The credit and financial crises have proved that looking at risk management through the rearview mirrors is dangerous. Since then, organizations – especially banks and financial services institutions – recommend adopting a forward-looking approach to risk management. Organizations of all sizes now want to assess and aggregate risks across various processes, business lines, and risk types using multiple methods.
The process of identifying the impact of various risks on a business requires the ability to aggregate risks both vertically and horizontally. A robust aggregation mechanism enables risk officers not only to understand the total risk exposure, but to also make risk-aware decisions and define risk treatment plans that are in line with their organization’s risk appetite definitions.
Why Should You Aggregate Risks?
Managing risks across a large enterprise can be a challenge. The process of identifying the impact of multiple risks on an organization requires the ability to aggregate risks at multiple levels. The basic goal of risk aggregation is to collect several risks in order to arrive at a total risk exposure for all or a part of an organization. Risk aggregation allows grouping of similar risks from different perspectives to provide a complete picture of risk across the enterprise.
Basel Committee on Banking Supervision (BCBS) points out the need for risk aggregation in banking and financial services sectors as below:
“Naturally, the organization of risk management functions varies across firms. In some firms, risk management is a highly centralized function where the dedicated risk management function exercises substantial authority. In other firms, particularly in the insurance sector, local business units with a limited risk profile retain substantially greater autonomy over significant risk management decisions. Moreover, even in some firms with a bias toward centralized risk-management decision-making, the key decisions are made by a senior management committee, rather than by the risk management function itself. The organizational infrastructure of risk management decision-making varies considerably across firms, and it is difficult to conclude that any single approach is becoming dominant.”
Additionally, companies follow different organizational structures to support their nature of business. Some organizations might group risks as per organizational structure while others might group them by legal entities, geographical structure, processes, products or risk categories. Risks can be present at multiple levels within an organization. Risk owners at each level would want to easily identify their exposure as against the total exposure at enterprise level. There could be common risks between two functions or locations. Stakeholders at each level would want to view aggregated level of risk exposure for specific risks or risk types, for example, External Fraud, Attrition etc. This can be useful for monitoring changes in risk profile over time. Risk owners at various levels would want to look at top risks at their levels and take necessary actions to mitigate them. They would also want to easily identify if any risk or a group of risks are approaching risk appetite limits or have already breached those limits. To facilitate all these, organizations have to adopt risk aggregation methodologies that suits their risk management approach and business strategy.
Risk aggregation at multiple levels and also at enterprise level helps risk leaders understand the root cause of risks and take meaningful, remedial actions. Slicing and dicing of risk data by aggregating at different levels enables risk owners and organizations to make risk-based decisions and take advantage of market movements and conditions.
Key Challenges While Aggregating Risks:
- Data Collection: Collection, quality, and applicability of data are a major challenge while rating and scoring risks. In the absence of a tool, data may be residing in multiple scattered locations. Collating this data is not only time consuming, but also affects the outcome if not collated properly.
- Managing different criticality threshold limits: Risks are at different threshold limits based on their criticality. For example, a risk rated very high by a business unit may not have the same threshold limit assigned by another business unit or at an enterprise level, making it a medium or low risk. Considering this, there may be multiple thresholds e.g. financial, reputational etc. across an intersection of different hierarchies making the challenge further complicated. Hence, using the simple average method to aggregate risk may not give an accurate picture of risk exposure.
- Combination of qualitative and quantitative data: A majority of the information is qualitative making it difficult to come to an exact risk score.
MetricStream’s Risk Aggregation Functionality To Solve These Challenges
MetricStream provides capabilities to manage an organization’s entire risk management requirement from risk identification to risk assessment, control evaluation, risk treatment, and risk and control continuous evaluation and reporting.
Given below are some of the core capabilities for risk assessment and aggregation:
- Access advanced tools for planning, scheduling, and performing risk assessments at all levels to collect all relevant information about each risk, and once the assessments are complete, route the results for review and approval.
- Perform assessments easily with a simple and intuitive user interface.
- Enable both top-down and bottom-up approaches to risk assessments.
- Easily configure rules to calculate risk scores. Define multiple parameters to collect information such as likelihood, impact, severity, velocity etc.
- Manage simple assessments by rating a risk, or advanced assessments using multiple factors and advanced risk scoring to meet variations in the risk assessment methodology across business units, regions, and products.
- Add or delete risks and controls while performing an assessment.
- Assess the overall control environment based on multiple factors.
- Define the logic for computing inherent and residual risk scores and analyze them through heat maps.
- Aggregate the scores based on averages, worst-case scenarios (maximum), or best-case scenarios (minimum).
- Aggregate risk scores using weighted average method where weights can be given to multiple dimensions including organization, objective, product, process, assessable item or risk hierarchy for improved and accurate risk visibility.
- Easily configurable workflows that supports users to take necessary actions against risks that require immediate effect or preventive actions or are minor concerns. Review and respond accordingly.
- Enable continuous monitoring with real-time update of risk scores and underlying workflows.
As risk continues to permeate through all levels of an organization, being able to gain a holistic view of risks will help build resilience and profitability. Risk aggregation could be a key pivot on which better risk-aware decisions can be made across the lines of the business, propelling organizations towards accelerated performance, thriving on risk.