By Bryan Richardson
Multiple risk impacts in succession can end a firm, so ERM programs should flag them.
Some companies aren’t minding their risks properly. In a recent survey of The NeuGroup’s Corporate ERM Group, half of the respondents indicated they have not done any studies on risk correlation and nearly two-thirds indicated they do not include risk correlation as part of their risk assessment process or their risk training. Yet, according to one member of the group, “risk correlation is what ERM is all about. Multiple events are what bring companies down.”
Keep it simple
The tendency to avoid something so fundamental to enterprise risk management is probably due to risk managers getting too hung up on trying to quantify exactly the correlation or cause and effect between each and every risk to which their firm is exposed. Instead, risk correlation analysis is best begun simplistically with consideration of just two variables, namely the two “P’s.” That means the approach should be “practical” and “pragmatic.”
Ask yourself this question: Does the approach to risk correlation we are contemplating help us make better risk decisions for the company?
One simple way to answer this question is to start with a correlation table where risk owners identify where they see correlations at all between risks they have identified (see sample below). This process offers a quick and clear visual aid for identifying where correlations exist. From there, the owners of these risks can interact to determine their net impact, and whether it is more likely to be a net positive or negative to the firm’s risk portfolio.
Another tip is to avoid the term “correlation” altogether.
“Correlation implies precision,” noted one ERM manager, “so think in terms of dynamic interactions instead.”
Yet another way to look at risk correlation is to think of the proverbial falling dominos: if one falls then a chain reaction ensues. The main problem with the domino visualization, however, is that the sequence of the dominos falling may not be as linear as one might think.
Treasury likely involved
Most enterprise level risks will intersect with funding or liquidity risks to some extent. For instance, BP could assess the questions: Do we have access to the funds needed to clean up an oil spill and pay all claims if one of our drill platforms explodes and leaks major amounts of oil into the Gulf of Mexico? Will the reputational damage to our market standing impede our ability to access funds in the timely fashion we are accustomed to?
It follows, then, that treasury as a risk owner for these will have a role to play in assessing the dynamic interaction or correlation between its risks and many, if not most of the enterprise-level risks of the business.
Risk models still have value
“Models are a favorite whipping boy these days,” said another member of the ERM Group, in light of the failure during the financial crisis of a wide range of models. However, many proponents believe that models still have merit not just for measuring individual risks but their portfolio effects and include them in their correlation activities.
One of the more commonly used models is Value at Risk (VaR) which is generally confined to financial risks and used to measure the risk and range of expected outcomes within a portfolio of risks. VaR is helpful to treasury risk managers, for example, in identifying risk factors and their contribution to total risk, as well as natural hedges, and the resulting true, or net risk that needs hedging.
Another check on models is the quality and quantity of the data. One risk manager noted that his firm will contemplate modeling risk and correlation only “if we have a decent time series of data.”
Still, models have their limits and shouldn’t be relied upon in a vacuum.
In addition to modeling, many risk managers turn to scenario analysis, where various scenarios can be thought through for likelihood, severity, implications and triggers. Walking through scenarios, and conducting thought experiments with them, can help risk managers to see dynamic interactions between risks.
Using hypothetical “what if” scenarios or real life events as proxies is a good starting place (e.g., what happens if an oil rig blows up creating an unstoppable oil leak in the bottom of the ocean?). One member cautioned that when doing scenario analysis make sure you avoid the “precision pitfall” where you drop below the enterprise risk level and get bogged down in too much detail and specificity. The key is to identify which risks matter in a particular risk scenario.
Risk managers should also use good judgment to balance the plausible with the need to stress-test their risks to death.
With so much awareness raised about “black swan” events in response to the financial crisis, everyone is inclined to see enhanced probabilities in the tails of outcome distributions. However, certain adverse scenarios may also be too academic to contemplate seriously.
For example, at a recent meeting of bank treasurers, some noted a refusal to address anything other than short-term liquidity scenarios where it is presumed that access to the Fed is gone. At some point, such as when the monetary system has collapsed, people have larger concerns than their firm’s survival.
Not to be overlooked, too, are the risk mitigation efforts that may be put in place. Dynamic interactions of risk are often impacted by mitigation efforts, not exclusive to financial hedges. Furthermore, if risk managers take the time to think through risk interactions across their major risks, they may come up with better mitigation strategies than if they were to mitigate each potential risk impact on an individual basis.
Scenario analysis, including the dynamic interactions of risk, also should tie back into business planning processes. For example, some firms create or utilize pre-packaged scenarios (such as the economic scenarios offered by Moody’s) for both risk management and strategic planning to ensure that the two are in sync and that risk managers and planners are working on the problem of how the various components of their firm’s business interact under different circumstances.
Components of a risk report
Again, since risk correlations are so fundamental to enterprise risk management they should not be forgotten in risk reporting—even to senior management.
As an example, a member of The NeuGroup’s Corporate ERM Group shared with the components of his report on top risks to senior management. It includes:
- Risk: Identify the specific risk
- Risk Owner: Identify who owns the risk
- Assessment: Describe the current status of the risk
- Monitoring/Key Risk Indicators/Trends: Describe those variables at play regarding the risk and how they are changing
- Mitigation: Describe what, if anything, is being done to manage the risk and determine if you should report risk in its gross, or unmitigated form or in mitigated form which may be less severe
- Correlated Risks: Describe the other risks that will be impacted
- Risk Plot: Visually depict the severity, probability and trend of the risk on a graph.
Don’t Forget the Thinking Caps
Models and scenario analysis are helpful in doing correlation analysis, but neither brings any value without applying general business acumen to the outcomes.
“Just as your resting heart rate may give clues to your health but not predict whether you’ll suffer a heart attack if chased by a hungry lion, risk management needs to be cognizant of analytical limitations.” (see “WIll Treasury Fail to Learn Lessons of ‘62?” IT, April 2010)
There is significant value added to risk correlation from the business judgment, observations and experiences of risk owners, ERM teams and audit committee members. Quantitative metrics tend to have more credibility but these qualitative contributors to risk correlation should not be underestimated.
Indeed, just over half of The NeuGroup’s ERM members indicated that efforts at risk correlation are based 75 percent or more on qualitative input, while 21 percent indicated input is evenly split between quantitative and qualitative data. The remaining member companies have yet to tackle risk correlation exercises.
If qualitative assessments of risk correlation are seen as a proxy for use of judgment and experience, then these ERM programs appear to be on the right track.