Exposures And Vulnerabilities
No matter how hard you try to identify and reduce threats, they can never be completely identified or eliminated.
What risk management provides, though, is a robust framework to help you prepare for adverse events and thus reduce negative effects.
The process of brainstorming to identify potential risks can also reveal vulnerabilities and exposures, so often the process itself is a valuable exercise regardless of actions taken as a result.
Summary of article:
Risk is defined as the effect of uncertain future events
Risk management helps you reduce the effects of and, sometimes the chances of, adverse events
A risk matrix helps you highlight the expected frequency and the severity of risks
Risk response strategies include the 4 ‘Ts’: Tolerate, Treat, Transfer, or Terminate risk
Risk is part of daily life, and whether you realize it or not, you often act as a risk manager. Risk can take different forms, although there is no universal definition and classification of risk.
Risk arises out of uncertainty.
It can be thought of as the effect of uncertain future events, in particular those that could have a negative impact, leading to loss or damage.
A good risk management process helps you reduce the likelihood and severity of adverse events. The consequences of inadequate risk management include everything from investment losses to personal insolvency.
Conceptualize risk management the way a company would:
Identify and prioritize risks
Assess the likelihood and potential severity;
Take preventive or mitigating actions, if necessary; and
Monitor and make adjustments.
Just like your existence, a company’s risk management process is not always planned and often evolves in response to a crisis. Well-run companies, however, benefit from people and processes that enable forward-looking attention to emerging risks. You can be your own chief risk officer by incorporating risk management steps into your periodic financial planning process.
Risk tolerance
This is the level of risk that you are able and willing to take.
Your ability to handle risk is primarily driven by your financial well-being as defined by current income, the likelihood of income continuing and growing, whether you have a buffer between what you earn and what you spend, your current savings, and so forth.
Your willingness to take on risk, which is also called your risk appetite, is another matter and depends on your attitude toward risk. Think about how you specifically define risk for yourself, not just how the investment industry defines risk, which is the volatility of returns.
Your risk management process should also identify key risk indicators that allow you to regularly check-in and confirm that your risk management actions are sufficient and appropriate.
Steps in the Risk Management Process
1. Remind yourself of your financial goals
This is the foundation of your risk management process because it’s pointless to manage risks that are irrelevant to your values and situation. With this as your starting point, you’ll be able to focus your brainstorming efforts on those risks that have the potential to hurt your chances of meeting your goals.
Linking future steps in the process back to this first step will give you confidence that your process is not random, but that everything is interwoven. A strong risk management process helps you make decisions that ensure you stay on track to meet your goals.
2. Detect and Identify Risk Events
The next step in the risk management process is to detect and identify events that may affect achieving your goals.
The aim of risk management is to try to capture the full range of risks, including hidden or hard to imagine ones. Therefore, you should brainstorm about the things that could derail your goals in a broad sense considering all aspects of your life and values.
There will always be unforeseen hazards. No matter how hard you try to identify and reduce threats, they can never be completely identified or eliminated. The complexity of modern life makes it impossible to understand and model the large number of possible outcomes and combinations of outcomes.
What risk management provides, though, is a robust framework to help you prepare for adverse events and thus reduce negative effects. The process of brainstorming to identify potential risks can also reveal vulnerabilities and exposures, so often the process itself is a valuable exercise regardless of actions taken as a result.
3. Assess and Prioritize Risks
No matter what form risk takes, two elements of it are typically considered: 1. the expected frequency of the event, and 2. the expected severity of its consequences.
Different expected levels of frequency and severity of outcomes can be specified in a matrix. This type of risk matrix can be used to prioritize risks and to select the appropriate risk response for each risk identified.
In step #2, you created a list of the risks you identified as relevant to your life and goals. Now, for step #3, you could transpose those risks into your matrix according to the expected severity and frequency of the risk.
Here’s a template of a standard risk matrix:
You could use the above risk matrix to record the results of your brainstorming to create a visual representation of your assessments.
And to enhance that visual representation, you could assign a colour to different zones in your matrix to highlight the need to act. Depending on the expected level of frequency and severity, risks will receive different levels of attention.
For example:
Green in the lower left. Risks in the green area should not receive much attention because they have a low expected frequency and a low expected severity.
Yellow in the lower right. Risks coded yellow are either more likely, but of low severity, or more severe, but unlikely. They should receive a little more attention than risks in the green area, but less attention than risks in the orange area.
Orange, indicating the zone dispersed in the middle, represents the most difficult risks to make decisions about how to manage. Risks in the orange area have a higher expected frequency or a higher expected severity than risks coded yellow, so they should be monitored more actively.
Red in the upper right. Risks coded red should receive special attention because they have a relatively high expected frequency and their effect would be severe.
Black in the upper left. Risks in the black area are highly unlikely but would have a catastrophic effect. These risks are sometimes called “black swans”, which is in reference to the presumption in Europe that black swans did not exist and is a belief that persisted until they were discovered in Australia in the 17th century. These risks are usually not identified until after they occur, which, of course, is a bit of a problem.
4. Select a Risk Response
The next step in risk management is to formulate responses to deal with the risks identified and prioritized in the previous step. For each risk, you’ll select an appropriate response.
Risk response strategies can be classified into four “T” categories:
Tolerate. Accept the risk and its potential effect
Treat. Take action to reduce the risk and its effect
Transfer. Move the risk and its effect to a third party
Terminate. Avoid the risk and its effect by ceasing an activity
5. Control and Monitor
It is at this point that you might want to consult a risk management specialist, also known as an insurance advisor. Having your risk matrix on hand and knowing the risks that are important for you to tolerate, treat, transfer, or terminate will eliminate the risk that you’ll be ‘sold’ an insurance product you don’t need.
In practice, the selection of key risk indicators, mentioned above, is important for the risk management function to be proactive and predictive. Key risk indicators or measures should provide a warning when risk levels are rising. They could be anything from travelling more, to opening a business, riskier hobbies, or a greater number of dependents.
You won’t regret a bit of organizational effort to document your (a) action steps taken and (b) action steps to be taken in the future. A simple handwritten note in a file with your insurance policies would suffice.
What I’ve noticed over the years with clients (and myself) is that because we don’t tend to need to monitor our risk management strategies very frequently, it’s easy to forget what you’ve done. Thus, a quick documentation of your efforts will be helpful.
