• The Sarbanes–Oxley Act (2002) requires management to certify the accuracy of financial information of companies listed on US exchanges. The guidelines cover issues relating to risk assessment and internal controls, rather than management decision-making.
• A number of other organisations have provided guidelines, recommendations and standards relating to risk assessment and its methods. A few examples include:
  • The International Organization for Standardization (ISO) has published ISO 31000 Risk Management – Principles and Guidelines and ISO 31010 Risk Management – Risk Assessment Techniques. The British Standards Institution (BSI) has published BS 31200:2012 Risk Management: Code of practice and guidance for the implementation of BS ISO 31000, and other works.
  • The Institute of Risk Management (IRM), the Association of Insurance and Risk Managers (AIRMIC), Alarm (the Public Risk Management Association), the Federation of European Risk Management Associates (FERMA) and the Committee of Sponsoring Organizations (COSO) each regularly publish documents, such as COSO Enterprise Risk Management – Integrated Framework. Each provides guidance on risk management processes and controls for management. The PRMIA (Professional Risk Managers' International Association) also publishes on a number of similar topics.
Of course, organisations will not succeed simply by following mandated guidelines: of utmost importance is the ability to create, identify and exploit opportunities that are aligned with strategy, create value and have some competitive differentiation. According to financial theory, in efficient markets, higher risks should be associated with higher returns only where such risks cannot be reduced in an economically efficient way or diversified away: the taking of risk per se is not rewarded. In contrast to many personal situations (for which the making of an “adequately good” decision is usually sufficient), organisations exposed to high levels of competition will need to perform to a superior standard, and to create opportunities, structure projects and make decisions that are (close to) the best possible ones available.
Formalised risk assessment can support effectiveness in these areas in several ways:
• Supporting the consideration of a full range of decision options.
• Helping to ensure that the opportunities being considered are value-creative and structured optimally.
• Ensuring that decisions are supported by robust rational analysis and data, and are appropriately transparent.
• Ensuring more transparent trade-offs and appropriate risk tolerances in decision-making.
• Reducing biases in analysis and in decision-making.
• Ensuring that project execution risks are appropriately considered within decision evaluation processes, as well as within the detailed implementation projects.
Businesses almost always require that important decisions are supported with fairly detailed quantitative analysis. Risk assessment can be used to support this in many ways:
• Reflecting the reality that the situation inherently contains risk and uncertainty.
• Providing a structured process to ensure that all relevant factors are included in the analysis and quantitative model.
• Understanding the range of possible outcomes, and generating an understanding of how likely a particular (e.g. “base”) case is to be achieved, and what modifications are required (e.g. to targets, inclusion of contingencies, implementation of risk-response measures, or development of new structural options).
• Enhancing the ability to compare projects with different risk profiles, and to support the development of optimal business portfolios.
• Allowing risk tolerances to be made explicit and reflected in decision-making, in a way that is aligned with organisational objectives (see below for further discussion).
• Increasing transparency, reducing biases and supporting the achievement of the appropriate balance between intuition and rationality in decision-making.
Robust decision-making in business contexts requires a consideration of risk tolerances:
• Corporate governance. Shareholder demands for appropriate risk taking (to create rewards for equity investors by taking appropriate risk) need to be reflected in decision-making and in project selection: in theory (and practice), some companies should be more risk seeking than others, but it would seem difficult for a company to appropriately manage its risk profile without knowing and measuring (quantitatively) how much risk is being taken. Instead, very often, such processes remain intuitive, non-transparent and elusive, and are likely to be suboptimal.
• Consistency. Without a formal consideration of risk tolerances, a decision that would be authorised on one occasion may not be authorised on another. Thus, in one instance a project that is high risk/high reward may be favoured over a lower risk/lower reward one, whereas in similar circumstances on another occasion the reverse would be the case. This may be due to the presentation or framing of the decision, or to short-term inconsistencies and fluctuating optimism or pessimism that occur in day-to-day behaviours when formal processes are not put in place.
• Business portfolio optimisation. Most businesses can be considered as portfolios of components (e.g. customers, geographies, projects or products). As such, there is an optimisation aspect to the appropriate business design and strategic choices, with an optimal portfolio consisting of a combination of components with different profiles, so that some elements balance out against others.
Given these drivers, the application of a formalised risk analysis process in many business situations is likely to create significant benefits in terms of the quality of the final decision.
1.4 The Objectives and Uses of General Risk Assessment
Risk assessment processes and tools are already widely used in some business contexts. Typical applications include general planning and forecasting (e.g. revenue and capital expenditure, financing needs), cost estimation and contingency planning, project schedule uncertainty, portfolio structuring and optimisation, valuation of the flexibility associated with being able to respond to uncertain outcomes or to gain additional information (such as real option analysis), and general decision-making under uncertainty. Such applications are relevant to essentially any sector; key examples include oil, gas, energy, resources, construction, pharmaceuticals, insurance, reinsurance and finance.
Of course, formalised risk assessment is much more than simply “expecting the unexpected” by identifying possible risk factors in advance. Ultimately, the overall objective is to enhance organisational performance through superior project design, selection, decision-making and management. In particular, the essential role of risk assessment is to support the development and choice of the optimal context in which to operate (operating within the best structural context, and mitigating and responding to risks within it in the best way), and to support the evaluation of a final decision within that context by taking into account the residual uncertainty and risk tolerances of the decision-maker. This may be achieved through more specific objectives, which are generally of several forms:
• Adapting and improving the design and structure of plans by managing, mitigating or exploiting uncertainties.
• Achieving optimal project structures and economically efficient risk mitigation.
• Enhancing decision-making concerning project evaluation, objectives and target setting, contingency planning and the reflection of risk tolerances within the decision-making processes.
• Managing project execution and implementation effectively.
• Constructing, selecting and optimising business portfolios.
• Supporting the creation of strategic options and corporate planning.