Professor Forman

Enterprise Risk Management

Yes, you CAN manage risks in a comprehensive, scientifically meaningful way that produces optimal risk-adjusted returns with minimal surprises!

However, to do so, you need to be aware of the difference between two kinds of risk: risks we face and risks we take.

Why? Because the focus of risks we face is on uncertain events that matter — the primary concern of chief risk officers and with direction and input from boards of directors and C-level managers — while the focus of risks we take is on decision alternatives — choices made by boards of directors, C-level managers, operations managers and engineers . Recognizing the differences between ‘risks we face’ and ‘risks we take’ is also important because while they are related to one another, they are measured and managed in fundamentally different ways. Managing ‘risk taking’ involves consideration of risk appetites when selecting alternatives while managing ‘risk facing’ involves application of controls according to the risk tolerances of the organization.

Optimization is achievable for both risks we take and risks we face. For risks we take, an optimum choice consists of selecting an alternative or combination/portfolio of alternatives that best achieves an organization’s objectives (taking into account benefits, costs, risks, and opportunities) subject to a variety of constraints. For risks we face, optimization is achieved by selecting a set of controls that best reduces risks to tolerable levels, subject to a variety of constraints.

Both long term and short term risks need to be considered when making risk management decisions. While the losses realized in the long term will be very close to the estimated risks, short term or catastrophic losses, as measured by the probability of losses exceeding some threshold, need to be estimated and avoided so the organization survives in the long term.

Managers are inherently reluctant to invest in controlling risks for events that may never occur. Contrary to previous beliefs, humans are not risk averse. They are risk averse when it comes to gains, but risk seeking when it comes to losses — including uncertain losses or risks. This tendency manifests itself as a reluctance to devote today’s resources in order to prevent or mitigate losses from risk events that may never occur. Scientifically valid measures of risk are necessary to convince management that an ounce of prevention can be worth far more than a pound of cure!

The framework and processes we describe for effective enterprise risk management:

We offer a broader, operational definition of Enterprise Risk Management to include:

  1. Enterprise wide — managing risks across all silos of the organization
  2. All inclusive — managing risks to all organizational objectives
  3. Both facing risks and taking risks — managing risks an organization faces by identifying, measuring, and controlling risk events as well as considering risks and opportunities taken when making decisions involving the selection of one or a portfolio of alternatives.

Click here to see a video of a webinar discussing the above in more detail.

The material that is contained herein is based on an academic, scientific foundation as presented in the following risk analytic courses at The George Washington University:

%d bloggers like this: