7 January 2022

The metarisk series (II), risk (bad) behaviour

 

Now that we agree on a more accurate definition of risk, so that there is a meaning behind the name, let’s dive deeper into the features of risks. We know that, in a very simplistic way, all risks are a combination of likelihood and impact; you can apply that to a security breach, a compliance risk with the latest regulation or the risk of running out of battery on your smartphone before getting back home. We probably all agree that there are many kinds of risk; for instance, many risk managers split them into financial and non-financial ones, which may make us wonder what the impact for a business is if there is no financial impact, but let’s assume that it’s a way to separate different risks and activities. In the same way, operational risk and information risk are different branches of the same thing; it is just a form of specialization, so that we deal with the complexity of each category in a better way.

So, looking at the risk categories, we may argue for eons about how many there are and which ones each department should use to keep its activities under control. Risk categories are not that interesting to me, so I will assume that we have the right list and no elephant is missing from your assessment. Let’s talk instead about risk behaviour. To understand this attribute we need to think twice about the impact that this risk is creating for me. Let’s see some examples:

Case 1: Customer calls lost per minute waiting in the call centre:


This seems quite linear… so the more minutes, the more customer calls lost. Ok, no rocket-science.

Case 2: Financial penalties for low, medium and high deviations from a regulation (you name it).


Well now the picture is changing… is this a ladder? Do we have thresholds?

Case 3: Nº of servers unavailable until service lost… or Russian roulette:


This is a kind of binary risk. I guess that Taleb used the example of the turkey on Thanksgiving Day. 0 risk for 364 days, happy life, all is sweet until we reach the ‘breaking’ point…

Case 4: Earthquakes:

Frequency (earthquakes per year) vs. intensity (Richter scale). In case my drawing is not clear, this is logarithmic.

Case 5: Millions (€) lost per day with payment services down or… Impact of an undetected security breach in a core banking system per day or… The wheat and chessboard problem (or how a King lost his kingdom).


This is an interesting one, and it is based on a geometric progression. The red line represents the bankruptcy point. By the way, if you don’t remember the wheat fable, here is a picture to visualise it:


Case 6: Impact of personal data breach (millions of records x millions of €, 62% variance).


In the real world there is a myriad of scenarios, probabilities and potential outcomes, so this risk behaviour seems quite ‘natural’: it’s a geometric dispersion. What does that mean exactly? Just that there is an infinite number of scenarios that may happen; in many of them we are out of business or dead, or we just fail to achieve whatever we want. It depends on the risk; the important thing is to know the limits and to recognise this pattern in whatever we are measuring, analysing or giving a professional judgement on.

Case 7: Risk correlation


Risk C (yellow) as an exponential combination of Risk A and B. Increase in inflation > 3%, increase in unemployment and poverty rate.

Ahhh, this is easy, you may think. It’s clear that there are interdependencies in some cases, we live in a complex world after all.

Citigroup CEO (January 2008):

“Our financial results this quarter are clearly unacceptable. Our poor performance was driven primarily by two factors: significant write-downs and losses on our sub-prime direct exposures in fixed income markets, and a large increase in credit costs in our U.S. consumer loan portfolio”.

The sub-prime crisis is a great example of how correlations may be missing (or hidden by greed) sometimes.

Case 8: 30-year mortgage earnings or expected loss in case of customer bankruptcy in the first 5 years (risk upside):


Yes, I know that this should not be here, but there are many risk managers who like to look at the ‘upside’ or the benefits of certain risks; this happens especially in portfolio management or when making investment decisions. Investors and traders should usually look at the risk asymmetry, so that there is much more upside than downside in whatever they invest in (commodities, securities, etc.). Potentially, any company or country may go bankrupt; in fact, the lifespan of S&P 500 companies is getting shorter.

I don’t agree that we should talk about ‘positive’ risk within ‘risk management’ functions; these functions are designed to deal with and prevent risks, impacts, anything that may jeopardise the business. But business or intelligence departments may put the opportunities next to the impacts of business decisions, knowing that they have to look at them to keep the risk under control. Risks and opportunities (benefits) are everyday occurrences for laypeople; as discussed in the previous post, there is a potential risk and benefit in almost any activity and we are wired to deal with it. However, it's of the utmost importance to remember that the asymmetry between risk and benefit shall be considered and measured (the more important the decision, the more accurate the assessment).

Risk properties summary:

Now that we know a little bit more about risks, let’s recap:

·  Events with one or more occurrences, with several causes and several consequences.
·  Risks are events with a likelihood.
·  They happen in the future, not in the past.
·  Depending on the behaviour of the risk, the events have an impact:
   o  Linear.
   o  Binary.
   o  Ladder scale.
   o  Logarithmic.
   o  Geometric progression.
   o  Geometric dispersion.
   o  Etc.
·  Risks are independent or correlated.
·  Risks and benefits are asymmetric and we need to analyse that (if they are symmetric, where is the business?).

And yes, they may be grouped in categories as a way to specialise and deal with them within public or private organizations.

Now that we have settled the foundations of what risk is and what we mean when we talk about likelihood, impact or behaviour, we can start to talk about the metarisk, that is, the risk of risk functions getting this wrong.

https://todoesseguro.blogspot.com/2022/01/the-metarisk-series-i-can-we-agree-on.html

https://todoesseguro.blogspot.com/2022/01/the-metarisk-series-ii-risk-bad.html

