Presentation on theme: "James August, CQA 01/21/09 1 (Four Case) Risk Management Analysis James August, CQA ASQ South Jersey Section Jan. 21, 2009."— Presentation transcript:
James August, CQA 01/21/09 1 (Four Case) Risk Management Analysis James August, CQA ASQ South Jersey Section Jan. 21, 2009
James August, CQA 01/21/09 2 (Four Case) Risk Management Analysis Value-at-risk (VaR) is a category of risk metrics that describe probabilistically the market risk of a trading portfolio. Value-at- risk is widely used by banks, securities firms, commodity merchants, energy merchants, and other trading organizations. from the Risk Glossary at
James August, CQA 01/21/09 3 (Four Case) Risk Management Analysis Value-at-risk equals the amount of money such that there is a 90% probability of the portfolio losing less than that amount over the next trading day. Example: A one-day 90% USD VaR is illustrated for a hypothetical portfolio. Shown is the probability density function for the portfolio's value 1P one trading day from now. The portfolio's current value 0p is known.
James August, CQA 01/21/09 4 COSO and SOx According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), internal financial control consists of: (1) the control environment that sets the tone of the organization, (2) risk assessment, or the identification and analysis of relevant risks, (3) the policies and procedures or control activities that help ensure management directives are carried out, (4) the identification and communication of pertinent information, and (5) a monitoring process that assesses the quality of the internal control system’s performance.
James August, CQA 01/21/09 5 (Four Case) Risk Management Analysis But the location and management of risk are not restricted to stock portfolios or business fortunes. Risks appear in operating functions every day. The management of these risks is the responsibility of every entrepreneur, CEO, department head, project leader and change agent.
James August, CQA 01/21/09 6 (Four Case) Risk Management Analysis Risk definition - what constitutes a business risk? Risk identification - where are my risks hiding? Risk evaluation - how important is each risk? Risk mitigation - what do I do about it? Effectiveness evaluation - how do I know that my actions were effective?
James August, CQA 01/21/09 7 (Four Case) Risk Management Analysis Risk management is a process The process has parallels with DMAIC and PDCA
James August, CQA 01/21/09 8 Definition
James August, CQA 01/21/09 9 Risk definition “Exposure to a chance of loss or damage…” “The difference between your current level of protection and the level of protection you should be at.” “An assumption that you cannot verify is a risk.” Adolfo Ferreira
James August, CQA 01/21/09 10 Risk definition A comparator accruing from the likelihood of specific endeavor outcomes, its magnitude being a function of the possible consequences of the endeavor and the probabilities associated with those consequences.
James August, CQA 01/21/09 11 Risk definition Risk = f(magnitude) x f(likelihood) = severity x frequency of occurrence high risk outcome = fruits of opportunity or devastating result compare with FMEA: RPN = severity x occurrence x detectability
James August, CQA 01/21/09 12 Risk definition Two occasions for which risk should be calculated: RTP and ITP –RTP (run the process): core processes which must be maintained to keep the current business performance level –ITP (improve the process): processes which may be improved increasing the performance level
James August, CQA 01/21/09 13 Risk definition Risk appetite: the amount of risk that you are willing to accept Risk tolerance: the limits of outcomes that you are willing to accept
James August, CQA 01/21/09 14 Risk definition There are two sides to every risk calculation - the positive potential and the negative potential. Both must be calculated. Costs can be small or large
James August, CQA 01/21/09 15 Risk definition process improvement (ITP) risk factors: –cost of improvement = $ –value of improved output = $ –value of reduced output = $
James August, CQA 01/21/09 16 Risk definition process maintenance (RTP) risk factors: –cost of doing nothing = 0 or cost of doing nearly nothing = $ –value of continued output –value of lost output
James August, CQA 01/21/09 17 Risk definition These are the four cases that should be considered as part of a risk management methodology.
James August, CQA 01/21/09 18 Risk definition
James August, CQA 01/21/09 19 Buy a ticket: high chance of winning (only a few dozen sold) at a low cost of entry but low return. Buy a lottery ticket: low chance of winning but if you hit … it’s millions of dollars! Buy a second house for investment: high chance of eventually getting a good return but with a high cost of entry. Risk definition examples
James August, CQA 01/21/09 20 Risk definition Your tolerable loss limit (risk tolerance) is an estimate of the maximum you can afford to lose in the worst case scenario It is a number (generally expressed in dollars) and could be based on an organization's expected profits or revenues
James August, CQA 01/21/09 21 Risk definition tolerable loss limit small cost, big gains “no brainer” “not a good idea”
James August, CQA 01/21/09 22 Risk management definition A formal process used for identifying hazards associated with a product/service, estimating and evaluating the associated risks, controlling those risks, and monitoring the effectiveness of the control. RM provides a rational foundation for decisions concerning risk. ANSI/AAMI/ISO 14971:2000, definition 2.18
James August, CQA 01/21/09 23 Risk assessment, as defined by the IIA Standards for the Professional Practice of Internal Auditing, is a systematic process, for assessing and integrating professional judgments about probable adverse conditions or events. Risk impacts an organization’s ability to compete and to maintain its financial strength and the quality of its products and services. It’s the internal auditor’s job to identify all auditable activities and relevant risk factors and to assess their significance. Risk management definition
James August, CQA 01/21/09 24 Risk management system Risk management is another management system to be fused into your organization. It has structure: –Objectives and goals –Policies –Procedures
James August, CQA 01/21/09 25 Risk management policy Risk mitigation (intervention) is deciding what to do about each of the risks assessed as important to your (management or project) objectives, implementing the changes and documenting the planned response.
James August, CQA 01/21/09 26 Risk management Procedures –Risk definition and identification –Risk evaluation and assessment application of valuation and diagnostic tools –Risk mitigation or reduction treatment selection application of remedy tools –Risk control at the new level
James August, CQA 01/21/09 27 Identification
James August, CQA 01/21/09 28 Risk identification Where are my risks? Which are “run the process” risks and which are “improve the process” risks? RTP risks tend to have little upside but huge downside. ITP risks tend to have large upside and measurable downside.
James August, CQA 01/21/09 29 Risk identification What is at risk?
James August, CQA 01/21/09 30 Risk identification What is at risk? Achieving your objectives!
James August, CQA 01/21/09 31 Risk identification Areas of business risk –Strategic (Economy, Technology, Politics, Competition,...) –Organizational (Financial, Legal, Disaster, Personnel,...) –Operational (Labor, Materials, Quality, …) –Compliance (Environmental, Safety, Security, …) from “Risk Management - Essential in Today’s Economy”, Sandford Liebesman, PhD, NEQC 57 th Conference, Marlborough, MA, Oct
James August, CQA 01/21/09 32 Risk identification core business op’ns & processes –acquire new customers –take orders –procure materials –create products, manage inventories –deliver products –collect payments
James August, CQA 01/21/09 33 Risk identification core sales sub-processes –market research –pricing –promotion and advertising –order taking (order entry) –warranty management
James August, CQA 01/21/09 35 Risk identification core operations sub-processes –materials sourcing (availability) –quality control (product & process) –plant & workplace safety –environmental concerns –inventory –logistics and transport
James August, CQA 01/21/09 36 Risk identification core finance sub-processes –budgeting –accounts receivable and payable –banking –currency exchange –MIS and IT processes
James August, CQA 01/21/09 37 Risk identification support business processes –strategic planning, –brand management –facilities and infrastructure management –process Engineering –capital investment –asset management
James August, CQA 01/21/09 38 Risk identification support business sub-processes –communications –knowledge management: training and education –materials management and logistics –legal/ regulatory reporting (FDA, Sox,...) –supplier evaluation, management
James August, CQA 01/21/09 39 Risk identification support business sub-processes –quality assurance –predictive/ preventive maintenance –recruitment, compensation –employee relations (work stoppages) –employee performance mgt –payroll, benefits,...
James August, CQA 01/21/09 40 Risk identification other business areas –outplacement –employee well-being –insurance –mergers & acquisitions –construction / expansion
James August, CQA 01/21/09 41 Risk identification SWOT analysis is a sorting method for identifying and prioritizing risks. – Strengths – Weaknesses – Opportunities – Threats
James August, CQA 01/21/09 42 Risk identification other techniques for risk identification –Working groups and brainstorming –Surveys and interviews –Experiential or documented knowledge –Outputs from "what if" scenario analyses –Historical information - lessons learned –Templates: critical path, engineering,...
James August, CQA 01/21/09 43 Evaluation
James August, CQA 01/21/09 44 Risk evaluation How risky is my risk? Does "risk" = "cost"?
James August, CQA 01/21/09 45 Risk evaluation HIIT Occasional IILT Remote HHIL Probable HHIL Frequent SevereMajorMinorNegligibl e Severity Frequency
James August, CQA 01/21/09 46 Risk evaluation
James August, CQA 01/21/09 47 Risk evaluation
James August, CQA 01/21/09 48 Risk evaluation Non-financial measures Risk matrices Failure Mode and Effects Analysis –FMEA –Criteria: RPN 100 where –RPN = Severity x Frequency x Detectability
James August, CQA 01/21/09 49 Risk evaluation Typical approaches for quantification –Weighted probabilities –Extended cost –Future Value or Net Present Value –Capability analysis –Value stream mapping –Cost of poor quality –Discounted Cash Flow –Internal Rate of Return
James August, CQA 01/21/09 50 Risk evaluation Project justification –Develop meaningful (financial?) performance measures –common in Engineering and R&D projects –usually a statement of expected payoff from time and material invested –may be based on estimates of increased sales or improved process efficiency
James August, CQA 01/21/09 51 Risk evaluation Financial measures of c/b Return on Investment (ROI) Net B/C ratio = (PV of benefits – PV of operating costs)/PV of capital costs
James August, CQA 01/21/09 52 Risk evaluation Financial measures of c/b Net Present Value (NPV) The NPV represents total cash flow across the analysis period, adjusted to reflect the time value of money. Other things being equal, the action or investment with the larger NPV is the better option. NPV uses the Present Value concept, the idea that money you have now is worth more than an identical amount received in the future.
James August, CQA 01/21/09 53 Risk evaluation NPV = a 0 + a 1 /(1+i) + a 2 /(1+i) 2 + a 3 /(1+i) Where “a” is the return for each period at rate “i”
James August, CQA 01/21/09 54 Risk evaluation Discounted cash flow rate (DCF) The discounted cash flow approach describes a method to value a project, company, or financial asset using the concepts of the time value of money. All future cash flows are estimated and discounted to give them a present value. The discount rate used is generally the appropriate cost of capital, and incorporates judgments of the uncertainty (riskiness) of the future cash flows. Financial measures of c/b
James August, CQA 01/21/09 55 Risk evaluation Internal Rate of Return (IRR) IRR (like NPV) is a financial metric that reflects the time value of money. The meaning of IRR is less obvious to most people, but IRR is nevertheless often used as a central decision criterion among financial specialists. As the word "Return" implies, the IRR view of the cash flow stream is essentially an investment view: money will be paid out and compared to returns. Financial measures of c/b
James August, CQA 01/21/09 56 Risk evaluation The internal rate of return (IRR) is the interest rate such that the discounted sum of net cash flows is zero. If the interest rate were equal to the IRR, the net present value would be exactly zero. The IRR cannot be determined by an algebraic formula, but rather has to be approximated by trial and error methods.
James August, CQA 01/21/09 57 Risk evaluation IRR p The value of "i" such that a t / (1+i) t = 0 t=1 Financial measures of c/b
James August, CQA 01/21/09 58 Risk evaluation Three IRR definitions: 1. "The IRR for an investment is the discount rate for which the total present value of future cash flows equals the cost of the investment." 2. "The IRR for an investment is the discount rate that produces a 0 NPV for the projected cash flow stream." 3. "IRR answers this question: How high do interest rates have to climb (the discount rate for NPV calculations) in order for the PV of gains to just cover the PV of costs? The answer in each case is an interest rate; the higher the interest rate (that is, the higher the IRR), the more robust the investment and the better the returns compare to the costs.
James August, CQA 01/21/09 59 Risk evaluation Excel spreadsheets can do PV, NPV, IRR and other financial value calculations.
James August, CQA 01/21/09 60 Risk evaluation Four cases for risk evaluation:
James August, CQA 01/21/09 61 Risk evaluation Four cases for risk evaluation: –implement the change and perform primary c/b analyses assuming the results are achieved –implement the change resulting in adverse (unplanned) results –do nothing (ongoing costs only) and see learning curve improvement –do nothing and get adverse results
James August, CQA 01/21/09 62 Risk evaluation
James August, CQA 01/21/09 63 Risk evaluation Use the risk valuation method preferred by your organization (ROI, NPV, DCF, IRR, etc.). Compare the results of the four risk cases. Keep in mind the organization's risk tolerance loss limit.
James August, CQA 01/21/09 64 Mitigation
James August, CQA 01/21/09 65 Risk mitigation Risk mitigation (handling) is deciding what to do about each of the risks assessed as important to your project, implementing the changes and documenting the (planned) response.
James August, CQA 01/21/09 66 Risk mitigation How do I reduce my risk? Risk is a function of probability of success (or lack) and value of success (or cost) Either reduce the chance of failure or reduce the cost of failure
James August, CQA 01/21/09 67 Risk mitigation treatments Risk avoidance Risk reduction Risk retention Risk transfer
James August, CQA 01/21/09 68 Risk mitigation treatments Risk avoidance Includes not performing an activity that could carry risk. An example would be not buying a property or business in order to not take on the liability that comes with it. Another would be not flying in order to not take the risk that the airplane were to be hijacked. Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed. Not entering a business to avoid the risk of loss also avoids the possibility of earning profits. from Wikipedia
James August, CQA 01/21/09 69 Risk reduction Involves methods that reduce the severity of the loss. Examples include sprinklers designed to put out a fire to reduce the risk of loss by fire. Modern software development methodologies reduce risk by developing and delivering software incrementally. Early methodologies suffered from the fact that they only delivered software in the final phase of development; any problems encountered in earlier phases meant costly rework and often jeopardized the whole project. Risk mitigation treatments from Wikipedia
James August, CQA 01/21/09 70 Risk retention Involves accepting the loss when it occurs. True self insurance falls in this category. Risk retention is a viable strategy for small risks where the cost of insuring against the risk would be greater over time than the total losses sustained. All risks that are not avoided or transferred are retained by default. This includes risks that are so large or catastrophic that they either cannot be insured against or the premiums would be infeasible. Also any amounts of potential loss (risk) over the amount insured is retained risk. Risk mitigation treatments from Wikipedia
James August, CQA 01/21/09 71 Risk transfer Means causing another party to accept the risk, typically by contract or by hedging. Insurance is one type of risk transfer that uses contracts. Some ways of managing risk fall into multiple categories. Risk retention pools are technically retaining the risk for the group, but spreading it over the whole group involves transfer among individual members of the group. This is different from traditional insurance, in that no premium is exchanged between members of the group up front, but instead losses are assessed to all members of the group. Risk mitigation treatments from Wikipedia
James August, CQA 01/21/09 72 Risk mitigation Distribute your risk – don’t put all your eggs in one basket! Some common risk mitigation tools –Design for Six Sigma –Investment hedging –Concurrent Engineering –Employee education & training
James August, CQA 01/21/09 73 Risk mitigation Some mitigation approaches for core processes –Published financial documents – open review –Probability weighted Sales forecasts –Raw material cost projections –FTA and FMEA for design and process simulations and prototyping –Inventory ABC analysis
James August, CQA 01/21/09 74 Risk mitigation and –Freight carrier performance statistics –Statistical Process Control –Electronic surveillance –Hedging –Invoice aging analysis and variance –Process check lists
James August, CQA 01/21/09 75 Risk mitigation Checklists – Sample Risk Checklist for Pricing from the Wired for Growth TM web site Management maintains an accurate awareness of market trends, competitor prices, etc. as determinants of pricing policy. Steps are taken to protect commercially sensitive pricing information from unauthorized access and leakage.
James August, CQA 01/21/09 76 Risk mitigation Checklists – Sample R&D Risk Checklist from the Wired for Growth TM web site Determine whether product development has realistic costs and timeframes. Check that a detailed budget has been established for product development.
James August, CQA 01/21/09 77 Risk mitigation Checklists – Sample Materials Management Risk Checklist from the Wired for Growth TM web site Ensure prompt action is taken to reject substandard supplies and arrange replacement stock. Verify that measures are in place to assess potential suppliers for their competence and commitment to quality. Make sure quality specifications have been defined, authorized and formally documented.
James August, CQA 01/21/09 78 Evaluation (re-evaluation after control)
James August, CQA 01/21/09 79 Risk evaluation revisited Re-evaluate costs and benefits –estimate annual losses associated with each risk –determine frequencies of occurrence –multiply together to calculate the raw Annual Loss Exposure (raw ALE) and sum over all risks
James August, CQA 01/21/09 80 Risk evaluation revisited Re-evaluate costs and benefits –use the valuation calculation that is meaningful to your organization (ROI, NPV, DCF, IRR, etc)
James August, CQA 01/21/09 81 Risk evaluation revisited Re-evaluate costs and benefit –Determine effectiveness of mitigation by recalculating Annual Loss Exposure assuming all controls are working –Determine cost of risk-mitigating controls –Determine improvement in ALE to to controlled recovery
James August, CQA 01/21/09 82 Conclusions
James August, CQA 01/21/09 83 Risk management conclusions Every process has risk, even when just maintaining performance (RTP and ITP) Assessment of new or changed processes can be done by combined cost/ benefit comparisons Assessment of ongoing processes must be expressed in comparison with expected costs and results There is no simple single calculation for risk assessment (FMEA, ROI, …)
James August, CQA 01/21/09 84 After you identify a potential risk, take the five steps to risk management: Control Mitigate Evaluate Identify Define Risk management conclusions
James August, CQA 01/21/09 85 Risk management conclusions Consider the potential risks of every decision Include the RTP decisions as they can hide substantial risk Consider all four risk cases When appropriate support your assessment with recognized c/b calculations
James August, CQA 01/21/09 86 Process control - the mitigation tool for the risk management process –Check lists –Non-financial indexes (FMEA, c p, etc) –Financial calculations (ROI, etc) –SPC –... Risk management conclusions
James August, CQA 01/21/09 87 Personal areas –Employment –Health care –Insurance Retirement funding –Investments Home Car Risk management conclusions
James August, CQA 01/21/09 88 “... the greatest risks are never the ones you can see and measure, but the ones you can’t see and therefore can never measure.” from J Nocera (on N Taleb) in “Risk Mismanagement” New York Times Sunday Times Magazine pg 28, Jan Risk management conclusions
James August, CQA 01/21/09 89 (Four Case) Risk Management Analysis Thank you Questions?