Five Buckets of Risk
Forget about risk registers and risk models.
To manage your risks, you then need to know
- which bucket each risk goes into;
- How much is already in each bucket;
- How much you want to have in each bucket.
Each bucket will have different rules for how it is monitored and managed. About who must pay attention to the new risks going into the bucket. And who makes sure that what was put in the buckets still belongs in that bucket.
One way to define the five buckets would be to say that
Bucket 5 – these risks must be approved by the Board. The Board must monitor all of the risks in this bucket very regularly. Strategic Risks belong in this bucket. Especially large concentrations of risks should go into this bucket. Risks that are of a size that an adverse experience might endanger the company’s survival must go into this bucket. Once the Board has agreed on what it wants in this bucket, then they should require management to assert that they are getting regular reports on all of the exposures that the companies has or are considering that should go into this bucket.
Bucket 4 – there risks must be approved and are monitored by the CEO and top management.
Bucket 3 – these risks must be approved and are monitored by a business unit head.
Bucket 2 – these are risks that must be approved and are monitored by supervisors or middle managers.
Bucket 1 – these are risks that do not need approvals.
The criteria for assigning risks to buckets will vary from company to company. One criteria may be size, another familiarity with the risk. Volatility or extreme losses per unit of activity that is mugh higher than normal for the company should mean a higher number bucket.
The funny thing about this system is that absolutely everyone already uses the bucket system. But few have written down the definitions of what goes into each bucket. Few monitor the risks systematically.
To go from an unconscious five bucket risk management system to a Five Bucket ERM System all that is needed is to formalize the assignments, monitor that risks in each bucket regularly, produce reports that show how much risk that is in all of the buckets at regular intervals.
The final step in shifting to an a Five Bucket ERM System is to shift from using the buckets to monitor risk to using them to manage risk. That means shifting from activity metrics to risk metrics. It also means identifying the profits that are coming from each bucket. It leads to conscious decisions of how muck risk that can be accepted in each bucket.
The first step in this transition for everyone is to start to notice the buckets that are already right there in your office.