The Failure of Risk Management, by Douglas W. Hubbard (page 27)
CURRENT RISKS AND HOW THEY ARE ASSESSED
The Aon, Protiviti, and EIU surveys all asked respondents about their biggest risks. Of course, any snapshot of which risks are perceived as the biggest is probably transient, but here is the current one.
Exhibit 2.1 summarizes the top five risks in each of these surveys. All three lists differ, but note that there is somewhat more agreement between Aon and Protiviti than either of those has with EIU. This may be because EIU asked specifically about risks in the next twelve months, whereas the other two organizations did not specify a time frame. Perhaps the EIU respondents felt that their risks were more relevant in the very near term.
These risk-ranking surveys have been conducted for many years and will probably continue for the foreseeable future, but we should also ask how organizations determined that these risks were their main concerns. On that question, these three surveys did not get into many specifics. That is the gap the HDR/KPMG surveys tried to fill. Armed with all of this research, here is what we found:
EXHIBIT 2.1 Current Top Risks According to Three Surveys

| Protiviti | Aon | EIU |
|---|---|---|
| Disruptive technologies | Damage to reputation | Weak demand |
| Internal resistance to change | Economic slowdown | Market instability within own industry |
| Cyber threats | Increasing competition | Difficulty raising financing |
| Regulatory changes | Regulatory changes | Labor (skills shortage, strikes, etc.) |
| Timely identification and escalation of risks | Cyber threats | Exchange rate fluctuation |
Respondents would mostly say their methods are "formal": The 2017 Aon study found that 60 percent state they have adopted formal or partially formal approaches to risk management. The share that says it has a formalized risk management approach rises with the size of the firm; 96 percent of firms with revenue over $10 billion say they use a formalized approach. About 70 percent overall would claim to have a formal or partially formal approach.
Formal mostly means "qualitative procedure," not quantitative: The HDR/KPMG survey found that what these $10 billion firms mean by formal is mostly (74 percent) a qualitative ranking or scoring method, perhaps using some form of the qualitative risk matrix. This is about the same for companies under that revenue threshold (78 percent). Only 16 percent of firms with revenue over $10 billion (and 20 percent of firms of all sizes) say they use quantitative methods; that is, they use explicit probabilities derived from mathematical and empirical methods, using simulations and other tools familiar to actuaries, statisticians, or quantitative risk analysts. Of those who use quantitative methods, the most common is Monte Carlo simulation (85 percent), followed by statistical analysis of historical data (77 percent). Less common are methods such as Bayesian statistics (56 percent) or utility theory (17 percent).
There are obstacles to the adoption of quantitative methods, but adoption is feasible: In the 2007 Protiviti survey, 57 percent said they quantify risks "to the fullest extent possible," up from 41 percent in 2006. Because, as we noted, only 20 percent of all firms use some form of actual probabilistic method, it would seem that most respondents in the Protiviti survey do not consider such methods possible. In fact, our survey found that 42 percent cited "skepticism about the practicality and effectiveness" as an obstacle to the adoption of quantitative methods. Yet our survey also showed that those who use quantitative methods such as simulations and statistical analysis come from a variety of industries and company sizes. Even though quantitative methods are common in some industries (finance, insurance, etc.), the users outside of those industries are arguably as diverse as the users of qualitative methods. Evidently, active users of these methods exist in the same industries and contexts as the skeptics.
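To make the distinction between these two kinds of "formal" concrete, here is an added example (not code from the book or its surveys) that puts the qualitative scoring most respondents report beside the Monte Carlo approach the quantitative minority reports. The 5x5 matrix scale, the rating rules, the 10 percent annual event probability, the $100k to $10M 90% confidence interval on impact, and the lognormal impact model are all assumptions for illustration, not figures from the page.

```python
import math
import random

# Standard-normal 95th percentile: a 90% confidence interval spans +/- this many sigmas.
Z90 = 1.6448536269514722


def matrix_score(likelihood: int, impact: int) -> int:
    """Qualitative risk-matrix score: two 1..5 ratings multiplied together.

    The 5x5 scale is an assumption for illustration, not a standard. The
    score carries no units, no probability, and no loss amount."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("ratings must be integers from 1 to 5")
    return likelihood * impact


def lognormal_params(lo: float, hi: float):
    """Turn a 90% confidence interval (lo, hi) on a positive quantity into
    the (mu, sigma) of a lognormal distribution whose 5th and 95th
    percentiles are lo and hi."""
    if not 0 < lo < hi:
        raise ValueError("need 0 < lo < hi")
    mu = (math.log(lo) + math.log(hi)) / 2
    sigma = (math.log(hi) - math.log(lo)) / (2 * Z90)
    return mu, sigma


def simulate_annual_loss(p_event, lo, hi, trials=100_000, seed=1):
    """Monte Carlo: each trial is one year. The event occurs with
    probability p_event; if it does, its cost is drawn from the lognormal
    fitted to the 90% CI (lo, hi). Returns the list of simulated annual losses."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    mu, sigma = lognormal_params(lo, hi)
    losses = []
    for _ in range(trials):
        if rng.random() < p_event:
            losses.append(rng.lognormvariate(mu, sigma))
        else:
            losses.append(0.0)
    return losses


def summarize(losses, threshold):
    """Expected annual loss and the probability that a year's loss exceeds
    `threshold` (one point on a loss-exceedance curve)."""
    n = len(losses)
    expected = sum(losses) / n
    p_exceed = sum(1 for x in losses if x > threshold) / n
    return expected, p_exceed


def analytic_expected_loss(p_event, lo, hi):
    """Closed form for comparison: p_event times the lognormal's mean."""
    mu, sigma = lognormal_params(lo, hi)
    return p_event * math.exp(mu + sigma ** 2 / 2)


if __name__ == "__main__":
    # Constructed example risk (all numbers are assumptions): rated
    # "likelihood 2, impact 4" on the matrix, versus a 10% annual probability
    # with a 90% CI of $100k to $10M on the cost if it happens.
    print("matrix score:", matrix_score(2, 4))
    losses = simulate_annual_loss(p_event=0.10, lo=100_000, hi=10_000_000)
    expected, p_exceed = summarize(losses, threshold=1_000_000)
    analytic = analytic_expected_loss(0.10, 100_000, 10_000_000)
    print(f"expected annual loss: ${expected:,.0f} (analytic ${analytic:,.0f})")
    print(f"P(annual loss > $1M): {p_exceed:.3f}")
```

The matrix yields a unitless 8 that cannot be compared against a control's cost or a risk appetite stated in dollars; the simulation yields an expected annual loss and an exceedance probability that can. With the interval's geometric midpoint at $1M, half of the events that occur cost more than that, so the exceedance probability at the $1M threshold converges on 0.05.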
These surveys agree with my personal experience on some key points. I see that most organizations who say they follow a formal method are merely saying they follow a defined procedure. Whether that defined procedure is based on mathematically and scientifically sound principles, on what has been measured to work, is another question altogether. (More on that later.) Exhibit 2.2 summarizes which risk assessment methods are used, according to the HDR/KPMG survey.
Each of the categories in Exhibit 2.2 contains many specific variations, so let's look at each of them in more detail.
EXHIBIT 2.2 Summary of Risk Assessment Methods Used According to the HDR/KPMG Survey

| Method | Percentage of Respondents Using |
|---|---|
| Risk matrix based on a standard (ISO, NIST, etc.) | 14 |
| Internally developed risk matrix | 27 |
| Other qualitative scoring or ranking method | 32 |
| Probabilistic methods (math-based, e.g., simulations, statistical/empirical methods, etc.) | 20 |
| Everything else (including expert intuition and various auditing methods) | 7 |