Directrix Article

A Risk by any other name is a … Risk?

A look at the challenges faced with terminology in risk management

by Stefan Swanepoel

We are all familiar with the Shakespearean origin of the comment used to derive the title, but unlike Romeo, modern-day companies tend to have much less leeway when it comes to descriptive terms, especially when they relate to compliance with good corporate governance standards.

One of the challenges in the rapid development of the risk management field has been the lack of standardised and accepted definitions. In some cases the definitions used throughout the industry have an intuitive meaning, and the definitions applied by various practitioners are similar in meaning.

Conversely, there are definitions used in the industry that are neither standardised nor amenable to mathematical derivation or quantification, even though these approaches are implied or mentioned in the definitions themselves.

As a general contextualisation, many risk management projects conducted over the years for a variety of clients have highlighted one important concept – most exercises can relatively easily be categorised under one of two questions – “How much does it cost?” or “How much can I afford?”.

The first question generally relates to risks and their nature (distribution, expected value, volatility etc.) and the second generally relates to the resources available to manage the risks.

As an example, many risk control measures affect the answer to the first question, as they change the nature of the risks. The concepts of cost and affordability can easily be expanded to encompass non-financial costs, although outside Health and Safety concerns the focus is generally of a financial nature.

With specific regard to the ability or willingness to retain risk, the intuitive view is that this concept falls under “How much can I afford?”. Sticking to the financial side, the ability to retain risk naturally lends itself to some form of financial capacity, which is strictly independent of the exact nature of the risk, although there is admittedly a myriad of contingent and dependent influences.

To complicate matters even further for listed South African companies with international operations or listings in particular, there is the issue of conflicting requirements. Below is the definition of Risk Appetite in both brief and (literally) expanded form from ISO 31000 as well as per the Report on Corporate Governance by the King Committee (King III).

ISO 31000

Brief Definition

Amount and type of risk that an organization is prepared to pursue, retain or take.

Expanded Definition

Amount and type of risk (deviation from the expected — positive and/or negative of uncertainty on objectives (such as financial, health and safety, and environmental goals, applying at different levels such as strategic, organization-wide, project, product and process) often characterized by reference to potential events (non-)occurrence(s) or (no) change(s) of a particular set of circumstances, with several causes – “incident/accident”, including consequence-less events) and consequences (outcome of an event affecting objectives as a single consequence or range of consequences potentially escalating through knock-on effects, being either certain or uncertain and having potential positive and/or negative qualitative and/or quantitative effects on objectives), or a combination of these; a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (chance or general probability, whether defined, measured or determined objectively or subjectively in general terms or mathematically (e.g. probability or frequency over a given time period), of something happening) of occurrence that an organization is prepared to pursue, retain or take.

King III

Brief Definition

The level of residual risk that the company is prepared or willing to accept without further mitigation action being put in place, or the amount of risk the company is willing to accept in pursuit of value.

Expanded Definition

The level of residual risk (the level of risk - uncertain future events (occurrence of a particular set of circumstances, certain or uncertain as a single occurrence or a series of occurrences with the probability (extent to which the event is likely to occur or degrees of belief about probability, chosen as classes or ranks) or frequency (the property of an event occurring at intervals) associated with the event being estimable for a given period of time) that could influence, both in a negative and a positive manner, the achievement of the company’s objectives as a combination of the probability of an event and its consequence or a condition in which the possibility of loss exists or in some situations arising from the possibility of deviation from the expected outcome or event, including events such as failing to capture business opportunities when pursuing strategic and operational objectives as much as a threat that something bad will happen - remaining after risk treatment) that the company is prepared or willing to accept, determined on an individual risk basis and varying from risk to risk without further mitigation action being put in place, or the amount of risk the company is willing to accept in pursuit of value.

Although very cumbersome, both expansions serve to demonstrate the level of complexity inherent in the few definitions already in use. Both definitions consider both the nature of the risks and the ability to retain them, effectively making risk appetite a composite result. A company that has derived its risk appetite must therefore have answered both questions.

In addition, there are significant differences in specific parts of the definition. Specifically:

  • Residual Risk: ISO 31000 does not make specific distinction between residual risk and risk whereas King III does. Although the ISO definition could be viewed as implying the same, it is not explicitly stated and cannot therefore necessarily be assumed.
  • Individual Risk Basis: King III specifically refers to risk appetite as developed on an individual risk assessment basis and applied individually to the various risks. ISO 31000 does not appear to make this distinction other than to refer to the amount and type of risk. This implies some distinction between the various risks, but not explicitly to the same degree. Neither standard explicitly addresses risk retention optimisation and dependencies between risks, which can have a significant impact on decisions.
  • Pursuit of Value: King III provides a single potential source of motivation for the setting of the Risk Appetite – the pursuit of value, indicating that other considerations not related to the pursuit of value should be excluded.

However, King III does address in some form the collective financial ability to retain or absorb risk in specifying the term Risk Bearing Capacity (RBC).

Risk Bearing Capacity

Risk Bearing Capacity is a monetary value prediction of the company’s ability to endure losses and the effect such losses may have on the company’s value and/or its ability to continue with its activities, and is used as a yardstick measuring the maximum loss the company can endure without exposing it to the point where its existence and survival is under threat, given an equivalent loss.

Although, on the surface, this appears to address the other side of the coin (How much can I afford?), the focus is entirely different. Whereas the Risk Appetite definition is focused on risk costs related to the pursuit of value, the RBC focuses on company survival – definitely not business-as-usual or going-concern.

Although the maximum amount that a company can forfeit and still survive is a critical element in the overall risk management framework, it does not help in determining the amount of risk that can be retained on an ongoing basis without impeding the ability to operate.

In addition, the term Risk Bearing Capacity had been used in other contexts with different definitions for several years prior to the issue of King III. Does this necessarily invalidate those other definitions?

The key to definitions is that they should clarify, rather than confuse; break concepts down into manageable components rather than confound. Clear thinking and analytical approaches are required in order for risk management to fulfil its promise to businesses. Irrespective of the labels we put on things, we need to ensure we are in the same forest before we start cutting down trees.

Although a measure of flexibility and principle-based direction is always welcome, it will remain important to consider the potential impact before committing to specific definitions that can have a significant impact on business.