Speedy risk management – for English readers.
We are not lacking occasions to manage risks these days… in the end we live in a risk society, but often either no one manages risk or only a few try to manage too little, too late.
Quite a long time ago risk managers observed that although we evaluated a risk in two dimensions (just to remind you), i.e. the likelihood and consequences of a “risky” event multiplied by itself (not added to each other, because such ideas do happen!), there are other dimensions of risk.
Thus, today we will describe the speed of materialization of a risk or in other words, the time that remains from risk identification until its occurrence.
Speedy risk and TTI
There are different terms that are related to the speed of a risk, such as: risk velocity, risk clock speed and Time To Impact (TTI). Relatively, the topic is quite poorly perceived by managers, although empirically-tested by each one of us when we come into the office Monday morning, refreshed and eager to work hard, then we check our email box and … boom!
Exactly. There is no doubt today, that the world has really accelerated and every day, apat from the old, traditional risks, completely new risks appear: political, cyber, fraud, reputational. Luckily there are both threats and opportunities, but… do not be deceived by a world of technological innovations: a time in which the most massive, “traditional” risk can materialize does not necessarily result from an implementation of new discoveries by eggheads. Just for example it is enough that our valued legislators fall into the new idea of new regulations, and like a bolt from the blue, we have a problem.
That is why those who manage risk recommend adding that third dimension, spreed of materialization, risk velocity to the size of a risk during risk analysis. Of course, according to the rules of risk management, it would be good to quantify this additional risk dimension. The best in “days”, because it would probably be too late to do it in “hours” (we should note however, that it could be a part of so called Business Impact Analysis, BIA, that is the cornerstone of BCM).
Out of the blue
So, there are risks that materialize quickly (fast clock speed risk) and require immediate reaction and those that can wait. Because we always have to consider the allocation of our resources in the most effective and appropriate way. In the end there will also be risks of a „boom” – type, completely out of the blue, in other words classic black swans or like hawks falling on peacefully-grazing corporate partridges. Speedy risk.
Giving up these ornithological comparisons we need to mention that the concept of the “speed” of a risk raises some controversy. Some people even believe that this idea undermines the very essence of the concept of a risk, which “by definition” is connected with uncertainty. For if we had the ability to estimate when an event would take place “in days”, “hours”, or even in “years” (for strategic risks).. where would the uncertainty be then?
Others argue that the speed of a risk is already included in our estimation of the likelihood of an event. In other words, if the likelihood of a specific risk is greater than the likelihood of another risk it is also because we (sub)consciously took into account the shorter time in which it can materialize.
The issue remains debatable and, for example, in the standards of a risk management we do not find clear guidelines on how to proceed although the well-known Committee of Sponsoring Organizations (COSO) in its interesting guidance “Risk assessment in practice” proposes an assessment of “the speed of onset” or just “velocity of risk”.
Speedy risk: technically speaking
It seems, however, that at least at the level of preparation of a corporate risk profile, this classic risk management report for C-level management, it would be a shame to give up information about estimated “time to impact” (TTI). Technically speaking, some suggest that TTI multiplied by probability and effects will give us a new line up of identified risks, precisely taking into account the “clock” dimension. Of course we should previously establish our criteria for a risk assessment, and therefore the benchmark for a risk measurement.
As in the case of impact and probability each of the “small” or “large” TTI means something different. Probably for manufacturers of computer games, risk velocity is measured in months, and in the case of heavy industry in years, but … are you sure today?
As always you need to carefully consider the criteria by which we measure anything, especially the scale of probability. It is indeed a typical mistake made during risk mapping and repeated in many companies with a strange stubbornness.
The issue of risk velocity becomes particularly important given the increasing regulatory requirements for risk management. Regulations, like Solvency or Basel, or issued by local market regulators, impose construction of heavy, shiftless, static risk management systems, and writing of lengthy disclosures on topics that had become (pre)history yesterday. Today a drastically changing horizon of new events continually brings us new risks. We need solutions that are lightweight, agile, and responsive to the upcoming opportunities and threats, agile risk management.