Enterprise risk management : modern approaches to balancing risk and reward [2 ed.] 9783658335236, 3658335238

Citation preview

Stefan Hunziker

Enterprise Risk Management Modern Approaches to Balancing Risk and Reward Second Edition

Enterprise Risk Management

Stefan Hunziker

Enterprise Risk Management Modern Approaches to Balancing Risk and Reward 2nd edition

Stefan Hunziker Rotkreuz, Switzerland

ISBN 978-3-658-33522-9 ISBN 978-3-658-33523-6  (eBook) https://doi.org/10.1007/978-3-658-33523-6 © Springer Fachmedien Wiesbaden GmbH, part of Springer Nature 2021 This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations. Responsible Editor: Vivien Bender This Springer Gabler imprint is published by the registered company Springer Fachmedien Wiesbaden GmbH part of Springer Nature. The registered company address is: Abraham-Lincoln-Str. 46, 65189 Wiesbaden, Germany

Preface to the Second Edition

Only three years have passed since I wrote the first edition of Enterprise Risk Management—Modern Approaches to Balancing Risk and Reward. Meanwhile, the world has changed dramatically with the COVID-19 pandemic surfacing at the end of 2019. I wondered if I had addressed this specific risk in my own book that was published before COVID-19. Therefore, I searched for the term “pandemic”. To my own surprise, I only spotted one text passage containing “pandemic situation” in chapter 2.1.2. This paragraph discusses attribute substitution. It often causes inaccurate (risk) assessments of emotional themes such as dread risks (e.g. terrorism, plane crash, pandemic situation). Indeed, we have been dealing with a very emotional crisis exposing our minds to several risk assessment biases. I decided to discuss some more biases relevant to the current pandemic in the second edition of this textbook. I am honoured that I have received much positive feedback since my first edition was published. I am happy when risk professionals follow some of my practical tips and suggestions. I have also received many valuable comments from ERM professionals, consultants, managers, professors, and my own students. I cordially thank each of these contributors. ERM is evolving and the current pandemic is presenting a new risk management challenge. Therefore, it is the right time to revise the contents of the book and to make amendments where appropriate and useful. I have completely reviewed this second edition. I hope that I spotted and corrected most of the clerical errors that I made in the first edition (more found than I expected, to be honest). Furthermore, I updated a few references and I added some current content on ERM developments. I included more examples about the COVID-19 pandemic. The crisis had been present when I worked on the second edition. I am very thrilled about the interest my book on modern ERM has received from both the academic and the practitioner community. Stefan Hunziker

v

Preface to the First Edition

Now more than ever, students, junior staff, instructors, managers and decision-makers have to understand the value-creating aspect of modern Enterprise Risk Management (ERM). Welcome to the world of enterprise risk management (ERM), one of the most popular and misunderstood of today’s important business topics. It is not very complex. It is not very expensive. It does add value. We just have to get it right. Until recently, we have been getting it wrong (Hampton 2009, p. vii).

This is a quote from Professor Hampton, director at St. Peters’ College and former director of the Risk and Insurance Management Society (RIMS). His statement is representative of what still applies to many companies today. ERM is considered an expensive and unprofitable “business inhibitor”. Traditionally, it does only embrace a few areas of the company (in many cases the finance department). There is no comprehensive companywide management of all risk categories in a consistent framework. Risk management is often an independent stand-alone process, which is not linked to decision-making. In this way, traditional risk management is unable to generate any benefits and unnecessarily ties up resources in the company. A positive risk culture, which considers information provided by risk management as being supportive of management, is often wishful thinking. Modern risk management aims to be a strategic management tool that creates value for the company. In order for the risk manager to be welcomed at the strategy table, a rethinking from traditional risk management to modern ERM is required.

Didactic Philosophy and Learning Goals Amongst others, ERM is a powerful tool that enhances a manager’s and the board’s ability to make better decisions under uncertainty. Pure learning of ERM definitions, theories, and techniques by heart is much less important for students than being able to apply relevant ERM concepts to practical situations. For this reason, Enterprise Risk Management—Modern Approaches to Balancing Risk and Reward embraces theory, vii

viii

Preface to the First Edition

concepts, and practical examples so that students get a sound understanding of how ERM can be implemented in practice. I encourage students to make use of the offered learning materials at the very end of each chapter. The content of Enterprise Risk Management—Modern Approaches to Balancing Risk and Reward applies to all business sectors, including non-profit, service, selling, manufacturing, retail, and administrative situations. The focus of the textbook is on improving decision-making in uncertain situations. It does not address operational risk management or internal controls at very low organisational levels. My goal is to encourage students to apply modern approaches to good ERM and to link ERM to decision-making processes. Students and risk professionals begin their understanding of why ERM matters in today’s complex business environment. They progress to questions of how to assess risks and opportunities with consistent and effective assessment techniques. In addition, we discuss how to create a risk culture that enables effective ERM. To support the student’s learning success, my approach is to introduce accessible concepts. I complement them with practical examples from diverse companies. The textbook has been developed for training and further education at the university level in German-speaking countries. Yet, it is also of high practical relevance. Based on concrete cases of medium-sized and large companies, we transfer concepts presented in Enterprise Risk Management—Modern Approaches to Balancing Risk and Reward of ERM into practice. It serves students and practitioners alike as a source of ideas on how ERM can generate value for all stakeholders. I address theoretical and psychological findings relevant to decisions under uncertainty.

Acknowledgements

I have received many valuable comments and suggestions for this textbook during the last few years from ERM professionals, consultants, managers, and professors. I cordially thank each of these contributors. In addition, I wish to thank the following people and institutions: • Mr Marcel Fallegger, CMA, CSCA, Lucerne School of Business. Besides his subject matter expertise, he supported me in all administrative matters. • Lucerne School of Business for its financial support. • Springer Gabler. All colleagues from the editorial, production, and marketing departments for their great support in making this textbook possible. • My relatives, for their patience and understanding of the many “write-related absences”. Finally, students in my graduate and undergraduate classes on Enterprise Risk Management have inspired me to write this textbook. They contributed many thoughtful ideas. Stefan Hunziker

ix

Contents

1 Introducing ERM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.1 Why ERM Matters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.2 Definition of ERM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.3 Risk Definition in the ERM Approach. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 1.4 ERM Frameworks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 1.5 Challenges to ERM Implementation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 References. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 2 Countering Biases in Risk Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 2.1 Motivational Biases. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 2.1.1 Affect Heuristics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 2.1.2 Attribute Substitution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 2.1.3 Confirmation Bias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 2.1.4 Desirability of Options and Choice . . . . . . . . . . . . . . . . . . . . . . . . 22 2.1.5 Optimism. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 2.1.6 Transparency Bias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 2.2 Cognitive Biases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 2.2.1 Anchoring Bias. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 2.2.2 Availability Bias. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 2.2.3 Dissonance Bias. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 2.2.4 Zero Risk Bias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 2.2.5 Conjunction Fallacy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 2.2.6 Conservatism Bias. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 2.2.7 Endowment and Status Quo Bias. . . . . . . . . . . . . . . . . . . . . . . . . . 31 2.2.8 Framing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 2.2.9 Gambler’s Fallacy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 2.3 Group-Specific Biases. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 2.3.1 Authority Bias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 2.3.2 Conformity Bias. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 2.3.3 Groupthink. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 xi

xii

Contents

2.3.4 Hidden Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 2.3.5 Social Loafing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 References. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 3 Creating Value Through ERM Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 3.1 Balance Rationality with Intuition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 3.2 Embrace Uncertainty Governance as Part of ERM. . . . . . . . . . . . . . . . . . . 55 3.3 Collect Risk Scenarios. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 3.3.1 Identify Sources, Events and Impacts of All Risks . . . . . . . . . . . . 58 3.3.2 Develop an Effective and Structured Risk Identification Approach. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 3.3.3 Identify Risks Enterprise-Wide . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 3.3.4 Treat Business and Decision Problems not as True Risks. . . . . . . 62 3.3.5 Don’t Let Reputation Risk Fool You . . . . . . . . . . . . . . . . . . . . . . . 64 3.3.6 Focus on Management Assumptions. . . . . . . . . . . . . . . . . . . . . . . 67 3.3.7 Conduct One-On-One Interviews with Key Stakeholders. . . . . . . 79 3.3.8 Complement with Traditional Risk Identification. . . . . . . . . . . . . 85 3.4 Assess Key Risk Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 3.4.1 Identify Key Risk Scenarios. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 3.4.2 Quantify Key Risk Scenarios. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 3.4.3 Support Decision-Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 3.4.4 Differentiate Between Decisions and Outcomes. . . . . . . . . . . . . . 116 3.4.5 Overcome the Regulatory Risk Management Approach . . . . . . . . 117 3.4.6 Overcome the Separation of Risk Analysis and Decision-Making. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 3.4.7 Assess Impact on Relevant Objectives. . . . . . . . . . . . . . . . . . . . . . 119 3.4.8 Avoid Pseudo-Risk Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . 121 3.4.9 Develop Useful Risk Appetite Statements. . . . . . . . . . . . . . . . . . . 123 3.4.10 Make Uncertainties Transparent and Comprehensible. . . . . . . . . . 129 3.4.11 Exploit the Full Decision-Making Potential of ERM. . . . . . . . . . . 134 3.4.12 Align ERM with Business Planning. . . . . . . . . . . . . . . . . . . . . . . . 137 3.4.13 Replace Standard Risk Reporting. . . . . . . . . . . . . . . . . . . . . . . . . . 142 3.4.14 Disclose Risks Appropriately. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146 3.5 Assess and Improve ERM Quality. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150 3.5.1 Test ERM Effectiveness Appropriately . . . . . . . . . . . . . . . . . . . . . 150 3.5.2 Increase ERM Maturity Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 References. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 4 Setting up Enterprise Risk Governance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 4.1 Comply with Laws and Check Relevant Governance Codes. . . . . . . . . . . . 167 4.2 Consider ERM-Frameworks Thoughtfully . . . . . . . . . . . . . . . . . . . . . . . . . 170 4.2.1 Motivation for Risk Management Standards. . . . . . . . . . . . . . . . . 170 4.2.2 ISO 31000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

Contents

xiii

4.2.3 COSO ERM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174 4.2.4 Similarities and Differences. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 4.2.5 Limitations of ERM Frameworks. . . . . . . . . . . . . . . . . . . . . . . . . . 177 4.3 Develop a Sound Risk Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 4.3.1 Risk Policy and Corporate Strategy. . . . . . . . . . . . . . . . . . . . . . . . 178 4.3.2 Risk Policy as the Basis for Dealing with Risks . . . . . . . . . . . . . . 180 4.3.3 Limitations of Risk Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184 4.4 Enhance Risk Culture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 4.4.1 Relate Risk Culture to Corporate Culture . . . . . . . . . . . . . . . . . . . 185 4.4.2 Understand How Risk Culture Evolves. . . . . . . . . . . . . . . . . . . . . 189 4.4.3 Increase Risk Culture Maturity Level . . . . . . . . . . . . . . . . . . . . . . 190 4.5 Organise ERM Properly. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192 4.5.1 Does a Best-Practice ERM Organisation Exist? . . . . . . . . . . . . . . 198 4.5.2 ERM Organisation Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 4.5.3 Some Thoughts on Roles and Responsibilities . . . . . . . . . . . . . . . 202 References. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206 5 Looking at Trends in ERM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209 5.1 Emerging Digital Risks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210 5.1.1 Impact of Disruptive Technologies. . . . . . . . . . . . . . . . . . . . . . . . . 210 5.1.2 Digital Risk Framework. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214 5.2 Digitization of ERM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 5.3 Using Multiple Sources of Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220 5.4 Increasing Demand for Analytic Skill Sets. . . . . . . . . . . . . . . . . . . . . . . . . 222 5.5 Increasingly Sophisticated Software Tools . . . . . . . . . . . . . . . . . . . . . . . . . 225 5.6 Networked Economy and Collective ERM. . . . . . . . . . . . . . . . . . . . . . . . . 227 5.7 Improving ERM Skills. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228 References. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234

1

Introducing ERM

Abstract

Enterprise Risk Management (ERM) is an enterprise-wide process to identify, assess, and manage all key risks. The goal is to generate value for all stakeholders. Based on this definition, the chapter explains which key success criteria constitute modern risk management. We learn what needs to be paid special attention to in practice to exploit the potential of ERM to create value. In particular, we discuss that financial risks are not the most important risk category in most industrial companies. Further, positive risk culture is supported if historically grown “risk silos” can be overcome. Risk managers need to establish a uniform ERM language across the company. Companies need to understand ERM as a self-evident part of the strategy development, strategy execution, and decision-making. Then, ERM is capable to unfold its value-generating potential.

Learning Goals When you have finished studying this chapter, you should be able to: • • • • •

Define the term ERM and its key attributes Contrast ERM with traditional risk management Explain which characteristics distinguish the term risk in the ERM approach Explain why ERM is important to support decision-making processes Describe the main challenges of ERM

© Springer Fachmedien Wiesbaden GmbH, part of Springer Nature 2021 S. Hunziker, Enterprise Risk Management, https://doi.org/10.1007/978-3-658-33523-6_1

1

2

1  Introducing ERM

1.1 Why ERM Matters Many, if not all corporate activities are linked to uncertainties of future developments. These developments can result in either new threats or opportunities. The volatile nature of markets (e.g. for raw materials) and business environments (e.g. regulatory changes, behaviour of competitors) poses a great challenge to the existence and success of companies. The growing complexity and dynamics of the context in which companies nowadays operate has caused a relentless increase in the level of risk in all areas of corporate management. As a result, the practice of risk management has enforced itself gradually in many sectors and industries, and across different company sizes (Verbano and Venturini 2013). Risk management within corporations has gone through various stages starting in the post-World War II times. At that time, risk management was uncoordinated with a strong focus on the mitigation of financial risk. This was done with insurance and derivative instruments to protect the company against financial loss. A more holistic approach has emerged in the 1990s. This advanced approach is rather intended to achieve coordinated management of all significant risk sources a company might be exposed to (McShane et al. 2011; Mishkin and Eakins 2018). The concept of Enterprise Risk Management (ERM) has emerged in the early 1990s as a programme that manages the total risk exposure in one integrated and comprehensive tool (Hampton 2015, p. 18). Clearly, one of the main advocates of ERM adoption in the 1990s has been the release of the COSO Framework in 2004 (Committee of Sponsoring Organizations of the Treadway Commission) “Enterprise Risk Management—Integrated Framework” (COSO 2004). In the 2000s, risk management became even more important mainly due to negative events with high public awareness such as September 11th, corporate accounting fraud and the financial crisis. Although ERM was a much-debated business topic in the 2000s, there has also been severe critique. In particular, the financial crisis in 2008 and 2009 resulted in many corporate failures and bankruptcies. Many started to question the effectiveness of ERM programmes. Critics brought forward the argument that the effectiveness of ERM had not yet been proven. Thus, ERM implementation slowed down shortly after the financial crisis (Hoyt and Liebenberg 2011, p. 796). In the meantime, most of the criticism has fortunately faded. Specifically, over the last couple of years, the perspective on ERM has changed. Many organisations have recently implemented policies and processes. They started to apply modern ERM practices. The main reason for that is that ERM has evolved as a management tool. It is no longer seen as a pure regulatory need to prevent negative events. In fact, academics and risk professionals appreciate ERM as a value-adding function (Lam 2017, pp. 34–37). Various empirical studies (e.g. Smithson and Simkins 2005; Hoyt and Liebenberg 2011; Eckles et al. 2014) have been undertaken. Most of these studies confirm that companies with ERM systems in place have a higher company value than nonERM companies. Ultimately, from a very modern perspective, value creation is the sole

1.1  Why ERM Matters

3

reason for implementing an ERM programme. This is also the best answer to the “why risk management”-question from an economic point of view. If ERM consumes more resources than the value it creates, companies should refrain from implementing it. To be more concrete, the most important features of modern ERM that contribute to the value creation are briefly introduced. First, ERM facilitates value creation if it is linked or built into to the decision-making processes. Decisions in turn affect the prosperity of an organisation. ERM creates value by allowing firms to gain a more optimised risk-return trade-off of their decisions. A commonly misunderstood characteristic of ERM is that the goal of risk management is to minimise total risk exposure. Yet, ERM is about determining the ideal level of risk to maximise value. Some risks might be taken to exploit opportunities and hence to create a higher return (Romeike 2018, p. 14). Thus, a key reason why to deal with ERM is improved decision quality. ERM considers and balances the upside and downside potential of each decision. It provides a more rational basis for decisions. A second key reason for implementing ERM is to gain a comprehensive view of all risks, opportunities, and their respective interdependencies. This enables the senior management and the board to oversee total risk exposure and its potential effect on business goals. The availability of transparent and fully quantified risk exposures offers new opportunities for effective strategic decision-making. It promotes risk-taking, which is in line with the corresponding risk appetite (Farrell and Gallagher 2014, pp. 628–629). Moreover, risk aggregation enables the management of residual risks rather than dealing with single independent risks. Companies adopting aggregation techniques may benefit from a risk diversification effect. They can take advantage of natural risk hedges. Thus, only a few remaining risks needs to be managed. This is a more efficient and effective way than dealing with every single risk independently (McShane et al. 2011). Besides, ERM has recently been observed to be of great benefit to organisations because it has led to: • • • • • •

Stabilised earnings which improve shareholder’s value; Decreased cost of capital via improved ratings from credit rating agencies; Better exploitation of equity (risk) capital; Lessened dynamics in stock price, which also improves shareholder’s value; Boosted investors’ confidence (still a much-debated and controversial topic); Enhanced competitive advantage through the identification of significant risks that can be actively managed.

So far, we keep in mind that ERM can add value to the company. If somebody asks you why a firm should deal with ERM, your very first answer must be “value creation through higher decision quality”. Before we can embark on our journey into the concrete process of ERM implementation, we have to define ERM. In particular, we need to clarify the often-misunderstood term “risk”.

4

1  Introducing ERM

1.2 Definition of ERM In theory, a vast amount of ERM definitions is available, but many of these descriptions comprise similar aspects. Hampton (2015) states that the ERM concept is a comprehensive and complex system that concerns major areas of a company. For this reason, many definitions of ERM exist (p. 19). To prevent getting lost in the many definitions, it makes sense to have a closer look at the two most well-known risk management frameworks. They were published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the International Organization for Standardization (ISO). Both frameworks have been updated in 2017 (COSO) and 2018 (ISO). According to the COSO ERM Framework, ERM is defined as: The culture, capabilities, and practices, integrated with strategy-setting and its execution that organizations rely on to manage risk in creating, preserving, and realizing value. (COSO 2017, p. 10)

As we notice, COSO puts emphasis not only on the capabilities, techniques, and tools but also on the very important cultural aspects. Many risk professionals have argued that cultural aspects are perhaps even more relevant for an effective risk management than the implementation of ERM techniques per se (Levy et al. 2010, p. 2; Vazquez 2014, p. 10). The second aspect of COSO’s ERM definition stands out. It must be integrated with strategy-setting and its execution. Thus, COSO stipulates that ERM should be linked to business goals to create value. This is in line with our main reason of “why ERM” (see Sect. 1.1). Also ISO promotes a modern, integrated risk management approach. Yet, the term ERM is not mentioned at all in the guidelines. In contrast to COSO, ISO defines risk management as: …coordinated activities to direct and control an organization with regard to risk. (ISO 31000:2018, p. 1)

ISO does not explicitly link risk management to value creation. It specifies the purpose of risk management in the principles section as the creation and protection of value. This is quite similar to COSO’s approach (ISO 2018, p. 2). In addition, ISO states that culture affects all aspects of risk management what is again in line with COSO’s view on ERM. Overall, both definitions represent a sound basis for modern ERM as they both promote the link between ERM and value creation. As such, both definitions perfectly serve the purpose of the textbook at hand and we could stop discussing approaches. For the sake of not relying only on definitions created by risk frameworks and standards, here are a few others that do not fundamentally deviate from COSO and ISO. The Risk Management Society (RIMS) for example defines ERM as. …a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio. (Hopkin 2017, p. 53)

1.3  Risk Definition in the ERM Approach

5

This definition puts emphasis on the aspect of having a unified and integrated approach. The separate management of individual risks is abandoned and risks are treated holistically throughout the whole organisation (Hopkin 2017, p. 98; Segal 2011, p. 3). Again, in line with the two former ones, the reference of the link to the company’s goals is obvious. This is similarly confirmed by Segal (2011, p. 3) and by Hunziker (2018, p. 2) who describe that modern ERM is a comprehensive approach to identify, evaluate, manage, and disclose important risks to increase company value. Based on the previous discussion, the following definition is best suited:  ERM embraces enterprise-wide coordinated activities by which companies identify, assess, manage, and report all key risks to create value for the firm. At this point, we conclude that many ERM definitions have been published. We find ERM definitions by consultants, risk professionals, agencies, and legislative bodies. Modern definitions of ERM postulate a company-wide (i.e. in all areas and across all risk categories) identification, assessment, and management of risks. Also, ERM needs to establish a strong link to the strategy, business goals, decisions, and value creation.

1.3 Risk Definition in the ERM Approach In practice, companies often expect that ERM inevitably leads to the management of hundreds or even thousands of risks. This was particularly the case in the US after COSO ERM was released in 2004. Companies showed a great deal of scepticism about ERM. They feared that ERM might be nothing else but an extended task that ties up many resources. Since the COSO ERM framework is generally based on the COSO framework for Internal Control, firms felt confirmed by that. Yet, ERM does not aim to assess, manage, and monitor all risks identified by a company. ERM has a different focus and addresses only so-called key risks. A risk can evolve to a key risk over time or it is being considered as a key risk by the time of its first assessment. We define a key risk as a risk that exceeds a significance threshold set by the company. Such risks affect one or several business objectives and impact company value or any other financial benchmark. Let us consider the following example: Example

The Swiss company FarAway AG operating in the travel industry markets holiday trips in Switzerland in business unit A and holiday trips to the euro zone in business unit B, mainly Germany and Austria. The risk register includes the following two risks, among others:

6

1  Introducing ERM

• petty cash theft • entry of a new competitor As a financial benchmark, FarAway AG defined an acceptable lower bound of 8% EBIT margin for the next business year (excepted EBIT margin is 10%). After a first risk assessment, the following worst-case scenarios for both risk look as follows: • petty cash theft, worst case   −0.01% on expected EBIT margin (=9.99% after risk impact) • loss of market share, worst case − 4% on expected EBIT margin (=6% after risk impact) Based on that simple analysis, FarAway AG concluded that petty cash theft is currently no key risk and thus not included in the further ERM process, instead put on a watch list. In contrast, FarAway AG considers loss of market share as a key risk due to the severe threat it poses on the financial goals. We conclude that ERM will never have to deal with several hundred or thousands of risks. This can be the case while maintaining an internal control system of a large company. ERM requires meaningful criteria to differentiate between key risks and risks that are stored in a database. This database serves as a “watch list” and these risks are not included in the ERM model. Practical experience shows that many traditional risk management systems fail because of their complexity. This holds true regardless of the size and industry of a company. Any attempt to incorporate and manage all risks instead of focusing on key risks leads to a failure of ERM. Another challenge in defining risk is the fact that managers tend to think about the (financial) impacts of risks. These considerations are clearly important, but not enough. To develop effective risk strategies, we need to know the sources (causes) of each risk. The relevant question to define risks effectively must be as follows. How can we prevent a risk from occurring so that it does not have any financial impact? The answer is to create a plausible story, embedded in a cause-effect chain. The cause at the very beginning of that story is the starting point. Risk causes are the basis for discussing effective risk mitigation strategies. ◄ Let us consider again our practical example: Example

FarAway AG identified and assessed the key risk “loss of market share”. The worst case is a loss of − 4% EBIT margin. The Chief Financial Officer (CFO) of FarAway AG claimed that he needs to classify this risk as a financial risk due to its significant impact on the financial performance. In a meeting with the risk manager, however,

1.3  Risk Definition in the ERM Approach

7

he learned that every risk is to be categorised by its source rather than its impact to develop preventive risk mitigation measures. The Chief Risk Officer (CRO) together with the CFO created a simplified causeeffect chain for that specific key risk: Due to missing a timely tracking of new trends and customer needs in the travel industry, the competitors may gain a competitive advantage over FarAway AG with new and innovative offers. This may lead to less customer satisfaction of our customer base and to less new customers. In turn, this has a negative impact on our revenues and so leads to a loss of 4% EBIT margin in a worst-case scenario. The CRO showed understanding and agreed to change that risk from the financial category to the strategic risk category. “Now we can think of preventive measures”, he suggested. Thirdly, it is obvious that many risks can have both an upside potential (opportunity) and a downside potential (risk), possibly to varying degrees. Yet, the term risk is traditionally interpreted as something bad. Questions such as “what can go wrong?” and “what is at stake?” are the focus in many risk management workshops. The assessment of potential impacts and the corresponding probabilities is still prevailing in practice (Hampton 2009, pp. 4–5). The following figure illustrates the modern approach to defining risk as a possible positive and/or negative deviation of an expected outcome. This understanding of risk is crucial for a realistic assessment of the total risk exposure at the company-wide level.

Upside potential of all key risks Key risks business unit A

Key risks business unit B

Currencies

Market entry

Fire Customer needs

Customer needs Suppliers

Debtors

Downside potential of all key risks

Fig. 1.1  Risk in the ERM approach. (Based on Hunziker 2018, p. 11)

IT failure

8

1  Introducing ERM

Looking at Fig. 1.1, it becomes clear that different risks involve different upside and downside potentials. For example, the debtor default risk and the IT failure risk do not have a symmetrical risk/opportunity distribution but are downside-oriented (unrewarded risks). Therefore, the early recognition of changing customer needs or market entry with new products can become a strategic competitive advantage with disproportionate potential opportunities (rewarded risks with an expected positive outcome). To decide which risk strategy is adequate for each risk, an ERM model deals with various positive and negative scenarios. Risk scenarios must cover the best case and the worst case at both ends of the possible ranges. Let us assume a company only takes into account the negative scenarios of all risks in its ERM model. This would sum up to a severe overvaluation of the risk exposure. This is because the positive scenarios (opportunities) and their diversification effects on entity level are not considered in the risk assessment. ◄ The following example illustrates risk balancing between two business areas. It shows how ERM can help create value for the company. Example

The Swiss travel company FarAway AG identified the risk of an unexpected change in the CHF/€ currency pair as another key risk. The news from the Swiss National Bank (SNB) on January 15, 2015, that the minimum exchange rate of CHF 1.20 per euro would be raised hit the company unexpectedly. The minimum price was introduced at a time of strong overvaluation of the Swiss franc and great uncertainty on the financial markets. The aim of this temporary measure was to protect the Swiss economy from financial loss. One reason for the SNB’s move was that the overvaluation had been somewhat generally reduced since the introduction of the minimum price and companies had been able to adjust to this new situation (SNB 2015). The impact of the appreciation of the CHF against the euro was twofold: business unit A lost around 20% of sales in 2015, as fewer holidays were booked in “expensive” Switzerland. Yet, the company recorded a significant 10% increase in sales in the important euro business. If both effects are offset against each other, this has a net positive impact at a company-wide level. Traditional risk management would have significantly overestimated this risk. Only the negative impact from business unit A would have been included in the risk assessment (Hunziker 2018, p. 12–13). ◄ We conclude that the term “risk” in the modern ERM approach must be understood as an enabler to seize opportunities. It compares the opportunities and the downside risk associated with a business goal or a strategic option. In addition, dependencies between risks must be identified and communication about risks must be promoted. If the risk term is defined in this way (deviation from expected), ERM leads to better decisions. Decision quality increases because decisions are evaluated more rationally and realistically.

1.4 ERM Frameworks

9

1.4 ERM Frameworks There are many options for the practical implementation of ERM. Companies have recently increased their ERM activities and developed approaches by themselves. In addition, consulting and auditing firms, and standards bodies have published many ERM guidelines. Specialised expert teams and rating agencies included ERM as a specific assessment criterion into their rating systems (Hoyt and Liebenberg 2011, p. 795). As COSO ERM (2017) and ISO 31000:2018 are by far the best-known and most widely used aids to implement ERM, we will focus on these two frameworks. We have to answer the following two questions: • Which of these two frameworks is better suited for a modern ERM implementation? • What is the relationship between this textbook and the COSO ERM/ISO 31,000 frameworks? The answer to the first question is not quite straightforward and needs some elaboration. The following brief assessment of the two frameworks is only related to the recently updated versions of COSO ERM 2017 and ISO 31,000:2018. The two frameworks lag behind the extant research on proper risk management. To date no empirical studies on whether the two standards actually work in practice, i.e. create value for companies, are available. In light of the fact that ISO:31000 and COSO ERM have existed many years, I could not find any empirical evidence that companies have successfully implemented COSO ERM or ISO:31000. Both frameworks postulate a strong link between ERM and business goals. Yet, they both offer a different approach to the “story of risk management”. ISO 31000 is much shorter and contains only 16 pages. It starts with core risk management definitions. ISO recommends examining and understanding the external and internal context such as mission, vision, strategy, and the complexity of networks and dependencies (ISO 2018, p. 6). In contrast, COSO ERM is written in much more detail and contains about 110 pages without appendices. It aims to gain a sound understanding of corporate strategies as a starting point for ERM implementation. In addition, a risk analysis must be aligned with the corresponding strategies. Moreover, COSO released in 2018 a supplement to its framework. The compendium includes many practical examples for implementing their 20 principles of the COSO ERM framework. These supplements also focus on the link between ERM, strategy, and value creation. Many practitioners have been criticizing COSO ERM as too extensive, only top-down oriented, too lengthy, and too “prescriptive”. To understand this, we need to know who developed COSO ERM. The main contributors to the framework are large US accounting and auditing associations. They share a common interest in a rather complianceoriented ERM approach. These bodies emphasise the importance of internal control and internal auditing. Yet, ISO 31000 is much more generic in nature. As a result, it can be used to support both a top-down and bottom-up approach to ERM.

10

1  Introducing ERM

To answer the first question: Neither COSO ERM nor ISO 31000 cover all modern ERM topics in a way companies can easily implement. Yet, both frameworks support a modern, value-creating view of ERM (see also Sect. 1.2). They can be used complementarily. They complement each other in many areas, are considered mature, holistic, and largely consistent. Yet, my readers should note that such frameworks generally reflect the consensus. Thus, they are valid for “average companies”. Innovations hardly find their way into ERM frameworks. This is because innovations do not gain majority support. Thus, every risk professional should be aware of both frameworks. They are helpful guidelines and can support a sound ERM implementation. To answer the second question: Neither COSO ERM nor ISO 31000 reflect all relevant topics in this textbook. Alternatively, to put it differently: Both frameworks cannot replace the textbook at hand. Where appropriate, the two frameworks are referenced and examples are discussed. At this point, we note that both frameworks do support the paradigm of modern, value-creating risk management. To give the reader an impression of how this book differs from the recommendations of the frameworks, a few examples are discussed below (Hunziker 2018, pp. 6–7): • Both frameworks emphasise the importance of the connection to strategic management. Yet, it remains unclear how the economic benefit (i.e. the value contribution) can be justified or measured in practice. Because many companies (still) do not acknowledge the benefits of ERM enough, this is very crucial. • ISO 31000 and COSO ERM do not manage to establish a practical link between risk appetite and decision-making processes. Risk appetite is a concrete statement of what types of risks (or the amount of uncertainty) a company accepts to achieve its business goals. ISO and COSO struggle to explain how a company can discuss and set its “risk appetite”. First, the statements on risk appetite made by COSO are rather confusing and unrealistic. COSO ERM suggests that companies can phrase very simple, qualitative risk appetite statements. An example is “we do not accept serious risks that could endanger our strategy”. These statements are useless for decision-makers. They cannot be broken down into concrete recommendations for action at lower organisational levels. Risk appetite statements are often not reflected in the decisions that impact business goals on a daily basis. Thus, such risk appetite statements are not actionable. • ISO 31000:2018 does not use the term risk appetite at all. Instead, the phrase “risk criteria” is used. “The organization should specify the amount and type of risk that it may or may not take, relative to goals. It should also define criteria to evaluate the significance of risk and to support decision-making processes” (ISO 2018, p. 10). As the term, risk appetite is well-known by most organisations and annual reports frequently contain risk appetite statements, guidance on how to concretely set risk appetite would be helpful (IRM 2018, p. 11). • Risk identification should also include a scanning process of the external environment. Yet, COSO ERM is strongly internally focused. Many risks are neglected if

1.5 Challenges to ERM Implementation

11

no external screening (competitors, trends, legal developments, international market developments, etc.) is carried out. Moreover, COSO ERM ignores the so-called “black swan” events. These risks feature a very low probability of occurrence and a high potential for negative impact. • COSO uses the term “risk event” throughout the framework. By definition, a risk event can become acute. Yet, there are many risks that manifest themselves slowly, sometimes over months or even years (e.g. changes in customer needs). These socalled emerging risks cannot be reflected in “risk events”. Besides, the downside risk (what can go wrong?) dominates COSO’s view on risk. This can lead to a significant overestimation of the business risk if opportunities are excluded from the risk assessment. • Practitioners may find ISO 31000 too generic. They might consider the efforts required to define and develop their own ERM framework too time-consuming, too costly, and not enough supported by the framework. We appreciate both frameworks as valuable sources for modern ERM implementation. Both frameworks lack the incorporation of well-accepted empirical evidence on methods, approaches, and techniques in risk management. Thus, the textbook at hand aims to contribute to closing some of these gaps.

1.5 Challenges to ERM Implementation Although we now know the main benefits of modern ERM, the potential is not yet being exploited in practice. Risk management is still perceived as a regulatory need without significant benefit. There are various reasons for this (Segal 2011, pp. 28–31). Historically grown risk silos in the company must be eliminated. Risks have been managed by assigning risk responsibilities to specific business unit leaders. For example, the CFO manages risks related to the organisation’s financial risks (interest rates, liquidity, currencies). The Chief Operating Officer (COO) deals with risks in his or her area of responsibility, e.g. production and distribution. The Chief Information Officer (CIO) is responsible for cyber risks and IT failure risks, and so on. Each of these functional leaders is charged with managing risks related to their key areas of responsibility. Each “silo leader” is responsible for identifying, assessing, and managing risks within their silo (Beasley 2016, p. 1). ERM language and techniques have grown consistently within these silos, but not across the various silos. This often impedes the assessment of the enterprise-wide risk exposures. This is due to inconsistencies of the diverse assessment techniques applied in the risk silos. The “E” in the term ERM requires an enterprise-wide risk assessment. Yet, in practice, some business areas or support functions may not be considered relevant enough from a company perspective. They appear financially unimportant. We can compare this to the audit profession approach. Companies might apply a similar concept of materiality

12

1  Introducing ERM

in planning and performing ERM activities. Very often, the scope of ERM projects is defined according to certain significance thresholds. For example, a company could assess the relative contribution (economic relevance) of each business area to the overall company performance. For reasons of resource constraints, ERM processes are then often not implemented in the areas defined as less important. This can undermine the effectiveness of an ERM. A risk can originate, for example, in rather unobtrusive, stable, and smaller business areas and may impact the company as a whole later on. Many companies focus on financial risk management and financial risks. This can be explained, among other things, by the recent financial crisis (global phenomenon) and currency crisis (i.e. in Switzerland due to the strong Swiss franc). From an ERM perspective, the following question arises. Are financial risks of the highest priority for all companies? Of course, the management of financial risks is important. However, for most non-financial companies, financial risks represent only a (very) small part of the risk exposure. Many studies show that strategic risks have by far the greatest impact on company value, followed by operational risks (e.g. Smit and Trigeorgis 2004). Thus, non-financial companies can identify the most significant risks in the context of the corporate strategy. Risk and opportunities of technological change, the digitization of business models, changing customer needs, growing competition, and wrong decisions in strategic project prioritization are more important than financial risks (e.g. interest rates or currencies). In addition, many practitioners and consultants believe that strategic and operational risks cannot be quantified. Yet, only the quantification of all risk categories allows a meaningful prioritization, assessment, and management of uncertainties. The wellknown techniques of financial risk management cannot be easily transferred to other risk categories. That is why quantification of other risks does rarely happen. In addition, other arguments are brought forward against risk quantification. For example, missing historical data, complexity of risks, non-applicability of stochastic models, and spurious accuracy. Other approaches, such as scenario analyses or Failure Mode and Effects Analysis (FMEA), which draw on human intuition and subject matter expertise, are not or too less used. Finally, the training and professional experience of many risk managers is another challenge to ERM. The backgrounds and experiences of risk managers (or the person in charge of risk management) influences ERM implementation. For example, risk managers with predominant experience in the financial industry, equipped with training in mathematics, statistics, and quantitative risk modelling, focus more on financial risks than on strategic risks. With these challenges in mind, we proceed with the next chapter. It outlines the topic of how to counter motivational, cognitive, and group-specific biases in risk analysis. A great deal of empirical evidence already exists on these biases. Yet, cognitive and motivational biases are still often neglected in the practical application of ERM.

1.5  Challenges to ERM Implementation

13

Key Aspects to Remember Define the term ERM and its key attributes ERM is an enterprise-wide coordinated process. Companies identify, assess, and manage all key risks to create value for all stakeholders. Thus, an up-to-date ERM approach addresses risks in all business areas and across all risk categories. It considers the aggregated impact of those risks as an interrelated risk portfolio on business goals. Contrast ERM with traditional risk management Unlike ERM, many traditional risk management approaches fail. This is because of their complexity, their silo approach and their attempt to manage too many risks at the same. Moreover, risks are commonly interpreted as “what can go wrong”. Thus, diversification effects of upside risk potentials are neglected. ERM enables an enterprise-wide risk assessment with a consistent “ERM language”. This language is understood across the company. Moreover, ERM is linked to decision-making and increases decision quality. Explain which characteristics distinguish the term risk in the ERM approach In the ERM approach, the strategic, operational, and financial causes of risks are relevant for the development of effective risk mitigation strategies. It is crucial not to confuse cause with impact. By definition, risks can both have an upside potential (better than expected) and downside potential (worse than expected). Thus, risk assessments deal with scenario development. Scenarios cover the sources and impacts of specific risks. Good risk assessments result in realistic “quantified uncertainty ranges”. These ranges include the worst and best case scenarios of each risk. Explain why ERM is important to support decision-making An integrated ERM approach enables decision-makers to include risk/return-considerations in their judgements. Companies need to consider aggregated risk exposures and contrast them with risk appetite. This makes it clear whether a company takes too few risks and misses promising strategic opportunities (and vice versa). Companies must understand how to manage their risk exposures. Successful ERM results in lower borrowing costs from better ratings, higher company value through better decisions, and greater capital efficiency. Describe the main challenges for ERM implementation ERM emerged as an important business topic in practice. Yet, major challenges still pose a threat to successful ERM implementation. A stronger focus on strategic risks is required. Many important risk sources spring from strategic choices and strategy implementation. All risks must be consistently quantified to enable prioritization and evaluation. In addition, the background and experience of risk managers determine the success of an ERM programme. A sound ERM has to cover all relevant business areas of the company, even allegedly unimportant ones.

14

1  Introducing ERM

Critical Thinking Questions 1. Why is it important to differentiate between risk and uncertainty? 2. What role do cultural aspects play for the success and value creation of ERM? 3. What types of risks have an asymmetric risk distribution? 4. What is the main purpose of the 2017 updated COSO ERM Framework? To what extent does the framework meet these intentions? 5. Why is it considered difficult to quantify strategic and operational risks?

References Beasley, M. S. (2016). What is Enterprise Risk Management? Poole College of Management, Enterprise Risk Management Initiative, 1–6. Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2017). Enterprise Risk Management – Integrating with Strategy and Performance. Jersey City, NJ: AICPA. Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2004). Enterprise Risk Management –Integrated Framework. Jersey City, NJ: AICPA. Eckles, D. L., Hoyt, R. E., & Miller, S. M. (2014). The impact of enterprise risk management on the marginal cost of reducing risk: Evidence from the insurance industry. Journal of Banking & Finance, 43 (C), 247–261. Farrell, M., & Gallagher, R. (2014). The Value Implications of Enterprise Risk Management Maturity. The Journal of Risk and Insurance, 82 (3), 625–657. Hampton, J. J. (2015). Fundamentals of Enterprise Risk Management. How top companies assess risk, manage exposure, and seize opportunity (2nd Ed.). New York: American Management Association. Hampton, J. J. (2009). Fundamentals of Enterprise Risk Management. How top companies assess risk, manage exposure, and seize opportunity. New York: American Management Association. Hopkin, P. (2017). Fundamentals or Risk Management. Understanding, evaluating, and implementing effective risk management (4th Ed.). London: Kogan Page. Hoyt, R. E., & Liebenberg, A. P. (2011). The value of enterprise risk management. The Journal of Risk and Insurance, 78 (4), 795–822. Hunziker, S. (2018). Erfolgskriterien von Enterprise Risk Management in der praktischen Umsetzung. In S. Hunziker & J. O. Meissner (Eds.), Ganzheitliches Chancen- und Risikomanagement. Interdisziplinäre und praxisnahe Konzepte (pp. 1–28). Wiesbaden: Springer Gabler. Institute of Risk Management (IRM) (2018). A Risk Practitioners Guide to ISO 31000: 2018. London: IRM. ISO (2018). ISO 31000:2018 – Risk management Guidelines. Geneva, Switzerland: ISO. Lam, J. (2017). Implementing Enterprise Risk Management. From Methods to Applications. New Jersey: John Wiley & Sons. Levy, C., Lamarre, E., & Twining, J. (2010). Taking control of organizational risk culture. McKinsey Working Papers on Risk. McShane, M. K., Nair, A., & Rustambekov E. (2011). Does Enterprise Risk Management Increase Firm Value? Journal of Accounting, Auditing and Finance, 26 (4), 641–658. Mishkin, F. S., & Eakins, S. G. (2018). Financial Markets and Institutions (9th Ed.). Harlow, UK: Pearson.

References

15

Romeike, F. (2018). Risikomanagement. Wiesbaden: Springer Gabler. Segal, S. (2011). Corporate Value of Enterprise Risk Management: The Next Step in Business Management. New Jersey: John Wiley & Sons, Inc. Smit, H. T. J., & Trigeorgis, L. (2004). Strategic Investment – Real Options and Games. Princeton: Princeton University Press. Smithson, C., & Simkins, B. J. (2005). Does Risk Management Add Value? A Survey of the Evidence. Journal of Applied Corporate Finance, 17 (3), 8–17. Schweizerische Nationalbank (SNB) (2015). Medienmitteilung: Nationalbank hebt Mindestkurs auf und senkt Zins auf -0,75%. Zürich. Vazquez, R. (2014). Five steps to a risk-savvy culture. Risk Management, 61 (9), 10–11. Verbano, C., & Venturini, K. (2013). Managing Risks in SMEs: A Literature Review and Research Agenda. Journal of Technology Management & Innovation, 8 (3), 186–197.

2

Countering Biases in Risk Analysis

Abstract

Many risk management programmes in companies are not as effective as they could or should be. This is due to many overlooked factors, such as motivational and cognitive biases. The topic of biases, although much theoretical and empirical literature exists, is rarely addressed in ERM. Many studies show that mistakes made in risk identification and risk assessment distort results. Also, decisions drawn from the risk management process may be suboptimal. In the following, we discuss some of the most important biases in risk analysis. We introduce corresponding debiasing strategies.

Learning Objectives When you have finished studying this chapter, you should be able to: • • • • •

know the different biases in risk analysis understand the importance of biases in risk analysis recognise the need to counter biases throughout the risk process understand the limitations of debiasing strategies establish some real examples for your management and employees There is always an easy solution to every human problem — neat, plausible, and wrong. (Henry Louis Mencken)

Throughout the whole ERM process, it’s crucial to recognise that some risks are not caused by exogenous events. Rather, they are triggered by people’s behaviour and © Springer Fachmedien Wiesbaden GmbH, part of Springer Nature 2021 S. Hunziker, Enterprise Risk Management, https://doi.org/10.1007/978-3-658-33523-6_2

17

18

2  Countering Biases in Risk Analysis

choices. We have to use our intellectual capacity to question our future prospects and long-lived assumptions. For this reason, we can get the means to manage the real risks to which companies are exposed (Wolf 2012). As already explained, the primary goal of ERM is to increase decision quality by analysing opportunities and risks. Such risk analyses should make decision-making in companies more transparent. They help to present uncertainties more realistically. Yet, the input factors for risk analyses are subject to biases, as the decisions too. This means that risk analyses contribute to the quality of a decision only if risk managers are aware of the most important motivational, cognitive, and group-specific biases. Biases can be reduced by taking appropriate countermeasures. Identifying and quantifying risks are two of the most important ERM activities in which risk managers and related personnel engage. Behavioural decision research over the last 50 years has found that these two risk management process steps are prone to many motivational and cognitive biases. People overestimate some risks and their corresponding probabilities and underestimate others. Biases are an inherent challenge to all decisions and rooted in human behaviour. Thus, the question in ERM activities is not whether biases exist. Rather, it is how we can manage these distortions within the riskoriented decision-making. In the following, we make a distinction between cognitive and motivational biases. The former refers to false mental processes that lead to deviant behaviour from socially well-accepted normative principles. Yet, it is believed that this type of bias is important for evolutionary reasons. The latter include conscious or unconscious distortions of opinions due to different incentives. Such incentives are social pressure, organisational environment, and self-interest (Montibeller and von Winterfeldt 2015, p. 1230). Unfortunately, the vast amount of literature has only dealt with cognitive biases. Textbooks have neglected motivational biases which are harder to account for in ERM. Often in literature, motivational biases are mistakenly classified as cognitive biases. Some of the biases of both groups can be alleviated or amplified in group decisionmaking processes. To account for the importance of group-specific activities in ERM processes (e.g. risk management workshops), a separate chapter covers group-specific biases. After the introduction of each bias, we suggest what specific measures risk managers can apply. We also discuss how to counter or drop the negative effects. These procedures and attempts to counter cognitive and motivational biases are known as “debiasing techniques”.

2.1 Motivational Biases Let us first look at motivational biases. These biases are judgments that are influenced by the desirability or undesirability of events, consequences, outcomes, or decisions in a company. This includes, for example, the deliberate attempt by experts to provide optimistic forecasts for a preferred action or outcome. Another example is underestimating

2.1  Motivational Biases

19

the cost of a project to deliver bids that are more competitive. We present below selected motivational biases that are believed to impact risk analysis.

2.1.1 Affect Heuristics Affect heuristics are a sort of mental abbreviation. People make decisions that are influenced by their current emotions. Everyone’s personal affect (a psychological term for emotional reaction) plays a crucial role. Emotions influence all kinds of decisions, large and small ones. After all, it seems obvious that someone is more likely to take risks or try new things when he or she feels happy. Likewise, individuals are less likely to make difficult decisions when they are depressed. If someone relies on the “gut feeling” to make an important decision, then we can call this behaviour affect heuristics (Montibeller and von Winterfeldt 2015, p. 1235). Affect-based assessments are more pronounced when people do not have the resources or time to think. Rather than looking at risks and rewards independently, people with a negative attitude (e.g. towards an internationalization strategy of a company) may assess their benefits (opportunities) as low and their risks as high. This leads to a more negative risk–benefit correlation than would be observed under conditions without time pressure (Finucane et al. 2000). One study for example found that tobacco, alcohol, and food additives are all perceived as high-risk and low-reward topics. In contrast, X-rays, vaccines, and antibiotics are considered low-risk and high-reward (Fischhoff et al. 1978). The important aspect of this result is that the positions have always been classified as both low-risk and highreward (or vice versa). This holds true even if some positions are actually high-risk/highreward or low-risk/low-reward. This result occurs because smoking, drunkenness, and food additives trigger negative emotional reactions. Other activities trigger positive emotions. Thus, we do not really consider the true risks and opportunities. Rather, we automatically choose the more positive option (low risk and high reward) for concepts with positive associations. And, we do the opposite for those with negative associations (The Decision Lab n. d.). Various approaches can help to reduce the negative consequences of affect heuristics. Risk managers can check whether decision-makers focus too much on a single risk assessment proposal. They can bring critical decisions to a panel with alternative viewpoints. This enables sound discussions of risks and opportunities. In this way, it is possible to avoid underestimating the risks of an idea that somebody is very attached to. Companies can also use decision-making tools that allow various factors to be weighed and evaluated. As part of risk identification, risks and potential risk scenarios should be formulated as neutrally as possible. It may be necessary that different people with different backgrounds, interests and incentives assess the same risks. For example, an ERM committee can support this. Such a committee consists of specialists and experts from different divisions and business units. This leads to a

20

2  Countering Biases in Risk Analysis

well-founded risk assessment of risk sources and financial consequences. This way, we can gain more complete assessments as compared to individual risk assessments.

2.1.2 Attribute Substitution Attribute substitution is an attempt to solve a complex problem with a heuristic attribute that is a false substitution. People involved in risk analysis may substitute a difficult problem for an easier one and without being aware of it. Attribute substitution is a generic model that is applicable in many different areas and can be remembered. Attribute substitution is the collapse of attention from a broader, complex question to one that is narrower, but more easily answered (Smith and Bahill 2009, p. 2). Attribute substitution may take many forms. Examples include the substitution of an emotion such as fear. The problem of attribute substitution is that it often causes inaccurate (risk) assessments of emotional themes. Examples of such risks are the so-called dread risks (terrorism, plane crash, pandemic). For example, individuals are offered insurance against their own death in a terrorist attack while on a foreign trip. They are willing to pay more for it than they would for insurance that covers death of any kind on that trip. Although the latter risk obviously includes the former risk. Kahneman concludes that the attribute of fear is being substituted for an assessment of the total risk exposure of being abroad. People perceive the fear of a terrorist attack as a more significant risk than the fear of dying on a trip (Kahneman 2007). Kahneman and Frederick propose three conditions for attribute substitution (2002): • It is not expected that substitution will take place when answering factual questions. Such questions can be retrieved directly from memory or from current experiences. • An associated attribute is accessible. This is either because it is automatically assessed in normal perception or because it has been primed. • Substitution is not recognised and corrected by the reflective system. For example, when asked, a bat and a ball cost CHF 1.10 together. The racket costs CHF 1 more than the ball. How much does the ball cost? Many respondents erroneously answer with CHF 0.10. One explanation of attribute substitution is as follows. Instead of working out the sum, respondents split the sum of CHF 1.10 into a large and a small amount. This is easy to do. Whether they think this is the correct answer depends on whether they check the calculation with their reflective system. Unfortunately, no simple solution for the substitution attributes in the ERM process exists. It is important to become aware of the fact that people tend to substitute simpler but related risk assessments in place of more complex risk assessments. Examples of this bias can be presented to managers and decision-makers to show their own behaviour. Some suggestions made by Smith and Bahill (2009) in the context of ameliorating

2.1  Motivational Biases

21

attribute substitution in systems engineering can be adapted to risk analysis (pp. 15–16). We can counter the risk to replace a complex risk phenomenon with an easier one as follows. It is recommended to create risk analogies of greater complexity besides the current (easy) risk scenario. The idea behind this is that the development and discussion of risk analogies of greater complexity can be useful. They offer new perspectives on the same risk. Thus, this reduces the risk to come too quickly to a too simple, substituted solution. A second (partial) remedy of attribute substitution is to draw on subject matter experts in risk analysis processes. We characterize a subject matter expert through long-lasting practical experience. This experience impacts perceptual abilities, recognition skills and enables faster decision-making. Also, experts have stronger self-monitoring capabilities. These skills allow them to recognise when they make false and too easy judgements on risks. As Smith and Bahill (2009) point out, “such non-collapsing situational awareness should serve to prevent erroneous attribute substitution” (p. 16).

2.1.3 Confirmation Bias Confirmation bias is one of the most common cognitive biases for decision-makers. This type of bias tends to interpret information based on an earlier assumption rather than letting the data speak for itself (Wolf 2012). It shows the tendency to select and consider only (risk) information that confirms our existing beliefs and assessments. For example, suppose a manager believes that men will positively respond to a new service and sends surveys to men who have tested the service. Confirmation biases can lead him to interpret this survey in a way that confirms his preconceived notion. On an organisation-wide level, the data that underlie a decision process can be flawed. Without conscious, systematic probing, data selection is prone to confirmation bias (Baer et al. 2017). The confirmation bias can occur in different stages of the ERM process. For example, this bias is prevalent in the risk identification process. Here, we face the risk that only factors confirming an initial pre-selection will be taken into account. For example, managers confirm cyber risk exposure due to the high media presence. This is despite the fact that a company has no online presence at all and is already very well prepared when dealing with the Internet. The distortion can also occur during risk analysis and quantification. Once a risk manager has carried out an assessment, facts are sought that support it. As a manager or risk manager, it is a rare luxury to have all the relevant data before making an informed decision. More often, we have to deal with incomplete information, which leaves us open to confirmation bias. To avoid this trap, it is recommended to take some time before making important decisions. We have to ask ourselves what would have happened if we had made the opposite choice. One approach to counter that bias is to collect specific data to defend an opposite view of specific risk scenarios. Later, we compare it with the data that supported the first risk assessment. Next, risk managers can

22

2  Countering Biases in Risk Analysis

reassess the decision against the larger record. Still, the perspectives may be incomplete, but the risk assessment will be much more balanced (Redman 2017). To further reduce the confirmation bias, risk managers should review the following countermeasures. We recommend that different subject matter experts on the same topic are involved when making decisions on risks. For example, when it comes to probability assessments, it is worth having the same risk scenario assessed by different experts. It is also advisable to remove the time pressure from decisions. We should spend enough time on important risk/reward decisions. This holds true specifically for decisions that have considerable consequences on business goals. Finally, sound corporate culture may also be supportive of countering this bias. It enables different views and opinions to support critical engagement with risks.

2.1.4 Desirability of Options and Choice Desirability bias refers to the tendency to give desirable answers. Yet, we prefer answers that reflect true views in risk assessments. The distortion of responses due to this personality trait may become an important issue. This is the case when management discusses unwanted risks or risks that may jeopardise a project. If a person knows that he or she is being monitored, it is more likely that he or she will state the risks that are known or easy to manage. This distorts the risk-relevant data (Grinnell and Unrau 2018, p. 488). The bias leads to over- or underestimating of probabilities, consequences, values, and weights in a direction that favours the desired alternative (Montibeller and von Winterfeldt 2015, p. 1235). Precautions should be taken to mitigate the negative effects of the desirability of options. It helps (again) to involve different stakeholders in decision-making situations (Montibeller and von Winterfeldt 2015, p. 1235). With regard to ERM, risk managers can consult different opinions of experts from other departments or business units. Experts can also confirm the collected risk scenarios and associated risk data. It is advisable to put in place incentives and responsibilities that fundamentally reduce this bias. Those people who are responsible for achieving business goals are more focused on a comprehensive analysis of the risks. Besides, it is a crucial task to ask the right questions in the consciousness of this bias. Thus, suggestive questions should be avoided. It is also important to create a corporate culture in which risks can be (honestly) discussed. This includes ensuring that the disclosure of risks has no negative impact on employees. This means that the level (impact) of the risks would play only a minimal or no role when it comes to payment. Rather, companies need to assess the far-sighted management of accepted risks to pursue business goals. Presenting concrete examples of such biases at the beginning of a decision also increases awareness.

2.1  Motivational Biases

23

2.1.5 Optimism This cognitive bias occurs when the desirability of a result leads to an increase in entry expectations. It is often referred to as “wishful thinking” or “distortion of optimism”. The bias is particularly evident when people assess the impact or consequences of a risk scenario. It is the tendency to judge positive results too optimistically. Also, it means the tendency not to identify negative results or to not see them completely (Emmons et al. 2018, p. 58). Thus, unwanted optimism can lead to unnecessary risks being taken. For example, we usually underestimate the risk of being involved in a car accident or falling ill. At the same time, we expect to live longer than is indicated by reliable data. We also think that we are more successful in our job than we are (Sharot 2011, p. R941). The same distortion we also see in everyday business or in projects. Many large projects are budgeted far too low because decision-makers face an optimism bias. This often has negative financial consequences. Despite this, some of today’s elementary buildings would hardly have been realised if cost truth had prevailed right from the start. So, this distortion can also have positive effects. The following factors make the optimism bias more likely to occur (Cherry 2018a). • Infrequent risk scenarios are more likely to be influenced by the distortion of optimism. People tend to think that they are less likely to be affected by events such as floods just because they are usually not everyday events. • People experience the distortion of optimism more when they think that the events are under the direct control of the individual. It is not the case that people believe that things will work magically, they rather think that they have the skills and know-how to do so. • The distortion of optimism is more likely to occur when people perceive negative risk scenarios as unlikely. For example, if a person believes that companies rarely go bankrupt, they are often too optimistic about these specific risks. Research has shown that people who are anxious are less likely to be confronted with the optimism bias. It has also been found that experiencing certain risk events can reduce the distortion of optimism. Related to ERM, the occurrence and consequences of risk can thus reduce the value of experience and thus the optimism bias. After all, it is less likely to experience the bias if one compares one’s behaviour with that of others in decisionmaking situations. In this context, it can help to establish valuation rules and place hypothetical bets against the desired event (Montibeller and von Winterfeldt 2015, p. 1235). Researchers also have tried to help people reduce the distortion of optimism. Specifically, they recommended people healthy behaviours and reduce risky behaviours. Yet, they have found that reducing or eliminating this bias is indeed difficult. Attempts to reduce the optimism bias through measures such as educating participants about risk factors, encouraging them to consider risky examples, and educating subjects have led to little change (Cherry 2018a).

24

2  Countering Biases in Risk Analysis

In the context of risk analysis, the following approach might reduce the optimism bias. Like the previous biases, it is crucial to take an outside view on risk scenarios. This can be achieved by considering more perspectives of experts. One effective approach that supports this idea is called “prospective hindsight”. Participants of risk assessments imagine that a specific business goal has not been accomplished. Afterwards, they identify all possible risks of why this happened. This exercise enables people to identify risks and opportunities in their assessments that may not come to mind otherwise (see similar Singh and Ryvola 2018).

2.1.6 Transparency Bias Gleißner (2017) states that a transparent identification and presentation of risks is not always in the personal interest of each manager and decision-maker (p. 14). We can find various reasons for this that lead to both conscious and unconscious non-identification of risks. For example, we can assume that people who are prepared to take fraudulent (business-damaging) actions do not support complete transparency. They do not want past fraudulent actions to be uncovered, nor do they want such actions to be thwarted in the future. Furthermore, the transparent presentation of risks can weaken a manager’s own position. It is possible that some projects would be discontinued if all risks were presented transparently. If an employee or even a manager is dependent on a project and wants to advance his or her career with it, we may assume a conscious non-identification. But a lack of communication about the benefits of ERM can also lead to uncertainty on the part of employees, who consciously and unconsciously conceal risks. Increasing managers’ motivation to be accurate is a key remedy. This can be done by making them aware of potential biases, or by incentivizing them for the accuracy of their feedback. Rewards for accurate feedback on risks and rewards do not sound intuitive at first. The key idea here is to reward people to be more transparent and precise about risk, independent from the scale (impact) of the risk. Companies can offer training, bonuses, or other incentives for increasing transparency in risk assessments. If such incentive systems are established, superiors can also recognise who is reporting honestly and correctly. This may also help to increase visibility. Gamification might be a very promising approach to counter transparency bias. In fact, very little research on the relationship of game mechanisms and ERM transparency is available. Yet, motivating people to be transparent in risk assessments could be enhanced. Companies could award specific “transparency rewards”. Collecting points, unlocking new levels, receiving fictitious titles, and other approaches could play an important role. Internal and external leaderboards support these transparency efforts. In this context, it is important that companies put in place incentives not only at the individual level but also at the team and department level (Hossain and Li 2013).

2.2  Cognitive Biases

25

2.2 Cognitive Biases Cognitive biases are systematic errors in thinking that may affect input into decisions and judgments. From an evolutionary standpoint, these instincts provide mechanisms to make rapid decisions in important and complex situations. These decisions are based on before observed patterns (Rees 2015, p. 12). One must be careful not to confuse cognitive biases with logical fallacies. A logical fallacy is based on an error in a logical argument. Yet, cognitive biases are related to false thought processing. This often arises from challenges with attention, attribution, memory, or other mental stumbling blocks.

2.2.1 Anchoring Bias To arrive at a decision an individual often starts from an anchor number and then adjusts that number or estimate by correcting it up or down (Wolf 2012). A decision-maker must be careful not to use this as a shortcut that can lead to wrong decisions. People have the habit that they like to think automatically. Sometimes we avoid making decisions because it is too much of a burden. Anchoring could be an easy way to make decisions based on one piece of information. Decision-makers may focus on or give too much weight to one piece of information without considering other crucial factors. This can lead to serious mistakes (Friedman 2017). Information overload and lack of time make people more susceptible to anchoring. If there are no clear points of orientation available to decision-makers, they prefer to seek an anchor. Sometimes, no anchor is available. Then, decision-makers consider the first piece of information when figures, statistics, or other information is presented. Any projection of the future is to some extent based on historical data and also includes some anchoring. The balanced and conscious decision-making on risks and rewards is a centrepiece of ERM. Thus, it is important that risk-based decisions are not based on anchors that may bias risk perception and risk assessments. Example

Anchoring is not a curiosity only occurring in research laboratories. It can be as powerful in the real world. In an experiment conducted a few years ago, real estate agents were given the opportunity to assess the value of a house. This house was for sale. They visited the house and studied a comprehensive information brochure containing a price claim. Half of the brokers saw an asking price that was higher than the list price of the house; the other half saw one that was lower. Each broker expressed an opinion about a reasonable purchase price for the house. Also, they provided the lowest price at which they would sell the house if they were the owner.

26

2  Countering Biases in Risk Analysis

The research asked the estate agents about the factors that affected their judgment. The asking price was not one of these factors; the brokers were proud of their ability to ignore them. They claimed that price demands did not influence their answers, but they were wrong. The anchoring effect was 41%. In fact, knowledgeable practitioners were almost as vulnerable to anchor effects as students of business administration. Students’ index was 48% and they had no real estate experience. The only difference between the two groups was that the students admitted to having been influenced by the anchor. The professionals denied this influence (Kahneman 2012). Several measures are available to deal with anchoring. Risk managers can consider a specific reference point for information when preparing decisions. It may be essential to set an anchor based on current knowledge and financial goals. Yet, there must be a will to adapt it to changing circumstances. It is important to consider and discuss the underlying fundamental data and assumptions which led to a specific anchor. Also, risk managers must ensure that risk assessments remain flexible. They need to be open to new sources of information during workshops or interviews. They must be aware of that bias in risk analysis. In the best case, they do not provide interviewees with specific anchors before risk assessments. A skilled risk manager can ask relevant questions that can reveal a company’s anchoring behaviour. Are risk assessments carried out so that a discussion between different opinion leaders has led to consensus? Are risks assessed on a neutral basis without specifying anchor numbers or anchor data before the risk assessment? Are risks discussed with an advocate who argues against the first consensus in risk workshops? Taking into account these aspects may help to counter the anchoring bias (Kent Baker and Puttonen 2017, pp. 118–119). ◄

2.2.2 Availability Bias As suggested by Tversky and Kahneman (1973), a persistent cognitive bias that has special relevance for risk perception is known as availability. Leaning on frequently occurring (risk) events is an often applied shortcut when trying to predict the future and make decisions when faced with risk and uncertainty (Wolf 2012). Availability is also affected by many factors unrelated to the frequency of occurrence. An example of availability is the extent to which individuals are influenced by their memories and perceptions of past events in the discussion about (future) risks and opportunities. Due to the availability bias, many risk assessments are distorted. For example, we tend to overestimate the risk of earthquakes, thunderstorms, or fires. At the same time, we underestimate strategic or operational risks such as increasing customer complaints or systematic bottlenecks at the management level. Topics often covered by media and press are often much rarer as people think. Spectacular risks are much more present in our brains than the opposite.

2.2  Cognitive Biases

27

Example

Many people with access to the Internet, TV, or radio have read and heard a lot of information about the COVID-19 crisis. It is interesting to note how the negative and critical news influence people in their judgment. People start to change their minds about the severity of the crisis. A high amount of negative information stored in our brains affects how we assess the COVID-19 risk. We are able to easily retrieve this very negative information (high “availability”). This in turn tends to lead to a (too) pessimistic probability of a devastating outcome of the COVID-19 crisis. The availability bias may for example affect the board. As a rule, there is usually an intense discussion about what management presents, e.g. quarterly figures such as revenues and EBIT. More important topics such as a skilful product launch by the competition, increased employee turnover, or an unexpected change in customer behaviour are rarely discussed. Yet, these neglected topics can pose significant threats to the company, i.e. can become strategic risks. We can suggest the following points as countermeasures. It may be worth to offer basic courses and training on how probability estimates can be assessed not based on past events and experience. Providing counter-examples can also be used to show the effect of availability biases. In this context, risk managers can address the challenge of assessing risks prospectively instead of retrospectively. Risk managers can set high standards for “neutral thinking” in risk workshops. They can ask questions to uncover potential availability distortions as follows. What happened in the past? Has this risk occurred once or several times in the past? What type of risk mitigation has been performed after this risk? Is this risk still relevant in the future? In summary, we conclude that experts and risk manager who assess risks should pay attention to past information that flows into scenario development (Montibeller and von Winterfeldt 2015, p. 1233). Also, companies can consider different perspectives of various persons involved in risk assessments. A risk manager may form a team with different experiences and perspectives. This countermeasure itself will limit the distortion of availability as people usually question each other’s natural thinking. It can be worth considering also external perspectives that do not exist within the company. ◄

2.2.3 Dissonance Bias An incompatible opinion (e.g. risk assessment) with our existing way of thinking creates discomfort. Our minds cannot deal with contradictory ideas at the same time. This discomfort is called cognitive dissonance. The result is the urge to discredit or ignore information that does not fit the current way of thinking. Thus, it is conceivable that information about downside risk is ignored. This is because it contradicts the potential

28

2  Countering Biases in Risk Analysis

opportunities (rewards). Avoiding this dissonance can affect the quality of decisions under uncertainty. Cognitive dissonance in the workplace is unfortunately widespread. It is a major source of stress for professionals in organisational support functions such as risk management. We can find many examples and scenarios that can lead to cognitive dissonance. These examples range from inappropriate and poor leadership practices to tasks that are not consistent with procedures, norms, training, or personal values. If confronted with contradictory beliefs and practices and the pressure to tolerate them, these professionals often experience deep personal dissatisfaction (Celati 2004, p. 58). A first step in overcoming and eliminating dissonances is awareness. Risk managers are must address them in risk management workshops or interviews. Skilled risk managers can try to identify existing and potential dissonances. Role-playing exercises can create comfort and confidence, which in turn reduces dissonance. Another approach is asking trusted people to review their own actions and beliefs and suggest alternative courses. Successful risk managers seek feedback from others. They consider different opinions in risk assessments (Kent Baker and Puttonen 2017, p. 121).

2.2.4 Zero Risk Bias The zero risk bias describes individual’s preference for options to reduce small risk to zero over a greater reduction in larger risks. In other words, we tend to have a preference for the absolute certainty of a smaller benefit (i.e., complete elimination of risk) to the lesser certainty of receiving a larger benefit. We observe this bias by risk averse people and managers. Risk averse decision-makers prefer small benefits which can be realised to large ones which are less certain. For risk decision-makers, it is crucial having knowledge about this bias. Example

Scientists identified a risk-free bias in the responses to a questionnaire about a hypothetical cleaning scenario. The scenario involves two dangerous sites X and Y. X causes 8 cases of cancer and Y causes 4 cases annually. Respondents can choose among three remedies. Two options reduced the total number of cancer cases by 6. The third option reduced the number by 5 and completely eliminated the cases at site Y. While the latter option had the worst reduction, 42% of respondents rated it better than at least one of the other options. This conclusion was similar to an earlier economic study, which found that people were willing to bear high costs to cut a risk completely (Baron et al. 1993). This bias can occur at various stages in ERM, whenever we have to weigh options. To reduce the risk of a disaster from 5 to 0% (i.e. to completely exclude it), people would invest a lot more than they would to reduce it from 10 to 5%. This effect shows

2.2  Cognitive Biases

29

that people attach irrational importance to unlikely events. Particularly about risk mitigation efforts, this bias can have a considerable impact on costs. A general solution for zero risk bias is not known. It is essential to be aware that there is no such thing as complete security, i.e. zero risks. One way to reduce this bias is to avoid so-called “sure things” in utility elicitation and separate value from utility elicitation. It can also be useful to examine the relative risk attitude and to point out possible misinterpretations. In summary, it is often not ideal to completely drop one risk. Instead, a balanced risk portfolio that yields a greater aggregated relative risk reduction is more efficient and effective than focusing on full risk mitigation. ◄

2.2.5 Conjunction Fallacy People consider the conjunction (joint occurrence) of two risk events more likely than the constituent risk event. This holds true specifically if the probability assessment is based on a reference case similar to the conjunction. Conjunction errors occur when we assign a higher probability to a risk event with higher specificity. This violates the laws of probability. Consider the following example from tennis: • • • •

A: Roger Federer will win the game B: Roger Federer loses the first set C: Roger Federer will lose the first set, but win the match D: Roger Federer wins the first set, but loses the match

Different studies by Kahneman show that people arrange chances by contradicting the laws of logic and probability. Let us consider the tennis example. The critical points are B and C. B is the more comprehensive event and its probability must be higher than that of an event it contains. In contrast to logic, but not representativeness or plausibility, 72% of the respondents gave B a lower probability than C. Yet, the loss of the first set is by definition always a more likely event than the loss of the first set and victory in the game (Tentori et al. 2013). The following example rooted in the insurance industry further illustrates the conjunction fallacy. Example

Let us assume people are given the opportunity to take out air travel insurance shortly before the flight. In this case, they are willing to pay more for insurance covering terrorism than insurance covering any cause of death from air travel (including terrorism). Insurance that only covers terrorism should be worth less than insurance that covers terrorism and other risks (see Fig. 2.1). This effect can be explained by the imagination of humans. We can better imagine a particular risk event than broader,

30

2  Countering Biases in Risk Analysis

Terrorism insurance

Insurance for any cause of death

Insurance for causes of death other than terrorism

Fig. 2.1  Intersection example from the insurance industry

combined risk events. This leads to the fact that we are more likely to expect that concrete single event (Hubbard 2009, p. 100). ◄ In business, we are often prone to conjunctional errors because we face so much supportive context. For example, we hear rumours that company budgets are about to be cut. Or, that a senior executive in our department is considering leaving the company. We consider each of these events unlikely—perhaps a 33% chance of budget cuts and a 25% chance of the executive leaving. But if we hear both rumours at the same time, our intuition that both events will happen is pretty high—50% or more. To reduce conjunction fallacy, risk managers should illustrate the logic of joint probabilities with Venn diagrams. They need to provide concrete examples to participants of risk workshops or interviews. Employees need to understand the bias and its relevance to decision-making. Here is one approach to uncover the conjunction fallacy. We first assess each probability of both events. Then, we estimate the conditional probability of one event, given that the other event occurs. Let us assume a company faces important decisions that include several risk scenarios. Then, it is helpful to discuss the probabilities of these scenarios with several experts within and outside the company.

2.2.6 Conservatism Bias Conservatism bias is a mental process whereby people hold on to their previous views or predictions. This is done at the expense of accepting new information (Edwards 1982). Suppose a trader receives bad news about a company’s earnings. This news contradicts another profit estimate from the previous month. Decision-makers can take a conservational approach to minimise risks. Yet, this bias can result in lower profits. Avoiding bizarre and unhealthy risks should be the goal. At the same time, we should increase prudent risk-taking, which does not lead to greater risk exposures.

2.2  Cognitive Biases

31

For example, there is a tendency to overestimate the probability of low-probability, high-impact. At the same time, a conservative mindset may not take into account the reality that most operational risks are higher-probability risk scenarios. It is important to note that the conservatism bias seems to contradict the representativeness bias. The latter refers to an overreaction to new information. Yet, the distortion of conservatism refers to an underreaction to new information. Risk managers can easily reduce conservatism bias. They need to review new information to determine its value over previous beliefs. So, they seek unbiased advice. If new information is difficult to discover, verify, or explain, opinions by experts become more important. But, risk managers should analyse and review every new piece of information—it may reduce uncertainty. Another approach is to make the thinking process more flexible. This means that people need to learn to let go of previous beliefs. Specifically, when risk managers confront them with credible evidence that contradicts existing opinions. People ignore information because it is difficult to understand, such as math or statistics). In this case, risk managers must take the time to translate this information into “business language”. Also, they can involve experts who can help check these new pieces of information.

2.2.7 Endowment and Status Quo Bias Another type of cognitive bias is the status quo bias. People prefer things to stay the way they are, or that the current state remains the same. They ask to get paid more for an item they own than they are willing to pay for it when they do not own it. Their disutility for losing is greater than their utility for gaining the same amount (Montibeller and von Winterfeldt 2015, p. 1235). This distortion can affect human behaviour and is of interest in many areas of sociology, politics, and economics. The evidence from a large number of experimental studies demonstrates the endowment effect. In simple versions of such experiments, half of the participants received a particular object. For example, they got a lottery ticket, a chocolate bar, or a pen. The other half received equal monetary value. Participants are allowed to swap the object and the money, either with the experimenter or with each other. This depends on the particular experiment. Yet, the number of trades is usually lower than expected, and the vast majority of participants prefer to keep what they received. For instance, the pens were worth more money to those objects who started with pens than to those who started with money. This behaviour is usually regarded as a consequence of the effects of “loss aversion” and the “status quo” bias. In politics, the status quo bias is also often used to explain the conservative way of thinking. People who describe themselves as conservative tend to focus on preserving traditions and keeping things as they are. This avoids risks associated with change but also misses possible benefits that change could bring. Of course, as with many other

32

2  Countering Biases in Risk Analysis

cognitive distortions, the status quo bias has a benefit. Since it prevents people from taking risks, the bias provides some protection. Yet, risk avoidance can also have negative effects. This is the case when the alternatives offer more safety and benefit than the current state (Cherry 2018b). Debiasing endowment and the status quo are difficult in practice. Risk managers could explain that the status quo is not relevant for future decisions on risks and rewards. When for example discussing project risks, he or she can show that sunk costs should not play a role in the risk analysis and decisions (Montibeller and von Winterfeldt 2015, p. 1235).

2.2.8 Framing Framing effects mean that people’s response to information is influenced by how information is presented (Wolf 2012). We can reverse people’s preferences by appropriate information design. As in prospect theory, framing often comes in the form of profits or losses. This theory shows that a loss is perceived as more significant and thus more avoidable than an equal gain. In the hierarchy of choice architecture, a safe profit is preferred to a probable one and a probable loss to a safe loss. Decision-makers can phrase decisions in such a way that they highlight the positive or negative aspects of the same decision. Thus, they bring affect heuristics to the fore. The following example can illustrate the framing effect: Example

“Participants enjoyed a film of a traffic accident and then answered questions about the event, such as follows. About how fast were the cars going when they contacted each other? Other participants received the same information, except that the researcher replaced the verb ‘contacted’ by either ‘hit’, ‘bumped’, ‘collided’, or ‘smashed’. Even though all the participants watched the same film, the wording of the questions affected their answers. The speed estimates (in miles per hour) were 31, 34, 38, 39, and 41. One week later, the experimenters asked the participants whether they had seen broken glass at the accident site. Although the correct answer was ‘no,’ 32% of the participants who were given the ‘smashed’ condition said that they had. Hence, the wording of the question can influence their memory of the incident.” (Memon et al. 2003, p. 118). ◄ Risk managers can reduce framing effects by trying to “see through the frame”, or rather, to look at things more objectively. This task is difficult. People may have incentives “nudging” others in a certain direction or decision by the way they present information. For example, division managers try to convince the management of their successful

2.2  Cognitive Biases

33

projects. Or they introduce new risk mitigation measures. They do so by advertising and presenting them positively (Kent Baker and Puttonen 2017, p. 121). It seems important in this context that incentives exist not only at the individual level but also at the team and department level. Another option is to get a second opinion from a person who is not involved in the decision-making process. In most cases, the latter can look at the different options from a more neutral perspective. Finally, research shows that if people feel happy, framing effects can be reduced (Cassotti et al. 2012).

2.2.9 Gambler’s Fallacy Tversky and Kahneman introduced the gambler’s fallacy as a result of heuristic representativeness in the 1970s. It arises from the belief in the law of small numbers. Irrelevant information about the past is important to predict future events. If a random event has occurred several times, we tend to predict that it will occur less frequently in the future. Thus, the results balance out on average. This, we do not realise that small samples are often not representative of the population (Sun and Wang 2010, pp. 124– 125). This error must be taken into account in particular in risk analysis and risk scenario quantification. Gambler’s Fallacy and the hot hand fallacy are closely related but somewhat different. The hot hand fallacy refers to the phenomenon that past successful events (e.g. nonoccurrence of risks) will be continued because of past success. For example, because no risk occurred in the last three years, we are more likely to think that no risk will occur in the fourth year. The Gambler’s Fallacy applies in case we expect a reversal of the results, not for the continuation of a certain result. Today, a large number of risk decisions are influenced by data analysis. McCann (2014) noted that with the increasing dependence on data analysis results, players’ mistakes are becoming more and more apparent. For example, people tend to observe and identify certain patterns in data, even if the data contains only random events. To reduce Gambler’s Fallacy, it is advisable to impart basic statistical knowledge to employees. Managers who make important decisions need to know and understand statistical fundamentals. Knowledge about the probability logic and the independence of events can lead to better decisions. Risk managers can identify typical examples of mistakes and present them to management and employees (Montibeller and von Winterfeldt 2015, p. 1236).

2.2.9.1 Hindsight Bias Hindsight bias describes the tendency to perceive events that have already occurred as having been more predictable than they actually were before the events materialized. People overestimate their ability to predict past events. This holds true even if the outcome was completely unpredictable (Wolf 2012). The bias arises because it is difficult for people to separate what they currently know from past experience. Although

34

2  Countering Biases in Risk Analysis

hindsight bias is now widely accepted, researchers still discuss the underlying mechanisms. The problem with this bias is that we believe that the causes of past events were simpler than they actually were. Understanding this distortion is thus essential so that we can learn from our experiences and mistakes. Areas in decision-making that is very likely to be affected by hindsight bias are the control phase and the environmental scanning phase (Barnes 1984, p. 130). Typical examples of this bias refer to strategic decisions. For example, only a few companies in the media and clothing industries have relied on internet commerce. In the meantime, many traditional companies from these sectors have gone bankrupt. We may ask why these companies were not also relying on the internet. Yet, at the time of the strategic decision, it could not yet be foreseen that this would be the right decision. One way to deal with this bias is to admit that companies are susceptible to hindsight bias. Risk managers need to remind all employees that the future is unpredictable. People are not able to predict risk scenarios based on their past experiences. Risk managers should use objective data to complement risk assessments. Also, it may be worthwhile to review risk scenario assumptions with the support of (outside) experts. In summary, risk managers and decision-makers should weigh different alternatives against each other. They need to understand that situations change.

2.2.9.2 Outcome Bias We have to pay attention not to confuse hindsight bias with outcome bias. At first glance, these two biases seem to be quite similar. Closer examination reveals significant differences. The outcome bias is a cognitive distortion in evaluating the quality of a decision when the outcome of that decision is already known. Outcome bias is a challenge for risk managers. It leads people to repeat poor decisions based on outcomes rather than on the decision process applied to get this outcome. Outcome bias occurs when the same “behaviour produce[s] more ethical condemnation when it happen[s] to produce bad rather than good outcome, even if the outcome is determined by chance” (Gino et al. 2009, p. 2). It affects decision-makers and particularly risk managers. The quality of a risk assessment must be assessed at the time of the decision. In practice, yet, this correct procedure is not always rewarded. Decisions can be completely controlled and made by management. Yet, future risks that originate from these decisions are beyond the control or at least not fully controllable. Hindsight, management often uses insufficient, unclear risk analyses as excuses for poor results. This would only make sense if the decision did not cause any uncertainty. In most cases, this is an unrealistic assumption. The following example illustrates the outcome bias. Example

In the context of the COVID-19 crisis, it is an unrealistic assumption that all decisions cause certain outcomes. Thus risk managers need to develop risk scenarios that include all financial consequences. They must quantify all possible ­uncertainties

2.2  Cognitive Biases

35

attached to a specific decision. This information must be made available to the decision-maker at the time of the decision (and not afterwards). At the beginning of 2020, Switzerland and many other countries were hit by the COVID-19 pandemic. The Swiss government took action and enacted a lockdown in spring 2020. This decision was criticized by many business representatives, professional organisations, and members of the public. Many claimed the lockdown was disproportionate and COVID-19 was no worse than the normal flu. The opponents of the lockdown also referred to the low fatality rate in Switzerland. Have they been right and our government wrong? The proper approach to check the decision quality of the government is to look only at the information available at the time they acted. Thus, there is good news for the government. What did the government know at the time they made their lockdown decision? What were its goals with that decision? Did they consider the best available information to back their decision? At the time of the decision, we had known that the case fatality rate is roughly 1%, which is ten times higher than the normal seasonal flu. We have had experience of five near-miss pandemics in the first two decades of the twenty-first century with fatality rates of 10% or more (SARS, H5N1 influenza, MERS, H7N9, and Ebola). In each case, a slightly different version of the virus could have resulted in a global lockdown and similar economic disaster. In other words, we need to know facts that happened in the past to judge the decision quality. If we wait to learn how things turn out before assessing decision quality, we are prone to criticize the government for not having had a crystal ball (Kozyrkov 2020). Risk managers can help to overcome this bias. They need to assess past decisions, actions, and outcomes. It is important to explain why we need to focus on the decision rather than on the outcome. A few questions could support this: What reasons led to the decision? What kind of information did management have at that point? Did we apply a best-practice process to make the decision? Did we consult experts outside the organization? Did we use the best available information? Did we take the decision at the right time? Risk managers can support the evaluation of the decision process. They can contribute to the understanding of process versus outcome. If decisions lead to an unfavourable outcome, it can be useful to reanalyse them. This must be done from the decision maker's perspective at the time the decision was taken. Risk managers can support the assessment of the decision quality. They can suggest future decision analysis standards (Baron and Hershey 1988, p. 578). ◄

2.2.9.3 Overconfidence This bias describes the decision-maker’s overestimation of his or her own abilities. This can occur in the form of the overestimation of one’s own abilities and overestimation of one’s own knowledge. The overestimation of one’s own performance often occurs. For example, most drivers consider themselves to be better than average. Yet, it is not possible that more than half of the drivers are better than average. We use the term more often for the second form of overestimation. Decision-makers are overconfident with their own judgements. Yet, reality often holds larger uncertainty.

36

2  Countering Biases in Risk Analysis

Overconfidence often occurs in the form of providing too narrow intervals and ranges. People are confronted with difficult factual questions and asked for their answers. This is done by giving the best answer together with a 90% confidence interval. Because the given interval is often too narrow, the true value is often missed (Shefrin 2016, pp. 62–63). This phenomenon is also called “miscalibration”. Economist Philip Tetlock spent 20 years studying forecasts done by experts. These predictions refer to the economy, stock markets, wars, and other issues. He found the average expert did as well as random guessing or as he put it “as a dart-throwing chimpanzee”. Tetlock believes forecasting can be valid when considering a long list of conditions. These include humility, rigorous use of data and a ruthless vigilance for biases of all types. He believes it is possible to predict the future under certain circumstances. He claims that any intelligent, open-minded, and hardworking person can cultivate these skills. This is a challenge at the heart of the whole risk industry (Tetlock and Gardner 2015, p. 6). To overcome overconfidence bias some selected debiasing strategies can help. Risk managers should declare probability training obligatory for risk owners and decision-makers. Risk managers can start the risk assessment with extreme risk estimates (low and high). This procedure avoids central tendency anchors (Montibeller and von Winterfeldt 2015, p. 1233). They can develop counter-arguments that challenge the underlying values and assumptions. Also, it is a great idea to consider constructive criticism from trusted people. This can serve as a very important step to reduce overconfidence. Criticism is not always right. Yet, risks managers and risk owners get some food for thought to challenge their own risk perception.

2.2.9.4 Perceived Risks Psychologist Paul Slovic has dealt with the question of why opinions of risk experts differ from those of non-experts. Understanding these differences and the ability to articulate them is a critical skill that risk managers must have (Shefrin 2016, p. 56). Slovic points out that risk managers, when assessing risks, tend to focus more on specific variables such as expected death rates. He points out that non-experts rely more on intuitive risk assessments (risk perceptions). Yet, these can be very different from expert judgements. The risk perception of non-experts is influenced by two factors, dread risk, and unknown risk. Dread risk includes dread and many other considerations such as perceived lack of control, fatal consequences, catastrophic potential, and unequal distribution of costs and benefits. In the context of dread risk, he mentions serious events such as Chernobyl and Fukushima. Unknown risk is the lack of familiarity. This means that an activity or technology has new, unobservable, unknown, or delayed consequences. For example, the public assesses nuclear power as much riskier than risk experts. The difference can be attributed to both dread risk and unknown risk. Dread risk is very complex

2.2  Cognitive Biases

37

to deal with. In this context, perceived control is an important issue. Psychometric research shows that people tolerate voluntary risks (e.g. skiing) more than involuntary risks (e.g. food preservatives). Unknown risk is relevant because people are afraid of the unknown (Shefrin 2016, p. 58). Risk managers can handle perceived risk by using two different risk reduction strategies. The first strategy is to reduce uncertainty by seeking information. To achieve this, a company-wide information system is important. Such a system can collect objective risk information and make it available to employees. It also supports risk assessments by providing useful questions as follows. How often in 10 years will a major problem with a nuclear power value occur? How often will we have a supply bottleneck in the next 10 years? We can change the wrong risk perception only be with the necessary experience and the acquisition of knowledge. The second strategy is to reduce vulnerability by reducing risk exposure (Al-Shammari and Masri 2016, p. 248). Risk managers need to support risk owners with risk identification and risk assessment interviews. For inexperienced people, it is important to have a mentor (risk manager) who helps to assess risks more objectively.

2.2.9.5 Ambiguity Aversion Ambiguity aversion (uncertainty aversion), is rooted in decision theory. It means that people favour the known over the unknown. Ambiguous risk scenarios contain a larger degree of uncertainty than “known” risks. Both the outcome and the probability of the occurrence of that outcome are uncertain. As a consequence, the expected risk and reward too. For risk manager, this means that decision-makers tend to prefer known risks over unknown risks. For example, management needs to make a decision about two strategic choices. It is then more likely to choose the option with a known probability of success. This holds also true even if the known probability is very low. Ambiguity-averse management dislikes choices where the probabilities are unknown. This behaviour was empirically tested in an experiment known as the Ellsberg paradox. Let us assume there are two bags each with a mix of 100 red and black marbles. We ask a manager to pick a ball from one of two bags with the opportunity to win CHF 1000 if red is drawn. In one bag, the manager knows that 50% of the marbles are red and 50% are black. The mix of red and blue marbles in the second bag is unknown. Based on ambiguity aversion, the manager favours picking from the bag with the known marbles’ mix than from the one with the unknown mix (Ellsberg 1961). Researchers showed that ambiguity aversion is also present in practical decision-making situations. For example, people tend to avoid medical treatments if the risks associated with them are less known (Berger, et al. 2013). Also, ambiguity aversion helps to explain why many people are reluctant to take part in the stock market. One reason for this is that stock markets do not follow an ex-ante known risk distribution, rather they have unknown risks (Easley & O’Hara, 2009).

38

2  Countering Biases in Risk Analysis

2.2.9.6 Dread Risk Bias A dread risk is a risk event that can kill many people at once, such as a terrorist attack, a hurricane, a pandemic or an earthquake (Bodemer et al. 2013, p. 1). We define it as a “low-probability, high-impact” risk. Compared to other types of risk, people react very strongly to dread risks. For example, in the aftermath of the 9/11 terrorist attacks (dread risk), many Americans avoided air travel and drove by their cars instead. Yet, the risk of getting involved in a car accident is larger than the risk of an airplane terrorist attack. This also holds of dying in an airplane accident in general. People changed their minds about the safety of air travel, both in terms of risk perception and risk avoidance (Gigerenzer 2004, p. 1). Risk managers need to understand the reasons for this bias. Research shows that risk perception is highly dependent on the following three criteria. The degree of controllability, the catastrophic potential, and the severity of the consequences. Dread risks are in most cases beyond control, lead to many deaths, and cause severe human (and financial) impact (Slovic 1987). Another reason is that people lack statistical information to assess these risks (Gigerenzer et al. 2009). The COVID-19 pandemic as a “dread risk". The opposite of “dread risks” are socalled “continuous risks” (Bodemer et al. 2013, p. 1). The distinction between the two types of risk is based on the time horizon and the mortality per unit of time. The COVID19 crisis leads to many deaths within a short time. The same number is also reached (or overtrumped) by road traffic or incorrect medical treatments in hospitals over a much longer period of time (“continuous”). We perceive continuous risks much less spectacular. This leads to less media attention. A simple example makes this effect more tangible: Many people are more risk-averse towards social distancing. People fear the risk of a COVID-19 infection more than the risk of a car accident when driving to the mall. There is no silver bullet to counter the dread risk bias. It is important not to focus too much on these low-probability risks. In other words, often less prominent risks are more relevant to the company. Risk managers that are aware of the dread risk bias can challenge the relative importance of these risks. They can guide the discussion towards other risk types. 2.2.9.7 Normalcy Bias The normalcy bias is trappy. It causes people to be unprepared for pandemics, natural disasters, and catastrophes. This bias is well-known for disaster-risk prevention specialists. They use examples of this availability heuristic to show that we tend to assess our near term future based on our past experiences. People tend to resist disastrous events because their brains are not wired to simulate and project a normal environment. This can lead to underestimating the likelihood of an event and its impact. This, the normalcy bias is a coping mechanism that occurs when we attempt to recognize and manage very harmful risk events. Good examples for this are the COVID-19 crisis, earthquakes, and tsunamis. Most of the time, people live and manage “normal” situations or states. This in turn leads to too optimistic thinking that the normal situations will persist (Murata and Yoshimura 2015, p. 3901). Also, a demonstrative exhibition of this bias is to (publicly) doubt the legitimacy of a crisis by citing conspiracy theories.

2.3  Group-Specific Biases

39

Example

Switzerland has not faced any disastrous event since the financial crisis 2007/08 and the later recovery phase. This ongoing normality led to the belief that the probability a potential future crisis is very low. As a result, governments and companies prepared too little for future risks such as pandemics. Even though the World Economic Forum (WEF) lists it as top global risks in the WEF Global Risk Report. In normal times, people, governments, and companies invest little in risk management. Considerations about emergency plans and crisis management are hardly at the top of the management agenda. Even as the crisis reached Switzerland in the beginning of 2020, the probability to meet someone with an acute COVID-19 infection was very low. Normalcy bias led many Swiss citizens to believe there is no threat to them. Many would say “it won’t happen to me. That’s not a problem”. Ultimately, this bias impaired our decision-making during the pandemic. ◄ So far, we have recognized that the ERM landscape is burdened with psychological landmines. Risk assessments are susceptible to a wide range of psychological influences. The above-mentioned concepts are in the spotlight of every risk assessment. Some biases overlap in certain aspects because they address similar problems. Some cognitive biases need the inclusion of a group, whereas group situations can lead to many other biases. Reducing susceptibility to biases is a recurring task. The mitigation of biases in group work can only succeed in a suitable social environment. This means that management needs to foster a sound the risk culture (Shefrin 2016, pp. 68–69).

2.3 Group-Specific Biases At the collective level, the confirmation bias introduced in Sect. 2.1.3 is referred to as group-specific distortion. It occurs when a group aims to reach a consensus before making decisions. Group-based decisions have fundamental advantages that are particularly evident in the following points: • • • •

More information available Enriched discussion with different opinions and perspectives Improved accuracy and more creativity Higher acceptance of the decision

The relevant question is whether teams actually make better decisions than individuals do. The so-called group-specific biases must be considered. The time allowed for decision-making in groups can be so limited that the group may be in a hurry to make the wrong decisions. Risk managers have to make sure that they hear all views in risk management workshops.

40

2  Countering Biases in Risk Analysis

 Tip To integrate different views on the same risk scenario, it is necessary to adopt a critical attitude. Often the best decisions come from changing the way people think about problems and looking at them from different angles. “Six thinking hats” can help to look at problems from different perspectives. This is done one by one to avoid confusion from too many angles that overload your thinking. It is also a powerful decision-checking technique in group situations. Everybody examines the same situation from all perspectives (Manktelow 2005, pp. 86–87). Each “thinking hat” is a different way of thinking. These are explained below (de Bono 1999): • White hat: With this thinking hat, the focus is on the available data. We look at the information we have, analyse past trends, and see what we can learn. We look for gaps in our knowledge and try to close or take them into account. • Red hat: “Wearing” red hat, we look at problems with our intuition, gut reaction, and emotion. Also, we think about how others might react emotionally. We try to understand the answers from people who do not fully understand our reasoning. • Black hat: We use black hat thinking and consider the potentially negative results of a decision. We look at it carefully and defensively. We try to understand why it might not work. This is important because it shows the weaknesses in a plan. It allows us to eliminate them, change them, or create contingency plans to address them. Black hat thinking helps make our plans “harder” and more resilient. It can also help us to identify fatal errors and risks before we begin a course of action. This is one of the true benefits of this model. Many successful people get so used to thinking positively that they often cannot recognize problems in advance. As a result, they are not well prepared for difficulties. • Yellow hat: This hat helps us to think positively. It is an optimistic view that helps u to see all the benefits of the decision and the value in it. The yellow hat thinking helps us to go on when everything looks gloomy and difficult. • Green hat: The green hat stands for creativity. This is where we develop creative solutions to a problem. It is a freewheeling way of thinking with little criticism of ideas (we can try out a number of creative tools that will help us). • Blue hat: This hat represents process control. It is the hat worn, for example, by people who lead meetings. If they have difficulties because ideas dry up, they can direct the activity into green hat thinking. When emergency plans are needed, they will prompt the black hat to think.

2.3  Group-Specific Biases

41

One variant of this technique is to look at problems from the perspective of different professionals (e.g., doctors, architects, or sales managers) or different customers. Applied in this form, the six thinking hats concept can help to reduce or even prevent biases in many of the group situations described below.

2.3.1 Authority Bias This cognitive bias describes the tendency of people to overrate the opinion of a person of authority. They are also more easily influenced or persuaded by persons of authority. There are many examples of how this cognitive bias is used to influence consumer behaviour. These can be stock market tips from self-proclaimed financial experts or advertisements for toothbrushes that promote a unique cleaning result. This effect occurs also when people look like persons of authority. Conformity and compliance are embedded in a person’s psyche. Thus, it becomes a standard habit to accept any kind of commands coming from such a person. Unfortunately, we usually stop questioning these authorities. We often read articles that claim long-term health benefits associated with coffee, wine, or dark chocolate. Also, it seems that these results are based on extensive research. It may be worth to dig a little deeper and we may experience the following (Kamal 2018): • • • • •

This research could always be funded by these companies. The research could be done at an obscure university. The sample size can be much too small. All participants belong to a specific ethnic group. And many more.

Various debiasing strategies are available to reduce this distortion. It is helpful to build mutual trust. Employees are often more open if they are not monitored. If we strengthen corporate culture this way, employees will report risks and opportunities more transparently. Research has also shown that increasing psychological distance can help reduce bias. It might be not a good idea to discuss important decisions always in the same office. Researchers have found that telephone conversations and changes in premises reduce this bias (Milgram 1965). Risk managers can use suitable examples to draw the employees’ attention to that bias. Before the global financial crisis of 2007/2008, which was preceded by a phase of high growth, only a few voices were critical. Hardly any financial expert dared to comment on the critical developments. Yet, economic up and down cycles have always been part of economic action.

42

2  Countering Biases in Risk Analysis

2.3.2 Conformity Bias Humans are social beings. Ideas about risks that conflict with the group are not always welcome. Even if some risks are very important, people tend to contribute to stability and cooperation. Let us assume a decision-maker encounters both affirmative and conflicting evidence. His or her tendency is to overweight affirmative and to underweight conflicting evidence. Receiving affirmative evidence leads to confidence that we have appropriate evidence. The more affirmative evidence we gather, the more confident we become. Kelman (1958) distinguished between three different types of conformity (p. 53): • Compliance: This occurs when people exerts influence because they hope to achieve a positive response from another person or group. They assume induced behaviour because they expect to receive specific rewards or approvals. They also believe to avoid specific punishment or rejection by conformity. • Internalization: This occurs when an individual assumes influence because the content of the induced behaviour—the ideas and actions it consists of—is inherently rewarding. It adopts the induced behaviour because it is congruent with its value system. • Identification: This occurs when an individual assumes influence because he or she wants to establish or maintain a satisfying, self-defining relationship with another person or group. Example

A good example of the conformity bias is the experiment conducted by Asch (1956). He shows how group coercion can influence a person to such an extent that they judge an obviously false statement to be correct. Asch’s attempt was to ask for the length of several presented lines. The test persons were given a small card with a line printed on top and a selection of three more lines underneath. One of the three lower strokes was as long as the upper one, one longer, one shorter. The test subjects only had to name the line matching the upper line. Faced with this simple task alone, each subject gave the right answer. But then Asch brought the participants together in groups. Each group consisted of a test person and seven helpers, who Asch had instructed without the knowledge of the test persons. The helpers now began unanimously to give wrong answers. They called short strokes long, long strokes short. And the unsuspecting test subjects? They followed. The same test persons who had previously been able to correctly identify the lines in front of their eyes changed their minds. They now explained that strokes that ended after a few finger widths were longer than those that extended almost over the entire page. Not even one in four subjects managed to resist the nonsense of the helpers.

2.3  Group-Specific Biases

43

Asch (1956) explained the denial of reality with the fear of a dissenting opinion. In interviews, the test subjects said that they had doubted their own perception in the face of the helpers’ so convincingly delivered judgments. Others claimed to have noticed the other’s error but did not want to spoil the mood. Some test persons even confessed that they were basically convinced that something was wrong with them. ◄ Avoiding group risk workshops and conducting one-on-one interviews instead eliminates conformity. To counter conformity bias in workshops, risk managers can first collect anonymous feedback on each risk scenario. Additionally, risk managers can invite new experts into the group on a regular basis. Fresh people in risk management workshops do not yet feel the same pressure to adapt as other members. Also, outsiders will be unlikely to share the group’s acquired prejudices. Conflicts can even so arise in such a setting. Due to their outsider role, yet, they do not endanger cooperation within the team. Thus, no workshop participant has to stand against his own team. Also, no one needs to expect consequences that could endanger further cooperation with the risk manager (Clayton 2011, pp. 148–149). If people anonymously contribute to risk assessments, they feel much more comfortable. By doing so, risk managers thus elicit honest feedback from their participants. One way to support this is to use anonymous mailboxes as well as contact persons who are not considered direct superiors. Management must also set the right tone that this feedback is given high priority (Clayton 2011, p. 148). Last but not least, eliciting a second risk assessment besides the first consensus on risk can further reduce conformity bias.

2.3.3 Groupthink Groupthink is a certain way of thinking of people in a group (team, meeting, workshop, conference, and committee). In group thinking, the group tends to avoid conflicts or tries to minimise them and aims at reaching consensus. Yet, this consensus is usually not but based on adequate critical evaluation and analysis. Individual perspectives and individual creativity are lost, lateral thinking is often undesirable. It is not the case that the group members feel compelled—they rather feel very bound to the group and avoid getting into a conflict situation. People perceive the harmony of the group as more important than the development of realistic risk scenarios. This can indeed lead to people making unfavourable decisions (Kaba et al. 2016, pp. 403–404). There are several factors that can make groups susceptible to group thinking. First, a group might have a leader who advises members not to disagree. At the same time, the leader makes clear what he or she wants to do and hear. People are selfish. Many will seek opportunities in their own interests. They support the leader in a way that is consistent with their own goals. The leader might want to hear “yes”, not “yes, but” and certainly not “no”. It also encourages group thinking when the group is made up of

44

2  Countering Biases in Risk Analysis

members with similar backgrounds. As a result, confirmation and availability biases limit a relevant risk discussion (Shefrin 2016, p. 65). Groupthink has a special significance when it comes to risk decisions. It leads to “polarization”, i.e. the group dynamics strengthen the risk attitudes of the group members. Group polarization may occur when assessing risk scenarios in risk workshops. Groups tend to make extreme judgments during such workshops. This is particularly the case if the persons involved hold similar opinions before the meeting starts (Moscovici and Zavalloni 1969, pp. 125–135). Let us assume each participant of a risk workshop classifies a risk as a “high risk. The group discussion of that “high risk” can lead to an even higher assessment of the risk. Thus, there is the danger of under- and overestimation of risks through group discussions (Lermer et al. 2014, pp. 3–4). Example

One of the main causes of the Challenger Space Shuttle disaster in January 1986 is rooted in group thinking, i.e. the illusion of unanimity. The latter means that the group decision corresponds to the majority view. A precondition for such a bias is that the majority of opinions and individual judgements are unanimous. This group thinking bias results from the confirmation heuristic. We can explain this by the following three characteristics. Overestimation of the group, narrow-mindedness, and pressure to conform. These characteristics can distort the group’s decision in the wrong direction. The manufacturer of the O-ring (part of the Space Shuttle) has identified the risk of the O-ring malfunctioning in extreme cold. Yet, it agreed to launch the Challenger Space Shuttle because if the group thinking effect. Factors contributing to this irrational behaviour include direct pressure on dissidents (group members are under social pressure not to contradict the group consensus), self-censorship (doubts and deviations from the perceived group consensus are not accepted), and the illusion of unanimity. In the case of the Challenger Space Shuttle disaster, the group as a whole did not consider the manufacturer’s opinion. It was clear that the O-ring could not function in a very cold environment. Yet, the group did not conduct a full analysis of this opinion. This led to the critical disaster (Murata 2017, p. 400). ◄ Polarization occurs because group members reinforce each other’s judgements and suggestions. For example, one group member may propose a risky strategy. Other group members confirm why this would be a good idea. This can lead to increased risk appetite because group members feel comfortable with more risk-taking. In this case, the group accepts more risk than the individual would (Stangor 2014). Also, group members often only disclose information if it is supportive of the group thinking. This then leads to the confirmation of others in the group. Information that runs counter to this direction is withheld. The same applies to information that makes the discloser appear in a less favourable light (Shefrin 2016, p. 65).

2.3  Group-Specific Biases

45

To reduce the group thinking bias, risk managers should look for different personalities in a risk workshop. They need to establish a climate where group members know why it is important to question risks. It is also important that all group members follow certain rules to ensure a fair exchange of ideas and assessments. To achieve this, groups should be kept small (5–8 participants). It is also advisable to let the group members speak first, not a person of authority. This also includes reducing power imbalances, i.e. working with flat hierarchies in these teams. In this respect, it is advisable to provide channels for anonymous feedback. In doing so, individuals who recognise the overconfidence can express their opinion anonymously. Otherwise, participants may fear to be denounced as moaners and whingers. Another effective measure is to invite decision-makers to risk management workshops from other departments (Shefrin 2016, pp. 64–65). We recommend starting with the downside risk discussion first. In reverse order, opportunities may overshadow the downside risks. Thus, groups may discuss these risks too superficially. A devil’s advocate is helpful to challenge these opportunities. Besides the negative effects mentioned, it is clear that team decisions reflect the creativity of a large number of people. Such decisions are usually highly accepted (Shefrin 2016, p. 65).

2.3.4 Hidden Profile If risk managers facilitate risk workshops, group-specific biases may distort the ERM process. Groups rarely manage to exchange all available and relevant information on risks. This particularly affects information known only to individuals (Lermer et al. 2014, p. 2). This phenomenon is discussed under the term hidden profile and is based on the investigations of Stasser and Titus (1985). The two researchers formed groups of four students. They provided all individuals with convergent and divergent information. The students were to arrive at a correct result in groups of four with the help of the information received. Yet, this was only possible if all students shared all the information they received with the group. Though, most groups could not solve the hidden profile. Convergent information was exchanged and discussed. But divergent information often remained unmentioned (pp. 1467–1478). Researchers have been able to reproduce this bias in various other studies. Moskaliuk (2013) describes various strategies to counter this bias. Four of them are listed below: • Being aware of this bias as a risk manager. This creates the basic prerequisites for specifically avoiding the phenomenon of hidden profiles. • Avoid hierarchies. Especially people with low status tend to withhold their expertise. Thus, people with high status should first hold back with their own assessments. This gives all participants the opportunity to share their views with the group.

46

2  Countering Biases in Risk Analysis

• Search and collect first, then check information. This prevents information that might be significant from being devalued directly. • Making the expertise of those involved transparent. This makes it clear that different opinions can be expected on the basis of their specialist knowledge. Besides, the individual participants can be asked directly about their expert assessments. We can apply the first point to all cognitive biases mentioned. As risks need to be known to be managed, ERM specialists should be aware of psychological factors to reduce them. It is important to note that discussion and group leaders in particular should become aware of psychological factors. Because of their role, they have the necessary skills and power to steer the group in a goal-oriented manner. Also, avoiding hierarchies as a principle reduces other group-specific biases (Scherrer 2018). The third point tends to be present in ERM if the individual process steps are carried out separately. If we combine risk identification and risk assessment, the impact of cognitive biases might be very high. This prevents adequate risk identification and reduces the quality of the entire process. Thus, we need to identify risks first with cognitive biases in mind. A day later, we assess these identified risks. The last point suggested by Moskaliuk (2013) is a specific measure to counter hidden profiles (Scherrer 2018).

2.3.5 Social Loafing Lermer et al. (2014) describe that groups are less creative than individuals in identifying risks. Thus, risk identification in groups is not helpful (p. 1). A possible explanation for diminishing creativity is the Ringelmann effect or social loafing. Ringelmann discovered that the average pulling force of a person during tug-of-war decreases with the number of people involved in the pull. Yet, this effect was also proved in mental work activities (Leitl 2007). This is a kind of motivation deficit, which occurs above all when the performance of individuals is not apparent. It is important to remember that social loafing does not always happen. For example, Karau and Williams (1997) found that social loafing did not occur for a cohesive group. Their research also shows that people make greater efforts when they work with underperforming workers. According to Dobelli (2018), individual benefits should be made visible to reduce social loafing (p. 139). This can be done using various methods. Results of a study conducted by Lermer et al. (2014) suggest that risk managers better dispense brainstorming. Instead, they should apply the brainwriting technique. Possible risks are noted in writing by individual experts. To avoid the negative group effect as far as possible, they recommend avoiding a group context. Experts involved in brainwriting do not present their results to a group. They also recommend using a network of individual experts for risk identification purposes. These results are collected centrally and, if necessary, played back to the experts (pp. 2–3).

2.3  Group-Specific Biases

47

Key Aspects to Remember Know the different biases in risk analysis It is important to note that many risks are not caused by exogenous events. Rather, people’s behaviour and choices create them. Risk managers have to deal with motivational, cognitive, and group-specific biases. In the case of cognitive biases, people are usually not aware of many thinking errors. We can only address them through an in-depth analysis. This needs the corresponding skills of risk managers and decision-makers. Understand the importance of biases for risk analysis Biases are an important risk analysis topic. People make systematic errors in risk identification and risk assessments. Knowledge of biases and the measures taken to reduce them can help companies to carry out a more objective risk analysis. Most importantly, errors in risk identification due to biases can affect the whole ERM process. Recognise the need to mitigate biases throughout the risk process The mitigation of biases is an important issue. This can take place at various points in the assessment and decision-making process. One of the most important measures is to make risk owners aware of these biases. Risk managers can provide concrete examples of to risk owners and management. Also, the involvement of several perspectives or experts is often recommended. Finally, it can help to impart basic statistical knowledge to employees. Be familiar with the limitations of biases mitigation Risk managers cannot eliminate all biases. People are confronted with possible thinking traps on a daily basis. They cannot always be resolved without contradiction. Some biases can be revealed through group discussion, but at the same time, new biases are created by the group itself. Thus, risk managers should conduct a cost–benefit analysis with regard to countering biases. Have some easy to understand examples for your employees ready Theoretical knowledge about biases is the basis for recognizing them in practical situations. Companies are well-advised to disclose identified or committed errors of thought to a broad circle of decision-makers. This is one important way to improve decision quality. It helps if the risk manager can show some biases using concrete examples. Risk managers need to show how such biases influence risk decisions. They can do so by collecting and documenting past decisions processes. Critical Thinking Questions 1. How do motivational biases differ from cognitive biases? 2. What general measures can companies take to reduce cognitive biases?

48

2  Countering Biases in Risk Analysis

3. Under what conditions are group decisions preferable to individual decisions? 4. How can the concept of “six thinking hats” help to identify and avoid group-specific biases? 5. What role plays a positive risk culture in reducing cognitive biases?

References Al-Shammari, M., & Masri, H. (2016). Ethical and Social Perspectives on Global Business Interaction in Emerging Markets. Hershey, Pennsylvania: IGI Global. Asch, S. E. (1956). Studies of independence and conformity: I. A minority of one against a unanimous majority. Psychological Monographs, 70 (9), 1–70. Baer, T., Heiligtag, S., & Samandari, H. (2017). The business logic in debiasing. https://www.mckinsey.com/business-functions/risk/our-insights/the-business-logic-in-debiasing. Accessed 17 December 2018. Barnes, J. H. (1984). Cognitive Biases and Their Impact on Strategic Planning. Strategic Management Journal, 5 (2), 129–137. Baron, J., Hershey, J. C. (1988). Outcome Bias in Decision Evaluation. Journal of Personality and Social Psychology, 54 (2). 569–579. Baron, J., Gowda, R., & Kunreuther, H. (1993). Attitudes toward managing hazardous waste: What should be cleaned up and who should pay for it? Risk Analysis, 13, 183–192. https://doi. org/https://doi.org/10.1111/j.1539-6924.1993.tb01068.x. Berger, L., Bleichrodt, H., & Eeckhoudt, L. (2013). Treatment decisions under ambiguity. Journal of Health Economics, 32, 559–569. Bodemer, N., Ruggeri, A., & Galesic, M. (2013). When Dread Risks Are More Dreadful than Continuous Risks: Comparing Cumulative Population Losses over Time. PLS ONE, 8 (6), 1–6. Cassotti, M., Habib, M., Poirel, N., Aïte, A., Houdé, O., & Moutier, S. (2012). Positive emotional context eliminates the framing effect in decision-making. Emotion, 12 (5), 926–931. Celati, L. (2004). The Dark Side of Risk Management: How People Frame Decisions in Financial Markets. London: Prentice Hall. Cherry, K. (2018a). Understanding the Optimism Bias. AKA the Illusion of Invulnerability. https:// www.verywellmind.com/what-is-the-optimism-bias-2795031. Accessed 11 December 2018. Cherry, K. (2018b). How the Status Quo Bias Affects Your Decisions. https://www.verywellmind. com/status-quo-bias-psychological-definition-4065385. Accessed 11 December 2018. Clayton, M. (2011). Risk Happen: Managing risk and avoiding failure in buisness projects. London: Marshall Cavendish International. de Bono, E. (1999). Six thinking hats. Boston: Back Bay Book. Dobelli, R. (2018). Die Kunst des klaren Denkens. 52 Denkfehler, die Sie besser anderen überlassen. München: Deutscher Taschenbuch-Verlag. Easley, D., & O’Hara, M. (2009). Ambiguity and nonparticipation: the role of regulation. The Review of Financial Studies, 22(5), 1817–1843. Edwards, W. (1982). Conservatism in Human Information Processing (excerpted). In D. Kahneman, P. Slovic & A. Tversky (Eds.), Judgment under uncertainty: Heuristics and biases. Cambridge: Cambridge University Press. Ellsberg, D. (1961). Risk, ambiguity, and the savage axioms. The Quarterly Journal of Economics, 75 (4), 643–669.

References

49

Emmons, D. L., Mazzuchi, T. A., Sarkani, S., & Larsen, C. E. (2018). Mitigating cognitive biases in risk identification: Practitioner checklist for the aerospace sector. Defense Acquisition Research Journal, 25 (1), 52–93. Finucane, M. L., Alhakami, A., Slovic, P., & Johnson, S. M. (2000). The affect heuristic in judgments of risks and benefits. Journal of Behavioral Decision Making, 13 (1), 1–17. Fischhoff, B., Slovic, P., & Lichtenstein, S. (1978). Fault trees: Sensitivity of estimated failure probabilities to problem representation. Journal of Experimental Psychology: Human Perception and Performance, 4, 330–344. Friedman, H. H. (2017). Cognitive Biases that Interfere with Critical Thinking and Scientific Reasoning: A Course Module. SSRN Electronic Journal. http://dx.doi.org/https://doi. org/10.2139/ssrn.2958800. Gigerenzer, G. (2004). Dread risk, September 11, and fatal traffic accidents. Psychol. Sci. 15, 286–287 Gigerenzer. G., Mata, J., & Frank, R. (2009). Public knowledge of benefits of breast and prostate cancer screening in Europe. J Nat Cancer Inst, 101, 1216–1220. Gino, F., Moore, D. A., Bazerman, M. H. (2009). No harm, no foul: The outcome bias in ethical judgements. https://www.hbs.edu/faculty/Publication%20Files/08-080_1751f2c7-abe2-402b9959-1d8190ebf62a.pdf. Accessed 13 October 2020. Gleißner, W. (2017). Grundlagen des Risikomanagements. Mit fundierten Informationen zu besseren Entscheidungen (3rd Ed.). München: Verlag Franz Vahlen. Grinnell, R. M., & Unrau, Y. A. (2018). Social Work Research and Evaluation. Foundations of Evidence-Based Practice (11th Ed.). New York: Oxford University Press. Hossain, T., & Li, K. K. (2013). Crowding Out in the Labor Market: A Prosocial Setting Is Necessary. Management Science, 60 (5), 1148–1160. http://dx.doi.org/https://doi.org/10.1287/ mnsc.2013.1807. Hubbard, D. W. (2009). The failure of risk management. Why it’s broken and how to fix it. Hoboken, NJ: John Wiley & Sons Inc. Kaba, A., Wishart, I., Fraser, K., Coderre, S., & McLaughlin, K. (2016). Are we at risk of groupthink in our approach to teamwork interventions in health care? Medical Education, 50 (4), 400–408. Kahneman, D. (2007). Short Course in Thinking About Thinking. https://www.edge.org/3rd_culture/kahneman07/kahneman07_index.html. Kahneman, D. (2012). Schnelles Denken, langsames Denken (3rd Ed.). München: Siedler Verlag. Kahneman, D., & Frederick, S. (2002). Representativeness revisited: Attribute substitution in intuitive judgement. In T. Gilovich, D. Griffin & D. Kahneman (Eds.), Heuristics and biases: The psychology of intuitive judgment (pp. 49–81). Cambridge: Cambridge University Press. Kamal, P. (2018). How To Spot These Cognitive Biases To Make You Smarter. And Strategies To Make It Work For You. https://medium.com/@piyush2911/how-to-spot-these-cognitive-biasesto-make-you-smarter-4649a82b5a6c. Accessed 22 November 2018. Karau, S. J., & Williams, K. D. (1997). The effects of group cohesiveness on social loafing and social compensation. Group Dynamics: Theory, Research, and Practice, 1, 156–168. Kelman, H. C. (1958). Compliance, identification, and internalization: three processes of attitude change. Journal of Conflict Resolution, 2, 51–60. Kent Baker, H., & Puttonen, V. (2017). Investment Traps Exposed: Navigating Investor Mistakes and Behavioral Biases. Bingley, UK: Emerald Publishing. Kozyrkov, C. (2020). The problem with analyzing policy decisions in hindsight. https://medium. com/swlh/the-problem-with-analyzing-policy-decisions-in-hindsight-5f5632c6bc0b. Accessed 13 October 2020.

50

2  Countering Biases in Risk Analysis

Leitl, M. (2007). Social Loafing? Harvard Business Manager. https://www.harvardbusinessmanager.de/heft/artikel/a-622728.html. Accessed 20 November 2018. Lermer, E., Streicher, B., & Sachs, R. (2014). Psychologische Einflüsse II: Risikoeinschätzung in Gruppen. https://www.munichre.com/site/corpo-rate/get/documents_E399088179/mr/assetpool.shared/Documents/0_Corporate_Webs-ite/1_The_Group/Focus/Emerging-Risks/2013-09emerging-risk-discussion-paper-de.pdf. Accessed 20 November 2018. Manktelow, J. (2005). Mind Tools. Essential skills for an excellent career (4th Ed.). Swindon, UK: Mind Tools Ltd. McCann, D. (2014). 10 cognitive biases that can trip up finance. CFO.com. https://ww2.cfo.com/ forecasting/2014/05/10-cognitive-biases-can-trip-finance. Accessed 20 November 2018. Memon, A. A., Vrij, A., & Bull, R. (2003). Psychology and Law: Truthfulness, Accuracy and Credibility (2nd Ed.). Chichester: Wiley. Milgram, S. (1965). Some Conditions of Obedience and Disobedience to Authority. Human Relations, 18 (1), 57–76. Montibeller, G., & von Winterfeldt, D. (2015). Cognitive and motivational biases in decision and risk analysis. Risk Analysis, 35 (7), 1230–1251. Moscovici, S., & Zavalloni, M. (1969). The group as a polarizer of attitudes. Journal of Personality and Social Psychology, 12 (2), 125–135. Moskaliuk, J. (2013). Warum Gruppen falsch entscheiden. https://www.wissensdialoge.de/hidden_ profile. Accessed 20 November 2018. Murata, A. (2017). Cultural Difference and Cognitive Biases as a Trigger of Critical Crashes or Disasters – Evidence from Case Studies of Human Factors Analysis. Journal of Behavioral and Brain Science, 7, 399–415. https://doi.org/https://doi.org/10.4236/jbbs.2017.79029. Murata, A., Yoshimura, H. (2015). Statistics of a variety of cognitive biases in decision making in crucial accident analyses. Procedia Manufacturing 3, 3898 – 3905. Redman, T. C. (2017). Root Out Bias from Your Decision-Making Process. Harvard Business Review. https://hbr.org/2017/03/root-out-bias-from-your-decision-making-process. Accessed 11 December 2018. Rees, M. (2015). Business Risk and Simulation Modelling in Practice: Using Excel, VBA and @ RISK. Chichester: John Wiley & Sons. Scherrer, M. (2018). Menschlicher Faktor im Risikomanagement. Bachelor Thesis, Lucerne University of Applied Sciences and Arts. Sharot, T. (2011). The optimism bias. Current Biology, 21 (23), R941–R945. Shefrin, H. (2016). Behavioral Risk Management. Managing the Psychology That Drives Decisions and Influences Operational Risk. New York: Palgrave Macmillan. Singh, R., Ryvola R. (2018). Cognitive Biases in Climate Risk Management. https://reliefweb. int/sites/reliefweb.int/files/resources/RCRCCC%2Bcognitive%2Bbiases_5%2Bshortcuts.ppd. Accessed 18 January 2019. Slovic, P. (1987). Perception of risk. Science, 236, 280–285. Smith, E. D., & Bahill, A. T. (2009). Attribute Substitution in Systems Engineering. Systems Engineering (January 2009), 1–19. Stangor, C. (2014). Principles of Social Psychology – 1st International Edition. https://opentextbc. ca/socialpsychology/. Accessed 29 January 2019. Stasser, G., & Titus, W. (1985). Pooling of unshared information in group decision making: Biased information sampling during discussion. Journal of Personality and Social Psychology, 48 (6), 1467–1478. Sun, Y., & Wang, H. (2010). Gambler’s fallacy, hot hand belief, and the time of patterns. Judgment and Decision Making, 5 (2), 124–132.

References

51

Tentori, K., Crupi, V., & Russo, S. (2013). On the determinants of the conjunction fallacy: probability versus inductive confirmation. Journal of Experimental Psychology, 142 (1), 235–255. Tetlock, P. E., & Gardner, D. (2015). Superforecasting: The Art and Science of Prediction. New York: Crown Publishers. The Decision Lab (n. d.). Affect Heuristic. https://thedecisionlab.com/bias/affect-heuristic/. Accessed 11 December 2018. Tversky, A., & Kahneman, D. (1973). Availability: A heuristic for judging frequency and probability. Cognitive Psychology, 5 (2), 207–232. Wolf, R. F. (2012). How to Minimize Your Biases When Making Decisions. https://hbr. org/2012/09/how-to-minimize-your-biases-when. Accessed 21 November 2018.

3

Creating Value Through ERM Process

Abstract

This chapter takes you step-by-step through the ERM process. It presents practical challenges using concrete examples. Robust risk scenarios form the basis to challenge management intuition. They offer more rational information on risky decisions. Risk identification and risk assessment are important ERM steps. Yet, risk managers add value with risk-relevant information in decision-making processes. Also, meaningful risk reporting can support decision-making. We complete the chapter with some tips on continuous ERM improvement.

Learning Objectives When you have finished studying this chapter, you should be able to: • • • • • •

differentiate between intuition and rationality know how the ERM process works explain how ERM can add value to the company assess risks and develop quantified key risk scenarios on your own understand the importance of integrating risk information into decision-making assess the maturity level of an ERM programme

© Springer Fachmedien Wiesbaden GmbH, part of Springer Nature 2021 S. Hunziker, Enterprise Risk Management, https://doi.org/10.1007/978-3-658-33523-6_3

53

54

3  Creating Value Through ERM Process

3.1 Balance Rationality with Intuition In practice, decision-makers base their business decisions on both intuitive and rational input. Usually, this happens with different weights between them. Risk managers need to design ERM to reduce the intuition and increase the rational input into decision-making. It is clear that intuitive and qualitative approaches do not improve rational decision-making. Yet, risk management itself is prone to many well-known motivational and cognitive biases (Chap. 2). It relies often on informal, intuitive assessments. Such unstructured risk assessments comprise high portions of gut feel and professional experience. They suffer from transparent, objective decision criteria. Too, intuitive assessments often lack the consideration of diverse opinions within the company. These opinions could increase reliable risk assessments. Intuitive approaches in risk management and decision-making may be efficient under certain circumstances. Sometimes, well-experienced decisionmakers face frequent, insignificant, or urgent decisions. Indeed, intuitive decisions may be the best choice then (Rees 2015, p. 7). We have to pay attention to the use of the term “rational”. It may be misleading in the context of ERM. “Rational ERM” focuses on “accuracy of beliefs”. It embraces the best available information. Intuition leads to affective judgements. These judgements rely on non-conscious and rapid recognition of associations and patterns (Dane and Pratt 2007). In this context, a person or a group who has inaccurate beliefs does not act rationally. For example, a manager may believe the impact and probability of a specific risk is very low. This belief is rational if it considers all relevant information at hand. Also, it follows a linear, step-by-step, and analytical process that can explained ex post (Simon 1987). Thus, even best-practice rational ERM is prone to subjective and intuitive risk assessments. Yet, rational ERM aims at reducing subjectivity and intuition as far as possible. In this textbook, we define rational risk management as the approach to • decrease the impact of cognitive and motivational biases on risk assessments as much as possible • collect as much as possible relevant information (Dean and Sharfman 1996) • rely on structured, step-by-step risk analysis methods (e.g. scenario analysis) • assess and aggregate key risks • assess the effect of key risks on key metrics to identify interdependencies between risks • combine intuitive input (management judgement) with objective, data-based input where appropriate • increase transparency of decision criteria (make decisions reproducible) • apply rules which are known to analytically work (e.g. cause-effect analysis) • accept decisions that mainly base on intuition where appropriate. Cleary, in practice, intuition in decision-making processes overrides rational ERM many times. Let us assume that the results of a “rational risk analysis” contradicts the gut instinct of management or board. Yet, decisions are made anyway. They can argue

3.2  Embrace Uncertainty Governance …

55

that the risk analysis was wrong (e.g. too less data) or omitted relevant uncertainties. Decision-makers may think of other reasons to do without rational risk input. Creating “rationality” is time-consuming, costly, and may be considered too complex. Besides, our brain is not wired to conduct rational risk assessments. It prefers fast and intuitive decisions. Sometimes, intuition and rationality can create paradoxical tension. This is because the two approaches are different and inconsistent. Thus, their conjoint application may result in frustration. We can solve this tension in a suboptimal way. For example, a “rational” manager may disregard intuition because of its biases. He or she focuses only on rational and analytical procedures (Calabretta et al. 2016, p. 4). Management judgement cannot be fully replaced by the “best” rational decision-making tools. Complex and rare risk events cannot get fully captured by any formal risk analysis. They still need a considerable amount of intuition and judgement by the decision-maker. After all, rational risk analysis is designed to reduce well-known biases in risk analysis activities. It also supports an adequate balance between intuitive and rational decision-making. So, formal risk analysis can support decisions by developing reasonable quantitative risk scenarios. These must cover the full range of potential future outcomes. These outcomes allow us to challenge strategic management assumptions and to increase decision quality. Higher decision quality in turn can enhance performance (e.g. higher company value). It enables us to choose promising projects and investments. Also, it allows selecting more efficient risk measures (Rees 2015, p. 19).

3.2 Embrace Uncertainty Governance as Part of ERM Too often, we understand risk management as a regulatory approach with the goal to protect corporate value. Yet, this approach does not go far enough from a modern corporate governance perspective. Good corporate governance not only focuses on asset protection but also on increasing corporate value (Filatotchev et al. 2006). This need is in line with the modern ERM approach which is geared to increase corporate value. In traditional risk management, the focus is on securing processes and systems. The support of valuecreating decision-making rests with the management. In this traditional sense, risk management is not a very creative management tool. It is hardly concerned with the future development of the company. It essentially deals with the efficiency of established processes and projects. Also, it is positioned to comply with laws and regulations. Besides, traditional risk management tackles “well-known” risks with a sufficient data basis. Or, the company has enough experience to assess these risks with probabilities and impacts. This is often the case with financial risks. It is now clear that traditional risk management fails to support rare and complex decisions. For example, new projects are often excluded from traditional risk management. This is also the case for major product investments and acquisitions. The reason is that companies have methodological issues with this type of complexity. Complexity stands for high uncertainty about the probability of occurrence and impact. If these

56

3  Creating Value Through ERM Process

decisions turn out to be successful, they add company value. Value creation is the claim of modern ERM. How can we close this gap between traditional, value-preserving, and modern, value-enhancing ERM? One answer is that companies have to promote good uncertainty governance (see Casas i Klett 2008, pp. 26–30). What does that mean? We can make a basic distinction between the terms uncertainty and risk. In traditional risk management, we assume that risk and probabilities are measurable. This means that decision-makers have a priori knowledge of the distribution of probabilities, e.g. based on historical data. Thus, we qualify uncertainty as not measurable and subjective. It is not suitable as a rational decision criterion. Uncertainty governance is based on the theory of behavioural economics. The two famous authors and researchers Kahneman and Tversky introduced and developed it. It stipulates that subjective assessments in decision-making situations can be a misleading guide. As a result, decisions under uncertainty may become even more uncertain due to the human factor. This contradicts the main rule that risk management reduces the uncertainty of decisions. Does this mean that we should not make value-adding decisions from a risk management perspective? The following arguments argue in favour of this: • • • •

Lack of data to assess probabilities No previous experience with comparable decisions Human assessments are subject to different cognitive and motivational biases Outcomes are highly uncertain.

Certainly not. We need such decisions to create corporate value. Companies can't reject all possible value-creating projects and investments due to uncertainty. Missing a priori knowledge of probabilities of success does not mean that risk assessment is not possible. Such carefully prepared decisions can lead to high growth and added value. Thus, they are necessary. Can we reconcile this problem with the modern ERM approach? Are highly uncertain decisions with low probabilities of success compatible with risk management? The answer is yes. ERM can support the conscious handling of uncertainty, there is no contradiction. Modern ERM implies appropriate uncertainty governance. In principle, risk management can also be valuable in such complex decisions involving a high degree of uncertainty. Uncertainty governance also means that larger losses are accepted if the decision quality was high at the time the decision was taken. Modern ERM can make the following important contributions to enhancing the quality of decisions: • It is important to recognise and disclose that such decisions are risky. In the case of success, the company can make significant progress (to be defined depending on the company context). In the event of a loss, yet (e.g. product launch fails), the entire investment can become worthless. • With the methods of modern ERM, various plausible (e.g. very pessimistic) scenarios can be developed despite high uncertainty and lack of data. These scenarios show that the degree of uncertainty is high. One specific probability of occurrence cannot be

3.2  Embrace Uncertainty Governance …

57

assigned. A better way to deal with this is by using probability ranges. These ranges express the degree of uncertainty in numbers and increase transparency. • Modern ERM seeks to increase rationality by using measures to reduce cognitive and motivational biases (see Chap. 2). • Modern EMR focuses on the human being. Leadership qualities and human judgement are regarded as valuable sources of risk assessment and scenario development. Unlike Casas i Klett (2008), we do not consider risk management and uncertainty governance as two different corporate governance concepts. These concepts remain only different if we define risk management in its traditional sense. In this case, it is a regulatory monitoring instrument to protect company value and to ensure process and system efficiency. Yet, the boundaries dissolve when we talk about ERM. This approach combines the best available data and information for risk assessments. In some cases, large amounts of financial data allow simple probability calculations. In other cases, risk management enhances the decision quality of risky investments and projects. We can do this by using expert opinions to develop unbiased and plausible risk scenarios. Figure 3.1 summarises our understanding of risk management and uncertainty governance.

Modern ERM-Approach Traditional risk management

Uncertainty governance

Risk

Uncertainty

Data-driven, regulatory-driven

Protecting firm value

Corporate Governance

Securing and monitoring processes, systems

Subjective judgment of executives People-driven, creativitiy-driven

Increasing firm value

Fig. 3.1  Uncertainty governance as a part of ERM (adapted from Casas i Klett (2008))

58

3  Creating Value Through ERM Process

The figure draws on the basic considerations of Casas i Klett (2008), but has been adapted for the purpose of this textbook. We don’t understand uncertainty governance as an independent main concept, but as an integral part of modern ERM.

3.3 Collect Risk Scenarios Key risk identification is the very first and critical step in the ERM process. This is a continuous, enterprise-wide, and integrated process. Risk managers identify risks by source, for a certain timeframe, and for each of the different risk categories. The result of that step is a risk identification of all key risks. It is important that a risk manager is aware of the critical practical challenges before he or she kicks off the process.

3.3.1 Identify Sources, Events and Impacts of All Risks In risk assessments (personal interviews, risk workshops, or requests to fill in a template), many people tend to think about the (financial) consequences of risks first: What happens if a risk occurs? What impact does it have on my area of financial responsibility? What is the potential impact on liquidity due to excessive inventories? How are earnings affected due to bad debt losses? What costs are incurred with the development of new services? Obviously, every risk, independent of its source, has financial consequences. This is why it is often incorrectly categorised as a “financial risk”. People with a strong financial mindset like financial analysts and CFO’s are prone to that way of thinking about risks. Yet, from an ERM perspective, the identification of risk sources is far more relevant. Risk sources serve as the basis for the development of preventive risk measures. What may be the causes of a risk to occur? Where do we need to put in place preventive measures to reduce the financial impact? Such measures may relate to shortening storage periods, introducing debt recovery, and conducting market analyses. Thus, risk manager need to develop risk scenarios in the form of plausible stories. Risk managers need to think of so-called cause-effect chains. The cause at the beginning of such a risk scenario is often the starting point for defining effective risk mitigation strategies. For example, the risk of a rating downgrade is often found in the risk registers of companies funded with public debt. Yet, we see a ratings downgrade as a risk event that is embedded in a story of different causes and impacts. In this case, poor relations to the rating agency or a poorly executed strategy may be the sources of that risk. Of course, debt ratings determined by rating agencies may have a positive or negative impact on capital costs. Thus, this downgrade also leads to a financial impact (effect). An everyday life situation illustrates another example. With the help of a simple tool, the bow-tie technique, we can visualize such cause-effect scenarios (see Fig. 3.2). We can spot the risk events in the middle of the bow-tie diagram. An overtired taxi driver collides with stones on the motorway, skids, and overturns. The incident is recorded

59

3.3  Collect Risk Scenarios

Causes

Impact

Events

Tipping

Rocks on street Collision

Low visibility

Broken headlight

Sick driver

Obstacle overlooked

Driver fatigue

Car passenger injury

Compensation €

Media coverage

Regulatory breach

Taxi damage € Reputation impact Reduced revenues € Fines €

Fig. 3.2  Bow-tie analysis: separation of causes, events and effects (adapted from Protecht 2013)

by the media, which puts the taxi company in a bad light. Also, legal requirements are violated. The taxi driver did not have a sufficiently long recovery time before his drive. On the left side of the fly are possible causes listed that led to these incidents. The rockfall, the poor visibility due to rain and twilight, a broken headlight, and an overtired, sickly taxi driver are responsible for this collision. On the right part of the display, we can see the consequences of this accident. As we can easily recognise, the risk story always ends with financial losses. Thus, fines and deductibles of insurances become due. Because of the reputation damage, customers switch to a competitor, which leads to lower revenues (see similar Protecht 2013). The lessons learned from these two examples are clear. Although both risks lead to the negative financial impact, they are not financial risks. The causes of both risks lie in the operational and strategic environment. Risk managers need to categorise these risks accordingly. Otherwise, we confuse the sources and impacts of risks. Thus, we violate the consistency of the risk identification and risk categorization process.

3.3.2 Develop an Effective and Structured Risk Identification Approach In practice, many risk management systems lack a well-developed approach to risk identification. A failure of applying a structured risk identification process can lead to serious problems:

60

3  Creating Value Through ERM Process

• Risk identification is not linked to business objectives and created only for the sake of a risk inventory. • Relevant key risks with a major impact on business objectives are not identified. • Uncoordinated risk identification leads to higher costs and less credibility of the ERM programme. • Risk identification focuses too strong on operations and too less on strategy. This is the case only after management approved plans and strategies and made major decisions. • Relevant stakeholders of ERM are not involved, leading to lower acceptance of overall ERM. • Best available sources for risk information are neglected. • Risk identification is focused on internal risks. A sound environmental scanning process does not exist. ERM is a strategic management tool that has to deal with strategic risks and opportunities. We need to establish a systematic and “as complete as possible” risk identification process. Risk managers can support this by combining various tools. Also, they need to take into account external and internal perspectives. A clever risk identification filter differentiates between non-relevant and relevant risks. Non-relevant risks are excluded from later risk assessment process steps. The following paragraph is about effective risk identification. This important step creates a basis for credible, accepted ERM.

3.3.3 Identify Risks Enterprise-Wide Most companies have implemented “a kind of” enterprise risk management. Often, it is also declared as “ERM” in their annual reports. If we take a closer look, yet, risks are not always identified, assessed, and managed across the company. In some cases, business areas are completely excluded from risk analysis. Sometimes the focus is only on financial or operational risks. Sometimes only risks with internal sources are identified. There are five well-known reasons why companies fail to implement ERM enterprise-wide. These reasons are depicted in Fig. 3.3 and are described below (Segal 2011, pp. 25–27). 1. Profitable business unit: Companies are reluctant to conduct an in-depth risk analysis in very profitable business areas. These fast-growing areas may offset less profitable business units. Often, management perceives risk management as a “business barrier” because only the negative risk is addressed. This gives cause for concern that a thorough risk analysis could slow the growth and profits of the successful business unit. Thus, it may be that management implements ERM first in areas that are less critical to the company’s financial performance. 2. Excluded business unit: Often, risk management starts with a pilot project, e.g. with a first business unit. Afterwards, a step-by-step roll-out plan follows. Yet, this can

61

3.3  Collect Risk Scenarios

Board

Missing Strategic Focus

CEO

Excluded Business Unit

Division Product X

Division Product Y

Division Product Z

R&D

R&D

R&D

Marketing

Marketing

Marketing

Finance

Finance

Finance

Profitable Business Unit

Missing External Focus

Focus on Financial Risk

Fig. 3.3  Reasons not to implement ERM enterprise-wide

lead to a repeatedly delayed roll-out due to other priorities. The result is incomplete ERM implementation. In many companies, risk management is not a top priority on the management agenda. Often, scarce resources or profitable other projects are more important and urgent than ERM. 3. Missing strategic focus: The focus of risk management often lies on the operational area of the company. It is a paradox that the management of operational risks is equipped with high resources. Companies spend a lot of money on low-level, process risk management. They put in place comprehensive internal control systems. Yet, companies often lack a full integration of strategic risks into ERM. Also, ERM embraces less sophisticated methods and tools. For example, companies only use qualitative risk assessment techniques that are prone to many biases. Many studies show that strategic risks form the most important risk category for the non-financial industry (Segal 2011, p. 29). Often, companies suffer high losses due to the occurrence of strategic risks. Operational and financial risks, on average, account only for a small part of losses. We can identify three reasons why companies often fail at managing strategic risks appropriately. Companies often lack methodological knowledge of how strategic risks can be quantified. This means that the analysis is often conducted on an unstructured and qualitative level. Also, companies argue that strategic risks are too complex to be assessed and that no data is available. Besides, risk managers have only limited or no access to strategy documents. One reason for this is that risk managers are often not members of the executive board and thus not involved in strategic issues.

62

3  Creating Value Through ERM Process

4. Missing external focus: Experience shows that ERM often has a strong internal focus. This means that internal subject matter experts and risk owners identify primarily internal risk. This leads to a risk identification that captures risks internally (risk source is within the company). Many risk owners identify risks for their specific, internal area of responsibility. These risks are then aggregated and reported to management and board. A structured analysis of the environment to identify external risks often lacks. Simple tools such as PEST and 5-Forces are not used. Many significant risk sources emerge outside the company. ERM is not designed to accurately predict the future about political, economic, social, and technological developments. So it is with the corresponding risks and opportunities. Nobody owns a working crystal ball. Yet, an environmental scanning process can help to identify some potential risks and opportunities as early as possible. Risk managers can consider many sources for this. The WEF’s global risk report, surveys on emerging risks, professional journals, risk conferences, risk management associations, risk disclosures in annual reports or in SEC filings (Form 10-K), for example, can all help in this. 6. Financial risk focus: Risk management has evolved from insurance and financial risk management. We know many sophisticated quantitative risk assessment methods for more than half a century. To this day, many education and training programmes specialise in financial risk management. Many courses in the area of financial management also focus on risk management. Most often, the focus still lies on a narrow financial perspective. Today, we face the problem that many risk managers represent a finance-oriented mindset. Unfortunately, we cannot directly apply financial risk management techniques in strategic risk management. As a result, many risk management systems focus on the financial risk category. Missing knowledge and educational backgrounds of risk managers partially account for this.

3.3.4 Treat Business and Decision Problems not as True Risks It is clear that in many risk management workshops or in one-on-one interviews, risk managers not only identify true risks (see definition in Sect. 1.3). Many “risks” tend to address existing weaknesses or unfavourable conditions in the company (Rees 2015, p. 34). At the operational level, for example, we may face an inadequate and inefficient business process. A business line manager recognises a gap between reality and the expected efficiency level. This gap is often considered as a “business risk”. We can discuss a vast amount of measures on how to close this gap and to make the process more efficient again, e.g.: • • • •

Process re-design Assign accountability of the process to one single person Increase IT support of the process Focus on a few and most important key controls

3.3  Collect Risk Scenarios

63

• Reduce non-value-creating process activities (getting rid of activities that waste time and resources) • Outsource that specific process to increase efficiency. It is important for risk managers to know that the current low-efficiency level of a process per se is not a risk. It is rather a business problem. “True” risk must be in accordance with our risk definition. Risk is a deviation from plan or expectation. In this example, the risk is that the planned improvement actions do not have the desired effect on process efficiency. At a more strategic level, for example, the low growth rate of a new business area can pop up in a risk workshop. Again, we can take many potential actions to improve the growth rate to an expected or ideal level: • • • • • •

Watch the competitors Create a new marketing campaign Invest in talented people Increase social media activities Tone at the top: Communicate the importance of sales to all employees Develop new products or services.

The “true” risk here is not the weak growth rate per se. Again, rather the planned activities may not resolve the issue to a required or expected growth rate level. Of course, these business problems may be of great importance to the company. From a risk management perspective, we should exclude them from the further ERM process. The problems do already exist. These weaknesses do not represent risks that may materialise in the future. Yet, if risk managers put into place new measures to improve these business problems, new (real) risks may arise in the future. These risks represent the uncertainty attached to the effectiveness of the new measures in place. Another stumbling block of risk identification is the difference between decisions and risks. Again, in risk workshops, participants may identify risks in the form of pure decision issues. Let us consider the situation where a line manager faces an upcoming decision. She is concerned with the implementation of a new Enterprise Resource Planning (ERP)-system. She thinks that there is a risk that management rejects this IT-project for priority reasons. She assumes that the new ERP-system would improve the efficiency of many business processes. This would lead to a competitive advantage. From a risk management perspective, this is not a traditional risk. The reason is that this decision is controllable by the company. This means no unexpected or uncontrollable variability is associated with that decision. An easy test to assess if we face a decision problem or a true risk is to answer the following question. Does it make sense to assign a probability of occurrence to the “risk”? If the answer is “no” because the result is controllable by the company’s decision, then it is not a true risk. True risks have usually a variability attached to them even if management decides nothing at all. Decision problems only vary about

64

3  Creating Value Through ERM Process

the difference between the pre- and after decision state. Yet, they may be as crucial as “risks” for the success and the risk profile of a company (Rees 2015, pp. 34, 40). What can we conclude based on that distinction of risks and decision problems? Of course, we cannot ignore upcoming business decisions. In fact, we need to identify and classify them to decide what actions we may take. This could be either implementing risk measures or making a business decision. The lesson learned is not only to consider volatilities and probabilities to decide about mitigation measures. Also, it is critical to assess potential changes in the baseline values through the lens of different decision options (Rees 2015, pp. 40–41).

3.3.5 Don’t Let Reputation Risk Fool You An excellent reputation is crucial for most, if not all, companies. It enhances credibility, loyalty, attractiveness, and preference (Bunnenberg 2016). These attributes may have a positive impact on costs and revenues. For this reason, a company’s reputation is a valuable asset to manage. There is a broad consensus on the importance of reputation. Yet, we cannot find any consensus on the definition of reputation. According to Fleischer (2015), this is because the question of how reputation is created has not yet been answered. As long as there is uncertainty about what actually causes a good reputation, it cannot be defined (pp. 54–55). A reason for the lack of a broadly accepted definition lies in the decades of scholarly and academic discourse. The term found its way into many economic disciplines. This led to many different definitions. So far, it has not been possible to combine these approaches into an accepted definition across all economic disciplines (Kirstein 2009, p. 25). With this knowledge in mind, we agree in this textbook on a more recent, evaluation-oriented definition. The following definition focuses on a more evaluative approach, rather than on a perception-based one. It serves as a good basis for establishing a relationship to reputational risk. Corporate reputation may be understood as the observers’ collective judgements of a company based on the assessments of the financial, social, and environmental impacts attributed to the company over time (Barnett et al. 2006, pp. 34–36). Since the products and services of many companies hardly differ from each other, a large part of company value today is represented by intangible assets (Eccles et al. 2007). This, of course, includes also the value of a good reputation. Reputation has gained in importance and represents a central success driver of most companies. Particularly in today’s world, companies are regarded as “social organisations”. Companies have long since been viewed not only as economic and technical systems but must also create social acceptance and prestige. Today, economic success is a well-balanced mix of products and social acceptance (Buss 2007, p. 233). Globalisation and internationalisation reinforce the importance of a good reputation. These developments pose major challenges for companies. Specifically, in difficult times and during economic crises, media interest in stumbling companies is even

3.3  Collect Risk Scenarios

65

greater. Besides, the internet and social media can turn a local event into a national or even international affair. The boundaries between the inside and outside world dissolve. The pressure for transparency increases. Thus, reputation is becoming more important. Companies with a high reputation are more resilient to survive crises. Stakeholders perceive the company as less interchangeable (Hillmann 2011, p. 5). So far, we have learned that corporate reputation creates value. Companies have to protect or even expand it. Of course, everything that is valuable is also subject to the risk that this value could be harmed. At this point, we must link corporate reputation to reputational risk. It is the same as with the vast amount of definitions about reputation. No market standard has yet been established for a uniform definition of reputation risk (Deloitte 2015, p. 5). For our purposes, we define reputation risk as follows: Reputation risk is the risk of unexpected loss due to a change in the observers’ collective judgements of a company based on the assessments of the financial, social, and environmental impacts attributed to the company over time (based on the definition of corporate reputation by Barnett et al. 2006, pp. 34–36). Reputation risk is a very company-specific risk and varies depending on the product or service the company offers. Some companies are more susceptible and have to expect faster and larger losses of trust than others. For this reason, every company should assess reputation risks differently. Let us consider what the current literature learns us about what reputation risk is. We face disagreement on the definition and on the characteristics of reputation risk. As Roth (2015) points out, reputation risk is a so-called secondary risk with other, preceding risks occurring first. She identified three triggers that can cause reputation risk: • Non-compliance: Reputation risk can be triggered from non-participation in regulatory trends. For example if unlawful conduct becomes publicly known. Such primary risks can be a breach of tax law, a financial accounting scandal or disregard for environmental regulations (Sieler 2007, p. 6). • Unethical practices: Violations of ethical and moral rules also trigger reputation risk (Bunnenberg 2016). Such risks include fraud, corruption, and inhuman working conditions. • Event risks: Finally, unforeseeable events can also impact a company’s reputation. For example, preceding risks can be a hostile takeover bid, restructuring, or occupational accidents (Sieler 2007, p. 6). This understanding of reputation is found in companies that have already an ERM in place. These companies treat reputation risks as an extra dimension of impact. Other approaches to managing reputation risk are to consider it as a separate risk category. As such, reputation risk does not have to be related to other risk categories or it can even trigger subsequent risks (Chapelle 2015, p. 38; Romeike and Weissensteiner 2015, p. 20). For example, the subsequent risk of not having access to debt capital or problems in personnel recruitment can occur due to a bad reputation (Weissensteiner 2014,

66

3  Creating Value Through ERM Process

p. 35). We can find consensus in the literature that reputation risk management is very crucial. We acknowledge the enormous importance of a good reputation as an asset and as a competitive advantage. Risk managers need to integrate reputation risk must into the general ERM process. We have discussed the terms reputation and reputation risk. Now we can turn to the practical problems of reputation risk management. In most risk inventories, reputation risk is listed as one of the key risks. The problem with this is that reputation per se is not defined as risk. Let us consider the discussion above on the distinction between causes, events, and impacts. It becomes clear that reputation risks are not defined by its sources. Figure 3.4. depicts an example. We place reputation risk as an event in the middle of a risk scenario development using the bow-tie technique. First, we must identify potential sources that can lead to reputation risk. We find these sources often within the business operations risks. Such sources may be internal embezzlement, poor product quality, or the exploitation of employees. For example, these sources lead to criminal prosecution and/or high, negative media attention. These risks sources may cause a negative impact on reputation, which— in the worst case—can evolve into a strategic risk for the company. We also need to analyse the consequences of a reputation in detail. Reputation losses can lead to higher capital costs, lower revenues, and lower company value. The final impacts of reputation risk are always financial consequences. Thus, it is dangerous to consider reputation as an

Causes

Impact

Events

Non-compliance

Fines €

Prosecution Unethical practices Media coverage Hostile takeover bid Poor product quality

Fig. 3.4  Reputation risk

Reputation risk

Cost of capital €

Strategic risk

Reduced revenues €

Lower company value €

3.3  Collect Risk Scenarios

67

independent risk category. Reputation risk must be included in one or more risk scenarios. These scenarios embed reputation as a stopover effect along the way from sources to final impact. Reputation risks per se found in the company’s risk registers are useless. Reputation as a complex construct cannot be managed. To do so, we need to know the sources that impact reputation. It is no surprise that in many companies, reputation risk does not trigger concrete action. This is because reputation risk is not part of a causeand-effect analysis that enables management of that risk.

3.3.6 Focus on Management Assumptions This ERM textbook does not focus on strategy development and strategy implementation. For these topics, many very good standard textbooks are available (e.g. Barney and Hesterly 2006; Collis and Montgomery 2004). Yet, we cannot completely do without discussing explicit references to strategic management. A central concern of modern ERM is the integration of risk analysis into strategic activities. In this respect, we cannot separate risk management from strategic management. As such, we view the following explanations on strategic management from the risk management perspective. We discuss interfaces with strategic management. Our analysis focuses on how risk managers can add value to the classical strategic management processes. Specifically, we care about uncertain management assumptions. These serve as a promising basis for risk identification. One of the most crucial steps to put in place successful ERM is to understand the basic strategic risk assessment process. We need to clarify the roles and responsibilities of risk managers within strategic management. Strategic risk assessment resides with the management. It is an indispensable part of the strategic risk management responsibility. Strategic risk assessment is a systematic and ongoing process. Performing an initial strategic risk assessment is a useful activity for management and the board. It helps to identify risks that might impact strategic goals. This is a responsibility that cannot be delegated to lower hierarchical levels. Both the board and management need to understand the company’s strategy and the associated strategic risks. The following sections discuss the distinct steps of risk identification. Also, we will offer some solutions to practical challenges.

3.3.6.1 Start with Understanding the Business Strategy and Strategic Risk The development and promotion of strategic risk management is a key foundation to improve risk management effectiveness. We need to understand it as an integral part of the companies’ corporate governance (Frigo and Anderson 2009). Strategic risk management can add value to the company. It supports the analysis of the company’s strategic robustness. It challenges management assumptions and makes them transparent.

68

3  Creating Value Through ERM Process

It enables a proactive development of appropriate measures to counter strategic risks. It helps to identify risks that could jeopardise the achievement of strategic goals. Risk managers need to challenge all relevant strategic assumptions. They can use intuitive and rational techniques. Risk-oriented assumption analysis increases greatly the effectiveness of strategic risk management. Yet, from an ERM perspective, every risk manager needs a good understanding of the company’s strategy and business model. As a first step in the risk identification process, risk managers need to gain a good understanding of key business strategies. Also, this includes the identification of all underlying assumptions. Not all companies have well-developed and well-documented strategic plans and objectives at hand. Many companies apply a more informal way to set their strategic goals. Yet, surprisingly few companies are able to state their strategy and competitive advantage in a few sentences. Collis and Rukstad (2008) point out that “most executives cannot articulate the objective, scope, and advantage of their business in a simple statement. If they can’t, neither can anyone else” (p. 1). Very often, this basic precondition to conduct a strategic risk assessment is missing. Companies need to get an overview of key strategies and business objectives. This crucial step will also serve as the foundation to align risk management with strategic management. A useful approach that facilitates strategy formulation is suggested by Collis and Rukstad (2008). Companies often do not quantify strategic risks due to their high complexity, a lack of knowledge, and a lack of data. An average company does not have much experience with the same type of strategic risks over time. Strategic risks emerge abruptly and hit many companies only once in their life cycles. Also, it is challenging for companies to identify, interpret, assess, and prepare for such risks. These often low-probability and high-impact risks can escalate quickly. They leave companies confused and paralysed. In turn, companies get prone to strategic failures and errors (Deloitte 2017). Empirical evidence suggests that strategic risks are very critical to the company’s success. They may hinder companies to execute their strategy and to achieve strategic objectives (Frigo and Anderson 2011). Strategic risks can materialize in many forms. For example, companies may pursue an inappropriate strategy because they misjudge the demand for a new service. Even with the “correct” strategy, companies may fail to execute the strategy. Other strategic risks may be market trends, fast-changing customer trends, and disruptive innovation. For the latter strategic risk, we offer a good example below. Example

With disruptive innovation, a service or a product displaces established suppliers on the market. As a rule, the offer first penetrates the lower market segment with simple applications and then rapidly gains market share. Companies tend to innovate faster than customer needs evolve (e.g. from CD to DVD to Blueray). As a result, services and products come onto the market that are too expensive and demanding for many people. But they serve the higher levels of their markets and the customers who always want the best alternative. As the margins in these sub-markets are high, the companies achieve a high level of profitability.

3.3  Collect Risk Scenarios

69

Yet, this mechanism for success opens the door to “disruptive innovations” in the lower market segments (e.g. streaming services). Disruptive in this context means addressing new consumers who could not afford a service or product before. Disruptive companies often start with low margins, small target markets, and simple products compared to existing solutions (see, for example, the price of a song on Spotify). Such “disruptive companies” may pose a strategic risk for an established company. Due to the low margins, they are unattractive for established companies that focus on the upper market segment. This creates space at the lower end for disruptive competitors. Some examples of disruptive innovation, which can lead to disruptive innovation risk for established companies, include (see Clayton Christensen n. d.): Disruptor

Disruptee

Smartphones

Cellular phones

Discount retailers

Full-service department stores

Retail medical clinics

Traditional doctor’s offices

Streaming service

Compact disc

3D printing

Lathes and milling machines

Cloud computing

On-premises

Mini mills

Integrated steel mills

◄ We find an interesting approach to classify sources of strategic risks in one of the very rare papers on strategic risks. Slywotzky and Drzik (2005) developed seven major strategic risk areas. In each of these risk areas, different types of strategic risks may arise: • Industry risk (margin squeeze, rising R&D or capital expenditure costs, overcapacity, commoditization, deregulation, increased power among suppliers, extreme businesscycle volatility), • Technology risk (shift in technology, patent expiration, processes that become obsolete), • Brand risk (erosion, collapse), • Competitor risk (emerging global rivals, gradual market-share gainer, one-of-a-kind competitor), • Customer risk (customer priority shift, increasing customer power, overreliance on a few customers) • Project risk (R&D, IT, business development or M&A failure) • Stagnation risk (flat or declining volume and weak pipeline). This paper by Slywotzky and Drzik (2005) does not improve strategic risk management in companies per se. We can use it to challenge our own strategic environment.

70

3  Creating Value Through ERM Process

It supports strategic risk identification as it helps to ask the right questions in risk workshops. So far, we have gained a good grasp of the company’s strategy and the term strategic risk. Risk managers can now advance to the next step on their journey to identify all key risks.

3.3.6.2 Collect All Management Assumptions In practice, many companies face the challenge to identify their most relevant risks. Very few ERM textbooks offer techniques and methods for focused, strategy-related risk identification. The very first step of an effective risk identification process is to collect all management assumptions (Sidorenko and Demidenko 2017, p. 86). Risk managers need to identify assumptions in strategy documents, financial projection plans, and budgets. Some of these assumptions are explicitly stated in these documents. For example, risk managers can find information about expected economic growth, expected foreign exchange developments, and expected increase in customers. Other assumptions are more implicit. Risk managers need to seek out them by asking the right questions to management. The goal is to collect all assumptions underlying the company’s strategy and objectives. This step provides also the opportunity to question key individuals’ assumptions. Risk managers can challenge potential emerging strategic risks. They can scrutinise critical assumptions about developments in the technological, political, social, and economic environment. For example, they analyse expectations about currencies, market growth, customer behavior, and regulatory frameworks. Risk managers can make valuable contributions. They provide a more rational perspective on these assumptions. Most of these management assumptions about the company’s future success are of strategic nature. These assumptions relate to the strategy development and strategy implementation process. It is thus of crucial importance that appropriate attention is paid to strategic risk management. The analysis of strategic management assumptions starts with strategic objectives. We need to break down them into operational objectives and key performance indicators (KPIs). In larger companies, strategic objectives are already present in the form of measurable targets. They serve as a good basis for risk managers to undertake a thorough risk analysis. It is of crucial importance that risk managers have access to the strategy documents, the financial projection plan, the business plan, and the budget. The documents allow the first assessment of many management assumptions (Sidorenko and Demidenko 2017, pp. 8–9). Unfortunately, not all risk managers have access to this information. This impedes an effective risk analysis. An often-underestimated issue to translate strategic goals into measurable, action-oriented criteria. Luckily, many strategic management tools cover these interfaces between strategy and operations. One of the well-known tools is the Balanced Scorecard (BSC). It comprises many structural similarities and interfaces with ERM. How does the structure of the BSC look like? It is a planning, management control, and information tool. Thus, it provides an appropriate basis for challenging management assumptions on a more tactical level.

3.3  Collect Risk Scenarios

71

Both ERM and BSC are designed for achieving strategic goals. Both management tools consider the strategy from an enterprise-wide perspective. They focus on almost all (risk) areas and their critical value drivers. One of the main advantages of the BSC is the recommended maximum amount of key measures (“twenty is plenty “). These specific target values are derived from strategic goals. These measures are subject to many uncertainties that need a thorough risk analysis (Hunziker et al. 2018, p. 55). For example, one measure could read as “our revenues are expected to grow faster than that of the strongest competitor to foster our market position”. Let us make a concrete example of how a measurable target based on the BSC can serve as a basis to identify assumptions and risks. Figure 3.5 shows the financial perspective of a balanced scorecard from a ski and hiking company. Within this perspective, several tactical performance indicators have been defined. One of these relates to the sales target. The company aims to achieve a 10% increase in sales compared to the previous year. The least acceptable limit is 6%. We now need to subject the sales target to an assumption analysis. This means that risk managers have to identify all uncertain assumptions for the three product groups. Ski, Skiwear, and Hiking can have a positive or negative impact on the achievement of this target. Such uncertain assumptions are as follows. Expected impact of a marketing campaign, expected inflation rate, expected competitor behavior, and expected weather conditions. From an ERM perspective, all these assumptions represent risks. These uncertainties are volatile. Risk managers need to collect and analyse them as a part of the risk identification process step.

Finance Strategic Target

Key Figure

Unit

Bottom Tolerance

Target Figure

Increase return on investment

Return on Investment

%

20.00

30.00

Increase revenue

Increase of revenue compared to previous year

%

12.00

20.00

Increase contribution margin

Average contribution margin per customer

$

140.00

180.00

Improve cash flow

Average cash flow

$

40,000.00

50,000.00

Skiwear

Skis

Hiking gear

Identification of management assumptions

-

Customer acquisition (marketing campaign) + 10 % Stable exchange rates No new competitor No inflation Good to very good snow conditions

-

Customer acquisition + 5 % Stable exchange rates No new competitor No inflation Good weather conditions

Management assumptions = Uncertainties = Risk analysis

Fig. 3.5  Break down of strategic objectives

72

3  Creating Value Through ERM Process

3.3.6.3 Use Strategic Tools to Complement Assumption Analysis We have now analysed all management assumptions of strategic goals. Risk managers need to complement strategic risk identification. Although we have collected many important strategic assumptions, some may be still missing. For this purpose, we recommend using well-known strategic management tools. They offer a great way to analyse the business environment more thoroughly. In the following, we introduce some important and useful strategic management tools. They all support strategic risk identification. Remember our conclusion that, unfortunately, we cannot predict the future. Sometimes it is even very hard to foresee relevant trends. Yet, this does not mean that we should not develop critical risk scenarios. A careful analysis of the environment facilitates the anticipation of possible future conditions. It needs a good portion of creativity and leads to fruitful discussions. Despite the high degree of uncertainty, it is very crucial to think about possible future developments. Weak signals may slowly emerge in the environment. With the preparation of risk and chance scenarios, companies can better prepare for the future. A sound environmental scanning process contributes to effective emerging risk identification. Yet, such predictions based on environmental scanning have failed many times in practice. Often, abrupt and drastic changes are not included in the risk managers’ scenarios. A popular example was the US financial crisis in 2007 (Taleb 2007). We have more good news for risk managers. They can indeed contribute to the companies’ success. Companies need to scan the environment to get an understanding of external changes and trends. The results of this scanning process serves as a basis for developing risk measures. These measures, in turn, can support the company’s longevity and add to company value (Choo 1999, p. 21). We are now ready to supplement our assumption analysis of strategic objectives. This is done with a general environment analysis. We call this “environmental scanning”. The purpose of this activity is twofold. We can identify new risks that have been missed out in the assumption analysis. Also, we can enrich already identified risks with further information. This allows making risk scenarios more robust and credible. Choo (1999) suggests four different approaches to environmental scanning (p. 22). They all help companies to identify new trends and developments: 1. Undirected viewing (sensing). The aim of this first approach is to search the environment as broadly as possible for any unknown developments and trends. There are no clear guidelines for this kind of environmental analysis. It is not a question of tracking down and confirming ex-ante presumed developments or trends. Rather, companies try to gain a sense of possible weak signals or emerging developments. Undirected viewing is a process of detecting and viewing existing information in a completely unstructured way. 2. Conditioned viewing (sense-making). Compared to undirected viewing, a company may view information about pre-selected topics, concerns, or developments. Still,

3.3  Collect Risk Scenarios

73

this is a very unstructured procedure, but with a more pre-defined scope to look at the information within. The goal is to assess the potential impact of the pre-selected topics on the company in a cost-effective manner. Potential risks associated with the developments may be of high importance. In this case, the approach can be changed from conditioned viewing to searching for further information. We can achieve this with the next two steps. 3. Informal search (learning): A company searches for further information to get a better grasp of the issue or trend at hand. For example, a potentially very negative risk scenario needs a deeper understanding. We decide to assess it more accurately and to plan the next queries. Informal at this stage means in an unstructured manner and with limited resources. The goal of this step is to collect enough information to decide if a specific risk scenario needs to be monitored or not. Risk managers may recommend to putting in place risk measures to counter specific risks. Before the management decides upon, a more formal search may be required. This leads us to the last step. 4. Formal search (deciding). This last approach aims at finding information in a structured and planned manner. The goal of this fourth approach is to get as much information as needed to decide on a specific course of action. Such a decision could be to implement a preventive risk measure. Preventive risk measures are designed to be effective before a risk event occurs. They reduce the probability of occurrence. Examples include standards, employee training, procedures, encryption, and physical barriers. Formal searches are fine in granularity and more time-consuming. They are intended to serve as a basis for acting and deciding. The challenge for companies is to find a balance between more limited, well-structured, and less limited, unstructured approaches. If the focus is too strong on undirected viewing, it can become very expensive. The result can be negative, which is not finding decision-relevant information. Moreover, with this method, the amount of data becomes large and confusing. Companies may adopt a too structured and too narrowly limited analysis. In this case, they face the threat that relevant trends and risks will not be identified at all (Andersen and Winther Schrøder 2010, p. 148). In essence, there is no best practice about how such an analysis of the environment should be carried out. Risk managers can consider and combine many established strategic management tools. This can be a promising approach. We need to distinguish between general environmental risks, industrial risks, and company-specific risks. For all these three layers, corresponding tools are available. Many very valuable basic strategic management textbooks have been published. This is why we introduce only a few very helpful tools in this textbook. Structured Analysis of Competitive Climate Porter’s five forces model (1980) is a well-known and typical framework to conduct a comprehensive industry analysis. Different forces impact the attractiveness of a specific industry. Examples are changing customer preferences, new product developments,

74

3  Creating Value Through ERM Process

industry regulations, process innovations, and many more. Furthermore, Porter’s framework is a great way to assess companies’ strategies. It also enables the assessment of the moves of existing and potential competitors. This allows a thorough analysis of potential consequences for the company. The following example shows the results of a practical application of the five forces model. Industry threats and opportunities in ski manufacturing

An analysis of the profit dynamics in the industry can benefit from Porter’s five forces model. The model makes assessments about the industry’s attractiveness based on the effect of five key forces, namely: (1) the threat of new entrants; (2) the bargaining power of buyers; (3) the bargaining power of suppliers; (4) the threat of substitute products or services; and (5) the intensity of competition in the industry. Each of these forces is examined below. 1. The risk of new competitors is rather low. The production of skis is utility-intensive, which requires a considerable initial investment. Besides, established competitors have a know-how advantage. Also, they maintain a very close connection to professional sport. There are smaller ski manufacturers that are pushing their way into the market. Yet, they only produce small quantities and meet a selected segment of premium customers. Finally, existing patents for innovative suppliers protect their products from being copied, e.g. a specific ski boot plate. 2. The consumer has high bargaining power. We can illustrate this by the high discounts granted on newer models in the second part of the ski season. Accessories such as ski bindings and ski pieces can be combined almost at will. This means that the consumer is not tied to a single brand (see, for example, the coffee capsule market). We should not neglect that skis are durable. We may postpone our purchase decision by one or more years. After all, it is easy to change suppliers. 3. Suppliers have only limited bargaining power. Many of the input materials are standard products and are offered by a large number of companies. Since ski manufacturers usually buy large quantities. Suppliers are often prepared to make certain concessions. These are standard products with little potential for differentiation. Thus, companies set a market price that includes only a small margin. 4. We may consider ski touring, snowboarding, or sledding as direct substitutes for skiing. Many other ski sports such as cross-country skiing, snowshoeing or iceskating serve as possible alternatives. The risk of substitution is high. Yet, consumers often commit themselves to one or more winter sports at a young age and remain loyal to them in the long term. 5. The market is dominated by large suppliers such as Rossignol, Atomic, Salomon, Völkl, and Head. The intensity of competition in the ski industry is high and the products are similar in many respects. The intensity of the market is reflected in the fact that every year many new and revised models are placed on the market. ◄

3.3  Collect Risk Scenarios

75

Interestingly, Porter’s five forces model, in particular, has not established itself well in practice. This is, for example, in great contrast to the SWOT analysis. Grundy (2006) recognises several reasons for this: • • • • • •

The model is abstract and very analytical. The language is technical and focused on microeconomics. The practical implications are not easy to recognize. The model is difficult to deploy in practice. The logic of the model is not straightforward. The five forces cannot be easily transferred to the company context (p. 214).

This example is an impressive demonstration of the gap between science and practice. Interestingly, many decision-makers know the model from their education, but never use it in practice later. Well-tested, concrete checklists published in professional journals lack. This is a major reason why Porter’s five forces are barely adopted in practice. Although it was already published in 1979, it has not yet reached practical acceptance. SWOT analysis, on the other hand, is used by many companies. Yet, SWOT analysis does not offer concrete guidance on how to analyze the strategic environment. A literature review uncovers one exception about Porter’s five forces. Dobbs (2014) developed guidelines for applying the five forces. He published a set of industry analysis templates that guide companies through a comprehensive assessment. Ironically, these practicable templates were published in an academic journal. It is doubtful whether this publication made it onto the desks of decision-makers. To sum up, the contribution of Porter’s model to the business environment analysis is very high. If the model is somewhat adapted and more “practical”, it can be very useful for strategic risk and opportunity identification. Besides all criticism and limitations of this model, it is one of the most important strategic management tools. It enables the assessment of the forces determining the profitability of industry (see Grundy 2006, p. 215), One aspect of the discussion about the practical relevance of Porter’s five forces model is its dependence on other strategic management tools. On this, Grundy (2006) published a very valuable and practical contribution. He shows how competitive forces can be embedded as a puzzle piece in a superordinate strategic analysis model. He recommends combining Porter’s five forces model with another very popular strategic management tool named PEST analysis. The acronym PEST refers to political, economic, socio-economic, and technological factors. With this tool, companies are able to assess the general environmental risks. These risks comprise many exogenous factors outside the control of corporate. It is a useful tool to conduct a strategic risk analysis. It provides a broad overview of the most important macro-environmental factors to analyse. Several variants have emerged over time. One of the most well-known enhancements is PESTEL which includes environmental and legal factors. We illustrate an example of how the results of a PEST analysis could look like below.

76

3  Creating Value Through ERM Process Drivers of change in ski manufacturing

Political issues: Many safety regulations also apply to ski manufacturers and sportswear manufacturers. High tariffs on individual product groups may reduce the attractiveness of individual overseas sales markets. Environmental associations are more critical of mass tourism in high alpine areas. This may also reduce the attractiveness of skiing. Economic issues: As the number of skier days tends to decrease due to global warming, more skis are hired instead of bought. It is also to be expected that only high-altitude ski resorts will be profitable in the long term. Lower-lying ski resorts close to conurbations are thus likely to disappear more and more. Global growth markets like China, Russia, and India), will increase the demand for skis, clothing, and accessories. The market is seasonal and saturated. Especially in spring, consumers expect high discounts. Social issues: Urbanization is increasing more and more. The possibilities for leisure activities are becoming more diverse. Skiing competes with leisure activities that are less weather-dependent. The aging of the population can act as a brake on growth. In general, Western Europe is skeptical about mass tourism in ski resorts. One example refers to the intensive snowmaking for slopes. Technology issues: The spread of the Internet offers a detailed price comparison between ski and ski equipment manufacturers. Besides, various factors, such as the Internet, are driving the need for individual products. Yet, there are no signs of any disruptive manufacturing processes or materials. The demand for sustainably manufactured skis is likely to increase. ◄ The growth drivers act as a link pin between the environmental analysis (PEST) and the industry analysis. If, for example, the environment changes unfavourably, this can lead to growth brakes. This in turn makes specific industry forces more relevant (Grundy 2006, p. 217). Figure 3.6 depicts a sort of “onion model” which begins with a PEST analysis and ends with the analysis of the own company in the competitive environment. This onion model can improve the identification of potential key risks. SWOT Analysis (Andrews 1971) A company can apply a SWOT analysis to conduct strategic analysis. It helps to identify strengths and weaknesses in the internal company environment. Also, it supports the analysis of opportunities and threats in the external environment. It is probably the most well-known strategic analysis tool in theory and practice. The outcome of this strategic analysis can help to identify strategic risk factors. Especially for SMEs, the use of a SWOT analysis is helpful. It is a very straightforward tool that incorporates internal and external (uncertain) developments. Besides, the SWOT analysis links relevant problem areas with the corresponding business objectives. In the following, we illustrate a simple SWOT analysis of a ski manufacturer.

77

3.3  Collect Risk Scenarios

Technological change

Growth driver

Political change

Current customers & competitors

New substitutes

Life cycle of own industry

New entrants

Bargaining power of customers

Life cycle of own industry

Bargaining power of suppliers Social change

Economic change

Fig. 3.6  Competitive mapping (adapted from Grundy 2006, p. 217)

Results of a SWOT Analysis (ski manufacturer) Strengths

Weaknesses

• Qualified and long-standing employees who know the processes and products • Existing customer base that appreciates the quality of the brand • Own sales channels that reduce dependence on intermediary trade • Financially less dependent on lenders

• Lower economies of scale compared to larger competitors • Awareness strongly limited to Western European area • Strong focus on alpine skiing, little experience in the touring ski and snowboard market • Strong focus on functionality and less known for high quality designs

Opportunities

Threats

•D  igitization of the ski product and its accessories •N  ew overseas markets with high growth potential • I ndividualization of products (skis, ski boots, bindings, etc.) •P  roximity to the Ski World Cup to benefit from partnerships and feedback

• Quality risk due to production in Eastern Europe • Global warming reduces number of snow kilometers on skis • Strategic wrongly assessed attractiveness of skiing • Entry of a new competitor in the near premium or premium segment

Return Driven Strategy Framework (Frigo and Anderson 2011). We can apply this framework to analyse the components of a company’s strategy. It also provides an opportunity to see how different elements of the strategy are linked together and drive value creation. Furthermore, it offers a perspective on the identification of risk areas in the strategy. The return driven strategy framework has been applied as an

78

3  Creating Value Through ERM Process

effective strategic management tool. It consists of eleven core tenets and three foundations. In combination, they establish a hierarchy of interrelated activities. If companies follow these activities, it may lead to superior financial performance. Executives adopt this framework to test strategies. Also, they use it to identify risk areas as part of the company’s strategic risk assessment. VRIO Framework (Barney 2002) and Value-Chain Analysis (Porter 1985). The application of these tools supports the company to deal with endogenous risk factors. These are caused by the company’s processes, people, and technological systems. Risks such as “inability to observe and react to market changes”, “operational disruptions” and “technological breakdowns” are included as well (Andersen and Winther Schrøder 2010).

3.3.6.4 Risk Identification: Mission Accomplished? Strategic management tools, such as the classic SWOT analysis, are very valuable tools. They all support the identification and discussion of relevant strategic developments. They offer guidance to analyse the environment in a structured manner. These tools are essential for any risk manager. Here we have another advantage of applying such tools. They can build bridges (linguistic and cultural) between corporate management and risk management. These tools were developed from strategic management. Yet, most of them are accepted and known to many in practice. Also, these tools are linked to long-term plans. This is opposed to many other tools focusing on short-term, operational issues. It thus makes sense for risk managers to make use of these strategic management tools as well. Yet, the process of risk identification is not yet complete in the sense of ERM. We illustrate this with the example of the SWOT analysis: • The results are classified into opportunities, threats, strengths, and weaknesses. As we have learned, weaknesses and strengths are not risks. We deal with existing conditions. • Opportunities and threats have not yet been classified or prioritised. From an ERM perspective, this is an insufficient state. At this point, it is still unclear what potential impact they can have on the company’s objectives. • It is not yet clear how probable the individual opportunities and threats will materialise in the future. • Often, the degree of abstractness in a SWOT analysis is too high. Opportunities and threats exist in keyword form. It is unclear which concrete scenarios are meant. Each opportunity can have several scenarios with different probabilities. From an ERM perspective, we need concrete, plausible and comprehensible scenarios. SWOT serves at best as a basis for this next step. • SWOT analysis focuses on strategic risk factors. Operational and financial risks are in most cases excluded. They need to be identified with other tools and techniques.

3.3  Collect Risk Scenarios

79

• A SWOT analysis may be conducted with all relevant stakeholders of an ERM programme. It included management and board level. Still, it does not include enterprise-wide information. This means that management overlooks some strategic risks. A SWOT analysis must be complemented by other important subject matter experts. They may be internal or external to the company. • Group-specific biases (Sect. 2.3) may pose a significant threat for transparent, objective, and comprehensive risk identification by the means of SWOT analysis. The next step in risk identification is to conduct qualitative interviews with key stakeholders. This step complements the former activities. So far, we have challenged management assumptions and used strategic management tools.

3.3.7 Conduct One-On-One Interviews with Key Stakeholders How can we proceed in practice with effective risk identification? Who needs to be involved? Moreover, how does the risk manager need to prepare? Let us assume we face an initial ERM implementation. We recommend that management, preferably the Chief Executive Officer (CEO), inform about the relevance of the new ERM. The “tone at the top” is very important. It exhibits management commitment towards ERM. This needs to be noticeable enterprise-wide.

3.3.7.1 Prefer Interviews Over Templates and Surveys In practice, it is evident that ready-made templates do not work. They are indeed costeffective and standardized. It is tempting to query risks via e-mail. Unfortunately, this procedure is very prevalent in practice. The main reasons why one-on-one interviews are preferable to sending templates are the following: • Low involvement and commitment by the recipients • Often not taken very seriously because recipients do not know exactly what is happening to their information. • The necessary time is often not spent on it. As a rule, such templates are filled out quickly and with low priority. • There is a high risk that last year’s list will be copied and that only a few creative thoughts will flow into risk identification. • The risk manager cannot be asked any questions. The recipient fills in “something” to the best of his knowledge and belief. • The risk manager cannot guide the development of complex scenarios. It may not be possible to reduce relevant cognitive or motivational biases in this way. Figure 3.7 shows an example of a simple template used in this or a similar way for risk identification purposes. In the next years after ERM implementation, the template will be

80

3  Creating Value Through ERM Process RISK MANAGEMENT TEMPLATE

Risk Owner:

Business Unit: Date: ID

Risk Title

Risk Impact

Probability of Occurence

Risk Map Area

Medium

Low

High

Medium

Low

Low

Risk Description

Risk Category

Historic Data

Risk Sources

Risk Interdependencies

Mitigation in Place

Effectiveness of Mitigation

Risk Owner

Fig. 3.7  Example of a risk management template

sent again. Risk managers request that risk owners update it and add new risks if necessary. In this textbook, we will do without this approach and show a more effective and beneficial approach. The use of one-on-one interviews to complement risk identification is a very important step for the following reasons: • The involvement of employees, department heads, team leaders and others creates greater acceptance for ERM. • Personal interviews prevent the “not-invented-here” syndrome. Decisions about new ERM measures are better accepted if employees are involved in the decision-making process. • Risks that have not yet been identified (specifically more operational risks) can be identified. Not all risks are covered by the assumption analysis and strategic environment analysis. • The involvement of specific experts (e.g. internal audit, external audit, and external specialists) on specific topics offers a further perspective. • The interviews with various ERM stakeholders allow several perspectives on the same risk. This triggers discussion in the case of divergent opinions. Risk managers face very often-ambiguous information. After this advance information, the risk manager must consider with whom he or she would like to conduct the interviews. The goal must be to get the most representative (risk) view possible of the entire company. We have already discussed the hurdles and challenges that may arise in Sect. 3.3.2.

3.3.7.2 Select and Inform Interviewees Carefully Since interviews are resource-intensive, it is important to carefully select the interviewees. Who can bring in which risk perspective to represent a specific area of expertise, a business area, or a cross-sectional function? As a rule, only a few interviews are enough to get a company-wide risk profile. Irrespective of the company size, experience has shown that 10 to 20 interviews may be enough in most cases.

81

3.3  Collect Risk Scenarios

Board/AC

Head IA

3 Division Managers

Expert with Experience

Internal Audit

Management

2 Board Members

CEO/CFO/ CRO/CTO

Division Product X

Division Product Y

Division Product Z

R&D

R&D

R&D

Marketing

Marketing

Marketing

Finance

Finance

Expert with Experience

Expert with Finance Experience

Fig. 3.8  Enterprise-wide risk perspectives

Figure 3.8 shows an example of a company that conducts 13 interviews to enable company-wide risk identification. As can be seen from the organisation chart, different hierarchy levels are represented. From the operative business, the risk manager has selected three experts. They have a particularly high level of industry knowledge. Thus, they can contribute valuable information to possible industry risks. Internal audit can provide valuable information based on their audit activities. Board members can add to the strategic risk analysis, too. They can assess environmental risks or industry-specific risks. Once we have identified the relevant experts, we need to inform them in advance about the upcoming interviews. It is important that this information contain the following elements: • Purpose of ERM. For example, companies adopt ERM to enhance company value and to improve decision quality. • Relevance of experts for an effective ERM. Experts contribute with valuable experience to risk assessments. • Information handling. Who receives the interview information? What happens with this information? What is reported back to the expert? What kind of consequences may the interviewee expect? • Importance of interviews. We invite interviewees to be honest and transparent. We may think about incentives that promote truthful answers. • Interview procedure. Interviewees need to know the duration of the interview and if they got recorded or not. They need information in advance about the types of questions. For example, risk managers may ask them to identify the five most important risks. Also, interviewees are asked to develop very pessimistic scenarios with the help of the risk manager. • Acknowledging and reaffirming that the expert is part of the successful business development.

82

3  Creating Value Through ERM Process

The next step is now to arrange individual appointments with the experts. It is important to allow enough time for the meeting, especially for the very first one. Experience shows that, as a rule, too little time is available for more detailed discussions of individual risk scenarios. The time factor often leads to hasty decisions and poorly reflected risk assessments.

3.3.7.3 Elicit Feedback on Major Risks During the interviews, the risk managers must pay attention to the individual biases. They need to minimise biases through skillful conversation (2). Experience shows that interviews should focus on the identification of three or five major risks. The principle of “relevance over quantity” applies here. Risks managers could also elicit feedback on the 10 most important risks. Yet, there is a danger that focus is on some irrelevant risks. Thus, focusing on key risks is a success factor of an effective risk interview. If possible, risks managers should record all interviews. Also, we recommend conducting these crucial interviews face-to-face. This allows the risk manager to concentrate on the conversation. Also, it is easier to interpret non-verbal language. After the interview, risks managers transcribe the recordings in detail. This assures that no important information is lost. To support a structured conversation, risk managers can make use of the bow-tie technique. A sheet of paper depicting a bow-tie diagram serves as thought support in risk identification. This makes it easier to think thoroughly through the scenarios. This enables a discussion of risk causes, risk events, and risk impacts. Figure 3.9 illustrates a corresponding template. We recommend using it in the risk interviews. Risk managers introduce the scenario analysis before the interview starts. They point to the causes, events, and impacts during the conversation. 3.3.7.4 Focus on Plausible Stories, not on Numbers As part of risk identification, we need to develop risk scenarios that are as plausible and complete. They need to represent the possible range of uncertainty. Risk identification interviews should start by developing very pessimistic scenarios. Does this not contradict the modern approach according to which ERM can create value for the company? Should we not develop very optimistic, value-creating scenarios first? The answer in both cases is no. We justify this as follows: • It goes without saying that management must know all the scenarios that can endanger the existence of a company. These are scenarios that can lead a company into over-indebtedness or illiquidity. • Moreover, companies need to assess the effect of such negative scenarios on relevant performance indicators anyway. We need to understand how EBIT or company value is affected in the worst case. This creates a basis for decision-making on how to deal with these risks. • If management discusses opportunities first, this can have a “euphoric” overshadowing effect. This means that downside risks are then given too little weight and

3.3  Collect Risk Scenarios

83

Causes

Impact

-

Events

-

-

Fig. 3.9  Bow-Tie documents for interviews

discussed too little in the later discussion. It is thus always worth starting with the negative scenarios first. • As a rule, we use scenario development to represent all possible future realities in the form of a “risk distribution”. This requires an equal assessment of pessimistic and optimistic scenarios. The risk manager should ensure that risk scenarios are developed as complete as possible. Complete in this context means: • Are there one or more causes that lead to the risk event? We should not limit ourselves too quickly to the first, plausible cause. • Are these causes independent of each other or do they lead to the risk event in combination? If the causes are independent, two different risks have been identified. • Are there causes of the causes? The “why” should be asked until the origin of the cause has been found. Preventive measures are the best way to manage risk. • What are the sequences of the risk event? Does this event trigger a follow-up risk? If so, should we incorporate it into this scenario? Correlations with other risks can already be integrated via smart scenario development.

84

3  Creating Value Through ERM Process

• Are there short- and long-term consequences? It is well known that particularly strategic risks may arise abruptly, but have an impact over several years. These effects must be taken into account in scenarios. • Besides, we must consider the financial impact of the risk scenarios. They can have an impact on different line items in the financial plan. • Risk scenarios should be as debiased as possible. For example, risk managers have to ensure that no hindsight biases are effective. The past is a poor predictor of the future. Risk scenarios need to be developed prospectively. In this stage of the ERM process, as already mentioned, we need to discuss the three to five most important risks. Besides the very pessimistic scenarios, we should also consider very optimistic scenarios (best cases). We can distinguish two options: • For many operational (event) risks, we cannot find any optimistic scenario. Recall our risk definition. We define risk as an unexpected deviation from our goals and plans. This holds true in the case where the plan anticipates that no risk occurs. For example, the risk of a flood catastrophe is not included in the financial plan. This is because the probability of occurrence is very low. Thus, the optimistic risk scenario represents the case that no flood catastrophe occurs. A flood risk scenario that adds company value is rather unrealistic. • With strategic and many financial risks, there are credible risk scenarios that can turn out better than expected. These are usually so-called distribution risks, which can assume several or many realities. For example, let us look at a very optimistic scenario. Despite a competitor entering the market, we can strengthen our market position. The competitor fails and our company emerges stronger from this situation. There is a good reason that we strive to capture also very positive risk scenarios. By this, we can gain an initial overview of the ratio between so-called rewarded and unrewarded risks. Unrewarded risks are risk events that do not offer any upside potential. These include many operational risks such as flooding, fire, and machine breakdown. As a rule, it is not worth bearing these risks. In contrast, rewarded risks are generally associated with potential opportunities. Strategic or financial risks commonly contain also upside potentials. This procedure provides an initial indication of how to deal with the different types of risks. Some are more likely to be avoided or minimized. Others are taken deliberately to exploit potential strategic opportunities. This is important to link risk management with value-based management. Up to this stage, we have now collected three to five potential risks from each subject matter expert. These risks are available in the form of very pessimistic scenarios. Where appropriate, risk managers and interviewees also developed very optimistic scenarios. All scenarios have been thought through. The use of the bow-tie technique supported scenario development. For all risk scenarios, we prepared information about the causes and financial impacts. To assess financial impacts, we used consistent financial

3.3  Collect Risk Scenarios

85

performance indicators. These may be EBIT, cash flow, equity, or company value. We seek to make risk identification a consistent and high-quality process. To achieve this, we need to observe the following important aspects: The following points in risk identification must be considered: • Risk managers should only collect as much information as necessary. This means a fully thought-out scenario per risk with an initial rough estimate of the financial impact is fine. • We develop risk scenarios on a net basis. This means that all existing risk mitigation measures should be included in the scenario development. Gross risks are “pseudo risks” and prevent (or overestimate) a realistic risk assessment. • It must be clear what the financial impact refers to, e.g. EBIT, free cash flow, or company value. We use performance measures consistently so that risk scenarios can be compared at later stages. • An assessment of the probability of occurrence is not yet necessary at this point. All key risks are “rare” events. Frequency losses that can often occur with a high probability (such as process risks) are generally not key risks. Thus, companies must select potential key risks only based on loss potential. They need to know the absolute loss potential of each risk, regardless of the probability of occurrence. Diluting the real risk by calculating the expected value is dangerous and misleading. • Quality over quantity: As a rule, few, but relevant risks should be recorded completely.

3.3.8 Complement with Traditional Risk Identification We can usually identify the most relevant risks with assumption analysis and qualitative interviews. This means risks are decision-relevant and have a reference to specific business objectives. Of course, there are many other risk identification methods that can be useful as a supplement. Yet, these methods often refer to rather an operational risk management, which is not ERM. This textbook focuses on strategy-relevant, company-wide risk management. For this reason, it does not present individual risk identification methods in a comprehensive way. In the following, we introduce a few techniques that are practice-oriented. These techniques can contribute to supplementing the ERM process.

3.3.8.1 Conduct Risk Workshops Carefully Workshops bring risk experts from different functions and hierarchical levels together. The goal of such workshops is to exploit the collective knowledge of the group. They support to develop or complete a list of risks related to the company’s strategy and the corresponding business objectives (COSO 2017, p. 70). Risk workshops are a very popular instrument to discuss and collect risk scenarios in practice. Yet, many of them fail to produce reliable and relevant risk information. Apart from the well-known biases to counter in group meetings (see 2), other common organisational key aspects are often neglected.

86

3  Creating Value Through ERM Process

Risk managers should be familiar with current risk policies, risk appetite statements, risk exposures, and all other risk-related guidelines. Next, a sound preparation of a risk workshop is crucial. Ideally, the risk manager contacts all participants of the workshop in advance to inform about the key goals of the meeting. These goals comprise the identification of relevant risks that might have an impact on the company’s strategy. Workshops usually take more time than planned. It is important to allow enough time for the workshop. Otherwise, decisions could be driven by a lack of time rather than by appropriate reasons. Moreover, risk managers should facilitate effective discussion by booking an appropriate meeting room. Online risk workshops are much more difficult to conduct. This has been shown, for example, during the COVID-19 crisis. There are further principles to be observed in video conferences. For example, that all participants have their camera turned on. It is important, particularly in online meetings, to keep the number of attendees in risk workshops low. More than 8 to 10 attendees allow better hiding in the group (social loafing). Also, larger groups make it challenging to facilitate an efficient discussion. It might be helpful to provide all attendees with an overview of possible risk areas before the risk workshop. This promotes creative thinking and prevents thinking blockades. To start with a blank sheet is not the best idea to promote creativity. An example of such a risk area sheet is provided in Fig. 3.10. Besides the sharing of the risk areas, risk managers can provide the latest version of risk analysis performed. For example, they deliver the latest document on strategic management assumptions. This promotes the relevant discussions right from the beginning of the workshop. It is preferable over starting with a blank risk identification sheet. Ecology

Procurement

Production

Sales

indicators

indicators

indicators

indicators

• environmental sustainability • of the products • of the additives • of the production processes

• • • • •

prices conditions supply volume quality level punctuality of suppliers • size of order • order routes

• • • • • • •

• new orders • backlog • order/purchase behaviour • price/program policy of the competition • image of own and competitor products • complaints rates

Macroeconomics

Demography

Politics

Technology

indicators

indicators

indicators

indicators

• • • • •

• • • •

• • • •

• innovations • development of materials • trends of change in production and process technology

• environmental trends

interest rates exchange rates economic indices union wage level money supply

population growth demographic structure human resources unemployment rate

component diversity occupancy rate inventories reject rate output change setup times setup costs

law preparation political parties political stability election results

Fig. 3.10  Example of possible risk areas (adapted from Diederichs 2013)

3.3  Collect Risk Scenarios

87

At the very start of the workshop, the risk manager briefly introduces the state of the ERM process. Attendees need to understand the objectives of the workshop. Also, it is important that risk managers appreciate them as risk experts. The introduction should also address the planned time schedule and give an outlook on the next steps after the risk workshop. During the discussions, the risk manager acts as a facilitator and should be a neutral moderator. The crucial part is to counter specific group biases. For example, it is important to start discussing risks before opportunities. Also, risks managers should elicit a second opinion on every risk assessment. A great way to do so is having somebody to play devil’s advocate. Finally, risk managers must explain the difference between business issues and risks. The role of a moderator can be very challenging. In the following, a few key aspects are to be taken into account: • Keep a close eye on time management. Focus on high-level risk scenario development. Detailed risk analysis including discussing risk mitigation options is very timeconsuming. It could be done afterward by later interviews with risk owners. • Make sure that risks are described enough specific. Develop plausible stories. Start with risk causes. • Guide the discussions to external (environmental) risk identification. Usually, the focus lies too much on internal business issues rather than on external, emerging risks. • Avoid risk management jargon. Use business language to increase credibility and acceptance. Do not ask for probabilities of risks, there is no need to do so at this stage of the ERM process. • Do not get into details more than what is needed. As a facilitator, the task of the risk manager is to lead participants through a process of group knowledge capturing. • Make sure attendees understand the concept of uncertainty. This is not a single number, rather a range that expresses the degree of uncertainty. Usually, participants are reluctant to guess at specific numbers. • Follow the rules for brainstorming. Risk managers must not evaluate any idea. The goal is to collect everything first. The discussion of any risks will follow later. • For brainstorming to be effective, create a diverse workshop group. The group should cover different areas of business. Invite external subject matter experts if useful. • Appreciate all contributions to risk identification. It is important to create an atmosphere where no answer is wrong. Risk managers should promote disagreement. This can enrich the perspectives of existing risk assessments. • Prepare some good examples of well-developed risk scenarios. Explain the differences between sources, events, and impacts. • If you think that an appropriate amount of risk scenarios have been developed, switch to the next process step. Risk managers should summarise all the ideas from the participants into a structured form. Now we can point to risks with much disparity. This can be done in a coffee or lunch break. After the break, the risk manager shares his or her summary with the participants to start the follow-up session. The aim of this

88

3  Creating Value Through ERM Process

follow-up session is to reach some degree of consensus on the risk sources. Also, we need an overview of the (financial) impact of each risk. • At the end of the workshop, explain in detail what happens with all the collected risk scenarios. Risk managers should share the results of the workshops in a comprehensible way with all participants. In summary, risk workshops can be a useful complement to the analysis of management assumptions. But only if we adhere to the above-described success criteria. In practice, certain biases dominate so that risk workshops become obsolete. If relied on as the sole instrument for identifying risks, they can even do more harm than good. Also, risk managers must be highly skilled at moderating such risk workshops.

3.3.8.2 Consider Process-Based Risk Identification ERM should not be the driver for process management in the company, there are more rational reasons. Yet, if a company has already visualised its processes (e.g. ISO 9001), these can be a useful basis for complementing risk identification. We need to state that process analyses barely produce strategy-relevant risks. In the context of an internal control system, process-based risk identification can be a very reasonable procedure. An internal control system is primarily designed for providing process assurance. The first step is to consider which processes should be subjected to a risk analysis based on relevant criteria (scoping). We can do this based on quantitative or qualitative criteria. Quantitative criteria refer to balance sheet and income statement items. Qualitative criteria may be process complexity, importance, and criticality. Once we have selected the processes, we can proceed with a risk-based analysis of the individual process activities. An example of such an analysis is shown in Fig. 3.11. With the help of risk managers, process owners can analyse “what can go wrong-questions” in the individual process activities. So, we can identify potential process weaknesses. If a corresponding effective process control lacks, this indicates a potential risk. 3.3.8.3 Use Risk Checklists with Caution Checklists contain the knowledge of other institutions such as risk management associations, universities or consultants. It is very tempting to use risk checklists that are as comprehensive as possible. This makes risk identification significantly faster and more cost-effective. Besides, experience from other companies in the same industry can be used. We can supplement such checklists with further, company-specific risks. It appears that checklists are actually an ideal instrument for risk identification. Yet, this also entails significant disadvantages: • Checklists prevent your own thinking or creativity. Risk identification thus quickly degenerates into a ticking-off exercise. • Checklists are incomplete, specifically, company-specific risks are not appropriately covered

89

3.3  Collect Risk Scenarios order intake

x





material shortfall

demand generated

+ What can go wrong?

material availability check

special order

o

purchase order

What can go wrong?

incoming goods control positive

fabrication special order



quality control negative

What can go wrong?

incoming goods control

What can go wrong?

x

feedback

incoming goods control negative

return goods

quality control

x



goods delivery

capacity planning

+ What can go wrong?

order placement

quality control positive

rework

o warehousing

Fig. 3.11  Process-based risk analysis

• Many risks on the checklist are not relevant and may thus distract from actual risks. • Checklists only show negative risks, upside potential is not taken into account. • Checklists do not establish a direct reference to business objectives. • Strategic risks can hardly be found on a checklist because they are very company-specific • Checklists do not always define risks consistently according to sources. Often we find a mix between causes, events, and impacts. Risk checklists should never be solely used to identify risks. If a company decides to use checklists, it should be used as a supplement. It may be consulted after the assumption analysis and qualitative interviews have been carried out. Such checklists have not to be confused with predefined risk categories. It may make sense, for example, to predefine risk categories for all interviewees in qualitative interviews. This is even very helpful to achieve a certain consistency in the identification process. Risk categories have a higher level of aggregation than concrete, individual risks. They are more comparable to risk areas, e.g. strategic, operational, and financial risks are three broad risk areas. Currency fluctuations of the CHF/EUR currency pair are a concrete risk within the category

90

3  Creating Value Through ERM Process

Meaningful presetting for workshops / interviews

Single risks

Risk Category

Risk Subcategory

Risk Checklist

Risk Present?

Financial

Market

Currency risk … …

 YES  NO  YES  NO  YES  NO

Strategic

Supply Chain

Delivery interruption … …

 YES  NO  YES  NO  YES  NO

Strategic

Rivalry

Market entry of competitor … …

 YES  NO  YES  NO  YES  NO

Operational

HR

Untrained staff … …

 YES  NO  YES  NO  YES  NO

«Ticking-off exercise»

Fig. 3.12  Risk categories vs risk checklist

“financial risks”. Figure 3.12 shows the difference between a risk checklist and a meaningful presetting for risk workshops and risk interviews. These broad risk categories support the identification of relevant risks.

3.3.8.4 Try Fault Tree Analysis (FTA) for Critical Processes and Systems Fault tree analysis (FTA) has its roots in the aerospace and reactor technology sectors. It is mainly used in complex, safety–critical processes and systems. The method was first used in 1961 to investigate a missile launching system. It is used both to search for potential sources of error and to optimise and assess safety. The aim of FTA is the systematic identification of all possible failure combinations. These are understood as causes that lead to a given result. This includes the creation of a graphical system model in which the undesirable situation is at the top. All possible sources of error are at the base and are linked with Boolean operators. Following this rather general definition of the FTA, we attempt to establish a link to business risk and quality management. An example of this is product reliability. We focus on that part of the integrated product lifecycle where manufacturing companies have little impact on products. This corresponds to the period shortly after the market launch. At this stage, it will become apparent to what extent the products contribute to satisfying customer needs. If an error occurs here, this can have serious consequences for the company. Product defects and the associated risks are thus already recognised in the development cycle. This happens either in the planning phase or at the latest in the test phase. The test phase is used to assess all risks and functionalities of the prototypes that will be produced. Within the framework of product reliability, the FTA is of considerable importance. As an analytical instrument. it allows a structured identification of productrelated risks.

3.3  Collect Risk Scenarios

91

In the first phase of the FTA, the aim is to identify as many causes as possible based on an identified problem. These causes are then depicted in a cause system. A so-called fault tree is used in the FTA to represent the cause system. The fault tree is a top-down analysis technique. It is a method in which, starting from an identified problem or risk, causes are gradually linked to the causes of causes. This is done until the cause system has been mapped as completely as possible. Two main groups of symbols of the FTA can be distinguished: Events (labelled symbols) and logical links (unlabelled symbols). In the top-down procedure, the risk event “engine of a machine cannot be stopped” (risk to be analysed—also called top event) is assumed and all possible causes (“emergency stop switch system” and “alternative power supply for engine”) and causes of the causes (“switch 1 fails” and “switch 2 fails”) for this risk are displayed. The FTA searches for groups of events (so-called cut sets) that cause the top event to occur. The more events in such a cut set, the less likely it is that the top event will occur. This means that risk managers search specifically for so-called minimal cut sets, that is, for groups of events that have as few individual events as possible. To put it simply, minimal cut sets are the most likely constellations for a top event to occur. Of course, the fault trees are much more complex in practice than in the example above. Thus, there are special software packages that make it possible to analyse the error trees especially with regard to the cut sets (Rautenstrauch and Hunziker 2011).

3.3.8.5 Prevent Costly Errors with Failure Mode and Effects Analysis (FMEA) The FMEA was developed by NASA in parallel to the FTA in the 1960s and was used for the first time in the Apollo programme. The method was later widely used in the automotive industry through power plant construction. Meanwhile, the FMEA is used for the development of new products, the use of new production processes, products with safety requirements, changes to the product, material or process, changes in the conditions of use of known products, complaints and requirements by the customer. In contrast to FTA—which is a representative of top-down instruments—Failure Mode and Effects Analysis (FMEA) is one of the bottom-up analysis forms. FMEA and FTA are related instruments that complement each other and, in combination, have their greatest effect on risk identification. The FTA examines which product components could cause a given error or risk situation (top event). Instead, the FMEA tries to find out what type of error or risk is triggered by the given product components. Within the framework of quality management, the FMEA is thus used to minimise the risk arising from the occurrence of errors. Potential errors in systems, designs, and processes are analysed and measures defined to detect them as early as possible. The FMEA is motivated by the knowledge of the connection between the costs of eliminating faults and the time of their discovery. As a rule of thumb, the so-called rule of ten1 is often mentioned, which states that the costs increase tenfold from one process step to the next. For this reason, FMEA follows the idea of preventive error prevention. It helps to avoid later detection or correction.

92

3  Creating Value Through ERM Process

Depending on the different hierarchy levels of the application of an FMEA, the FMEA is classified into three subgroups. The classic distinction is based on a system FMEA (product concept), a design FMEA (examination of products for weak points in design or layout), and a process FMEA (manufacturing process). The findings from the investigation at the system level serve as the basis for the design FMEA. These results flow into the considerations at the process level. As a result of cause and effect, a hierarchical shift results for the different FMEA types, in which the error cause becomes the error type and the error type becomes the error effect in the later investigation. To create an FMEA, a team is formed within the company. It consists of employees from all departments concerned. This allows ensuring a common view from different perspectives. An important role in this process is played by the team leader, who must bring all results together and then document them. The team will use an FMEA form to answer the following questions: • • • •

Where can an error occur? How does the error manifest itself or how does it occur? What kind of error sequence can occur? Why can the error occur?

The following is a brief explanation of the individual steps involved in answering the above questions. In the first step, the system (product) is delimited and described. This results in a division into individual system elements (end products, assemblies and components) and the determination of the individual interfaces between the elements. In the later error analysis, potential errors are assigned to the individual system elements. These are defined as restrictions or non-performance of system functions. The central result of the analysis of the error sequence is the effect of the error on the end-user of the product. In the final step of the analysis, all causes that could lead to the described error are described. Then measures to avoid or detect the individual errors and their causes are listed. In the later risk assessment, we can discuss the probability of occurrence, the significance of the consequences and the probability of detecting the individual faults. Risk managers can calculate the evaluation of errors using the risk priority number. The probability of occurrence multiplied by the significance of consequences multiplied by the probability of discovery. Some problems with this approach are discussed in Sect. 3.4.1.4. If the risk priority figure exceeds a threshold value defined within the company, countermeasures are to be taken. Such measures should aim at error prevention instead of error detection. Finally, the effectiveness of the individual measures to reduce errors is to be assessed. The risk priority number before improvement is compared with the risk priority number of the improved system (Rautenstrauch and Hunziker 2011).

3.4  Assess Key Risk Scenarios

93

3.4 Assess Key Risk Scenarios One of the most challenging steps in the ERM process is to develop appropriate criteria to differentiate between key risks and all other risks (Rees 2015, p. 36). To carry out this important step, we need to recall what a key risk is—and what happens to all other risks. It is obvious that applying the wrong selection criteria can lead to a more or less false understanding of the current risk exposure. First, it is important to understand that ERM is concerned with risks and opportunities. These may have a relevant impact on the achievement of objectives. In many companies, financial performance is the most important measure. Financial performance represents the degree of short- and long-term goal achievement. Finally, the company’s financial situation is of crucial importance for its long-term existence. Thus, the assessment of a risk in terms of its impact on financial targets must be an important criterion for most companies. Should risks that do not exceed a certain small loss potential be excluded from the further analysis? The answer depends on the perspective. From an ERM point of view, it is necessary to define clever filters so that only relevant risks are subjected to a detailed, more complex assessment. Risk quantification and simulation based on key risks are much more cost-efficient and less complex. To set up and keep an ERM effective, we need to limit the amount of managed risks. The selection of a few, relevant risks is decisive about whether ERM systems can be managed in practice. Otherwise, ERM will not survive in the long term due to its complexity and high costs. The flexibility and strategic orientation of ERM systems for ad hoc decision support is a key success factor.

We should not delete risks that are filtered out from a key risk perspective. These risks could become key risks over time, so they need to be monitored and reassessed. It is thus important to store all risks in a database and to create a kind of a “watch list”. Yet, these “watch-list” risks may be relevant from an operational risk management perspective. It depends on whether a company runs operational risk management besides ERM. If so, t companies can manage these risks decentrally and coordinate them with other assurance functions (e.g. internal control systems). Focusing on key risks has a major caveat. It may lead to an underestimation of the current risk exposure if many “minor” risks are excluded from further risk analysis. Also, the relative importance of a risk does not include the relative relevance of possible risk measures. For less important risks, we may find simple and cost-effective measures to eliminate them. There is no reason not thinking about risk mitigation even for small or unimportant risks. This in turn can reduce the company’s risk exposure. So, it may be the case that risks being considered unimportant can trigger other risks. If so, they may accumulate to relevant risks due to their risk interdependencies.

94

3  Creating Value Through ERM Process

One-on-one Interviews

Management assumption analysis

Traditional risk identification

Risk universe

Filter I

Filter II Filter III

Key risks

Fig. 3.13  Application of smart filters to create a key risk list

Figure 3.13 shows the basic challenge of this ERM process step. After having collected risks (uncertainties) from various sources, they have to be consistently assessed for further prioritization. Companies may apply different filters to select key risks from the “risk universe”. Risk managers have to create a key risk list for further risk analysis. This means that the next step is quantitative scenario development.

3.4.1 Identify Key Risk Scenarios In the following, we discuss some filters critically. The first two filters aim to exclude “fake” risks. This concerns unrealistic scenarios against which no meaningful measures can be taken. Nevertheless, as already mentioned in Sect. 3.3.4, pure decision-making problems that are entirely within the control of the company must be recorded in a separate list. The two next selection criteria describe filters that are very common in practice. Yet, we should keep in mind that some filters for risk prioritisation could do more harm than good. Subsequently, we explain a simple but very useful filter for creating a key risk list at this stage of the ERM process.

3.4  Assess Key Risk Scenarios

95

3.4.1.1 Exclude Unrealistic, Devastating Risks We have to ensure that ERM remains credible and stakeholders take it seriously. Thus, we must not include unrealistic, irrelevant risks in the key risk list. Yet, the question of how to distinguish realistic and unrealistic risk is not so easy to answer. Let us assume a very bad risk scenario that can be devastating for all projects and all business areas of a company. Besides, this risk scenario affects all companies in a specific industry, in a country, or even worldwide. Let us label it “Aliens take over world domination”. Such a scenario is untrustworthy. It is purely speculative. No consensus among experts can be found. Also, the alien invasion has a very low probability of occurrence. No company can prepare for this event nor can it implement measures to minimise the impact to a reasonable level. We can identify other, similar implausible risk scenarios. For example, risks that make life on earth impossible, e.g. a devastating meteorite impact, deadly global diseases, global cyberwar, robotic takeover of mankind, World War III, a fundamental shift of the political system from a democracy to dictatorship. If we like to assess the risk exposures between projects, business areas, and strategic options in a company, such unrealistic scenarios must be excluded in all risk analyses. We talked about unrealistic, devastating risks that may affect an entire economy or even the global economy. These types of risks should not be confused with very rare, company-specific risks. For such risks, companies can often indeed prepare and put in place preventive risk measures. These very rare, but plausible risks may “only” affect individual business areas in certain regions. They may “only” affect some, but not all strategic initiatives. An example of a plausible, very rare, and very pessimistic risk scenario is a flood disaster risk. This risk may occur in a certain region where the company has a production site for a specific product. This product is only produced at this facility. Even if this risk is very rare (e.g. 0.005% annual probability), but has a destructive impact (production site is completely destroyed), it must be included in the risk analysis for the following reasons (Rees 2015, p. 38): • The risk is manageable to a certain degree. It can be insured, for example, and preventive measures (protective walls, early warning systems, redundant production sites) can be put in place. • The risk is a realistic, but rare, scenario. There is a broad consensus that it will happen at some point in the future. • The risk has a company-specific impact. A company may be disadvantaged relative to its competitors when it occurs (e.g. loss of market share). • The risk affects one product line only. This makes it riskier than other product lines, everything else held constant. Also, a company can manage it with some effort in case it occurs. Thus, the existence of the company is not at stake.

96

3  Creating Value Through ERM Process

3.4.1.2 Separate Pure Management Action Items In Sect. 3.3.4 we discussed the differences between decision problems and real risks. Now we are enough advanced in the ERM-process that we have to consider pure decision-making problems. These can also have an impact on the risk exposure (pre- and post-decision risk exposure). Must risk managers exclude decision issues from their risk identification process? One could argue that such decisions should be left to the responsibility of management. If so, we don’t need to make a choice about risk prioritization at this point. Yet, the answer is clearly no. One of the crucial steps to improve ERM effectiveness is to be aware of decision problems. We need to understand how they relate to traditional risks (Rees 2015, pp. 34–35, 40–41). Next, risk managers should develop a process or a scheme to enable the comparison between decision problems and risks. Recall that risks have uncertainty attached. From a risk assessment perspective, this distinction is crucial. Risk managers must differentiate between controllable decisions and uncertainty (risks). Later risk models based on key risks need to capture both elements. A best-practice ERM approach is to display pre- and post-decision values for all types of decisions. This may be a decision about a risk measure to reduce the probability of occurrence of a specific risk. Also, it can be a management decision that only impacts the baseline expectation (plan), but does not add uncertainty. ERM is not designed to record, evaluate, and report pure decision-making problems in a holistic manner. Yet, risk management workshops and interviews may address such aspects. It thus makes sense for the risk manager to record these in a structured manner and make them available to decision-makers. Pure decision-making problems do not have to be subjected to a more in-depth, quantitative scenario analysis. It also does not make sense to assign different probabilities for these decisions. As we learned before, such decision problems lie in the full control of management. It is obvious that decision problems do not match the definition of “uncertainty”. Thus, we cannot include them in a classical risk model. But, they also have an impact on financial performance. We can assess that impact similarly to real risks. In contrast to the quantitative risk scenario analysis of risks, however, we do not assess potential deviations from plans and goals. Decisions may affect the expected values themselves. We will learn more about this difference in the chapter on risk quantification. 3.4.1.3 Avoid Risk Maps as Selection Criterion A commonly used approach for risk assessment and later risk prioritisation is the risk map (or heat map). It serves as visualised communication aid for corporate risk reporting. It often forms the basis for decision-making and prioritising risks. Based on this prioritisation process, risk managers can derive corresponding risk mitigation measures (Hunziker and Rautenstrauch 2015). Many consulting firms and business schools recommend this approach as a central risk assessment tool. Many international organisations that publish standards and frameworks for risk management, such as COSO II, National Institute of Standards & Technology (NIST) or CobIT, also recommend this risk map

3.4  Assess Key Risk Scenarios

97

approach. In practice, it is the most widely used tool for risk assessment and risk prioritization (Hubbard 2009, pp. 120–121). In principle, risk in the risk map is assessed as a product of the probability of occurrence and impact-on-occurrence (probability-impact matrices). Risk maps use a kind of scoring system based on ordinal scales. This means that relative gradations are made on the basis of a value range of e.g. 1–5, where 1 is classified as “very low impact” and 5 as “catastrophic impact”. We can find also other gradations with value ranges from 1–3 to 1–10 in practice. It is assumed that the distances between the individual values are equal, i.e. a risk with a score 3 is assessed as three times more serious than a risk with a value of 1. Figure 3.14 shows an example of a risk map as it is often used in practice. Caution is needed when using such risk prioritization instruments. Risk management experts such as Cox (2008) or Hubbard (2009) even describe them as useless or counterproductive. They conclude that risk maps can lead to wrong decisions. The following problems with risk maps must be taken into account when using them. Some can be reduced or eliminated by certain measures; others are inherent in the instrument. The use of risk maps is very simple. In the risk map illustrated in Fig. 3.14, the risks must be assigned to one of the nine fields, which need a rough relative assessment of the probability of occurrence and the impact. Colour gradations are often used, whereby the risks in the red fields at the top right are assessed as “unacceptable”. Red risks require priority treatment, i.e. risk reduction measures must be defined. The orange fields contain “critical risks”, although it is often not clear whether there is a need for action. “Orange

Probability of occurrence

high

yellow

red

red

medium

green

yellow

red

low

green

green

yellow

low

medium

high

Impact €

Fig. 3.14  Risk map

98

3  Creating Value Through ERM Process

risks” are less urgent than “red risks”. Also, it can mean that orange risks are tolerated, but closely monitored. Yet, the colouring fails to provide a realistic assessment of the risk. The red fields at the top right can be described as pseudo risks (or phantom risks, see Samad-Khan 2005, p. 3). It is not possible that there are business risks that threaten companies with a very high frequency. Thus, in practice, real “red risks” at the top right barely exist. The focus of risk maps is often risk prioritisation about an average value, i.e. expected value. This equals a probability-weighted impact. Averaging such risks may lead to serious false risk assessments. This in turn may lower decision quality significantly. For example, an expected value of the impact of raw material price volatility may be close to zero. Yet, the upside and downside potential (e.g. on a 95% confidence interval) of price volatility is important for decision-makers. Here, we may face the expected value problem again. A risk with a very small probability of occurrence and a devastating impacton-occurrence does not necessarily fall into the “red area” of the risk map. In the best case, the scales of the risk map are stored with quantitative values (e.g. “low” with an annual probability of occurrence of 1–20% and an extent of damage of 0–50,000 €). In the worst case, the verbal risk assessment is not linked to any quantitative values. Studies have shown that verbal, subjective scales such as “low” to “high” or “unlikely” to “very likely” are “translated” by people into divergent percentages, which can make the classification in one of the fields almost unusable (Budescu et al. 2009). Subjective scales are further subject to many cognitive biases. Hubbard and Evans (2010) state that individual experiences, overconfidence, confirmation bias, and optimism bias may impact the assessment of probability and impact. Risk matrices display discrete categories of impact and probability. Thus, the resolution is defined by the number of categories. Cox (2008) concludes that the limited resolution is an inherent disadvantage of risk matrices. In this sense, the selected scales in risk maps are too “compressed”. For example, two different risks have annual probabilities of 0.5% and 19%. In the above example, both risks are “compressed” to the value 1 (“low”), although both probabilities differ considerably (risk occurs once every 5 years or once every 200 years). The same applies to the assessment of the impact. The multiplication of both variables into one expected value leads to further compression of the information. Thus, we face very inaccurate (or dangerous) risk assessments. Furthermore, the correct risk definition is violated in the application of risk maps. The application of a risk map assumes that risk can be described by one probability of occurrence and one single impact. That means that risk either occurs or it does not occur. Moreover, when it occurs, it always does so with the same probability. For the majority of risks, this probability description is not appropriate or wrong. We can illustrate this by the following examples. Interest rates changes or currency pairs changes can occur with any number of possible values (see the concept of volatility), but not every change is equally probable. Such risks cannot be treated as “risk events” and thus cannot be deducted from the risk map. Here, for example, volatility (fluctuation) would have to be depicted using many estimated scenarios. Many operational risks, such as a machine

3.4  Assess Key Risk Scenarios

99

breakdown, can also be poorly described as a single risk event. Several consequences flowing from a machine breakdown are conceivable. Furthermore, the risk map only displays the “negative risk”. Upside potentials (opportunities) are ignored in most cases. Further, risk interdependencies are also ignored by the risk map. Let us consider two risks that are both assessed as “medium” risks. For example, these two risks could be “fire causes damage in a warehouse” and “loss of personnel interrupts production process”. If these two risks occur simultaneously due to a hurricane, we cannot treat them as two independent events. A risk map is not suitable to analyse and depict such risk interdependencies. Also, risk maps reflect challenges that are indirectly related to the instrument itself. For example, we observe different practices for assessing the final impact of a risk event. Three possibilities are applied in practice (Duijm 2015): • The impact is represented by a risk event causing the worst case scenario and the corresponding probability of that event. • The impact is represented by the most likely consequences (e.g. based on average of past losses, similar to an expectation value) and the corresponding probability is the probability that the most likely event occurs. • The impact is represented by different impact scenarios, each may be in another impact category of the risk map and the corresponding probabilities are the probabilities that each of those scenarios occur. Obviously, each of those possibilities may lead to different risk assessments. Bearing this in mind, we can draw the following conclusions. Possibility 1 may lead to overly conservative outcomes. Other, less pessimistic scenarios are neglected. Possibility 2 violates our definition of risk. Risk is a deviation from expected, the “representative” impact is quite similar to the expected value. Thus, we may underestimate true risk. Companies may face overly optimistic impact assessments. Option 3 is preferable to the other possibilities. It enables addressing different realistic scenarios of the same risk event. Yet, this may lead to many entries in the risk map if we combine several events with several scenarios (Duijm 2015).

3.4.1.4 Avoid Expected Values as Selection Criterion As discussed, in risk maps, the individual risks are generally assessed according to the probability of occurrence and impact. Risks are visually represented as expected loss in the matrix. The beauty of that approach is its simplicity and understandability in practice. We have discussed that the expected values of individual risks have considerable limitations. Yet, some reasons justify the use of expectation values. They have meaningful applications if used correctly. In the following, we discuss some advantages. The tangibility and calculation of expected values are simple. The two variables “probability of occurrence” and “impact” can be derived from historical data or from expert judgments. Quantifying the individual risks with probabilities and financial impact is essential. This is a precondition for later risk aggregation of individual risks.

100

3  Creating Value Through ERM Process

We can calculate risk exposures of individual business areas to add them up to enterprise-wide risk exposure. If we group risks in risk classes like “small, medium, and large”, we are not able to assess or aggregate them in later stages. A further advantage of calculating expected values lies in the option of pooling individual risks. This enables the assessment of risk exposures at different corporate levels. Expected values are additive. It is mathematically correct to add expected values. The sum of the expected values of individual risks equals the expected value of the overall risk exposure. For example, it may make sense to assess the effectiveness of risk mitigation measures over time. For example, this can be done on the basis of the risk exposure of individual business units. Thus, expected values may be a useful risk measure. This is true if the primary goal of risk management is to assess the effectiveness of risk mitigation measures. Effectiveness in this case means that expected losses (sum of all expected values of the individual risks) are smaller than, for example, in the previous business year. Yet, the expected value in its strict sense is not a risk measure. The reason for this claim is fairly simple. We need to recall again the definition of “risk”. Risks are unexpected, random deviations from planned values. Though, this is in complete contradiction to the risk measure “expected value”. The expected value of risk is neither unpredictable nor random. It is “known” and thus violates our risk definition. From a risk management perspective, the expected (i.e. “known”) loss is not the most suitable selection criterion. So, potential unexpected deviations are far more relevant. Risk managers are interested in the loss distribution around the expected value. In particular, expectation values underestimate the worst-case scenario. The expected value provides an indication of the average losses over an infinite period of time. From a company’s perspective, yet, it is of no interest whether it could bear the losses on average. Rather, the worst deviations from the expected loss that could cause a company to become insolvent are essential. We illustrate this by a simple numerical example. The two risks X (probability of occurrence of 1% and impact of EUR 10,000,000) and Y (probability of occurrence of 50% and impact of EUR 200,000) have the same expected value of EUR 100,000. Yet, if risk X occurs, the impact is significantly higher than of risk Y. Thus, it makes no sense to conclude that a company survives on average in the long run. The expected value underestimates the relevance of rare, but high-impact risks. For risks with the same expected value, the risk map suggests that decision-makers behave in a risk-neutral way. In practice, risk neutrality is hardly present. Decisionmakers care whether they can generate a profit opportunity (loss possibility) of, for example, EUR 10,000,000 with 1% probability or EUR 200,000 with 50% probability Thus, companies mainly behave risk-averse in decision-making processes, not risk-neutral as expected values imply (e.g. Jonkman et al. 2003). What do we learn from this insight? In fact, it is very astounding how prevalent expectation values are in practice. They still serve as a major decision criterion for risk selection or risk prioritization. As this is such a crucial aspect to understand, we summarise the lessons learned in the following box.

3.4  Assess Key Risk Scenarios

101

The expected value is not a suitable measure for the selection of key risks. It is not possible to identify risks that could threaten the survival of the company. The multiplication of the probability of occurrence and impact seems simple at first. It is tempting to use the resulting value to prioritize risks. Unfortunately, this method does not increase decision quality. Often the opposite is the case. Expected values contradict our risk definition in the ERM approach.

3.4.1.5 Prefer Impact Over Probability In practice, the probability of occurrence of a risk is an indicator used to distinguish between important and unimportant risks. As we have learned, it is often used to calculate expected values. The consideration of both the probability of occurrence and the impact is one of the most widespread approaches for prioritizing risks. This holds true specifically for the non-financial industry. We have discussed the disadvantages of expected values in detail in the previous paragraph. At this point, we question whether it makes sense to consider the probability of occurrence as a criterion to select individual key risks. Often, we can note that in practice very rare risks with a very high impact are not defined as key risks. In risk maps, the “relevance line” is set so that very rare risks are never positioned in the “red area”. Is this a legitimate procedure? In the following, we offer a few thoughts that shed critical light on probability as a filter criterion. It is important that decision-makers are aware of all the risks that can have a significant impact on the company’s objectives. This provides the basis for the management to fulfil its risk-related responsibility. From a regulatory perspective, companies need to address all risks that may threaten the existence of the company. It is irrelevant how high the probabilities of occurrence are for these critical risks. It is important to assess whether the company is prepared in the event of a risk occurrence or whether measures need to be taken if necessary. Of course, management still can accept a significant, but rare risk. If so, it is a well-informed, conscious decision to accept a key risk. This decision may be based on the fact that a risk is in line with the risk appetite or it owns a large upside potential that justifies bearing this risk. If we use probabilities as filters, it can happen that the management is not even aware of these low-probability, high-impact risks. Thus, very serious blind spots may arise. In the worst case, rare risks with a high impact are not included in the risk reporting and thus not discussed at the management level. In the case of a risk occurrence, it is of little use to the management to refer to the rarity of an event. This may even lead to a breach of duty. We conclude that it is crucial to discuss all high-impact risks, irrespective of their probability of occurrence. Besides, it is very difficult to assess probabilities. Depending on the assessment technique, this can lead to completely different key risks. People find it difficult to guess at probabilities. In practice, it poses a huge challenge to estimate probabilities for risks companies have no or few experiences with. This holds true specifically for strategic risks. Risk owners often claim that is not possible to attach a probability to complex strategic uncertainties. An example illustrates this challenge. Depending on the assigned probability of the risk that a new competitor appears on the market, it may become a key risk or not. For example, a company sets the filter in a risk map at the 5% probability

102

3  Creating Value Through ERM Process

level for the next year. If a board member assesses this risk a bit lower at 3%, it falls below the threshold. Thus, it is not reported and discussed as a key risk. Yet, this probability of 3% is difficult to verify. It could also be 7% or 10%. Other probabilities can also be considered plausible. We can mitigate this problem by assessing and reporting the impact and the probability separately. This allows us to rank key risks based on impacts. The probabilities serve as extra information. Probabilities can be discussed but are not an equally weighted selection criterion. We illustrate a third reason why the probability of occurrence is not a good selection criterion by the following example. Let us assume our key risk list contains 25 risks. The risk manager analyses the selected risk scenarios and concludes that each key risk scenario has a very low probability. For the sake of simplicity, we assume that all risks have an equal estimated probability of occurrence of 1% (p). In other words, each risk is expected only once in a hundred years. Are we confident that none of the top risks will occur next year? Can we inform our board that there will be no unpleasant surprises next year due to the very low probabilities? Let us assume that the 25 (N) top risks are uncorrelated. This assumption may be quite realistic. Risk interdependencies are already incorporated during individual scenario developments. What is the probability that at least one of the rare risks will occur next year? The math is as follows: 1-(1-p)N. If we use our figures (p = 1%; N = 25), we calculate a probability of 22.2%. This value is high and is underestimated in traditional risk management that is based on individual risk assessments (e.g. by means of risk maps). If we extend the time horizon to e.g. 5 years (according to the achievement of the strategic objectives), this probability already increases to 71.5%. In the long term, rare risks are thus very much to be expected. The lesson here is that very low probability-risks should not be excluded from the key risk selection process. At this point, it is crucial to understand that probabilities in the ERM approach are still relevant. We need probabilities to assess the impact of several risks on a particular business goal. For the selection of key risks, we need smart filters. These filters include individual small-probability and high-impact risks for more detailed risk quantification. We recommend that the key risk list is primarily based on the impact criterion. Probabilities of risks may be included in the risk assessment as extra information, if available.

3.4.1.6 Distinguish Between Key and Non Key Risks We have reached the culmination of the first and important process step of risk identification. We remember that the aim was to create an overview of key risks. This list is the first important outcome, which is then subjected to a quantitative scenario assessment in the next step. The assessments of the individual impacts are to be deemed provisional. They have only helped us to distinguish between key risks and non-key risks (Segal 2011, pp. 151–152). The following figure shows a corresponding procedure. It shows an excerpt of the pessimistic risk scenarios of a company in relation to the defined EBIT target. The expected EBIT amounts to EUR 5 million. All significant deviations from the plan are

103

3.4  Assess Key Risk Scenarios

RScen1

EBIT Budget (5,000,0000 €)

RScen2 RScen3

RScen4

RScen5 RScen6

4-

-1 m€

-1.5 m€ Threshold (3,000,0000 €)

3-

-2 m€

2-

-3 m€ Key Risk -3.5 m€ Key Risk

10-1 -

-6 m€ Key Risk

Fig. 3.15  Key risk scenarios (adapted from Segal (2011))

thus of interest, which is in line with our risk definition. If a risk scenario has a loss potential higher than EUR 2 million, it is taken into account in further risk analysis. It is thus included in the key risk list. As you can see from the chart, probabilities of occurrence are missing. If we have collected the probabilities, we can consider them as a supplement to the individual risk scenarios. In our approach to risk identification, we have refrained from collecting probabilities. These will only become relevant in the later quantitative risk scenario development Fig. 3.15. Remember that we have to populate a risk database with all non-key risks to develop a so-called “watch-list”. This list can be provided as a supporting tool for operational risk management or internal control systems. Besides, all non-key risks will be monitored on a regular basis to recognise emerging key risks as early as possible. We assume that only a few watch-list risks will qualify as key risks at later points in the future. Still, business models can change quite quickly. For example, we observe changes in customer needs. Some risks related to customer needs to be deemed minor last year can become strategy-relevant this year. At this point, it is important to note that the key risk list per se is not yet an instrument relevant to decision-making. One could say that in traditional risk management such a list is often the key result of the risk management process. From a modern ERM perspective, we understand this list as a database in which risks are collected and adjusted over

104

3  Creating Value Through ERM Process

time. Only the later quantification of the individual risk scenarios and the integration into decision-making processes provide the desired added value of ERM. The mere creation of a key risk list as the basis for risk reporting to management and the board does not provide any added value. The risks on this list are isolated individual risk assessments that are not (yet) linked to decisions.

3.4.2 Quantify Key Risk Scenarios The next step in the ERM process is a quantitative risk assessment of all key risk scenarios. Its aim is to reflect the uncertainty associated with key risks as holistically and realistically as possible. Only quantification makes a meaningful comparison of different risks and opportunities possible. Yet, we need to clear up a misunderstanding at this point. The goal of risk quantification is not to predict the precise truth about the future. We are fully aware that this is not possible. By applying appropriate assessment techniques, we can express uncertainty more objectively than will ever be possible with qualitative methods. Thus, it is not a question of producing illusory precisions. Rather, we look for “ranges of uncertainty” based on plausible quantitative risk scenarios. As discussed, ERM must assess all risks, independent of their source, with the same care. In particular, strategic risks are often not quantified in practice. Practitioners may claim that the complexity of risks and a lack of data impede quantitative risk assessments. Yet, this translates to the following important statement: An indication of ERM maturity is to check if all risks are quantified, irrespective of their sources. Often, traditional risk management systems apply risk quantification only for financial risks. In this case, ERM fails in making reasonable statements about risk exposures. This in turn impedes the supporting role of ERM in risk-oriented decision-making. We recommended adopting assessment techniques that allow quantification of all risks.

The problems of pure qualitative risk assessments are manifold. We have addressed some in previous paragraphs. Yet, it is also important to note that quantitative assessment methods are not per se superior to qualitative techniques. They do not generate better results due to their higher “mathematical accuracy”. In practice, quantitative models are often incomplete and neglect relevant risks. This is true for most strategic risks where data availability is scarce. Paradoxically, operational risks at lower hierarchical levels and financial risks are quantified with more state-of-the-art stochastic methods. Hubbard (2009) calls this observation in practice a “risk paradox”. Relevant, strategic risks are often assessed by qualitative, simple scoring methods. Yet, operational low-level risks are more included in quantitative risk models (p. 174). Furthermore, data quality is crucial for the quality of the quantitative analysis. The financial crisis has shown that models based on classical financial market theory cannot withstand reality. Extremely rare, but devastating scenarios have been regularly

3.4  Assess Key Risk Scenarios

105

underestimated (so-called tail risks). Stochastic models need a sound data basis. That is often not the case with strategic and operational risks. As a consequence, either unrealistic scenarios are estimated or some risks are completely ignored. Also, we question whether complex stochastic models are applied correctly in practice. These “black box” models are often difficult to communicate with decision-makers. Often, they cannot be understood without appropriate know-how (Hunziker 2018, pp. 18–19). The critical question now is, which approach must we present in this textbook on risk quantification? There are many good textbooks on stochastic risk modelling available. Yet, the procedures and approaches recommended in these books do not (at least not yet) seem to prevail in the non-financial industry. From a practical point of view, this can have several reasons. Some of them are partially wrong: • Stochastic risk modelling is reserved for the financial industry. The methods are not transferable one-to-one to non-financial risks. • The procedure is considered too complex. We may be content with simpler methods that are easier to understand (e.g. qualitative risk management). • Data is missing. Appropriate risk models cannot be developed. • The maintenance of such models is often considered too complex. • The benefits of quantitative approaches are called into question. It is claimed that models are fundamentally wrong. The image of quantitative risk models has suffered at the latest since the financial crisis. • The basic assumptions of normalised returns are increasingly criticized. Corresponding statistical distributions no longer correspond to reality. Two questions at this point arise: What information should risk quantification be based on? Should we quantify stochastic or deterministic risk distributions? Risk quantification is based on the principle of using the best available information, depending on the risk category. The best available information can be historical data as input for financial risk assessments. Opinions of subject matter experts can be the best available information in the area of strategic risks. Thus, we recommend combining different data sources within the scenario quantification approach. Pure stochastic modelling as input for risk simulation is not used for the reasons discussed. Subject matter experts who are “closest to the risk” in the company are included in the risk assessments. A properly performed risk quantification leads to more reliable (tail) risk scenarios than a pure stochastic assessment. Most notably if historical data is incomplete or scarce. Risk managers play a crucial role in this process step. They facilitate risk quantification. For example, risk managers skillfully develop quantitative risk scenarios with board members, business heads, divisional heads, and department heads. Also, a deterministic risk assessment approach that uses expert judgements supports the acceptance of ERM. Relying solely on pure stochastic (black box) models does not foster a good risk culture.

106

3  Creating Value Through ERM Process

In the following, we discuss why quantitative risk models still matter. We introduce an approach to develop quantified risk scenarios. Also, we learn how to (not) add single risks that have a simultaneous impact on business goals.

3.4.2.1 Why Risk Quantification Matters As already touched on, criticism of risk modelling has increased in recent years. There is now a long list of counterarguments why companies should not use quantitative risk models. Yet, it remains to be clarified what might be better alternatives. Unfortunately, there are no such alternatives as we learn in this textbook. An excerpt of the opponent’s list of why risk models could fail are listed here: • The past has shown that risk models are wrong. So are they in the future. • There is no or too little data available for such models. The quality of the models is thus poor. • Nobody understands risk models, in the best case the risk manager him- or herself. • Risk quantification and later risk aggregation produce false accuracies. Thus, a qualitative evaluation must be better. • Risk models fail due to effort and complexity. • Human experience and intuition are stronger than risk modelling. • Garbage in, garbage out as a killer argument. Let us have a closer look at the above arguments. Opponents of risk models sometimes have false ideas about what they can or cannot do. At this point, we would like to clarify this and argue that there are currently no approaches superior to risk modelling (Rees 2015, pp. 91–92). First, we need to consider why a company should deal with risk models at all. Quantitative risk models deal with expectations about the future that cannot be perfectly understood or anticipated. This is simply because the future is uncertain. If this uncertainty did not exist (e.g. about the net present value of a strategic project), risk models could be ignored. If a company is not willing to develop meaningful assumptions about risk causes and risk interdependencies in the form of scenarios, risk models do not make sense either. They do not replace the skills of developing realistic assumptions of how the future might unfold. Today, we are aware that risk models are a simplification of reality. Sometimes models represent even an oversimplification. Quantified risk assessments are never accurate or only coincidentally correct. Again, this is because they deal with the future. They reflect opinions and assessments of subject matter experts. Sometimes, models make use of historical data where available. In this sense, the killer argument that all quantitative risk models are wrong by definition is correct. Yet, companies should accept that results of risk assessment interviews or workshops might be very fruitful. The process of creating a quantitative risk model is often more useful than the outcome per se. With this process, risk managers can question assumptions and get new views and ideas. We may identify emerging risks and assess them

3.4  Assess Key Risk Scenarios

107

thoroughly. Quantification sometimes requires uncomfortable transparency. Yet, this transparency is much more important as a basis for discussion than qualitative assessments. Verbal scales can even add uncertainty and lead to an illusion of consensus. Figures and percentages are not subject to interpretation. No matter whether they are wrong or correct, they are the better basis for fruitful risk assessments. Hiding or concealing vaguely formulated risk assessments is no longer possible. Management consensus is now represented in the quantified risk model. This model serves as an important decision-making basis. It promotes further discussions about the model assumptions and risk appetite confrontation. A model output that is implausible to management also reveals that something with the assumptions about the future is wrong. For example, let us assume we analyse a risk model that displays all uncertainty linked to strategic options. This could be decisions about new market entries or the launch of a new product line. A risk simulation result showing only positive, profitable scenarios needs a closer look. It may be that negative deviations from expectations are not yet reflected in the model. We can link ERM to value-based management only if quantified risk scenarios are available. Integration of ERM into strategic planning, budget processes, or other decisions is enabled if we set a common ground. This is the connection with financial performance management. Qualitative risk management fails in this case. Quantitative multi-scenario planning credibly reveals risk and opportunity impacts on goals. Obviously, qualitative risk management is not relevant in this context. The risk scenario quantification offers transparency. This promotes a sound discussion, prioritization, and comparison with other risks. It also supports the identification of risk interdependencies and objective-based risk aggregation. It forces companies to think thoroughly through a risk scenario. The plausibility of the scenario can be checked with quantification. If we assess risks only verbally, the underlying scenario development is carried imprecisely and too broadly. Peter Drucker is credited with one of the most important quotes in business management. “If you can’t measure it, you can’t improve it.” This quote is also true for ERM. Often, companies are reluctant to express uncertainty underlying business objectives quantitatively. This impedes risk-based decision-making.

In summary, we conclude that modern ERM is only possible based on quantitative risk assessments. Risk quantification is only a small but crucial part of the ERM puzzle. Properly understood and applied, risk quantification creates the best possible discussion about uncertainty. Incorrectly applied, it leads to little credibility and a high potential for frustration. In practice, it is all about reducing these hurdles. We can support this with success stories of companies that benefit from quantitative risk management. Risk quantification outside the financial industry is not yet well-accepted. It is even demonised in practice. It is a well-researched subject area that has been waiting for years to diffuse into practice. We encourage students and risk professionals to advocate this approach in their professional careers.

108

3  Creating Value Through ERM Process

3.4.2.2 Develop Quantitative Key Risk Scenarios At this point, it makes sense to clarify how we define quantitative scenario development. In particular, we have a look at the differences between this approach and other risk assessment techniques. Some of these techniques are used in risk management, but also in common corporate planning and budgeting. First, we differentiate quantitative risk analysis from simple sensitivity analyses. Sensitivity analysis is prevalent in budgeting processes. In practice, we see financial plans and budgets that are supplemented with a pessimistic and optimistic “risk” scenario. For example, the lower bound is set to 90% of the target value, the upper bound is set to 110% of the target value. In this sense, a kind of risk analysis has been already performed. Although such simple sensitivity analyses have their legitimacy, they are subject to some disadvantages from an ERM point of view (Rees 2015, p. 89): • Very pessimistic or very optimistic scenarios (extreme values) are often not incorporated. Thus, such plans cover only a part of the entire risk distribution. • Usually, no probability assumptions are included in sensitivity analyses. Thus, no comparisons can be made with the risk appetite statements. Also, no probabilistic risk aggregation can be performed. It remains unclear how much uncertainty is attached to different scenarios. • It is not clear if the lower and upper bounds (sensitivities) comprise only true risks. Maybe the plan could be optimised by simple management decisions. • The expected value of the plan is unknown. Expectation values usually differ from the most probable outcome (which is the plan). • The different risk sources that may impact the plan are not fully known. They are separately identified and recorded. We have argued that sensitivity analyses are no substitute for genuine risk quantification. Now we need to address the traditional risk quantification approach. As discussed, the two measures probability and impact often form the basis for risk quantification. Several problems are attached to that simple procedure. The majority of the risks cannot be described as “single risk events”. For example, it is obvious that risks such as interest rate change, oil price fluctuations, fluctuations in sales, market entry of competitors, and many more can have different consequences. Even risks that are supposedly considered as a binary risk in practice (either risk event occurs or not) are more complex. The risk of a machine breakdown can manifest in different states. For example, only one machine breaks down for a very limited time with minor consequences. Alternatively, several machines have a more severe defect at the same time which leads to production downtimes. These different states are called “risk scenarios”. The basic idea with scenario development is to produce a robust and reliable range of the most relevant possible future states of the same risk. Often, it is not realistic to define only one state of a risk, assuming risk has exactly one probability of occurrence and exactly one

3.4  Assess Key Risk Scenarios

109

impact. Thus, we need to develop so-called “risk distributions”. These deterministic scenarios cover very pessimistic, but also very optimistic future states. For each scenario, we develop one probability of occurrence.

Another reason why we need to quantify all future risk states, independent of their source, is due to integration purposes. In order for risk management and corporate planning to be integrated, a common ground must be found, i.e. risks must be quantified. We have to integrate risk management with corporate planning. This means that we link risk scenarios with financial plans. This enables that plan deviation caused by risks can be made transparent and visible. Next, management discusses these deviations and decides upon. A deviation may be accepted if is within risk appetite or if the corresponding upside potential is high. On the other hand, it is managed toward an acceptable level in the case the risk appetite is exceeded. In other words, quantitative risk scenarios support decision-making processes. As mentioned, risk scenario analysis is a practical, highly effective tool to conduct risk assessments. It supports the identification of cause-and-effect chains when thinking through individual scenarios. Thus, it incorporates interdependencies (correlations) with other risks. For example, a volcanic eruption scenario leads to an economic downturn that in turn leads to a loss of sales. This scenario reduces free cash flow in the year 201X. The question at this point is “how many risk scenarios per risk do we have to develop to produce a robust risk distribution”? The answer is not straightforward and is related to our deterministic risk assessment approach. Let us assume that we assess the risk of a new competitor entering the market. We have already captured the very pessimistic scenario as part of the risk identification process. It has been assessed with a rough loss potential. It qualified as a key risk and is considered for detailed quantitative risk scenario development. The following example is the result of an interview with a strategic management representative. It illustrates a very pessimistic, quantified risk scenario. The scenario comprises a probability of occurrence and a financial consequence (EBIT amount in EUR). Example

Mr Grob (risk manager) and Ms Frozen (strategic management representative) developed during the risk quantification interview the following very pessimistic risk scenario. Next year, a new competitor will enter the market that can take market shares of up to 40% from us next year and 20% the year after next. Currently, our innovative products are in the development phase. After three years, our new products will enable us to push this competitor out of the market. Based on my industry experience, this can happen with a probability of 3%. We may lose 40% and 20% of the market share in the next and the year after the next. This leads to a cumulated negative impact on revenues (EUR -5 million). But, we face also a positive impact on costs (less personnel needed, EUR + 1 million). Ultimately, the EBIT of this product line is reduced by EUR 4 million. ◄

110

3  Creating Value Through ERM Process

The next step is to quantify the very optimistic scenario in the same way. Three different quantified scenarios are then available: • Very pessimistic scenario (probability of occurrence