Achieving Corporate Goals and Resilience through Risk Management
21st June 2016
This article was written by Edward Sankey, Director at Larocourt Risk and Past Chairman at the Institute of Operational Risk. Edward is a contributor to The Risk Management Handbook.
Significant development is taking place in risk management. It is leading to organisational improvements, advising management on corporate issues, and supporting major initiatives. It also makes risk management a very interesting discipline to work in.
Best practice is increasing the focus on resilience against severe events, interconnected risk events, and “a very bad quarter”, adding to the traditional ground of limiting the occurrence and damage of risk events.
Applicable in all organisations, the distinctive feature of Operational Risk Management is to:
• extend systematic risk management
• integrate risk evaluations
• assess the aggregated risk exposure of the organisation.
These estimates relate not only to single occurrences but, importantly, to losses over a period of time (typically a year) and, in order to know the potential for severe and extreme events, to one-in-twenty or one-in-fifty-year outcomes for losses. (Banking and insurance regulators require such exposure assessments of individual or aggregate losses at levels that are very much less probable but very much more damaging.)
These developments have led to significant advances in quantitative techniques, especially for:
• addressing the potential for extreme losses
• assessing interconnected risks
• aggregating exposures.
This is bringing information and advice to Boards and Directors about issues of corporate concern, for their decision. This is in addition to the usual information about balancing the expenditure on controls with the potential losses, and optimising between the various risks.
Importantly, a focus on the potential for major losses is a tool for anticipating important emerging risks. For example, cyber attacks are now at a much higher level of aggression, and systematic assessment of potential attacks improves the preparedness, responses and resilience of corporate and business units. It ensures the resources to limit the exposures are adequate and used to greatest long-standing effect.
As illustrated above, integration and aggregation give new impetus to risk strategy and appetite (tolerance, as some prefer). The ability of the Board to define limits to exposures for different types of risk is greatly enhanced by the better understanding of the total risk portfolio and the potential for some risks to create major losses. In turn, the enhanced statement of risk strategy and appetite provides the means to re-optimise controls, whilst the standards against which to monitor changing exposures of important risks influence the review of corporate aims.
Many disciplines say their activity needs to be controlled by the CEO! Risk is developing as a discipline that demonstrates direct worth to the directors at all times. Through the important messages it can now deliver, it is becoming required information for CEOs and directors.