CHAPTER 13
Quantitative Risk Assessment in ERM

JOHN HARGREAVES

Managing Director, Hargreaves Risk & Strategy

First weigh the considerations, then take the risks.

—Helmuth von Moltke (1800–1891)

INTRODUCTION

The German military strategist Helmuth von Moltke advised that risks should be assessed before they are taken. This chapter discusses how risk assessment and risk quantification can best be achieved in a commercial or governmental enterprise.

Most companies have completed surveys of the risks they face, and have adopted systems to control some of the risks they have found. The depth of this analysis has varied from one company to another, depending on local factors. Not least among these factors would be the assessment by the management team and board members of the benefits that may be obtained from the risk-management approach.

However, many regulators, stock exchanges, and professional bodies have encouraged companies to improve the quality of their risk measurement, and have issued guidance, so there is considerable institutional conformance pressure (e.g., COSO 2004, Australia Standards 2004).

Some insights can be gained from the COSO definition of enterprise risk management, which reads as:

Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (COSO 2004)

Many people are involved, so we need a structured method for assessing individual risks, but also we need to be able to look at the picture from an enterprise point of view in order to be able to assure ourselves that the total risk being taken is within our risk appetite.

This chapter examines how risks may be quantified. After a consideration of general principles, four differing approaches to the quantification of individual risks are explained and evaluated. Statistical methods for calculating and reporting a company’s total corporate risk are described and illustrated by a simple example. Finally we consider how quantified risks may be incorporated in the business-planning process. We do not cover the specialist methods used to quantify risks in financial institutions.1

In this chapter, it is postulated that there is no single best way of evaluating and prioritizing risks. Different organizations will find different and equally valid solutions. Over time, these solutions evolve in response to changing circumstances and in the light of experience. The aim of this chapter is to provide organizations with some further ideas that contribute to the ongoing evolution and refinement of their risk-management practices.

We start by asking a simple question: Why do we need to quantify a particular risk? There are four main reasons: First, we need to be able to decide which risks we should concentrate on and which ones are not so important. There are large differences in magnitude between risks, as Box 13.1 illustrates. It is much more beneficial to life expectancy to cut down on smoking than to stop drinking coffee. So it is useful to be able to put risks into classes of relative importance. Second, we need to be able to decide whether to spend money on controlling the risk. We can estimate how much a new control will cost, but before implementing it we need to know whether the control will justify itself through reducing the risk. Third, the presence of risk will reduce the economic value of the corresponding activity, and may be sufficient to cancel out any financial contribution being made. Fourth, we need to be able to estimate how much a particular risk is contributing to the total risk being run by the organization.

In achieving the above we need to take account of William of Ockham’s insight, which is just as valid now as it was 700 years ago. This is illustrated in Box 13.2.

It is instructive to examine a typical situation under which risks are initially identified and analyzed. We usually become aware of a risk either through an internal brainstorming session or analytical paper, or through a report of an external development. Initially the risk may be loosely defined and there may be conflicting opinions as to its importance.

Moving on from this initial stage, we try to discover more about the risk. We become more knowledgeable about the processes that can cause the risk to happen, and are better placed to make an estimate of the probability that the risk will materialize within our planning period. Sometimes probability estimates can be based on statistical frequency data. For example, data is available regarding the frequency of IT problems of various degrees of severity, and we can inform our probability estimates using this data, adjusting where necessary to reflect whether our situation differs from average. Also, we become more knowledgeable about the consequences of the risk materializing. Sometimes these are clear and defined, but often there are a number of different possible types of consequences. We need to consider what mix of these occurs, and judge the relative importance of them. Refer to Box 13.3 for a list of these consequences.

The consideration of these consequences is necessary because it allows us to make an estimate of the possible impact of the risk on the organization.

Exhibit 13.1 Impact Range Probability Distribution

Impact range ($) | Probability | Typical value ($)
0 to 4,999 | 95% | 1,000
5,000 to 49,999 | 4% | 20,000
50,000 to 249,999 | 0.9% | 100,000
Above 250,000 | 0.1% | 1,000,000

Sometimes it is sufficient to take a typical outcome as the basis for our further work, but often it is necessary to consider two or more levels of intensity for the risk, each with its corresponding causal circumstances. For example, the cost of a fire in an office can be as little as a scorch mark on a table or it could be large enough to cause a company to go bankrupt. If we decide to use a complex methodology to model our risk, we might represent the relationship between probability and impact as a probability distribution. However, if we are using a simpler methodology we might estimate probabilities of an out-turn within each of a range of impacts. The example in Exhibit 13.1 illustrates this concept. In this example, we might consider the smaller risks to be operational issues, but the small-probability large-impact combinations could be of concern at the company level.

Note that at this stage of our work, we will probably become aware of the controls that are currently in place in relation to the risk, and we may also find out about other possible controls and actions that might be implemented to reduce its impact or reduce the probability of it happening. For a “new” risk, some of these actions may be clearly necessary, perhaps with a good risk reduction benefit for a small cost outlay. Others may be rather expensive to implement or may have a lesser result in terms of risk reduction, so it may not be clear as to whether to implement these or not.

RISK ASSESSMENT: FOUR ALTERNATIVE APPROACHES

When deciding the most appropriate method of evaluating an organization’s risks, there is a choice between several broad alternative approaches. These are illustrated in Exhibit 13.2. The appropriate choice between them depends on cultural and environmental considerations, and on the industry concerned. In this chapter, we consider mainly strategic risks and managerial situations where financial risks are not dominant. Methods for quantification of financial risks in the financial services and energy sectors are covered in other chapters.

It is worthwhile to examine the four main alternative methods for the assessment of strategic risks, and to consider issues that contribute to the choice between them. These four methods are described next.

Method 1: Active Management of the Largest Risks

Chief executives will often maintain that they are already aware of the main risks facing their organizations. In view of this, they would maintain that the most important risk-management task is to manage these risks well. This attitude is justified by the fact that about 80 percent of the total risk facing an organization is usually concentrated in the top dozen risks.

Exhibit 13.2 Methods of Quantifying Risk

In organizations that are beginning the implementation of risk management, and in those going through crisis situations, the resources available to control risk may be limited. In such circumstances it may be best to concentrate initially on the effective management of key risks. This avoids spreading the management effort too thinly and less effectively.

As illustrated previously, there are large differences between the impacts of different risks. Our example was drawn from ordinary life, but the point applies to company risks as well.

There are large differences, too, in risk probabilities. Some risks occur rarely and others happen quite frequently. Nevertheless, to uncover the top dozen risks with confidence it is usually necessary to consider at least twice that number of risks. This analysis often reveals a couple of large risks that have been underestimated by management.

It is sensible to take advantage of the effect of large differences in risk impact and probability through the adoption of an “Active” style of risk management (Box 13.4). It is certainly better to actively manage the top 12 risks than to make a long list of risks and do little about any of them!

The idea of concentrating on the top risks is good as a first approach to risk evaluation. Often it is also appropriate in a transitory situation where an organization is going through a process of rapid change. However, it is not an adequate basis for confident risk management in the medium term.

Active management of the top risks suffers from the drawback that it is not comprehensive. The business world is littered with examples of infrequently occurring risks that have led to the downfall of organizations. Sector regulators seek to ensure that companies do not overlook any risks that may have significant adverse impacts, but recent experience tells us that this is difficult to achieve in practice. However, favorable experience of the savings or risk reductions made by good management of the important risks indicates the benefits of extending management attention to the less significant risks as well.

Method 2: “High/Medium/Low” Classification of Risks: The Two-Dimensional Risk Map

A more complete coverage of risks may be obtained by using the two-dimensional risk map approach illustrated in Exhibit 13.3. Following this approach, a detailed list of risks is drawn together that, as far as possible, covers all the company’s activities. For each risk, estimates of the probability of the risk occurring and the impact of the risk are made. These estimates are expressed in terms of High/Medium/Low categories and plotted on a risk map to illustrate graphically the relative rankings of their respective probabilities and impacts.2

It is common in this sort of approach to use traffic-light color highlights (i.e., red, amber, and green), in reports to distinguish high, medium, and low risks. Noncritical risks that are being managed satisfactorily are signified by a “Green Light” signal, and conversely high-risk situations that are causing concern are indicated by a “Red Light” signal.

Exhibit 13.3 An Example of a Two-Dimensional Risk Map

The High/Medium/Low approach can work quite well if the risk analysis is done mainly by one person. However, if the risks are to be tackled at all levels of the organization, a number of people will need to be involved and there will be different views of specific risks. Often the definitions of the terms “high,” “medium,” and “low” are not exact and this can cause practical problems. Local managers, for example, may consider a specific risk in their projects to be high. This is because the projects they deal with represent the complete spectrum of their experience of the company. A board member or senior manager might only rate the risk as medium in light of a full knowledge of the company’s risk map. Thus, classification bands need to be clearly defined so that all members of staff can participate in risk assessment.

The High/Medium/Low classification suffers from the deficiency that it is a crude yardstick. It does not register graduations of risk other than within the threefold classification. So, if management expends effort to reduce a particular risk, it may well continue to register as “high.” Thus, a system with only three graduations may be difficult to use for control purposes and at lower levels of the organization most risks would be classified as low. Thus, although this methodology meets the needs of some standards and regulators, we do not recommend it since, for a relatively small additional effort, a slightly more sophisticated methodology on the lines of Method 3 described below will be much more effective.

Method 3: Risk Assessment Using Refined Classifications

Refining the Classification

One route to a simple but more effective risk management methodology is to employ a more refined classification of probabilities and impacts. For example, the graduations may be increased to five classifications such as Very High, High, Medium, Low, and Very Low, as recommended in the Australian and New Zealand Standards (Australia Standards 2004).

Defining Detailed Scales

If we have more scale graduations, it is more important to define exactly what we mean by each one. In order to achieve uniformity, numeric bands are established both for impact and probability. Thus, for a medium-sized company we might define a very high financial impact to mean an impact of more than say $10 million. Managers may not initially feel confident in making quantified probability estimates. However, in practice they are usually happy to estimate a probability using the probability scale as shown in Exhibit 13.4. In this scale, there is an approximate tripling of probability between one level and the next—this level of accuracy works well for many risk-management purposes, except for the most important risks that may need to be examined in detail.

In a situation where a risk is present with an associated set of controls, the question arises as to which probabilities we should assess. In particular, we normally assume that the existing controls are in place, and assess the probability that the risk will occur either in the following year or over the course of a short planning period. Some practitioners, in particular those with an internal audit background, try to estimate also the probability that the risk would occur without the controls in place. This provides information on the value of the existing controls.

Exhibit 13.4 An Example of a Probability Scale

Probability score | Description | Range
5 | Very High | More than 90%
4 | High | 31% to 90%
3 | Medium | 11% to 30%
2 | Low | 3% to 10%
1 | Very Low | Less than 3%

Similarly, managers are usually able to make a rough estimate of a financial impact, to the level of accuracy required by a system of scales, without too much effort. However, managers tend to be confused when faced with a situation where a risk has several types of impact, and their task is considerably simplified if they are supplied with a clear set of definitions such as those shown in Exhibit 13.5.

When using the scale shown in Exhibit 13.5 to assess a risk, managers should decide which has the highest type of impact and make the assessment based on this type. If a risk has mainly staff impact, and more than 50 staff are significantly affected, then the risk would be recorded as impact score 4. Similarly if there was major reputational damage, the score would be 4. However, if there were two or more types of impact at the same level, then the score would be one degree higher (i.e., a score of 5 in the above case).

Risk Perception Biases

It is known that estimates of impact or probability are prone to estimation bias, whether in quantified form or expressed as High/Medium/Low. There is a body of research work by Slovic, Tversky, Kahneman, and others on risk perception biases, mainly in the area of safety assessment. This research is now being applied to commercial risks (see Box 13.5). For a good summary of the development of the above theory, see the article on risk perception in Wikipedia.

A word of warning—care needs to be taken in using experts to assess risk. Paul Slovic found that experts are not necessarily any better at estimating probabilities than lay people. Experts are often overconfident in the exactness of their estimates, and put too much stock on small samples of data. When evaluating controls, you should guard against threshold bias. People prefer to move from uncertainty to certainty rather than making a similar gain that does not lead to full certainty. For example, most people would choose a control that reduces the incidence of a risk from 20 percent to 0 percent over one that reduces the incidence of the risk from 35 percent to 10 percent.

Documenting the Risk Appraisal

It is essential to keep good documentation of the causes of the risk that is being evaluated, and the assumptions being made as to how the company would be affected. Clear documentation enables an analysis of the nature of a risk to be shared between managers, gives a basis for tracking risks over time, and helps in the removal of estimation biases. The scales methodology assigns a value to each probability or impact band as a representative value. Sometimes exact estimates rather than scale values are available, and in these cases the more accurate figures should be included. Managers should not forget to document their assumptions so that later revisions can be made.

Exhibit 13.5 An Example of an Impact Scale

Impact score | Description | Strategic | Financial (% of turnover) | Customers and staff | Reputational | Legal/Regulatory
5 | Very High | Major impact on direction of business | Above 10% | | | Compulsory transfer of assets
4 | High | Major impact on important business objective | 3.1% to 10% | Significant impact on many (50-plus) customers or staff; significant resource to rectify | Major adverse publicity and external interest with damage to reputation and/or long-term impact | Prosecution/regulatory supervision
3 | Medium | Noticeable impact but business still on course | 1.1% to 3% | Noticeable impact | Longer term adverse publicity, locally contained | Loss of regulatory approval
2 | Low | Minor importance | 0.3% to 1% | Minor or short-term problems | Short-term local adverse publicity | More serious breach but no long-term implications
1 | Very Low | | Less than 0.3% | Impact both minor and short-term | No adverse publicity | Minor breach of legal/regulatory requirements

Risk Databases

Many companies use spreadsheets to hold their risk information, but as their knowledge grows, and the number of controls increases, the spreadsheets become cumbersome. A best practice is to hold risk information in a relational database, together with all the other information regarding each risk. The database will typically contain specifications and control information in relation to all of the actions that are currently underway to reduce the risks that have been found and will also include risk reduction targets.

It is sometimes useful to differentiate in the database, for certain critical risks, between their short-term impact (i.e., their surprise element), and their medium-term effects. Risks whose impact is mainly short-term are likely to require different methods of management, and it is beneficial to be able to analyze the company’s vulnerability to short-term shocks.

Method 4: Statistical Analysis

So far this chapter has discussed the use of bands or single “best guess” estimates of the impact and probability of each risk to represent its importance. However, this is a simplification of reality because in practice we may be uncertain of the probability estimates and the possible impact of the risk may vary continuously from almost zero to a high figure. Sometimes we may want to examine the impact of a number of risks together, for example, because their incidence is strongly interconnected.

In such cases we might be able to make some progress by examining a set of “what if” scenarios, making a range of assumptions for each risk. However, there may be too large a set of possibilities for this to be practical, in which case a more exact model can be created using Monte Carlo simulation techniques. This Monte Carlo approach is similar to the “what if” scenario method because it generates possible scenarios, but the number of scenarios examined is large and the variables used to generate the scenarios are weighted by the probability of their occurrence. Thus, each risk can be represented by a probability distribution rather than as a single value. The objective of the simulation model is to calculate the combined impact of the various uncertainties to obtain a probability distribution of the total outcome, perhaps at total-organization level. In practice this is easier to accomplish than one would think, because all the relevant technical aids are available in a spreadsheet-based form that is not difficult to use.

An example is shown in Exhibit 13.6 to demonstrate the logic of risk aggregation using two risks. In the example, the two risks lead to only four possible combined outcomes. In practice there will be a number of risks and each will have a range of outcomes. Combining these together cannot be done manually, but cheap spreadsheet-based models are commercially available and these are not difficult to use.

Risks That Can Have Large Impacts

A company board of directors might ask whether any of the risks being considered by the risk managers might materialize in an extreme form, so that the existence of the organization was put at risk. Most risks have limited impact. For example, they may be limited by the value of the asset whose loss they represent; others can have a large impact, but with a correspondingly small probability. The extreme value parts of such risks tend to be risk-management blind spots and are often ignored because they might occur, say, once in 200 years or less. However, most companies will have a number of such risks, so that in aggregate they can be important, as many cases demonstrate. The problem in analyzing such risks revolves around the lack of data because there may have been no occurrences of the risk in living memory. However, a body of theoretical work has been done to analyze these situations statistically. This work was pioneered by Emil Gumbel, who in the 1950s showed that you can construct a statistical distribution (the Gumbel distribution) to represent the extreme-value “tail” of many risks (see Gumbel 1935, 1958). This was later generalized to include more risks by the introduction of the Generalized Extreme Value (GEV) distribution. This surprising result that all tails have similar shapes, and the intrinsic importance of the topic, has resulted in a body of research that is too mathematical to be covered here. A good introductory text in this area, giving many examples, is Reiss and Thomas (2001). Other references are Embrechts (1997) and Coles (2001). See Box 13.6.

In this way the average cost (often called the “expected loss”) of each risk can be easily calculated. They can be simply added up to get the average cost for the whole organization.

AGGREGATING PROBABILITIES AND IMPACTS

In order to calculate what might happen in a particular year, say the next one, we need to enumerate the combinations of possibilities.

The table gives the distribution of combined impacts for the year. For example, there is a 12.5 percent probability of a combined loss of £40,000, but on the other hand a 37.5 percent probability of no loss at all. This illustrates that in practice it is more important to know the distribution of out-turns than it is to know the average cost of the risks.

Exhibit 13.6.A Adding Expected Losses

Then the average cost of Risk A over a number of years will be 25% of £30,000 per year or £7,500 per year
and the average cost of Risk B over a number of years will be 50% of £10,000 per year or £5,000 per year
So the average cost of both risks together over a number of years will be £12,500 per year

Exhibit 13.6.B Calculating the Distribution of Combined Impacts

Risk A happens? | Risk A probability (%) | Risk A impact (£) | Risk B happens? | Risk B probability (%) | Risk B impact (£) | Combined probability (%) | Combined impact (£)
Yes | 25 | 30,000 | Yes | 50 | 10,000 | 12.5 | 40,000
Yes | 25 | 30,000 | No | 50 | | 12.5 | 30,000
No | 75 | | Yes | 50 | | 37.5 | 10,000
No | 75 | | No | 50 | | 37.5 |
Exhibit 13.7 Medium-Term Total Corporate Risk of a Housing Association (Prior to Risk-Management Actions)

In practice there are many risks in an organization’s risk profile and it would be impossible to do this analysis by hand.
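The aggregation in Exhibit 13.6 can be automated. The following Python sketch is an added example, not part of the original chapter: it generalizes the two-risk table to any number of independent risks, each with any number of impact levels (such as the bands of Exhibit 13.1), and cross-checks the exact result with a Monte Carlo run. Independence between risks and all function names are assumptions of the example.

```python
import random
from collections import Counter, defaultdict

# A risk is a list of (probability, impact) pairs whose probabilities sum to 1.
# Values are taken from the chapter's exhibits; independence is assumed.
RISK_A = [(0.25, 30_000), (0.75, 0)]          # Exhibit 13.6, Risk A
RISK_B = [(0.50, 10_000), (0.50, 0)]          # Exhibit 13.6, Risk B
BANDED = [(0.95, 1_000), (0.04, 20_000),      # Exhibit 13.1, each band
          (0.009, 100_000), (0.001, 1_000_000)]  # represented by its typical value


def expected_loss(risk):
    """Average cost of one risk: sum of probability times impact."""
    return sum(p * impact for p, impact in risk)


def combine(risks):
    """Exact distribution {total impact: probability} for independent risks.

    Enumerates every combination of outcomes, as Exhibit 13.6.B does by hand,
    merging combinations that produce the same total.
    """
    total = {0: 1.0}
    for risk in risks:
        nxt = defaultdict(float)
        for loss, p in total.items():
            for q, impact in risk:
                nxt[loss + impact] += p * q
        total = dict(nxt)
    return dict(sorted(total.items()))


def loss_at_confidence(dist, confidence):
    """Smallest loss L such that P(total loss <= L) >= confidence."""
    cumulative = 0.0
    for loss, p in sorted(dist.items()):
        cumulative += p
        if cumulative >= confidence - 1e-12:   # tolerate float rounding
            return loss
    return max(dist)


def simulate(risks, trials, seed=1):
    """Monte Carlo estimate of the same distribution (empirical frequencies)."""
    rng = random.Random(seed)
    tables = [([x for _, x in r], [p for p, _ in r]) for r in risks]
    counts = Counter()
    for _ in range(trials):
        total = sum(rng.choices(impacts, weights=probs)[0]
                    for impacts, probs in tables)
        counts[total] += 1
    return {loss: n / trials for loss, n in sorted(counts.items())}


if __name__ == "__main__":
    exact = combine([RISK_A, RISK_B])
    print("Exact distribution:", exact)
    print("Expected loss:", expected_loss(RISK_A) + expected_loss(RISK_B))
    print("Loss not exceeded with 80% probability:",
          loss_at_confidence(exact, 0.80))
    sim = simulate([RISK_A, RISK_B], trials=50_000)
    print("Simulated distribution:", sim)
    three = combine([RISK_A, RISK_B, BANDED])
    print("With the Exhibit 13.1 risk added, 99% level:",
          loss_at_confidence(three, 0.99))
```

The exact enumeration grows with the number of distinct totals, so for a full risk register with continuous impact ranges the simulation route is the practical one.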

TOTAL CORPORATE RISK: AN ILLUSTRATION

The total corporate risk faced by a company is not a single loss outcome. There is a wide possible range of outcomes that can be illustrated in the form of a distribution graph. This is also known as a cumulative probability distribution.

Exhibit 13.7 shows the risk distribution for a British housing association, calculated over a three-year planning period. By looking at the graph it can be seen that the median loss for the association, which maintains about 10,000 homes, is £2.4m over the planning period, as seen from the 50 percent (0.5) probability level on the graph. This justifies a vigorous program of risk management. It can be seen that there is an 80 percent chance that the association will have a loss of less than £3.3m over the planning period, and therefore a 20 percent chance the loss will be more than this. On the other hand, there is only a 20 percent chance that the association will have a loss of less than £1.4m over the planning period, so there is a large 80 percent probability that the loss will exceed this level.

Information of this type is crucial in setting the risk strategy and appetite for a company, and in deciding what level of contingency should be included in the business plan.

In the case concerned, a thorough risk-reduction program was implemented, and the total corporate risk was cut back by more than one-half.

INCORPORATING RISK QUANTIFICATION IN THE BUSINESS PLANNING PROCESS

It is good practice to use the business plan (excluding any general contingencies) as the basis for the evaluation of risks, so that the risk-management process can be integrated into the organization’s normal planning and control mechanisms.

If the level of quantification in the risk-assessment process is based on the High/Medium/Low classification, it is not possible to aggregate the risks accurately. The consideration of risk in the business planning process must then be based on the analysis of individual risks using sensitivity analysis as explained further below.

On the other hand, if the quantification of an organization’s top risks has been done accurately, for example by estimating probability distributions for each of these risks, paying due attention to the shapes of the tails of these distributions, and allowing for any correlations between them, then it is possible to aggregate the organization’s risks into a total organization risk profile. If all the risks are measured against the baseline performance shown in the organization’s business plan, then the above profile will represent the risk profile of the business plan.

This analysis can then be used as the basis for any general contingencies included in the plan. For example, the level of contingency might be chosen such that there is a 75 percent chance that the financial performance assumed in the plan will be met.

Similarly, the extremes of the distribution of a “Worst Case Financial Scenario” can be evaluated. The result can be compared with the company’s financial covenants, and help in confirming its financial security.

These considerations will confirm the ability of a risk management action program to drive down the total corporate risk to lower levels.

It follows that a company’s risk management strategy should be closely related to and consistent with its overall strategy. In particular, the overall strategy should not conflict with the risk appetite of the organization. The risk appetite might be set in the risk management strategy statement as limiting the total amount of risk taken so that it does not exceed agreed-upon quantified limits.

SENSITIVITIES AND SCENARIOS

As part of business-planning analysis, it is important for the management and the board of directors to understand the way in which the plan depends on critical assumptions. Many companies use the information collected in the risk management system to calculate the sensitivity of the plan to changes in individual key assumptions, both in financial terms and in terms of failure to meet other targets.

The results of the analysis are usually expressed as the effect of a unit change in an assumption (for example, a 1 percent increase in interest rates). This begs the question of just how likely it is that a 1 percent change will happen. It is helpful to supplement this information by taking a view as to how much the interest rates could increase, at a given level of probability, and to calculate the impact of this. For example, it may be the view of the financial markets that there is a 10 percent chance that the average interest rates over a company’s business planning period could be more than, say, 1.5 percent higher than the rates assumed. The sensitivity calculation would show that if this happened, the impact on the company would be, say, £2m.

Once a set of sensitivities has been calculated for the key planning uncertainties, it is possible to combine them to calculate the robustness of the plan to particular self-consistent combinations of assumption changes, or scenarios. This process, though time-consuming, is useful in building up the confidence of management in the robustness of the plan. By making a careful choice of scenarios to be evaluated, the planning team can, at the same time, consider how they would adjust their plans in the eventuality that each of the scenarios materializes. Some possible plans might be more flexible than others and might be preferred for this reason.

Many organizations use spreadsheet models to hold their planning data. Often some of the key assumptions underlying the plan, for example those concerning inflation and interest rates, are represented explicitly in particular cells of the spreadsheet. By putting probability distributions rather than single values into these cells and then running a Monte Carlo simulation it is possible to obtain a probability distribution showing the sensitivity of the plan to likely combinations of these key planning assumptions.

It is also helpful to set up early warning systems to detect changes from plan assumptions (see Box 13.7).

To summarize, the reliability of the business-planning process can be significantly enhanced by the incorporation of risk quantification techniques.

CONCLUSION

This chapter discusses four alternative approaches to an organization’s quantification of risk. The choice depends on the organization’s circumstances and capabilities. The chapter also presents a method for quantifying the total amount of risk in an organization’s business plan. The members of the board need to feel that they have adequately assessed the risk and that the residual risk, after reduction measures and controls, is acceptable.

NOTES

REFERENCES

Abbate, D., Farkas, W., and Gourier, E. 2008. Operational risk quantification using extreme value theory and copulas: From theory to practice. SSRN (July).

Australia Standards. 2004. AS/NZS 4360 risk management.

Coles, S. 2001. An introduction to statistical modeling of extreme values. London, UK: Springer-Verlag.

Condamin, L., Louisot, J-P., and Naim, P. 2006. Risk quantification: Management, diagnosis and hedging. New York: John Wiley & Sons.

COSO. 2004. Enterprise risk management—Integrated framework executive summary.

Embrechts, P., Kluppelberg, C., and Mikosch, T. 1997. Modelling extreme values for insurance and finance. Berlin, Germany: Springer-Verlag.

Embrechts, P., McNeil, A., and Straumann, D. 2002. Correlation and dependence in risk management properties and pitfalls. Risk management: Value at risk and beyond, M.A.H. Dempster, ed. (2002b). 176–223.

Garlick, A. 2007. Estimating risk, a management approach. Gower (July).

Gumbel, B. 1935. Les valeurs extrêmes des distributions statistiques. Annales de l’Institut Henri Poincaré, 5, 115–158.

Gumbel, B. 1958. Statistics of extremes. New York: Columbia University Press.

Hargreaves, J., and Mikes, A. 2001. The Quantification of Risk. The Housing Corporation.

Hubbard, D. 2007. How to measure anything: Finding the value of intangibles in business. Hoboken, NJ: John Wiley & Sons.

Kahneman, D., Slovic, P., and Tversky, A. 1982. Judgement under uncertainty: Heuristics and biases. Cambridge, UK: Cambridge University Press.

Marrison, C. 2002. The fundamentals of risk measurement. New York: McGraw-Hill.

Moeller, R. 2007. COSO enterprise risk management. Hoboken, NJ: John Wiley & Sons.

Reiss, R-D., and Thomas, M. 2001. Statistical analysis of extreme values. 2nd ed. Basel, Switzerland: Birkhauser.

Slovic, P., Ed. 2000. The perception of risk. London, UK: Earthscan Ltd.

Slovic, P., Fischhoff, B., and Lichtenstein, S. 1982. Why study risk perception? Risk Analysis 2 (2): 83–93.

Tversky, A., and Kahneman, D. 1974. Judgment under uncertainty: Heuristics and biases. Science 185 (4157) (September): 1124–1131.

ABOUT THE AUTHOR

Following a mathematics degree at Cambridge University and six years of KPMG strategy consultancy experience, John Hargreaves took up a series of financial positions including periods as the Financial Controller of National Freight, a stint running Shell’s central financial and management accounting and planning systems, and three years as the Finance Director of London Underground.

Since 1991 John has specialized in risk management, initially as Corporate Finance Director of Barclays Bank where he was responsible for introducing risk management systems following the last United Kingdom depression.

In 1996 he became Managing Director of Hargreaves Risk and Strategy, which has clients in the housing, banking, oil, and transport sectors. The consultancy has implemented risk management systems in about 60 organizations.

John is a leading expert on the quantification of risks. He has conducted research over a number of years on the risk profile of the U.K. social housing sector, initially through study of client risk maps but also through analysis of the risks that occurred in a sample of 41 companies. This knowledge was used in 2005 in the design of the sector’s highly successful risk-related regulatory system.

John is also an authority on the relationship between risk management and strategy, and for 15 years has run a course on Strategic Management for an MSc program at the London School of Economics.
