Business Risk and Simulation Modelling in Practice - Rees Michael
Part I
An Introduction to Risk Assessment – Its Uses, Processes, Approaches, Benefits and Challenges
CHAPTER 1
The Context and Uses of Risk Assessment
1.3 Key Drivers of the Need for Formalised Risk Assessment in Business Contexts
Generally, risk assessment will be useful where there is a significant level of investment (i.e. non-reversible commitments in money, time, resources or reputation), and where there is inherent uncertainty (as there usually is in any future situation). More specifically, the key drivers of the need for formalised risk assessment in business contexts include:
• The complexity of typical projects.
• The size and scale of the decisions, in terms of financial and other resource commitments.
• The need to provide support to the procedures required to identify and authorise mitigation actions, or to change project structures, and to assign responsibilities for executing the required measures.
• Corporate governance requirements, both in a formal sense relating to specific guidelines or regulations, and in the sense of optimising executive management and decision-making, i.e. to make decisions that are the best ones that can be made, are not just adequate, and create some competitive advantage.
• The frequent need to support decisions with quantified analysis.
• The need to be able to reflect risk tolerances in decision-making and in business portfolio design, and to be able to compare projects of different risk profiles.
These are discussed individually below.
1.3.1 Complexity
Clearly, as projects become more complex, it becomes more likely that informal or intuitive risk assessment processes will be inadequate, with risks overlooked or underestimated. On the other hand, in some cases, an intuitive awareness that one may be underestimating risks may – in the absence of a more formalised process – be overcompensated by planning with excessive contingency or pessimism; this can also be detrimental (discussed further in Chapters 4 and 5).
The notion of complexity may take several forms:
• Technical complexity, or the level of specialist knowledge required. A business project will often involve issues of a technical nature that cannot be fully understood, dealt with or mitigated without the involvement of experts.
• Organisational complexity. The cross-functional nature of many business projects means that one must rely on inputs from a wide variety of people of different expertise. In some cases, there may also be third-party resources, contractors, partners or government departments involved.
• Interactions. Even where individual risks are identified and managed reasonably well using informal approaches, the possible effects of a large number of risks on the key aggregate metrics of project success (cost, time, quality, etc.) are hard to estimate by purely intuitive methods; this is even more the case when there are interdependencies between them, such as the knock-on effects on other project tasks if one particular activity is delayed. Such interactions can easily be overlooked, but – even where identified – their existence can make it more challenging to develop an understanding of the aggregate impacts of risks, and to correctly assess the value of various mitigation measures. Formal processes and the appropriate tools can help to address such issues in a more robust and transparent manner.
• Lack of previous experience with certain key elements. The more experience one already has with similar situations, the lower the level of complexity: if all elements of a project were essentially identical to those in many other already-implemented projects, then prior experience should be invaluable in designing projects and optimising their risk profile. On the other hand, where a project has non-standard components (e.g. in terms of technical, product, geographic, legal, regulatory, environment, team resources, or the requirement for the involvement of a wider than usual set of organisational departments), then there is a higher likelihood that it contains risks that may be overlooked or underestimated. Even where previous experience exists, an excessive reliance on it can have pitfalls because:
  • The time and place are different, and contextual circumstances are likely to have changed in some way.
  • The fact that risks did not materialise in earlier projects does not mean that they (the same or similar items) cannot happen in similar current projects.
  • It is easy to underestimate new factors that may be involved, unless proper consideration is given to trying to identify them. For example, a company may have successfully launched a new product in one European country and then finds that its launch in another country fails due to cultural, legal or local regulatory requirements that could have been anticipated and mitigated with a more formal assessment, including research and information gathering.
1.3.2 Scale
In practice, larger projects are typically more complex (or risky) than smaller ones, although this does not need to be the case, at least in theory. In addition, where a project is large (even if it is apparently “simple”, such as the undertaking of a major construction project using a prefabricated template), then the consequences of the materialisation of an unforeseen risk may be too large to be absorbed within the available budget, whereas similar risks in smaller projects could be absorbed without undue attention. In this sense, of course, the concept of scale is a relative one, depending on the context and organisation concerned.
1.3.3 Authority and Responsibility to Identify and Execute Risk-Response Measures
Measures to respond to risk can include changes to project scope, structures, deliverables, timelines, budgets, targets and objectives. In many personal situations, the individual concerned can make decisions related to such topics without reference to others. In contrast, in organisations and businesses (and in some personal situations) such actions would almost always require authorisation from others, typically from more senior management. In addition, project collaborators within the organisation, as well as third parties (external agencies, contractors, etc.), may also be impacted by any changes. Therefore, significant communication, negotiation and coordination are often required. Indeed, even fairly simple or common-sense risk measures may require significant analysis in order to prepare the groundwork for formal authorisation processes. The particular contexts in which this is most likely include:
• If the benefits of risk-response actions are “external” or highly asymmetric, such as where the costs of risk mitigation are borne by one department, but the benefits may accrue to another department or project.
• If changes are required to organisational processes, budgets, targets, timelines, quality or other performance indicators, or to contractual or other relationships with third parties.
• If the identification of risks may potentially expose issues of a political or motivational nature, for example if problems are uncovered that should have already been addressed within normal work, or if a lack of expertise, capability or competence would be highlighted.
In such contexts, formalised risk assessment processes will support the activities of a project team by creating robustness in the analysis and in the assessment of the cost–benefit trade-offs, and will increase objectivity and transparency.
1.3.4 Corporate Governance Guidelines
There is an increasing requirement for decisions within businesses to be supported by formal governance processes, particularly in publicly-quoted (listed) companies, where management is ultimately responsible to shareholders, and not to themselves. One may think of governance issues in two categories:
• Mandated governance requirements and guidelines.
• Processes that enhance general organisational effectiveness and competitive advantage (see later).
A complete description of published governance guidelines is beyond the scope of this text: their focus is typically on structured frameworks and processes to manage risk (especially operational risk) and less on the details of modelling issues and associated challenges. Here, we simply highlight a few examples from various contexts; the interested reader can no doubt easily find others by general internet or other searches:
• The UK Combined Code on Corporate Governance. This sets out standards of good practice in relation to Board leadership and effectiveness, remuneration, accountability and relations with shareholders. Certain listed companies are required to explain in their annual report and accounts how they have applied the Code. The Code includes the following (June 2010 edition):
  • “Every company should be headed by an effective Board, which is collectively responsible for the success of the company … The Board's role is to provide entrepreneurial leadership within a framework of prudent and effective controls which enables risk to be assessed and managed …”
  • “The Board should be supplied in a timely manner with information in the form and of a quality appropriate to enable it to discharge its duties. All directors should … regularly update and refresh their skills and knowledge.”
  • “The Board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. The Board should maintain sound risk management and internal control systems.”
• The Corporate Governance Council of the Australian Stock Exchange publishes Corporate Governance Principles and Recommendations (or Principles), of which Principle 7 concerns recognising and managing risk. Selected sections (2nd edition, 2010) state:
  • “Risk management is the culture, processes and structures that are directed towards taking advantage of potential opportunities while managing potential adverse effects.”
  • “Companies should establish policies for the oversight and management of material business risks and disclose a summary of those policies.”
  • “The Board should require management to design and implement the risk management and internal control system to manage the company's material business risks and report to it on whether those risks are being managed effectively. The Board should disclose that management has reported … the effectiveness of the company's management of its material business risks.”
• The Sarbanes–Oxley Act (2002) requires management to certify the accuracy of financial information of companies listed on US exchanges. The guidelines cover issues relating to risk assessment and internal controls, rather than management decision-making.
• A number of other organisations have provided guidelines, recommendations and standards relating to risk assessment and its methods. A few examples include:
  • The International Organization for Standardization (ISO) has published ISO 31000 Risk Management – Principles and Guidelines and 31010 Risk Management – Risk Assessment Techniques. The British Standards Institution (BSI) has published BS 31200:2012 Risk Management: Code of practice and guidance for the implementation of BS ISO 31000, and other works.
  • The Institute of Risk Management (IRM), the Association of Insurance and Risk Managers (AIRMIC), Alarm (the Public Risk Management Association), the Federation of European Risk Management Associates (FERMA) and the Committee of Sponsoring Organizations (COSO) each regularly publishes documents, such as COSO Enterprise Risk Management – Integrated Framework. Each provides guidance on risk management processes and controls for management. The PRMIA (Professional Risk Managers' International Association) also publishes on a number of similar topics.
1.3.5 General Organisational Effectiveness and the Creation of Competitive Advantage
Of course, organisations will not succeed simply by following mandated guidelines: of utmost importance is the ability to create, identify and exploit opportunities that are aligned with strategy, create value and have some competitive differentiation. According to financial theory, in efficient markets, higher risks should be associated with higher returns only where such risks cannot be reduced economically efficiently or diversified away: the taking of risk per se is not rewarded. In contrast to many personal situations (for which the making of an “adequately good” decision is usually sufficient) organisations exposed to high levels of competition will need to perform to a superior standard, and to create opportunities, structure projects and make decisions that are (close to) the best possible ones available.
Formalised risk assessment can support effectiveness in these areas in several ways:
• Supporting the consideration of a full range of decision options.
• Helping to ensure that the opportunities being considered are value-creative and structured optimally.
• Ensuring that decisions are supported by robust rational analysis and data, and are appropriately transparent.
• Ensuring more transparent trade-offs and appropriate risk tolerances in decision-making.
• Reducing biases in analysis and in decision-making.
• Ensuring that project execution risks are appropriately considered within decision evaluation processes, as well as within the detailed implementation projects.
1.3.6 Quantification Requirements
Businesses almost always require that important decisions are supported with fairly detailed quantitative analysis. Risk assessment can be used to support this in many ways:
• Reflecting the reality that the situation inherently contains risk and uncertainty.
• Providing a structured process to ensure that all relevant factors are included in the analysis and quantitative model.
• Understanding the range of possible outcomes, and generating an understanding of how likely a particular (e.g. “base”) case is to be achieved, and what modifications are required (e.g. to targets, inclusion of contingencies, implementation of risk-response measures, or development of new structural options).
• Enhancing the ability to compare projects with different risk profiles, and to support the development of optimal business portfolios.
• Allowing risk tolerances to be made explicit and reflected in decision-making, in a way that is aligned with organisational objectives (see below for further discussion).
• Increasing transparency, reducing biases and supporting the achievement of the appropriate balance between intuition and rationality in decision-making.
1.3.7 Reflecting Risk Tolerances in Decisions and in Business Design
Robust decision-making in business contexts requires a consideration of risk tolerances:
• Corporate governance. Shareholder demands for appropriate risk taking (to create rewards for equity investors by taking appropriate risk) need to be reflected in decision-making and in project selection: in theory (and practice), some companies should be more risk seeking than others, but it would seem difficult for a company to appropriately manage its risk profile without knowing and measuring (quantitatively) how much risk is being taken. Instead, very often, such processes remain intuitive, non-transparent and elusive, and are likely to be suboptimal.
• Consistency. Without a formal consideration of risk tolerances, a decision that would be authorised on one occasion may not be authorised on another. Thus, in one instance a project that is high risk/high reward may be favoured over a lower risk/lower reward one, whereas in similar circumstances on another occasion the reverse would be the case. This may be due to the presentation or framing of the decision, or to short-term inconsistencies and fluctuating optimism or pessimism that occur in day-to-day behaviours when formal processes are not put in place.
• Business portfolio optimisation. Most businesses can be considered as portfolios of components (e.g. customers, geographies, projects or products). As such, there is an optimisation aspect to the appropriate business design and strategic choices, with an optimal portfolio consisting of a combination of components with different profiles, so that some elements balance out against others.
Given these drivers, the application of a formalised risk analysis process in many business situations is likely to create significant benefits in terms of the quality of the final decision.