Enterprise Risk Management

Risk mapping is a commonly used tool by companies to identify and prioritize the risks associated with their business activities. Regardless of how you might structure the frequency/severity, likelihood/impact scales used for your risk mapping activities, how do you determine the intersection points or zones that make up ratings for your assessment? Do you apply a scientific methodology to your process? Do you ultimately make your best educated guess? Or do you simply try to arrange the colors in an optically pleasing manner? ------------------------------- ERM Development Committee Please be sure to visit the Enterprise Risk Management (ERM) Center of Excellence for tools and resources to assist you create a robust ERM program within your organization. -------------------------------

In our case, risk results that are delivered to the executive dashboard are grouped on a 1 to 5 scale with the coloring of 0-.99 Minimal (Gray);1.0-1.99 Green (Low); 2.0-2.99 Medium (Yellow); 3.0-3.99 (Orange); 4.0-5.0 Critical (Red). The relationship of these values to dollar impact and likelihood is documented and the correlation occurs mathematically behind the scenes. We produce dashboard results that reflect this scale for inherent risk impact and likelihood and residual risk impact and likelihood. Marshall Toburen SVP & Ops Risk Manager UMB Financial Corporation Kansas City, MO
Original Message----- Sent: September 7, 2006 10:37 Subject: Risk Mapping Risk mapping is a commonly used tool by companies to identify and prioritize the risks associated with their business activities. Regardless of how you might structure the frequency/severity, likelihood/impact scales used for your risk mapping activities, how do you determine the intersection points or zones that make up ratings for your assessment? Do you apply a scientific methodology to your process? Do you ultimately make your best educated guess? Or do you simply try to arrange the colors in an optically pleasing manner? ------------------------------- ERM Development Committee Please be sure to visit the Enterprise Risk Management (ERM) Center of Excellence for tools and resources to assist you create a robust ERM program within your organization. -------------------------------

Risk maps, while useful have some major drawbacks. One is that they are not usually absolutely quantitative, but rather qaulitative. Likewise, any threshold (or risk appetite) is not built on solid quantifications (usually) and so is a guess. There are some limited circumstances in which one has hard numbers with which to calculate the appetite and exposure, but I will assume that we are talking about risks outside of the pure financial realm. The biggest problem with risk maps is that they tend to inflame extant decision biases. If one looks at the body of work of Daniel Kahneman and Amos Tversky (that won them the Nobel in Economics in 2002) then it is very clear that decisions around risk can become very irrational depending upon how they are framed. One way to cause this is to show only the downside of an outcome -- which is what the risk map does. The risk map is primarily to demonstrate the relative ranking of the risks. But in order to use it to make a decision regarding risk, one must introduce a more balanced perspective by also including rewards and positive outcomes. Another alternative to using this type of map which we have developed is to use the framework designed by the Stanford Strategic Decisions group. They have worked in conjunction with Kahneman to develop a framework that corrects for the decision biases (and some of their work can be viewed at www.sdg.com) So to answer the original question and end my personal digression, it is not of any use to try to set the parameters in question except in very limited circumstances. Regards, ------------------------------- Beaumont Vance Sun Microsystems Inc. Senior Risk Manager -------------------------------
Original Message----- Sent: September 7, 2006 10:37 Subject: Risk Mapping Risk mapping is a commonly used tool by companies to identify and prioritize the risks associated with their business activities. Regardless of how you might structure the frequency/severity, likelihood/impact scales used for your risk mapping activities, how do you determine the intersection points or zones that make up ratings for your assessment? Do you apply a scientific methodology to your process? Do you ultimately make your best educated guess? Or do you simply try to arrange the colors in an optically pleasing manner? ------------------------------- ERM Development Committee Please be sure to visit the Enterprise Risk Management (ERM) Center of Excellence for tools and resources to assist you create a robust ERM program within your organization. -------------------------------