Precis: Risk comes in many different forms. Understanding the basic types can help your organisation deal with challenges more effectively. However, charting risk is not enough. Sometimes you have to change direction to avoid the reefs. If you are stuck in one, spending time working out how to avoid the reef is wasted time.
Successful policy makers and entrepreneurs have one thing in common - they are alert to risk, and understand how it comes wrapped. They are prepared, where necessary, to adapt.
Concepts
Risk
- Since ISO 31000-2009 (the world standard on risk management), risk is now understood to include both the "chance or probability of risk" and "the effect of uncertainty on objectives".
Risk Management
- ISO 31000-2009 provides basic guidelines for establishing whole-of-enterprise risk management processes.
Risk may be managed through a number of strategies, including risk avoidance, sharing, financing, retention, acceptance or mitigation. These management strategies may include clear risk management statements, formalising risk management processes, structuring framework processes and continuous improvement.
- ISO 31000-2009 provides a preferential list on managing risk:
1. Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
2. Accepting or increasing the risk in order to pursue an opportunity
3. Removing the risk source
4. Changing the likelihood
5. Changing the consequences
6. Sharing the risk with another party or parties (including contracts and risk financing)
7. Retaining the risk by informed decision
- While this list provides a sensible basic and generic framework for dealing with some types of risk, it does not assist with certain types of events (where the early adoption of risk policy may provide a more resilient approach).
Systemic Risk
- In a particular market, the risk of the entire market (rather than a single entity) collapsing.
- Collapse can be precipitated by inherent instability in the inter-linkages and interdependencies of entities within the entire market.
- Policy intervention here is designed to add resilience to the entire market, but has the propensity to worsen the initial problem, come too late or be seen as partial.
Eg: Collapse of part of a supply chain may quickly impact on all parts of the chain. Loss of confidence in a bank or insurance company may spread to failures in all parts of the market as consumers and stakeholders lose confidence. Policy intervention may seek to dampen the effect of runs, increase the resilience of the entire system, and remove root causes for failure (prudential regulation). Because of the lag in intervention, it often happens after the event, and may hinder redevelopment of the market.
- The term is most commonly found in economic descriptions of the financial market.
Systematic Risk
- In a particular market, vulnerability to shock (from weather events, government activity – fiscal, monetary or regulatory – or economic downturn) which affects aggregate outcomes across a market (loss of assets, capability or market share).
- The term is used in finance and economics, and is used in investment analysis (eg, when attempting to assess the trade-off between low risk activities and high risk activities, which is reflected in increased rates of return for higher risk activities).
Eg: Credit squeezes may place financial stress across all financial institutions.
- Where a shock may decrease aggregate outcomes in one area but increase them in another, trades between the two may dampen the impact of the shock (hence the attraction of futures trading, insurance market setoffs and hedge funds).
- The term, as used in finance and economics, is equivalent to aggregate risk, market risk or undiversifiable risk.
Idiosyncratic Risk
- In a particular market, idiosyncratic risk is the vulnerability to shock peculiar to a specific entity (internal fraud, failure of governance, poor management, poor employees) to the prejudice of the entity's outcomes (loss of assets, capability or market share).
- Sometimes, idiosyncratic risk can be reduced by diversification (to avoid some classes of risk, but inviting exposure to different risk).
Eg: Malfeasance within a company might lead to the collapse or poor performance of the company.
- The term is used in finance and economics and is equivalent to specific risk, unsystematic risk, residual risk or diversifiable risk.
Individually, these descriptors and associated tools have been developed for specific uses by market analysts and policy makers (specifically for portfolio construction or market regulation). Taken individually they do not provide a satisfactory approach to risk.
Risk Policy Approach
A risk policy approach requires a cultural shift. The early identification of vulnerabilities moves, through problem solving (including use of ISO 31000), to strategies to deal with the vulnerability.
New enterprises may adopt at inception – existing enterprises may adapt through gap analysis and refocussing objectives.
Risk policy – identifying vulnerabilities
Every enterprise is exposed to the three types of risk described above. In addition, managers need to be aware of what catastrophic failure looks like and have a plan for dealing with it early.
For example, a car parts manufacturer, dependent on a component industry specific to local car manufacturers, is exposed to:
- Systemic risk (event -> the car industry moves off shore)
- Systematic risk (event -> an economic downturn)
- Idiosyncratic risk (event -> fraud within the business)
- Catastrophic failure (event -> business on point of trading insolvent)
Risk policy – protecting vulnerabilities
Managers need to be able to distinguish between these classes and identify strategies to deal with probable outcomes. There is no one strategy that applies in every situation – managers need to be adaptive: while analysis may benefit from market-based considerations, it must be enterprise specific.
At first blush, it might appear that the first two types of risk are outside the control of an enterprise, and can be ignored. Dealing with these risk types can be challenging, but the risks cannot be ignored. The process of problem solving can be cathartic – problem solving can lead to identifying new opportunities.
Examples of adaptive approaches, in relation to the risks in the example above, are:
- Systemic risk (strategy -> follow the car industry off shore)
- Systematic risk (strategy -> diversify into other component markets)
- Idiosyncratic risk (strategy -> effective prudential governance – utilising ISO 31000)
- Catastrophic failure (strategy -> wind up company)
Risk Policy - Early adoption
It is often too late to deal with a risk event once it is in progress. In the manufacturing example given, if the company is unwilling to move offshore, is only capable of producing one product and places its financial management in the hands of a single bookkeeper, it will have difficulty adapting to the risk. However, it may be that the company deliberately adopted that narrow approach to generate good returns. In that case, when the risks materialise, it may be prepared to wind up at the earliest possible time to avoid further loss.
Adaptive risk policies attempt to actively understand global business opportunities and be ready to diversify. These enterprises are more resilient to risk. How the enterprise is prepared to adapt will differ from enterprise to enterprise – generally small local businesses (a hairdressing salon or a local insurance broker) don't attempt such an approach. Within medium and larger scale businesses, common risks may generate similar risk strategies.
Risk policy starts at the top and influences all formative decisions about the shape and stance of an enterprise. In mid or larger sized enterprises, specialists (managerial and financial) may be necessary to assist the identification and response to risk types. These are best able to contribute to this process where they understand the business as well as the broader business and economic context. They must be able to develop effective levels of prudential management to meet the third type of risk – without themselves contributing to the risk.
- Systemic risk (policy -> a global focus – from silos to related/connected entities)
- Systematic risk (policy -> internal and external networks focussing on stakeholders/causalities)
- Idiosyncratic risk (policy -> effective structures, authority, support and audit)
- Catastrophic failure (strategy -> monitoring of key indicators)