In addition to the discussions summarized in previous posts, the participants at OpenPages Executive ERM Forum discussed risk quantification for operational risk and compliance. Some interesting ideas surfaced during the discussion.
First, participants agreed that the objective of quantification is for relative sizing and prioritization. In other words, you need to be able to relate the relative severity of a compliance risk in one division to an operational risk in another. This helps allocate resources to the right risks in the business.
It’s Easy Being Green
A key challenge that participants discussed was the surfacing of bad news. One participant described their company’s risk rating methodology, in which risks are presented in management reports as red/yellow/green. One quarter, a risk report went up through a chain of approval, with the risks “getting greener” at each level of approval, because of a reluctance to surface bad news.
One way to address this problem is to have a scale that relates to an external benchmark. One participant discussed ranking capability in relation to either other business units or competitors. You can use objective evidence to back up, or challenge, the rankings in this scale.
Of course, all measurement has to be done in relation to tolerance, which for many companies is difficult to quantify. In many cases, boards don’t have an inherent sense of risk tolerance, so management has to give the board specific examples that help frame the discussion around tolerance. The issue of tolerance, when discussed in relation to compliance, is a difficult one, and when the general counsel’s office is involved, the conversation is typically short, as there’s no real tolerance for non-compliance from a legal perspective. Further, some organizations are even concerned about having the discussion in the first place. One executive noted the differences between US and UK law on this topic: boards in the UK can refer to discussions about risks as evidence of their discharging their governance responsibilities, whereas in the US boards don’t want to be liable for having discussed, but not fully mitigated, a realized risk.
The airline industry was referenced as one in which zero tolerance has to be the goal, as it’s clearly not acceptable to manage against, say, 1 crash per year or even every 10 years. The question becomes how much you spend to mitigate the risk of ever having a crash. This led to a discussion of catastrophic events and the notional amount at risk simply for being in business.
One participant had an interesting perspective on how boards can think about tolerance. Investors build out their portfolios to reflect their risk/reward profile. They invest in particular companies because of the risk/reward characteristics of that particular company. Boards should always ask, “Are we taking the kinds of risks that are priced in by our investors?” In other words, are we following our stated strategy? Framing the discussion in this light puts a different perspective on risk exposure.
In all, it was a very informative discussion.