Risk Management and Simulation

We have observed that making evaluations on a purely qualitative scale and then simply multiplying them by the probability of occurrence and potential damages no longer suffices for many companies. More organizations are taking the route of quantitative evaluations, sometimes even over multiple observation periods and usually in preparation for various types of simulations.

A simulation, in this context, means testing different what-if analyses at random until a most likely variant stands as a result. When it comes to simulation, Monte Carlo is typically the method of choice, with the objective to aggregate each evaluated expected value of the individual risks into a statement on the total risk situation and determine which value will be achieved with a 95% probability. One request that we often receive is the ability to apply different distributions and account for dependencies among the risks. At this point, a first discussion often ensues with the business departments to define correlation and causality as well as the underlying reasons for this requirement.

Most requirements revolve around analytic capabilities and visualization forms. Over time, for example, the idea to link the aggregated effects with the respective positions in planning or the consolidated annual financial statements often takes root. Another common request is to determine the percentage of a certain risk category in comparison to the total result. Relevant graphical visualizations such as distribution curves or a tornado chart are also listed among the functional requirements.

We could have implemented all of these requirements in the past. Instead, we opted to make these changes within our core product, the BIC GRC Solutions (formerly risk2value) in order to provide faster, easier responses to these and other client requests in the future.

We now support the complete process of risk management – from quantitative evaluations and simulation, to aggregations and input, to activity optimization – fully integrated and directly within the BIC GRC Solutions. The following components are planned for use:

1. Template for quantitative risk evaluation

• Evaluating the probability of occurrence
  • Selecting from a predefined list
  • Defining a percentage value
•  Evaluating the damage
  • Minimal damage
  • Expected damage
  • Maximum damage
• Defining the distribution function
  • Selecting from predefined distributions in a list
  • Making a groupwide decision for a distribution

2. Template for recording actions

• Evaluating damage reduction
  • Selecting from a predefined list
  • Defining a percentage value
• Evaluating the effect
  • By probability of occurrence
  • By minimal damage
  • By expected damage
  • By maximum damage
•  Evaluating the costs
  • Initial costs
  • Running costs

3. Methods for aggregating individual risks into a total risk position in R

• Open code for statistics and graphics (available in SQL)
• Standard language for statistical problems in both business and science
• Developed exclusively by GBTEC

4. Methods for correlating risks

• Objective: Defining a value (-1 to 1) that measures the relationship level of the risk to the aggregated result
• Determining the risks that cause the highest percentage of the aggregated result

5. Methods to determine actions by weighing their costs and benefits

• Solving an optimization problem
• Objective: Minimizing the costs of the actions without letting the total risk position (e.g. p95) exceed the defined value

The first experiences from client projects confirm a strong acceptance for our new approach. Our clients have been highly satisfied thus far with both the fulfillment of functional requirements as well as the calculation speed and analyzability.

The benefits of quantitative methods are easy to summarize:

• They are certainly more accurate because refined methods have replaced the trivial usage of a normal distribution, the multiplication of the probabilities of occurrence by the damage assessment, and the mere summation of risks within a category.
• They are certainly more accurate because refined methods have replaced the trivial usage of a normal distribution, the multiplication of the probabilities of occurrence by the damage assessment, and the mere summation of risks within a category
• In an era of unlimited computer capacities, the calculation time to run almost any simulation is relatively short
• The results of this simulation make it possible to view different options, courses of action and possible consequences within the decision-making process.
• This can increase the transparency among dependencies and cause-effect chains among the individual risks and actions.
• Data visualizations make correlations visible and intuitively grab the attention of management.
• In particular, the methods for action optimization can be used to rank which actions make the most sense based on their costs and benefits.

Nonetheless, there is still good reason for doubts and skepticism. This is fueled by a few reported cases in which the quantitative methods were ultimately pulled at the end. In these instances, however, there was simply too much debate regarding the accuracy and interpretation of the methodological/mathematical/statistical approach and confusion surrounding the individual results. That obviously leaves even less time to discuss ways to deal with future risks.

That brings me back to where I started. In my opinion, the slow development to quantitative-driven methods is the logical result of the overall improvements in the maturity of risk management throughout a company. The respective maturity level is just as critical now as it was in the past, and all initiatives for the further development of risk management must be well planned and implemented in the right dosage.