Risk is the potential for undesirable outcomes such as financial losses, damage to property or reputation, and personal injuries or deaths. Businesses face a multitude of risks from ongoing operations and critical decisions aimed at improving their performance, growth, or competitive positioning. Critical decisions—such as adopting new business models, creating new lines of business, merging with other companies or restructuring, and replacing technology platforms—tend to be complex, play out over years rather than weeks or months, impact multiple stakeholder groups, and carry high or even existential risks.
Prudent companies formulate and execute strategies called Enterprise Risk Management (ERM) to minimize exposure to significant risks. Part 1 of this article presents a model for thinking about ERM, while Part 2 describes a decision support method for implementing that model.
ERM encompasses two primary activities—risk analysis and management. Risk analysis identifies and assesses threats that can trigger losses. Risks can be categorized as strategic, preventable, or external. Strategic risks arise from poor critical decisions, flawed execution of critical decisions, or failures to respond to changes in markets, customer needs, or technologies. For instance, decisions about developing new products are vulnerable to misreading market needs, sourcing errors, and unanticipated market entrants. Preventable risks derive from flawed business processes or human errors, which can result in defective products, security failures, industrial accidents, or violations of laws and ethical norms. External risks arise from events, trends, or forces that are largely uncontrollable, such as disasters, wars, disease, and social, political, or economic turmoil. Many sectors define risk taxonomies tailored to their specific needs. For example, the financial services industry worries about market, credit, insurance, operational, and liquidity risks.
Once a risk is identified, it must be assessed and modeled causally. How does it produce losses and how big are they? How does the threat arise—what conditions and sequences of events are required to produce it? For example, cyber threats are carried out through various attack modes: hacking, ransomware, phishing, denial of service, and insider sabotage. Each mode of attack is carried out by gaining access to a web site or computer network and then compromising it in specific ways tied to attack objectives.
Engineers and insurers quantify risk using the following formula:
Risk ($) = Likelihood of occurrence × Economic value of loss ($)
However, estimating risk is often challenging. Likelihoods are difficult to appraise for infrequent events such as pandemics or satellite launches. Anticipating the magnitude of losses from terrorist attacks or hurricanes, both immediate and long-term, is similarly daunting, as is translating intangible losses such as reputational or symbolic damage and social or psychological harm into monetary terms.
Risks are managed by allocating resources to prevent, mitigate, or recover from harm. Effective management presupposes a thorough analysis of risk. Business resources are never sufficient to address all salient risks. By quantifying risks, analysis allows them to be compared and prioritized, which facilitates the assignment of scarce resources to where they will provide the most benefit. Understanding how threats arise and cause losses is similarly crucial to developing measures to avoid them or mitigate and recover from their effects.
Risk can be managed in four ways: it can be avoided, reduced, shared, or accepted. Risk is avoided by refraining from actions that could lead to losses. For example, companies decline to purchase contaminated industrial properties to prevent exposure to legal liabilities.
Risk is reduced by lowering the likelihood of threats or the magnitude of losses they produce. For example, products and manufacturing processes can be re-engineered to reduce the probability of defects. Companies can reduce losses by adopting “business continuity” methods such as emergency preparedness, training, and investing in redundant data centers, backup power supplies, and multiple sourcing vendors. Cybersecurity threats are generally reduced by adopting technology solutions such as firewalls and intrusion detection systems, coupled with enhanced governance and workforce education.
Risk is shared by transferring portions to other parties such as insurers or partners. Insurance protects against risks that are external or preventable, such as natural disasters, theft, accidents, and legal liabilities. It helps compensate for economic losses, but doesn’t prevent or reduce harm, or cover intangible losses such as reputational or strategic damages.
Risks that are not avoided, shared, or reduced are accepted. Businesses commonly accept risk for events that are affordable, rare, or unmanageable. Acceptance need not be purely passive. Government regulations require banks and insurers to maintain certain levels of assets in reserve to cover losses. Many large companies also accept risk by self-insuring to manage employee health care expenses.
Risk-Based Resource Allocation: A Portfolio-Based Approach
Most businesses fund ERM begrudgingly because it doesn’t grow revenues or contribute to bottom-line profits. Thus, resources allocated to ERM must be apportioned carefully across enterprise risks to maximize their effect. One approach is to apply portfolio management methods originally developed for financial investments. A financial portfolio consists of instruments drawn from multiple asset classes, such as stocks, bonds, real estate, and commodities, that each carry their own distinctive risks. The central idea behind portfolio theory is that holding a diverse set of financial assets protects against losses because some assets will tend to perform well when others do not. Portfolio theory applies optimization techniques to maximize returns on investment relative to particular tolerances for risk. A portfolio for managing enterprise risks rather than financial assets inverts this objective: it seeks to maximize the amount of risk reduction from a fixed set of resources. That is, an ERM portfolio allocates resources to maximize the enterprise’s “bang for the buck” for reducing (or covering) its exposure to risk.
Financial portfolios are created by selecting percentages of funds to allocate to different asset classes, and then picking instruments within each class based on their expected rates of return and degrees of risk. Constructing a portfolio for managing risk is not all that different. Three ingredients must be specified:
● Threats
● Targets for threats
● Current and proposed measures to manage risk
Threats are adverse events or conditions that produce risk. Targets consist of assets, business units, or populations of stakeholders that are vulnerable to threats—offices or plants in regions prone to earthquakes or power disruptions, key production equipment, employees with rare or costly medical conditions, raw materials with volatile supplies and prices, and web sites, control systems, and computer networks. A target set consists of one or more targets of the same type. Threats must be mapped onto target sets because not all threats apply to all target sets. For example, drug side-effects pose no threat to physical assets or intellectual property, only to patients (and drug brands). The pairing of a threat and a target set vulnerable to that threat is called a risk exposure segment.
Enterprise risks can be modeled as a gaming table. Each rectangle on the table corresponds to one risk exposure segment. A bet on a casino table places chips on one or more rectangles that correspond to a roll of dice or spin of a roulette wheel. A decision “bet” in a risk portfolio “game” specifies one or more risk management measures to apply against one or more rectangles, as shown in Figure 1. ERM bets are constrained by how many “chips” are available—business assets and employees already dedicated to existing ERM measures plus investments in new personnel, processes, and assets.
Figure 1. Enterprise Risk Management "gaming table"
The rectangles for placing bets on a roulette table correspond to the number of slots on the wheel plus special combinations such as any red or black slot. By contrast, the number of rectangles on a risk gaming table is variable, determined by the number of risk exposure segments identified for a company at a given time. On a standard gaming table, the odds of winning and payoffs are fixed for each rectangle, with special combinations having different odds and rewards from bets on the standard rectangles. By contrast, total risk for risk exposure segments and the “payoff” for risk management measures are highly variable. Total risk for a risk exposure segment equals the product of the risk for an individual target and the size of its target set population. Payoffs depend on the risk reduction measure and the nature of the threats and targets to which it applies. To add insult to injury, risk gaming tables are dynamic: as businesses grow (or shrink) and their environments evolve, the number of risk exposure segments and their total risk can change.
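The arithmetic behind the gaming table (risk per target scaled by target set population, and the “bang for the buck” of an ERM bet against a fixed pool of chips) can be made concrete with a small model. The following Python is an added example, not code from the article or any ERM product; the segments, measures, costs, and multipliers are constructed values, and the assumption that the effects of two measures on the same segment compound independently is a modeling choice of this example.

```python
"""Score risk exposure segments and choose the ERM 'bet' that buys the most
risk reduction within a fixed budget (added example; all data is constructed)."""
from dataclasses import dataclass
from itertools import combinations
from typing import Sequence, Tuple


@dataclass(frozen=True)
class Segment:
    """One rectangle on the risk gaming table: a threat paired with a target set."""
    name: str
    likelihood: float   # annual probability the threat hits one target
    loss: float         # economic loss in $ when it does
    population: int     # number of targets in the target set

    def total_risk(self) -> float:
        # Risk ($) = likelihood * loss for one target, scaled by target set size
        return self.likelihood * self.loss * self.population


@dataclass(frozen=True)
class Measure:
    """A risk management measure: its cost and its effect on each segment it touches."""
    name: str
    cost: float
    # (segment name, likelihood multiplier, loss multiplier); 1.0 means no effect
    effects: Tuple[Tuple[str, float, float], ...]


def residual_risk(segments: Sequence[Segment], chosen: Sequence[Measure]) -> float:
    """Total $ risk remaining after the chosen measures are applied.
    Assumption: multipliers from different measures on one segment compound independently."""
    total = 0.0
    for seg in segments:
        lik, loss = seg.likelihood, seg.loss
        for m in chosen:
            for seg_name, lik_mult, loss_mult in m.effects:
                if seg_name == seg.name:
                    lik *= lik_mult
                    loss *= loss_mult
        total += lik * loss * seg.population
    return total


def best_bet(segments: Sequence[Segment], measures: Sequence[Measure],
             budget: float) -> Tuple[Tuple[str, ...], float]:
    """Evaluate every affordable combination of measures and return the one with
    the largest risk reduction as (measure names, reduction in $).
    Exact but exponential in len(measures); fine for a handful of candidates."""
    baseline = sum(s.total_risk() for s in segments)
    best: Tuple[Tuple[str, ...], float] = ((), 0.0)
    for k in range(1, len(measures) + 1):
        for combo in combinations(measures, k):
            if sum(m.cost for m in combo) > budget:
                continue  # not enough chips for this bet
            reduction = baseline - residual_risk(segments, combo)
            if reduction > best[1]:
                best = (tuple(m.name for m in combo), reduction)
    return best


# Constructed risk exposure segments (threat x target set)
SEGMENTS = (
    Segment("ransomware / workstations", likelihood=0.10, loss=20_000, population=500),
    Segment("ransomware / servers", likelihood=0.05, loss=400_000, population=20),
    Segment("earthquake / plants", likelihood=0.02, loss=5_000_000, population=2),
    Segment("drug side-effects / patients", likelihood=0.001, loss=100_000, population=10_000),
)

# Constructed candidate measures; a measure may lower likelihood, loss, or both
MEASURES = (
    Measure("endpoint detection", 150_000,
            (("ransomware / workstations", 0.4, 1.0), ("ransomware / servers", 0.6, 1.0))),
    Measure("immutable backups", 80_000,
            (("ransomware / workstations", 1.0, 0.5), ("ransomware / servers", 1.0, 0.3))),
    Measure("seismic retrofit", 300_000, (("earthquake / plants", 1.0, 0.5),)),
    Measure("pharmacovigilance", 120_000, (("drug side-effects / patients", 0.7, 1.0),)),
)

BUDGET = 300_000  # chips available for new ERM bets


if __name__ == "__main__":
    for seg in SEGMENTS:
        print(f"{seg.name:32s} total risk ${seg.total_risk():>12,.0f}")
    names, reduction = best_bet(SEGMENTS, MEASURES, BUDGET)
    print(f"best bet within ${BUDGET:,}: {names} reduces risk by ${reduction:,.0f}")
```

With these constructed numbers, the two cheapest cyber measures together cut more risk than any other affordable combination, even though the pharmacovigilance measure has the best reduction per dollar on its own; that is the point of evaluating the bet as a portfolio rather than measure by measure.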
Part 2 describes a “test-drive” method for simulating the outcomes for ERM bets on a company’s risk gaming table. This method enables decision-makers to analyze and improve the risk reduction yield of ERM strategies, much as financial portfolios can be tuned.