Identifying Risks

ERM programs all start out with a suggestion that you must identify your risks.

Risks should be identified within several major categories.  Here is a typical list of categories for an insurer:

  • Insurance Risks
    • Underwriting
    • Reserving
  • Investment RIsks
    • Interest
    • Credit
    • Equity
    • Foreign Exchange
  • Other Counterparty Risks
  • Operational Risks
    • Legal/Compliance
    • IT
    • Distribution
    • Human Resources
    • Operations
  • Strategic Risks
  • Group Risks

Sounds simple enough.  But there are two ways to do this that give very different results.

  1. Top Down
  2. Bottom Up

The bottom up process is urged by COSO and requires volumes of documentation and hours and hours of meetings and discussions.  The result is a list of as many as 100 or more risks for a major sized organization.  This process requires at least a year to accomplish.  However, at the end of that year, the top executives of the firm will find that the product may well not be ready for them to get any use out of it.

That is because risk identification and in fact risk management takes on very different character at different levels of the organization.  There almost needs to be three different risk management programs at any larger organization.  One that is oriented to the top management, one that is oriented to the middle management and one that is oriented to the supervisory levels.

The COSO type risk identification process is designed to serve the  supervisory and middle management.  The initial risk identification process is done at the supervisory level, which at a very large organization can mean hundreds of people.  The findings are eventually summarized and ranked, but the summary is at a level that is appropriate for middle management attention.

The top management is better served by a risk identification process that is more top down.  If top management is unable or unwilling to do the risk identification work themselves, then it can be a middle up process.

Regardless of how the process is started or ended, there will need to be guidelines for for the significance of risks.  A typical bottoms up risk identification can end up with well over 100 risks often as many as 200.

Prioritization is the second half of this basic risk management step.  And the prioritization will depend upon the significance of the risks and significance will be based upon a measurement of the risks.  Which is the second fundamental practice of ERM.

The thresholds should be established for significance of risks that should get board attention, a lower threshold that should get top management attention, then a lower threshold for middle management attention and a lower threshold for risks to get attention from supervisors.

None of the risks identified by the detailed bottoms up process are unimportant, but it is important to determine WHO they should be important to.

Risks can be mapped in a frequency severity matrix.

The third step of this practice is to classify the significant risks between those risks that are known by management to be well controlled and those that are less well controlled.

Immediate attention can then be focused on those risks that were shown to be of high significance and lower control, providing an immediate valuable product out of this very first stage of ERM.

This post is the first in a series to discuss the 8 ERM Fundamental Practices.  There is more material for starting ERM programs at Introduction to ERM.

Explore posts in the same categories: Risk Identification


You can comment below, or link to this permanent URL from your own site.

7 Comments on “Identifying Risks”

  1. Sonia Jaspal Says:

    Excelllent post. Your point is very valid, at CXO level risks are not identified and addressed. Most of the programs operating in the comapnies is at middle and junior level. That is the reason there is limited understanding of strategic risks and why CRO’s don’t have visibility at board level.


  2. riskviews Says:

    Some good discussion of how to use Brainstorming to identify risks.

  3. Greg Sosbee Says:

    Yes a fully executed ERM Matrix will alert any organization to all risks they will face. That is the point of the matrix. If it doesn’t, the matrix is incorrect.

    “Insurance Risks” and “Group Risks” are not risks. Insurance is another term for risk financing, not a “risk” term. As such it is an option for the treatment of identified risks, not a risk in itself. The exposure generated from insuring certain risks is the counter party credit risk presented by each of the insurers. In a multi-unit organization the “Group Risk” is the risks presented by the group which has its own ERM Matrix.

    • riskviews Says:

      Sorry I was not clear whose risks. I was thinking of an insurance company. For them, Insurance written are risks that they assume and must manage as their first priority. List would be completely different for a company in a different sector. (I am going to edit the post to fix that omission).

      • Greg Sosbee Says:

        Understand, but capital allocation (common finance/insurance processes) and the risk selection (underwriting) and reserve management risks to an insurance company are operational risks. The risk financing component then becomes reinsurance.

  4. Robert Arvanitis Says:

    No standardized risk-schema can alert an enterprise to all the risks they face.
    For example, Japan is threatened by China’s cut off of critical minerals. A supply chain issue.
    A clever observer could force that into “other counterparty” or else shoe-horn it into “operations.”
    But that taxonomy-twisting would NOT alert an enterprise to the risk beforehand, before it was too late.
    Risk schema are a starting point. But we need robust and adaptive methods like “red team” challenges to traditional strategies.
    Just as water always finds the hole in the pail, a motivated group of outsiders will find weaknesses to which escape group-think mainstream planners.
    Even more robust, play the game! It’s often shocking how few variables can replicate complex behaviors. Simulate competitors, clients, suppliers and most critical in today’s enviroment, politicos and regulatory intruders.
    Surprising and edifying results are the norm for such exercises.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: