
How to Aggregate Risk – Part 1


Author: Gregory M Carroll

How to Aggregate Risk Part 1 - The Framework

As ISO 31000 specifies that risk is the measure of the uncertainty on an organisation’s objectives, it is the effect on the objectives that counts.


How to Aggregate Risk in ERM

In this three-part series I will cover how to Aggregate Risk to achieve true Enterprise Risk Management. This is critical to understanding the uncertainty in achieving your business objectives.

  • Part 1 – The Framework: What you need to have in place to allow risk aggregation;
  • Part 2 – The Math: How to use Bayesian mathematics to automate causal maps and aggregate the effect of multiple risks on your business objectives;
  • Part 3 – Case Study: I will look at an eight (8) year case study of the success of these techniques compared to traditional forecasting methods.

Risk Aggregation Framework

In both my books, “Mastering 21st Century Enterprise Risk Management” and “Risk Intelligence – How AI can transform Risk Management”, I covered why it is essential that you aggregate risks in an ERM. To paraphrase, business is a complex system where everything affects everything else. As ISO 31000 defines risk as the measure of uncertainty on an organisation’s objectives, it is the effect on the objectives that counts.

The outcome of any objective is subject to multiple contributing factors. Each factor, in turn, has its own level of uncertainty, or risk. Therefore, to ascertain the level of uncertainty in an objective, as required by ISO 31000, you have to aggregate the uncertainty embodied in all its contributing factors. However, you cannot aggregate the contributing risks by simply summing them. There is an established mathematical method for aggregating risk: “Bayesian Joint and Conditional Probabilities”.

Risk Aggregation Methodology

Before I go through this technique, let me go through the risk management framework that needs to exist to enable the aggregation of risk.

  1. First, objectives must be quantified in measurable units such as dollars or tonnes. Not qualitative statements like “improve” or “seek”. Not just percentages, e.g. convert % to $.

For example, the objective of “maximise airport’s operating hours” needs to be expressed in a specific number of hours. This is so the cost or benefit of any change can justify the actions to mitigate or exploit any change.

  2. Identify what can cause an objective to move up or down. These events are the source of uncertainty (risk events).

For example, airport’s operating hours are contingent on such factors as weather, demand, staffing levels, and government restrictions. Weather events may include fog, storms, or smoke. Demand can move up or down based on economic conditions, airline usage, and facilities utilisation. Etc., etc.

  3. Develop a list of the contributing factors (risk drivers) for each risk event and how they interconnect (causal map).

For example, “fog” as a risk event. Fog is the product of a number of environmental conditions. These might include level of recent rainfall, temperature, and pressure gradient. They have different causes but interconnect in their effect on fog, which can close down the airport.

  4. Choose indicators (KRIs) that measure movement of each risk driver. These metrics are what I refer to as Risk Influences.

For example, local rainfall has to be sufficient to cause fog, and rainfall is dependent on time of year and environmental cycle, like “El Nino”. This gives us two risk influences of “Time of Year” and “El Nino” for the risk driver “Rainfall”. The level of rainfall in any month is conditional on both.

  5. For each risk influencer, collect its historical movements to build its distribution. This will give you a curve, mean, and standard deviation. There are a number of Excel add-ins that can do this from raw data. It is important to ascertain both the shift and tail of the distributions. If historical evidence is not available, get a subject expert’s opinion.

Historical data is readily available on rainfall and weather cycles in the public domain. Data can be downloaded into Excel spreadsheets. Even if you only have a relatively small amount of historical data, you can use Excel add-ins to generate its probability distribution curves.

In Part 2 – The Math, I will cover the fundamentals of the last three steps of the framework. These are:

  6. Perform Monte Carlo simulations sampling from the probability distributions generated above, to ascertain its likely effect and contribution to the objective (scenario analysis).
  7. Convert the scenario analysis into a Bayesian Decision Network to calculate the combined effect of the influences on all the drivers to arrive at the level of risk of that risk event.
  8. Finally, aggregate the contributing sources of risk on the objective. You can also use Bayesian Joint and Conditional Probabilities to arrive at a probability distribution of the effect. This gives the value at risk in terms of the business objective.

The framework allows you to update any risk driver network by adding new actual readings (evidence) for individual risk influences. This is done by using Bayes’ rule to alter its probability distribution function (PDF). It results in each driver’s sampling distribution becoming more and more accurate with time.
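The fog example above, worked through with joint and conditional probabilities in Python, including what happens when evidence for an influence is entered. This is an added illustration, not the author's model or the method of Part 2; every probability, the reduced causal map (rainfall and temperature only) and the figure of 4 hours lost per fog day are constructed assumptions.

```python
from itertools import product

# Constructed probabilities for illustration only (assumptions, not the article's data).
P_WET = 0.5     # influence "Time of Year": P(wet season)
P_NINO = 0.25   # influence "El Nino": P(El Nino phase)
P_COLD = 0.5    # driver "Temperature": P(cold night)
# Driver "Rainfall": P(high rainfall | wet season, El Nino)
P_RAIN = {(True, True): 0.40, (True, False): 0.80,
          (False, True): 0.10, (False, False): 0.30}
# Risk event "Fog": P(fog | high rainfall, cold night)
P_FOG = {(True, True): 0.60, (True, False): 0.20,
         (False, True): 0.10, (False, False): 0.02}
NAMES = ("wet", "nino", "rain", "cold", "fog")
HOURS_LOST_PER_FOG_DAY = 4.0  # hypothetical effect on the operating-hours objective

def bern(p, value):
    """Probability that a yes/no node with P(yes) = p takes `value`."""
    return p if value else 1.0 - p

def joint(wet, nino, rain, cold, fog):
    """Joint probability of one full scenario: chain rule along the causal map."""
    return (bern(P_WET, wet) * bern(P_NINO, nino) * bern(P_COLD, cold)
            * bern(P_RAIN[(wet, nino)], rain) * bern(P_FOG[(rain, cold)], fog))

def prob(query, evidence=None):
    """P(query | evidence), summing the joint over every consistent scenario."""
    evidence = evidence or {}
    num = den = 0.0
    for values in product((True, False), repeat=len(NAMES)):
        s = dict(zip(NAMES, values))
        if any(s[k] != v for k, v in evidence.items()):
            continue  # scenario contradicts the evidence entered
        p = joint(**s)
        den += p
        if all(s[k] == v for k, v in query.items()):
            num += p
    return num / den

def expected_hours_lost(days, evidence=None):
    """Aggregate the fog risk into the objective's unit (operating hours)."""
    return days * prob({"fog": True}, evidence) * HOURS_LOST_PER_FOG_DAY

if __name__ == "__main__":
    print("P(fog), no evidence:", round(prob({"fog": True}), 4))
    print("P(fog | El Nino):", round(prob({"fog": True}, {"nino": True}), 4))
    print("P(high rainfall | fog):", round(prob({"rain": True}, {"fog": True}), 4))
    print("Hours lost in 30 days:", round(expected_hours_lost(30), 2))
```

Entering evidence for a single influence moves the probability of the risk event and, through it, the expected effect on the objective, without any of the contributing probabilities being summed.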

By repeating the above process periodically, you will identify if there is a major shift in a risk metric. A major shift may indicate a substantial change to the risk of achieving an objective. What constitutes substantial change for a risk driver can be set by putting a “collar” range on the driver.

In the next article I will give a simple description of how Bayesian maths works, and tools to automate the math.

For more information on SMART Objective Management, the use of the Delphi process to identify and map risk events, performing scenario analysis on risk drivers and influences, and techniques for developing causal maps, I refer you to my book “Mastering 21st Century Enterprise Risk Management”, available in both ebook and print formats. For more on generating risk collars using unsupervised machine learning, to identify substantial change, see my second book “Risk Intelligence – How AI can transform Risk Management”.


Copyright © 2013-2022 Gregory M. Carroll 
