How to Manage Portfolios of Enterprise Risks: Part 2
Updated: Jan 14, 2020
Enterprise Risk Management (ERM) is a critical business decision in its own right as it spans a company’s exposure to all risks stemming from its ongoing operations and critical business decisions. Like other critical decisions, ERM strategies carry high stakes for a company’s well-being and survival. They are also vulnerable to unintended consequences stemming from poor design, flawed execution, and unanticipated contingencies.
My book, Bending the Law of Unintended Consequences, describes a method for improving the quality of critical decisions and reducing the likelihood of undesirable outcomes. This method uses simulations to test drive decisions before committing to them, much like consumers test drive cars on different types of roads to explore their steering, braking, acceleration, visibility, and comfort before buying them. Similarly, test drives for decisions project the outcomes of alternative strategies under a range of possible future conditions, uncovering unintended consequences in a safe, virtual environment. This enables decision-makers to avoid poor decisions or refine decent ones to improve their outcomes.
A test drive for ERM strategies simulates the consequences of placing ERM bets on a company’s risk gaming table, as described in Part 1. This process consists of the following steps:
1. Building a Risk Gaming Table
Businesses construct risk gaming tables by conducting a comprehensive analysis of enterprise risks. That analysis identifies consequential threats and target sets, maps threats onto relevant target sets, and estimates the total risk for each such pairing. Threats can be gleaned from industry trade publications, insurers, and risk experts. Target sets for those threats can be identified and sized using a company’s accounting and personnel systems. Methods for quantifying risks can be found in the literature on risk or obtained from risk consultants.
2. Defining ERM Bets
Developing ERM strategies is the most challenging phase of the decision test drive process, requiring expert knowledge and creativity. An ERM bet is modeled as a plan for rolling out risk reduction measures over time. Plans generally include both new and existing measures. The latter may be fully in place or in the process of being deployed (or phased out) across the company. Plan components consist of a schedule, a cost profile, and the anticipated risk reduction impact of a measure on a risk exposure segment. The schedule defines the rate at which a risk management measure is rolled out across one applicable target set. Costs are broken out into three categories: start-up, labor, and operations and maintenance. Effect is estimated as the percentage impacts on threat likelihood and consequence for the given risk exposure segment. A measure reduces a likelihood if it improves detection and/or prevention of the threat. It reduces consequence if it mitigates harm, such as property damage or deaths and injuries. These values can often be derived from the financial, engineering, or actuarial models originally used to assess risks.
For example, a measure to increase physical security might roll out surveillance cameras at the rate of one site per month. This measure might be estimated to reduce the likelihood of attacks by 8% per site but not reduce consequence at all. Such a measure might cost an average of $30,000 in start-up costs per site, $6000/month in incremental labor costs, and $1000/month for operations and maintenance. Training programs typically incur one-time costs. These specifications enable the test drive simulator to project outcomes for ERM bets.
3. Identifying Contingencies
Like other critical decisions, ERM strategies depend upon assumptions about future conditions. It is highly unlikely that these predictions will all come true, rendering strategies brittle in the face of uncertainty. To improve robustness, test drives project the outcomes of decisions across scenarios—a set of alternative futures in which disruptive events occur, trends and forces vary, and parties such as customers, competitors, and hackers change their behavior patterns. These dynamics are important because they alter a company’s risk gaming table over time. Events such as mergers or divestitures add or remove risk exposure segments from the gaming table. Business growth or layoffs cause the sizes of target sets to change, while new technologies and political forces transform threats and their attendant risks.
4. Identifying Performance Metrics
The key factors for assessing ERM portfolio strategies are risk and cost. The following metrics enable decision-makers to compare projected outcomes:
● Risk reduced: how much risk is eliminated (or covered) by risk management activities
● Residual risk: how much total uncovered risk remains as ERM strategies are rolled out over time
● Cost: how much money is spent on risk management measures
● Return on investment (ROI): combines total cost of the ERM bet and total risk reduced to measure financial efficiency
● Time efficiency: a metric that favors measures that reduce risk rapidly over slower ones
These metrics are seldom aligned. For example, measures that reduce large amounts of risk but are labor-intensive tend to incur high costs, producing mediocre ROI. Measures that reduce risk quickly may have poor ROI. Leaders must make trade-offs between these metrics to identify the “best” ERM strategy.
5. Running Simulations
The test drive simulator projects the “payoffs” (i.e., outcomes) of a company’s ERM strategy bets on its risk gaming table across multiple scenarios. The pairing of an ERM strategy and a scenario of contingencies amounts to the script for a play or movie. The simulator dutifully executes the directions specified in that script, month by simulated month. It injects timely events and changes in trends, forces, and behavior patterns on cue from the scenario, altering the risk gaming table. It also deploys (or withdraws) risk reduction measures according to their schedules, updating risk metrics for relevant rectangles and the accumulated costs for each measure to reflect labor and operations and maintenance expenses for measures already in place (plus incremental start-up costs). The simulator then updates total enterprise risk, cost, ROI, and time efficiency. This “bookkeeping” produces a log of the simulated performance of ERM strategies over time. Decision-makers can analyze and compare these logs to identify gaps in coverage of risk exposure segments and unintended consequences of ERM bets and contingencies that require remediation. They can apply these insights to improve ERM bets by trimming or eliminating measures that reduce too little risk or cost too much, add measures to cover risks from contingencies, and double down on measures that reduce large amounts of risk at reasonable cost.
This portfolio approach to managing risk allows decision-makers to answer four key questions:
A. What is the most effective way to manage the risk for all target sets subject to a particular threat?
B. What is the most effective way to protect a particular target set against all relevant threats?
C. How much risk can be reduced (or covered) with a fixed budget of Y dollars?
D. How much risk can be reduced (or covered) with high-efficiency measures (i.e., ROI > threshold X)?
Question A focuses on ERM bets placed along one row of the gaming table, while B looks at bets along one column. For example, we performed a test drive of maritime counter-terrorism strategies for the US Coast Guard. Threats consisted of terrorist attack modes involving hijacking, assault teams, and boat bombs using small vessels. Targets included bridges, refineries, cruise ships, and tankers in a coastal region containing seven ports. Risk reduction measures consisted of increasing security patrol boat hours (which requires purchasing new boats and hiring new crews) and refining patrol tactics. This test drive explored trade-offs between risk reduced, cost, and ROI for various investment and deployment strategies over a five-year period.
By contrast, Questions C and D involve bets placed across all rectangles on the gaming table. We conducted another test drive for the Transportation Security Administration. Their gaming table for this study encompassed thirteen terrorist attack modes against eighteen target set made up of different types and sizes of commercial truck and bus fleets that travel the nation’s highways. The study analyzed three ERM betting strategies: covering all risk exposure segments with all relevant measures, applying security measures to segments only when they generate an ROI that exceeds a cutoff value, and applying measures to cover one-third of all target sets with the highest risk. Strategy S1 assumed an unlimited budget (and produced a dismal ROI = 0.004), while S2 and S3 assumed the current budget level. Strategy S2 maximized ROI (= 9.0), but offered no protection for the vast majority of soft targets such as school and commercial buses. This is politically unfeasible, so Strategy S3 (ROI = 2.0) attempted to compromise by ensuring some coverage to all rectangles by funding measures that produce the highest ROI for those target sets. These results can be refined by using the simulation logs to guide more selective betting.
In conclusion, the portfolio approach enables decision-makers to tune ERM strategies from both global and threat- or target-specific perspectives. Equally important, enterprise risk is dynamic: threats, target sets, budgets, and the effects of risk reduction measures all change over time. Risk reductions and the costs to achieve them accumulate in complicated ways. For example, expenses to develop new security measures accrue from day one, but they reduce no risk until they are actually deployed. Failure to appreciate these nuances leads to poor estimates for key risk metrics, which results in flawed ERM strategies and unnecessary exposure to risk. Simulation-based test drives for ERM strategies require more effort than simple back-of-the-envelope or before/after “snapshot” analyses. However, that extra effort buys a far more accurate assessment of the performance of, and trade-offs between alternative ERM strategies, and produces better outcomes.
For More Information
My book, Bending the Law of Unintended Consequences, describes the decision test-drive method and its application to ERM in more detail. See Robert Kaplan and Anette Mikes’ article for a more detailed discussion on categories of risk and Werner Meyer’s article for an introduction to risk quantification.