Tag Archives: palisade

4 Steps to Integrate Risk Management

Let me start by saying that integrating risk management into strategic planning is NOT doing a strategic risk assessment or even having a risk conversation at the strategy-setting meeting; it is so much more.

Kevin W. Knight, during his first visit to Russia a few years ago, said, “Risk management is a journey… not a destination.” Risk practitioners are free to start their integration journey at any process or point in time, but I believe that evaluating strategic objectives at risk can be a good starting point. The evaluation is relatively simple to implement yet has an immediate, significant impact on senior management decision making.

Step 1 – Strategic Objectives Decomposition

Any kind of risk analysis should start by taking a high-level objective and breaking it down into more tactical, operational key performance indicators (KPIs) and targets. When breaking down any objectives, it is important to follow the McKinsey MECE principle (ME – mutually exclusive, CE – collectively exhaustive) to avoid unnecessary duplication and overlapping. Most of the time, strategic objectives are already broken down into more tactical KPIs and targets by the strategy department or HR, saving the risk manager a lot of time.

This breakdown is a critical step to make sure risk managers understand the business logic behind each objective and helps make risk analysis more focused.

Important note: While it should be management’s responsibility to identify and assess risks, the business reality in your company may be that sometimes the risk manager should take the responsibility for performing risk assessment on strategic objectives and take the lead. 

Example: Risk Management Implementation

VMZ is an airline engine manufacturing business in Russia. The product line consists of relatively old engines, DV30, which are used for the medium-haul airplanes Airliner 100. The production facility is in Samara, Russia. In 2012, a controlling stake (75%) was bought by an investment company, Aviarus.

During the last strategic board meeting, Aviarus decided to maintain the production of the somewhat outdated DV30, although at a reduced volume due to plummeting sales, and, more importantly, to launch a new engine, DV40, for its promising medium-haul aircraft Superliner 300.

See also: What Gets Missed in Risk Management  

The board signed off on a strategic objective to reach an EBT (earnings before tax) of 3,000 million rubles by 2018.

Step 2 – Identifying Factors, Associated With Uncertainty

Once the strategic objectives have been broken down into more tactical, manageable pieces, risk managers need to use the strategy document, financial model, business plan or the budgeting model to determine key assumptions made by management.

Most assumptions are associated with some form of uncertainty and hence require risk analysis. Risk analysis helps to put unrealistic management assumptions under the spotlight. Common criteria for selecting management assumptions for further risk analysis include:

  • Whether the assumption is associated with high uncertainty.
  • Whether the assumption impact is properly reflected in the financial model (for example, it makes no sense to assess foreign exchange risk if in the financial model all foreign currency costs are fixed in local currency and a change in currency insignificantly affects the calculation).
  • Whether the organization has reliable statistics or experts to determine the possible range of values and the possible distribution of values.
  • Whether there are reliable external sources of information to determine the possible range of values and the possible distribution of values.

For example, a large investment company may have the following risky assumptions: the expected rate of return for different types of investment, an asset sale timeframe, timing and the cost of external financing, rate of expected co-investment, exchange rates and so on.

Concurrently, risk managers should perform a classic risk assessment to determine whether all significant risks were captured in the management assumptions analysis. The risk assessment should include a review of existing management and financial reports, industry research, auditors’ reports, insurance and third party inspections and interviews with key employees.

By the end of this step, risk managers should have a list of management assumptions. For every management assumption identified, risk managers should work with the process owners and internal auditors and use internal and external information sources to determine the ranges of possible values and their likely distribution shape.

Example: Risk Management Implementation (Continued)

The assessment would look into:

Macroeconomic assumptions

  • Foreign exchange
  • Inflation
  • Interest rates (rubles)
  • Interest rates (USD)

Materials

  • DV30 materials
  • DV40 materials

Debt

  • Current debt
  • New debt

Engines sales

  • New DV30 sales volume
  • New DV40 sales volume
  • DV30 repairs volume
  • DV40 repairs volume
  • DV30 price
  • DV40 price

Other expenses

  • Current equipment and investments in new
  • Operating personnel
  • General and administrative costs

Based on the management assumptions, VMZ will significantly increase revenue and profitability by 2018. Expected EBT in 2018 is 3,013 million rubles, which means the strategic objective will be achieved.

We will review what will happen to management projections after the risk analysis is performed in the next section.

See also: A New Paradigm for Risk Management?  

Step 3 – Performing Risk Analysis

The next step includes performing a scenario analysis or Monte Carlo simulation to assess the effect of uncertainty on the company’s strategic objectives. Risk modeling may be performed in a dedicated risk model or within the existing financial or budget model. There is a variety of different software options that can be used for risk modeling. All examples in this guide were performed using the Palisade @Risk software package, which extends the basic functionality of MS Excel or MS Project to perform powerful, visual, yet simple risk modeling.

When modeling risks, it is critical to consider the correlations between different assumptions. One of the useful tools for an in-depth risk analysis and identification of interdependencies is a bow-tie diagram. Bow-tie diagrams can be done manually or using the Palisade Big Picture software. Such analysis helps to determine the causes and consequences of each risk and improves the modeling of them as well as identifying the correlations between different management assumptions and events.

The outcome of risk analysis helps to determine the risk-adjusted probability of achieving strategic objectives and the key risks that may negatively or positively affect the achievement of these strategic objectives. The result is strategy@risk.

Example: Risk Management Implementation (Continued)

The risk analysis shows that while the EBT in 2018 is likely to be positive, the probability of achieving or exceeding the strategic objective of 3,000 million rubles is 4.6%. This analysis means:

  • The risks to achieving the strategy are significant and need to be managed
  • Strategic objectives may need to change unless most significant risks can be managed effectively

Further analysis shows that the volatility associated with the price of materials and the uncertainty surrounding the on-time delivery of new equipment have the most impact on the strategic objective.

Management should focus on mitigating these and other risks to improve the likelihood of achieving the strategic objective.

Tornado diagrams and result distributions will soon replace risk maps and risk profiles as they much better show the impact that risks have on objectives.

This simple example shows how management’s decision making process will change with the introduction of basic risk modelling.

Step 4 – Turning Risk Analysis Into Actions 

Risk managers should discuss the outcomes of risk analysis with the executive team to see whether the results are reasonable, realistic and actionable. If indeed the results of risk analysis are significant, then management, with help from the risk manager, may need to:

  • Revise the assumptions used in the strategy.
  • Consider sharing some of the risk with third parties by using hedging, outsourcing or insurance mechanisms.
  • Consider reducing risk by adopting alternative approaches for achieving the same objective or implementing appropriate risk control measures.
  • Accept risk and develop a business continuity/disaster recovery plan to minimize the impact of risks should they eventuate.
  • Change the strategy altogether (the most likely option in our case)

Based on the risk analysis outcomes, it may be required for the management to review or update the entire strategy or just elements of it. This is one of the reasons why it is highly recommended to perform risk analysis before the strategy is finalized.

See also: A Revolution in Risk Management  

At a later stage, the risk manager should work with the internal auditor to determine whether the risks identified during the risk analysis are in fact controlled and the agreed risk mitigations are implemented.

Join our free webinar to find out more (click the link to see available dates and times). Read the full book from which this is adapted. You can download it for free here.

How to ‘Gamify’ Risk Management

In 2014, I collaborated with EY to develop Russia’s first risk management business game. It was great fun, and as a result we created a pretty sophisticated business simulation.

Participants were split into teams of 10, each person receiving a game card that describes a role (CEO, CFO, risk manager, internal auditor, etc.). At the start of the game, teams must choose one of four industry sectors (telecom, oil and gas, energy or retail) and name their company. The game consists of four rounds, in each of which teams must make risk based decisions. Each decision has a cost associated with it and a number of possible outcomes. Teams must analyze and document the risks inherent in each decision they make. The riskier the decision, the higher the probability of adverse outcome. At the end of each round, a computer simulation model chooses a scenario, and the outcome is announced to each team.

AAEAAQAAAAAAAAlVAAAAJDA3YTMxZGQyLTNjMWQtNDA1ZC1hNDkyLWYxODE4NWM2Nzc1Mw

The aim of the game is to increase the company valuation by properly weighing risks and making balanced business decisions. The winning team is the one that increased its company’s value the most after four rounds.

This game was successfully played by participants at two risk management conferences as well as postgraduate students at the Moscow Institute of Physics and Technology.

See also: Can Risk Management Even Be Effective?  

More information about first game is available here. Let me know if your company is interested in sponsoring the translation and running the game in English.

Risk management business game 2015

In 2015, I started working with Palisade to develop something a little different.

Just like in the previous version of the game, the participants were split up into teams of 10. However, the game mechanics have changed substantially. Each player still receives a card describing a role, but this time the card provides a complete history of the character’s role within the company and assigns each player a unique secret mission.

AAEAAQAAAAAAAAkXAAAAJDkyYjY4MWY2LTVjNzktNDIyOC04NjVjLWI5NTZiNDRhNmM3ZQ

The aim of the game is to successfully complete a merger between a large holding company and an innovative startup. The game, as before, consists of four rounds. The first round involves performing a risk assessment of the target company. Each team must identify 10 significant risks using only the information provided on the cards.

The second, third and fourth rounds are dedicated to the management of these risks. Each identified risk has between 5 and 10 possible mitigation strategies that can be selected by the team. Each team has a limited budget dedicated to risk mitigation, and each mitigation action has a cost.

The effects of each mitigation action selected by the teams was modeled using Palisade@Risk to determine whether it increases or decreases the value of the target company. The winning team is the one that increases the value of the target company more than the others and is then able to complete the merger.

More information is available here. Let me know if your company is interested in sponsoring the translation and running the game in English.

Risk management business game 2015 (online version)

With the help of eNano, we went even further and produced an interactive risk management business game (only available in Russian). This game combined an e-learning course and an interactive business simulator.

AAEAAQAAAAAAAAkkAAAAJDljMGRmYzkxLTM4NGMtNGU1MC05ZjdmLWJmYjViMDFhM2MwYg

Each participant takes on the role of general manager of one of three innovative companies. They then receive tasks that need to be completed throughout the e-learning course:

  • First, each participant needs to conduct interviews with all colleagues to identify and document risks;
  • Then he needs to evaluate risks using the information presented. Note that, just like in real world, most of the information presented is biased;
  • Then he needs make difficult decisions relating to risk mitigation given a limited budget;
  • During the last step, participants need to develop an action plan designed to improve risk culture.

All of these steps increase or decrease the company valuation. You can find out more about this course here.

Risk management game 2016

This game is the result of collaboration among Risk-academy, Palisade, Institute for Strategic Risk Analysis (ISAR) and Deloitte. Together we have created an amazing business game to teach non-financial management and staff how to perform risk modeling on day-to-day management decisions.

AAEAAQAAAAAAAActAAAAJGFkNTI0MWUwLTYxYzctNDhiNy1hNjRiLTYxNmYwMTBlYmVkNg

Participants will have to play a role of an aircraft engine manufacturing company. Each team has prepared a business case for a multimillion-dollar plant modernization. Unfortunately, the project plan have just been rejected by the board, so teams only have a couple of hours to conduct in-depth risk analysis and present an updated business case to the board.

See also: Risk Management, in Plain English  

The game is focused on risk modeling, requiring participants to identify and validate management assumptions, identify relevant risks, establish ranges and select possible distributions for each assumption, perform Monte Carlo simulation using Palisade@Risk and present the final results. All this has to be performed in limited time and with incomplete information… just like in real life. And just to add a little bit of drama, like in real life participants have to deal with unexpected “black swans” during the game.

The aim of the game is to prepare risk analysis for a multimillion-plant modernization investment project. The team with the highest risk-adjusted rate of return wins.

This game has also become one of the modules in the risk management training ran by ISAR; more information is available here.

Due to lots of positive comments, the latest risk modeling game is now available in English here.

What’s next?

The latest game was both hard and entertaining, so we began talks with our partners to turn it into an online risk quantification championship. The games will require online registration, have downloadable content and require proper risk modeling. Championships will run once a quarter, and winners will receive wonderful prizes.