Episode 6 (part 2) of the GBTEC GRC podcast deals with the topic “Aggregation, added value of quantitative methods and outlook.” Frank Romeike, Managing Partner at RiskNET, provides interesting insights combining theory and real-world examples. The episode was hosted by Claudia Howe, GRC Competence Lead at GBTEC Austria (formerly avedos).
Digitalization is affecting more than just the private lives of every single person. It is affecting every single business process. This generates masses of data, which opens new opportunities for risk management – for example, through the use of early warning indicators. To process this data, however, the responsible individuals must have a certain level of analytical competency. Linking up historical data with expert knowledge is an effective way for companies to generate business value. Merely transferring past assumptions 1:1 into the future, however, is dubious at best. Frank Romeike illustrates this point with the following example: An international aluminum company wanted to know how the price for this metal would develop in the future. Creativity techniques produced a whole range of reasons for the price development. Yet only a few drivers were influencing the current price. If these drivers are known, they can be anticipated in the future. A serious analysis is conducted based on the range and expected value.
Most risk managers – oftentimes without even knowing it – work with a distribution function known as the binomial distribution. That is tricky because it is often applied to risks that are not binomially distributed and, therefore, cannot be described with a probability of occurrence and extent of damage. The risks related to the price of aluminum, for example, are defined by the existence of a band of fluctuation. A price that fluctuates by 30 % poses a higher risk than one that fluctuates by 5 %. Romeike uses scenario evaluations (best, realistic, worst cases) in risk assessments. He also talks about heuristics in this context.
- A simple heuristic classifies results as discrete or continuous:
  - Discrete means that there are individual, tangible reference values. Costs, for example, could be € 500,000, € 1,000,000 or € 1,500,000.
  - Continuous results cover a certain range, such as: best case – worst case.
- Another heuristic asks whether a statement is symmetric or asymmetric. Does the same spread exist on both the opportunity and risk sides? Are there extreme scenarios?
The cycle typically ends with a summary report that categorizes the reported risks. There are two different forms:
- Consolidation: Risks are summarized in clusters, for example: strategic or financial risks.
- Aggregation: Dependencies among risks are included as well. A true aggregation requires the use of quantitative methods.
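The difference between consolidation and aggregation, as an added example that is not from the podcast or from GBTEC: a Monte Carlo simulation that turns best/realistic/worst scenarios into distributions and couples them through a shared driver. The risk names, the figures (EUR thousand of EBIT impact), the triangular distribution and the correlation of 0.8 are constructed assumptions.

```python
import random
from math import sqrt
from statistics import NormalDist

# Constructed sample data: EBIT impact as a loss in EUR thousand (negative = opportunity).
# Each risk is (best case, realistic case, worst case); asymmetric on purpose.
RISKS = {
    "commodity price": (-200, 300, 1500),
    "supplier outage": (0, 200, 900),
    "fx exposure": (-100, 100, 400),
}

def tri_ppf(u, best, realistic, worst):
    """Inverse CDF of a triangular distribution (assumed shape for a scenario band)."""
    span = worst - best
    if u < (realistic - best) / span:
        return best + sqrt(u * span * (realistic - best))
    return worst - sqrt((1 - u) * span * (worst - realistic))

def simulate(risks, rho, n=20000, seed=1):
    """Sorted total loss per trial; rho is the assumed pairwise dependency
    between risks (one-factor Gaussian copula), rho=0 means independent."""
    rng, phi = random.Random(seed), NormalDist().cdf
    totals = []
    for _ in range(n):
        common = rng.gauss(0, 1)  # shared driver that hits every risk
        total = 0.0
        for best, realistic, worst in risks.values():
            z = sqrt(rho) * common + sqrt(1 - rho) * rng.gauss(0, 1)
            total += tri_ppf(phi(z), best, realistic, worst)
        totals.append(total)
    return sorted(totals)

def quantile(sorted_vals, q):
    return sorted_vals[min(int(q * len(sorted_vals)), len(sorted_vals) - 1)]

def report(risks, rho):
    t = simulate(risks, rho)
    return {"expected": sum(t) / len(t), "p95": quantile(t, 0.95), "p99": quantile(t, 0.99)}

if __name__ == "__main__":
    # Consolidation only adds up the reported worst cases per cluster.
    print("consolidated worst cases:", sum(w for _, _, w in RISKS.values()))
    for rho in (0.0, 0.8):
        print("rho", rho, {k: round(v) for k, v in report(RISKS, rho).items()})
```

The expected total is the same in both runs; only the tail (p95, p99) moves with the dependency, which is the information a consolidated list cannot provide.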
One question that often arises is what tangible benefits companies can obtain from quantitative risk management. One important aspect is the higher level of acceptance within the C-suite. Some still believe that executives would not understand qualitative methods. This, of course, is inaccurate because more and more companies are being driven by quantitative performance metrics (e.g. capital costs, return on equity, EBIT). The task is to make a risk adjustment for each metric that executives use in their day-to-day work.
Quantitative methods also generate business value through the assessment of risk tolerance based on risk exposure. Scenarios that threaten a company’s existence cannot be recognized early enough using a qualitative approach. The advantage of quantitative methods is that they include a business impact analysis which assesses the effect of risks on earnings metrics (e.g. EBIT). According to Romeike, that is exactly what executives want to know – and not if a risk is assessed as being “high”.
The issue of liability also plays a crucial role. If a wrong decision has been made, a managing director must prove that he or she came to this conclusion based on a solid base of information.
Last but not least, quantitative risk management can actually be … fun. This conclusion, which was made at the RiskNET Summit, didn’t come from Romeike, but rather from a DAX corporation, which is currently forging along the path to a higher level of risk maturity.
The first episode of GBTEC's GRC podcast was broadcast in February 2019. This series focuses on all aspects of integrated GRC, enterprise risk management, internal control systems and information security management. Today, 7 episodes are available and can be streamed on leading platforms such as Soundcloud, Spotify and Apple Podcast.