Enterprise Compliance Today

How to aggregate risk in an Enterprise Risk Management (ERM) system

Posted by Greg Carroll on Sat, Nov 09, 2013 @ 09:18 AM

Without aggregation, ERM loses any meaning and purpose (see Why Aggregate Risk in ERM). So, accepting the need to aggregate risk, both from business units to group and between diverse natures of risk, how do you aggregate risks?



[Figure: Neural network. Aggregating risks based on corporate objective measurements, horizontally and vertically, through neural networking provides a powerful decision-making tool.]


Even after our recent webinar series on “Mastering 21st Century Enterprise Risk Management”, there continues to be confusion around how to aggregate risk in an Enterprise Risk Management (ERM) system. As a result, some risk managers are now advocating that risks cannot be aggregated, but without aggregation ERM loses any meaning and purpose. So, accepting the need to aggregate risk, both from business units to group and between diverse natures of risk, we return to the basic question of how to aggregate risks.

Just recently again, someone tried to put forward the idea of averaging exposures as a consolidation technique. 

There are NO circumstances in which you would want to do this! It’s like having one foot in boiling water and one in ice: on average, you’re perfectly comfortable. This stems from the common practice of using unrepresentative risk matrix modeling to evaluate risk exposure. These matrices were essentially designed for their ease of use, not their effectiveness. The 2013 Milliman research report on OpRisk found that “Basic risk indicators and standard formula are ultimately a very blunt tool”. That is, the current common practice of rating characteristics with a two-dimensional probability-consequence risk matrix, which is then aggregated, produces a close-to-meaningless value that, although better than nothing, has little relation to real-world risk.

Further, the concept of evaluating a risk as an absolute value in isolation from its environment and timeline is just not realistic. The probability of someone falling and hurting themselves may normally be low, but it will increase drastically if they have been working long hours, there is condensation on the floor, or they have a previous history. So a single risk factor misrepresents the real exposure. We therefore need to move to Scenario Analysis for mapping risk causes, drivers, and outcomes, and drop the old risk matrix.

Within an Enterprise Risk Management system, contrary to common practice, risks need to be grouped by their nature, directly related to business strategies and business objectives. Instead of being process- or control-focused, risk outcomes have to be tightly coupled to corporate objectives to allow for meaningful aggregation over disparate operations and natures of risk.

Evaluating the risk outcomes in terms of capital, contribution, metric tons, or man-days lost, allows for the simple aggregation of a financial, safety and reputational risk into a useable value. Conversely, it also allows executives to understand the importance and value of specific risk controls by their impact on business objectives.  Approaching risk aggregation from this perspective allows staff and management to comprehend the true concept and purpose of aggregating risk and therefore the objectives of an Enterprise Risk Management system.

I'm a strong advocate for interconnectivity in risk management and the use of Bayesian networks to apply likelihoods. Apart from specialised software (like FastTrack), there are a number of Excel add-ins for Neural Networks to map interconnectivity, to which you can then add Bayesian inference. On each node in the Neural Map you can estimate its contributing factor to related nodes, e.g. the unit price has a 30% contribution to sales volume. This reduces complexity by focusing only on the direct relationship and not the overall effect.

Risk is not a discrete value because uncertainty cannot be discrete. Unfortunately risk is commonly incorrectly portrayed as a discrete value in a “Risk Matrix” or “Heat Map”. Rather, it is a range of possibilities best represented as a Normal Distribution (or similar) curve. However, more important than its current position on the curve is its direction, either improving or worsening. 

We can identify this by preparing a number of scenario analyses for each corporately significant risk event, linking items from our risk inventory into possible scenarios based on how they impact one another, e.g. a drop in exchange rate increases unit price, which decreases sales volume, increasing inventory holding and impacting our ROI objective. We then develop multiple scenarios for best case, most likely, and worst case. Better still, also include ‘getting better’ and ‘getting worse’ scenarios.

Within our scenarios, for each item we can specify its likelihood and pick up its effect on the next component in the scenario from our Neural Network. Then, using Bayesian modelling, we can predict not only the overall outcome on our objective but also the effect of any individual movement of any factor within the scenario.

Final aggregation is then achieved by again creating a Bayesian network of the favoured outcomes from each scenario event, for an Objective. Yes, this means the aggregate risk is conditional on the combination of which scenario outcomes are selected, but isn’t that the real world? Aggregating risks based on corporate objective measurements, both horizontally and vertically, through a Bayesian network, applying compounding conditional probabilities to handle complex interrelationships, provides an invaluable decision-making tool for management.
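To make the scenario chain and the final aggregation concrete, here is an added Python sketch; it is not from the original post or from FastTrack. It assumes a simple chain of yes/no events with constructed conditional probabilities (standing in for the contributing factors), and treats the scenario outcomes as independent when combining them.

```python
# Constructed illustration: every probability and figure below is invented.
# Chain from the post: exchange-rate drop -> unit price rise -> sales volume
# fall -> inventory build-up -> ROI objective missed. Each link holds
# (node, P(node | parent occurred), P(node | parent did not occur)).
CHAIN = [
    ("unit_price_rise", 0.80, 0.10),
    ("sales_volume_fall", 0.60, 0.15),
    ("inventory_build_up", 0.70, 0.05),
    ("roi_objective_missed", 0.50, 0.05),
]

def propagate(p_root, chain=CHAIN):
    """Forward-propagate the root likelihood; return each node's marginal."""
    marginals, p = {}, p_root
    for name, p_if, p_if_not in chain:
        p = p_if * p + p_if_not * (1.0 - p)  # law of total probability
        marginals[name] = p
    return marginals

def p_missed(p_root, chain=CHAIN):
    """Likelihood that the objective at the end of the chain is missed."""
    return propagate(p_root, chain)[chain[-1][0]]

def posterior_root(p_root, chain=CHAIN):
    """Bayes' rule: P(root driver occurred | objective missed)."""
    return p_missed(1.0, chain) * p_root / p_missed(p_root, chain)

def with_link(chain, name, p_if):
    """Copy of the chain with one link's P(node | parent occurred) moved."""
    return [(n, p_if if n == name else a, b) for n, a, b in chain]

def aggregate(outcomes):
    """Combine selected scenario outcomes for one objective.

    outcomes: (likelihood of missing, effect in the objective's unit) pairs,
    treated as independent (an assumption). Returns the likelihood that at
    least one occurs and the expected effect in the objective's unit.
    """
    p_none, expected = 1.0, 0.0
    for p, effect in outcomes:
        p_none *= 1.0 - p
        expected += p * effect
    return 1.0 - p_none, expected

if __name__ == "__main__":
    base = p_missed(0.30)
    print("P(ROI missed):", round(base, 4))
    print("P(rate drop | ROI missed):", round(posterior_root(0.30), 4))
    improved = p_missed(0.30, with_link(CHAIN, "sales_volume_fall", 0.30))
    print("after weakening price->volume link:", round(improved, 4))
    print(aggregate([(base, 2.0), (0.05, 0.5)]))  # effect in ROI points
```

Moving one link with `with_link` shows how a single control changes the likelihood of missing the objective, and `aggregate` keeps the combined figure in the objective's own unit rather than as an averaged rating.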

Putting it all together

• Link risks back to strategic business objectives and quantify the risks in terms of their measured effect on the business objective.

• Map a Neural network of interrelationships to quantify contributing factors.

• Define Scenario Analyses to identify potential risk events, states, and possible outcomes.

• Use Bayesian modelling to calculate both the severity and likelihood of risks, drivers and outcomes.

• Aggregate both horizontally and vertically using the measure of the effect on the business objective.

For those unfamiliar with some of the above techniques, refer to my book, which gives a step-by-step guide to designing a true ERM system.

Get Modern

Aggregation of risk is just one factor you need to reassess if you are serious about implementing an effective Enterprise Risk Management system. Other issues, including risk culture and attitude, resilience, and environmental scanning to identify changes in causes and drivers and triggers for proactive real-time re-evaluation of risk profiles, are covered in my book “Mastering 21st Century Enterprise Risk Management”, available from Amazon and the www.fasttrack365.com website.



Tags: corporate governance, risk aggregation, risk management