Professor Forman

Enterprise Risk Management

Yes, you CAN manage risks in a comprehensive, scientifically meaningful way that produces optimal risk-adjusted returns with minimal surprises!

However, to do so, you need to be aware of the difference between two kinds of risk:

Risks we face

Risks we take

When facing risks, we identify, analyze, and control uncertain events.

Risks We Face

Events that matter, resulting in losses to one or more organizational objectives. Risks we face are the primary concern of chief risk officers — with direction and input from boards of directors and C-level managers.

When taking risks, we identify, analyze and decide on one or more alternatives.

Risks We Take

Alternatives from which decision makers such as boards of directors, C-level managers, operations managers and engineers choose one or a combination (portfolio) of alternatives.

Recognizing the difference between ‘risks we face’ and ‘risks we take’ is important because they are distinct but related — measured and managed in fundamentally different ways.

Managing ‘risk taking’ involves consideration of risk appetites when selecting alternatives.

Managing ‘risk facing’ involves identification and selection of controls based on the risk tolerance of the organization.

With scientifically valid measurement methods, optimization is achievable for both risks we take and risks we face.

For Risks we Take

an optimum choice consists of selecting an alternative or combination/portfolio of alternatives that best achieves an organization’s objectives (making trade-offs among benefits, costs, risks, and opportunities) subject to a variety of constraints.

For Risks we Face

optimization is achieved by selecting a set of controls that best reduces risks to tolerable levels, subject to a variety of constraints.

Both long term and short term risks must be considered when making risk management decisions. While the losses realized in the long term will be very close to estimated risks, short term or catastrophic losses, as measured by the probability of losses exceeding some threshold, need to be estimated and avoided so the organization survives in the long term.

The ‘long term’ loss is, by the classical definition of risk, the expected or average loss. The law of large numbers assures us that in the ‘long term’, the losses that we experience due to uncertain events will be very close to the expected loss — or risk.

Monte Carlo simulations are useful, indeed necessary in order for us to understand ‘short term’ losses — in the form of loss exceedance curves or probabilities.

Short term losses are typically viewed as probabilities of exceeding a specific percentage or absolute value of loss. Short term losses are shown by loss exceedance curves generated with Monte Carlo simulations.
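As an added illustration (not code from the page or from Professor Forman's courses) of the two quantities just described, the script below takes a constructed, hypothetical risk register, computes the classical expected annual loss analytically, and then runs a Monte Carlo simulation to produce points on a loss exceedance curve. All event names, probabilities and loss ranges are assumptions chosen for the example.

```python
import random
from statistics import mean

# Constructed risk register (hypothetical values, not from the page):
# (event name, annual probability, minimum loss, maximum loss) in dollars.
# Loss magnitude, if the event occurs, is assumed uniform on [min, max].
RISK_REGISTER = [
    ("ransomware outage",    0.10,   500_000,  3_000_000),
    ("data-centre flood",    0.02, 2_000_000, 20_000_000),
    ("key-supplier failure", 0.15,   100_000,  1_000_000),
    ("regulatory fine",      0.05,   250_000,  5_000_000),
]

def expected_annual_loss(register):
    """Classical risk: sum over events of probability x mean loss (long-term view)."""
    return sum(p * (lo + hi) / 2 for _, p, lo, hi in register)

def probability_any_event(register):
    """P(at least one registered event occurs in a year) = 1 - P(none occur)."""
    none_occur = 1.0
    for _, p, _, _ in register:
        none_occur *= (1 - p)
    return 1 - none_occur

def simulate_annual_losses(register, years, seed=1):
    """Monte Carlo: one simulated total loss per year, independent events."""
    rng = random.Random(seed)            # fixed seed keeps the run reproducible
    losses = []
    for _ in range(years):
        total = 0.0
        for _, p, lo, hi in register:
            if rng.random() < p:         # does the event occur this year?
                total += rng.uniform(lo, hi)
        losses.append(total)
    return losses

def loss_exceedance(losses, threshold):
    """P(annual loss > threshold): one point on the loss exceedance curve."""
    return sum(1 for x in losses if x > threshold) / len(losses)

def exceedance_curve(losses, thresholds):
    """Short-term view: exceedance probability at each loss threshold."""
    return [(t, loss_exceedance(losses, t)) for t in thresholds]

if __name__ == "__main__":
    sims = simulate_annual_losses(RISK_REGISTER, years=100_000)
    print("expected annual loss (analytic):", expected_annual_loss(RISK_REGISTER))
    print("mean simulated annual loss:     ", round(mean(sims)))
    print("P(any event in a year):         ", round(probability_any_event(RISK_REGISTER), 4))
    for t, pr in exceedance_curve(sims, [1_000_000, 5_000_000, 10_000_000]):
        print(f"P(loss > {t:>12,}) = {pr:.4f}")
```

The simulated mean converges on the analytic expected loss as the number of years grows (the law of large numbers), while the exceedance curve shows the short-term probability of a loss large enough to threaten survival.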

Managers are inherently reluctant to invest in controlling risks for events that may never occur. Contrary to previous beliefs, humans are not risk averse. While humans are risk averse when it comes to gains, they are risk seeking when it comes to losses — specifically when it comes to uncertain losses or risks. This human tendency manifests itself as a reluctance to devote today’s resources to preventing or mitigating losses from events that may never occur.

Managing risks comprehensively and scientifically is necessary to determine the level of resources (money, people, …) to apply today to reduce risks for events that may never occur. Unlike issues, which are certain to occur, risk events are uncertain and may never occur. So, there is a natural tendency for managers to put off expenditures today in order to prevent losses from events that may not occur in the next year, five years, or 10 years. However, the law of large numbers tells us that, given a large number of risks that can occur, one or more WILL occur!

Comprehensive and scientifically valid measures of risk are necessary in order to convince management that an ounce of prevention can be worth far more than a pound of cure!

The mayor of Houston decided not to invest 30 million dollars or so to fix the levees that needed fixing. The losses from Hurricane Harvey amounted to a thousand times that amount.

Comprehensive and scientifically valid risk measurement and management will prevent issues from becoming risks and risks becoming crises!

An ideal framework and process for effective enterprise risk management:

We offer a broader, operational definition of Enterprise Risk Management to include:

  1. Enterprise wide — managing risks across all silos of the organization
  2. All inclusive — managing risks to all organizational objectives
  3. Both facing risks and taking risks — managing risks an organization faces by identifying, measuring, and controlling risk events as well as considering risks and opportunities taken when making decisions involving the selection of one or a portfolio of alternatives.

Click here to see a video of a webinar discussing the above in more detail.

The material that is contained herein is based on an academic, scientific foundation as presented in the following risk analytic courses at The George Washington University:

