Another overlooked risk assessment problem
Following up on last week’s post, there is one major problem that I haven’t talked about before.
Too many want to quantify every risk in dollars (or other currency) as if they were equal. But they are not.
Maybe they avoid the trap of multiplying one possible impact by its likelihood. (That is wrong for several reasons, discussed elsewhere.)
But they still come up with some number of dollars for the level of risk that is not comparable to other sources of risk and cannot be aggregated with other risks and opportunities to develop the big picture necessary for decision-making.
The easiest situation to illustrate this is:
- Risk A: The risk that one or more major customers will not issue orders at the anticipated level is assessed with a number based on the potential revenue
- Risk B: The risk that gas prices will risk and increase the cost of both purchased materials and related freight; this is assessed with a number based on the potential change in cost.
These are not the same dollars.
How about this one?
- Risk C: The risk that a lawsuit will result in a verdict against the company, causing the company to have to make a massive payment (even if the lawsuit is settled). This time, the dollars are cash
Then there are these:
- Risk D: A product quality defect might lead to a loss of revenue and an increase in cost until it is resolved and customer claims settled. This could take as long as two months. Maybe the dollars are profit dollars this time.
- Risk E: The emergence of a new competitor could also lead to a loss of revenue, but this time the loss is prolonged and could even be permanent.
Or there’s this variation on Risk C:
- Risk C2: The risk that a lawsuit could result in continuing payments over ten years.
Even if the loss in C2 is discounted to present value, there is a huge cash flow difference that could be serious.
It is usually easier to handle a loss or payment that is spread over time than one that has to be paid immediately.
While some of these issues could be addressed by assessing every source of risk based on earnings (i.e., instead of revenue or cost), that doesn’t take into account:
- The ability of the organization to sustain the impact,
- The time it would take to detect (in some cases) and address the impacts, or
- The fact that it doesn’t make sense to assess risks like safety and compliance purely in dollar terms.
This is why I believe that risk should be assessed in terms of the potential effect on the achievement of specific enterprise objectives. Isn’t this what COSO ERM and ISO 31000 [should] say?
When the potential effect is assessed this way, it can be compared to other sources of risk and opportunity and included with others to develop the big picture for decision-making.
I welcome your thoughts.
Leave a comment
Norman Marks on Governance, Risk Management, and Internal Audit 
Not an issue for a quant, never even come across this to be an issue. We assess risks not as X but as F(X), so cashflow@risk or npv@risk then can compare apples to apples and on top of that there are plenty of uses for just quantifying losses for a single standalone risk
It should be, Alex. We should talk!
Why do you think it should be? I meant it was solved ages ago and no longer an issue for a quant. It hasn’t been an issue for so long that I never even come across it being an issue
I think I explained in the post, but we need to talk
True Norman. There is an approach in which “a dollar is a dollar is a dollar”. This is about as flawed as it is simple.
There are huge differences between losing a dollar of revenue or adding a dollar of costs, let alone a dollar of cash-flow. If the amount is the same, lost revenue may be “bad”, lost profit may be “very serious” and lost cash flow the cause of illiquidity and bankruptcy.
It is a rookie mistake to think of these as “one and the same” and one no adept risk manager should ever fall into.
Agree that risks should be analyzed and prioritized in light of the effect on achieving objectives. A dollar of lost profit may translate into ten dollars of lost revenue. We also should not lose sight of how we describe a risk: the same risk may have a high-likelihood of a low-impact, a low-likelihood of a high-impact, and many points in between. Many business risks (i.e., those for which scant data exist, unlike auto accidents or worker safety incidents) can have many equally valid likelihood-impact pairs. This is where the art and science of risk management merge.
There is obviously a relationship between revenues, costs, and profits. So what exactly is the challenge?
The challenge is that people are assessing some risks using a dollar of revenue and others with a dollar of cost, and then comparing them.
In addition, a dollar of cash now is not the same as a dollar spread over several months. NPV doesn’t necessarily bridge the gap when cash flow is tight.