In the risk assessment step the enterprise identifies the critical risks to strategy, it analyses and evaluates these critical risks and it prioritizes the critical risks. Risk assessment has been the traditional focus of many risk managers for decades. However, in ERM critical risks include all risks whether operational, competitive, financial, regulatory or from other sources. Finally both positive and negative risks are considered in the context of their criticality as it could affect the strategy.

2.2 BRIEF OVERVIEW OF CINDYNICS

Georges-Yves Kervern

Formerly Ancien Élève de l'Ecole Polytechnique, and founder of Cindynics

Jean-Paul Louisot

Formerly Université Paris 1 Panthéon-Sorbonne, Directeur pédagogique du CARM Institute, Paris, France

One of the major difficulties for a risk manager is not only to identify and quantify the emerging risks, the known-unknowns, but also to imagine those that are not yet emerging, the unknown-unknowns. For that brainstorming exercise there is no relying on past events, on data bank and mathematical models that have no basis to be developed. Even systems safety approaches fall short of a total vision as they incorporate human elements as components of the system with their own rate of failure, but fail to really take account of what is now known as the “human factor”. The human element is part of the system, but he acts also to modify it for his benefit. Understanding everyone's motivation and point of view is essential to foresee what may contribute to future risks, opportunities and threats.

It is with this objective in view that some French scientists and executives, led by Georges-Yves Kervern, developed a new approach to foreseeing, rather than forecasting, future developments when they imagined the “hyperspace of danger” and founded what they called Cindynics.

Since the early 1990s, a group of practitioners gathered around Jean-Luc Wybo, a professor at the École Nationale Supérieure des Mines de Paris, to develop practical examples of using Cindynics to understand past complex events and project their findings for future action and decision making. Their application included “Explosion”, for example, the explosion at the AZF factory on September 22, 2001 in France; “Pollution”, like that on the beaches of Brittany, “Social Unrest” events, as occurred in the suburbs in France, to name but a few.

Some trace the first step in Cindynics⁶ to the earthquake in Lisbon. Science starts where beliefs fade. The earthquake in Lisbon in 1755 was the source of one of the most famous polemic battles between Voltaire and Jean-Jacques Rousseau. The main result was the affirmation that mankind was to refuse fate. This is reflected in Bernstein's⁷ comment “Risk is not a fate but a choice.”

In a way, the Lisbon episode may well be the first public manifestation of what is essential in managing risks: a clear refusal of passively accepting “fate”, a definite will to actively forge the future through domesticating probabilities, thus reducing the field of uncertainty.

However, since the financial crisis of 2008, black swans or fat tails represent a major challenge to all professionals in charge of the management of organization. Clearly, the traditional approaches to identifying and quantifying uncertainties based on probability or trend analysis are at a loss in a world that changes fast and may be subject to unexpected, and sometimes unsuspected ruptures.

As a matter of fact, these “dangerous or hazardous” situations can develop into opportunities or threats depending on how the leadership can anticipate them and exploit them for the benefit of their organization, and its growth in a resilient society.

Human factors are a key factor in the anticipation and development of such situations. Although it is essential that decision-makers learn to make decisions under uncertainty, it is far from sufficient to prepare for the black swans. Furthermore, system safety approaches that consider the human component as a physical element fall short of taking into account the fact that humans are part of a complex system that they influence and try to change to their benefit; and the system can be affected and modified even through a simple act of observation.

In such a volatile situation, the concepts developed as early as the late 1980s could prove very valuable if properly used and translated into practical tools, even though they may appear at first to be too conceptual for practical application. As a matter of fact the concepts of “Cindynic situation” and “hyperspace of danger” allow for the identification of divergences between groups of stakeholders in a given situation and thus allow for the anticipation of “major uncertainties” and to be able to work on them to reduce their likelihood and/or their negative consequences (threats) while enhancing the positive consequences (opportunities).

This scientific approach to perils and hazards was initiated in December 1987 when a conference was called at the UNESCO Palace. The name “Cindynics” was coined from the Greek word “kindunos”, meaning hazard. Many industrial sectors were in a state of shock after major catastrophes like Chernobyl, Bhopal, and Challenger. They offered an open field for experience and feedback looping. Since then, Cindynics continues to grow through teaching in many universities in France and abroad. The focal point is a conference organized every other year. Many efforts have been concentrated on axiology and attempts at objective measures. Before his death in December 2008, Professor Georges-Yves Kervern reviewed the presentation that follows (see bibliography) in the light of the most recent developments in Cindynics through the various Conferences, until September 2008.

2.2.1 Basic Concepts

The first concept, situation requires a formal definition. This in turn can be understood only in the light of what constitutes a peril and hazards study. According to the modern theory of description, a hazardous situation (Cindynic situation) can be defined only if:

The field of “hazards study” is clearly identified by

• Limits in time (life span).
• Limits in space (boundaries).
• Limits of the actors' networks involved.

The perspective of the observer studying the system. At this stage of the development of the sciences of hazards, the perspective can follow five main dimensions.

• First dimension: Memory, history – Statistics (the space of statistics)

  This consists of all the information contained in the data banks of the large institutions, feedback from experience (Electricity of France power plants, Air France flights incidents, forest fires monitored by the Sophia Antipolis Centre of the École des Mines de Paris, claims data gathered by insurers and reinsurers).

• Second dimension: Representations and models drawn from facts – Epistemic (the space of models)

  This is the scientific body of knowledge that allows for the computation of possible effects using physical and chemical principles, material resistance, propagation, contagion, explosion and geo-Cindynic principles (inundation, volcanic eruptions, earthquake, landslide, tornadoes and hurricane, for example).

• Third dimension: Goals and objectives – Teleological (the space of goals)

  This requires a precise definition by all the actors, and networks involved in the Cindynic situation of their reasons for living, acting and working.

  In truth, it is an arduous and tiresome task to express clearly why we act as we act, what motivates us. However, it is only too easy to identify an organization that “went overboard” only because it lacked a clearly defined target. For example, there are two common objectives for risk management “survival” and “continuity of customer (public) service”. These two objectives lead to a fundamentally different Cindynic attitude. The organization, or its environment, will have to harmonize these two conflicting goals. It is what we call “social transaction”, which is hopefully democratically solved.

• Fourth dimension: Norms, laws, rules, standards, deontology, compulsory or voluntary, controls, etc. – Deontological (the space of rules)

  This includes all the normative sets of rules that make life possible in a given society. For example, the need for a highway code was felt as soon as there were too many automobiles to make it possible to rely on courtesy of each individual driver: the code is compulsory and makes driving on the road reasonably safe and predictable. The rules for behaving in society, like how to use a knife or a fork when eating, are aimed at reducing the risk of injuring one's neighbor as well as a way to identify social origins.

  On the other hand, there are situations in which the codification is not yet clarified. For example, skiers on the same track may be of widely different expertise thus endangering each other. In addition some use equipment not necessarily compatible with the safety of others (cross country skis and snowboards, etc.). How to conduct a serious analysis of accidents on skiing domains? Should experience-drawn codes be enforced? How can rules be defined if objectives are not clearly defined beforehand? Should we promote personal safety or freedom of experimentation?

• Fifth dimension: Value systems – Axiological (the space of values)

  It is the set of fundamental objectives and values shared by a group of individuals or other collective actors involved in a Cindynic situation.

  As an illustration, when the forefathers declared that “the motherland is in danger”, the word motherland, or “patria” (hence the word patriot), meant the shared heritage that, after scrutiny, can be best summarized in the fundamental values shared. The integrity of this set of values may lead the population to accept heavy sacrifices. When the media use the word apocalyptic or catastrophic, they often mean a situation in which our value system is at stake.

These five dimensions, or spaces, can be represented on a five-axis diagram and Figure 2.1 is a representation of the “hyperspace of danger”.

In combining these five dimensions in a different way – these five spaces – one can identify some traditional fields of study and research.

Combining facts (statistics) and models gives the feedback loop so crucial to most large corporations' risk managers.

Combining objectives, norms and values leads to practical ethics. Social workers have identified authority functions in this domain. These functions are funded on values that frame the objectives and define norms that they enforce hereafter. If there is no source of authority to enforce the norms, daily minor breaches will soon lead to major breaches and soon the land will dissolve into a primitive jungle.

This new extended framework provides a broader picture that allows visualizing the limitations of the actions too often conducted with a narrow scope. Any hazard study can be efficient only if complete, i.e. extended to all the actors and networks involved in the situation. Then, the analysis must cover all of the five dimensions identified above.

2.3.1 Foreword

The purpose of this article is to zoom in on a subject not really addressed in the RM Standards published worldwide, including ISO 31000; it proposes a practical tool for identifying, analysing and prioritizing the portfolio of exposures, and opportunities, as well as threats that confront any organization that envisions its future.

The “space of exposure” will prove a powerful tool for all embarking in the ERM (Enterprise-wide journey) to help “lift the fog of uncertainties in decision making and implementing” to paraphrase a recurring theme in Felix Kloman's¹² conferences and presentations.

2.3.2 Threats and Opportunities: How to deal with uncertainty in a changing world?

The future is never known with certainty, “Who knows what tomorrow will bring?” but managing organizations means making decisions, enlightened by information drawn from different methods that shed light on the future.

For a long time, men have tried to improve tomorrow by influencing the forces that guide the future, or by offering sacrifices to the gods. It was only at the end of the seventeenth century, that Pascal and Fermat and their successors, including Bernoulli, started developing ways to open the gates to the future by drawing from past and present experiences. Probability and trend analysis were the first approaches to see through the “cloud of unknowing”.¹³

During the last decade of the twentieth century, the development of risk management, resting on more elaborate forecasting models, seems to have focused on only the downside aspect of risk, the threats, and has slowly put aside the upside, usually called “opportunities”. Confronted with the uncertainties of the future, organizations are rediscovering that “threats” and “opportunities” – the yin and the yang of risk – represent two sides of the same coin.

It has never been more important that directors and officers, as well as investors, remember the basics of economic and financial theories. Risk is inherent to the undertaking of any human endeavor. Indeed, it is the acceptance of a significant level of risk that provides the type of return on investment that is expected by investors. The theory of finance defines the expected rate of return as the sum of two components:

Basic return, of the risk less investment (usually measured by the US treasury bond rate of similar maturity); and

The risk premium, i.e. an additional return that the investor deserves for having accepted a higher volatility of profit, to enhance some societal goal, like improved technology, a new drug, etc.

Of course, all volatilities are not “equal”. Traditionally, scientific authors distinguish between probabilistic future (risk) and non-probabilistic future (hazard).

Most of the time, deciders are in the first situation (risk) when they have enough reliable data to compute law of probability or draw a trend line for future events and can define confidence intervals, i.e. limits between the likely and the unlikely future. For example, in analysing past economic conditions, it should be possible to have a reasonable idea of the numbers of cars to be sold in the EU, in the US or in Australia. The booming and recent Chinese market may not lend itself easily to this type of reliable trending. While an automobile company can predict with a fair degree of precision its mature market, forecasts are far more volatile in emerging markets. Therefore, there is a higher risk to market cars in emerging markets, but the reward may be much higher in case of success.

On the other hand, when launching a new model, especially if some defects are revealed in the first year of sales, it is much more difficult to justify the investments if reliable forecasts can prove the existing models will be profitable. Banks have experienced a similar situation when they embarked on the management of operational risks to comply with the new Basel II¹⁴ requirements. When no data bank is at hand, experts' opinions will have to be formalized using a Bayesians network¹⁵ approach and scenarios.

As a matter of fact the above examples might be considered as incorrect for looking only at the negative side of risks. However, operational risks are also a significant opportunity for competitive advantage for the banks that invest more than others in this endeavor. Not only are banks likely to “save” on internal funds, they may even gain expertise that could benefit their clients in the longer term.

A current trend in risk-management is to minimize risk silos in order to reach a real global optimization of the management of risk, taking into account for each unit, each process, each project both threats and opportunities. The organization is analysed as a portfolio of risks with an upside and downside that must be optimized, much as an investor would optimize a personal portfolio of shares.

In practice, this integration of all risks is achieved more easily for the financial consequences at the risk financing level. More and more economic actors consider their risk financing exercise as part of their overall long-term financial strategy. However, it is possible to integrate risk assessment and loss control provided all in charge (at whatever level) are included in the risk management process. This integrated approach is now called ERM and within ERM the managers become “risk owners”. The globalization of risk management is ensured through the principle of subsidiarity: the directors and officers should deal only with the exposures that have impact on the strategy, assured that the risk management process implemented throughout the organization will take care of “minor” threats and seize “tactical” opportunities. That should sound familiar to many in Australia, as this is a fundamental tenet of management guidelines in the Australian/New Zealand Framework (companion to AS/NZ 4360 used in various versions since 1995 and finally replaced since 2009 by the adoption of ISO 31000 under the name AS/NZ 31000:2009).

2.3.3 How to Manage the Risks Derived From Partners' Resources?

Market globalization has generated ever more complex webs that link many organizations worldwide through the externalization process. The large conglomerate has become more and more focused on conception, marketing and assembling parts from all over the world. Many smaller or medium size organizations are only one cog in a very complex supply network.

In most situations, we are confronted with a network of partners rather than a chain, indeed a cloud when the frontiers are not completely defined. This is the reason why procurement risk management has become the backbone of most organizations producing goods and services, while their production relies on an ever-expanding number of outsourced tasks.

Therefore, what “partners' resources” encompass are raw materials, parts, equipment and services as well as distribution networks on which organizations depend on a daily basis for their own operations. These resources can be grouped in three distinct categories:

• Upstream resources: These are purchased by suppliers, service providers and sub-contractors, and delivered to production sites by transporters.
• Lateral resources: These are goods and services provided to clients and that are integrated in complex systems, projects and products, of which your own contribution is part. You may not know them and yet there is a de facto solidarity that links you together. As an illustration you may produce tires that match a given sort of wheel and when the manufacturer goes bankrupt, your client does not need your tires anymore.
• Downstream resources: These are customers or intermediaries, including distribution networks and the transporters that deliver the goods, and financial institutions that guarantee the successful conclusion of transactions.

It is essential to clearly identify all the elements of this class of resources while conducting a risk management assessment as the same principles apply but with a major difference that the three categories have in common: the organization is dependent for its own security on the actions and attitudes that it cannot monitor daily as is the case for the resources under its direct command. In other words, consciously or unconsciously, the organization has “transferred” to a third party an essential part of its risk management activity. Therefore, the crucial question in procurement risk management is to find ways to ensure the organization's overall resilience should one of the “partners' resources” fail to be delivered, in time and to the quality desired.

The basic rule of thumb is not to be too dependent on one given partner, be it a supplier or a customer. Basic common sense applies here: “Don't put all your eggs in the same basket.” Most recommend having at least two or three sources at all time. However, this is not always possible, especially when there is a very advanced technology, patents, or some very specific know-how that can only be obtained from one source. Furthermore, the multiple sources must be balanced against the cost of maintaining several suppliers, with the advantage of them entering a competition to retain the organization's business. Finally, there is increased risk of information leaks if the relationship involves sharing trade secrets of any sort.

Beyond, this basic principle, the same rule applies upstream and downstream, which could be called the “3 Cs” rule.

• Choose – You must choose carefully the partners you want to do business with. First, you must evaluate if the products or services offered meet your needs in quality, quantity and timely delivery. Then you must investigate their financial strength, because a partner that would fail rapidly would be of no use. Furthermore, it is essential to assess their “ethical compatibility” with your own values, specifically those you stress when exchanges with stakeholders take place (one must remember that a major sports good manufacturer went through a difficult period in 1998 during the Football World Cup when it was revealed in the media that a supplier of a supplier was using underpaid, underage children to produce the balls).
• Contract – The quality of risk management throughout the partner's operations must be contractually sealed. It is even more imperative because there is no universally accepted standard so far, contrary to quality. It must provide for your access to site and documentation to ensure that proper risk management is designed and implemented. Also, the contract should resolve ahead of their occurrence any potential conflicts so that the partnership can remain harmonious even through difficult times. For many organizations, too much time is devoted by lawyers to defining the products or services involved in a contract, too little to solving conflicts ahead of time.
• Control – It is essential that staff regularly meet with the organization's partners and be kept informed of developments to make sure they remain the reliable sources its leaders wish to deal with. You must be aware of major changes in their leadership, their ownership, their environment and their strategy.

As far as lateral resources are concerned, unless you are a project leader, which is rarely the case for small or medium size organizations, they are typically partners you have not chosen and you may have no contract with whereas each of them has a contract with the leader. Therefore, the only way to ensure the quality of the risk management is through your common partner, project leader, large firm, etc. In your dealings with the team leader, you should have access to the list of all those involved in the project you share.

Finally, remember that when you transfer risks, you are still socially responsible for the well-being of those who are stakeholders in the overall process. If a member of the team betrays their trust, all the members of the team will suffer. In other terms, risks to reputation are never transferred!

2.3.4 Are There Any “Free” Resources? Taking into Account Externalities

In our global economy, who would dare to claim that there are resources that we do not pay for? Clearly any organization needs both internal and external resources that have been detailed in a previous question. By external we mean those exchanged with the economic partners both up and down stream. These resources are paid for. However, there are also non-transactional exchanges with the environment that are essential for the organization's development, even its survival. These resources received from the environment without direct financial compensation are labeled “free resources” insofar as they do not appear on the organization's accounting documents. However, the term environment is too broad and in each situation should be investigated:

• Physical environment: Comprising air, water and earth.
• Political, legal and social environment: This requires looking at all of the aspects of life conditions and society organization, including cultural differences.
• Competitive environment: This entails looking at all aspects of the current competition, technological breakthrough, and shift in consumers' tastes, but also substitutes for the organization's products and services. Furthermore, one should always analyse the reason for the appeal of our offering; the notion of “magnet site” allows for the investigation of the circumstances outside of our management sphere that are key to our success.

These exchanges represent what economists call “externalities” that are not part of any contractual transaction with economic partners. Remember that these externalities can be positive (society receives a benefit from a private transaction, which is additional to the private transaction), or negative (society incurs a cost additional to the private transaction). It should be noted that the domain of these externalities may vary from country to country; in terms of pollution, the development of codes to protect the environment has forced the “internalization” of the costs of cleaning sites or restricting contaminant releases as private producers have seen some “social costs” transferred to their operation.

It is crucial for any organization planning to diversify or enter new markets in any locale to be aware of its needs for “free resources” as they may not be available in the prospective locations and/or countries involved. More precisely, a very successful SME might well be unaware of the specific circumstances that led to success in its original location that may not be found in the proposed sites, or lost in the case of fusion or acquisition.

The concept can be illustrated with some specific situations keeping in mind that these are only common cases and that each individual organization must conduct a systematic analysis of its circumstances:

• There are industrial processes that use substantial amounts of “cooling water”; the water is released downstream with no chemical or biological pollution, but at a higher temperature than the intake upstream. Have we imagined extreme winters (the river is frozen), summers (a temperature that is too high does not allow for a correct biological exchange or fish cannot survive at the release temperature for lack of oxygen)? In a new proposed location, is there upstream a chemical plant that could release toxics with potential damage to our installation, or a production interruption?
• Throughout the plant, the air must be of a quality compatible with human life and even satisfying local ordinances regarding “workplace conditions”. Is there a neighboring plant that could release a toxic cloud? On the other hand some production processes require the atmosphere to be totally cleaned of any dust. Is it possible that very fine particles would slip through our filters polluting our products (like optical lenses or medical devices)?
• A single historic bridge is the only direct route to a factory. After a minor earthquake, concerns are raised as to its long-term robustness. Local authorities decide to limit its access to trucks of less than 5 metric tonnes. It may be that the new route from a key supplier to the factory is so much longer that delays and costs increases make the plant “uneconomical” with no easy remedy.
• Production in a new country, with substantial gains on wages and salary costs: but is the country politically sound? Is there any threat of nationalization should an opposition party seize power? Will the “social and political” climate remain favorable to foreign investment?
• The precaution principle¹⁴ is now incorporated into the French constitution. It is not yet clear what the consequences will be for the corporation whose domicile or activities are in France. Could it be that innovative products sold in France will in the future come from foreign companies?
• Local cultures may have an impact on the way business is conducted, be it only working hours. When entering a new country, a new province, has the organization questioned its commercial and human resources practices to align them with local customs, even beyond mere compliance to local legislation?
• Do customers come to us because of the superior quality of our products or services or merely for convenience? A retailer in the commercial centre where a national brand hypermarket draws customers should ask himself such a question. But it could be also the case for a restaurant close to an industrial zone from which he draws most of his clientele; what would happen if the industrials chose to establish a restaurant for their workforce?

2.3.5 What Do We Mean by Peril or Hazard?

An organization has been defined as a portfolio of risks or exposures, i.e. threats and opportunities. Each exposure is defined by three dimensions – resource at risk, peril or hazard and impact. Thus the peril is the second of these parameters.

Some define a peril as that which gives rise to a loss whereas a hazard would be that which influences the operation of the peril, i.e. fire would be a peril, a house that could burn a hazard. For others the peril is commonly defined as the cause of loss, whereas the hazard is commonly defined as a condition that creates or increases the chance that a peril will occur.

Here for management purposes, a “peril” is an event that may or may not happen, the occurrence of which would change in a drastic manner the level of one of the organization's resources: for the downside, the resource would be destroyed partially or totally, permanently or temporarily, for the upside a sudden increase of the resource would become available. In most organizations, for risk management purposes, only the downside impact would be assessed.

The two dimension vector, resource/peril, identifies the exposure, and is the foundation for the analysis phase that investigates the impact, quantifying the financial or other consequences, without any consideration for reduction methods.

“Known” perils are qualified with a probability measured through experimental probability drawn from historical data and/or mathematical models. In other cases, the “known unknown”, only a qualitative approach will be possible for lack of reliable data as in the case of emerging risks and even more so for the “unknown unknown” fat tails or a black swan event. Under such circumstances a qualitative scale (exceptional, rare, infrequent, or frequent) could prove useful, provided the group in charge of evaluating the probabilities has a common definition for these terms (once a decade, once a year, twice a year, once a month, etc.).

Many phenomena follow normal distributions (bell-shaped curves) which are completely defined by two parameters:

• Mean or “average”, e.g. hurricanes will hit Florida 4 times a year on average.
• Standard deviation, which allows to define a confidence interval (i.e. the lower and higher level of a given phenomenon, if the standard deviation is 1, the confidence interval at 68% is that there will be between 3 and 5 hurricanes hitting Florida next year, 95% between 2 and 6, and more than 99% between 1 and 7).

For instance, from historical evidence, it is “practically” certain that Florida will be hit by at least one hurricane every year and no more than seven.

For phenomena more easily controlled than natural events, for example, the number of accidents per year in a given large fleet of vehicles, or the number of fires in plants of large multinational firms with over 2,000 sites worldwide, the occurrence of a number of events significantly outside of the confidence interval is valuable information for a long-term number of losses forecast. Depending on the sign of the deviation, improvement or deterioration, the situation will call for an explanation of this evaluation; a check on the deep-root causes.

When the peril lends itself to a quantitative probability distribution, the uncertain future is deemed “probabilistic”; in other cases it is called “non-probabilistic”. This distinction is essential as the tools available to make decisions for an uncertain future rely heavily on the quality and the risk diagnostic is aimed at improving information to make “sound” decisions.

In any case, the probability distribution of occurrence coupled with the probability distribution of impact or severity is the key to rational decision making as it allows for justifying the investments or recurring costs of proposed loss control measures as well as the premium quote by insurers.

It should be stressed that for extremely infrequent events, the average number of occurrences “in the long run” (law of large numbers), has not much meaning for the decider. In these situations, the decision will be based mostly on the impact level, the severity, and consists in reducing the probability of occurrence below a level that will be deemed acceptable by the major stakeholders. For example, when the officers in an organization managing nuclear power plants make a decision on “nuclear risks” they will assess the likelihood of a major accident occurring “tomorrow” rather than on the average cost in the long run, meaning 1 or 10 million years! They must take into account the level of probability above which the population would no longer be prepared to live close to one of their plants.

The nature of the peril will dictate the type of loss control measures that could be implemented. For instance, in the case of a vehicle fleet, if the peril is “drivers' skills”, the remedy will call for training the drivers to modify their attitude behind the wheel – i.e. defensive driving.

2.3.6 Is It Possible to Develop an Efficient Classification for Perils and Hazards?

There are many ways to classify the events that may occur to alter the state of affairs on which an organization formed its strategic decisions. Some would look at the causes, others at the consequences. An analogy that is useful to consider here is the knot of the bow tie rather than the two wings. The classification proposed has no scientific pretension; rather it focuses on providing the risk management professional with a first approach to what loss control instruments might prove appropriate to mitigate the exposure at hand. Perils and hazards are classified under two criteria:

Where the hazard or peril originates

• Endogenous: The origin is found within the organization itself, i.e. within the perimeter it controls (be it physical or procedural). For example, it can be a fire in the premises or an employee going around procedure to wire money to an offshore account. The solution must be found within the organization, and prevention will be often the best approach.
• Exogenous: The origin is found outside of the organization, i.e. outside the perimeter it controls (be it physical or procedural). For example: a strike in a nearby facility, with employees occupying the premises thus preventing access of own employees to the building; a long haul drivers' strike; water pollution due to a chemical spill preventing a brewery from continuing its production. The solution must be initiated by third parties if the probability is to be reduced. Internally, “Plan B” will be the key to loss control, from business continuity planning to disaster recovery and including strategic redeployment planning in the worst-case scenario.

1    THE NATURE OF THE HAZARD OR PERIL

• Economical: The event would be a dramatic change in an economic parameter in the organization's environment creating an unexpected opportunity or a substantial threat. It could be the bankruptcy of a major global competitor opening new markets, a change in the currency exchange rate affecting long-term prospects, a change in consumers' tastes …to name but a few. Clearly, forecasts and attentive global economy monitoring are keys to efficient reaction.
• Natural: It would typically take what some insurance policies call an “act of God”, for example, a hurricane, earthquake, flood or tsunami, not to speak of global warming: too vague a term to be split into its different consequences to be treated. Clearly, prevention is not an option as there is no way to “prevent” a volcano from erupting or a hurricane from forming. That does not mean that a study of data and some scientific evidence would not help in choosing more suited sites and better prepare for what might happen someday. Therefore, pre-event and post-event loss reduction measures are going to be the appropriate mitigation routes. One reminder with natural disaster: the key to choosing the proper investment can be found in a phrase that summarizes the sequence TAI or “Threat, Alert, Impact”. The longer the time elapse between the elevation of the degree of probability (Threat) and the actual strike (Impact) the easier it will be to prepare when the event becomes very likely, which means that investment on loss reduction measures can be channelled to high velocity risks where action prior to any development is essential (compare an earthquake with a flood near the mouth of a river).
• Industrial: These are all the events that result from the overall human economic activity, without the direct implication of human elements in the actual scenario. It could be fire, water damages (other than flood), machinery breakdown, etc. In other terms those are typically non-systematic risks for which the insurance industry is well equipped, both in terms of financial risk sharing and in loss control. Insurance companies have developed a robust experience in dealing with insurable risks like fire and explosion, machinery breakdown, etc. as they did it to protect their own interests as well as those of the insured in their portfolio. Therefore, insurers and reinsurers have developed elaborate competencies in this realm. They are also sometimes referred to as “accidental risks”.
• Human: These are the most common in frequency; it is rare when there is not a human element in the scenario leading to an accident, for example, like a fire in the premises where welding was conducted.

However, the human origin is not enough to understand the root cause of the phenomenon.
It must be further differentiated:

• The involuntary human peril results mainly from an error, an omission or negligence. It can induce the event immediately (a lighted cigarette thrown out on flammable material) or much later (the basement of a house in a flood area not being properly protected by a complete insulation). Finding the person responsible, pointing a finger to the “culprit” will not help. If important damages result from an “involuntary human act”, it is the system that must be reviewed and the procedures: human errors will occur and their consequences should be controlled. This is the obvious common responsibility of quality and risk management.
• The voluntary human peril results exclusively from a conscious and deliberate act from an individual or a team of individuals. However, all conscious acts are not aimed at doing harm to others; therefore we further contrast:
  1. The voluntary human peril: The “wise guy”, which is the unintended consequence of a legitimate action by some actors in a system. They embark on modifications aimed at improving performances and/or facilitating work. However, they do not document their modifications and the rest of the team, unaware of them, can create problems. An example provided by many organizations is the nightly inspiration of a computer specialist “improving” software but warning nobody of the changes. The cure for that resides clearly in procedures to channel the individuals' imagination and transmute it into useful opportunities. (A word of caution for those contemplating operations in France, French employees are particularly prone to the “wise guy” syndrome!).

  2. The voluntary human peril: “Malicious acts” occur when an individual or a group of individuals embark on a mission to appropriate third parties' belongings or assets, be they tangible or intangible. Therefore, they are usually illegal acts, punishable in most countries where they would be performed, for instance, industrial spying, arson, forgery, assault, etc.

     It is further essential to qualify the acts as to whether the individuals try to get wealthy (lucrative malice) or to further a political, religious, or ideological agenda (non-lucrative malice).

     In the first case we are dealing with an enterprise, illegal but still governed by profit seeking. Therefore, these individuals make their decisions like legitimate entrepreneurs and they can be deterred by lowering the “return” on their investment (time, effort, and/or money). Strategies such as the following could work: increase the costs (prison terms, security efforts, etc.) or reduce the value (lower inventories, published information and know-how made public).

     In the second case we are dealing with individuals who work for a cause (from vandals scratching cars in the wealthy section of the town to outright terrorism) and their motivations transcend economical issues. Their reasoning is much harder to crack, punish or “bring heaven to earth”. The tragic events in the USA on 9/11/2001 and also Madrid (2004) and London (2005) are all reminders of how difficult it is to fight terrorism within the framework of a democratic society.

     In any case, “voluntary human perils” are always the most elusive to fight. It is important to recognize that we are confronting an intelligent mind that can and will adapt to whatever new form of loss control measure we will imagine and wait patiently to strike when our guard is lowered. One illustration would be information systems: new worms and viruses are created every day and firewalls and other protections are to be updated all the time. Furthermore, employees may become complacent if not always reminded of the uphill battle to be fought every day.

2    THE CONSEQUENCES OF THE HAZARD OR PERIL

• The third dimension of an exposure is its impact or consequences on the organization's objectives and these consequences can be good, creating an opportunity, or bad, generating a threat. In principle, an unexpected high level of a resource would create an opportunity, and a sudden depletion a threat, but unexpected constraints could provide a path to higher efficiency whereas a sudden affluence of resources could be squandered without careful prior planning.

  Therefore, the “impact” can be positive or negative and be seen at three levels as defined earlier:

  • Primary and Secondary impact: These cover the change in the level of assets and of capacity of earning of the organization in the short term (up to 18–24 months).

  • Tertiary impact: This covers the impact on third parties, including economic partners and other stakeholders, society and other impacts on the environment.

    When they are negative, they may engage the contractual, professional or other civil as well as penal bodies. If they are not involved in a transaction they represent an externality in the sense of economy and can be positive or negative.

  • “Quaternary” impact: This covers the long-term effect when the trust and confidence of stakeholders is enhanced (opportunity) or tainted (threats). Thus the impact can have a long-term impact on the social licence to operate of the organization, in other words, its reputation.

Figure 2.2 summarizes the elements that are included in the exposure diagnostic, or risk assessment, to retain the expression used in the ISO 31000:2009 standard. The risk identification step means marking the first two dimensions that define any exposure (resource and event) whereas the third (impact quantification) will constitute the risk analysis step. The risk evaluation step consists in comparing the quantified impact under current circumstances to the risk criteria defined as acceptable by the leadership (risk appetite or risk tolerance).

2.3.7 VoR or Velocity of Risk?¹⁶

Understand the probability of loss, adjusted for the severity of its impact, and you have a sure-fire method for measuring risk.

Sounds familiar and seems on point; but is it? This actuarial construct is useful and adds to our understanding of many types of risk. But if we had these estimates down pat, then how do we explain the financial crisis and its devastating results? The consequences of this failure have been overwhelming.

However, a new concept has developed to describe how quickly risks create loss events. “Velocity of risk” provides an additional insight into the concept of risk through an evaluation of “time to impact” that implies proactively assessing when the chain of events will actually strike. While it is still relatively new and not yet widely used, it is gaining momentum in professional circles, as it is a valuable concept to understand and more so to apply.

Whereas it is necessary to know how likely it is that a risk will manifest itself into a loss or a gain, and the impact of the manifestation, it is not enough to make the most of the opportunity, or limit the loss. Therefore a better way to generate a more comprehensive assessment of risk is to estimate how much time will be available to prepare a response or make some other risk treatment decision about an exposure when its occurrence becomes imminent. This allows you to prioritize more appropriately between exposures; those that require immediate preventive action and those that can be treated when the event is becoming imminent. An efficient allocation of limited resources is the key to robust risk management.

As a matter of fact, expending limited resources on identification and assessment really doesn't buy much more than awareness; and awareness, from a legal perspective and governance perspective, creates an additional risk, that could prove quite costly if reasonable action is not taken to reduce them in a timely manner. Not every exposure will result in this incremental risk, but a surprising number do.

Even five years into the crisis, there's a substantial number of actors in the financial services sector who wish they'd understood risk velocity and taken some form of prudent action that could have perhaps altered the course of loss events that triggered the situation in which the developed world has since been engulfed.

To better understand the velocity of risk there are several avenues to follow:

• At the operational level: Investigate how the circumstances of concern are impacting others who may have the same or similar exposure. Talk to risk owners who've already been affected and get insight and intelligence about how the event evolved for them. When did they first see evidence of its appearance? What horizon scanning methods did they use to see it coming?
• At the legal level: Consider where attorneys seem to be directing their attention and resources. Consult subject matter experts in your company who understand developments in the fields of technology, advertising or research. Find out what they're concerned about and understand why. These efforts, while typically limited in scope and rigor, can reveal much about the potential for new risks and the speed at which they may emerge, influenced heavily by product development goals and pressures.
• At the intermediate management level: A group of managers who have some accountability for strategy and tactics should be interviewed to get their inputs on where they're going and what factors are driving their plans.

Collectively, these efforts can provide a few of the many data points that can help in piecing together a picture of emerging risks and give some context around the speed with which they could develop and cause loss.

The more of these elements can be assessed, the more opportunity will be offered to develop and implement loss prevention plans that could lead to the avoidance of the loss altogether. Between efforts at prevention and protection, it may prove possible to avoid or mitigate the next crisis, an experience any organization would be better off not going through.

2.3.8 What About Business Impact Analysis?

There is a growing trend to consider BIA (Business Impact Analysis) as a new discipline that consultants promote heavily in the wake of the huge contingent loss of profit experienced by many organizations as a consequence of the various natural disasters that hit Asia in 2011.

However, if we refer to ISO 31000, clearly a growing reference worldwide, the risk assessment part of the risk management process calls for a longer view of the impact of a given event or change in situation. It would be a very poor practice to envision only the immediate consequences at the site of the event. Furthermore, risk should be reassessed as soon as there are significant changes in the organization, its internal and external context, and/or its missions or strategic goals. I trust that encompasses the entire scope of the BIA, which appears only as a tool in the risk assessment process and a reminder to look beyond the immediate and local effect.

Back quickly on the assessment/impact issue: personally I prefer the word “diagnostic” and the analysis/evaluation stage of this process clearly must encompass all of the potential impacts: primary damages, secondary damages (loss of profit), tertiary damages (to third party and society), and “quaternary”, i.e. impact on reputation or “social license to operate”.

It seems to me that the “invention” of impact analysis is linked to insufficient attention to a thorough risk analysis (unless it provides a consultant with a competitive advantage and the actuaries a legitimacy to invade the RM field!).

2.3.9 Why Must Risk-Management Objectives Be Clearly Defined?

Within the ERM framework, as per the ISO 31000:2009 standard, risk management objectives can only be derived from the organization's strategic objectives that they are meant to serve with a major focus on pulling through difficult situations.

Clearly, the mission is to plan for all the resources that will be needed to achieve the organization's goals whatever the circumstances may be, more specifically when it is hit by a severe event. Among the resources vital to the organization are the cash flows needed to compensate for the losses whatever their origin may be. This will be the role of risk financing that will remain a corporate function, part of the overall finance strategy, no matter how decentralized risk management may be to the operational risk owners.

Even when approached from both the perspective of threats and opportunities, the essence of risk management is to plan for situations of high volatility; otherwise it would interfere directly with the cost control mission of any manager. The essential volatility of risk management performance has driven the professionals to contrast clearly two sets of objectives that some call “pre-loss” and “post-loss” objectives. However in a global approach, it would be better to call them “pre-” and “post-” event, thus not pre-judging the nature of the impact of the event, which also could be positive.

It is necessary therefore to set the objectives prior to any unexpected event but with a clear understanding of the different timing with regards to major events occurring.

2.3.10 Managing Risks or Containing the Cost of Risk, Is It the Same Objective?

The core mission of risk management in any organization is to maintain some degree of activity through any type of turbulence in order to allow it to reach its strategic objectives, no matter what happens. The risk manager's core job is to make sure that the vital resources needed to achieve this will be available to reach the level of post-event objectives set by the board.

However, this mission must also be fulfiled with as little resource as possible. To reach the optimal level of economic efficiency, the risk-management operations must be measured against some objective yardstick. Minimizing the long-term cost of risk represents such a standard. However, what is the “cost of risk” in a given organization?

Traditionally, the cost of risk has been broken into these four components:

• Administration costs: These are the expenses directly linked with the implementation of the risk management process throughout the organization. They include the salaries, office expenses, and travel and communication expenses for the personnel in the risk management office as well as the costs of outsourced services for risk assessment or other purposes. These costs are relatively easy to track. However, it is essential to include the additional costs of the time and efforts devoted to risk management in the operational units and other executive branches, and these are far less easy to evaluate properly and objectively.
• Loss control costs: Including not only the annual depreciation of loss control investments but also recurring costs linked to risk mitigation efforts. For instance, when dealing with automatic systems for detecting and extinguishing fire (sprinkler) the initial investment is substantial but the system must be maintained regularly and receive major overhauls over the twenty years of its lifetime. For individual protection, there may be the cost of purchasing the adequate equipment, and replacing it regularly, but sometimes “control” is achieved through modifying processes that may increase the production times, and hence costs. These are not always easy to identify and measure precisely.
• Transfer risk financing costs: For the most part these represent the insurance premiums paid to insurers or reinsurers (through a captive company). These costs are quite easy to track and consolidate, as they should appear as such in the accounting documents. However, with the new ART (Alternative Risk Transfer) instruments, some of which are implemented through financial markets or banks, the organization should be careful to include every element of the cost of transfer, especially in a large global conglomerate. Furthermore, the cost of risk contractual transfer for risk financing to non-insurance partners is extremely difficult to “price” as it is part of an overall deal.

• Retention risk financing costs: These represent all the claims and fractions of losses that remain in the books of the organizations. Clearly that includes those that are not insured or not insurable but also the deductible, self-insured retention, and/or the portion above policy limits, especially in the liability area. For the losses outside the realm of insurance, retention risk financing costs will be reported only if the RM accounting practices provide for their tracking.

  However this breakdown of the “cost of risk” concentrates on the downside, the threats, and does not take into account the upside of risk, the opportunities. A “fifth” component should be added:

  • The cost of investments deemed “too risky”, made possible thanks to a robust risk management process: It is extremely difficult to assess the potential opportunities that are passed up. However, this impact should always be kept in mind when running any investment analysis.

In all organizations, executives are always tempted to benchmark, with competitors as well as partners. A typical question would be “Is our cost of risk in line with the competition?” This is a very difficult game to play as no two organizations have the same risk profile (each has its own specific portfolio of exposures) and no two executives' teams have the same risk appetite.

Once again it should be stressed that if the organization excludes the high frequency losses that should be treated as quality failures, in the short run, an organization with no risk management in place might seem more efficient as it incurs little “cost of risk”. This will last until a catastrophic event happens that kills it off, for it has no means to rebound. Therefore the cost of risk should always be assessed taking into consideration the company's resilience.

2.3.11 Why Is the Concept of Resilience Becoming So Popular With Board Members?

The underlying objective of any risk management program is the survival of the organization under whatever stress level, but it has to include within its scope the very important concept of sustainable development, not only in terms of preserving the natural resources for future generations but also as a way to provide the investors with a reasonable long-term return on investment. This may call for measures far beyond available sources of cash to pay for the damages that would ensure survival in the aftermath of a major claim.

However, even this minimum objective may prove elusive should some extraordinary circumstance take place; of course this may be the case essentially for liability and environment exposures, e.g., the cost of Exxon Valdez and the BP Gulf oil rig disaster which for smaller firms would have threatened their survival. For extremely catastrophic events, it may be necessary to engage with the stakeholders to find an acceptable compromise where the perception of risk is not excessive, in order to grant the organization its “licence to operate” in view of the positive societal advantages: the opportunities it brings to all.

On the other hand, this “survival” approach to risk management may fall short of stakeholders' expectations especially in the “moderate risk class”, i.e. those scenarios that are due to happen with a good degree of certainty over a 5–10 year horizon, but whose annual impact may fluctuate significantly. The objective of survival would not treat situations that take the financial results of a company through a true rollercoaster that would not please the investor community. Furthermore, employees and managers, as well as customers and suppliers, might question the long-term viability of the organization and seek employment and/or partnership elsewhere to protect their own interests. In the same way, the government, the local authorities and the citizen consumers might well be impatient when confronted with what they would perceive at best as short-sighted management.

It is under these circumstances, and with the capital “reputation” in mind, that both the directors and the executives might well consider a higher level of post-event objectives to assign to the risk management operations in the organization, like limiting service or production interruptions to a level compatible with the partners' interests, or imposing a minimum level of profits and/or growth even in the case of unexpectedly large losses. Clearly, they will expect the organization to rebound faster and higher than mere survival would allow, even after a serious loss.

Without undue developments, it is all too clear that these higher post-event objectives are going to require investing more resources, financial in particular, into the risk management process than “absolutely” necessary. This “additional investment” is in conflict with the pre-event objectives of economic efficiency, which call for containing the cost of risk.

Once again, risk management efficiency has to be assessed in the long term. However, long term must be defined. For a CEO whose tenure is going to be anything from three to six years, this is long term; for a government it should be the well-being of this and at least the next generation of human beings (and not the next election); for an environment specialist is a millennium enough (think nuclear waste)? Pension funds that are such an important player in the financial market should look at 20–40 years' horizon for the benefit of their “investors”, not just the next three quarters, which may represent the best interest of their funds managers.

Therefore, if purely financial returns do not provide a clear view on the long-term sustainability of the firm, a new concept, a new measure, is needed to provide a comparison tool. Resilience for an organization was forged as a social concept by analogy with the quality of a metal that regains its quality after a stress. It is often used in modern risk management literature, not always with a clear understanding of its underlying meaning. It was used for the first time in an audit context by the Canadian Auditors Association, too happy to find a word that is the same in English and in French. The definition can be summarized as follows: “The capacity of an organization to rebound even after the most severe stress and still maintain its strategic objectives in the interest of its main stakeholders.”

Therefore the resilience must be assessed by each stakeholder in view of the preservation of its stakes or interests in the organization. As an illustration, the expectations of the organization from the points of view of different groups are:

• Society: Fulfil its obligation.
• Employees: Maintain employment.
• Partners: Insure security of orders/delivery.
• Stockholders: Provide long-term dividends.

2.3.12 How to Conduct an Exposure Diagnostic?

Establishing a diagnostic of the exposures for a given organization is the first step in the risk management process. It can be split into three different phases: identification, analysis and assessment.

One of the problems of the emerging risk management science is that, in spite of the definitions offered in the ISO Guide 73 vocabulary for risk management, so many concepts remain ill defined. Let us therefore state that here we mean by “identification” the recognition that some undesirable event may occur; “analysis” means quantifying the consequences for the organization and hence also its stakeholders, without any consideration of the control measures in place; while “evaluation” takes into account the best possible outcome if all current control measures operate at full capacity, i.e. an analogy with the insurance concepts of MPL (maximum possible loss) and ERL (expected reasonable loss). It should be noted that what we call exposures diagnostic is also referred to in ISO 31000 as “risk assessment”.

It is obvious that the good risk manager envisions the probability of the event occurring, the frequency, the importance of the impacts, and the severity of potential losses. However, this would fall short of an understanding of the phenomenon without giving due consideration to a measure of the uncertainty of the consequences, i.e. the dispersion of the consequences. At the end of the day, what the risk management professional should be concerned with are the consequences on the ability of the organization to achieve its goals and missions, no matter what, i.e. what we have called its level of resilience.

The diagnosis is the cornerstone of the risk management process: our decisions are only as good as the information we base them on; if a risk is not identified, the opportunity will be missed or the threat will not be curbed. On the other hand, when a risk is identified and properly quantified, the risk management treatment may just pop out for the experienced risk manager. Later in the book we will come back to how the diagnosis is transformed in an ongoing process of risk mapping through the feedback loop.

A single event may impact a number of organizations. For example, a used tire facility burns in the vicinity of a populated town. Toxic fumes from the fire are blown by the wind in the direction of a nearby industrial and commercial park. The impact of this event must be analysed from different perspectives, but first of all from the company who owns the inventory and manages the site. The analysis will cover property and equipment damages, loss of personnel, and loss of net revenues. Of course the consequences for all economic partners should be assessed, if only to analyse the potential contractual liability losses. However, each of the partners should also conduct their own evaluation of the consequences. If the context has been defined accurately, then the eventuality of this exogenous event should be included in the exposure diagnosis of each of them as an “external” hazard. Finally, for the tire owner the impact on reputation and image should not be forgotten as economic partners may also suffer. Nevertheless, the impacted organizations may also experience reputation loss even if “innocent”, especially if they cannot demonstrate a proper preparedness for such a “foreseeable” event!

But this analysis in a semi-open system, i.e. a system that is not totally self-sufficient, is not enough as many other stakeholders, some of whom the organization has no contractual ties with may be impacted, e.g. the neighbors, the city and surrounding communities, as well as regional and national authorities, and even other private entities. Therefore, an investigation on the potential impacts on all stakeholders will have to be conducted at the organization level to further assess tort and criminal liabilities that the fire might induce. This is after all an endogenous hazard that may have consequences on an extended environment.

Furthermore, the risk manager of a healthcare organization located within a mile radius should have identified the “tire inventory operation” as a potential hazard as part of its community wellness program, especially in the context of its pulmonary patients, children, and other at-risk persons.

To summarize, the exposure diagnosis consists of a recurring exercise to keep an updated register of the exposures confronting the organization, as exhaustive and current as possible.

The second phase develops a quantified evaluation of the impacts on the organization's resources and objectives, as far as possible. This can be achieved through the use of probability and trend analysis for the “frequency risks” for which there is a data bank. Other quantification methods such as expert advice and Bayesian networks can be used for the median risk category, and scenario analysis is appropriate for “catastrophic” events, especially when many stakeholders could be impacted.

It is a “no brainer” that the more open the system, the more delicate the diagnosis process. Such is the case of malls, healthcare establishments and local authorities where most of the stakeholders have no direct subordination or contractual links with the organization. It is clearly easier to manage risk within the limit of a manufacturing plant where most actors can be trained and educated to recognize risks and act responsibly to limit their consequences.

Finally, there is the case of managing the risks in a project. Projects usually involve different partners that may have not necessarily entirely convergent goals and objectives, indeed even sometimes divergent interests. Project risk management in such a case will require a common approach to managing the risks in the most efficient way while satisfying the needs of all participants.

2.3.13 How to Analyze and Evaluate Risks?

The realm of possibilities that may arise in a situation of uncertainty for a given organization is practically without borders. And even if risk management tends to look principally at downside risk when referring to risk diagnostic, it is essential to have a broad perspective on their potential impact, if only to prioritize risk control efforts.

Too often the risk impact evaluation is limited to the two traditional variables used by the insurance industry to calculate an expected value of the claims:

• The probability, also called frequency, as claims do occur even in a well-balanced portfolio (law of large numbers).
• The severity, or the financial impact, usually measured within the scope of the insurance cover granted to the insured in the contract.

As a matter of fact, if the portfolio is large enough and underwritten cautiously, the multiplication of the frequency by the severity, or expected value, is indeed what the insurer can expect to pay in claims on his portfolio in the long run.

However, when applied to a single organization, large as it may be, the formula will not give insight into the adverse conditions that it may be faced with, except for the very limited and frequent claims like physical damages to a fleet of vehicles. A major variable is missing, that could be summarized in the volatility of the annual losses and the negative cash flows that stem from the realization of the hazardous events. An example drawn from the nuclear industry will illustrate. If any nuclear power plant has a probability of 1 in 10,000 million of suffering a major catastrophe with a $2,000 billion loss, then the long-term annual “cost of risk” for Electricité de France (EDF) that operates less than 100 sites is less than $20,000 a year. That is a quite acceptable burden for EDF; however, does this answer the question for the public: “Is the nuclear industry in France safe enough to ensure both permanent supply of electricity and safety for those living close to one of the power plants?” Who cares if the annual long-term cost over 10 million years is negligible? At the end of the day the question is linked with sustainable development, not expected value of cost. In other words, any exposure assessment will have to take into account the dispersion of the force of the impact, be it in financial terms or in human or environmental evaluation.

For the high frequency risk, the “non risk” exposures in terms of financial implications like health cover for a large population or vehicle fleets, the historical data will provide a good start to forecast the future losses provided trend variables are properly inserted in the model. Furthermore, the “expected value” of annual cost may even prove a reasonable base for a budget exercise, as it will be relatively non-volatile.

For exceptional exposures on the other hand, it is more the severity and the spread of consequences that will guide in the decisions of risk treatment, even to the ultimate option of discontinuing or not engaging an activity deemed too risky. In those situations, what is essential is to determine the stakeholders' appetite for risk. To summarize, the parameters should not be multiplied; it is the three dimensions vector (F, S, and σ)¹⁷ that must be assessed: “At a given level of confidence, are the consequences socially and economically acceptable?”

Some authors have recently advocated looking at the worst case scenario and defined for financial institutions the “value at risk” and for non-financial the “cash flow at risk” as a measure of the stress that the system, the organization, can endure without permanent damage or impairment. Now, recent authors place it in the QBRM (quantile-based risk measures) and argue that it is fundamentally flawed and does not represent a coherent risk measure. It is not within the scope of this book to fully address the debate, which will be left to the FRM (financial risk management) specialist and the actuaries. Suffice to know that it is a fast developing field that the risk management professionals must be aware of.

In any event, assessing severity requires developing an “extreme scenario” according to Murphy's Law (everything that can go wrong, will go wrong). Clearly, from the organization's point of view, recognizing all the negative (and positive?) impact is essential. The worst-case scenario will have to address the question of the stakeholders' confidence and the loss of reputation.

Finally, when dealing with risk assessment, one must exercise caution as some consequences are not readily measurable in monetary terms (long-term impact on the environment) and cannot always be positioned in the financial model of the firm even with the long-term view of value creation for the stockholders. Other objectives have to be taken into account such as whether they are true missions or merely constraints; it is for each board of directors to answer, but they include sustainable development, assistance to distressed persons, etc. It is probably necessary to broaden the assessment tools to include other variables than the three mentioned here.

One final piece of advice: as all is not quantifiable in monetary terms, all that can be must be, with utter care and application, be it only to limit the residual uncertainty!

2.3.14 Risk Centres and How to Use Them for Risk Assessment

The “risk centre” method for assessing risks, exposure diagnostic, is founded on the model that describes an organization as a dynamic combination of five classes of resources (Human, Technical, Information, Partners, and Financial).

The crux of the method is to split the organization defined as a “complex system”, i.e. a system of systems surrounded by environments, into as many sub-systems as needed to make the smaller entities “user-friendly”. Then the sub-system is analyzed as a combination of the same resources.

This identification of sub-systems within an organization is totally compatible within the system safety approach. It must stop when the level of “elementary sub-system” or “micro firm” is reached. It is still a living cell with a manager aware of the missions he/she is to fulfil with the help of the necessary resources in the five classes. It is then possible to identify, analyze and mitigate the risk at the risk centre level, which is a “micro-organization” that can be defined as a set of resources, combining to reach an identified sub-goal, contributing to the organization's overall goals and missions.

The boundaries of the risk centre and the forces of its environment should be apprehensible by the risk centre manager who should have the initiative to manage this “micro enterprise” and navigate at best within the threats and opportunities identified. This is precisely the “risk owner” often referred to in all ERM (Enterprise-wide Risk Management) presentations.

We have already listed and explained the seven risk identification tools; however, once the risk centres have been identified, the main tool to use is the questionnaire, or preferably, the interview of the identified risk-owners. The information gathered during the interview will be the material used for the workshop organized henceforth with the management team to appropriate the risks and agree on priorities and actions.

The interview should be conducted according to the main points listed in the box below:

• Question 1: Aims at understanding the activity of the risk centre and testing the manager's grasp of his missions and position within the organization.
• Questions 2 to 6: Aim at identifying the resources currently used by the centre, including the “free resources” and the interaction with other actors, within and outside the organization.
• Questions 7 & 8: Aim at questioning the manager's comfort so that he/she can accept that potential destabilizing events may occur and envision how he/she would cope in an emergency. Through the absence of staff, on the one hand, and the loss of all equipment on the other, the manager is led to consider which among his/her resources are really “vital” for the continuation of the operation. Furthermore, through the wish list of what to do now, and what to do in the case of a disruption, the manager initiates the process of scenario identification that will help the staff workshop to lead to a robust mitigation plan at his/her level, i.e. to the definition of BCP, the quantification of the need for “exceptional financial resources” to implement it, and the “sentinel event” that should prompt top management attention.
• Questions 9 & 10: Aim at developing a preliminary BCP, the conditions for its successful implementation as well as early detection of the development that may lead to a crisis through media attention and public implication in the consequences of the “undesirable event”. Those situations might develop into crises that are likely to require headquarters input and assistance. Early warning may make all the difference between an aborted crisis and full-blown havoc!

2.3.15 Risk Map or Risk Matrix: What for?

The desired output of the diagnosis exercise is a list of exposures, as exhaustive as possible and a classification by order of priority. It is customary to assess a priority on the basis of the “long-term economic impact” measured by the two variables: frequency and severity.

The risk matrix, that some consultants still insist on calling a “risk-map”, is a two-axis table: on one axis the probability of the event taking place (or frequency) and on the other the potential impact (usually in monetary terms). This matrix does not have the permanency of a physical geography map: it is merely transitory help to decision makers, whose decisions will immediately alter the risk profile of the organization, not to mention the evolution in the external and internal context. However, this function as an information tool for managers and executives must provide them with some insight into the risk; therefore the classes of risks thus described must be in measures that make sense to them in the light of the decision to be made:

• On the probability axis, for example: once a week, once a month, once a year, once a decade, possibly once a century, once a millennium; and
• On the impact axis: for low or middle severities, a reference to the annual profit should be enlightening (less than 1 per mil, 1 percent, 10 percent, etc.); and for catastrophic risks a reference to the company's net worth may prove more appropriate (20%, 50%, and possibly 1000%, or ten times, etc.).

Combining frequency and severity provides the long-term weight of the risk, but judgment must be exercised, especially where improbable catastrophic events are concerned. At this stage the traditional green, yellow and red zones depending on the acceptability of risk level dictated by the deciders' or stakeholders' risk appetite. If an event whose potential impact is 1 per mil of the profit would only happen once a year, it can be ignored. If the same event could occur once a week, the situation will call for treatment. On the other hand, a millenary flood, even potentially catastrophic, may be left untreated.

Clearly the key to efficient risk management is an in-depth understanding of all the exposures to which an organization is confronted, their characteristics and root causes to infer their potential economic impact. The risk matrix clearly provides an appropriate tool for classifying the risks.

2.3.16 Why Does It Make Sense to Invest in a System to Gather and Transform Information?

During the course of the last decade, risk management has clearly become a system to gather, process and communicate information as is clearly illustrated by the developments of analytics and “big data”. At each step of the process, from the diagnosis or risk assessment to the audit of the program, there is a constant need of communication (to obtain the necessary information) to manage information (gather and explain), and communicate again (to present the results and draw practical consequences). This is precisely why installing a risk management information system (RMIS), i.e. a set of hardware and software to gather and treat all relevant data for making and implementing decisions, is an essential tool to manage efficiently risks in any organization. Its main attributes are:

2.5 ENTERPRISE RISK ANALYTICS SYSTEMS

Richard Connelly, Ph.D.

Founder and Director, Business Intelligence International

Jean-Paul Louisot

Formerly Université Paris 1 Panthéon-Sorbonne, Directeur pédagogique du CARM Institute, Paris, France

“Risk doesn't mean danger – it just means not knowing what the future holds.” (Peter L. Bernstein)

This quote is at the heart of what risk management should be for any organization, whether when managing the potential downside of an investment or putting a value on the option of waiting when making irreversible decisions. The ISO 31000:2009 RM standard points to the needs for applying sound enterprise business intelligence analysis to risk management programs through the alignment of the GRC – Governance/Risk Management/Compliance Triangle.

Long before “analytics” came to be known as the reference for the compilation of decision information within and outside an organization, Howard Dresner in 1989 proposed a definition of “business intelligence” as an umbrella term to describe “concepts and methods to improve business decision making by using fact-based support systems” (Dresner, 2009).

Enterprise-wide risk management maturity means auditors' assertions can state that decision making is based on reliable data management processes that comply with governance requirements and legal matters management controls. This can be achieved only through maintaining documented assurance that international standards for evaluating performance accountability, reporting transparency and audit integrity are embedded in the roots of organizational culture.

The value of an investment in enterprise risk management information, as requested in the ISO 31000 standard, may be assessed by the depth of risk factors disclosure information reported to stakeholders and credit analysts. Credit agencies need “reasonable assurance” that the risk assessment data is reliable and consistent throughout the organization. Technical advances in enterprise information technology provide the means to connect management's performance guidance statements to predictive analytics that correlate financial results with asset–liability reserves and risk mitigation response plans. These are the key elements that investors, underwriters and regulators are assessing when stress testing economic forecasts and applying valuation models to capital liquidity analysis.