We were asked today - What risk reduction actions can we apply? We share our response below:
Risk management has actions or strategies
Risk reduction may be implied from each strategy or used to support one or more strategies. However, first, the entity should identify the outcome from the strategies it is trying to achieve and its objective.
The starting point has to be “your” Risk Appetite (or management's consensus of the risk appetite, which is typically the lowest common acceptable level and not the head of operations' or the operator's risk appetite). Ask: What risks are inherent in your business or business model?
Some practitioners think risk management is all about risk reduction or, as it is often misdescribed, risk optimization. Unfortunately, a good reading of the core text on risk advises that Black Swans exist and occur more frequently than we expect because of our cognitive thinking and behaviours.
So whilst I comment below on what each strategy means in the context of risk reduction, bear in mind that the interpretation of a manager or a third party (a regulator, a judge or wider society) as to what is an acceptable risk reduction action, control or strategy may dictate the consensus on what risk reduction action or control is required. We still live with the hindsight that the Titanic had not assessed the risk of a multi-hull breach and did not have adequate lifeboats for the passengers and crew. You must be very clear on what your risk appetite is, and what the true risk faced by your firm is, before you try to engage in risk reduction.
There is a steady-state level of risk in the market and the environment. Merely by operating in the market or business environment, you have an exposure to the market level of risk. Trying to reduce your risk below the market level does not reduce your risk. Volatility happens: you can seek risk-reducing actions, but you will still be exposed to a compound function of the frequency and scale of impact from normal volatility in the market/environment. Typically the cost of risk reduction strategies that try to reduce the risk below the market level will exceed the benefit. A classic example: since the 2008 market crash, regulators have introduced much higher capital and liquidity controls in banks. We still do not know if the banks over the long term can generate the rewards for shareholders and stakeholders from these additional controls. The new controls and risk reduction actions on capital and liquidity for banks under Basel III etc. have created opportunities for rich pickings for fintech firms, trading houses and alternative lenders.
You can use risk controls to seek to “control” or understand your risk reduction program. However, the risk may still exist or be present and occur more frequently than you would like or expect.
Avoid Risk: Risk reduction here is to not conduct or engage in an activity that exposes you to the risk. For example, running petroleum transportation services is a dangerous business. I was engaged by an asset financing firm which, effectively to avoid the inherent risk the asset owner faces (joint and several liability with the operator and driver), decided that it was outside their risk appetite and set a risk control to reduce the risk: they would not own, lease or operate fuel trucks or tankers. They would happily engage in the business of other tanker types: food, chemicals, water bowsers, sewage etc.
Mitigate: Risk reduction here is to accept the risk, but to impose actions, criteria or controls to contain or mitigate the risk. In my prior example, an owner or operator may consider several actions or controls to mitigate the risks attaching to petroleum transportation (effectively to keep the risk within a lower risk appetite, controlling the frequency and/or impact of the risk arising). Actions: special training for drivers to handle dangerous loads; regular training to ensure loading and unloading of the product follows strict, specific safety rules (clear the forecourt, no smoking, adequate ventilation, one tanker on a forecourt at a time, pump pressures, dispensing and loading rules); higher frequency of maintenance and safety checks on the tankers; pressure venting; speed limits; regular cleaning of the tanks at each end plus the transportation unit (and the additional safety training and procedures required for tank cleans); pre-checking the safety of all planned road trips (the road surface can cope with the tanker's weight and distribution, adequate bridge clearances, no tight bends in the road, traffic volumes and time of day, planned road works); pre-checking weather conditions and operational rules on when to suspend deliveries; rules on loads and what fuel is loaded (diesel, paraffin, regular petrol and hi-octane will each have different rules); no passengers on the plane when dispensing into an airplane; building the tankers with a special design to stop back pressure; use of special steels and alloys; a shorter operational life than asset life; etc.
Transfer: The firm understands it has a risk, but the appetite might not be there. Risk reduction action examples: whether you trade on imports and exports under CIF or FOB. Or, to reduce the risk, the firm engages a specialist carrier to transfer the risk exposure. This could be operations outsourced to a specialist operator, as the skills are not in-house: let a specialist carrier conduct the transportation. You will find most large independent fuel garages and airports don't try to collect petroleum from the depot/refinery; they rely on specialist carriers. They still have a risk (they are responsible for the goods in the tanker, as many large independent fuel stations are), but they engage a specialist to complete the transportation. Note: if the firm only pays for fuel delivered at the service station delivery point, the entity has followed the risk reduction strategy of Risk Avoidance, accepting only fuel dispensed into the entity's locally owned tank.
Some “risk managers” or “risk management service” providers classify buying insurance as risk transfer. Sadly, this is not true, as insurance can be used as a control, and controls fail: the mitigation of transfer does not always work. Insurance providers set out clauses in insurance contracts which may nullify the policy; for example, all policyholders declare the controls and actions they use to control the risk. However, Black Swans occur and controls fail, and the insurance policy may not pay out, may pay out a much lower amount than was planned, or may be inadequate. For many people this could be that the alarm was not turned on when they were burgled, or the front door was unlocked, or the list of valuables and the evidence of value was in the house when it burnt down. For corporate examples, a vehicle hitting a railway bridge or exploding in a tunnel are some of the largest insurance claims on record, and the firm might not have completed the correct driver's training, or the driver was tired having broken the layover rules on the tachograph: simple but important matters that can lead to no payout. Another thing that happens is that the insurance company wrote a risk share policy, i.e. the risk transfer only insured a percentage (typically 80%) of the risk and the entity held a percentage of the risk for its own account.
Accept the risk: You may find you have to take the risk to be in the business. However, accepting the risk does not mean you just ignore the impact and run with it. The firm can still undertake risk reduction actions and controls similar to the risk mitigation strategies; however, you will find the risk appetite and tolerance may be much higher and the amount the firm is willing to spend on risk reduction controls and strategies is lower. These firms tend to consider that they can weather the risk volatility, or want to seek to profit from it. Investing in a market index fund, for instance, means you accept both the upside and downside risk in the equity market pool holdings with no risk reduction.
A good example of accepting the risk I encountered was a case where the bank's customers required 24/7 uptime at 99.9% to manage the ATM network for service levels. The bank could not achieve this through risk controls and actions, and they were not prepared to run the full risk of a lower tolerance uptime. The sheer cost of the UPS, data centres, real-time back-ups, switchover (and yes, routers and connectors fail) and network infrastructure needed to achieve operational success levels (disaster recovery risk reduction strategies need to be end to end) was too much of a burden on the bank's operational management and cost. They rationally decided it was not their core business, even though they engaged in the risk taking. The bank accepted they were the responsible party under Accept rules, but felt they could cover this with a risk reduction strategy: recovering any potential losses, at an agreed charge x downtime hours, from a third-party provider who could guarantee the required system uptime for the ATM service. So they decided to engage a specialist to run the data centres and keep the network up and running to support the ATMs. The specialist had a different risk appetite to the bank and won the contract by offering the service level the bank required (i.e. service provision at a lower net cost), but accepted the risk of a higher tolerance for losses arising from non-performance, and did not spend the money on infrastructure, UPS, back-up data centres etc. The service provider's rationale (read: cognitive dissonance) was that they believed they could effectively manage disaster recovery faster and more efficiently. What happened is that the normal range of standard deviation volatility occurred, combined with multiple control failures (the perfect storm in the risk analysis sense), and the “black swan” event occurred. Over a specified period the system was out for 24 hours over an end-of-month peak shopping Saturday (2 am to 10 pm).
The risk reduction actions of the outsourced supplier suffered from cognitive dissonance: thinking they could control or reduce the risk when they had accepted a higher risk tolerance. The bank still had to pay the fines, penalties and costs for the network failure (including the loss of customers and the adverse press and brand impact, the wider risk impact), but the outsourced supplier made a payment (Operational Loss) for the downtime to the bank: a single, smaller, one-off payment under the contract (Agreed Price Rate x Downtime). The outsourced supplier was never known to the market. The bank took the full brunt of the Risk Acceptance inherent in operating the ATM payment system, and suffered brand damage and lost customers and revenue on a scale exceeding the risk reduction compensation they had agreed. The outsourcing did not reduce the risk; it was merely a small offset in costs. Was risk reduction achieved? The bank and the third-party supplier had risk reduction actions and controls, but underestimated the impact and frequency, or the risk assessment, of a perfect storm.
In the risk book “Black Swan”, the author describes how buying out-of-the-money options always proved for him to be a profitable trade, as the market underestimated the risk reduction actually required from the option risk premiums to properly price the options for the natural occurrence of market volatility. More cognitive dissonance in the behaviour of the market and environment.
A similar flow-through happens when you have an insurance claim under a policy: you get an immediate payment for the event (or a new building, as the case may be), but the wider impact on your customers, service levels, reallocation of management time, push-back of the business strategy etc. is still experienced by the firm. The risk was curtailed (reduced) in cash flow terms, but the overall risk and consequential impact of the risk event covered under the policy was not reduced.
I hope this helps you better understand risk reduction and the actions you can take to manage your risks.