Article: Parameterized Risk Analysis 2.0
I. INTRODUCTION:
This article aims at discussing the effectiveness and suitability of applying a qualitative model (Parameterized Risk Analysis 2.0) in risk management in order to supplement quantitative models in some specific situations, comparing the basic advantages and disadvantages of each modelin accordance with a specific situation.
The methodology applied in this case study was the Parameterized Risk Analysis 2.0, which has been carrying out in a Brazilian company for more than 4 years in a roll.
- SUPPORTING IDEAS:
The effectiveness of applying a specific qualitative model (Parameterized Risk Analysis 2.0) in risk management to supplement quantitative models is particularly important for the insurance industry in some cases well known as fat tail or when they do not have a reliable statistic base or for risk managers in general due to the lack of track record in regular companies or the lack of enough data to apply statistics models. In both cases, there is a lot of demand to use qualitative models, no matter from which industry the demand comes from.
The Instituto Brasileiro de Governança Corporativa (Brazilian Institute of Corporative Governance) entices companies to employ qualitative methods to assess their risks instead of using qunatitative ones. Therefore, there is a huge demand for a robust qualitative model to complement the traditional quantitative models employed traditionally in some areas.
- GOALS:
The main goal in this article is to prove the effectiveness of a specific qualitive methodology (Parameterized Risk Analysis 2.0) for risk managersand underwriters (when are not able to apply quantitative models to deal withsome specific risks).
Other goals refers how this methodology is applied to:
- identify risks
- identify vulnerability in protective systems
- establish a clear cause-effect relationship between protective systems and expected losses
- mitigate and to control risks
- establish a clear limit between quantitative and qualitative model (Parameterized Risk Analysis 2.0)applied in the main phases of a risk management process
II.LITERATURE REVIEW:
This study is supported by some specific research lines:
- Qualitative models and methodologies:
- Parameterized Risk Analysis 2.0:
- Manual Prático do Planejamento e da Gestão de Riscos
(José A. Guagliardi, Nelson Ricardo F. da Silva e Roberto C. Ribeiro)
- Manual Prático da Gestão de Riscos e Seguros
(José A. Guagliardi, Nelson Ricardo F. da Silva, Alfredo Chaia e José L. Júnior)
- COSO and COSO ERM Manuals: Comission of Sponsoring Organization
- Harvard Methodology:
- Booklet from HBS Executive Course: Risk Management Course (Robert Kaplan/Anette Mike)
- Quantitative models and methodologies:
- Risk Quantitative Decision Making Process Method
(Alexandre Bess)
III.METODOLOGIA:
The methodology applied to test the model consists of a practical case study implemented in a Brazilian Company (Logistics Operator) during 4 years and a 80-hour course (a 40-hour focused training and a 40-hour practical case solution) with several executives from different industries with different background (marketing, finance, risk management, operations etc) and having different seniority levels. They were splited in 8 groups and they applied the methodlogy in 8 different companies.
The methodology was taught to them step by step taking into consideration the main concepts in risk management and making comparison between the model analysed (Parameterized Risk Analysis 2.0) and COSO / COSO ERM methodology as well as alerting the key points where quantitative models are more suitable and how to use the methodology to accommodate these models (quantitative ones).
The experiment end up with the groups presenting a practical work (composed of a quick business analysis, risk identification, risk assessment, vulnerability assessment, risk mitigation recommendations and key process control actions). These executives gave their feedbacks during the entire course and specially during this presentation. Furthermore, they were formally interviewed after the course.
Another valuable source of information was the interviewing process led by the research team with executives from the company in which the methodology (Parameterized Risk Analysis 2.0) has been carried out for more than 4 years. Some key executives were interviewed and passed their impressions and concerness referring to the risk management process implemented in the researched company.
After collecting all this information, the material was scrutinized by some risk managers, risk consultants and insurance professionals to come to a robust and a clear conclusion.
The main conclusions in this study comes from this process.
IV.FINDINGS:
Methodology Overview:
Parameterized Risk Analysis 2.0 methodology is a four-step methodology that is based on the principle of balancing risk level with protective system effectiveness level. The main concept behind the methodology is to be able to measure the risk level, contrastingagainst the level of effectiveness on the protective systems in order to balance them and to reduce the possibility of a risky event occurs by employing a suitable level of resources to mitigate it.
The four phases to implement the methodology are: Business Awareness, Risk Analysis, Vulnerability Analysis and Risk Mitigation.
The first phase focus on uderstanding the business and to define which are really critical risks for the business.
The second phase sets out to assess the critical risks in terms of likelihood and impacts. The likelihood is a likelihood estimation based on qualitative models obtained by defyning variables and classifying them in accordance with classification boards. The impacts are assessed in a similar way.
The third phase aims at measuring the level of effectiveness in the protective system sets linked to each risk. This phase provides a gap analysis of the protective systems and establishes a Vulnerability Indexto each protective system.
The fourth phase refers to the Risk Mitigation Process. Based on some analysis (Risk Analysis, Vulnerability Analysis, process analysis etc), the risk manager is able to define a clear mitigation plan to reduce the risk factors and the level of vulnerability in order to keep the risk under control in accordance with an acceptable limit.
Phase 1: Business Awareness
This phase aims at understanding which kind of business the organization makes and its grand strategy in order to be able to have a clear idea about which type of risks can affect itskey success factors, its strategic goals, its value proposition and its mission. Based on this information, the risk manager is able to define the critical risks thatcan affect the organization and to produce a critical risk list. There are some ways to get inputs and insights to define these risks:
- to interview executives
- to interview the counsil members
- to interview staff in critical functions
- to analyse the Canvas Business Model
- to analyse business plans
- to analyse the company´s BSC
- to analyse the company´s balance sheet
- to analyse market reports
- to analyse critical KPIs
- to analyse other financial documents
- to analyse past losses
- to analyse specialized reports
Normally, the only quantitative model appyiedin this phase refers to past losses analysis. It is very difficult to apply statistics when we are discussing strategy in a broad sense. The most common way to estimate the strategy assertivenessis based on specialists´ opinions.
The case study did not take into consideration statistics tools in this phase except for analysing the main operational losses. The main reason to not use statistics tools is the lack of track record. Furthermore,risks linked to fail in strategy is not too easy to be assessed quantitatively. Most of the time they are based in hypotesis of fail.
The main deliverable in this phase is the Critical Risks List. This list contains the risk that will be considered critical to the organisation and will be in the risk management plan to be managed by the risk managemnt department. This list will be the base for the next phases.
The Parameterized Risk Analysis 2.0 Method performs similar to other methods (COSO, COSO ERM, ISO 31.000and Haravard Risk Management Method) in this phase. However, the main difference is it integrates features from the previous ones in a single framework. The method follows similar procedures to understand strategy and to understand the contex by interviewing executives and analysisng data like COSO or ISO 31.000, but it also gives similar attention that the Harvad Method gives to analyse BSC andlinking risks to strategic objectives as well.
Referring to strategic risks, the quantitative models are not able to deal very well with these issues. We can rarely find some statistics about some specific startegic risks. Normally, making predictions of these risks involves a lot of specialists opinion following qualitative models.
Phase 2: Risk Analysis
This phase is characterized by defining measures toassess risks in terms of likelihood (chances to happen)and impact(tangible and intangible consequences). The main deliverable in this phase is the Risk Matrix. A matrix where risks are ploted considering their impacts and theirestimated likelihood.
The first step is to define the critical variables that can influence a specific risk event to happen. They are crutial to define the formula to be applied to measure a specific risk event considering its impact and its likelihood.
The Parameterized Risk Analysis 2.0 admits to have different variables (and as a consequence diferent formulas) to measure different types of risks. This is an approach that is different from the approach used by some largest consulting companies. Normally, they apply a single model, considering the same variables to measure all types of risks. Therefore, this kind of single model causes more distortions to assess risks. It is impossible to assume that a risk of a reactor explosionis influenced by the same variables of a risk of financial liquidity.
To assess impact, Parameterized Risk Analysis 2.0 adopts (normally) the following variables to assess the impact´s consequences of a specific risk:
Variable / Sub-variables / Indicators / What does it measure ?Financial Loss / - EBTDA
- Acid Test / Cover Ratio / How harmful is the impact in terms of financial loss
- Impacts on EBTDA
- Impacts on Financial Liquidity
Image / - Credibility
- Extension / How much the risk event impacts image
- Impacts on credibility
- Extension in media
Recovery / - Function
- Substitution (Chageability) / How much time is needed to recovery from a risk event
- Impacts on the main function (makes impossible to accomplish the mission due to the loss)
- Difficulty to substitute the loss
Law / - Impacts due to break laws or regulations
Referring to impact assessment, Parameterized Risk Analysis 2.0 adopts a qualitative approach in order to make easier to capture intangible variables such as impactson company´s image. Normally, quantitative models are not able to capture this variable or the costs to do so is prohibitive.
The Parameterized Risk Analysis 2.0 employs classification boards toassess eachvariable in 1 or 2 steps, dependson the sistuation. Each board classifies in 5 level (very low, low, middle, high and very high) each variable. The weights defined in the formula come from Delphi Panel studies carried out by specialists (risk managers, risk engineers, underwriters etc). See the example below taking into consideration 2 variables (Law and Image):
Example 1: Variable Law
This variable refers to the impact of the risk event assessed has over law implications such as fines or even a formal prohibition by court of continuing in business. Law was assessed applying a single step process, utilizing the classification board below:
Impact Classification Board: Variable Legal (L)Escale / Points
Very High / 5
High / 4
Medium / 3
Low / 2
Very Low / 1
The chosen number is substituted in the formula afterward.
Example 2: Variable Image
This variable refers to the impact of the risk event assessed has over the organisation´s image, taking into consideration its credibility and the extension of the risk event in the mass media means. Therofore, this variable (image) is assessed by measuring two sub-variables (credibility and extension).
Image was assessed applying a two-step process, utilizing the classification boards below:
- First Step
This step consists of classifying the sub-variables (credibility and extension)
Sub-variable Credibility (C)
Impact Classification Board: Variable Image (I)Sub-variable Credibility (C)
Escale / Points
Very High / 5
High / 4
Medium / 3
Low / 2
Very Low / 1
This sub-variables defines how much the organizsation´s credibility is affected by the risk event.
Sub-variable Extension (E)
Impact Classification Board: Variable Image (I)Sub-variable Extension (E)
Escale / Points
Very High / Globally / 5
High / Nationally / 4
Medium / Regionally / 3
Low / Locally / 2
Very Low / Individually / 1
This sub-variables defines which scale the risk event will be explored, how much people will know about the fact.
- Second Step
This step consists of calculating the variable Image based on its sub-variables results. The results obtained from the sub-variables´classification are multiplied between themselves and the generated result is substituted in the Image´s variable classification board, depicted below:
Variable Classification Board: Imagem (I)Escala / Results from
Credibility x Extension / Points
Very High / 20 – 25 / 5
High / 16 – 19,99 / 4
Medium / 9 – 15,99 / 3
Low / 4 – 8,99 / 2
Very Low / 1 – 3,99 / 1
The points obtained from the Image´s classification board is substituted in the Impact Quantificationformula afterwards.
The basic formula to define the impact is:
IQ = / FL x 2 + R x 3 + I x 3 + L x 210
The values obtained by classisfying each variable should be substituted in the impact formula. The basic formula covers the most types of risks. However, some variables can not make sense for some risks and the formula has to be adjusted in these cases. Sometimes, it is necessary to create new variables and their classification boards.
To assess estimated likelihood, Parameterized Risk Analysis 2.0 adopts (normally) the following variables to assess the likelihood´s consequences of a specific risk:
Variable / Sub-variables / Indicators / What does it measure ?Event History (EH) / - Loss History
- Specialist analysis / Compare the supposed risk event against past loss events caused by this type of risk (against Market benchmarking or statistics bases)
Exposition (Ep) / - Static risk: value involved
- Dynamic Risk:
Frequency of exposition / How much exposition is to the threat
- how big is the amount of Money involved
- how many times occurs a risky operation
Attractiveness (At) / - How much the type of the product or the operation can atrack threats and increase the risk level
Social Environment (SE) / - How the external environment influences the chances to happen a risk event
Geographic Environment (GE) / - How the geography can affect a risk event
Vulnerability Index / - Material Resources
- Intellectual Capital
- Rules & Procedures
- Management Capacity
-Organisational Culture / - How the protective systems can affect a risk event
In fact, the Parameterized Risk Analysis 2.0 is not able to measure likelihood due to not employ statistics. Nevertheless,it can estimate likelihood. The formula below shows how the methodology defines likelihhod estimations:
LE = EH x Ep x SE x At X GE x VI x 100
5^N
The formula is exponencial because the factors in the equation are variables that multiply among themselves. The relationship is not an additional one, but the variables potentialize among themselves by multiplying. If we consider the variables Event History and Exposition to define the Likelihood Estimation of a specific risk event, we can clearly perceive their relationship occurs by multiplying themselves. The Event Historyrefers to the general chance of a risk event to occur such as the probability of stealing a car in a specific city based on local statistics data from this area. Exposition refers to how often the car is exposed to the risk, how many times the car is on the streets close to its possible threats.
The equation multiplies by 100 in order to obtain a number multiple of one-hundred to pass the same idea of probability.
The fluctuating formulas admit different variables to measure each risk and the 2 level of board classification makes this methodology much more precise than the traditional qualitative methods. Contrasting to qunatitative methods, to define the impact level this methodology takesinto consideration variables such as image and legal making more holistic its assessing process.
Another point to be considered is the fact that the level of the protective systems effectiveness (Vulnerability Index – VI) are considered to calculate the Estimated Likelihood (EL), being one of the fews methodologies to do so.
It worths to state Vulnerability Index (the protective systems effectiveness) is the only variable that depends exclusevely on the risk managers´actions to improve it. As a consequence, the mathematical model establishes a clear relationship between the level of the protective systems effectiveness andthe Estimated Likelihood, leading risk managers to make correct decisions in terms of prioritizing investments in protective systems.
The exponential formula to calculate the Estimated Likelihood is more accurate than the linear ones that are constantly employed by some consulting companies. The effectiveness of this formula referring to the risk behaviour can be analysed and confirmed by contrasting simulationsof a risk event data calculated by several qualitative models against each other and contrast all of them against a quantitative model in order to define their accurance level (as long as you have a reliable data bank referring to the risk event considered). The most practicalwaytodo so is the company´s risk management carry out his analysis (employing qualitative models) and contrats the results against the analysis carried out by the insurances´ underwriters(employing quantitative models).
Furthermore, the methodology is very useful to calculate risks in some cases in which are impossible to apply quantitative models.Applying quantitative models to define effectiveness of a specific protective device or to measure how much a specific device is effective to reduce a specific risk is almost impossible in a practical way (considering the fact we have a lot of devices dealing with several risks at the same time to do so and having different levels of effectiveness when they are applied alone and combined).