Showing posts with label responding to risk. Show all posts
Showing posts with label responding to risk. Show all posts

Wednesday, 2 December 2015

Risk Management

Risk refers to the likelihood that your assets will decrease in value.

Risk is unique in that it applies to the probability of losses occurring, and the potential value of those losses.

In finance, risk is considered a type of cost.

All decisions you make have some degree of inherent risk.

Inaction too often has the greatest amount of risk, so rather than becoming paralysed by attempting to avoid all risk, look at it as a type of cost that allows you to calculate whether a financial decision will reap greater benefits that the potential losses and to compare the available options.

There are a variety of different ways to:

  • avoid risk,
  • reduce risk, or 
  • even share risk.


Each of the above has a price.

By calculating the cost-value of specific risks, it becomes possible to determine whether any of the tools available for managing risk are financially viable and are themselves an appropriate risk.

Risk management is a critical part of financial success.

You should explore:

  • the different types of financial risk, 
  • the ways in which risk is measured and 
  • how to effectively manage the amount of risk to which you are exposed.



Additional notes

Ways to avoid risk:  diversification and appropriate use of derivatives
Ways to share risk:  insurance

In the end, the best tool you have available to you in limiting the costs associated with risk is simple due diligence.
  • Do your research, make decisions which make sense to you and keep watching so you know when that decision doesn't make sense anymore.
  • If someone's credibility is in question, risk mitigation can come in forms as simple as asking for a nonrefundable down-payment, just as banks will sometimes ask for collateral before issuing loans.
  • Preparing for losses can be as simple as keeping enough funds available in a liquid form so you can pay your bills until you regain your losses.  
  • The duration of your exposure to losses can be shortened by ensuring you always have an exit strategy - before you commit to a decision, develop a way to undo it in a worst-case scenario.

Like most things, you get out of risk management that you put into it, and as the amount of potential risk increases, so should your intolerance for sloppy risk management.


Monday, 23 November 2009

Responding to risks: Summary

There are several possible responses to risk, ranging from tolerating to eliminating.

The right response to risk depends on the specific situation and also our calculations of probability and impact.

Transferring and insuring against risk involve others in risks, to the benefit of the business; the trade-off is increased costs.

Managing risks well depends on sharing information, clear responsibilities and consistency of approach.

Sunday, 22 November 2009

Responding to risks: Insuring risks

Insuring risks is similar to transferring them, but rather than asking another company to tkae action if a risk occurs, you ask them to financially compensate you for its occurrence.

As with transferring, the company will want payment for taking on the risk in this way.  This is familair concept from everyday life, where we have to insure our household goods, cars and mortgage repayments against a number of downside risks, from theft and accident to death.

Business also invest in many types of insurance, including public liability, employer's liability and so on.

Insurance is often a good response to operational risks.  It is particualrly appropriate for low-probability downsides with hugely significant impacts, such as a fire at the workplace.

Responding to risks: Transferring risks

Transferring is the concept of placing risks with those outside the business who are best placed to manage them. 

Typically, this means using another company to take on a business process that you do not wish to carry out in-house, or are unable to do yourself.  There are benefits in terms of reducing the probability and impact of downsides and also in-house effort in managing the risk, but there will be a cost - people will want paying for taking on risks.

Risks can be transferred in different ways:
  • formally:  on a contractual basis (e.g. IT service agreement), or through some other written agreement
  • informally:  through discussions and meetings, on a basis of trust
  • tacitly:  through assumption, perhaps based on precedent or simply beliefs.

Tacit risk transfer is generally not beneficial - it often represents a situation where one party has wrongly assumed that the other one will take an action or respond to a situation.  To prevent problems like this, you need share all information on the risk with the potential transferee:  its nature, probability and likely impact (on both parties); what you will pay them to take it on, why you want to transfer it and so on.

Payment for taking on risks will be more realistic when there is frank and realistic discussion of probabilities, impacts and costs.  Lack of communication may prompt the party taking on the risk to overcharge in order to cover themselves against the unexpected, or factors tha have not been clarified.

Responding to risks: Hedging risks

Hedging means taking additional risks that offset other risks, so that if the downside impact of one risk occurs, it is (in theory) balanced by the upside impact of the other risk. 

An example would be betting an equal sum on both sides in a sporting fixture - whatever the outcome, you cannot lose.  In investment or business, a 'perfect' hedge (one where the different outcomes are perfectly balanced) is practically impossible. A contractor can partially hedge his material cost prices of his contract with an advance order with the manufacturer for future delivery.

Hedging isn'tjust an approach to business or investment risk.  We engage in many trivial hedging behaviours all the time in our everyday lives - in any situation where we wish to avoid the risk of commitment.  When we hedge in everyday life, we set up alternatives for ourselves that will minimise the negative impact on us if things don't work out.  Consider the planning of a Friday night out.  We might make tentative plans to go out with one group of friends, but remain open to other offers.  After all, a better offer might come along - with a higher probability of positive impact (more enjoyment).  We are 'hedging our bets'.

Responding to risks: Concentrating risks

Concentrating risks is the opposite of diversifying - it means deliberately 'putting all your eggs in one basket'.  The effect is opposite too:  it increases the severity of potential impacts, but reduces management overheads, variables, unknown factors and dependencies.

An example of concentrating risk would be assigning a single person to a project full time, rather than assigning a small team part time. 
The time and cost of running the project might well be reduced, and the project might well be reduced, and the project may be run in a more coherent way, but there is a risk that the key individual will move on, damaging the chances of delivery.

The equivalent in financial terms is investing heavily in one or two stocks or products that you believe are sound, rather than spreading risk around because you are less sure of your market knowledge.

Concentrating risk depends for its success on the skill and knowledge of decision makers.  With fewer chances to correct mistakes, people need to get it right first time.

Responding to risks: Diversifying risks

Diversifying is about 'spreading risk around' - reducing your potential exposure by not having all eggs in one basket.  It reduces potential negative impact, but this normally results in extra costs.

Diversification can be a good tactic where there are problems in keeping the risk 'in one place', perhaps because there is a big potential downside.  For example, printers are dependent on paper suppliers to keep their operations running.  By setting up many suppliers for this commodity, they make it more likely that they will be able to get cover from another supplier if one can't delviver, thus reducing the potential downside risk of running out of paper.  (They also reap a number of side benefits, such as the opportunity to benchmark the prices of different suppliers, gain information about suppliers, find out about different ways of handling their orders and transactions and so on.)

However, there's always a downside.  There will be more administrative work in handling a large number of suppliers, and more management decisions to be made about which one will be used in each case; is price the only factor, or is the commercial relationship important too?

Diversification is also a good strategy for managing financial risk.  Investment vehicles that give investors the chance to invest in a range of companies offer those with little stock market knowledge a way to invest with reduced risk of exposure to market volatility in comparison with direct investment in a singloe company.

The key to diversification is keeping the different risks as separate from each other as possible, or reducing interdependencies between them.  No amount of diversification will protect against a worldwide recession, but investing in different economies around the world will offset the risk of a downturn in any particular one of them.

In a project contex, diversification can improve the chances of success.  Suppose a project has a 0.8 (80%) probability of failure.  It follows that the probability of success is 0.2 920%) - not particularly good.  Perhaps it is a speculative research and development project aimed at creating a new product.

But what if we ran two such projects?  The probability of both failing is 0.8 x 0.8 = 0.64 (64%) .  And if we ran three, the probability of ALL THREE  failing would be 0.8 x 0.8 x0.8 = 0.512 (51.2%), making the probability of having at LEAST ONE success nearly 50% (0.488 or 48.8%).  As we add more and more projects, the chances of success in at least one case steadily increases.  With 20 projects, our chances of having one success are 0.99 (99%) - we would be almost certain to succeed in one of the 20 projects. 

Diversifying risk through multiple projects:

Probabiltiy of total failure -----  Probability of single success                          
Run a single project
80% (0.8) ---- 20% (0.2)
Run two projects
64% (0.8x0.8) ---- 36% (0.36)
Run three projects
51.2% (0.8x0.8x0.8) ---- 48.8% (0.488)
Run 20 projects
1% (0.8^20) ---- 99% (0.99)

This illustrates how diversification can improve the chances of success, although at a price.  Running 20 projects will be much more expensive than running one.  But it may be that 20 modest projects, each researching a different potential product, are a better way forward than a single 'all or nothing' project puttting lots of resource into a single product.

An important point to remember is that the 'winners' must pay for the 'losers' if you choose to go for diversification.  The business must be able to afford to take all these risks, with all their respective potential downsides, and be confident that there is no risk of bankruptcy as a result.

Responding to risks: Minimising risks

If you choose to minimise a risk, you accept that it can't be eliminated, but take action to reduce its probability or negative impact (or both).  Minimising probability means taking actions so that a negative outcome is less likely to occur; minimising impact means taking actions so that the consequences will be less severe if a negative outcome does occur. 

We can see this in action by considering our own lifestyle choices.  By choosing a healthy diet and exercising well, we minimise the probability of health problems in later life.  By taking out health insurance, we hope to minimise the impact if they do occur.  Clearly, we could do both these things - minimising both probability and impact as a result.  How much action we take to minimise a risk, and the kind of actions we favour, depends on our own priorities, plus (as always) our assessment of probability and impact.  If our past medical history suggested we were more at risk from health problems, we might be more motivated to take action.

A parallel from business would be typical responses to operational risks.  Employees should be protected from physical harm wherever possible (minimising probability), but the employer is also obliged to have systems in place to deal with injuries should they occur (minimising impact).

Another example of minimising impact is double redundancy in computer systems.  Here an entire duplicate system is created and maintained, so that it can take over in the event of malfunction.  This hugely reduces the potential impact (though not the probability) of crucial data systems going offline; there is of course a trade-off in terms of cost.  This is often the case: in general, the more you reduce impact, the more cost is involved.  The business might choose to instate a repair contract with an IT service company instead, but this would not provide the same reduction of impact as the double-redundancy system.

Responding to risks: Tolerating risks

Your assessment of probability and/or impact may lead you to the conclusion that is is acceptable to tolerate a risk.  Such a decision is likely to be based on one (or both) of these two perceptions:
  • the probability of the downside is so low that it can be ignored
  • the impact of the downside would be so insignificant that it can be ignored.

If you are satisfied that one or both of these is true, a decision to tolerate the risk may well be the right one.

By making the choice to tolerate a risk, you are basically saying that you will do whatever is necessary to recover from a downside when it occurs, but nothing to prepare for it in advance.  However, this decision clearly rests on your understanding of probability and impact.  If you cannot be certain of probability, you may not be on safe ground tolerating the risk of a downside.

We have seen how impacts can often be quantified in financial terms, so that they can be compared to each other.  If you tolerate a risk, the business needs to be financially prepared to sustain the impact of its occurrence.

For example, if there is a risk that one in every hundred units made in a factory will be defective, but changing the manufacturing process is prohibitively expensive, the risk may be tolerated.  But the business needs to be sure that the waste resulting  from this decision to tolerate a risk will not damage its profits.  A decision might be taken to increase the selling price of the item, or sacrifice some profit margin, to offset the cost of the risk occurring.

Responding to risks: Eliminating risks

Clearly, if a risk has potentially negative consequences, then eliminating it is the best alternative. Given the choice, we would like to live without the potential for downsides to occur.

In business terms, this is clearly the most desirable action to take - it reduces management effort both now and in the future if you don't have to worry about a particular risk any more.  However, this is seldom possible - few risks can be eliminated completely, and some risk is going to be present in nearly every business situation.,

The key to considering elimination is the risk profile.  As we've seen, any risk that involves a fatal downside is a strong candidate for elimination, since the occurrence of the downside, however low its probability, is totally unacceptable. 

We would not choose to play a dice game that might bankrupt us.  In business terms this might equate to changing manufacturing processes that endangered people's lives in some wqay.  However unlikely the outcome, it would not be acceptable simply to tolerate the risk. 

Eliminating a risk may involve doing things in completely new ways.  If significant business change is involved in getting rid of a risk, you may need to consider what new risks will be created as a result.

Responding to risks

Responding to risks - the actions you can take once you've identified a risk and understood its probability and impact.

There are usually risks that cannot be avoided in business, no matter what alternative we choose.  Our decisions therefore focus on how we will respond to them, rather than trying to avoid them.   Responses to risk will vary from business to business and from risk to risk, but they tend to fall into one of these categories:
  • eliminating
  • tolerating
  • minimising
  • diversifying
  • concentrating
  • hedging
  • transferring
  • insuring
Deciding which of these responses is appropriate in any given situation requires careful analysis of the risk in terms of probability, impact and potential outcomes (expected values).

Getting it right

Whatever approach you choose to the risks you face, there are central themes to risk management that have to be in place for it to be successful.

Effective decision making and risk management are based on understanding, information and consistency.  It is vital that everyone involved is working from a shared idea of the significance of the risks facing the business, the probability of them occurring and the actions that they need to take in order to minimise downsides (or maximise upsides).

Here are some questions to ask in key areas to assess your risk management capabilities:

understanding operational risk:
  • are the risks that can arise in key business process understood?
  • are the implications of choosing or creating particular new processes understood?
  • are the impacts of operational risk understood, in terms of their immediate impact and also any potential impacts at higher levels?

understanding strategic risk:
  • are decision makers aware of the strategic risks facing the business?
  • are the implications of 'doing nothing' or continuing along the present course understood?
  • has 'business as usual' been examined in the same way as a 'risky' new direction would be?
  • have the risks implied simply by entering or remaining in a particular market been examined?

understanding probability:
  • have probabilities been quantified in a consistent way, that allows for comparison?
  • what evidence is there to support estimates of probability?
  • where there is uncertainty, has this been understood and acknowledged by decision makers?
  • is there shared understanding of the subjectivity involved in probability calculations?

understanding impact:
  • have impacts been quantified wherever possible, to allow for comparison?
  • is it clear where risks might impact on more than one area of the business?
  • is there the potential for risks to have interdependencies, making the occurrence of two or more risks together more significant?
  • are the different levels of impact understood (operations, strategy, financial, cultural)?

information:
  • documenting:  how will risks, responses and results be documented?  what proceducres will be used for recording the actions taken to manage risks and their results?
  • sharing:  how will information on risks and the success (or otherwise) of particular response be disseminated throughout the business, to avoid duplication of effort?
  • communicating:  who owns key information? who does it need to reach in order to support decisions on risk? what are the best media, formats and techniques for communicating?

clear roles and responsibilities:
  • whose responsibility is each risk? who 'owns' it by default?
  • who has enough authority and/or information to take a decision on how risks will be managed?
  • who will take action to manage the risk?  who will become its new 'owner'?

reporting and monitoring:
  • who needs to know what, and when?
  • what is the best medium or channel to provide information on risks, such that those who need to take decisions have the information they need in a format they will find conducive?

consistency of approach:
  • if similar risks occur in different parts of the business, is the response the same?
  • could risks easily be aggregated across the business if this kind of concentration brought benefits?

consistency of analysis:
  • where possible, are risks assessed using standard, objective criteria, or at least those that are agreed by all within the business?

consistency of tools and techniques:
  • where decision-making tools are used, are they used in a consistent way across departments and teams?
  • is there a genuine shared perspective on risks that affect different groups?

consistency of terminology:
  • are risks described in terms that allow meaningful comparison and evaluation across the business?
  • are common terms used with the same sense throught the business?
  • are there any aspects that need to be quantified, or made less subjective, to allow for more focused discussion between those involved?