[Skip to content]

Sign up for our daily newsletter
The Actuary The magazine of the Institute & Faculty of Actuaries

Risk identification and measurement framework

T he publication by the Financial Services Authority (FSA) of Consultation Papers (CP) 140 and 142 has increased the need for management of all types of risk, including operational risk. The CPs focus on the FSA’s requirements in the form of management information and processes, but do not offer guidelines for implementation. This article explores the difficulties of implementing risk management and proposes a framework to ensure best practice risk management is achieved throughout the organisation.
Risk management
Regardless of the regulatory need, a governing board wants to know that all the risks inherent in its business are identified and quantified. Where appropriate, the risks should be mitigated efficiently, so that the extent and cost of the mitigation is commensurate with the risk impact. A high-level summary of the risk-management process can be described as follows:
– Identify each risk.
– Quantify each risk’s significance as:
—the probability of the risk occurring; and
—the magnitude of the potential loss.
– Quantify the effectiveness of the mitigating controls.
– Take appropriate steps to reduce either the probability or the amount of the net loss to a level that can be retained.
In practice this process presents many difficulties, which we will illustrate by examining some of the questions that arise.

Risk identification
Successful risk management relies on a common understanding within the organisation of the risks it is exposed to. To someone unfamiliar with the topic, operational risk might be loosely associated with administration and IT systems. In fact, the Basel Committee on Banking Supervision has suggested operational risk is: ‘the risk of loss, resulting from inadequate or failed internal processes, people and systems, or from external events.’ Using this definition, operational risk is embedded in every aspect of a business. The most pressing question facing any organisation is: ‘how do I know that I have completely identified all of the risks in the business?’ While 100% risk elimination is neither desirable or possible, every effort must be made to identify the critical risks. A multi-faceted approach is needed to consider the risks inherent in the industry and those that are unique to the firm’s own processes. This approach must take into account industry practice, as well as existing controls and the knowledge of management and staff.

Quantification of the risk probability and size of loss
In the June issue of The Actuary Mark Chaplin illustrated the problem of risk quantification. He showed a table of estimated mortality increases for one year ranging from 20% to over 50%, derived using various methods. These estimates were for mortality risk, which is clearly defined, easy to identify, has a large pool of supporting data, and is widely studied. It is much more difficult to estimate potential losses from an intangible event, such as the failure of a process.

How effective is our risk mitigation?
It is important to identify and quantify the effectiveness of the mitigating controls. While some controls are tangible, such as economic hedges, others are less tangible, and rely on people completing processes correctly. Measurement of the effectiveness of processes, their documentation and level of compliance must be part of any risk management review.

The risk management framework
Consistent methods must be applied throughout an organisation to ensure risk management standards are maintained in all areas. This framework should form part of a common risk philosophy embedded in the organisation’s culture.
There are various approaches to facilitate risk management and each has its own strengths and weaknesses. Research conducted at Cranfield University helped develop an approach combining the best aspects of a number of techniques. The risk identification and measurement (RIM) framework is a tool for collecting information on risk and mitigating controls, and analysing that information to assess the performance of a risk management programme.

Although it is tempting to try and assess the whole organisation simultaneously, it is better to divide the organisation into a number of units, based on either organisational or functional boundaries. Each of these units becomes the basis of a review area. Precise scoping of the review area and review objectives is critical to success.
The review team must then identify the existing business controls and processes. They also identify best practices in the relevant industry and in other industries facing the same issues. A panel of experts is chosen from the business area under review. Each panel member is interviewed to identify the risks in their area.
By combining the data gathered in the interviews with industry best practices, and the organisation’s business processes, the review team can produce a comprehensive list of the risks the organisation faces. The list forms the basis of a questionnaire which is used by the expert panel to assess the probability and impact of the risk, and to give their opinion as to how well the firm has mitigated the risk. These results are tabulated, and the members of the panel are presented with the group response or their individual response and given an opportunity to reassess their opinion. This process is repeated three or four times until either consensus is reached or results between each iteration are stable.
The plotted results illustrate the significance of each risk and how successfully it is mitigated. If the level of significance and mitigation is broadly proportional then the results should fall along a diagonal line.
In practice, some risks are managed very well when compared to their level of significance. These are called ‘excessive’ risks. Other are not well mitigated when taking into account their significance these are ‘negligent’ risks. Every organisation can be expected to have at least a small number of negligent and excessive risks. However the RIM method has shown a significant number of risks can fall into these categories. An example of the results from a RIM review is shown in figure 2. The number assigned to each point on the graph references a specific risk. There are a significant number of negligent and excessive risks, showing that the organisation in question is overmanaging some less significant risks while undermanaging and even ignoring some very significant ones.

Continual self-assessment
The framework forms the basis of continual self-assessment of risk analysis and mitigation. Once the process has been conducted once or twice, it can be implemented by the organisation itself as often as necessary.
The RIM framework can also be applied to special projects, such as a major change project, an acquisition, or responding to a crisis. Implementing a RIM practice over the project helps manage the new risks and also makes the organisation appreciate that this is ‘out of the ordinary’, automatically changing risk culture in the project team.
The risk and mitigation analysis can be a cornerstone for discussion with the regulator in assessing capital adequacy for operational risk. It will also allow management to be better informed as to the nature and extent of the risks being borne by the shareholder’s capital.