So far, we have been concerned with defining risk and with answering two questions: what types of risk and how much risk is an organisation exposed to?
In this context, risk can be described as an uncertain future outcome that will improve or worsen the organisation’s position. Risk can be expressed in probabilities of an upside or a downside outcome.
Risk management is the process whereby an organisation assesses the types and degrees of risk to which the business is exposed, the effects of those exposures and then formulates a risk mitigation strategy. The process as we have described it can be broken down into five stages:
- Stage 1: Identify risk exposures
- Stage 2: Measure and estimate risk exposures
- Stage 3: Assess effects of exposures
- Stage 4: Form a risk mitigation strategy
- Stage 5: Evaluate performance.
The major risk categories include market, credit, liquidity, operational, legal and regulatory, business, strategic and reputational.
There are two main ways of thinking about the possible results of a risk exposure: the expected return method, or weighing each possible outcome against the return it offers. Expected return is calculated by summing, over every possible outcome, the value of that outcome multiplied by its probability. An organisation can then accept an avoidable risk only if its expected return is positive, choose the option with the highest expected return, and avoid, where possible, any option that carries a catastrophic outcome, however unlikely.
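The following is an added worked example, not part of the original text: it computes expected return as the probability-weighted sum of outcomes and applies the three rules above (reject non-positive expected return, reject catastrophic outcomes, then take the highest expected return). The options, payoffs, probabilities and the ruin threshold are constructed, hypothetical figures chosen so that the option with the best expected return is also the one with a catastrophic tail.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Outcome:
    """One possible result of a risk exposure (constructed, hypothetical figures)."""
    probability: float
    payoff: float  # positive = gain, negative = loss, one monetary unit throughout


def expected_return(outcomes: List[Outcome]) -> float:
    """Sum of every outcome's payoff weighted by its probability.

    The probabilities must form a complete distribution; a total away from 1.0
    means an outcome was forgotten or double counted, so refuse to compute.
    """
    total = sum(o.probability for o in outcomes)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"probabilities sum to {total}, not 1.0")
    return sum(o.probability * o.payoff for o in outcomes)


def has_catastrophic_outcome(outcomes: List[Outcome], ruin_loss: float) -> bool:
    """True if any single outcome loses at least ruin_loss, whatever its probability.

    ruin_loss is an assumed, organisation-specific figure (the loss the
    business could not survive), not something the text quantifies.
    """
    return any(o.payoff <= -ruin_loss for o in outcomes)


def choose_option(options: Dict[str, List[Outcome]], ruin_loss: float) -> Optional[str]:
    """Apply the decision rules: drop options with non-positive expected return,
    drop options with a catastrophic outcome, then take the highest expected
    return of what remains. Returns None if nothing qualifies."""
    acceptable = {}
    for name, outs in options.items():
        ev = expected_return(outs)
        if ev > 0 and not has_catastrophic_outcome(outs, ruin_loss):
            acceptable[name] = ev
    if not acceptable:
        return None
    return max(acceptable, key=acceptable.get)


# Constructed sample of four avoidable risks (hypothetical numbers).
# D has the highest expected return but a 1% chance of a ruinous loss;
# B looks safe 95% of the time yet has a negative expected return.
OPTIONS: Dict[str, List[Outcome]] = {
    "A": [Outcome(0.70, 100.0), Outcome(0.30, -50.0)],
    "B": [Outcome(0.95, 80.0), Outcome(0.05, -2000.0)],
    "C": [Outcome(0.50, 200.0), Outcome(0.50, -120.0)],
    "D": [Outcome(0.99, 70.0), Outcome(0.01, -1000.0)],
}

if __name__ == "__main__":
    for name, outs in OPTIONS.items():
        worst = min(o.payoff for o in outs)
        print(f"{name}: expected return {expected_return(outs):.1f}, worst case {worst:.0f}")
    print("chosen with ruin threshold 500:", choose_option(OPTIONS, ruin_loss=500.0))
```

With a ruin threshold of 500, option D is excluded despite the best expected return and A is chosen; raising the threshold to 5000 makes D acceptable and it wins. The point the numbers make is that expected return alone would rank D first, which is exactly why the text pairs the expected return rule with a separate check for catastrophic outcomes.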
This expected return analysis leads to the collection of data on:
- why the organisation is exposed and whether the risk is avoidable
- the size of the risk – graded perhaps from 1 to 10 (an exercise that is admittedly difficult if you are solely relying on qualitative assessments)
- the warnings of possible catastrophic outcomes
- the costs of accepting or avoiding risks
- the identification of links to other risks.
The allocation of risk capacity can then be done by ranking risks as follows:
- risk unavoidable except by ceasing non-core activity
- avoidable risk, core activities
- avoidable risk, non-core activities
- selectable risk.
We now turn to examine in some detail one of the risks faced by all organisations – operational risk.