Webinar: Why are there SO MANY risk assessment methodologies?
We’ll explore that very question during our webinar as we focus on:
1) The purpose of assessing risks
2) Various methodologies
3) Strengths and weaknesses of particular methods
4) How to choose a methodology that’s the most relevant to your business
3. Housekeeping
• The slides for this event will be distributed
afterwards
• The webinar recording will be archived on
easy2comply website
• Q&A at the end
Confidential
4. Webinar Focus
• Purpose of Assessing Risks
• Different Methodologies
• Strengths and Weaknesses
• How to Choose?
Confidential
5. Risk: A Definition
• Possibility of loss or
injury
• Someone or something
that creates a hazard
• Chance of loss to the subject matter of an insurance
contract
• Chance that an investment will lose value
• Potential that a chosen action will lead to an
undesirable outcome
Confidential
6. Risk versus Uncertainty
• Uncertainty is where there are different outcomes
• Risk is your potential exposure to those outcomes
• We can be uncertain about the winner of a contest,
but unless we have some personal stake in it, we
have no risk
• Risk Assessment is
therefore subjective
November 2008: Viewed and Bauer came right down to the line in the Melbourne Cup
Confidential
7. Types of Risks
Examples of
• Market Risk Financial Risks
• Credit Risk Note: We’re not referring to
financial assessment
• Liquidity Risk methodologies but to types of
risk whose nature is financial
• Strategic Risk Examples of Non-
Financial Risks
• Operational Risk
• Business Risk
• IT Risk
Confidential
8. Purpose of Risk Assessment
• To gain a sense of the “size” of the risks
• To prioritise based on our analysis
• To determine a course of action (controls) as
needed
Confidential
9. Webinar Focus
• Purpose of Assessing Risks
• Different Assessment Methodologies
• Strengths and Weaknesses
• How to Choose?
Confidential
11. Scorecards
• Purpose is to attain an overall score for the
risk
– Questions broken into sections
– Each question has a score
– Each section has an overall score
Score: 1
Score: 3
Score: 2
Overall Score: 6
Confidential
12. Questionnaires
• Purpose is to attain a set of descriptive
information about the risk
• Questions and Answers
• Don’t necessarily generate a score; yield
information
Confidential
13. Risk Squares
• Impact and Likelihood
1. What is the impact of this risk to
the ________?
2. How likely is this risk to occur?
• Risk score generated by
multiplying two values
• Variables:
– The scale
– The values
– Odd vs. Even
Confidential
16. Financial Valuation
• How do we get to a $ value instead of “just” a
number?
• Need to understand purpose of valuation
– Prioritisation
– “Real” valuation
• What’s the difference?
• Parameters we could use:
– Direct history
– Insurance data
– Management insight
Confidential
17. Don’t Kid Yourself
• History is history; the future is something else
• Financial valuations are generally no less
reliable than other measures
• How do we aggregate them?
• Do the numbers make sense?
Confidential
18. Scenario Analysis
• Top-down approach to identify major risk
scenarios
• Will use heavy combination of subjective and
objective data
• Incorporates many people into the process
• Single scenario:
– Real history
– Insurance coverage
– Overall control environment
– Ownership
– Potential loss expression
– “Other” impacts Confidential
19. Top-Down vs. Bottom-Up
• Different purposes
• Scenarios at top level are generally strategic
• Risks at lower level are generally for business
management
• Need to find a way to link them
Confidential
20. Linking the Data Together
• Generate the risk S1 S2 S3 S4 S5
scenarios
• Use them as part of
the risk classification
• Allow business to R1 R2 R3 R4 R5
identify their own risks R6 R7 R8 R9 R10
• Map low-level risks to R11 R12 R13 R14 R15
the higher-level
scenarios
Confidential
21. Linking the Data Together
• Ensures that business S1 S2 S3 S4 S5
has freedom to think
out of the box
• Gives executive
management a view on R1 R2 R3 R4 R5
how risk scenarios are R6 R7 R8 R9 R10
expressed throughout R11 R12 R13 R14 R15
the business
Confidential
22. Risk Surveys
• Collaborative approach
• Sit round a table, or via teleconference, and
everyone has an opinion
• Lots of input
Confidential
23. Webinar Focus
• Purpose of Assessing Risks
• Different Assessment Methodologies
• Strengths and Weaknesses
• How to Choose?
Confidential
24. Common Factors
• All approaches have a fundamental common
theme
Identify Assess Respond
• Methodology choice is very personal
Confidential
25. How do we Identify Risks?
• Do we let them tell us what their risks are?
• Do we tell people what their risks are?
• How do we stop “the lost pencil” effect?
Blank Sheet Templates
Confidential
26. The Blank Sheet Approach
• Business identifies their own
risks
• Based on their own
knowledge and
understanding
• Accountability and
responsibility for the
process
• Submit the data back to
central team
Confidential
27. The Template Approach
• Risk department build
template
• Pre-defined risks
• Business asked to assess
the risks
• Submit the data back to
the risk team
• Allows for standardization
Confidential
28. Strengths and Weaknesses
• Template Approach
• We never create the opportunity for creativity
• We never reinforce ownership (“not my risks”)
• Blank Sheet Approach
• Too much creativity / lacks balance
• Difficult to compare and aggregate
• Too much work (“I don’t have time for this”)
Confidential
29. Which is the “Worst” Risk?
Risk
Impact
R1 R2 R3 R4 R5 R6 R7 R8 R9
Confidential
30. Webinar Focus
• Purpose of Assessing Risks
• Different Assessment Methodologies
• Strengths and Weaknesses
• How to Choose?
Confidential
31. Remember the Purpose
• To gain a sense of the “size” of the risks
• To prioritise based on our analysis
• Most important thing is to have a
standardised approach and the ability to
compare
• Don’t spend months choosing a methodology
– get something that is sensible and is
practical
• Don’t be nervous to amend it over time
Confidential
32. How do we Respond to Risks?
• Risk Assessment gives us our opportunity to
respond accordingly
– Accept / Tolerate
– Mitigate / Add Controls
– Insure
– Review
Confidential
