The definition of threats is important here. The last sector to consider is the lower left-hand quadrant, which summarizes threats with relatively lower likelihoods and severities – at least over our defined time horizon. Are we, for example, more concerned about the high-probability/low-severity events (upper left-hand quadrant) or the low-probability/high-severity event (lower right-hand quadrant)? Prioritization of our second-tier efforts depends on the relative weighting of likelihood and severity. Most of our risk mitigation efforts should be focused here. Items in the upper right-hand quadrant summarize threats with both high probability and high severity. When we examine the chart, our priorities are obvious. Once we assign probabilities and severities to each of our risks, the fourth and final step is to construct a chart mapping one against the other, as illustrated in the example below: In this case, we might survey subject matter experts or use simulation tools to approximate probabilities and severities, with the understanding that the confidence bands around our assumptions may be quite wide. Solar flares or cyberattacks could be known risks to our business operations, but the probability and severity of these events occurring within our specified time horizon may be unknown, given few – if any – historical episodes. On the other hand, some risk assessments are purely qualitative in nature. We might then refine these assumptions further based on recent trends and models that account for other factors, such as ocean temperatures or El Niño effects. These may be quantitatively based by looking at history.įor example, we might look at the historical frequency and severity of hurricanes within a particular geography as a starting point with a statistical grounding. The third step in the RMA process involves assigning likelihoods and severities to each of our identified risks. The global financial crisis and the COVID-19 pandemic taught us that it is better to err on the side of constructing an exhaustive list rather than commit an error of omission. At this stage, the objective is simply to collect as many ideas as possible, as opposed to ranking their importance. This can be informed by consulting both internal and external surveys of staff, customers and other stakeholders. Having established the scope and time horizon, the next step is risk identification. economy over the next eight quarters – an exercise I run through with my economist colleagues each month. For the purposes of exposition, let’s consider developing a risk matrix for the U.S. The potential threats we identify may vary considerably if we are looking out over the next day or month versus the next year or decade. For example, focusing exclusively on the risk that an individual home’s property value could decline may cause us to focus too much on idiosyncratic factors – such as the color of the walls – while ignoring broader drivers of demand – such as migration into or out of the local area. The narrower the focus, the more precise and actionable the risks we identify.Ī narrow a scope, however, may give us tunnel vision. This involves a consideration of tradeoffs. The first and most important step to create a risk matrix is defining scope, with respect to both subject matter and time horizon. The universality of the RMA allows us to apply it equally to complex systems, such as the global macro-economy, and to more micro subjects, such as a specific product, service or process. It’s a great starting point for not only organizing our own thoughts around risk, but also for illustrating priorities to others in an easily accessible, graphic fashion. The risk matrix approach (RMA) is one of the most effective tools for prioritizing threats. Indeed, a risk manager’s most significant contribution is often prioritizing threats as they seek to keep their organizations from acting rashly and flying off the proverbial rails. One of the key tasks of the financial risk manager, as one on my colleagues eloquently put it, is to “help people to worry more intelligently.” In part, the risk management field addresses our biological shortcomings, as the human mind is prone to extrapolate small changes to cataclysmic extremes.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |