Some firms bring together all of their reporting into one view so that the total risk exposure for each department can be clearly seen and compared. There are many sophisticated software solutions for this type of reporting. Some have drill-down capabilities so that an area of interest can be clicked on in order to see the underlying data.
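The thematic analysis of RCSA output and the per-department consolidated view described in the two sections above can be illustrated with a small worked example. This is an added example, not code from the Readings or from any firm's reporting tool; the departments, control names, rating scale (1 = strong, 5 = weak) and the threshold of three departments for a firm-wide theme are all constructed assumptions.

```python
"""Added example (not from the Readings): turning raw RCSA output into
firm-wide themes, a per-department snapshot and reassessment triggers.
All departments, controls, ratings and thresholds below are constructed."""
from collections import defaultdict

# Constructed RCSA output: (department, risk category, control, rating).
# Rating scale assumed for this example: 1 = strong control, 5 = weak control.
RCSA = [
    ("Trading",    "Employment Practices", "Employee training",   4),
    ("Trading",    "Internal Fraud",       "Dual authorisation",  2),
    ("Operations", "Employment Practices", "Employee training",   5),
    ("Operations", "Internal Fraud",       "Fraud awareness",     4),
    ("Finance",    "Employment Practices", "Employee training",   4),
    ("Finance",    "External Fraud",       "Vendor verification", 2),
    ("IT",         "Internal Fraud",       "Fraud awareness",     5),
    ("IT",         "Employment Practices", "Employee training",   2),
]

WEAK = 4  # a rating at or above this is treated as a weak control (assumption)


def firm_wide_themes(rcsa, min_departments=3, weak=WEAK):
    """Controls rated weak in at least `min_departments` departments.

    These are the candidates for a single firm-wide initiative (e.g. one
    training programme) rather than many separate departmental fixes."""
    depts_by_control = defaultdict(set)
    for dept, _category, control, rating in rcsa:
        if rating >= weak:
            depts_by_control[control].add(dept)
    return {control: sorted(depts)
            for control, depts in depts_by_control.items()
            if len(depts) >= min_departments}


def department_snapshot(rcsa, weak=WEAK):
    """One row per department: controls assessed, controls weak, worst rating.

    This is the kind of summary row a consolidated view or dashboard shows;
    the detailed records behind it stay available for drill-down."""
    snapshot = {}
    for dept, _category, _control, rating in rcsa:
        row = snapshot.setdefault(dept, {"assessed": 0, "weak": 0, "worst": 0})
        row["assessed"] += 1
        row["weak"] += int(rating >= weak)
        row["worst"] = max(row["worst"], rating)
    return snapshot


def reassessment_requests(rcsa, event_category):
    """Departments whose RCSA scores for `event_category` should be revalidated
    after a significant internal or external event in that category."""
    return sorted({dept for dept, category, _c, _r in rcsa
                   if category == event_category})


if __name__ == "__main__":
    print("Firm-wide themes:", firm_wide_themes(RCSA))
    for dept, row in department_snapshot(RCSA).items():
        print(f"{dept:<11} assessed={row['assessed']} weak={row['weak']} worst={row['worst']}")
    # Example trigger: a spike in external internal-fraud losses.
    print("Reassess Internal Fraud in:", reassessment_requests(RCSA, "Internal Fraud"))
```

With the constructed data, "Employee training" is weak in three departments and is escalated as a firm-wide theme, while "Fraud awareness" is weak in only two and stays a departmental matter; the reassessment trigger lists every department that scored the affected risk category, regardless of how well it rated its controls, because the point of the trigger is to revalidate the scores rather than to trust them.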


Wolke, T. (2017). Risk management. Springer International Publishing.

The results of risk analysis lead to the question of which measures to undertake in the context of corporate management in order to control the measured and analysed risks. The possible control instruments are so numerous and complex that they must first be narrowed down. Discussion of instruments that are reserved for certain businesses on legal and industry specific grounds (in particular, banks) will be omitted. Rather, the fundamental functioning of general control instruments within risk strategies that can be applied to nearly every business will be discussed.

Risk control through risk strategies

The image above shows a possible breakdown of the various risk strategies and the associated control instruments. The “no holds barred” risk strategy (full risk-taking) is not listed here, since in this case, strictly speaking, there is no risk control and therefore it also follows that no control instruments can be assigned. The business consciously opts to take full risk in order to remain open to all the associated profit possibilities. In the following, the strategies and associated instruments are discussed and their effects on the Return on Risk adjusted Capital (RoRaC) are explained.

Risk provision

Risk provision means planning for future risks with a view to the present and future required risk bearing capacity. Under “Risk analysis”, the crucial economic figure for the risk bearing capacity of a company was already presented, namely equity capital. An increase in the equity capital means an increase in the risk bearing capacity, either to respond to new risks (for example, in the context of a planned investment) or to provide better cover against risks already deliberately taken.

Along with the equity capital showing on the balance sheet, provisions and hidden reserves also represent a buffer for risk bearing capacity. To what extent hidden reserves and provisions are suitable for covering incurred risks is worth assessing critically against the background of the financial crisis. Risk tolerance and with it risk provision can be increased through the following procedures:

  • Increasing the equity capital on the capital market or by the partners (shareholders)
  • Putting profits in retained earnings or other reserves
  • Building hidden reserves through excessive depreciation and/or increased liability estimates

These various risk provision possibilities are nonetheless to be judged differently according to their significance as risk buffers. An equity capital increase whose purpose is merely to provide capital to better cover existing risks is not accepted by capital markets (especially in times of financial crisis); rather, equity capital increases are usually linked to long-term investments in the business performance area. The operating income (that is, not capital gains) should be available to cover the assessable business risk potential. This is only the case when the profit is not paid out but rather put into the profit reserves. In times of crisis, when as a rule no profit is realised, the profit reserves are not available for risk provision.

The establishment of provisions is usually bound up with a concrete existing risk (tax payments, guarantee claims etc.) and is thus not available as a general risk buffer. Hidden reserves are also only conditionally suitable as risk provisioning, since they are not explicitly valued and thus their size can only be known, and they can only be made available, through realisation. Hidden reserves are therefore also unsuitable for times of crisis. Risk provision through increasing the risk bearing capacity has no direct effect on the RoRaC of a risk position: the amount of the equity capital has no influence on the risk or the expected profit of a risk position. In the RoRaC calculation, the amount of the risk position enters into the risk-free equity capital interest rate. Thus there is only an indirect connection between the equity capital and the risk-free equity capital interest rate as a part of the profit. Increasing the equity capital does, however, directly affect the risk analysis in the comparison of VaR with equity capital.

A further possibility of risk provision consists in the acceptance of collateral. Collateral plays an especially important role in managing credit risk. Although management of credit risk through collateral represents a core competence of credit institutions, this form of risk provision is also relevant for many non-banks. Here collateral plays an important role in particular in the form of trust receipts, retention of title (ownership reservations) and guarantees in connection with the granting of loans to customers (e.g. to encourage a sale). The acceptance of collateral affects the creditor’s RoRaC in two ways. First, the creditor’s default risk falls by the amount of the additional collateral, so that its RoRaC, all other things being equal, rises. On the other hand, the debtor will demand a more favourable interest rate in return for the additional collateral. A lower interest rate would diminish the profit and thus the RoRaC of the creditor. How the creditor’s RoRaC changes overall then depends on the bargaining positions of creditor and debtor. The RoRaC would, for example, rise when the creditor’s default risk falls more sharply than its profit does through a possible lowering of the interest rate. Risk provision is tightly bound up with risk limitation, since with risk provision the risk buffer in the form of equity capital is increased and thus the business’s total VaR decreases in proportion to the risk buffer. If, however, an increase in the equity capital as discussed above is not possible or reasonable, then the proportion of the VaR to the equity capital can only be reduced if the VaR itself is reduced, e.g. through risk limitation.
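The two effects described in this section, an equity increase that changes the VaR-to-equity comparison but not the RoRaC, and collateral whose net effect on the RoRaC depends on how much interest the debtor negotiates away, can be made concrete with a small calculation. This is an added example and not Wolke's own formulas: it assumes a simplified VaR equal to the loss the creditor would bear if the debtor defaulted on the uncollateralised part of the exposure, and a simplified RoRaC of expected profit divided by that VaR. The loan figures, default probability and interest rates are constructed.

```python
"""Added example (not from Wolke): effect of risk provision measures on a
simplified RoRaC and on the VaR-to-equity comparison.
Assumptions: VaR = unsecured exposure * loss given default (the loss if the
debtor defaults); expected profit = interest income - expected loss;
RoRaC = expected profit / VaR. All figures are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskPosition:
    exposure: float       # amount lent to the customer (constructed)
    pd: float             # probability of default within the period (assumed)
    lgd: float            # share of the unsecured exposure lost on default (assumed)
    interest_rate: float  # interest rate charged to the debtor

    def unsecured(self, collateral=0.0):
        """Exposure not covered by collateral; collateral beyond the exposure is idle."""
        return max(self.exposure - collateral, 0.0)


def value_at_risk(pos, collateral=0.0):
    """Simplified VaR: loss borne by the creditor if the debtor defaults."""
    return pos.unsecured(collateral) * pos.lgd


def expected_profit(pos, collateral=0.0, rate=None):
    """Interest income less the expected loss on the unsecured part.
    `rate` lets the debtor's renegotiated interest rate be plugged in."""
    rate = pos.interest_rate if rate is None else rate
    expected_loss = pos.unsecured(collateral) * pos.pd * pos.lgd
    return pos.exposure * rate - expected_loss


def rorac(pos, collateral=0.0, rate=None):
    """Return on risk adjusted capital under the simplification above."""
    var = value_at_risk(pos, collateral)
    if var == 0:
        raise ValueError("fully collateralised position: no risk capital to relate profit to")
    return expected_profit(pos, collateral, rate) / var


def buffer_utilisation(var, equity):
    """Share of the risk buffer (equity capital) consumed by the VaR.
    A value above 1 means the risk bearing capacity is exceeded."""
    if equity <= 0:
        raise ValueError("equity capital must be positive")
    return var / equity


if __name__ == "__main__":
    loan = RiskPosition(exposure=1_000.0, pd=0.02, lgd=0.5, interest_rate=0.06)
    var = value_at_risk(loan)
    # 1. Raising equity: the buffer grows, the RoRaC of the position does not move.
    for equity in (800.0, 1_200.0):
        print(f"equity={equity:>7.0f}  VaR/equity={buffer_utilisation(var, equity):.3f}"
              f"  RoRaC={rorac(loan):.3f}")
    # 2. Accepting collateral: default risk falls, but so may the interest rate.
    for rate in (0.06, 0.04, 0.03):
        print(f"collateral=400 rate={rate:.2f}  RoRaC={rorac(loan, collateral=400.0, rate=rate):.3f}")
```

With the constructed figures the uncollateralised loan has a VaR of 500 and a RoRaC of 0.10. Taking 400 of collateral at the unchanged rate lifts the RoRaC to 0.18; if the debtor negotiates the rate down to 4 per cent it still rises (to about 0.113), but at 3 per cent it falls to 0.08, which is the bargaining-position dependence the text describes. Raising equity from 800 to 1,200 lowers the VaR-to-equity ratio from 0.625 to about 0.417 while leaving the position's RoRaC untouched.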


Webster, M. R., & Pullan, P. (2022). Making risk management work: Engaging people to identify, own and manage risk. Taylor and Francis Group. DOI: 10.4324/9781003245858-8

This chapter deals with the practical problems and challenges that people face when making risk management work: pitfalls that the reader of this book will be able to prepare for and avoid. Every pitfall described in this chapter has come from a real, current risk practitioner – someone who has shared with us their concerns and frustrations about making risk management work. Some of the pitfalls are at the heart of risk management, such as people confusing risks with issues. Others are more subtle. We include them all because this chapter is designed to provide immediate help to people who are facilitating risk management.

The chapter is structured into three broad categories:

  • Pitfalls when applying the risk management process
  • Pitfalls when facilitating
  • Pitfalls when trying to create a culture where risk management works well.

Each pitfall is stated in bold italics, followed by our response on how best to tackle it. Often, there is more detail elsewhere in the book, but this chapter is meant to give quick, practical advice that the risk facilitator can apply immediately. We suggest that, rather than reading this chapter in detail, you flick through the pitfalls listed below to find those of most relevance to you.

Pitfalls when applying the risk management process

In this section you’ll find a range of pitfalls related to the process of risk management, along with tips to help you avoid them in the future.

We have no risk process

It will be important to agree with the management team how the process will be governed, and the roles people will play. Getting as much buy-in to the risk process at the start is vital.

People think that if we’ve got a risk register – however partial – we are doing risk management

It’s important to have a risk register, so you have a start, even if your register has metaphorical cobwebs or is incomplete. The key thing is to improve the content of the risk register and the value that it brings. You could rejuvenate the risk register in a number of ways, beginning with making sure information from all the steps in the risk management process are included. For example, you could validate the risks on the register with risk owners, refreshing or deleting them as necessary.

Alternatively, you could begin the process anew and tidy the existing risk register as part of a wider risk identification exercise. The key thing is to facilitate some change so that people can start to see the benefits quickly.

The people I work with don’t understand the process

As a risk facilitator, one of your most important roles is to make sure that everyone has a clear understanding of the steps in the risk process and the chance to ask questions if they want to. Often people are confused about what risk management involves, and it is important to make sure that questions and misunderstandings are cleared up. Often people will understand the risk management process much better if you explain clearly which part you are focusing on at a particular time. There are different questions to be answered at each step and different skills involved in doing each step.

My manager seems to think that a complex process will fix our current problems

It won’t. ‘Garbage in, garbage out’ applies just as much to risk management as to computer systems! The process itself is simple in principle – there’s no need to make it more complicated. The difficult part of risk management is engaging the people. That is why facilitation is increasingly recognised as being so crucial.

People don’t understand what risk is, or have unclear or even conflicting definitions of risk

Risks are uncertainties that matter. If something is a fact, it’s not uncertain, so it can’t be a risk – although it may be the cause of one or more risks. If something is uncertain, but doesn’t directly affect the objectives, then it’s not a risk to that work – it doesn’t matter. It’s a good idea to run people through the key concepts around risk before running a risk workshop or starting the risk management process.

People confuse issues with risks

Issues are known situations that need to be managed. They are not uncertain future events. Issues need to be dealt with, but not by the risk process. Although some people argue that they can effectively manage a process that deals with issue resolution and risk management together, our experience is that this does not work well for either issues or risks. There are links, of course. Issues can be causes of risks, and unmanaged risks can become issues. We strongly advise you to keep separate logs and have separate discussions of issues and risks in meetings. Otherwise risks (things that might happen) will always take second priority to issues (things actually happening) because they’re more urgent, although not necessarily more important.

When I work with people, they come up with ‘risks’. Often these are not risk events, but the cause or even the effect of a risk. What can I do about this frequent muddle?

It’s important to make sure that people understand what a risk event is and how it differs from the cause and the effect. If you don’t, then it’s almost impossible to prioritise risks and make good decisions about where to focus your time. It can also be really difficult for other people to understand the risk descriptions. Using the three-part risk description set out in Chapter 2 works really well. It helps people tease out causes from risk events and events from effects, and it brings clarity to the whole process. Challenge and question people to make sure that your risk register contains risk events, rather than the background cause or the subsequent effect. Reframe statements that people have made and ask them if this is what they really meant – they are usually grateful for the clarity.

We tend to be too woolly with risks – we’re not specific enough; this makes them hard to quantify or explain

Make sure that you’ve been clear about the big picture and risk categories before moving into the detailed work of identifying risks. Encourage people to be as specific as possible about what might happen and why when they are identifying risks. As risk facilitator, you need to challenge people to provide more detail if required. You may need to help people articulate what the event that may occur actually is, why it may occur, and how that would affect the objectives. Try using everyday language, for example: ‘What are the things you are worried about?’ or ‘What are the things that could go better than planned without you doing anything about them?’ Then tease out the cause – ‘Why might that occur?’ Next, tease out the effect – ‘What would happen if your worry/hope came true?’ Our experience is that people become skilled at this really quickly if you can help them frame their perspective on the risk in question.

All the risks we identify are obvious – so it seems that no added value is gained by going through the process

It is a common problem for people to focus mainly on what we’d call ‘business-as-usual risks’, that is, those things that experience tells you will always be risky in the type of work you do. The normal variability you’d expect in your work, for example based on availability of resources, should be dealt with as part of normal business planning. Risk management is about identifying and managing the ‘unusual’ risks. As a facilitator, you need to keep the group focused on what’s special about the situation in question.

People focus on potential threats and tend to leave out potential opportunities

Always start with opportunities. It is very difficult to move into a positive mindset after dealing with threats. If your current process ignores positive opportunities, think about how you can include them. There may not be the same number of good things that might occur as bad ones, but you’ll be missing a trick if you don’t try. Good things might happen!

Describing opportunities is really difficult – sometimes they end up just as responses to threats

One of the biggest mistakes people make when starting to work with positive risk is to describe opportunities as binary choices – we could do x, or not. There is no chance of occurrence associated with such a statement – the outcome is in your control: you are either going to do it, or not. The objective in risk management is to focus on potential opportunities. These are events that might happen anyway, without any intervention. They are important because they may warrant management effort to make them more likely or to have greater impact. Risk management best practice says that we should, at least, be ready to seize potential opportunities if they occur because they are rare.

No one takes ownership of risk

First of all, see if your senior leaders are taking overall ownership of risk management. If leaders are not ‘walking the talk’, then it can be really difficult to get others to follow. As a facilitator, you can help to coach senior leaders about their role. More practically, you need to make sure that owners are allocated at the risk identification stage. You can also set up follow-up mechanisms for risk owners that make best use of their time. It’s really important not to take on the risk ownership role yourself. Stay vegetarian. You can still offer positive support to the risk owners without inappropriately taking on their role yourself. Note: the exception to this is if you are performing a dual role as risk facilitator and a member of the management team for the work. In this situation you may well be a risk owner for some risks, in addition to being the facilitator for others.

Probability is hard to calculate

Not just hard – impossible in many situations. Unless you have comprehensive historical data that is directly relevant to the risk (which is rare), then all you can do is guess how likely it is that the risk will occur. Start with whether the group judges the risk to be more or less likely than not to occur, then decide how much more than 50 per cent or how much less than 50 per cent feels right. Most companies have standard probability scales that force the assessment of probability into a small number of ranges, for example, very high probability is greater than 70 per cent chance. Risk management standards judge this to be best practice.

We are poor at prioritisation and get bogged down at this point

People most commonly prioritise risks by using a combination of probability (what’s the chance this risk event will happen) and impact (how much it matters if it does). Whereas risk management standards advise using company-standard probability scales, as mentioned above, they state that work-specific impact scales should be created. Our advice on how to do this is as follows:

  • Think about what objectives matter most to your work
  • Define what would be a catastrophic impact on each objective, for example, what time delay would be a ‘showstopper’
  • Define what impact would be insignificant, for example, the amount of money that it is not worth proactively trying to save
  • Define impact scales (three, four, or five categories) that represent the specific impact on objectives that would really matter to your work
  • If you invest time in doing this, that is, defining how you will prioritise before you start, it will save you hours of frustration later.
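The probability and impact scales described in the two pitfalls above, together with the earlier advice that a certainty is an issue rather than a risk and that a register should hold three-part risk descriptions (cause, event, effect), can be turned into a small register scorer. This is an added example, not the authors' own method or tool: the only band taken from the text is "very high" being greater than 70 per cent, while the remaining probability bands, the schedule and cost impact thresholds, the focus threshold and the register entries are constructed for a hypothetical project.

```python
"""Added example (not from Webster & Pullan): prioritising a small risk register
with a company-standard probability scale and work-specific impact scales.
Only the "very high = greater than 70 per cent" band comes from the text;
all other bands, thresholds and register entries are constructed."""
from dataclasses import dataclass, field

# Company-standard probability scale, highest band first: (exclusive lower bound, score, label).
PROBABILITY_BANDS = [
    (0.70, 5, "very high"),   # greater than 70 per cent, as in the text
    (0.50, 4, "high"),        # assumed
    (0.30, 3, "medium"),      # assumed
    (0.10, 2, "low"),         # assumed
    (0.00, 1, "very low"),    # assumed
]

# Work-specific impact scales, worst band first: (inclusive threshold, score, label).
# The top band is what this constructed project called a showstopper, the bottom
# band the size of effect it is not worth proactively trying to avoid or save.
IMPACT_SCALES = {
    "schedule_days": [(30, 4, "showstopper"), (10, 3, "major"), (3, 2, "moderate"), (0, 1, "insignificant")],
    "cost_gbp":      [(100_000, 4, "showstopper"), (25_000, 3, "major"), (5_000, 2, "moderate"), (0, 1, "insignificant")],
}


@dataclass
class Risk:
    cause: str                # the fact or situation that gives rise to the uncertainty
    event: str                # the uncertain thing that might happen
    effect: str               # what it would do to the objectives
    kind: str                 # "threat" or "opportunity"
    probability: float        # the group's judgement, 0 < p < 1
    impacts: dict = field(default_factory=dict)  # objective -> magnitude (absolute size)
    owner: str = "UNASSIGNED"  # allocated at identification; flagged if left empty


def probability_score(p):
    """Map a judged probability onto the company-standard bands.
    A certainty (p == 1) is an issue, not a risk, and p == 0 cannot happen, so both are rejected."""
    if not 0.0 < p < 1.0:
        raise ValueError("probability must be strictly between 0 and 1: a certainty is an issue")
    for lower, score, _label in PROBABILITY_BANDS:
        if p > lower:
            return score
    return 1


def impact_score(objective, magnitude):
    """Map the size of an effect on one objective onto that objective's work-specific scale."""
    if magnitude < 0:
        raise ValueError("record the size of the effect; the sign is carried by the risk kind")
    for threshold, score, _label in IMPACT_SCALES[objective]:
        if magnitude >= threshold:
            return score
    return 1


def priority(risk):
    """Probability score times the worst impact score across the objectives affected."""
    worst = max(impact_score(obj, size) for obj, size in risk.impacts.items())
    return probability_score(risk.probability) * worst


def triage(register, focus_threshold=12):
    """Split the register into risks to focus on now and a watch list.

    The watch list is not discarded: the text's advice is to revisit lower
    priority risks, since probability and impact are only a snapshot in time."""
    ranked = sorted(register, key=lambda r: -priority(r))
    focus = [r for r in ranked if priority(r) >= focus_threshold]
    watch = [r for r in ranked if priority(r) < focus_threshold]
    return focus, watch


# Constructed register for a hypothetical system migration project.
REGISTER = [
    Risk("Single-source hardware supplier", "Key supplier becomes insolvent",
         "Replacement kit sourced at a premium and late", "threat", 0.15,
         {"schedule_days": 20, "cost_gbp": 30_000}, owner="Procurement lead"),
    Risk("Migration window fixed by regulator", "Data centre migration slips past the window",
         "Go-live deferred a full quarter", "threat", 0.60,
         {"schedule_days": 35}, owner="Programme manager"),
    Risk("Similar harness built by another team", "Existing test harness proves reusable",
         "Test build effort avoided", "opportunity", 0.40,
         {"cost_gbp": 8_000}, owner="Test manager"),
    Risk("New reporting rules take effect mid-project", "Regulator levies a fine for late reporting",
         "Unbudgeted penalty", "threat", 0.05,
         {"cost_gbp": 150_000}),
]

if __name__ == "__main__":
    focus, watch = triage(REGISTER)
    for label, group in (("FOCUS NOW", focus), ("WATCH LIST", watch)):
        print(label)
        for r in group:
            flag = "" if r.owner != "UNASSIGNED" else "  <-- no owner allocated"
            print(f"  [{priority(r):>2}] {r.kind:<11} {r.event}{flag}")
```

With the constructed register the migration slip (high probability, showstopper impact) is the only risk above the focus threshold, while the regulatory fine scores low despite its showstopper impact because the group judged it very unlikely; it lands on the watch list with no owner allocated, which is exactly the combination the facilitator should challenge at the next session rather than quietly ignore.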

We do a reasonable job at prioritisation, but then ignore low priority risks

It is really important that the facilitator helps the group focus on the highest priority risks at each workshop. But the risk prioritisation is only a snapshot in time. Who’s to say that the assessment of probability and impact will be the same in a month’s time? The risk owner is the person who should keep an eye on this, but as facilitator you may need to play an active role to ensure this happens. It might be necessary at some point to hold a special session to readdress those lower priority risks and see what can be learned.

We need to use appropriate ways to respond to risk – not just mitigate!

There are many different ways to respond to risks. The option you choose will depend on a number of things, including the appetite for risk (how much uncertainty can you tolerate) and the resources available (does it make sense to invest time and money now to reduce the uncertainty). Changing language often leads to a change in thinking that is very beneficial for the overall process.

Out of the frying pan, into the fire: we always seem to forget about the secondary risk

Identification of secondary risks is a part of response planning. Make sure your process makes this crystal clear and that risk owners understand their responsibilities. A response plan is not complete without secondary risks identified and described well in the risk register. We find also that when you make this a discipline you get a much better quality of risk response in the first place because all the consequences are thought through.

People tend not to follow up on the risk plan

Why have a separate risk plan if actions don’t happen? Add the risk actions into the project, programme, or operational plan so you can be sure they are resourced and monitored. You also need to find ways of holding risk owners accountable.

We often leave workshops with poor outcomes: inappropriate actions, no agreed plan to manage, or both

Challenge actions if you feel they are inappropriate. It is also important to check people’s intent to carry out their specific risk response actions. Put in place some sort of follow-up mechanism.

We leave workshops with plans, then behave as if the risk has already been managed

A while ago, Ruth was speaking with a colleague who is a very experienced risk consultant. During the conversation it became apparent that even experienced people can be fooled into thinking that a plan to respond to a risk is a ‘done deal’. Of course, a plan to respond is just that. It needs to be resourced and implemented if the exposure to risk is to be changed. The example we were discussing involved eliminating the cause of a threat. It would be normal to say the residual risk was zero in this situation, but of course this is only true if the response plan has been successfully implemented. Facilitators need to be very clear with their language and talk about the risk remaining should the plan be unsuccessful. We also need good systems for tracking and monitoring the success of response actions. If we leave out this step, we are only doing risk assessment, not managing risks properly.

We handle risks by listing problems and, all too often, random thoughts

By raising this as a problem, you know that this isn’t too useful. Look at Chapter 5 to gain a fuller understanding of the steps you need to cover along with the process that you can follow and adapt to suit your organisation. But don’t lose those inputs, just turn them into good risk descriptions later. People are likely to be grateful that their thoughts have been listened to and channelled into a useful process.

I’m a business analyst, working with requirements. We don’t have any traceability of risks to requirements. This can cause problems with changes of scope.

Add in traceability if that will help your work. When considering risks to requirements, you could hold a separate workshop. During this workshop you could link each risk to the appropriate requirement.
