Risk quantification: It’s not just math
The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.
Steve Schlarman, Integrated Risk Management Strategist, Archer
How does risk quantification fit into a long-term risk management strategy?
Given the uncertainty in the market today, assessing risk is not taken lightly or viewed as insignificant. Rather, many business leaders and decision-makers lack the proper tools and capabilities to assess, quantify, and monitor business risk accurately. Without a solid understanding of which risks are most important to the business, decision-makers cannot identify the best course of action, prioritize issues, or steer the business in the right direction through informed decisions.
Risk quantification is NOT about just using math or creating complex statistical models for risk management. The objective of quantifying risk is to make better business decisions. Risk quantification creates a more accurate picture of risk, informing the business and meeting the main goal of risk management – mitigating risk and addressing the constraints that hinder the business goals that grow corporate and shareholder value.
Enterprise risk management has been part of organizations for years in some manner, and in some cases organizations have created substantial approaches. However, most of those programs are built on qualitative analysis approaches. While those methods may start the conversation, a purely qualitative approach falls short on the tough questions being asked around the boardroom table. Risk quantification allows risk teams to utilize the data and experience they already have in new and exciting ways. Risk can be analyzed, aggregated, and visualized in ways that speak to the business. Risk teams can go from simply ‘reporting risk’ to actually ‘communicating risk’ through the power of quantification.
What methods can be used to get moving in the right direction and bring value to the business through risk management?
Risk management contains many elements – from engaging business operations to understand potential risks to analysing those risks and then presenting information to support decision-making. Risk management should be an advisory function that provides input for the business to consider while making decisions at both the tactical and strategic level. At the heart of that decision-making input is providing the right analysis that gives actual business insights – not just identifying possible areas of exposure.
Risk analysis could be just simple, qualitative, rational thinking; it could be in-depth statistics; or it could be anything in between. Risk analysis should be the quickest, the most believable, and the most defensible way to help guide decision-making in solving problems. Risk quantification represents the next phase in driving greater precision and meaning in discussions risk management teams have with their business partners.
Unfortunately, many risk managers may recoil at the thought of implementing quantitative statistical or probabilistic methods for a variety of reasons. But they are closer than they think to adding risk quantification to their toolset:
- Most organizations have implemented multiple processes to gather risk and compliance data, such as risk assessments, business impact analyses, and compliance reviews. Additionally, many organizations track some type of losses related to business operations. These processes provide tactical views into the state of risk and controls in your environment – but they can be leveraged for so much more. These processes provide enough of a basis to formulate basic inputs into quantitative models such as the success rate of certain controls, possible loss categories and impacts or frequency of incident types.
- Quantitative approaches are really about being able to say the thing that you mean. At a very simple level, risk quantification enables probability and impact – traditional inputs to the risk equation – to be expressed in increasingly precise measures. Risk quantification enables you to use the same qualitative measures – likelihood and impact – as you are today, with added expression of what you think AND the full benefits of quantification. Understanding the mechanics and principles of risk quantification is a key risk management skill to have within your organization.
- Transitioning existing heat map approaches with qualitative estimates for impact and likelihood to quantitative methods is not a large leap. For organizations that are just beginning to formalize risk analysis, starting out with simple quantitative methods is a shortcut to a better, more informed view of risk. Why take the long way around? Begin where it makes sense, then grow and learn from there.
How can we improve communicating risk to leadership? What practical approaches can be used?
Get leadership support: Risk is a topic that many executives discuss quite frequently. It is important to understand the gaps in the conversation and prepare executives for a shift in how risk is measured and communicated. A short review of current practices should look at what data typically is available and the past structure of risk reporting. Focus should be placed on gaps or inconsistencies.
Start simple: A critical component of bringing risk analysis to an organization is to train the analysts in risk modeling. Sufficient time should be allowed for exercises and problems that are designed to reflect the types of problems the business faces. Analysis of bounded, simple examples allows everyone involved to gain experience of their respective roles, and to learn some lessons on how risk analysis can be structured to work for the organization.
Seek to answer some basic questions first:
- Work out the risk-based questions with senior management
- Figure out what relevant data you have
- Develop and get agreement on a plan of how to respond to the questions
- Build a model and populate with uncertain estimates
- Run simulations (preferably with different possible options) and produce the risk analysis result
- Present results to senior management, get feedback
- Collate comments, recommendations and lessons learned
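The "build a model, populate with uncertain estimates, run simulations with different options" steps above can be sketched as a small Monte Carlo model. This is an added example, not part of the original article; every figure in it (attack attempts per year, control success rates, the 90% loss range, the $1M threshold) is a constructed assumption standing in for an organization's own loss and assessment data.

```python
import math
import random
import statistics

def lognormal_params(low, high):
    """Fit lognormal (mu, sigma) so that [low, high] is the 90% interval."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * 1.645)
    return mu, sigma

def simulate_annual_loss(attempts_per_year, control_success, loss_low, loss_high,
                         trials=20000, threshold=1_000_000, seed=1):
    """Simulate total yearly loss; return mean, 95th percentile, P(loss > threshold)."""
    rng = random.Random(seed)          # fixed seed so results are reproducible
    mu, sigma = lognormal_params(loss_low, loss_high)
    totals = []
    for _ in range(trials):
        total = 0.0
        t = rng.expovariate(attempts_per_year)
        while t < 1.0:                 # Poisson arrivals within one year
            if rng.random() >= control_success:   # the control failed this time
                total += rng.lognormvariate(mu, sigma)
            t += rng.expovariate(attempts_per_year)
        totals.append(total)
    totals.sort()
    return {
        "mean": statistics.fmean(totals),
        "p95": totals[int(0.95 * trials)],
        "p_exceed": sum(x > threshold for x in totals) / trials,
    }

# Constructed options: the same threat, two levels of control effectiveness.
OPTIONS = {"current control": 0.50, "improved control": 0.80}

def compare_options():
    """Run the model once per option: 4 attempts/year, loss 90% range $20k-$500k."""
    return {name: simulate_annual_loss(4, rate, 20_000, 500_000)
            for name, rate in OPTIONS.items()}

if __name__ == "__main__":
    for name, r in compare_options().items():
        print(f"{name}: mean ${r['mean']:,.0f}  p95 ${r['p95']:,.0f}  "
              f"P(>$1M) {r['p_exceed']:.1%}")
```

The difference in mean loss and in the probability of exceeding the threshold between the two options is the figure to weigh against the cost of the improved control when presenting to senior management.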
Quantitative risk analysis is acknowledged by many authorities on risk management as a valuable tool for any type of business, if it is well-organized and adopted throughout your organization. It is not complex and can be incorporated into a business’s current methods with little difficulty. With moderate investment in time and money, risk quantification will provide substantial value to your organization through effective communication and efficient management of risk.
Steve will be speaking at our upcoming Operational Risk Management USA Congress, taking place on October 12-13 at Etc Venues Lexington.