• Define risk appetite and explain the role of risk appetite in corporate governance.
• Describe considerations a firm must make in determining its risk appetite, and explain how an organization's risk appetite can differ for various risk factors.
• Differentiate between risk appetite and risk tolerance, and explain how an organization can align its risk tolerance to its risk appetite.
• Explain how an organization can develop, communicate, monitor and update its risk appetite.
2.
• Compare impact, likelihood, vulnerability, and speed of onset of potential risk events and explain how a scale can be created to assess these four factors with respect to specific potential risk events.
• Identify examples of actions a firm can take to reduce its vulnerability to specific risk events.
• Describe methods to capture interactions between risk factors, including risk interaction maps and the bow-tie diagram.
• Explain how a risk hierarchy can be created to rank and prioritize risks.
• Explain the use of heat maps and MARCI (Mitigate, Assure, Redeploy, and Cumulative Impact) charts in aggregating, comparing, and prioritizing risks faced by a firm.
2014
3.
4.
• Differentiate between key performance indicators (KPIs) and key risk indicators (KRIs).
• Explain considerations and challenges faced by a firm in the process of developing KRIs.
Robert Bea, Ian Mitroff, Daniel Farber, Howard Foster and Karlene H. Roberts. A New Approach to Risk: The Implications of E3. (Palgrave Macmillan 2009).
• Explain why human error may be overlooked in risk assessment and why engineering analyses often underestimate the probability of a system failure.
Thought Leadership in ERM | Enterprise Risk Management Understanding and Communicating Risk Appetite |
Committee of Sponsoring Organizations of the Treadway Commission
Enterprise Risk Management
Understanding and Communicating Risk Appetite
By Dr. Larry Rittenberg and Frank Martens
www.coso.org
Authors
Dr. Larry Rittenberg
Ernst & Young Professor of Accounting
University of Wisconsin-Madison School of Business
Frank Martens
Director, PricewaterhouseCoopers (PwC)
Larry E. Rittenberg
COSO Chair - Emeritus
Chuck E. Landes
American Institute of CPAs (AICPA)
Richard F. Chambers
The Institute of Internal Auditors
Jeff C. Thomson
Institute of Management Accountants
Marie N. Hollein
Financial Executives International
Preface
This project was commissioned by COSO, which is dedicated to providing thought leadership
through the development of comprehensive frameworks and guidance on enterprise risk
management, internal control, and fraud deterrence designed to improve organizational
performance and governance and to reduce the extent of fraud in organizations. COSO is a
private sector initiative, jointly sponsored and funded by the following organizations:
Enterprise Risk Management
Understanding and Communicating Risk Appetite
Research Commissioned by
January 2012
Copyright 2012, The Committee of Sponsoring Organizations of the Treadway Commission (COSO).
All Rights Reserved. No part of this publication may be reproduced, redistributed, transmitted or displayed in any form or
by any means without written permission. For information regarding licensing and reprint permissions please contact the
American Institute of Certified Public Accountants, licensing and permissions agent for COSO copyrighted materials.
Direct all inquiries to copyright@aicpa.org or to AICPA, Attn: Manager, Rights and Permissions, 220 Leigh Farm Rd.,
Durham, NC 27707. Telephone inquiries may be directed to 888-777-7707.
Content Outline
Executive Summary
Overview
Roles
Summary of Considerations
About COSO
Executive Summary
Organizations encounter risk every day as they pursue their
objectives. In conducting appropriate oversight, management
and the board must deal with a fundamental question: How
much risk is acceptable in pursuing these objectives? Added
to this, regulators and other oversight bodies are calling
for better descriptions of organizations' risk management
processes, including oversight by the board.
This thought leadership document is one of a series
of papers, sponsored by the Committee of Sponsoring
Organizations of the Treadway Commission (COSO), to
help organizations implement enterprise risk management
(ERM). The COSO document Enterprise Risk Management
Integrated Framework explicitly states that organizations
must embrace risk in pursuing their goals. The key is to
understand how much risk they are willing to accept.
Further, how should an organization decide how much
risk it is willing to accept? To what extent should the risks
accepted mirror stakeholders' objectives and attitudes
towards risk? How does an organization ensure that
its units are operating within bounds that represent the
organization's appetite for specific kinds of risk?
Risk appetite is the amount of risk, on a broad level,
an organization is willing to accept in pursuit of value.
Each organization pursues various objectives to add
value and should broadly understand the risk it is
willing to undertake in doing so.
Can It Be Done?
[Figure: the risk appetite cycle: Develop/Revise Risk Appetite, Communicate, Monitor]
Overview
Risk Appetite Is an Integral
Part of Enterprise Risk Management
COSO's Enterprise Risk Management Integrated
Framework defines risk appetite as follows:
The amount of risk, on a broad level, an entity is willing
to accept in pursuit of value. It reflects the entity's risk
management philosophy, and in turn influences the
entity's culture and operating style. Risk appetite
guides resource allocation. Risk appetite [assists the
organization] in aligning the organization, people, and
processes in [designing the] infrastructure necessary to
effectively respond to and monitor risks.1
This definition raises some important points. Risk appetite
• is strategic and is related to the pursuit of organizational objectives;
• forms an integral part of corporate governance;
• guides the allocation of resources;
Exhibit 1
Overview of Considerations Affecting Risk Appetite
[Figure: Existing Risk Profile, Risk Capacity, Risk Tolerance, and Attitudes Towards Risk all feed into the Determination of Risk Appetite]
One major problem that led to the current financial crisis was
that although objectives had been created, there was no
articulation of risk appetite or identification of those
responsible when risks were incurred.
Exhibit 2
Interrelationship of Strategy, Management Decisions, and Risk Appetite
[Figure: management sets strategic goals and objectives; formulates strategies (Strategy 1, Strategy 2, Strategy 3, ...); establishes operations, compliance, and reporting objectives; makes decisions on how to manage risks relating to the achievement of objectives. Risk appetite is considered in the setting of strategies and objectives and in how risks are managed.]
Exhibit 3
[Figure: Risk Appetite at the centre, linked to: Link to Objectives (Specific Objectives; Time Frame, Portfolio of Projects); Determine Acceptable Risk Tolerances; State With Sufficient Precision; Facilitate Alignment (People, Process, Infrastructure; Operations Decisions); Facilitate Monitoring of Risk (Communicate, Monitor, Adjust)]
Exhibit 4
[Figure: university example with risks placed as Acceptable or Not Acceptable: increased costs due to incompatibility with legacy computer systems; reduced security of IT; reduced teaching reputation; reduced research reputation]
Exhibit 5
[Figure: Management sets OBJECTIVES; the remainder of the figure was not recovered]
Operations Tolerances
• Near zero risk tolerance for product defects
• Low risk tolerance for sourcing products that fail to meet the company's quality standards
• Low, but not zero, risk tolerance for meeting customer orders on time, and a very low tolerance for failing to meet demands within x number of days
• High risk tolerance for potential failure in pursuing research that will enable the company's product to better control, and increase the efficiency of, energy use
Reporting Tolerances
• Low risk tolerance concerning the quality, timing, and accessibility of data needed to run the business
• Very low risk tolerance concerning the possibility of significant or material deficiencies in internal control
• A low risk tolerance related to financial reporting quality (timeliness, transparency, GAAP, etc.)
Compliance Tolerances
• Near zero risk tolerance for violations of regulatory requirements or the company's code of ethics
The idea behind the risk tolerances is that if the university falls
below any of the measures, corrective action will take place.
Corrections will come not from adjusting the risk appetite but
from reassessing the risk appetite and the strategies the
university has implemented in the context of the risk appetite.
Risk Tolerance
Exhibit 6
Questions to Facilitate Discussion of Risk Appetite at Management and Board Level
1. On a scale of 1 to 10, with 1 being the lowest, describe what you believe the organization's overall risk appetite has been and what you think it should be. Explain any differences between what you perceive it has been and what you believe it should be. Relate this to your number one strategic goal.
2. Various operations help an organization achieve its objectives. Using the categories below, or other categories consistent with the organization's operations, rate the desired risk appetite related to the following (rating can be broad, such as high, medium, or low, or precise, such as specific metrics that should not be exceeded):
a. Meeting customer requirements
b. Employee health and safety
c. Environmental responsibility
d. Financial reporting
e. Operational performance
f. Regulatory compliance
g. Shareholder expectations
h. Strategic initiatives / growth targets
As you rate each category, indicate areas where you believe the organization is taking either too much or too little risk in pursuing its objectives.
3. How would you rate the effectiveness of the organization's process for identifying, assessing, managing, and reporting risks in relation to the overall risk appetite? What are the major areas for improvement?
4. Are management's strategies communicated sufficiently for there to be meaningful discussion of risk appetite in pursuit of those strategies, both at the broad organizational level and at the operational level, and for consistency to be analyzed?
5. How satisfied are you that the board is providing effective oversight of the risk appetite through its governance process? This includes board committees and/or the board itself to help set the appetite and to monitor over time that management is adhering to the overall risk appetite in pursuit of value.
6. Whom do you see as more accepting of risk, or more willing to take risks to meet the goals of the organization?
a. Management
b. Board
c. Management and board have similar levels of acceptable risk
7. Does the organization motivate management (senior management and operational management) to take higher than desired risks because of the compensation plans in place? If yes, how do you believe the compensation plans should be modified to bring approaches for generating high performance within the risk appetite?
8. What do you believe the organization should do?
a. Reduce its risk appetite
b. Increase its risk appetite
c. Make no change
9. Do you believe there are risks considered to be above the organization's existing risk appetite that need to be reduced? In other words, are there areas where the risk appetite, as currently used, is too low?
10. What risks over the past five years were, in your view, above the organization's risk appetite? Were the risks understood when a strategy was developed? How could management have communicated its risk appetite so that the board could both (a) evaluate the risk appetite and (b) provide proper oversight? How could management have communicated its risk appetite so as to hold operational units to actions consistent with the risk appetite?
[Figure: two 5x5 heat maps with different risk appetite lines drawn across them. Map 1 shows a High Risk Appetite, map 2 a Low Risk Appetite. Likelihood axis: Almost never, Unlikely, Possible, Likely, Almost certain. Impact axis: Insignificant, Minor, Moderate, Major, Catastrophic.]
[Figure: COSO ERM cube. Objective categories: Strategic, Operations, Reporting, Compliance. Components shown: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities. Entity levels: Subsidiary, Business Unit, Division, Entity-Level.]
Categories of Risk
The third option is to communicate appetite for categories
of risk. Some organizations use broad, generic risk
categories, such as economic, environmental, political,
personnel, or technology, in their risk appetite statements.
Others use more tailored risk categories that apply to their
field. For example, a company in information processing
may group risks related to system availability, data security
and privacy, system scalability, system design, and
release management.
Roles
It is management's role to develop the risk appetite and to obtain the board's agreement that the risk appetite is suitable for the organization. We believe that the board is in place to oversee management and to monitor the broader risk management process, including whether the organization is adhering to its stated risk appetite. Any board, serving any organization of any size or structure (for-profit, not-for-profit, private), has a fiduciary responsibility to question management's development and implementation of a risk appetite and to require changes if it believes the risk appetite is either badly communicated or inconsistent with shareholder values.
[Figure: Board Oversight surrounding Management's cycle of Develop/Revise Risk Appetite, Communicate, Monitor]
Exhibit 7
Board and Management Responsibilities
1. Management establishes risk appetite: An organization cannot know how well it is managing risk unless it establishes ranges of acceptable risk it can take in pursuit of its objectives. In doing so, management must effectively and clearly communicate:
a. Goals and objectives
b. Strategies
c. Metrics (to know whether objectives are being achieved)
d. Relevant time periods for pursuing the objectives
e. Ranges of risk the organization is willing to take in pursuing the objectives
2. Board oversees risk appetite: Oversight of the risk appetite (or acceptable ranges of acceptable risk) should be considered at the board level in conjunction with the senior management team.
3. Applies throughout organization: Risk appetite needs to be applied regularly throughout all functional units of the organization. Culture is important: the organization must work to build the board's view of risk appetite into the organizational culture.
4. Aligns with stakeholders and managers: Because individuals are accountable for their results, every organization needs a robust governance process to ensure that compensation and incentive systems are aligned with the organization's objectives and are managed to fall within the organization's risk appetite.
5. Manages risks and risk appetite over time: Organizations need to understand that risk appetites may change over time. Boards must be proactive on two levels:
a. Communicating their articulation of risk appetite
b. Monitoring organizational actions, processes, etc., to determine whether organizational activity has strayed outside the organization's risk appetite
6. Monitors to ensure adherence to risk appetite: Adherence to an organization's risk appetite, as well as to its risk management processes, should be monitored regularly. The results of the monitoring should be reported to the audit committee and/or board and to the relevant members of executive management.
7. Supports culture: The tone at the top influences the culture of the organization. The tone can be either positive or negative in ensuring that risks are managed within acceptable limits. Ideally, prudent risk taking is built into the organization's culture in its public statement of core values.
8. Considers resources: It takes effort to operate within the organization's risk appetite. Resources must be available and dedicated to operating within this appetite.
9. Communicates through strategies and objectives: Risk appetite is communicated effectively only if the organization can clearly communicate its major strategies and objectives at both the global level and the functional/operational level.
10. Clearly communicates how much risk the organization is willing to accept at all levels: Risk appetite and risk tolerance are complementary concepts. They can be combined to determine acceptable ranges of risk for the organization.
Risk appetite is developed by management and reviewed by the board. COSO's Enterprise Risk Management Integrated Framework emphasizes the board's important role in overseeing risk management. Oversight should begin with a studied discussion and review of management's articulation of risk appetite relative to the organization's strategies.
Summary of Considerations
The COSO Enterprise Risk Management Integrated
Framework sets out five principles related to risk appetite:
1. It is a guidepost in strategy setting.
2. It guides resource allocation.
3. It aligns organization, people, processes, and
infrastructure.
4. It reflects the entity's risk management philosophy
and influences the culture and operating style.
5. It is considered in strategy setting so that strategy
aligns with risk appetite.
Risk appetite does not exist in a vacuum; rather, it is an
integral part of an organization's strategies for achieving
objectives. The concept of risk appetite permeates all
organizations, from charities and governments to small
businesses and publicly traded corporations.
About COSO
Originally formed in 1985, COSO is a joint initiative of five private sector organizations and is dedicated to providing thought
leadership through the development of frameworks and guidance on enterprise risk management (ERM), internal control
and fraud deterrence. COSO's supporting organizations are The Institute of Internal Auditors (IIA), the American Accounting
Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI),
and the Institute of Management Accountants (IMA).
Note to Readers
The information contained herein is of a general nature and based on authorities that are subject to change. Applicability of
the information to specific situations should be determined through consultation with your professional adviser. This thought
paper represents the views of the authors only, and does not necessarily represent the views or professional advice of the
University of Wisconsin, PwC, or COSO.
Committee of Sponsoring Organizations of the Treadway Commission
Risk Assessment in Practice
By Deloitte & Touche LLP
Dr. Patchin Curtis | Mark Carey
The information contained herein is of a general nature and based on authorities that are subject to change. Applicability of the information to
specific situations should be determined through consultation with your professional adviser, and this paper should not be considered a substitute
for the services of such advisors, nor should it be used as a basis for any decision or action that may affect your organization.
Authors
Deloitte & Touche LLP
Principal Contributors
Dr. Patchin Curtis
Director,
Deloitte & Touche LLP
Mark Carey
Partner,
Deloitte & Touche LLP
Marie N. Hollein
Financial Executives International
Douglas F. Prawitt
American Accounting Association
Chuck E. Landes
American Institute of CPAs (AICPA)
Richard F. Chambers
The Institute of Internal Auditors
Sandra Richtermeyer
Institute of Management Accountants
Preface
This project was commissioned by the Committee of Sponsoring Organizations of the Treadway Commission
(COSO), which is dedicated to providing thought leadership through the development of comprehensive
frameworks and guidance on enterprise risk management, internal control, and fraud deterrence designed to
improve organizational performance and governance and to reduce the extent of fraud in organizations.
COSO is a private-sector initiative jointly sponsored and funded by the following organizations:
Research Commissioned by
October 2012
Copyright 2012, The Committee of Sponsoring Organizations of the Treadway Commission (COSO).
All Rights Reserved. No part of this publication may be reproduced, redistributed, transmitted or displayed in any form or
by any means without written permission. For information regarding licensing and reprint permissions please contact the
American Institute of Certified Public Accountants licensing and permissions agent for COSO copyrighted materials.
Direct all inquiries to copyright@aicpa.org or AICPA, Attn: Manager, Rights and Permissions, 220 Leigh Farm Rd.,
Durham, NC 27707. Telephone inquiries may be directed to 888-777-7707.
Contents
Introduction
Assess Risks
Prioritize Risks
About COSO
Introduction
Value is a function of risk and return. Every decision
either increases, preserves, or erodes value. Given that
risk is integral to the pursuit of value, strategic-minded
enterprises do not strive to eliminate risk or even to
minimize it, a perspective that represents a critical change
from the traditional view of risk as something to avoid.
Rather, these enterprises seek to manage risk exposures
across all parts of their organizations so that, at any given
time, they incur just enough of the right kinds of risk, no
more, no less, to effectively pursue strategic goals. This is
the sweet spot, or optimal risk-taking zone, referred to in
exhibit 1.
That's why risk assessment is important. It's the way in
which enterprises get a handle on how significant each
risk is to the achievement of their overall goals.
Exhibit 1
[Figure: Expected Enterprise Value plotted against Risk Level, with regions of Insufficient Risk-Taking, Optimal Risk-Taking (the "Sweet Spot"), and Excessive Risk-Taking]
1 Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management Integrated Framework, 2004.
[Figure: the risk assessment process: Develop Assessment Criteria, Assess Risks, Assess Risk Interactions, Prioritize Risks, Respond to Risks]
Impact
Impact (or consequence) refers to the extent to which a
risk event might affect the enterprise. Impact assessment
criteria may include financial, reputational, regulatory,
health, safety, security, environmental, employee,
customer, and operational impacts. Enterprises typically
define impact using a combination of these types of impact
considerations (as illustrated below), given that certain
risks may impact the enterprise financially while other
risks may have a greater impact to reputation or health and
safety. When assigning an impact rating to a risk, assign
the rating for the highest consequence anticipated. For
example, if any one of the criteria for a rating of 5 is met,
then the impact rating assigned is 5 even though other
criteria may fall lower in the scale.
Impact scale (Rating, Descriptor, Definition)
5, Extreme:
  Financial loss of $X million or more (3)
  International long-term negative media coverage; game-changing loss of market share
  Significant prosecution and fines, litigation including class actions, incarceration of leadership
  Significant injuries or fatalities to employees or third parties, such as customers or vendors
  Multiple senior leaders leave
4, Major:
  Financial loss of $X million up to $X million
  National long-term negative media coverage; significant loss of market share
  Report to regulator requiring major project for corrective action
  Limited in-patient care required for employees or third parties, such as customers or vendors
  Some senior managers leave, high turnover of experienced staff, not perceived as employer of choice
3, Moderate:
  Financial loss of $X million up to $X million
  National short-term negative media coverage
  Report of breach to regulator with immediate correction to be implemented
  Out-patient medical treatment required for employees or third parties, such as customers or vendors
  Widespread staff morale problems and high turnover
2, Minor: (definitions not recovered)
1, Incidental: (definitions not recovered)
3 Financial impact is typically measured in terms of loss or gain, profitability or earnings, or capital.
Likelihood
Likelihood represents the possibility that a given event
will occur. Likelihood can be expressed using qualitative
terms (frequent, likely, possible, unlikely, rare), as a percent
probability, or as a frequency. When using numerical values,
whether a percentage or frequency, the relevant time period
should be specified such as annual frequency or the more
Likelihood scale (Rating, Annual Frequency descriptor, Definition, Probability descriptor)
5, Frequent, Up to once in 2 years or more, Almost certain
4, Likely, Once in 2 years up to once in 25 years, Likely
3, Possible, Once in 25 years up to once in 50 years, Possible
2, Unlikely, Once in 50 years up to once in 100 years, Unlikely
1, Rare, (definition not recovered), Rare
(The probability definitions for each rating were not recovered.)
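The impact rule stated above (assign the rating for the highest consequence met by any criterion) and the annual-frequency likelihood bands in the table are easy to get wrong when applied by hand across a large register, so the following Python is an added example, not code from the COSO or Deloitte papers, that implements both and then places each rated risk on a 5x5 heat map against a stepped risk appetite line like the ones drawn in the Risk Appetite paper's two heat maps. The appetite lines (HIGH_APPETITE, LOW_APPETITE), the sample register, and the treatment of anything rarer than once in 100 years as Rare are constructed assumptions; the page gives neither numeric appetite thresholds nor the Rare band.

```python
"""Risk rating on the page's 1-5 scales: impact by the highest-criterion rule,
likelihood by annual-frequency band, then a heat-map check against a risk
appetite line. Added example; not code from COSO or Deloitte. The appetite
lines and the sample register below are constructed."""
from dataclasses import dataclass

IMPACT_DESCRIPTOR = {5: "Extreme", 4: "Major", 3: "Moderate", 2: "Minor", 1: "Incidental"}
LIKELIHOOD_DESCRIPTOR = {5: "Frequent", 4: "Likely", 3: "Possible", 2: "Unlikely", 1: "Rare"}

# Constructed appetite lines (assumption): for each impact rating, the highest
# likelihood rating still inside appetite. Together they form a stepped line
# across the 5x5 heat map, like the lines drawn in the two heat maps on the page.
HIGH_APPETITE = {1: 5, 2: 5, 3: 4, 4: 3, 5: 2}
LOW_APPETITE = {1: 5, 2: 4, 3: 3, 4: 2, 5: 1}


def rate_impact(criteria_ratings):
    """Impact rating is the highest rating met by any criterion (financial,
    reputational, regulatory, health/safety, employee, ...), as the page states."""
    if not criteria_ratings:
        raise ValueError("rate at least one impact criterion")
    for name, rating in criteria_ratings.items():
        if rating not in IMPACT_DESCRIPTOR:
            raise ValueError(f"criterion {name!r}: rating {rating} is not in 1-5")
    return max(criteria_ratings.values())


def rate_likelihood(events_per_year):
    """Annual frequency to 1-5 rating using the page's bands:
    5 = once in 2 years or more often, 4 = once in 2 up to once in 25 years,
    3 = once in 25 up to once in 50, 2 = once in 50 up to once in 100,
    1 (Rare) = less often than once in 100 years (assumption; the page leaves
    the Rare band undefined)."""
    if events_per_year < 0:
        raise ValueError("frequency cannot be negative")
    if events_per_year >= 1 / 2:
        return 5
    if events_per_year >= 1 / 25:
        return 4
    if events_per_year >= 1 / 50:
        return 3
    if events_per_year >= 1 / 100:
        return 2
    return 1


def within_appetite(impact, likelihood, appetite):
    """A heat-map cell is inside appetite when its likelihood does not exceed
    the appetite line for that impact rating."""
    return likelihood <= appetite[impact]


@dataclass
class Rated:
    name: str
    impact: int
    likelihood: int
    score: int  # impact x likelihood, used only to order the register
    in_appetite: bool


def assess_register(register, appetite):
    """Rate every (name, criteria, events_per_year) entry; highest score first."""
    rated = []
    for name, criteria, freq in register:
        imp, lik = rate_impact(criteria), rate_likelihood(freq)
        rated.append(Rated(name, imp, lik, imp * lik, within_appetite(imp, lik, appetite)))
    rated.sort(key=lambda r: (-r.score, r.name))
    return rated


def render_heat_map(rated, appetite):
    """Text heat map, rows = likelihood 5..1, columns = impact 1..5:
    '#' a cell holding a risk, '.' empty and inside appetite, 'x' empty and beyond it."""
    occupied = {(r.impact, r.likelihood) for r in rated}
    lines = []
    for lik in range(5, 0, -1):
        cells = ["#" if (imp, lik) in occupied
                 else "." if within_appetite(imp, lik, appetite) else "x"
                 for imp in range(1, 6)]
        lines.append(f"{LIKELIHOOD_DESCRIPTOR[lik]:>9} | {' '.join(cells)}")
    lines.append("          | 1 2 3 4 5  (impact)")
    return "\n".join(lines)


# Constructed sample register: (name, {criterion: rating}, events per year).
SAMPLE_REGISTER = [
    ("Customer data breach", {"financial": 3, "reputational": 4, "regulatory": 4}, 0.2),
    ("Plant fire with injuries", {"health_safety": 5, "financial": 3}, 0.005),
    ("Monthly report late", {"financial": 1, "reputational": 2}, 1.0),
    ("Legacy system outage", {"financial": 2, "operational": 3}, 2.0),
]

if __name__ == "__main__":
    for label, appetite in (("High appetite", HIGH_APPETITE), ("Low appetite", LOW_APPETITE)):
        rated = assess_register(SAMPLE_REGISTER, appetite)
        print(f"--- {label} ---")
        for r in rated:
            print(f"{r.name:26} impact={r.impact} ({IMPACT_DESCRIPTOR[r.impact]}) "
                  f"likelihood={r.likelihood} ({LIKELIHOOD_DESCRIPTOR[r.likelihood]}) "
                  f"score={r.score:2} -> {'within' if r.in_appetite else 'EXCEEDS'}")
        print(render_heat_map(rated, appetite))
```

Running the script shows the point the two heat maps make: the same register rated on the same scales lands differently against the two appetite lines. The late monthly report (Minor impact, Frequent) sits inside the high appetite but outside the low one, while the plant fire (Extreme impact, Rare) is inside both because the line leaves only the rarest band open at that impact. Because impact is taken as the maximum across criteria, the data breach is rated Major from its reputational and regulatory ratings even though its financial rating alone is only Moderate.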
Vulnerability
Vulnerability refers to the susceptibility of the entity to a risk
event in terms of criteria related to the entity's preparedness,
agility, and adaptability. Vulnerability is related to impact
and likelihood. The more vulnerable the entity is to the risk,
the higher the impact will be should the event occur. If risk
responses including controls are not in place and operating
as designed, then the likelihood of an event increases.
Assessing vulnerability allows entities to gauge how well
they're managing risks.
Vulnerability scale (Rating, Descriptor, Definition)
5, Very High: (definition not recovered)
4, High: (definition not recovered)
3, Medium: (definition not recovered)
2, Low:
  Strategic options defined
  Medium to high enterprise level/process level capabilities to address risks
  Responses implemented and achieving objectives except under extreme conditions
  Contingency and crisis management plans in place, some rehearsals
1, Very Low: (definition not recovered)
4 A real option is an option involving real, as opposed to financial, assets. Real assets include land, plant, and machinery. Real option analysis uses option pricing theory to value capital investment opportunities. An example of a real option would be the overbuilding of a facility to provide strategic flexibility in the event that demand were to increase faster than production capacity.
[Table: descriptors Very High, High, Medium, Low, Very Low; the table heading and the definitions were not recovered]
Assess Risks
Risk assessment is often performed as a two-stage
process. An initial screening of the risks and opportunities
is performed using qualitative techniques followed by a
more quantitative treatment of the most important risks and
opportunities lending themselves to quantification (not all
risks are meaningfully quantifiable). Qualitative assessment
consists of assessing each risk and opportunity according
to descriptive scales as described in the previous section.
Quantitative analysis requires numerical values for both
impact and likelihood using data from a variety of sources.
Qualitative assessment
Advantages:
• Is relatively quick and easy
• Provides rich information beyond financial impact and likelihood such as vulnerability, speed of onset, and non-financial impacts such as health and safety and reputation
• Is easily understood by a large number of employees who may not be trained in sophisticated quantification techniques
Disadvantages: (not recovered)
Surveys
Surveys are useful for large, complex, and geographically
distributed enterprises or where the culture suppresses
open communication. Survey results can be downloaded
into analytical tools allowing risks and opportunities to be
viewed by level (board members, executives, managers),
by business unit, by geography, or by risk category.
Surveys have drawbacks too. Response rates can be low.
If the survey is anonymous, it may be difficult to identify
information gaps. Quality of responses may be low if
respondents give survey questions superficial attention in
a rush to completion, or if they misunderstand something
and don't have the opportunity to ask clarifying questions.
But perhaps most of all, respondents don't benefit from
cross-functional discussions which enhance people's
risk awareness and understanding, provide context and
information to support the risk ratings, and analyze risk
interactions across silos. For these reasons, surveys
should not be considered a substitute for workshops and
other techniques for in-depth analysis of key risks.
Benchmarking
Benchmarking is a collaborative process among a
group of entities. Benchmarking focuses on specific
events or processes, compares measures and results
using common metrics, and identifies improvement
opportunities. Data on events, processes, and measures
are developed to compare performance. Some companies
use benchmarking to assess the likelihood and impact
of potential events across an industry. Benchmarking
data are available from research organizations, industry
consortia, insurance companies and rating agencies,
government agencies, and regulatory and supervisory
bodies. For example, an oil field services company might
benchmark its safety risk using measures such as lost time
injuries using data for similar companies available from the
Bureau of Labor Statistics, the Occupational Safety and
Health Administration (OSHA), the American Petroleum
Institute (API), or others.
Scenario Analysis
Scenario analysis has long been recognized for its
usefulness in strategic planning. It is also useful for
assessing risks and tying them back to strategic objectives.
It entails defining one or more risk scenarios, detailing the
key assumptions (conditions or drivers) that determine
the severity of impact, and estimating the impact on a key
objective. In the example below, management wanted to
understand how earnings could be negatively impacted.
Exhibit: Scenario analysis table (columns: Scenario Description, Detailed Assumptions, impact on earnings). Recoverable content: one scenario assumed a 100% increase, sustained for 3 months, with 25% of the cost increase passed through to customers; further scenarios listed were 4) Technology shift and 5) Competitive pressure; earnings impacts shown across the scenarios were -$500, -$150, -$15, -$275, -$200 and -$175 (the pairing of rows to values is not recoverable).
Exhibit: Risk interaction map. The same twelve risks label both axes of the matrix so that each pairwise interaction can be marked: Supply Chain Disruption; Customer Preference Shift; Copper Price Increase >25%; Work Stoppage >1 Week; Economic Downturn; Supplier Consolidation; Local Competitor Enters Market; New Substitutes Available; Cost of Capital Increase >5%; Tighter Emission Standards; FCPA Violation; Exchange Rate Fluctuations.
Exhibit: Bow-tie diagram. On the left, conditions and trigger events lead to the central Risk; on the right, the Risk branches into intermediate events, each leading to an end event and its consequence (End Event (Loss)).
Note: The terms fault tree, event tree, and bow-tie diagram are sometimes used interchangeably.
Prioritize Risks
Once the risks have been assessed and their interactions
documented, it's time to view the risks as a comprehensive
portfolio to enable the next step: prioritizing for risk
response and reporting to different stakeholders. The term
"risk profile" represents the entire portfolio of risks facing
the enterprise. Some entities represent this portfolio as
a hierarchy, some as a collection of risks plotted on a
heat map. Entities with more mature ERM programs and
quantitative capabilities may aggregate individual risk
distributions into a cumulative loss probability distribution
and refer to that as the risk profile.
Similar to assessing risks, ranking and prioritizing is often
done in a two-step process. First, the risks are ranked
according to one, two, or more criteria such as impact
rating multiplied by likelihood rating or impact multiplied
Exhibit: Risk hierarchy. The same risks are rolled up two ways: by organizational unit (Business Unit 1, with Project 1 and Project 2 beneath it; Business Unit 2) and by risk category (Strategic, Financial, Operational, Compliance). Individual risks (Risk ABC, DEF, GHI, JKL, UVW, XYZ, ... Risk n) appear under more than one node, for example "Risk UVW in Project 1" and "Risk DEF in Bus. Unit 1".
Risk Maps
Another simple way to view the portfolio is to create a
risk map, often called a heat map. These are usually two-dimensional representations of impact plotted against
likelihood. They can also depict other relationships such as
impact versus vulnerability. For even richer information, the
size of the data points can reflect a third variable such as
speed of onset or the degree of uncertainty in the estimates.
The most common way to prioritize risks is by designating
a risk level for each area of the graph such as very high,
high, medium, or low, where the higher the combined
impact and likelihood ratings, the higher the overall risk
level. The boundaries between levels vary from entity to
entity depending on risk appetite. For example, an entity
with a greater risk appetite will have boundaries between
risk levels shifted toward the upper right, and an entity with
greater risk aversion will have boundaries between risk
levels shifted toward the bottom left. Also, some entities
adopt asymmetric boundaries placing a somewhat greater
emphasis on impact than on likelihood. For example, a risk
having an impact rating of moderate and likelihood rating
of frequent has an assigned risk level of high, whereas a
risk having an impact rating of extreme and a likelihood
rating of possible has an assigned risk level of very high.
After plotting on the heat map, risks are then ranked from
highest to lowest in terms of risk level. These rankings
may then be adjusted based on other considerations such
as vulnerability, speed of onset, or detailed knowledge of
the nature of the impact. For example, within a group of
risks having a designation of very high, those risks having
extreme health and safety or reputational impacts may be
prioritized over risks having extreme financial impacts but
lesser health and safety or reputational impacts.
When using numerical ratings in a qualitative environment,
it's important to remember that the numbers are labels and
not suitable for mathematical manipulation, although some
entities do multiply the ratings, such as for impact and
likelihood, to develop a preliminary ranking.
Where entities have defined impact scales for both
opportunities and risks, they may plot risks on a map
such as that illustrated in exhibit 6. This allows a direct
comparison of the highest rated opportunities and risks for
consideration and prioritization.
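As an added example (not part of the COSO text), the following Python shows one way an entity could encode the heat-map prioritization described above: an asymmetric boundary matrix that reproduces the two cases the text gives (Moderate/Frequent is High, Extreme/Possible is Very High) and weights impact more heavily than likelihood, a monotonicity check on that matrix, a shift of the boundaries to model greater or lesser risk appetite, and a ranking that applies the non-financial-impact and speed-of-onset adjustments after the level has been assigned. Ratings stay ordinal labels; the product of the label numbers is used only as a last tie-break. The matrix layout, the scale labels beyond those in the exhibits, and the sample register are assumptions.

```python
"""Heat-map prioritisation with ordinal ratings and asymmetric boundaries.

Added example (not from the COSO text). Impact and likelihood ratings are
kept as ordinal labels; the risk level for each cell comes from an explicit
boundary matrix rather than from multiplying label numbers. The matrix
below is an assumed layout that reproduces the two cases the text gives
(Moderate/Frequent -> High, Extreme/Possible -> Very High) and weights
impact more heavily than likelihood.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence, Tuple

IMPACT = ["Minor", "Moderate", "Major", "Extreme"]
LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Frequent"]
LEVELS = ["Low", "Medium", "High", "Very High"]
SPEED = ["Very Low", "Low", "Medium", "High", "Very High"]
NON_FINANCIAL = frozenset({"health and safety", "reputational"})

# Rows: impact rating; columns: likelihood rating (Rare .. Frequent).
# Asymmetric: an Extreme/Rare risk is already High, a Minor/Frequent risk only Medium.
ASYMMETRIC_MATRIX: Dict[str, List[str]] = {
    "Minor":    ["Low",    "Low",    "Low",       "Medium",    "Medium"],
    "Moderate": ["Low",    "Medium", "Medium",    "High",      "High"],
    "Major":    ["Medium", "Medium", "High",      "Very High", "Very High"],
    "Extreme":  ["High",   "High",   "Very High", "Very High", "Very High"],
}


def validate_matrix(matrix: Dict[str, List[str]]) -> None:
    """A boundary matrix must never assign a lower level as impact or likelihood increases."""
    rows = [matrix[i] for i in IMPACT]
    for row in rows:
        if len(row) != len(LIKELIHOOD) or any(c not in LEVELS for c in row):
            raise ValueError("each row needs one valid level per likelihood rating")
        for a, b in zip(row, row[1:]):
            if LEVELS.index(b) < LEVELS.index(a):
                raise ValueError("level decreases as likelihood increases")
    for lower, upper in zip(rows, rows[1:]):
        for a, b in zip(lower, upper):
            if LEVELS.index(b) < LEVELS.index(a):
                raise ValueError("level decreases as impact increases")


def shift_levels(matrix: Dict[str, List[str]], steps: int) -> Dict[str, List[str]]:
    """Move every boundary by `steps` levels: negative = greater risk appetite
    (boundaries shift toward the upper right), positive = more risk-averse."""
    def move(level: str) -> str:
        idx = min(max(LEVELS.index(level) + steps, 0), len(LEVELS) - 1)
        return LEVELS[idx]
    return {impact: [move(c) for c in row] for impact, row in matrix.items()}


def risk_level(impact: str, likelihood: str, matrix=ASYMMETRIC_MATRIX) -> str:
    if impact not in matrix or likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown rating: {impact!r}/{likelihood!r}")
    return matrix[impact][LIKELIHOOD.index(likelihood)]


def product_score(impact: str, likelihood: str) -> int:
    """The 'multiply the ratings' shortcut; acceptable for a preliminary ranking only."""
    return (IMPACT.index(impact) + 1) * (LIKELIHOOD.index(likelihood) + 1)


@dataclass(frozen=True)
class Risk:
    name: str
    impact: str
    likelihood: str
    impact_types: FrozenSet[str] = frozenset({"financial"})
    speed_of_onset: str = "Medium"


def prioritize(risks: Sequence[Risk], matrix=ASYMMETRIC_MATRIX) -> List[Tuple[str, str]]:
    """Rank by heat-map level, then by the adjustments the text describes:
    non-financial (health and safety, reputational) impacts first, faster
    onset first, product score last as a tie-break. Returns (name, level)."""
    validate_matrix(matrix)

    def key(r: Risk):
        return (
            -LEVELS.index(risk_level(r.impact, r.likelihood, matrix)),
            0 if r.impact_types & NON_FINANCIAL else 1,
            -SPEED.index(r.speed_of_onset),
            -product_score(r.impact, r.likelihood),
            r.name,
        )

    return [(r.name, risk_level(r.impact, r.likelihood, matrix)) for r in sorted(risks, key=key)]


# Constructed sample register (illustrative entries, not from the COSO exhibits).
SAMPLE_REGISTER = [
    Risk("Ransomware outage", "Extreme", "Possible", frozenset({"financial", "reputational"}), "Very High"),
    Risk("Copper price increase >25%", "Major", "Likely", frozenset({"financial"}), "Medium"),
    Risk("Plant safety incident", "Extreme", "Unlikely", frozenset({"health and safety"}), "High"),
    Risk("Supplier consolidation", "Moderate", "Frequent", frozenset({"financial"}), "Low"),
    Risk("Minor compliance finding", "Minor", "Frequent"),
]

if __name__ == "__main__":
    for name, level in prioritize(SAMPLE_REGISTER):
        print(f"{level:9s} {name}")
```

The point of the explicit matrix shows up on the sample register: Plant safety incident (Extreme/Unlikely) and Supplier consolidation (Moderate/Frequent) both land in High, and the health-and-safety tie-break puts the safety risk first, whereas multiplying the label numbers (8 against 10) would rank the supplier risk above it.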
Exhibit 6: Opportunity and risk map. The impact axis runs from Extreme, Major, Moderate and Minor on the Risks side through Moderate, Major and Extreme on the opportunities side; the likelihood axis is Frequent, Likely, Possible, Unlikely, Rare.
Exhibit: Heat map of Impact against Likelihood. Dots represent risk #1 - #n; dot size reflects speed of onset (Very Low, Low, Medium, High, Very High); I = Impact, L = Likelihood. The accompanying table lists each risk ID with its ratings (numeric cells not reproduced here).
Exhibit: MARCI-style chart of Potential Impact against Potential Vulnerability for the same risks, with a quadrant labelled Redeploy Resources and the same dot-size legend.
About COSO
Originally formed in 1985, COSO is a joint initiative of five private sector organizations and is dedicated to providing thought
leadership through the development of frameworks and guidance on enterprise risk management (ERM), internal control,
and fraud deterrence. COSO's supporting organizations are the Institute of Internal Auditors (IIA), the American Accounting
Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI),
and the Institute of Management Accountants (IMA).
Committee of Sponsoring Organizations of the Treadway Commission
Developing Key Risk Indicators to Strengthen Enterprise Risk Management
By Mark S. Beasley | Bruce C. Branson | Bonnie V. Hancock
Authors
Mark S. Beasley, Deloitte Professor of Enterprise Risk Management
Bruce C. Branson, Associate Director, ERM Initiative
Bonnie V. Hancock, Executive Director, ERM Initiative
Larry E. Rittenberg, COSO Chair - Emeritus
Mark S. Beasley, American Accounting Association
Chuck Landes, American Institute of Certified Public Accountants
Richard F. Chambers, The Institute of Internal Auditors
Jeff Thomson, Institute of Management Accountants
Marie Hollein, Financial Executives International
Preface
This project was commissioned by COSO, which is dedicated to providing thought leadership
through the development of comprehensive frameworks and guidance on enterprise risk
management, internal control, and fraud deterrence designed to improve organizational
performance and governance and to reduce the extent of fraud in organizations. COSO is a
private sector initiative, jointly sponsored and funded by the following organizations:
December 2010
Copyright 2010, The Committee of Sponsoring Organizations of the Treadway Commission (COSO).
All Rights Reserved. No part of this publication may be reproduced, redistributed, transmitted or displayed in any form or
by any means without written permission. For information regarding licensing and reprint permissions please contact the
American Institute of Certified Public Accountants, licensing and permissions agent for COSO copyrighted materials.
Direct all inquiries to copyright@aicpa.org or to AICPA, Attn: Manager, Rights and Permissions, 220 Leigh Farm Rd.,
Durham, NC 27707. Telephone inquiries may be directed to 888-777-7707.
Thought Leadership in ERM | Developing Key Risk Indicators to Strengthen Enterprise Risk Management
Introduction
Boards of directors have become increasingly aware
of their responsibilities related to effective oversight
of management's execution of enterprise-wide risk
management processes. This is due, in part, to significant
external pressures that have developed recently that
are thrusting risk management and its oversight to the
forefront of many board agendas and management action
plans. For example, the New York Stock Exchange in 2004
adopted governance rules that require audit committees of
NYSE-listed firms to oversee management's risk oversight
processes. In 2008, Standard & Poors began explicitly
evaluating an issuers enterprise risk management (ERM)
processes in seventeen new industries, as an additional
component of their credit ratings analysis. In 2009, the
Securities and Exchange Commission (SEC) expanded
proxy disclosure requirements to increase information for
investors about the board's role in risk oversight. The 2010
Federal Financial Reform legislation now mandates risk
committees for boards of financial institutions and other
entities overseen by the Federal Reserve.
Many organizations are embracing an enterprise-wide
approach to risk oversight known as enterprise risk
management (ERM) and executive management teams
leading these efforts are turning to frameworks, such as
COSO's 2004 Enterprise Risk Management - Integrated
Framework (COSO ERM Framework), to aid them in
strengthening their enterprise-wide risk management
processes.
COSO's ERM Framework defines ERM as follows:
Content Outline
Differentiating Key Performance Indicators from Key Risk Indicators (page 10)
Summary Observations (page 11)
About COSO (page 12)
Exhibit: An objective paired with its Key Performance Indicator (KPI). Objective: Manage the collection of accounts receivable to reduce loss due to write-offs. (KPI cell not recovered.)
Exhibit: Linking Objectives to Strategies to Risks to KRIs. Objectives (Increase Revenues, Profitability, Reduce Costs) drive Strategic Initiatives #1 to #4; each initiative is exposed to one or more Potential Risks, and each Potential Risk is paired with a KRI.
Example
A buffet-style restaurant chain monitors gas prices to identify sales and profitability trends that may signal the need for modifications to sales strategies.
Objective: Increase earnings through revenue increases.
Strategic Response: Promote premium buffet options to attract additional customers. Revise marketing to promote more value options if gasoline price trends are rising.
Potential Risk: Customer income levels and discretionary income drop and prevent customers from visiting restaurants or from selecting premium buffet options.
Exhibit: Root Cause Event (Leading Indicators of Event?) leads to Intermediate Event (Leading Indicators of Event?) leads to Risk Event.
Example
KRIs to Inform About Risk of Debt Covenant Default
Potential Risk / Risk Event: Debt covenant breach
Intermediate Event: Leading KRIs might include sales trends, cash on hand, changes in short-term borrowings, etc.
Root Cause Event: Leading KRIs might include customer financial reports, industry reports, economic conditions, pricing trends, labor issues, plant capacity, etc.
Exhibit: KRIs and trigger points over time. Initial strategies are revised each time a KRI crosses a trigger point; uncertainty increases with longer time horizons.
Example
A regional grocery store chain seeks to grow earnings by adding new stores in the Northern Virginia and Washington, DC area.
Risk Events
1. Economic downturn in Washington, DC markets affects retail storefront rental demand and real estate values
2. Competition increases in the Washington, DC markets
3. Cost of financing too high
4. Delays in developing property and opening stores
KRI Communication and Reporting: Role of the Board, Management, and Risk Owners
As is true for the larger goal of implementing an enterprise
risk management process in general, the development
and implementation of a set of KRIs requires sensitivity
to organizational culture and a strong message of the
importance of this task from top management and the
board of directors. Creating buy-in from those individuals
within the organization who have day-to-day management
responsibility for various risks will be necessary.
The primary beneficiary of KRIs will be the risk owners
themselves. They will have a set of predictive tools that
should allow them to better manage their business units
to meet goals and objectives set for that unit. Senior
Exhibit: KRI dashboard for the grocery-chain example, showing status and trend for each KRI: Retail Occ., RE Rental Market, Change in Stores, Big Box Exp., Price Comp., Debt Spreads, Interest Rates, Stock Perf., Constr. Progress, Labor Market, Govt. Emplmt., Unemployment, Cons. Spending. Two charts plot actual and projected values: Unemployment Rate (values between 7.5 and 8.0 on an axis from 7.0 to 8.0) and Retail Occupancy % (values between 80 and 90 on an axis from 75 to 90).
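The trigger-point idea above, as an added example that is not part of the COSO text: a small Python monitor that evaluates a KRI series against a warning level and a trigger point, reports status and the direction of the recent trend, and extrapolates the current rate of change to estimate how many periods remain before the trigger point is crossed, which is what makes the indicator leading rather than lagging. The KRI definitions, thresholds and series values are constructed for illustration; the names echo the grocery-chain exhibit but the numbers are not its data.

```python
"""KRI monitoring against trigger points, added example (not from the COSO text).

Each KRI declares which direction is adverse and two thresholds: a warning
level and a trigger point at which the strategy is revised. For a time
series of observations the code reports status, the direction of the recent
trend, and a linear extrapolation of how many periods remain before the
trigger point is crossed. Thresholds and series below are constructed.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class KRI:
    name: str
    higher_is_worse: bool
    warning: float   # amber threshold
    trigger: float   # trigger point: red, revise strategy


def slope(values: Sequence[float]) -> float:
    """Least-squares slope per period of a series indexed 0..n-1."""
    n = len(values)
    if n < 2:
        return 0.0
    x_mean = (n - 1) / 2
    y_mean = sum(values) / n
    num = sum((i - x_mean) * (v - y_mean) for i, v in enumerate(values))
    den = sum((i - x_mean) ** 2 for i in range(n))
    return num / den


def status(kri: KRI, value: float) -> str:
    def breached(threshold: float) -> bool:
        return value >= threshold if kri.higher_is_worse else value <= threshold
    if breached(kri.trigger):
        return "red"
    if breached(kri.warning):
        return "amber"
    return "green"


def trend(kri: KRI, values: Sequence[float], window: int = 4, tolerance: float = 0.0) -> str:
    s = slope(values[-window:])
    if abs(s) <= tolerance:
        return "flat"
    moving_adverse = s > 0 if kri.higher_is_worse else s < 0
    return "worsening" if moving_adverse else "improving"


def periods_to_trigger(kri: KRI, values: Sequence[float], window: int = 4) -> Optional[int]:
    """Periods until the trigger point is crossed at the current rate of change.
    0 if already crossed; None if the series is flat or moving away from it."""
    last = values[-1]
    if status(kri, last) == "red":
        return 0
    s = slope(values[-window:])
    distance = (kri.trigger - last) if kri.higher_is_worse else (last - kri.trigger)
    rate = s if kri.higher_is_worse else -s   # positive when moving toward the trigger
    if rate <= 0:
        return None
    return math.ceil(distance / rate)


def evaluate(kri: KRI, values: Sequence[float], horizon: int = 4, window: int = 4) -> Dict[str, object]:
    """One dashboard row. `alert` is set when the trigger is breached or is
    projected to be breached within `horizon` periods."""
    if not values:
        raise ValueError(f"{kri.name}: no observations")
    st = status(kri, values[-1])
    eta = periods_to_trigger(kri, values, window)
    return {
        "kri": kri.name,
        "value": values[-1],
        "status": st,
        "trend": trend(kri, values, window),
        "periods_to_trigger": eta,
        "alert": st == "red" or (eta is not None and eta <= horizon),
    }


def dashboard(rows: Sequence[tuple], horizon: int = 4) -> List[Dict[str, object]]:
    """Evaluate (KRI, series) pairs and list alerts first, then amber, then green."""
    order = {"red": 0, "amber": 1, "green": 2}
    results = [evaluate(k, v, horizon) for k, v in rows]
    return sorted(results, key=lambda r: (not r["alert"], order[r["status"]], r["kri"]))


# Constructed series for the grocery-chain example's KRIs (illustrative values only).
UNEMPLOYMENT = KRI("Unemployment rate %", higher_is_worse=True, warning=8.0, trigger=8.5)
UNEMPLOYMENT_SERIES = [8.0, 7.9, 7.8, 7.9, 7.9, 7.8, 7.7, 7.5]
OCCUPANCY = KRI("Retail occupancy %", higher_is_worse=False, warning=82.0, trigger=78.0)
OCCUPANCY_SERIES = [90, 88, 88, 86, 85, 85, 85, 84, 82, 80]
DEBT_SPREAD = KRI("Debt spread bps", higher_is_worse=True, warning=300.0, trigger=400.0)
DEBT_SPREAD_SERIES = [250, 260, 290, 340, 390, 420]

if __name__ == "__main__":
    for row in dashboard([(UNEMPLOYMENT, UNEMPLOYMENT_SERIES), (OCCUPANCY, OCCUPANCY_SERIES),
                          (DEBT_SPREAD, DEBT_SPREAD_SERIES)]):
        print(row)
```

Two design points matter in practice: the adverse direction is part of the KRI definition, so the same code serves indicators where a fall is bad (occupancy) and where a rise is bad (spreads, unemployment); and an indicator still inside its warning band can raise an alert when the recent slope projects a trigger breach within the planning horizon, which is the early signal the text wants from a KRI.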
Summary Observations
KRIs are metrics used to provide an early signal of
increasing risk exposure in various areas of the organization.
In some instances, they may be little more than key ratios
that the board and senior management track as indicators
of evolving problems, which signal that corrective or
mitigating actions need to be taken. Other times, they may
be more elaborate, involving the aggregation of several
individual risk indicators into a multi-dimensional risk score
about emerging potential risk exposures. KRIs are typically
derived from specific events or root causes, identified
internally or externally, that can prevent achievement of
strategic objectives. Examples can include items such as
the introduction of a new product by a competitor, a strike
at a suppliers plant, proposed changes in the regulatory
environment, or input-price changes.
About COSO
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a voluntary private-sector organization
comprised of the following organizations dedicated to guiding executive management and governance participants
towards the establishment of more effective, efficient, and ethical business operations on a global basis. It sponsors and
disseminates frameworks and guidance based on in-depth research, analysis, and best practices.
COSO, 2010
www.erm.ncsu.edu
Original Article
Abstract
The fundamental thesis of this paper is that no matter how much physical science and technology are involved in complex systems, no system is ever purely or solely physical or technical. Certainly no system of which we are aware is purely scientific or technical in its operation or management. Furthermore, while research on and the modeling of complex systems usually rely heavily on the consideration of technological variables and processes, they typically fail to consider the contributions of individual psychological, organizational and contextual factors. This paper argues that we need models that avoid committing errors of the third kind: solving the wrong problem precisely. The paper sets out a mechanism for developing models that include contextual as well as technological variables.
Introduction
What do the Exxon Valdez spill, the Katrina levee failure and flood, and the Piper Alpha platform failure have in common? They occurred because of the failure to recognize oil infrastructure, ship safety and flood control as complex infrastructure systems (CISs). Such systems require risk assessments that include psychological, social, organizational and political processes in addition to those typical of traditional engineering practice. As a result, we suggest reformulating the problem of risk. To give appropriate weight to social processes in risk assessment, we suggest applying findings from other disciplines, including agent-based modeling (ABM), the use of geographic information systems (GISs) to integrate multi-scale and multi-discipline input, technology delivery system (TDS) design, and high reliability organization (HRO) management principles.
The fundamental thesis of this paper is that no matter how much physical
science and technology are involved in a complex system, no system is ever
purely or solely physical or technical. Certainly no system of which we are
aware is purely scientific or technical in its operation or management.
Every system consists of a complex set of (a) technical processes and variables that interact strongly with a complex set of (b) individual human (that is, psychological), (c) organizational and (d) socio-political processes and variables. The technical, individual and other variables that compose the system can only be distinguished from one another with great difficulty. In other words, the variables are so strongly coupled that it is almost impossible to determine where one kind typically begins and the others end or leave off.
By its very nature, modeling complex systems is inherently interdisciplinary.
This means that determinations of the probabilities of system failure are also
inherently interdisciplinary. In turn, the assessment of risks associated with
complex systems is inherently interdisciplinary as well.
In spite of this, the modeling and risk assessment of complex systems have
not been as interdisciplinary as they need to be. As a result, a basic and fundamental error underlies the vast majority of risk assessments. This error is
known as the Error of the Third Kind, or the Type Three Error (E3) (Mitroff
and Linstone, 1992).
E3 is defined as the probability of solving the wrong problem precisely.
Whereas Type One (E1) and Type Two (E2) errors are well known and utilized
in statistics, E3 is not. E1 and E2 (accepting or rejecting a null hypothesis)
relate to problems that are already known or well defined. In sharp contrast,
E3 pertains to how problems are defined or formulated in the first place. In this
sense, E3 is both prior to and more basic than E1 and E2.
This paper shows that by taking (a) technical, (b) individual human, (c) organizational and (d) socio-political variables equally into account, E3 can be
expressed on a quantitative basis like E1 and E2. Anything less leads to dangerously misleading risk assessments.
An interdisciplinary approach to modeling complex systems allows us to
formulate and determine the E3s associated with them. Combating E3s in
practice also requires an interdisciplinary approach. Organizations that relegate risk assessment to individuals with narrow technocratic expertise will inevitably commit E3s. Only by incorporating multiple perspectives and being
alert to discrepancies between models and reality can organizations deal with
risk in a realistic way.
Background
Work on this paper started almost two decades ago with an investigation
by one of the authors (Bea) of the dramatic failure of the Piper Alpha offshore
oil and gas drilling and production platform in the North Sea. This platform
served as a hub in a major part of the oil and gas infrastructure in the
North Sea. The investigative report stated that the majority of the causes
of this failure (80 per cent or more) were firmly rooted in human, organizational and institutional malfunctions. The remaining causes could reasonably be attributed to malfunctions in the engineered parts of this complex
system. This was a rude awakening because the platform was intensely
studied prior to its failure using traditional engineering approaches and engineering fixes were put in place. However, these fixes proved to be totally
ineffective.
Defining the problem as primarily an engineering problem commits a major E3. Hence, problem definition is critical in designing, operating, maintaining and managing critical CISs. In the Piper Alpha situation a new problem
was exposed that involved other parts of this production infrastructure. When
the first fires and explosions erupted on the platform, personnel on interconnected production platforms realized that the pressures in the pipelines had
dropped. In response to the drop in pipeline pressure and organizational pressures to catch up on back production, these platforms increased production
to the Piper Alpha platform, further escalating and accelerating the final melt
down of the system.
It was subsequently recognized that a broader, more holistic problem definition is of critical importance in designing, operating, maintaining and managing CISs. Findings such as this are now common in investigations of other
disasters (for example, Challenger and Columbia, Texas City and Bhopal,
Katrina and Betsy, and so on). Most recently, this background was incorporated into an NSF-funded research project to investigate the causes of the failure of the flood defense system for the Greater New Orleans Area (Kardon
et al, 2006; Seed et al, 2007a-c).
The human, organizational and institutional causes are termed extrinsic. The categories of uncertainties traditionally addressed by engineers, natural or inherent (aleatory) uncertainties and those associated with parametric, state and analytical model uncertainties (epistemic), are termed intrinsic. Because the neglected extrinsic factors are actually fundamental to system performance, expected risks were under-predicted by factors of 100 or more. These findings are consistent with a large body of research that highlights the role of extrinsic factors in large-scale system failures (for example, Perrow, 1984; Roberts, 1990; Clarke and Short, 1993; Vaughan, 1996, 1999).
Traditional engineering analyses and processes also result in inappropriate strategies for managing risk. This is another example of an E3, one that results from thinking that overemphasizes improving things such as system components rather than addressing the process and people factors that produce risk and the consequences of risk. Compelling evidence for this is available in reports of major catastrophes such as Bhopal (Shrivastava, 1987), Columbia (Gehman et al, 2003) and Katrina (Farber et al, 2007).
2009 Palgrave Macmillan 1460-3799/09 Risk Management Vol. 11, 1, 3043
Figure 1:
Often level 1 analyses fail to address the critically important issues associated with the consequences of failure, particularly those associated with rescue and recovery resilience. Levels 2, 3 and 4 are the important additional elements contributed by individual differences psychology, organizational and social sciences to enable a more holistic assessment of risks and of the management alternatives that are available to reduce the likelihoods of failures and the consequences contributing to the CISs' risks (Roberts and Sloane, 1988; Roberts et al, 2004, 2005).
The guiding logic of our approach is that a full understanding of CIS vulnerability can only be achieved through the analysis of interactions within and across these four levels, in context and over time. As discussed above, prior engineering research has focused on the first level, the physical elements that make up engineered systems, while treating the other levels as extrinsic to formal analytic frameworks. In contrast, this paper recognizes that managing risks associated with CISs is a multi-dimensional problem that must be addressed through collaborative research and educational activities that cross and transcend disciplinary boundaries.
$$P(F) = P(F_I \cup F_E) \qquad (1)$$
where $I$ stands for intrinsic factors, $E$ stands for extrinsic factors and $\cup$ stands for the union operator. $I$ typically stands for technical factors such as the failure of levees and pumping systems, while $E$ stands for organizational/social factors such as the breakdown of communications between different entities charged with managing a CIS.
In turn,
$$P(F) = P(F_I \mid E)\,P(E) + P(F_I \mid \text{Not } E)\,P(\text{Not } E) + P(F_E \mid E)\,P(E) \qquad (2)$$
The first term in equation (2) addresses the likelihood of system failure due
to intrinsic factors (technical) given (that is, conditional upon) the uncertainties associated with extrinsic factors (psychological, organizational, social,
legal, and so on). The second term addresses the same likelihood given no
extrinsic factors. By our initial assumption that every complex system is composed of the interactions between technical and social variables, the second
term is impossible. We include it, nonetheless, for an important reason that
will become apparent shortly. The third term addresses the likelihood of
system failures due directly to extrinsic factors.
$$P[P(F)] = P\big[P(F_I \mid E)\,P(E) + P(F_I \mid \text{Not } E)\,P(\text{Not } E)\big] \qquad (3)$$
failures clearly indicates there are important limitations to proactive assessments and the associated management strategies. The future changes things;
systems are more organic than mechanical; and predictability is extremely limited. Even reactive (after the accident or failure) analyses and associated
approaches are limited because they focus on things not on processes and
people. This leads to trying to fix the wrong things in the wrong ways.
interrelated components: (1) the publics (people affected by the CISs), (2) the
governments (of, by and for the people with responsibilities for the CISs) and
(3) industry (responsible for providing CISs). The linkages among these components are facilitated and enhanced with modern communication and information technology including the media and GISs. The fundamental objective
is to provide improved information and knowledge that will help impact values, beliefs and behaviors in ways beneficial to the publics and to the environments in which they exist. At present the concepts associated with the TDS are
used in efforts to integrate flood protection strategies and procedures into
improving the flood protection systems for the Greater New Orleans and
Sacramento Delta areas.
Developing effective TDSs is one of the most critical parts of building resilient and sustainable CISs. Without the required societal and political wills,
the technology ways to improve resilience, sustainability and reliability of
CISs will not be effectively implemented.
For the last 20 years research on HROs examined a number of adaptive
management strategies that work to render organizations highly reliable and
sustainable. One finding suggests that adaptable organizations change their
structures in response to changing conditions. When their environments are
very uncertain HROs flatten their structures considerably, returning to more
hierarchical structures as their environments gain more certainty. Another
characteristic of HROs is that they push decision making to the lowest level of
the organization commensurate with the knowledge needed to make that decision. In other words, if a decision about refueling an aircraft in the fast paced
and potentially dangerous environment of an aircraft carrier is best made by a
chief petty officer on the deck, it is certainly not given over to the ships captain
on the bridge of the ship (Weick and Roberts, 2003). These kinds of structural
and decision-making strategies render the organization more resilient than are
organizations that do not follow them. This resilience opens the organization
up to the possibilities of looking for potential E3s and doing something to
correct the situation.
It is hypothesized that the adaptable CISs do much the same thing. A good
deal of networking research has been done in organizational behavior. An initial step in understanding how CISs adapt and make decisions is to uncover
their networks of relationships. It is hypothesized that more resilient CISs have
more tentacles into other complex systems than less resilient CISs. Other aspects of the influence of both political decisions and organizational processes
need to be included in dealing with CISs.
Engineers are trained to focus on technical errors. Narrow and exclusive
focus on technical factors is a source of E3s, simply because engineers tend to
place too much reliance on technical models without realizing the likelihood
that those models fail to capture key elements of risk. If engineers and other
system designers can learn to take a broader perspective, E3s can be reduced.
GIS can provide a methodology for the kind of broad-gauged planning process needed to minimize E3s. For example, one use of GIS for environmental
assessment broke the geographical area into cells of areas with similar vegetation, climate and soils. A model was used to predict, on a cell-by-cell basis, the
growth and aging of a forest, including the size and distribution of each forest
type. Those calculations in turn were used together with a habitat suitability
model to predict impacts on wildlife (Eady, 1995). In another instance, the
Bureau of Reclamation made good use of GIS in assessing the operations of
the Glen Canyon Dam. Public interest was very high, with
more than 30 000 people commenting on the draft EIS.
Thus, GIS contributed significantly to the planning process, both in terms of
procedure and in terms of allowing a broad synthetic analysis, as the White
House Council on Environmental Quality (1997) explained:
GIS provides the analyst with management of large data sets, data overlay and
analysis of development and natural resource patterns, trends analysis, mathematical impact modeling with locational data, habitat analysis, aesthetic analysis, and
improved public consultation. Using GIS has the potential to facilitate the efficient
completion of projects while building confidence in the NEPA process.
We also need to consider the incentives that will lead system designers to
broaden their horizons and augment the planning process. One such mechanism is the potential for civil liability, which can push designers to consider broader ranges of risk. Similarly, insurance companies can
play a proactive role in encouraging safe design, bringing to bear their broad
range of experience with other system failures and safety methodologies.
In seeking to avoid E3s, we can also benefit from the rich literature about
organizational learning. Organizations learn by embedding historical experience
in their routines (Levitt and March, 1988). Organizational routines are based on
implicit models that help the organization make sense of the world and respond
to perceived problems. These models are as subject to E3 as are the more formal
engineering models. However, without conditions motivating change, routines
are often relatively stable and organizations generally tend to be inert, relying on
existing models and adapting imperfectly to their environments, falling in and out of
alignment with them (Nelson and Winter, 1982). Disaster preparation calls for a different form of learning in which organizations draw on not
only their own experiences but also those of other organizations. Such network
effects exist for a variety of learning processes (for example, Argote et al, 1990;
Baum and Ingram, 1998; Beckman and Haunschild, 2002).
HROs are also concerned with learning. They are careful to accept input
from individuals at all levels of the organization, thereby broadening their
base of knowledge and perspectives, and they pay careful attention to unexpected outcomes and system failures (Roberts, 1990; Weick and Roberts,
2003). Thus, they are able to detect the shortcomings of their implicit models
and avoid E3s.
Over the past few decades, scholars from many disciplines have advocated relational or systems approaches, as opposed to reductionist approaches that study
particular events and entities in isolation (Miller, 1972; Wolf, 1980). For instance,
collaborative governance involving multiple organizations, both public and private, is a principal focus in recent environmental and administrative law scholarship (Freeman, 1997; Minow, 2003). We are gaining solid information about how
these interactions work in the context of regulation (Freeman, 1997; Cunningham
et al, 2003), and in developing policy networks (Agranoff, 2003). Researchers are
beginning to understand how law can facilitate formal and informal relations that
achieve the appropriate balance between accountability to public goals and the flexibility necessary for maximizing the utility of private-sector involvement (Karkkainen et al, 2000; Bamberger, 2006).
Conclusion
All too often, researchers and decision makers focus exclusively on E1s, the risk
of accepting a false hypothesis about the true value of a variable. They fail to
take into account E2s, the risk of rejecting a true hypothesis about the true value
of a variable. Thus, statistical reliability trumps statistical power. But even more
important are E3s, the risk that the entire model used in the analysis is wrong,
often because it omits key variables. For researchers, this can be merely a methodological headache, which goes under the name of specification error or omitted-variable bias. But for decision makers, the consequences can be literally
deadly. Models can produce precise calculations of the value of a risk that are
nonetheless meaningless because the model is radically incomplete.
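The three error types can be made concrete with a small simulation. The following Python block is an added example, not the authors' code, and every dataset in it is constructed; the labels follow the paper's own wording (E1: accepting a hypothesis that is false; E2: rejecting a hypothesis that is true; E3: the model omits a key variable). The function names, the coefficients 1.0 and 2.0, the failure rates and the decision threshold are all assumptions chosen for illustration.

```python
"""Added illustration of the paper's three error types, E1, E2 and E3.

Constructed simulation, not the authors' code. Labels follow the paper's
wording: E1 = accepting a hypothesis that is false, E2 = rejecting a
hypothesis that is true, E3 = the model itself omits a key variable.
"""
import math
import random
import statistics


def simple_ols(x, y):
    """Intercept, slope and slope standard error for y = a + b*x by OLS."""
    n = len(x)
    xbar, ybar = statistics.fmean(x), statistics.fmean(y)
    sxx = sum((xi - xbar) ** 2 for xi in x)
    sxy = sum((xi - xbar) * (yi - ybar) for xi, yi in zip(x, y))
    b = sxy / sxx
    a = ybar - b * xbar
    rss = sum((yi - a - b * xi) ** 2 for xi, yi in zip(x, y))
    return a, b, math.sqrt(rss / (n - 2) / sxx)


def residuals(x, y):
    """Part of y that a straight-line fit on x leaves unexplained."""
    a, b, _ = simple_ols(x, y)
    return [yi - a - b * xi for xi, yi in zip(x, y)]


def omitted_variable_demo(n=5000, seed=1):
    """E3: the analyst's model leaves out a driver of risk.

    Constructed data: outcome y depends on a measured driver x1 (true
    coefficient 1.0) and an unmeasured driver x2 (coefficient 2.0) that
    moves together with x1. The misspecified model fits y on x1 alone and
    reports a tight standard error around a badly wrong coefficient.
    """
    rng = random.Random(seed)
    x1 = [rng.gauss(0, 1) for _ in range(n)]
    x2 = [0.8 * v + rng.gauss(0, 0.6) for v in x1]
    y = [1.0 * a + 2.0 * b + rng.gauss(0, 1) for a, b in zip(x1, x2)]

    _, b_wrong, se_wrong = simple_ols(x1, y)
    # Correctly specified model via the Frisch-Waugh-Lovell theorem:
    # partial x2 out of both x1 and y, then regress residual on residual.
    # That slope equals the x1 coefficient of the full fit on [1, x1, x2].
    _, b_right, se_right = simple_ols(residuals(x2, x1), residuals(x2, y))
    return {
        "true_coef": 1.0,
        "wrong_model_coef": b_wrong,
        "wrong_model_se": se_wrong,
        # Does the misspecified 95% interval even contain the truth?
        "wrong_ci_covers_truth": abs(b_wrong - 1.0) < 1.96 * se_wrong,
        "right_model_coef": b_right,
        "right_model_se": se_right,
    }


def hypothesis_error_rates(n=200, p0=0.01, p_true=0.03, critical=5,
                           reps=4000, seed=2):
    """E1 and E2 rates for the hypothesis H: 'failure rate is at most p0'.

    Decision rule: reject H when more than `critical` failures occur in
    n constructed Bernoulli trials. E2 = H true (p = p0) but rejected;
    E1 = H false (p = p_true > p0) but accepted. Both are Monte Carlo
    estimates over `reps` repetitions.
    """
    rng = random.Random(seed)

    def failures(p):
        return sum(1 for _ in range(n) if rng.random() < p)

    e2 = sum(1 for _ in range(reps) if failures(p0) > critical) / reps
    e1 = sum(1 for _ in range(reps) if failures(p_true) <= critical) / reps
    return {"E1_accept_false_H": e1, "E2_reject_true_H": e2}


if __name__ == "__main__":
    for k, v in omitted_variable_demo().items():
        print(f"{k}: {v}")
    for k, v in hypothesis_error_rates().items():
        print(f"{k}: {v:.3f}")
```

Two things to notice when running it. The decision rule keeps E2 (rejecting a true hypothesis) low, yet at this sample size it accepts a system whose failure rate has tripled a large fraction of the time, which is what "reliability trumps power" costs. And the misspecified fit does not improve with more data: its standard error shrinks while the coefficient settles far from the true value, so the interval that looks precise never covers the truth. Only the model that includes x2 recovers it.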
In this paper, we attempted to propose methodologies for dealing with E3s in
risk assessment. As we saw, E3s are to some extent subject to rigorous
analysis, and promising methodologies exist with which to improve formal modeling. But the greater challenge may be to design human systems for risk analysis
that allow E3s to be detected and corrected. Such systems require broad input
and a willingness to reassess models in light of the unexpected. In designing such
systems of risk assessment, we must both improve formal modeling and learn
from the organizational literature to design better processes for decision-making.
Acknowledgement
This project was supported, in large part, by the National Science Foundation
(NSF) under EFGRI Grant No. 0836047. Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors
and do not necessarily reflect the views of NSF.
© 2009 Palgrave Macmillan 1460-3799/09 Risk Management Vol. 11, 1, 30–43
References
Agranoff, R. (2003) A New Look at the Value-adding Functions of Intergovernmental
Networks. Paper presented for National Public Management Research Conference,
Georgetown University, Washington DC.
Argote, L., Beckman, S.L. and Epple, D. (1990) The persistence and transfer of learning
in industrial settings. Management Science 36(2): 140–154.
Axelrod, R. and Tesfatsion, L. (2007) On-line guide for newcomers to agent based
modeling in the social sciences, www.econ.iastate,edu/testfatsi/abmread.htm, accessed
5 January 2007.
Bamberger, K.A. (2006) Blurring Boundaries: Organizational Theory, Regulated Firms,
and the Administrative State. Berkeley: University of California. Working paper.
Baum, J.A.C. and Ingram, P. (1998) Survival-enhancing learning in the Manhattan hotel
industry, 1898–1980. Management Science 44(7): 996–1016.
Bea, R.G. (2007a) Reliability Assessment and Management Lessons from Hurricane
Katrina, OMAE 2007-29650, Proceedings of the Sixth International Conference
on Offshore Mechanics and Arctic Engineering, New York: American Society of
Mechanical Engineers.
Bea, R.G. (2007b) Lessons From Failure of the Flood Protection System for the Greater
New Orleans Area During Hurricane Katrina, OMAE 2007-29649, Proceedings of
the Sixth International Conference on Offshore Mechanics and Arctic Engineering,
New York: American Society of Mechanical Engineers.
Beckman, C.M. and Haunschild, P.R. (2002) Network learning: The effects of partners'
heterogeneity of experience on corporate acquisitions. Administrative Science Quarterly 47(1): 92–124.
Clarke, L. and Short, J. (1993) Social organization and risk: Some current controversies.
Annual Review of Sociology 19: 375–399.
Cummings, M.C., McGarvey, D.C., Vinch, P.M. and Colletti, B.W. (2006) Homeland
Security Risk Assessment, RP05-024-01a, Arlington, VA: Homeland Security Institute.
Cunningham, N., Kagan, R.A. and Thornton, D. (2003) Shades of Green: Business,
Regulation, and Environment. Stanford, CA: Stanford University Press.
Eady, W. (1995) The use of GIS in environmental assessment. Impact Assessment
13: 199–206.
Farber, D.A., Bea, R.G., Roberts, K., Wenk, E. and Inkabi, K. (2007) Reinventing flood
control. Tulane Law Review 81(4): 1085–1127.
Freeman, J. (1997) Collaborative governance in the administrative state. UCLA Law
Review 45(1): 1–99.
Gehman, H.W. Jr. et al. (2003) Columbia Accident Investigation Report, Vols. 1–6,
Washington DC: Government Printing Office.
Gerschwer, L. (1993) Informational standing under NEPA: Justiciability and environmental decisionmaking process. Columbia University Law Review 93: 996–1001.
Gilbert, N. and Terna, P. (2000) How to build and use agent-based models in social
science. Mind and Society 1: 57–72.
Kardon, J.B., Bea, R.G. and Williamson, R.B. (2006) Validity and Reliability of Forensic
Engineering Methods and Processes. Herndon, VA: American Society of Civil Engineers.
Karkkainen, B.C., Fung, A. and Sabel, C. (2000) After backyard environmentalism:
Toward a performance-based regime of environmental regulation. American Behavioral Scientist 44(4): 690–709.
Klick, K.A. (1994) The extraterritorial reach of NEPA's EIS requirement after Environmental Defense Fund v. Massey. American University Law Review 44: 291–322.
Levitt, B. and March, J.G. (1988) Organizational learning. Annual Review of Sociology
14(2): 319–340.
Miller, J.G. (1972) Living Systems. New York: McGraw Hill.
Minow, M. (2003) Partners, Not Rivals: Privatization and the Public Good. Boston, MA:
Beacon Press.
Mitroff, I.I. and Linstone, H. (1992) The Unbounded Mind. New York: Oxford
University Press.
Nelson, R.R. and Winter, S.G. (1982) An Evolutionary Theory of Economic Change.
Cambridge, MA: Harvard University Press.
Perrow, C. (1984) Normal Accidents: Living with High Risk Technologies. New York:
Basic Books.
Radke, J. and Lan, M. (2000) Spatial decompositions, modeling and mapping service
regions to predict access to social programs. Geographic Information Sciences 6(2):
105–112.
Radke, J.T., Cova, M.F., Sheridan, M., Troy, A., Lan, M. and Johnson, R. (2000)
Application challenges for GIS science: Implications for research, education, and
policy for risk assessment, emergency preparedness and response (RAEPR). URISA
Journal 12(2): 15–30.
Roberts, K.H. (1990) Some characteristics of one type of high reliability organization.
Organization Science 1(2): 160–176.
Roberts, K.H. and Sloane, S.B. (1988) An Aggregation Problem and Organizational
Effectiveness. In: B. Schneider and D. Schoorman (eds.) Facilitating Organizational
Effectiveness. Lexington, MA: Lexington Press, pp. 125–144.
Roberts, K.H., Madsen, P. and Desai, V. (2004) Bridging Levels, Variables, and
Methodologies. In: F.J. Yammarino and A.E. Dansereau (eds.) Research in Multi
Level Issues: An Annual Series. Oxford, UK: Elsevier, pp. 69–78 (also in Science Direct).
Roberts, K.H., Madsen, P. and Desai, V. (2005) The Space Between in Space Transportation: A Relational Analysis of the Failure of STS 107. In: M. Farjoum and W. Starbuck
(eds.) Organizations at the Limit: Lessons from the Columbia Disaster. Malden, MA:
Blackwell Publishing, pp. 81–98.
Seed, R.B. et al. (2007a) Investigation of Levee Performance in Hurricane Katrina:
The New Orleans Drainage Canals, Proceedings Geo, Denver, 2007, ASCE.
Seed, R.B. et al. (2007b) Investigation of Levee Performance in Hurricane Katrina:
The Inner Harbor Navigation Canal, Proceedings Geo, Denver, 2007, ASCE.
Seed, R.B. et al. (2007c) Investigation of the Performance of the New Orleans Regional
Flood Protection Systems During Hurricane Katrina: Lessons Learned, Proceedings
Geo, Denver, 2007, ASCE, pp. 1–16.
Shrivastava, P. (1987) Bhopal: Anatomy of a Crisis. Cambridge, MA: Ballinger.
Vaughan, D. (1996) The Challenger Launch Decision: Risky Technology, Culture, and
Deviance. Chicago, IL: University of Chicago Press.
Vaughan, D. (1999) The dark side of organizations: Mistake, misconduct, and disaster.
Annual Review of Sociology 25: 271–305.
Weick, K.E. and Roberts, K.H. (2003) Collective mind in organizations: Heedful
interrelating on flight decks. Administrative Science Quarterly 38: 357–381.
West Publishing Co. (2008) Selected Environmental Statutes 2008–2009, Educational
edn. St. Paul, MN.
White House Council on Environmental Quality. (1997) The National Environmental
Policy Act: A Study of its Effectiveness after 25 Years, http://www.nepa.gov/nepa/
nepa25fn.pdf.
Wolf, F.A. (1980) Taking the Quantum Leap. New York: Harper and Row.
GARP Code of Conduct

I. Introductory Statement
The GARP Code of Conduct (Code) sets forth principles for GARP Committee Members and GARP's staff (hereinafter collectively referred to as GARP Members) in support of the risk management profession. Risk practitioners should understand these as concepts that reflect an evolving shared body of professional standards. The pursuit of high ethical standards goes beyond following the letter of applicable rules and regulations.

II. Code of Conduct
1. Principles
2. Professional Standards

III. Rules of Conduct
2. Conflict of Interest
GARP Members:
2.1 Shall act fairly in all situations and must fully disclose any actual or potential conflict to all affected parties.
3. Confidentiality
4. Fundamental Responsibilities
GARP Members:
4.2 Shall have ethical responsibilities and cannot out-source or delegate those responsibilities to others.
5. General Accepted Practices
GARP Members:
5.1 Shall execute all services with diligence and perform all

IV. Applicability and Enforcement
Creating a culture of risk awareness.™
Global Association of Risk Professionals
111 Town Square Place, Suite 1215, Jersey City, New Jersey 07310, USA. +1 201.719.7210
Minster House, 1st Floor, 42 Mincing Lane, London EC3R 7AE, UK. +44 (0) 20 7397 9630
www.garp.org
About GARP | The Global Association of Risk Professionals (GARP) is a not-for-profit global membership organization dedicated to
preparing professionals and organizations to make better informed risk decisions. Membership represents over 100,000 risk management practitioners and researchers from banks, investment management firms, government agencies, academic institutions, and
corporations from more than 195 countries. GARP administers the Financial Risk Manager (FRM) and the Energy Risk Professional
(ERP) exams; certifications recognized by risk professionals worldwide. GARP also helps advance the role of risk management via
comprehensive professional education and training for professionals of all levels. www.garp.org.