Complexity challenge: understanding complicated risks

Emerging risks can mean not just a lack of historical data but also cascading consequences. Lawrence Habahbeh proposes a framework for understanding these more complicated risks

The COVID-19 pandemic has led to a renewed focus on enterprise risk management. It has caused firms to reflect on the effectiveness of their frameworks for categorising, planning, preparing, and mitigating the effects of emerging extreme risks.

Broadly, organisations are faced with three types of risks:

• Known risks are easily identified, and organisations have plans and strategies to avoid and mitigate their consequences

• Emerging risks are also known, but the full extent of their immediate, short and long-term ramifications and interaction with other risks are not yet fully clear
• Unknown unknowns are unprecedented, unimagined, extremely rare events with massive impacts; they are ‘intrinsically unpredictable’, owing to lack of or non-existent reliable historical data on such events.

Extreme emerging risks – such as pandemics, solar storms, multiple and simultaneous severe weather events, mass cyber attacks, volcano eruptions with global impacts, and large-scale terrorist attacks – are significantly more complex than, and different from, traditional risks. These risks manifest in a variety of discrete, linked and compound events, and have cascading consequences.

Emerging risks

Emerging risks act as amplifiers to existing risks. They are characterised as ‘systemic’ in nature because they are concurrent and diverse. These risks set in motion a chain of secondary and higher-order effects, with the potential to cause system-wide breakdown or significant disruption to man-made economic, financial and security systems.

Under current risk assessment frameworks, not much priority is given to these events because they are assessed as being low-likelihood events. In risk registers, they are considered important but non-urgent. However, the downstream knock-on consequences, and the range of triggered, linked and compound risks and cascading consequences they set in motion, are complex. By reducing emerging risks to single, low-probability, discrete events, we miss the full range of possibilities triggered by these events for which one must be prepared; therefore, we fail to properly integrate them in current risk frameworks.

Cascading events create common consequences that can cluster and further cascade. These consequences combine and accelerate; they can generate unforeseen effects and increase the total systemic risk associated with the onset of emerging risks. For example, a large solar storm can lead to a loss of power and loss of functionality in the low Earth orbit satellites that provide communication, information, navigation and timing systems to businesses and households across the world. These consequences can then cascade into other risks, such as failure of energy and food production, telecommunication, supply chains and financial markets. Critical infrastructure failures can also lead to breakdowns in social stability, with impacts of unpredictable direction and unknowable magnitude.

Assessment framework

The identification, planning and assessment of emerging risks require fresh thinking. This means moving beyond an assessment of middle-of-the-road probabilities of individual (discrete) events based on historical data alone, and focusing more on the range of the most likely chain of events that could be triggered by the onset of these risks. The assessment should also focus more on the multiple pathways of possible cascading consequences. These can rip through society, leaving a chain of effects across multiple dimensions such as human welfare, the economy, essential services, the environment, behaviour, national security and international relations.

The assessment should include a framework to structure and build a range of reasonable worst-case scenarios and their associated first, second, third and fourth-order (and so on) societal and economic impacts. These impacts can be quantifiable (such as financial losses, deaths and injuries) or non-quantifiable (such as loss of certain services, and psychological effects over the immediate, short, medium and possibly long term).

This approach removes some of the biases associated with emerging risk assessment, such as the dictates of a variant of Gresham’s law – that the short term drives the long term. In the insurance and banking industries, risk decision-making processes tend to have a very short-term horizon owing to short-term regulatory capital requirements, leading to a one-dimensional risk profile that is characterised by risk class, likelihood of risk manifesting over a short period – usually a year – and the linear discrete impacts that the risk generates. The assessment should rather take into account the timing of cascading consequences, and their range of potential paths or trajectories. In other words, we should consider the range and likelihoods of paths, not just the likelihoods of the events themselves.

The financial crisis of 2007 demonstrated the importance of correctly quantifying counterparty credit risk arising from over-the-counter derivative contracts. The UK is undergoing a Solvency II review, one aspect of which is a reassessment of the ‘fundamental spread’ – the allowance made for risks that insurers are assumed to retain when calculating the matching adjustment. The Prudential Regulation Authority considers that the current fundamental spread design does not appropriately reflect the risks retained by insurers because it is not sufficiently sensitive to movement in drivers of credit and counterparty risks.

Extreme emerging risks and their associated consequences introduce a new set of risk drivers into classical default and credit risk models. Low-probability, high-consequence outcomes, when they manifest, can dominate calculations of total risk. The potential for a rise in the number of defaults and downgrades accelerates during times of extreme emerging risks, and this needs to feed into regulatory capital models. The expected loss on a financial transaction or a portfolio of credit risk exposures or counterparties due to another pandemic is not the same as the expected loss due to a severe solar storm, because these events have different probabilities of occurring. This needs to be adequately reflected in firms’ credit-risk models and regulatory outputs.

There are many different ways an extreme risk, and its associated consequences, can manifest. These can be illustrated using networks of linked scenarios. Including a range of scenarios reduces the high degree of uncertainty associated with a single estimate of one reasonable worst-case scenario and likelihood calculations. A range of scenarios can take into account a base-case scenario reflecting a historical precedent, or a similar disruptive event, as well as an optimistic scenario and a pessimistic scenario.

These scenarios can be constructed through a top-down (feed forward) or bottom-up (feed backward) cause-consequence analysis framework. These approaches are important, and can be building blocks for a more advanced assessment of ‘what might happen?’. Focusing on the common consequences of emerging risks, and searching for the maximum likelihood path that leads to a certain outcome, can reveal information about the links in the chain of effects. These approaches work as follows:

Feed forward emerging risk analysis: Primary cause → primary impact → second effect → third effect → fourth effect. An example of this approach is an analysis of the onset of COVID-19 and the evolution of the pandemic since it was first declared such by the World Health Organization.

Feed backward emerging risk analysis: Fourth effect → third effect → second effect → primary impact → primary cause. For example, we can take this approach to assess how many configurations of primary and secondary risks as a result of an extreme space weather event can lead to electrical shorts, fires, explosions, blackouts, power outages and loss of communications infrastructure.

Risks as systems

A useful framework to encourage thinking about risks and their interactions is to frame risks as ‘systems’. Analogously to complex systems in physics and mathematics, we can define a complex risk system as a system with multiple independent, or interacting, risk processes. The space of a single-risk process is the total number of possible states the process can attain in finite time or infinite time. Likewise, the space of a risk system is the total number of states the risk system can attain in finite or infinite time.

Moreover, under current risk frameworks, a risk tends to be assessed in terms of the likelihood of occurrence and the impact of the risk. There is often a lack of a more detailed assessment, taking into account other characteristics of the risks and their context. However, characteristics such as risk velocity, acceleration and jerk (see ‘Key definitions’, below) can indicate risk onset and signal the passing of tipping points in the risk process that drive the output of a risk system.

The state of a risk system is dependent on the states of the risk components and the interactions between the components driving the risk system. In fact, the configuration of risk components in terms of risk level, velocity, acceleration and jerk is more important than the trajectory of events themselves, because the trajectory is a function of these components. Therefore, the probability that the risk system is in any particular state is based on the probability that the risk components are configured in a certain way. This configuration maps to the risk system state and likelihood.

An array of possibilities

Assessing emerging risks is complicated because of their rare and conjectural nature. The likelihood of an emerging risk event cannot be accurately quantified, and any assessment of these risks built on a likelihood-impact matrix can be misleading. It can lead to a false sense of confidence, particularly in terms of prioritisation of risk.

The goal of an emerging-risk assessment should not be to provide a specific prediction, but to help decision-makers see what may lie beyond the horizon by offering an array of possible futures. This is achieved through having accurate and sincere articulation of the risks and discussions of reasonable worst-case scenarios, and implementing efficient risk frameworks that successfully forecast the common, probable, primary, secondary, linked and cascading consequences triggered by extreme events, based on the best available historical, statistical, and scientific evidence and analysis.

Adequate risk analysis requires a better understanding of emerging-risk characteristics such as velocity, acceleration and jerk, which may give indications of when a risk shifts its trajectory into a more extreme state with higher impact.

Finally, it is now clear that the risks posed by the COVID-19 pandemic are far greater than previously anticipated. The pandemic has led actuaries and risk managers away from focusing on middle-of-the-road outcomes and into the harsh light of physically evident extreme emerging risks, and their complex interactions in shaping the risks. It has also led them to recalibrate their risk frameworks based on a more prudent risk-management approach with a tough and objective look at the real risks we face – especially those high-end, extreme-risk events whose cascading consequences may be damaging beyond quantification. Sensible risk management better anticipates, prepares and responds to a range of challenging scenarios, in time, including those that we have never experienced before.

Key definitions

• A risk tipping point can be understood as the passing of a critical threshold in the state of a risk process, defined in the context of a risk system, such that the breach of the threshold in the risk process can lead to a discontinuity in the output of the whole risk system.The progression towards these tipping points occurs due to positive feedback. A small change in a risk system, such as a change in a single risk component, a driver of a risk process or a parameter driving the dynamics of a risk process, leads to changes in other risk processes in the risk system, and ultimately feeds back to the original risk process, amplifying its effect. This can lead to a discontinuity in the risk system’s output. In other words, it can produce an abrupt, rather than a smooth, change in the output, leading to extreme states in the risk system.
• Risk attractors. In the context of risk tipping points, it is critical to know the potential extreme states a risk process can attain in a finite time, and the total number of subsets of the risk phase space that contain extreme states. The progression towards these extreme states has indicators associated with their dynamics, such as speed, acceleration and jerk (see below) of the risk process and co-dependency with other risk processes. Therefore, studying the total amount of time a risk process or a risk system stays in a subset of the risk phase space that is considered ‘normal’, and the distance between the subset of extreme states and normal states, indicates when a risk might jump into an extreme state. These single points or subsets of the phase space with connected regions are called risk attractors – they are sets of states toward which the risk system tends to evolve, and indicate the cycles that exist in the system.
• Risk velocity and acceleration characterise the rate of change (and its derivative) in the level, or impact, of a single risk with regard to time. The drivers of risk velocity can be changes in the underlying parameters of the risk process, or the rate of change of such parameters. Velocity can indicate when a risk will shift its state from a low to a high-likelihood risk – that is, a tail risk developing into a more likely risk with an extreme state. In other words, this is the velocity of a risk moving from low to high-impact.
• Risk jerk is the rate of change of a risk process’s acceleration with regard to time (that is, the third derivative of the risk level with regard to time). The risk jerk for underlying processes within a risk system is important for identifying the (un)stable regions in the risk system phase space. The timing of the jerk could reveal periods of risk regime shifts – for example, when the risk processes shift into a subset of the risk system phase space that is unstable. This change could be transitory or permanent, and entails a potential shift in the trajectory of a risk system.
• The edge of chaos of a risk system is the threshold of a risk system at which it starts progressing into a chaotic state. Here, the risk processes become chaotic, with extreme (fat-tailed) outcomes. The parameters of the risk system – the combined independent levels of each risk and the dependencies between them – adjust and adapt to the risk environment in such a way that the edge of chaos is a transient but recurring phenomenon. The edge of chaos could be the point at which a risk system crosses into a risk trajectory that is considered ‘extreme’ in the old risk trajectory and ‘normal’ in the new trajectory.

Lawrence Habahbeh is a traded and enterprise risk specialist, a member of the Risk Management Board and chair of the Black Swans Insurance Working Party

Image credit | Joe-Waldron