What should an awesome risk report look like?

Companies and regulators love reports, disclosures and transparency. And nobody loves risk reporting more than me. Trouble is, risk reports are RM1. If we wanted to really make a difference to decision makers, we would switch from risk reporting to risk-adjusted performance reporting instead. Risk managers always have a choice: generate their own risk reports or use the outputs of risk analysis to improve existing performance and management reports instead. To me the choice is clear. Integrating risk information into existing management reporting is the future. So, what should a risk-adjusted performance report look like?

5 items you would expect to see in an awesome performance report:

1. Probability of achieving a target or an objective / likelihood of success

A useful metric that risk managers should communicate to decision makers is the probability of meeting / achieving an objective or target. Think of it as achievability given the risks. If your performance report has targets or objectives, then risk managers can measure and report how achievable they are and whether they are more achievable today than last month. Norman Marks calls this likelihood of success and Tim Leech calls it objective centric. I provide a step-by-step guide on how to do it here. This can be represented as a single number (70% probability of achieving business plan objective) or as bands (forecasted performance falls within acceptable range). A separate likelihood of success needs to be reported for each significant objective. Archer Insight, for example, does a good job presenting risk information as probability distributions around the objective.

2. Risk-adjusted performance metrics

Most of the time it makes no sense to report on the risks themselves; instead, information about risks can be represented as the effect on some existing performance metric. Taleb calls it X and f(X). They also call it f(x) in operations research. Sure, we can quantify any risk, build a loss exceedance curve and even make important conclusions related to the mitigation of that specific risk. This is called X. But it is so much more useful to measure the effect of risk on a decision or an objective instead. This is called f(X) or function of risk.

This can look like representing the risks associated with an investment project as volatility of NPV, or the risks associated with a construction project as volatility of budget and schedule. Risks associated with production can be represented as volatility of the volume of product produced. Another option is assigning future cash flows to their associated risk expectations to inform decision makers that some promises are more certain than others. Other metrics like RAROC are also good examples.

Obviously it would be weird to see risk-adjusted metrics in a risk report; instead, good risk managers change how performance is reported in existing performance and management reports.

3. VaRs, EaRs, cVaRs

There are certain risks where it makes sense to report them as standalone items. For these risks a loss exceedance curve is normally generated and useful metrics like expected losses, VaR (unexpected losses), probability above threshold, etc. are determined.
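The metrics named above can be read off a Monte Carlo simulation of annual losses. The following is an added example, not the author's code: the risk register, the dollar figures and the function names are constructed assumptions, and it also reports the likelihood of success from item 1 using the same simulated losses.

```python
import math
import random

# Constructed risk register (assumption): annual probability, median loss, log-sigma.
RISKS = [(0.30, 2.0, 0.8), (0.10, 8.0, 1.0), (0.05, 20.0, 1.2)]  # losses in $m

def simulate_losses(n_years=20_000, risks=RISKS, seed=7):
    """Monte Carlo: total loss per simulated year across all risks."""
    rng = random.Random(seed)
    years = []
    for _ in range(n_years):
        total = 0.0
        for prob, median, sigma in risks:
            if rng.random() < prob:  # does the event occur this year?
                total += rng.lognormvariate(math.log(median), sigma)
        years.append(total)
    return years

def exceedance_curve(losses, levels):
    """Points of the loss exceedance curve: (level, P(loss > level))."""
    n = len(losses)
    return [(lv, sum(l > lv for l in losses) / n) for lv in levels]

def standalone_metrics(losses, confidence=0.95, threshold=10.0):
    """Standalone view (X): expected loss, VaR, cVaR, probability above threshold."""
    ordered = sorted(losses)
    k = max(0, math.ceil(confidence * len(ordered)) - 1)  # quantile index
    tail = ordered[k:]  # losses at or beyond the VaR level
    return {
        "expected_loss": sum(ordered) / len(ordered),
        "var": ordered[k],
        "cvar": sum(tail) / len(tail),
        "p_above_threshold": exceedance_curve(losses, [threshold])[0][1],
    }

def likelihood_of_success(losses, planned_profit, target_profit):
    """f(X): share of scenarios where profit net of losses still meets the target."""
    hits = sum(planned_profit - l >= target_profit for l in losses)
    return hits / len(losses)

if __name__ == "__main__":
    sims = simulate_losses()
    print(standalone_metrics(sims))
    print(exceedance_curve(sims, [1, 5, 10, 25, 50]))
    print(likelihood_of_success(sims, planned_profit=40.0, target_profit=35.0))
```

Rerunning the same functions each reporting period and comparing the likelihood of success with last period's value gives the "more achievable today than last month" view described in item 1.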

This is what a typical loss exceedance curve looks like:

[Figure: typical loss exceedance curve]

It makes sense to report risks as standalone if they need to be monitored on a regular basis and have a specific and mature market for mitigation, for example credit risk or market risks. Sometimes we reported operational risks as well, but usually to serve a specific and once-off narrow purpose like purchasing an insurance policy or adjusting maintenance budget or mitigating an environmental risk.


If there is a culture within the organisation to track and monitor specific financial risks, then it is common to pull that information into a separate risk report and present it on a regular basis to monitor whether risk exposure is within limits. Since VaR recalculation requires risk models, companies usually automate that part of risk reporting. More on that in the next section.

4. Limit breaches and activated stop losses

Whenever risks are quantified as standalone, unexpected losses or VaRs can be used to set limits, with the middle office monitoring against the target risk exposure. The risk management team plays an important internal control role by recalculating VaRs frequently, monitoring risk exposure and activating stop losses if risk exposure goes outside limits. This work usually requires close collaboration with finance, treasury and commercial teams.

5. Transparent methodology with a back test

Finally, an awesome risk-adjusted performance report would make the methodologies used in risk analysis transparent to the decision makers and provide clear results of the back tests used. Showing evidence of past back tests is important to give decision makers the confidence needed to make the decisions based on the information presented.

What would you add to the risk-adjusted performance report? Catch Graeme, David and me just before the FERMA event in Copenhagen to share ideas.

 


Alex Sidorenko is an expert with over 15 years of private equity, sovereign wealth fund risk management experience across Australia, Russia, Poland and Kazakhstan. In 2014 Alex was named the Risk Manager of the Year by the Russian Risk Management Association.

YOUTUBE: https://www.youtube.com/channel/UCog9jkDZdiRps2w27MZ5Azg
BLOG: https://riskacademy.wordpress.com

Alex specializes in integrating risk management into strategic and investment planning and decision making at venture capital, private equity, investment authorities and sovereign funds across the world. Alex worked as a Head of Risk Management at RUSNANO, one of the largest private equity funds in Russia, specializing in technology investment. Alex won an award for best ERM implementation at RUSNANO in 2014.

As a VP at Institute for strategic risk analysis in decision making, Alex is responsible for risk management consulting, training and certification across Russia and CIS. Alex is the co-author of the global PwC risk management methodology, the author of the risk management guidelines for SME (Russian standardization organization), risk management textbook (Russian Ministry of Finance), risk management guide (Australian Stock Exchange) and the award-winning training course on risk management (best risk education program 2013, 2014 and 2015).

In 2012 Alex created RISK-ACADEMY (www.risk-academy.ru), a web portal dedicated to risk management training across Russia and CIS. Since then RISK-ACADEMY has become a global brand providing risk management services to some of the largest organizations in the world.

Alex recently published his second risk management book called “Effective Risk Management 2.0”. Alex also regularly presents at risk management conferences in the Middle East, Russia and Europe. In November 2012 Alex shot a TV series dedicated to risk management in start-ups. Alex teaches risk management at major Russian business schools as well as corporate universities.
