Tag Archives: galer

Moving Past ERM: New Focus Is ERRM

No, the title does not have a typo. ERRM refers to Enterprise Risk and Resiliency Management. And, no, it is not necessarily new. When ERM is practiced in a mature and robust fashion, it should add to an organization’s resiliency.

Resilience refers to both the ability to rebound after a loss has occurred due to risk that could not be fully mitigated or was unrecognized and also the ability to capitalize on the upside risk.

Let’s look at two scenarios.

Company A, an industrial manufacturer, implemented ERM several years ago. Its risk committee, recognizing changing climate conditions and weaknesses in an aging facility, got approval for a multi-year investment in flood protection. This decision was made part of the strategic plan. Not only did the company invest in flood gates for its access points to lower levels, but it also cemented over unneeded windows and redesigned storage racks at sub-levels. All drainage lines around the facility were tested and repaired, if required. Very importantly, its business continuity and disaster recovery plans were updated and had been rehearsed doing table top rehearsals. So, when a one-in-50-year flood occurred and crippled other businesses in the area for weeks, Company A was virtually unaffected. It was able to resume full business operations in two days. On top of that, it was able to capitalize on the excellent press coverage it got locally, which enhanced its ability to attract the talent it had been seeking from the area.

For this company, ERM was more than identifying risks and creating reports. It was about taking action to build true resiliency in the face of risk.

See Also: How to Measure the Value of ERM

Company B, a woman’s clothes design and manufacturing company, practiced ERM with a very strategic approach. By that is meant, the risks to the company’s strategic direction were focused on first and became a key component of the risk identification and mitigation processes. When changes in customer preferences and buying habits were identified as risks to the current strategy, the strategy was adjusted accordingly. Since women were trending toward buying fewer and more basic garments, (for example, slacks that could be worn with multiple tops), while buying more accessories at more expensive prices, the company added new product lines such as jewelry and handbags.

As margins became squeezed at less diversified companies, this company prospered. Its quick reaction to emerging risk by adding product lines was rewarded with year-over-year return on equity (ROE) increases for each year of the strategic plan period. In other words, the company found the upside of risk and enhanced its resiliency because of it.

These hypothetical companies, based loosely on actual ones, illustrate that ERM is not just about risk; ERM is about resiliency. It is about the ability to address risk in such a way as to wind up in as good or better a position as the company was before having dealt with the risk or its impact.

How do companies embed resiliency into their ERM programs?   Each of the following points enables greater resiliency, when practiced consistently:

  • ERM needs to be strategic. First, risks to the strategy must be analyzed as well as operational and other risks. Second, risk mitigation plans for all risks that require a significant commitment of organizational resources need to be documented in the strategic plan to ensure there is proper allocation of such resources. In its fifth annual risk report, PwC has a recommendation that reinforces this idea while adding the element of business continuity planning, “Ensure strong triangulation between strategy, risk management and business continuity management.”
  • ERM must be seen to offer insights not only to the downside of risk but also to the upside. How does a given risk offer an opportunity in addition to or instead of a threat? If rising raw material costs are posing a risk to profitability, how can buying consortiums, vertical integration, multi-year contracts or changing the material composition of products pose opportunities? Innovation has a role to play in seeing and responding to the upside of risk. Indeed, risk and managing risk can be catalysts for innovation.
  • ERM mitigation plans need to be as bold as necessary to meet the potential impact level posed by the risk. For example, it does little good to mitigate a reputational risk by issuing a statement of corporate values when hiring a new senior team is what is needed. A particular mitigation plan may need to be as big as entering a new market or leaving an established one, moving a manufacturing center to a new location or making a sizeable technology investment to stay competitive or safeguard property.
  • Business continuity and disaster recovery plans are not sufficient to create resiliency. Public relations plans are also necessary to support resiliency. When there is a serious, public risk event, stakeholders want to know the what, why and how it will be handled. Companies such as British Petroleum (during the BP oil spill in the Gulf) and Toyota (during the faulty power window allegations and recall) learned that statements by CEOs could make the situation worse than it already was thereby heightening the risk. PR plans need to spell out how the company will communicate in terms of transparency, tone and types of meaningful responses it is prepared to make to address the issue in question.
  • ERM must be a continuous process where risks are updated and mitigation plans are monitored and adjusted on a regular basis. Given the pace of change, the ERM process must be as dynamic as the environment within which it exists. When a risk morphs, the actions planned to address it must morph with it, when new risks emerge, tactics to deal with them must be developed. Complacency or slow reaction time will sabotage an ERM process. As such, neither must be allowed to invade the process. If they do, resiliency will surely be sacrificed.

The marketplace continues to see seismic disruption and more massive shocks than ever before. Companies lacking the ability to bounce back from the effect of these will not be able to survive long-term. That is why every effort must be made to create a resilient form of risk management that deserves to be labeled ERRM.

How to Measure the Value of ERM

When the question of whether ERM is a success or failure comes up, it raises a further question: Why aren’t companies doing a better job of measuring the value it generates?

The reasons that the value of ERM is not quantified by companies include:

  • It is extremely hard to know when a loss did not happen because of ERM.
  • It is just as hard to quantify the cost of loss that did not happen.
  • It is difficult to quantify the “soft” benefits of enhanced reputation because ERM is practiced or because of improved strategic alignment in the organization; ERM requires an understanding of the company’s strategic goals and objectives to identify the risks that might derail their achievement.
  • It is often hard to justify the time and expense of measuring something that is not easy to measure.

Having acknowledged some of these obstacles, the only way that companies will know if their ERM efforts are successful is to create some measurement scheme that makes sense for their particular situation. Without measurement, how would a company know not only if it wants to continue an ERM implementation but also how much to invest in it.

Let us look at a few possible approaches to measuring the value of ERM:

Before-and-After Approach

Once an ERM process has gained some level of maturity in an organization, this approach would take the form of looking at fairly common and reliable metrics on a before-ERM and after-ERM basis. (There are ERM maturity models, developed by experts, that can be used to evaluate how far along the path to full or optimal implementation a company has progressed.) In fact, each of the approaches described would only be reasonable if the ERM process had been in place and well-executed for some period.

Naturally, there will multiple variables, not just the practice of ERM, that play into these metrics, but that is true for most metrics, and explanations can and should accompany the numbers to explain such variables.

Such metrics would include: 1) number of insurance claims, 2) number of worker injuries, 3) number of lawsuits related to a risk/loss events, 4) number of days or hours production is lost because of a risk/loss event, 5) cost of insurance and 6) total cost of risk (TCOR). Thus, when reviewed before and after ERM, the metrics can be charted to show absolute changes in value as well as trend lines. It might even be possible to notice on a relative basis that there are fewer risk-related surprises brought to management’s attention because ERM effectively identified risks while there was still time to deal with them.

Each company will be able to come up with its own unique metrics based on what it is currently capturing, what it could capture and what is important to its business operations.

The value of ERM would be evident or could be computed from the before-and-after metrics.

“What If” Approach

In the “what if” approach, one or more of the most significant risks in the risk register, which did not materialize when expected because of mitigation by the company, would be selected. Perhaps this was a regulatory change that would have harmed a product line, but the company took lobbying efforts or did product redesign because the risk was appropriately identified, prioritized and mitigated.

The amount of the loss that the risk would have likely have produced would be computed. Even if it were an insured loss, the estimate would take into account such things as the potential increase in insurance rates, management time and all other attendant expenses not covered.

Since the risk did not produce a loss, the amount of the “what if” loss is the value of ERM.

Alternatively, a significant loss event that affected key competitors but did not affect the company using ERM could be used to assess value. Perhaps it was a natural catastrophe that the company was better protected for or a demographic shift that the company anticipated and reacted to because of ERM.

To get at ERM’s value, the company would have to approximate what the risk, if ignored, would have cost.

Lacking Any Other Explanation Approach

In “The Valuation Implications of Enterprise Risk Management Maturity,” a wholly independent and peer-reviewed research project conducted by Mark Farrell of Queen’s University Management School and Dr. Ronan Gallagher of University of Edinburgh Business School, pub­lished in The Journal of Risk and Insurance, using data from the RIMS Risk Maturity Model, the case is made that, failing any other explanation, the companies with greater maturity have higher valuations because of it. Specifically, the study found that there was “clear and significant statistical correlation between mature enterprise risk management practices and a firm’s value.” Organizations exhibiting mature risk management practices-as assessed with the RIMS Risk Maturity Model-realize a valu­ation premium of 25%.

Discretionary Approach

Yet another approach that does not rely on metrics, per se, is a discretionary approach. In other words, the board, CEO or C-suite could attribute a value to ERM that is based on the recognition that the ERM process has, for example: 1) created a risk aware culture, 2) helped to identify and ameliorate risk, 3) made recovery from risks that have materialized much faster and more efficiently and 4) enhanced the brand among stakeholders.

The discretionary approach does require that management is involved in the ERM process, has an open mind about its contribution and will articulate its conclusions about ERM’s value so that the entire organization is aware of this assessment. Without management’s giving voice to its success, the question of whether it is a success or failure will haunt ERM.

Conclusion

There are undoubtedly other approaches that could be used. The key point is that companies that have invested in introducing ERM should do so in a vigorous way and should measure and communicate its value. This will ensure that the entire organization maintains a commitment to this important process.

3 Criticisms of ERM: Justified?

A large retailer gets hacked, and customer data is taken, which costs millions in expense and lost revenues. A product recall is perceived to be badly handled, which tarnishes a manufacturer’s reputation and seriously erodes revenue, as well as margins. An acquisition fails to produce the expected profit lift and hurts a technology company’s share price. These organizations have implemented ERM, and, clearly, ERM has failed. Or has it?

Let’s look at three criticisms of ERM:

ERM Cannot Identify and Protect Against All Significant Uncertainties

This criticism is fair in the most literal sense only. Even a very robust and well-administered ERM process cannot find every major risk that an organization is subject to, nor can it protect against all risks, whether identified or not. However, without ERM, the ability to identify a majority of significant uncertainties facing an organization is greatly diminished. Not only that, without an ERM approach to risk, the mitigation of known risks is more likely to be addressed silo by silo even when an enterprise-wide solution is necessary.

In addition, with ERM, organizations are generally better prepared to rebound from unexpected, unidentified risks that do hit them. For example, ERM organizations typically have very robust business continuity and business recovery plans, have done tabletop exercises or drills that simulate a crisis and have maintained a lessons-learned and special expertise file that can be called upon, as needed.

According to a post by Carrier Management, citing RIMS, “A whopping 77% of risk management professionals credit enterprise risk management with helping them spot cyber risks at their companies.”

These survey results do not suggest that chief risk officers or risk managers, who are responsible for the ERM process, are cyber experts or that all cyber risks can be specifically ascertained. Rather, the survey suggests that ERM better positions a company to discover cyber risks, just as it does with other categories of risk.

If ERM can reduce business uncertainties and surprises by identifying risks and managing them better than other forms of risk management, despite not being able to do so 100% of the time, it has not failed. In fact, it has most probably added great value. Consider a CEO who can avoid even one unnecessary sinking feeling when realizing that a risk that should have been spotted and dealt with has hit the company. How much is it worth to that CEO to prevent that feeling?

ERM Focuses on the Negative Rather Than the Positive

This criticism is not fair in any sense. It requires an upside-down view of ERM. Think about it. In almost any definition of ERM, there is some sort of statement as to the purpose or mission of ERM. The purpose is to better ensure that the organization achieves its strategy and objectives. What could be more positive?

By dealing with risks that challenge the ability of the organization to meet its targets, ERM is fulfilling an affirmative and important task. That most risks pose a threat is not disputed. But by removing, avoiding, transferring or lessening threats, organizations have a better chance of succeeding.

This is not the only positive result that can emanate from ERM’s handling of risk. Often, a thorough examination of a risk will result in opportunities being uncovered. The opportunity could take the form of innovating a product or entering a new market or creating a more efficient workflow.

Consider a manufacturer that builds a more ergonomic chair because it has identified a heightened risk of lawsuits arising from some new medical diagnoses of injuries caused by a certain seat design. Or, consider an amusement park that is plagued by its patrons throwing ticket stubs and paper maps on the ground, thereby creating a hazard when wet or covering dangerous holes or obstacles. Imagine that the company decides to reduce the risk by increasing debris pick-up and offering rewards to patrons for turning in paper to central depositories, then turns it into “clean” confetti sold to a party goods manufacturers.

These are hypothetical examples, but real-life examples do exist. Some are quite similar to these. Many risk managers, unfortunately, are reticent to share their success stories in turning risk into a reward. For that matter, many are reluctant to share their successes of any kind. One could speculate why this is so. It may be as simple as not wanting to tempt the gods of chance.

ERM Is Too Expensive

Those who criticize ERM for being too expensive to implement may lack information or perspective. Consider the following questions:

  • Has ERM been in place long enough to produce results?
  • Has the organization started to measure the value of ERM (there are ways to measure it)?
  • Can an organization place a dollar value on avoiding a strategic risk or a loss that does not happen; does it need to?
  • Has the number of surprises diminished?
  • Are there successes along with failures?
  • How much is it worth to enhance the company’s reputation because it is seen as a responsible, less volatile company because of ERM?
  • How efficiently has the ERM process been implemented?
  • Is too much time being spent on selling the concept rather than implementing the concept?
  • Has the process and reporting of ERM results been kept clear and simple?

To answer the criticism of a too expensive process, the following are things that a company can do to make sure the process is cost-effective:

  • Embed the process, as far as feasible, into existing business processes, e.g. review strategic risk during strategic planning, hold ERM committee meetings as part of or right after other routine management meetings, monitor ERM progress during normal performance management reviews, etc.
  • Assign liaisons to ERM in the various business units and functional departments who have other roles that complement risk management.
  • Do not try to boil the ocean; keep the ERM process focused on the most significant risks the company faces.
  • Measure the value that ERM brings, such as reduction in suits or lower total cost of risk or whatever measures are decided upon by management.

In the author’s purview of ERM in various organizations, the function tends to be kept very lean (without diminution of its efficacy). If the above suggestions are adopted, along with other economical actions, the costs associated with the process can be kept in balance with the value or well below the value.

Conclusion

It is possible for an ERM process to be poorly executed, and thus deserve criticism. It is also possible for an ERM process to be well-executed and deserve nothing more than continuous improvement.

The caution is that no one should expect perfection or suppose that one unanticipated risk that creates a loss denotes a total failure of this enterprise-wide process. Organizations are sometimes faced with situations that are beyond a reasonable expectation of being known or managed.

It would be fair to lodge criticism of ERM under certain circumstances; for example, if an organization’s ERM process did not reveal a risk that all its competitors recognized as a risk and addressed. But even in that case, perhaps there were reasons to think the risk would not penetrate protections the organization already had in place. Suffice it to say, every process and situation must be evaluated on its own merits and within the proper context.

3 Keys to Achieving Sound Governance

Of the many definitions of governance, the simplest ones tend to have the most clarity. For the purpose of this piece, governance is a set of processes that enable an organization to operate in a fashion consistent with its goals and values and the reasonable expectations of those with vested interests in its success, such as customers, employees, shareholders and regulators. Governance is distinct from both compliance and enterprise risk management (ERM), but there are cultural and process-oriented similarities among these management practices.

It is well-recognized that sound governance measures can reduce the amount or impact of risk an organization faces. For that reason, among others, ERM practitioners favor a robust governance environment within an organization.

A few aspects of sound governance are worth discussion.  These include:  1) transparency and comprehensive communications, 2) rule of law and 3) consensus-building through thorough vetting of important decisions.

Transparency 

Transparency lessens the risk that either management or staff will try to do something unethical, unreasonably risky or wantonly self-serving because decisions, actions and information are very visible.  An unethical or covert act would stand out like the proverbial sore thumb.

Consider how some now-defunct companies, such as Enron, secretly performed what amounted to a charade of a productive business. There was no transparency about what assets of the company really were, how the company made money, what the real financial condition actually was and so on.

Companies that want to be transparent can:

  • Create a culture in which sharing of relevant data is encouraged.
  • Publish information about company vision, values, strategy, goals and results through internal communication vehicles.
  • Create clear instructions on a task by task basis that can used to train and be a reference for staff in all positions that is readily accessible and kept up to date.
  • Create clear escalation channels for issues or requests for exceptions.

Rule of Law

Good governance requires that all staff know that the organization stands for lawful and ethical conduct. One way to make this clear is to have “law abiding” or “ethical “as part of the organization’s values. Further, the organization needs to make sure these values are broadly and repeatedly communicated. Additionally, staff needs to be trained on what laws apply to the work they perform. Should a situation arise where there is a question as to what is legal, staff needs to know to whom they can bring the question.

The risks that develop out of deviating from lawful conduct include: financial, reputational and punitive. These are among the most significant non-strategic risks a company might face.

Consider a company that is found to have purposefully misled investors in its filings about something as basic as the cost of its raw materials. Such a company could face fines and loss of trust by investors, customers, rating agencies, regulators, etc., and individuals may even face jail time. In a transparent organization that has made it clear laws and regulations must be adhered to, the cost or cost trend of its raw materials would likely be a well documented and widely known number. Any report that contradicted common knowledge would be called into question.

Consider the dramatic uptick of companies being brought to task under the Foreign Corrupt Practices Act (FCPA) for everything from outright bribes to granting favors to highly placed individuals from other countries. In a transparent organization that has clearly articulated its position on staying within the law, any potentially illegal acts would likely be recognized and challenged.

How likely is it that a highly transparent culture wherein respect for laws and regulations is espoused would give rise to violations to prominent laws or regulations? It would be less likely, thus reducing financial, reputational and punitive risks.

The current increase in laws and regulations makes staying within the law more arduous, yet even more important. To limit the risk of falling outside the rule of law, organizations can:

  • Provide in-house training on laws affecting various aspects of the business.
  • Make information available to staff so that laws and regulations can be referenced, as needed.
  • Incorporate the legal way of doing things in procedures and processes.
  • Ensure that compliance audits are done on a regular basis.
  • Create hotlines for reporting unethical behavior.

Consensus-Building

Good governance requires consultation among a diverse group of stakeholders and experts. Through dialogue and, perhaps some compromise, a broad consensus of what is in the best interest of the organization can be reached. In other words, important decisions need to be vetted. This increases the chance that agreement can be developed and risks uncovered and addressed.

Decisions, even if clearly communicated and understood, are less likely to be carried out by those who have not had the chance to vet the idea.

Consider a CEO speaking to rating agency reviewers and answering a question about future earnings streams. Consider also that the CFO and other senior executives in separate meetings with the rating agency answer the same question in a very different way. In this scenario, there has clearly not been consensus on what the future looks like. A risk has been created that the company’s credit rating will be harmed.

To enhance consensus-building, companies can:

  • Create a culture where a free exchange of opinions is valued.
  • Encourage and reward teamwork.
  • Use meeting protocols that bring decision-making to a conclusion so that there is no doubt about the outcome (even when 100% consensus cannot be reached).
  • Document and disseminate decisions to all relevant parties.

During the ERM process step wherein risks are paired with mitigation plans, improved governance is often cited as the remedy to ameliorate the risk. No surprise there. Clearly, good governance reduces risk of many types. That is why ERM practitioners are fervent supporters of strong governance.

10 Questions Boards Should Be Asking on Risk Management

Although most boards of directors are aware of risk and the need to manage it, many board members do not actually know much about risk management or how to oversee it. This article reviews a list of questions that may help board members execute their mandate. The list is not comprehensive but is illustrative of important points a board member would want to know about how an organization is managing its risk.

  • Who is responsible for the enterprise risk management or risk management process?

Without assigning someone clear accountability for the process of risk management, it is unlikely that risks would be identified, prioritized and mitigated across an organization on a periodic basis and in a thorough way. In addition, it is unlikely risk would be given the focus that is required to achieve a reasonable degree of control over the many uncertainties facing organizations in today’s highly dynamic marketplace.

Less important are such details as the title of the individual with the accountability or how large a budget or staff the individual is provided. A named, accountable person is key to ensuring that a sound process is in operating.

  • What are the most significant risks to the strategy, and what is being done to address these?

Given that failures are generally caused by a strategic risk that has not been addressed rather than by a catastrophic storm or single cyber attack, for example, it is vital for organizations to know and deal with their strategic risks.

Strategic risks typically involve aspects of the business such as:

  1. What is the organization’s vision of the future – does it take into account where technology, science and other dynamic forces are going?
  2. What is the mission – what does the organization make or sell, to whom and in which geographies?
  3. What are the goals and objectives – how much does the organization want to grow, at what margins, keeping what capital and debt levels?
  4. What are the values – how does the organization want to behave and be perceived in the marketplace?
  5. What is the position with strategic partners, investors and vendors?
  • Is there a single risk register that collates all significant risks (strategic and non-strategic), with action plans to mitigate them?

Strategic and non-strategic risks of a certain magnitude should be combined into one risk register that allows management and the board to see:

  1. all the major risks
  2. what is being done to mitigate them
  3. what is the progress against the risk mitigation plan

The board should expect to see such a report or ask for one, if it is not already being created.

  • What are the top 10 risks overall?

These should be top of mind for the organization’s senior team at all times and be a familiar topic of discussion with the board. Board members should consider if these make sense based on all the information they have been privy to about the organization.

  • Do individual performance plans include risk management?

If managing risk is really important to the organization, the individual performance plans of a large number of employees at different levels of the organization should include a specific objective or task related to risk management. Thus, the performance against these would be evaluated at regular intervals. It is well-known that what gets measured gets managed, and what gets rewarded gets attention.

  • Who is responsible for information technology security?

Clear accountability for the task of ensuring IT security is also critical. With the risk of cyber breaches, demands for service, extortion and stealing of bank accounts and intellectual property so high, an organization needs to ensure it has the necessary expertise to create a secure technological platform. This can be in the form of hired staff or expert contractors.

In the case of some recent, high-profile breaches, it appears that the role of chief information security officer (CISO) was either non-existent or that the individual filling the role was brand new. An inference can be drawn that a seasoned CISO who understood the organization might have made a difference.

Of course, having the role filled does not guarantee never having a security risk come to fruition. But it does reduce the risk to some extent, and having a CISO makes the discovery and recovery from a breach or attack quicker and more efficient when one does occur.

  • Do all employees get some information and training on identifying and reporting a risk? Is there a risk reporting “hot-line”?

The answer to this question will give the board insight into several things. If there is a hot-line, it shows that the organization is seriously interested in identifying risks and that the topic of risk is being handled fairly transparently within the organization. If there is not one, the board may wonder why there is no channel for the rank and file to alert management about risks.

  •   Have correlated risks been looked for, and what are they?

Large and small organizations, alike, have the potential to harbor correlated risks. Correlated risks are a group of risks that might occur at the same time because there is a relationship of some sort among them. The aspect at play could be:

  1. a geography in common
  2. a single source with multiple ties. For example, a company that has call centers, data processing and manufacturing plants in a single Southeast Asia country has the potential for correlated risk if that country is hit by a natural catastrophe, political upheaval or some other turbulence.  Another example is, if different product units of a manufacturing company use the same supplier for raw materials or OEM parts, there is the potential for correlated risk if that supplier is unable to deliver on its orders.

A correlation might also be in terms of chain reactions. One risk event may give rise to other risks, which is often true in the case of natural disasters such as earthquakes and hurricanes.

A question about correlated risks will not only elicit an answer about those risks but also provide insight as to whether risk is being discussed in depth and across organizational silos.

  • Are a business continuity plan and disaster recovery plan in place?

No matter how robust a risk management process is, a company will experience catastrophes of one sort or another from time to time. There is a need for plans that deal with these because reaction speed is critically important in managing them well.

The business continuity plan has the aim of keeping all or some of the business running from another venue or with back-up systems or on-call staff, or whatever allows continuous operations. The disaster recovery plan has the mission to restore normal operations as quickly as possible after the business has been interrupted in whole or in part.

In reviewing these plans, key elements to look for include:

  1. a communication hierarchy for notification that is complete and up to date
  2. a decision tree for creating clarity around who can make which decisions
  3. a list of third-party resources that have been previously vetted and can be called in to assist – some will be part of any insurance policies that may be triggered by the risk/loss event.
  • What risks are being transferred by insurance versus what is being mitigated internally, and what is the quality of the insurer?

Insurance can be an effective and efficient way to handle risk when it is used in a well-constructed fashion. The board will want to consider high-level issues such as:

  1. Is the right set of risks covered; i.e. those that are less predictable, require special expertise and are beyond the financial wherewithal of the organization to withstand?
  2. Are the right limits being purchased; i.e. is the value of the policy high enough to truly cover a major loss?
  3. How highly is the insurer rated, and what is its claims service reputation.

A way in which the board can judge the merit of the answers to these questions is to find out:

  1. the kind of analysis that was done to determine the insurance program
  2. who did the analysis
  3. whether there is benchmark information to look at from comparable organizations.

There are, undoubtedly, other questions that the board may need to ask. These are an excellent starting place for getting a sense of how well the organization is addressing risk.