Chris Lewin looks at the risk initiative between the actuarial and civil engineering professions
For the past 20 years, actuaries and civil engineers have been working together on risk management. Starting with the development of a methodology known as RAMP (risk analysis and management for projects), the work has broadened out to include strategic, operational and enterprise risk. This article outlines the results and indicates how actuaries might be able to use them in the financial services industry and elsewhere.
The RAMP guide, first published in 1998, covers the management of risks in change projects, large and small. It was later recommended by HM Treasury for the government's own projects and rolled out to government departments. We also published guides related to the management of strategic risk (2006), a framework for implementing enterprise risk management (2009), and recommendations on handling uncertainty (2011). A few months ago, we learned that our guides on project risk and strategic risk are being used by London's Crossrail in its own risk management systems.
Components of enterprise risk
Bringing all this work together, we summarised the components of enterprise risk into the form shown in Figure 1. The double lines between the three components represent the overlaps between them, and the double line round the whole triangle represents the dynamic interface between enterprise risks and the risks of the outside world. Each of the three components is normally managed by separate groups of executives, but there should also be concentration at the centre on the overall risk faced by the enterprise.
RAMP is an iterative process, which is applied in gradually increasing depth as the development of a project proceeds. It is particularly useful when employed from the very start, while alternative projects are being considered and there is a need to evaluate the risks in each of them. The process emphasises the need to reduce uncertainty, by conducting a methodical and focused search for additional relevant knowledge. The guide covers the production of a risk register, but calls for it to be constructed in greater depth than is common practice, for example by treating assumptions as risks and indicating connections between different risks. Criteria are proposed for determining whether possible risk mitigation actions would be cost effective. Special attention is paid to catastrophe risks. To aid decision-makers, it is suggested that scenario analysis is carried out, illustrating the value of the project if various key scenarios occur, and leading to a single risk-adjusted net present value that represents the value of the project after allowing for risk. The results can be presented in a simple diagram such as Figure 2.
The left-hand section illustrates the net present value of the project before risk mitigation and the right-hand side shows the corresponding value if risk mitigation actions are implemented. In each section, the net present values from five scenarios, A to E, are shown, where A is 'as expected' and the other four scenarios illustrate the results if specific groups of risks materialise.
The 'risk-adjusted value' of the project, displayed in the final column of each section, is the weighted average of the results from the five scenarios, allowing for the estimated likelihood of each scenario group occurring as shown. In this example, the risk mitigation has not only brought the outcome for each scenario within the board's level of risk tolerance for the project, but it has also increased the risk-adjusted value of the project, even after allowing for the cost of the mitigation actions.
Our guide to the management of strategic risks is colloquially known as STRATrisk and was underpinned by a Bristol University study based on interviews with directors and senior executives, mainly in the construction industry. The guide stresses the need for effective board leadership and commitment, and suggests that a short list of up to 10 strategic threats should be drawn up for the board to monitor regularly, as well as a short list of key opportunities. A participative open culture involving the entire staff is recommended, with two-way communication about emerging risks, as well as organisational learning and knowledge sharing. The guide also recommends that there should be a comprehensive ERM framework, with a central organisational focus on risk. Among other aspects, the risks already embedded in the organisation should be studied, such as the use of mathematical models that do not reveal extreme events, or erroneous spreadsheets and inadequately understood computer programs. A section of the guide deals with self-inflicted strategic risks, such as those that could follow from cutting out a layer of management or from giving insufficient attention to risks identified already.
Some useful tools for managing strategic risks are described, including horizon scanning, concept mapping, pattern recognition and risk grouping.
Enterprise risk management
We know that most boards understand the concept and desirability of having a holistic enterprise risk management framework, but we also realise that many organisations have found difficulty in introducing one.
We have therefore produced a comprehensive guide to implementing such a framework in any business, covering organisational principles and the details of a central focus on risk.
The other topics discussed include uncertainty, risk appetite and capacity, scenario analysis and stress testing, responses to risk, risk governance and developing an action plan. There is also a section on managing a list of common operating risks, which we drew up following a Southampton University study on operating risks in the energy, transport, waste management and water industries.
This list includes reputation damage, problems with IT systems, reductions in demand, customer service problems, supply chain issues, malevolent third parties and numerous risks we identified relating to staff and finance.
Applications in financial services and other industries
The results of our work have potentially wide applications in a variety of businesses, with appropriate adjustments for the particular context. In financial services, for example, there are many projects that could usefully be managed by RAMP, including IT schemes and the launch of new products, and many strategic risks that could be managed by applying the concepts and tools of STRATrisk.
Those insurance companies that do not yet have a fully comprehensive system of enterprise risk management might be able to benefit from the framework we recommend, using it as a checklist of the action which is needed. Moreover, a new field of possible application is now opening up.
Last year, the Financial Reporting Council consulted about strengthened risk-reporting requirements for listed companies, which call for deeper analysis and the use of models, scenario analysis and stress testing.
If actuaries become involved in helping companies to comply with the new requirements, the results of our work may provide a useful background for all concerned.