3.3 Risk Management process
3.3.2 Risk evaluation
After correct risk assessment and categorization, companies are able to see which risks they are exposed to and obtain a comprehensive picture of the industry and environment in which they operate.
The purpose of risk evaluation is to make decisions, based on the outcomes of risk analysis and identification, about which risks need treatment and which are treatment priorities.66
66 AS-NZ 4360-2004 Risk Management, Standards Australia/Standards New Zealand, Australia, 2004, p. 19
Table 14: Porter's five forces
After identifying the general risks, it is important to estimate how important each risk is, and how vulnerable a company could become if a particular risk were to be left out of the Risk Management process.
Obviously, not all exposures are equally relevant and therefore prioritization is extremely important. Risk prioritization can be both simple and very complex. The simplest way is an estimation based on the “gut-feeling” of top management. Complex ways of performing risk prioritization are based on various stochastic models which most corporations develop to support their decisions. Andersen says that a gut feeling should not be underestimated and stochastic models should not be overestimated. Managers are always knowledgeable and perceptive, and are usually the most able and competent people in an organization; therefore, their gut feeling is very important.67
Advanced evaluation is based on comparing the estimated risks against risk criteria that the organization has established. The risk criteria may include associated costs and benefits, legal requirements, socio-economic and environmental factors, concerns of stakeholders, etc.
The most common method of risk evaluation is the likelihood and impact matrix. Likelihood is based on the probability of the risk occurring, and impact is based on how heavily the organization would be affected financially.
67 Finkelstein S.: Why smart executives fail, and what You can learn from their mistakes, Penguin Group 2004. ISBN: 1-59184-010-4, p 2-4
The FERMA framework suggests a likelihood scale for threats as well as a likelihood scale for opportunities. This part of the thesis will focus on the likelihood of an unwanted occurrence, which is described by FERMA in the following way:
Table 15: Risk evaluation matrix (axes: Likelihood and Impact, each running from LOW to HIGH)
Table 16: Likelihood description

| | Description | Indicators |
|---|---|---|
| HIGH | Likely to occur each year or more than 25% chance of occurrence | Potential of it occurring several times within the time period (for example 10 years). Has occurred recently. |
| MEDIUM | Likely to occur in ten year time period or less than 25% chance of occurrence | Could occur more than once within time period (for example 10 years). Could be difficult to control due to some external influences. Is there a history of occurrence? |
| LOW | Not likely to occur in a ten year period or less than 2% chance of occurrence | Has not occurred. Unlikely to occur. |
Example of an impact table proposed by FERMA:
Table 17: Impacts description

| | Description |
|---|---|
| HIGH | Financial impact on the organisation is likely to exceed xEUR. Significant impact on the organisation's strategy or operational activities. Significant stakeholders concern. |
| MEDIUM | Financial impact on the organisation is likely to be between xEUR and yEUR. Moderate impact on the organisation's strategy or operational activities. Moderate stakeholders concern. |
| LOW | Financial impact on the organisation is likely to be less than xEUR. Low impact on the organisation's strategy or operational activities. Low stakeholders concern. |
The framework of likelihood and impact proposed by FERMA is not a directive. Some organizations find that assessing likelihood and impact on a three-level scale (low, medium and high) is quite adequate for their needs and can be presented as a 3x3 matrix. Other companies might want to use a 5x5 matrix or even a 6x6 matrix, which they might find more detailed and useful.68 An example of a more detailed assessment of likelihood and impact is Saxo Bank A/S, which uses a 6x6 matrix.
68 Federation of European Risk Management Association- A Risk Management Standard FERMA, UK, 2002
Table 18: Likelihood defined by Saxo Bank A/S
Rating Criteria - Likelihood

| Score | Rating | Description |
|---|---|---|
| 6 | Frequent occurrence | Occurs more often than 3 times a year |
| 5 | Almost certain | Occurs 1-3 times per year |
| 4 | Likely | Occurs once every 1-3 years |
| 3 | Moderate | Occurs once every 3-10 years |
| 2 | Unlikely | Occurs once every 10-25 years |
| 1 | Rare | Occurs more seldom than once every 25 years |

Source: Saxo Bank A/S
Regarding impact, Saxo Bank A/S uses six criteria as well. The scale, from a minor impact to a catastrophic impact which could threaten the firm’s existence, can be seen below.
Table 19: Impact rating criteria defined by Saxo Bank A/S
Rating Criteria - Impact

| Score | Rating | Description |
|---|---|---|
| 6 | Catastrophic | Could threaten the firm’s existence |
| 5 | Severe | Estimated more than 2 months of profit before tax, but do not threaten the existence of the firm |
| 4 | Major | Estimated between 10 days and 2 months loss of profit before tax |
| 3 | Significant | Estimated 1-10 days average loss of profit before tax |
| 2 | Moderate | Estimated 10-100% loss of the average daily profit before tax |
| 1 | Minor | Loss of less than 10% of the average daily profit before tax. |

Source: Saxo Bank A/S
Another tool that can be used for risk evaluation is an influence matrix, from which management is able to identify risk interdependencies and treat them based on their final score.
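Table 20: Example of an influence matrix69

| | Risk 1 | Risk 2 | Risk 3 | .... | Risk n | Active score |
|---|---|---|---|---|---|---|
| Risk 1 | x | 1 | 0 | 0 | 2 | 3 |
| Risk 2 | 1 | x | 2 | 2 | 0 | 5 |
| Risk 3 | 0 | 0 | x | 2 | 2 | 4 |
| .... | | | | x | | … |
| Risk n | 2 | 2 | 2 | 2 | x | 8 |
| Passive score | 3 | 3 | 4 | 6 | 4 | |

0 - no influence, 1 - some influence, 2 - major influence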
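The active and passive scores of Table 20 can be computed as row and column sums of the influence matrix. The following Python sketch is an added example, not part of the original thesis. It assumes that the elided "...." row (named "Risk 4" here, a hypothetical label) contains only zeros, which is the only filling consistent with the passive scores shown in the table, and that risks are ranked by active score, which the text does not prescribe.

```python
# Influence scale from the table legend: 0 = no influence, 1 = some, 2 = major.
ALLOWED = {0, 1, 2}


def influence_scores(names, matrix):
    """Return {name: (active, passive)} for a square influence matrix.

    matrix[i][j] is the influence of risk i on risk j. The diagonal
    (a risk's influence on itself, "x" in the table) is ignored.
    """
    n = len(names)
    if len(matrix) != n or any(len(row) != n for row in matrix):
        raise ValueError("influence matrix must be square and match names")
    for i, row in enumerate(matrix):
        for j, v in enumerate(row):
            if i != j and v not in ALLOWED:
                raise ValueError(f"{names[i]} -> {names[j]}: {v!r} is not 0, 1 or 2")
    # Active score: how strongly a risk drives the others (row sum).
    active = [sum(v for j, v in enumerate(row) if j != i)
              for i, row in enumerate(matrix)]
    # Passive score: how strongly a risk is driven by the others (column sum).
    passive = [sum(matrix[i][j] for i in range(n) if i != j)
               for j in range(n)]
    return {name: (active[k], passive[k]) for k, name in enumerate(names)}


def rank_by_active(scores):
    """Risk names ordered by active score, highest first (assumed ranking rule)."""
    return sorted(scores, key=lambda name: scores[name], reverse=True)


X = None  # diagonal placeholder, the "x" cells of Table 20
NAMES = ["Risk 1", "Risk 2", "Risk 3", "Risk 4", "Risk n"]
MATRIX = [
    [X, 1, 0, 0, 2],
    [1, X, 2, 2, 0],
    [0, 0, X, 2, 2],
    [0, 0, 0, X, 0],  # assumed: the elided "...." row, filled with zeros
    [2, 2, 2, 2, X],
]

if __name__ == "__main__":
    scores = influence_scores(NAMES, MATRIX)
    for name in rank_by_active(scores):
        print(name, "active=%d passive=%d" % scores[name])
```
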
Risk evaluation is very important in order to assign importance to each risk. It is basically used to make decisions about the significance of risks to the organization and whether each specific risk should be accepted or treated.