Efficiency of Enterprise Risk Management: The Black Swan Effect

Ömer Gencay ÜNLÜ
Published in DataBulls, Jul 25, 2022


1-INTRODUCTION

Enterprise risk management (ERM) is the process of planning, organizing, directing, and controlling the movements of an organization to minimize the harmful effects of risk on its processes (Mark Beasley, 2020). ERM covers the actions taken in response to risk: avoiding, accepting, transferring and improving (Nayak, 2010).

Enterprise Risk Management (ERM) has recently emerged as an important and relatively new business trend which incorporates the principles of a traditional Risk Management approach. According to a KPMG (2001) report, it is a more structured and disciplined practice aligning strategy, processes, people, technology, and knowledge to assess and operate the uncertainties the company encounters as it creates value (KPMG, 2001). ERM is a new phenomenon which involves risks associated not only with health, safety and finance but also with technological, reputational and other business areas (Nayak, 2010).

Companies that adopt ERM practices try to identify risks by grading the risks they detect in terms of impact and probability, and by determining their limits within the scope of their perception and acceptance level (risk tolerance and capacity). But one of the things to think about with all these efforts is why crises are still unpredictable (Havemann, 2008).

While ERM is still an emerging field, its weaknesses have also emerged. One of these weaknesses concerns the events called Black Swans[1]. A Black Swan can be understood simply as a low-probability/high-impact, unknown-unknown or unknown-known event (Aven, 2013).

The second part of the study examines ERM and two popular frameworks, the third part the Black Swan and its development, and the fourth part the effectiveness of the logic of risk management studies against Black Swans. The conclusion examines how an ERM system can take responsibility for Black Swans.

2- ENTERPRISE RISK MANAGEMENT (ERM)

a- ERM Frameworks

In this section, we discuss two popular frameworks that are commonly used for ERM (i.e. the COSO[1] ERM framework and the Protiviti Risk Model[2]).

i-COSO ERM Framework

In 2001, the Committee of Sponsoring Organisations of the Treadway Commission (COSO) initiated a project and engaged PricewaterhouseCoopers (PWC) to develop a framework that would be readily usable by managements to evaluate and improve their organisations’ enterprise risk management (https://www.coso.org, 2022).

COSO describes risk as “the possibility that events will occur and affect the achievement of strategy and business objectives” (COSO, 2004). The risks considered in this definition include those relating to all of the organization’s objectives, including compliance. Compliance risks relate to possible violations of applicable laws, regulations, contractual terms, standards, or internal policies where such violation could result in direct or indirect financial liability, civil or criminal penalties, regulatory sanctions, or other negative effects for the organization or its personnel. After the first publication, COSO published the ERM integrated framework, the most commonly used ERM framework in many organizations worldwide (COSO, 2004). A detailed account of its several components is presented in Figure 1.

Figure 1 COSO’s ERM Framework (Source: COSO, 2004)

Components of ERM Framework

The COSO ERM framework is a three-dimensional model for understanding enterprise risk. One dimension of the model consists of eight horizontal rows, the risk components. These components are derived from how management runs an enterprise and are integrated with the management process.

Internal Environment: It consists of the overall environment within the organization. It sets the ground for how risk is considered and handled by an entity’s people, including risk management mindset and risk appetite, integrity and ethical values, and the environment in which they operate.

Objective Setting: The overall objectives must be set before management identifies potential events affecting their achievement. ERM ensures that management has a process to set objectives, and that the chosen goals support and align with the organization’s mission and are consistent with its risk appetite.

Event Identification: Internal and external events affecting the achievement of an organization’s objectives must be identified to distinguish between risks and opportunities.

Risk Assessment: Risks are analyzed (given likelihood and impact) to determine how they should be managed. Risks are also assessed on an inherent and a residual basis.

Risk Response: Management determines and selects risk responses (avoiding, accepting, reducing, or sharing risk) and develops a set of efforts to align risks with the organization’s risk tolerances and risk appetite.

Control Activities: The establishment of policies and procedures to be implemented to ensure that the risk responses are effectively carried out.

Information and Communication: Relevant information is identified, captured, and shared in a form and timeframe that enable people to carry out their responsibilities. Good communication also occurs in a broader sense, flowing down, across, and up the entity.

Monitoring: The entirety of enterprise risk management is monitored, and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both (COSO, 2004).

COSO holds that the ERM Framework sets out the interrelationship between an organization’s risk management components and objectives and that it fills the need to meet new laws, regulations, and listing standards. COSO expects it to become widely accepted by companies, other organizations, and interested parties (COSO, 2004).

ii-Protiviti Risk Model

The Protiviti Risk Model, developed by Protiviti, a global consulting firm, is considered another successful ERM model (Proviti, 2005).

The Protiviti Risk Model is a complete organizing framework for clarifying and comprehending possible business risks and for forming and governing the organization’s dynamic risk universe (https://www.knowledgeleader.com/tools/protiviti-risk-model). The risks are categorized in Figure 2.

Figure 2 The Categorized Risks Under The Protiviti Risk Model

3-BLACK SWAN

A Black Swan is a major risk event that is almost unimaginable: it typically goes beyond what has been expected, is very difficult to predict, and has a tremendous impact. The global economic crisis has brought this term into the focus of attention. In addition, Nassim Taleb has written a popular book called “Black Swan: The Influence of Extreme Probability” (Taleb, 2010).

Taleb’s theory started from the Western belief that all swans are white. Until a Dutch explorer discovered Black Swans in Australia in 1967, the general belief was that all swans were white. However, this discovery was beyond standard expectations and profoundly changed zoology. Since then, the term “Black Swan” has been used to represent situations where supposed impossibilities are refuted, and the risk effects when they occur (Dan, 2018).

A Black Swan is a highly unimaginable event and, according to N. Nassim Taleb (Taleb, 2010), it has three characteristic features:

b- It has a giant impact: It carries an extreme impact.

Other definitions of the Black Swan have also been proposed. While Aven (Aven, 2013) describes the Black Swan as a surprisingly extreme event relative to a person’s belief/knowledge, Aven and Krohn (T Aven, 2014) defined three main types of Black Swan events based on this definition:

a) Events that were utterly unknown to the scientific environment (unknown unknowns)

b) Events not on the list of known events from the perspective of those who carried out a risk analysis (or another stakeholder) but known to others (unknown knowns: unknown events to some, known to others)

c) Events that are on the list of available events in the risk analysis but are judged to have a negligible probability of occurrence and are thus not believed to occur.

The first category of Black Swan events (a) is radical: the type of event is unknown to the scientific community (RW Smithells, 1992). For example, after a drug was launched in 1957, children using it were observed to have unusually large limb malformations. For this type of Black Swan, in activities where substantial information is available, such unknown unknowns are likely to be rarer than in situations of serious or profound uncertainty.

The second type of Black Swan (b) consists of events not captured by the relevant risk assessments, either because we do not know them or because we have not considered them sufficiently thoroughly. If the event then occurs, it was not foreseen. The event could have been identified if a more thorough risk analysis had been conducted. The September 11 attack is an excellent example of this type of Black Swan.

The third category of Black Swans comprises events that occur even though the probability of occurrence is judged to be negligible. The events are known but considered so unlikely that they are ignored: they are not believed to occur, and cautionary measures are not implemented. An example is an underwater earthquake in the Marmara Sea leading to a tsunami affecting, for example (“Tsunami ve Marmara,” n.d.).

4- RISK MANAGEMENT SYSTEM AGAINST BLACK SWAN

Black Swans challenge risk management, especially in our rapidly transforming technological landscape. Furthermore, those transformative changes in emerging technology do not add to the ability to analytically forecast and try to mitigate Black Swan events. The main reason is that such an event has never happened before.

An essential feature in the literature within the scope of classical or advanced risk management is to keep the business at a certain level of preparedness against uncertainties (Conner, 2012). However, this is not possible for every level in the rapidly developing world. Examples are unpredictable low-probability situations such as severe deviations from the birth-death rate or sudden war outbreaks. Therefore, risk management studies should take care to stay up to date, read the signals in advance, and make quick decisions.

Nowadays, in risk management studies, risks are evaluated in terms of impact and probability with the most widely used method. These evaluations are based on sources such as personal experience. The methods use knowledge, experience, and foresight to understand risks and rate them on a scale from low to high. As a result of the evaluation, steps are taken regarding the risks scored in the very low to very high range. However, because the studies are based on subjective sources such as knowledge and experience, they contain errors within themselves. One of them is the lack of objectivity. This issue is ignored in the studies, and it has been seen that the most fundamental reason is “epistemological arrogance”. The logical origins of this and similar causes are explained below (Taleb, 2010; Taleb N Goldstein D Spitznagel M, 2009):

1- Selectivity for positive events

2- Obvious causation

3- Foresight scandal concepts

Selectivity regarding positive events is one of the biggest obstacles to our objective evaluations. While we focus on positive results due to genetic codes, we tend to ignore negative ones. The truth is not always easy. Furthermore, adverse situations may be much more common than we think. In the literature, this situation has been termed the ‘Silent Evidence’ problem by N. Nicholas Taleb (Taleb, 2010). As an example, people who intend to be entrepreneurs think that they are different and believe they will be pretty successful. Unfortunately, when they take that step, these people do not want to see that 80 percent of businesses like theirs close within the first five years. People tend to see positive events and assign a high probability to every event resulting in a positive outcome. Nevertheless, as with start-ups, behind the truly successful companies is a much larger group of companies that lose.

The second one is ‘obvious causation’. The tendency of people to find a cause for every event has been termed the causation syndrome. In this case, people seek to explain everything, that is, to reach causal conclusions (Neila, 2018). They tend to label the most apparent reasons they find as “Explanations”.

An example of this situation is the death/injury of personnel not wearing a hard hat due to equipment falling on them in occupational accidents. Considering this situation, it will be thought that the most obvious reason is that the worker did not wear a hard hat. However, there may have been much more complex processes underlying the incident:

- For example, the worker may have committed such an act to commit suicide,

- There may be a lack of robustness tests of the equipment,

- Or the area where the accident took place may be a restricted area for personnel to enter.

The third one is the “foresight scandal”. Due to epistemic arrogance, people tend to overestimate the value of what they know and devalue what they do not know (Taleb, 2010). Moreover, because of this arrogance, risk management systems may remain weak. The best example of this is casinos. Casinos are structures that have the most advanced practices in risk management in the world. But despite the millions spent, they incur their most considerable losses for reasons beyond the scope of their risk management system (“The casino robbery which is unnoticed for seven months — TerraMedusa Secure,” n.d.). This is because arrogance comes into play, and people experience blindness in terms of foresight within the framework of their knowledge (Taleb, 2010).

Another major cause of the foresight scandal is the “Anchor effect” in psychology and economics (“Behavioral Economics 2 — Don’t Come To Anchor!” n.d.). According to this effect, people look for a basis for themselves while making predictions against abstract concepts. However, what they find is often insignificant. An example of this is the following year’s plans that companies’ marketing and sales departments make based on the previous year’s data. To make an abstract prediction about the future, data from past years, which are factual, are used to eliminate the uncertainty. However, since it is impossible to know the past completely, the available data will not cover the entire past reality. In this context, it can be said that while people are afraid of abstraction about the future, there is a tendency to use past data as an anchor with a logic based on the assumption that the past is concrete.

5-CONCLUSION

As described above, risk management systems based on what we know, learn and experience about the past may be insufficient against Black Swans. In this regard, these systems can take on an identity that is unprepared for the realities of life due to the psychological and computational errors explained above.

For that reason, as in the example of the 2008 crisis (Havemann, 2008), risk management systems composed of well-educated and experienced people cannot predict Black Swans. In addition, estimates should be given as intervals rather than as precise values, and estimations for very long periods should be avoided. Since it is also difficult to make probabilistic estimates within the first two of the three types of Black Swans, establishing a continuous monitoring system for their effects may be considered. In this way, although Black Swans cannot be prevented, their effects will decrease as one will not be caught unprepared for them.
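An added illustration, not part of the original article: a likelihood × impact matrix that scores a single probability accepts a type (c) event (known but judged negligible), while scoring an interval for the same risk routes it to continuous monitoring. The band cut-offs, the threshold of 10, and the register entries are constructed assumptions.

```python
from dataclasses import dataclass

TREAT_THRESHOLD = 10  # assumed cut-off on the 1..25 likelihood x impact score


@dataclass(frozen=True)
class Risk:
    name: str
    p_point: float  # assessor's single "best guess" annual probability
    p_low: float    # lower bound of the same assessor's plausible range
    p_high: float   # upper bound of that range
    impact: int     # 1 (very low) .. 5 (very high)


def likelihood_band(p: float) -> int:
    """Map an annual probability to a 1..5 band (assumed cut-offs)."""
    for band, upper in enumerate((0.01, 0.05, 0.20, 0.50), start=1):
        if p < upper:
            return band
    return 5


def point_decision(risk: Risk) -> str:
    """Classic matrix: one probability, one score, one decision."""
    score = likelihood_band(risk.p_point) * risk.impact
    return "treat" if score >= TREAT_THRESHOLD else "accept"


def interval_decision(risk: Risk) -> str:
    """Score both ends of the range; an uncertain score is monitored, not dropped."""
    low = likelihood_band(risk.p_low) * risk.impact
    high = likelihood_band(risk.p_high) * risk.impact
    if low >= TREAT_THRESHOLD:
        return "treat"
    if high >= TREAT_THRESHOLD:
        return "monitor"
    return "accept"


def hidden_by_point_estimate(register):
    """Risks the point score accepts but the interval score does not."""
    return [r.name for r in register
            if point_decision(r) == "accept" and interval_decision(r) != "accept"]


# Constructed sample register (illustrative values only).
REGISTER = [
    Risk("Phishing-led account takeover", 0.30, 0.20, 0.50, 3),
    Risk("Loss of primary data centre", 0.005, 0.001, 0.06, 5),
    Risk("Short office network outage", 0.10, 0.05, 0.15, 1),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name}: point={point_decision(r)} interval={interval_decision(r)}")
    print("hidden:", hidden_by_point_estimate(REGISTER))
```

The data-centre entry scores 5 on its point estimate and is accepted, yet the upper end of its range scores 15, so the interval view keeps it under monitoring instead of dropping it from the register.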

In addition to all these, although Black Swans remain uncertain within the scope of developing technologies, it is possible to facilitate their detection using these technologies. Examples of this are the use of machine learning models[3] in risk calculations or the reinforcement learning models trained within the scope of stock market transactions (Maxime Wabartha, 2020).

In conclusion, to talk about the effectiveness of an ERM system, it is necessary to look at its effectiveness against Black Swans. At this point, ERM systems should use technological innovations effectively instead of being against them.

REFERENCES

https://www.knowledgeleader.com/tools/protiviti-risk-model.

Conner, J. F. (2012). Beware of the Black Swan: The Limitations of Risk Analysis for Predicting the Extreme Impact of Rare Process Safety Incidents.

COSO. (2004). Guidance-on-Enterprise-Risk-Management. Retrieved from https://www.coso.org/SitePages/Guidance-on-Enterprise-Risk-Management.aspx?web=1.

Dan. (2018). https://strategiccfo.com/articles/management-ownership/navigating-black-swan-events/.

https://erm.ncsu.edu/library/article/what-is-enterprise-risk-management. (n.d.).

https://www.coso.org. (2022). Retrieved from https://www.coso.org/SitePages/Guidance-on-Enterprise-Risk-Management.aspx?web=1.

Mark Beasley, P. (2020). Retrieved from https://erm.ncsu.edu/library/article/what-is-enterprise-risk-management.

Maxime Wabartha, A. D.-L. (2020). Handling Black Swan Events in Deep Learning with Diversely Extrapolated Neural Networks.

Nayak, N. A. (2010). A Knowledge-based Decision Support Tool for Enterprise Risk Management.

Neila, M. (2018). Causality, the critical but often ignored component guiding us through a world of uncertainties in risk assessment.

Proviti. (2005). https://cours2.fsa.ulaval.ca/cours/gsf-60808/Protiviti%20Risk%20ModelSM.pdf.

RW Smithells, C. N. (1992). Recognition of thalidomide defects.

T Aven, B. K. (2014). A new perspective on how to understand, assess and manage risk and the unforeseen.

Aven, T. (2013). On the meaning of a Black Swan in a risk context. Safety Science, 57, 44–51. https://doi.org/10.1016/j.ssci.2013.01.016

Aven, T. (2015). Implications of Black Swans to the foundations and practice of risk assessment and management. Reliability Engineering and System Safety, 134, 83–91. https://doi.org/10.1016/j.ress.2014.10.004

Bolton, R. J., Hand, D. J., Provost, F., Breiman, L., Bolton, R. J., & Hand, D. J. (2002). Statistical Fraud Detection: A Review. Statistical Science, 17(3), 235–255. https://doi.org/10.1214/ss/1042727940

Havemann, J. (2008). The Financial Crisis of 2008. In Britannica. Retrieved from http://global.britannica.com/topic/Financial-Crisis-of-2008-The-1484264

Ligon, B. L. (2004). Penicillin: Its Discovery and Early Development. Seminars in Pediatric Infectious Diseases, 15(1), 52–57. https://doi.org/10.1053/j.spid.2004.02.001

Prieto, B. (2011). “ Black Swan ” Risks. World Today, XIII(I), 1–14. Retrieved from www.pmworldlibrary.net

Sanders, G. (2013). A Risk Management Framework to Characterize Black Swan Risks: A Case Study of Lightning Effects on Insensitive High Explosives. Retrieved from http://search.proquest.com/openview/ae45bd9966c7f16acb157d0872287e49/1?pq-origsite=gscholar&cbl=18750&diss=y

Saraç, D. M. (2011). Risk Algısının Tarihsel Gelişimi Historical Development of Risk Perception, 31–43.

Taleb N Goldstein D Spitznagel M. (2009). The six mistakes executives make in risk management richard maclean. Harvard Business Review, (JANUARY/FEBRUARY), 39–41. https://doi.org/Article

Taleb, N. N. (2010). The Black Swan: The impact of the highly improbable.

Vona, L. W. (2008). Fraud Risk Assessment: Building a Fraud Audit Program. https://doi.org/x148

Açık Bilim | Bilim yeterince heyecanlıdır… (n.d.). Retrieved December 27, 2017, from http://www.acikbilim.com/2015/08/dosyalar/davranissal-ekonomi-2-yeme-capaya-gelmeyin.html

7 ay boyunca farkedilmeyen kumarhane soygunu — TerraMedusa Secure. (n.d.). Retrieved December 26, 2017, from https://terramedusa.com/7-ay-boyunca-farkedilmeyen-kumarhane-soygunu/

Tsunami ve Marmara. (n.d.). Retrieved December 26, 2017, from http://www.yerdurumu.org/makaleler/documents/tsunami_ve_marmara.asp

Identify “Black Swans” and Stress-Test Riskpdf. (n.d.).

2008 krizi ile Mark Faber ve Nouriel Roubini gibi felaket tellalı ekonomistler ön plana çıktı, kriz kahini ekonomistler Mark Faber ve Nouriel Roubini — Haberler. (n.d.). Retrieved December 26, 2017, from http://www.haberturk.com/ekonomi/para/haber/970646-iste-felaket-tellali-karavanaci-kahinler

Hu, J., Niu, H., Carrasco, J., Lennox, B., & Arvin, F. (2020). Voronoi-Based Multi-Robot Autonomous Exploration in Unknown Environments via Deep Reinforcement Learning. IEEE Transactions on Vehicular Technology.

Mitchell, T. (1997). Machine Learning. New York: McGraw Hill. ISBN 0–07–042807–7. OCLC 36417892.

[1] https://www.coso.org/SitePages/Home.aspx

[2] https://www.knowledgeleader.com/tools/protiviti-risk-model

[3]“Machine learning (ML) is a field of inquiry devoted to understanding and building methods that ‘learn’, that is, methods that leverage data to improve performance on some set of tasks. (Mitchell, 1997) It is seen as a part of artificial intelligence. Machine learning algorithms build a model based on sample data, known as training data, in order to make predictions or decisions without being explicitly programmed to do so. Machine learning algorithms are used in a wide variety of applications, such as in medicine, email filtering, speech recognition, and computer vision, where it is difficult or unfeasible to develop conventional algorithms to perform the needed tasks.” (Hu, Niu, Carrasco, Lennox, & Arvin, 2020)
