How to Manage Portfolios of Enterprise Risks

Richard M. Adler
12 min read · Jan 7, 2020

Risk is the potential for undesirable outcomes such as financial losses, damage to property or reputation, and personal injuries or deaths. Businesses face a multitude of risks from ongoing operations and critical decisions aimed at improving their performance, growth, or competitive positioning. Critical decisions — such as adopting new business models, creating new lines of business, merging with other companies or restructuring, and replacing technology platforms — tend to be complex, play out over years rather than weeks or months, impact multiple stakeholder groups, and carry high or even existential risks.

Prudent companies formulate and execute strategies called Enterprise Risk Management (ERM) to minimize exposure to significant risks. ERM is a critical business decision in its own right as it spans a company’s exposure to all risks stemming from its ongoing operations and critical business decisions.

ERM encompasses two primary activities — risk analysis and management. Risk analysis identifies and assesses threats that can trigger losses. Risks can be categorized as strategic, preventable, or external. Strategic risks arise from poor critical decisions, flawed execution of critical decisions, or failures to respond to changes in markets, customer needs, or technologies. For instance, decisions about developing new products are vulnerable to misreading market needs, sourcing errors, and unanticipated market entrants. Preventable risks derive from flawed business processes or human errors, which can result in defective products, security failures, industrial accidents, or violations of laws and ethical norms. External risks arise from events, trends, or forces that are largely uncontrollable, such as disasters, wars, disease, and social, political, or economic turmoil. Many sectors define risk taxonomies tailored to their specific needs. For example, the financial services industry worries about market, credit, insurance, operational, and liquidity risks.

Once a risk is identified, it must be assessed and modeled causally. How does it produce losses and how big are they? How does the threat arise — what conditions and sequences of events are required to produce it? For example, cyber threats are carried out through various attack modes: hacking, ransomware, phishing, denial of service, and insider sabotage. Each mode of attack is carried out by gaining access to a web site or computer network and then compromising it in specific ways tied to attack objectives.

Engineers and insurers quantify risk using the following formula:

Risk in $ = Likelihood of occurrence * Economic value of loss in $

However, estimating risk is often challenging. Likelihoods are difficult to appraise for infrequent events such as pandemics or satellite launches. Anticipating the magnitude of losses from terrorist attacks or hurricanes, immediate and long-term, is similarly daunting, as is translating intangible losses such as reputational or symbolic damage or social and psychological harm into dollar terms.

Risks are managed by allocating resources to prevent, mitigate, or recover from harm. Effective management presupposes a thorough analysis of risk. Business resources are never sufficient to address all salient risks. By quantifying risks, analysis allows them to be compared and prioritized, which facilitates the assignment of scarce resources to where they will provide the most benefit. Understanding how threats arise and cause losses is similarly crucial to developing measures to avoid them or mitigate and recover from their effects.

Risk can be managed in four ways: it can be avoided, reduced, shared, or accepted. Risk is avoided by refraining from actions that could lead to losses. For example, companies decline to purchase contaminated industrial properties to prevent exposure to legal liabilities.

Risk is reduced by lowering the likelihood of threats or the magnitude of losses they produce. For example, products and production processes can be re-engineered to reduce the probability of defects. Companies can reduce losses by adopting “business continuity” methods such as emergency preparedness, training, and investing in redundant data centers, backup power supplies, and multiple sourcing vendors. Cybersecurity threats are generally reduced by adopting technology solutions such as firewalls and intrusion detection systems, coupled with enhanced governance and workforce education.

Risk is shared by transferring portions to other parties such as insurers or partners. Insurance protects against risks that are external or preventable, such as natural disasters, theft, accidents, and legal liabilities. It helps compensate for economic losses, but doesn’t prevent or reduce harm, or cover intangible losses such as reputational or strategic damages.

Risks that are not avoided, shared, or reduced are accepted. Businesses commonly accept risk for events that are affordable, rare, or unmanageable. Acceptance need not be purely passive. Government regulations require banks and insurers to maintain certain levels of assets in reserve to cover losses. Many large companies also accept risk by self-insuring to manage employee health care expenses.

Risk-Based Resource Allocation: A Portfolio-Based Approach

Most businesses fund ERM begrudgingly because it doesn’t grow revenues or contribute to bottom-line profits. Thus, resources allocated to ERM must be apportioned carefully across enterprise risks to maximize their effect. One approach is to apply portfolio management methods originally developed for financial investments. A financial portfolio consists of instruments drawn from multiple asset classes, such as stocks, bonds, real estate, and commodities, that each carry their own distinctive risks. The central idea behind portfolio theory is that holding a diverse set of financial assets protects against losses because some assets will tend to perform well when others do not. Portfolio theory applies optimization techniques to maximize returns on investment relative to particular tolerances for risk. A portfolio for managing enterprise risks rather than financial assets inverts this objective: it seeks to maximize the amount of risk reduction from a fixed set of resources. That is, an ERM portfolio allocates resources to maximize the enterprise’s “bang for the buck” for reducing (or covering) its exposure to risk.

Financial portfolios are created by selecting percentages of funds to allocate to different asset classes, and then picking instruments within each class based on their expected rates of return and degrees of risk. Constructing a portfolio for managing risk is not all that different. Three ingredients must be specified:

  • Threats
  • Targets for threats
  • Current and proposed measures to manage risk.

Threats are adverse events or conditions that produce risk. Targets consist of assets, business units, or populations of stakeholders that are vulnerable to threats — offices or plants in regions prone to earthquakes or power disruptions, key production equipment, employees with rare or costly medical conditions, raw materials with volatile supplies and prices, and web sites, control systems, and computer networks. A target set consists of one or more targets of the same type. Threats must be mapped onto target sets because not all threats apply to all target sets. For example, drug side-effects pose no threat to physical assets or intellectual property, only to patients (and drug brands). The pairing of a threat and a target set vulnerable to that threat is called a risk exposure segment.

Enterprise risks can be modeled as a gaming table. Each rectangle on the table corresponds to one risk exposure segment. A bet on a casino table places chips on one or more rectangles that correspond to a roll of dice or spin of a roulette wheel. A decision “bet” in a risk portfolio game specifies one or more risk management measures to apply against one or more risk rectangles, as illustrated in Figure 1. ERM bets are constrained by how many “chips” are available — business assets and employees already dedicated to existing ERM measures plus investments in new personnel, processes, and assets.

Figure 1. Enterprise Risk Management “gaming table”

The rectangles for placing bets on a roulette table correspond to the number of slots on the wheel plus special combinations such as any red or black slot. By contrast, the number of rectangles on a risk gaming table is variable, determined by the number of risk exposure segments identified for a company at a given time. On a standard gaming table, the odds of winning and payoffs are fixed for each rectangle, with special combinations having different odds and rewards from bets on the standard rectangles. By contrast, total risk for risk exposure segments and the “payoff” for risk management measures are highly variable. Total risk for a risk exposure segment equals the product of the risk for an individual target and the size of its target set population. Payoff depends on the measure and the nature of the threats and targets. To add insult to injury, risk gaming tables are dynamic: as businesses grow (or shrink) and their environments evolve, the number of risk exposure segments and their total risk can change.

Test Driving ERM Strategies

Like other critical decisions, ERM strategies carry high stakes for a company’s well-being and survival. They are also vulnerable to unintended consequences stemming from poor design, flawed execution, and unanticipated contingencies.

My book, Bending the Law of Unintended Consequences, describes a method for improving the quality of critical decisions and reducing the likelihood of undesirable outcomes. This method uses simulations to test drive decisions before committing to them, much like consumers test drive cars on different types of roads to explore their steering, braking, acceleration, visibility, and comfort before buying them. Similarly, test drives for decisions project the outcomes of alternative strategies under a range of possible future conditions, uncovering unintended consequences in a safe, virtual environment. This enables decision-makers to avoid poor decisions or refine decent ones to improve their outcomes.

A test drive for ERM strategies simulates the consequences of placing ERM bets on a company’s risk gaming table. This method enables decision-makers to analyze and improve the risk reduction yield of ERM strategies, much as financial portfolios can be tuned. It consists of the following steps:

1. Building a Risk Gaming Table: Businesses construct risk gaming tables by conducting a comprehensive analysis of enterprise risks. That analysis identifies consequential threats and target sets, maps threats onto relevant target sets, and estimates the total risk for each such pairing. Threats can be gleaned from industry trade publications, insurers, and risk experts. Target sets for those threats can be identified and sized using a company’s accounting and personnel systems. Methods for quantifying risks can be found in the literature on risk or obtained from risk consultants.

2. Defining ERM Bets: Developing ERM strategies is the most challenging phase of the decision test drive process, requiring expert knowledge and creativity. An ERM bet is modeled as a plan for rolling out risk reduction measures over time. Plans generally include both new and existing measures. The latter may be fully in place or in the process of being deployed (or phased out) across the company. Plan components consist of a schedule, a cost profile, and the anticipated risk reduction impact of a measure on a risk exposure segment. The schedule defines the rate at which a risk management measure is rolled out across one applicable target set. Costs are broken out into three categories: start-up, labor, and operations and maintenance. Effect is estimated as the percentage impacts on threat likelihood and consequence for the given risk exposure segment. A measure reduces a likelihood if it improves detection and/or prevention of the threat. It reduces consequence if it mitigates harm, such as property damage or deaths and injuries. These values can often be derived from the financial, engineering, or actuarial models originally used to assess risks.

For example, a measure to increase physical security might roll out surveillance cameras at the rate of one site per month. This measure might be estimated to reduce the likelihood of attacks by 8% per site but not reduce consequence at all. Such a measure might cost an average of $30,000 in start-up costs per site, $6,000/month in incremental labor costs, and $1,000/month for operations and maintenance. Training programs typically incur one-time costs. These specifications enable the test drive simulator to project outcomes for ERM bets.

3. Identifying Contingencies: Like other critical decisions, ERM strategies depend upon assumptions about future conditions. It is highly unlikely that these predictions will all come true, rendering strategies brittle in the face of uncertainty. To improve robustness, test drives project the outcomes of decisions across scenarios — a set of alternative futures in which disruptive events occur, trends and forces vary, and parties such as customers, competitors, and hackers change their behavior patterns. These dynamics are important because they alter a company’s risk gaming table over time. Events such as mergers or divestitures add or remove risk exposure segments from the gaming table. Business growth or layoffs cause the sizes of target sets to change, while new technologies and political forces transform threats and their attendant risks.

4. Identifying Performance Metrics: The key factors for assessing ERM portfolio strategies are risk and cost. The following metrics enable decision-makers to compare projected outcomes:

  • Risk reduced: how much risk is eliminated (or covered) by risk management activities
  • Residual risk: how much total uncovered risk remains as ERM strategies are rolled out over time
  • Cost: how much money is spent on risk management measures
  • Return on investment (ROI): combines total cost of the ERM bet and total risk reduced to measure financial efficiency
  • Time efficiency: a metric that favors measures that reduce risk rapidly over slower ones

These metrics are seldom aligned. For example, measures that reduce large amounts of risk but are labor-intensive tend to incur high costs, producing mediocre ROI. Measures that reduce risk quickly may have poor ROI. Leaders must make tradeoffs between these metrics to identify the “best” ERM strategy.

5. Running Simulations: The test drive simulator projects the “payoffs” (i.e., outcomes) of a company’s ERM strategy bets on its risk gaming table across multiple scenarios. The pairing of an ERM strategy and a scenario of contingencies amounts to the script for a play or movie. The simulator dutifully executes the directions specified in that script, month by simulated month. It injects timely events and changes in trends, forces, and behavior patterns on cue from the scenario, altering the risk gaming table. It also deploys (or withdraws) risk reduction measures according to their schedules, updating risk metrics for relevant rectangles and the accumulated costs for each measure to reflect labor and operations and maintenance expenses for measures already in place (plus incremental start-up costs). The simulator then updates total enterprise risk, cost, ROI, and time efficiency. This “bookkeeping” produces a log of the simulated performance of ERM strategies over time. Decision-makers can analyze and compare these logs to identify gaps in coverage of risk exposure segments and unintended consequences of ERM bets and contingencies that require remediation. They can apply these insights to improve ERM bets by trimming or eliminating measures that reduce too little risk or cost too much, add measures to cover risks from contingencies, and double down on measures that reduce large amounts of risk at reasonable cost.

Why Bother?

This portfolio approach to managing risk allows decision-makers to answer four key questions:

  1. What is the most effective way to manage the risk for all target sets subject to a particular threat?
  2. What is the most effective way to protect a particular target set against all relevant threats?
  3. How much risk can be reduced (or covered) with a fixed budget of Y dollars?
  4. How much risk can be reduced (or covered) with high-efficiency measures (i.e., ROI > threshold X)?

Question 1 focuses on ERM bets placed along one row of the gaming table, while Question 2 looks at bets along one column. For example, we performed a test drive of maritime counter-terrorism strategies for the US Coast Guard. Threats consisted of terrorist attack modes involving hijacking, assault teams, and boat bombs using small vessels. Targets included bridges, refineries, cruise ships, and tankers in a coastal region containing seven ports. Risk reduction measures consisted of increasing security patrol boat hours (which requires purchasing new boats and hiring new crews) and refining patrol tactics. This test drive explored trade-offs between risk reduced, cost, and ROI for various investment and deployment strategies over a five-year period.

By contrast, Questions 3 and 4 involve bets placed across all rectangles on the gaming table. We conducted another test drive for the Transportation Security Administration. Their gaming table for this study encompassed thirteen terrorist attack modes against eighteen target sets made up of different types and sizes of commercial truck and bus fleets that travel the nation’s highways. The study analyzed three ERM betting strategies: S1, covering all risk exposure segments with all relevant measures; S2, applying security measures to segments only when they generate an ROI that exceeds a cutoff value; and S3, applying measures to cover one-third of all target sets with the highest risk. Strategy S1 assumed an unlimited budget (and produced a dismal ROI = 0.004), while S2 and S3 assumed the current budget level. Strategy S2 maximized ROI (= 9.0), but offered no protection for the vast majority of soft targets such as school and commercial buses. This is politically infeasible, so Strategy S3 (ROI = 2.0) attempted a compromise by ensuring some coverage for all rectangles, funding the measures that produce the highest ROI for those target sets. These results can be refined by using the simulation logs to guide more selective betting.
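The four questions and the betting strategies above can be made concrete on a small table. The following Python is an added example with a constructed gaming table and constructed candidate measures (not the Coast Guard or TSA models, whose data is not on this page): row_risk and column_risk give the totals behind Questions 1 and 2, bet_everything and bet_by_roi_cutoff play the roles of S1 and S2, and bet_within_budget answers Question 3 greedily by ROI, with an optional coverage floor that funds the best-ROI measure for every target set first, which is one way (my assumption) to operationalize the S3 compromise. Annual costs, the multiplicative stacking of measures on one segment, and all threat, target-set and dollar values are constructed.

```python
"""Portfolio 'bets' over a static risk gaming table.  Added illustration; the
table, measures and dollar figures are constructed, not from any real study."""
from collections import defaultdict
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Measure:
    name: str
    threat: str
    target_set: str
    cost: float       # annual cost of applying the measure to this segment (assumption)
    reduction: float  # fraction of the segment's total risk the measure removes

    @property
    def segment(self):
        return (self.threat, self.target_set)


# Constructed gaming table: (threat, target set) -> total annual risk in $.
# Not every threat maps to every target set, so the table is sparse.
TABLE = {
    ("hijacking", "hazmat trucks"): 2_000_000,
    ("vehicle bomb", "hazmat trucks"): 3_000_000,
    ("hijacking", "school buses"): 500_000,
    ("hijacking", "motorcoaches"): 800_000,
    ("vehicle bomb", "motorcoaches"): 1_200_000,
}

# Constructed candidate measures (names and numbers are illustrative only).
MEASURES = [
    Measure("driver vetting", "hijacking", "hazmat trucks", 100_000, 0.40),
    Measure("GPS tracking and kill switch", "hijacking", "hazmat trucks", 400_000, 0.50),
    Measure("cargo inspection", "vehicle bomb", "hazmat trucks", 1_500_000, 0.60),
    Measure("driver vetting", "hijacking", "school buses", 250_000, 0.30),
    Measure("driver vetting", "hijacking", "motorcoaches", 200_000, 0.40),
    Measure("undercarriage screening", "vehicle bomb", "motorcoaches", 2_000_000, 0.50),
]


def row_risk(threat):
    """Question 1 view: one threat summed across every target set it applies to."""
    return sum(r for (t, _), r in TABLE.items() if t == threat)


def column_risk(target_set):
    """Question 2 view: one target set summed across every threat it faces."""
    return sum(r for (_, ts), r in TABLE.items() if ts == target_set)


def single_roi(m):
    """ROI of one measure on its own: annual risk reduced per dollar spent."""
    return TABLE[m.segment] * m.reduction / m.cost


def evaluate(selected):
    """Risk reduced, cost, ROI and bare columns for a bet.  Measures stacked on
    the same segment are assumed to compose multiplicatively (independent effects)."""
    by_segment = defaultdict(list)
    for m in selected:
        by_segment[m.segment].append(m)
    reduced = sum(TABLE[seg] * (1 - prod(1 - m.reduction for m in ms))
                  for seg, ms in by_segment.items())
    cost = sum(m.cost for m in selected)
    covered = {m.target_set for m in selected}
    return {"risk_reduced": reduced, "cost": cost,
            "roi": reduced / cost if cost else 0.0,
            "uncovered_target_sets": sorted({ts for _, ts in TABLE} - covered)}


def bet_everything():
    """S1: every relevant measure on every segment, budget unlimited."""
    return list(MEASURES)


def bet_by_roi_cutoff(cutoff):
    """S2: fund a measure only where its stand-alone ROI exceeds the cutoff."""
    return [m for m in MEASURES if single_roi(m) > cutoff]


def bet_within_budget(budget, coverage_floor=False):
    """Question 3: greedy by ROI under a fixed budget.  With coverage_floor, the
    best-ROI measure for each target set is funded first so no column is left
    bare (an S3-style compromise); remaining budget then goes to the next-best ROI."""
    ranked = sorted(MEASURES, key=single_roi, reverse=True)
    chosen, spent = [], 0.0
    if coverage_floor:
        seen = set()
        for m in ranked:
            if m.target_set not in seen and spent + m.cost <= budget:
                chosen.append(m)
                spent += m.cost
                seen.add(m.target_set)
    for m in ranked:
        if m not in chosen and spent + m.cost <= budget:
            chosen.append(m)
            spent += m.cost
    return chosen


if __name__ == "__main__":
    print("hijacking row risk:", row_risk("hijacking"))
    print("hazmat trucks column risk:", column_risk("hazmat trucks"))
    for label, bet in [("S1 everything", bet_everything()),
                       ("S2 ROI > 1", bet_by_roi_cutoff(1.0)),
                       ("budget $600k", bet_within_budget(600_000)),
                       ("budget $600k + floor", bet_within_budget(600_000, coverage_floor=True))]:
        print(label, evaluate(bet))
```

With these constructed numbers the ROI cutoff leaves the school-bus column, the lowest-risk and worst-ROI one, entirely unprotected, the same soft-target gap the TSA study ran into; under a $600k budget the coverage floor trades ROI 2.8 down to about 2.3 in exchange for some protection on every column. The sparse table also shows why threats must be mapped onto target sets rather than assumed to apply everywhere.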

The portfolio approach to risk enables decision-makers to tune ERM strategies from both global and threat- or target-specific perspectives. Equally important, enterprise risk is dynamic: threats, target sets, budgets, and the effects of risk reduction measures all change over time. Risk reductions and the costs to achieve them accumulate in complicated ways. For example, expenses to develop new security measures accrue from day one, but they reduce no risk until they are actually deployed. Failure to appreciate these nuances leads to poor estimates for key risk metrics, which results in flawed ERM strategies and unnecessary exposure to risk. Simulation-based test drives for ERM strategies require more effort than simple back-of-the-envelope or before/after “snapshot” analyses. However, that extra effort buys a far more accurate assessment of the performance of, and tradeoffs between, alternative ERM strategies, and produces better outcomes.

For More Information

My book, Bending the Law of Unintended Consequences, describes the decision test-drive method and its application to ERM in more detail. See Robert Kaplan and Anette Mikes’ article for a more detailed discussion on categories of risk and Werner Meyer’s article for an introduction to risk quantification.


Richard M. Adler

My interests include critical decision-making (see my book “Bending the Law of Unintended Consequences” [Springer, 2020]), AI, and philosophy of physics.