Now that we agree on what is a more accurate risk definition, so behind
the name there is a meaning, let’s try to deep dive on risks features. We know
that in a very simplistic way all the risks a combination of likelihood and
impact, you can apply that to a security breach, a compliance risk with the
last regulation or to the risk of running out of battery in your smartphone before
coming back home. Probably we all agree that there are many kind of risks, for
instance many risk managers split between financial and non-financial ones,
which may make us wonder what is the impact for a business if there is no
financial impact, but let’s assume that it’s a way to separate different risks
and activities. In the same way than operational risk and information risk are
different branches of the same thing, it is just a way of specialization, so we
deal with the complexity of each category in a better way.
So looking at the risk categories we may argue for eons about how many
are there and each department should use to keep his activities under control.
Risk categories are not that interesting to me so I will assume that we have the
right list and no elephant is missing in your assessment. Let’s talk instead about
risk behaviour, to understand this attribute we need to think twice about the
impact that this risk is creating to me.
Let’s see some examples:
Case 1: Customer calls lost per minute waiting in the
call centre:
Case 2: Financial penalties per low, medium and high
deviations with a regulation (you name it).
Case 3: Nº
of servers unavailable until service lost… or Russian roulette:
This is kind of binary risk. I guess that Taleb
put the example of the turkey in a Thanksgiving day. 0 risk for 364 days, happy
life, all is sweet until we reach the ‘breaking’ point…
Case 4:
Earthquakes:
Frequency (earthquakes x year) Vs Intensity (Ritcher scale), just in
case that my drawing is not clear, this is logarithmic.
Case 5: Millions (€) lost per day with payment
services down or… Impact of an
undetected security breach in a core banking systems per day or… The the wheat and
chessboard problem (or how a King lost his kingdom).
This is an interesting one and is based on a geometric progression. Red
line represents the bankrupt point. By the way, if you don’t remember the wheat
fable just a picture to visualise it:
Case 6: Impact of personal data breach (millions of
records x millions of €, 62% variance).
In the real world there is a myriad of scenarios, probabilities and
potential outcomes so this risk behaviour seems quite ‘natural’, it’s a
geometric dispersion. What does it mean exactly? It’s just that there is an
infinite number of scenarios that may happen, in many of them we are out of
business or death or we just fail in achieve whatever we want. It depends
on the risk, the important thing is to know the limits and to recognise this
pattern in whatever we are measuring / analysing / giving a professional
judgement.
Case 7: Risk
correlation
Risk C (yellow) as exponential combination of Risk A and B. Increase in inflation > 3%, increase in unemployment and poverty rate.
Ahhh, this is easy, you may think. It’s clear that there are
interdependencies in some cases, we live in a complex world after all.
Citrigroup CEO (January 2008):
“Our financial results
this quarter are clearly unacceptable. Our poor performance was driven
primarily by two factors significant write-downs and losses on our sub-prime
direct exposures in fixed income markets, and a large increase in credit costs
in our U.S. consumer loan portfolio”.
The sub-prime crisis is a great example of how correlations may be missing
(or hidden by greed) sometimes.
Case 8: 30 years mortgage earnings or expected loss in case of customer bankruptcy in the first 5 years (risk upside):
Yes, i know that this should not be here, but there are many risk managers that like to see to the ‘upside’ or the benefits of certain risks, this happens specially in the portfolio management or taking some investing decisions. Investors & traders should look usually at the risk asymmetry, so there is much more upside than downside in whatever they invest on (commodities, securities, etc.). Potentially, any company or country may go bankrupt, actually the lifespan of SP500 companies is getting smaller.
I don’t agree that we should talk about ‘positive’ risk within ‘risk management’ functions, these functions are designed to deal and prevent risks, impacts, anything that may jeopardise the business. But business or intelligence departments may put the opportunities next to the impacts of business decisions, knowing that they have to look at them to keep the risk under control. Risks and opportunities (benefits) are everyday occurrences of laypeople, as discussed in the previous post there is a potential risk and benefit in almost any activity and we are wired to deal with it. However, it's of the uttermost importance to remember that the asymmetry between the risk and benefit shall be considered and measured (the more important the decision, the more accurate the assessment).
Risk properties summary:
Know that we know a little bit more about risks lets recap:
· Events with one or more occurrences, with several causes and several consequences.
· Risks are events with a likelihood.
· They happen in the future, not in the past.
· Depending on the behaviour of the risk, the events have an Impact:
o Linear.
o Binary.
o Ladder scale.
o Logarithmic.
o Geometric progression.
o Geometric dispersion.
o Etc.
· Risks are
independent orcorrelated.
· Risk and benefits are asymmetric and we need to
analyse that (if they are symmetric, where is the business?
And yes, they may be grouped in categories as a way to specialise and deal with them within public or private organizations.
Now that we settled the foundations of what risk is and what do we mean
when we talk about likelihood, impact or behaviour, we can start to talk about
the metarisk, so the risk of risk functions getting this wrong.
https://todoesseguro.blogspot.com/2022/01/the-metarisk-series-i-can-we-agree-on.html
https://todoesseguro.blogspot.com/2022/01/the-metarisk-series-ii-risk-bad.html
0 comentarios:
Publicar un comentario