How to Develop an Enterprise Risk-Rating Approach

A risk taxonomy and risk-rating scales are foundational components of enterprise risk management (ERM). The former gives a firm the ability to pinpoint all of its risks, while the latter allows different risks to be aggregated and compared.

But what steps does a firm have to take to develop a clear, comprehensive risk taxonomy and consistent risk-rating scales? Where do quantitative and qualitative risks come into play, and how should one go about evaluating important factors like risk probability, impact, velocity, contagion and scoring?

Everything starts, of course, with agreement about the risks that are critical to your organization. As shown in Figure 1, an ERM taxonomy will contain both financial (or quantitative) risks and qualitative risks.

Figure 1: Quantitative and Qualitative ERM Risks

Financial risks include market, credit, and liquidity risk, all of which are measured directly in quantitative terms. For example, market risk may be measured as a portfolio's sensitivity to a change in interest rates.

Qualitative risks, on the other hand, are bucketed into non-financial risk categories (e.g., operational, strategic) and are typically characterized using unstructured descriptive text. They can have quantitative impacts on the income statement and balance sheet, as well as qualitative impacts on operational success and reputation. Risk scores allow qualitative risks to be analyzed as if they were quantitative.

Types of Risks

Although some risks may bring upside, risk is often thought of as a potential failure. A current risk, for example, is seen as a potential failure that could happen today.

Internal risks are potential failures in an organization's business, people, process and systems. External risks are potential failures in third-parties, customers or other external stakeholders. These risks may come from reputational and some business and strategic risks.

An emerging risk is a potential failure that could happen in the next one to two years. A strategic risk is a potential failure in the three-to-five-year time horizon that often will weaken a foundational pillar of the organization's existence.

A top or priority risk for reporting could be any risk chosen from the types above that has the highest risk score or is subjectively deemed critical. In addition to a risk with a high-risk score, an example of a top risk could be something pulled from the headlines (e.g., Brexit) that refers to several underlying risks in the organization's taxonomy (e.g., business, operational).

Benefits of Consistent Enterprise Risk-Rating Scales

Common risk rating scales offer several advantages, as shown in Figure 2.

Figure 2: Benefits of Consistent ERM Risk Ratings

A critical benefit of a consistent risk scoring approach is the ability to compare risks within a business process or across business processes - or across the enterprise. Firms can also benefit from the ability to aggregate risks within a business process or department - or across the enterprise. For example, data privacy could appear as a medium-level risk in several important businesses processes and aggregate to a critical risk for the enterprise.

What's more, risk appetite tolerance levels can be established based on risk scores. Levels that exceed a firm's designated risk tolerance can trigger treatments such as mitigation, insurance, avoidance or acceptance.

Probability and impact ratings allow risk heatmap graphs to simplify the communication of top risks. Moreover, within a business process or department, risk scores can be trended over time to understand the impacts of strategy, business and risk treatment investments.

Risk scores for qualitative risks can be based on probability, impact, velocity and contagion potential. Let's now take a closer look at each of these factors.

Risk Probability

Risks can be assessed in terms of the likelihood of a risk materializing. It is common to rate risk probabilities based on four to eight expressions of likelihood. In Figure 3, we show five risk probability scores. (To prevent a convergence in the middle bucket, some organizations prefer an even number of likelihood categories.)

Figure 3: Risk Probability Scale

Residual Risk Impact

Risk impacts can be assessed based on quantitative and qualitative impact factors - or subjectively scored as “high,” “medium” or “low.” Some organizations prefer to rate the impact of a risk based on a combination of qualitative and quantitative criteria.

In Figure 4, we assume six impact categories based on one quantitative financial impact factor and four qualitative impact factors. Under this scenario, the highest scoring factor (whether quantitative or qualitative) may be used to assess a risk.

Figure 4: Risk Impact Scale

Risk Velocity Potential

For emerging and strategic risks, risk velocity is the time to impact. Figure 5 provides some examples.

Figure 5: Risk Velocity Scaling Factors

Think of emerging risk velocity as an estimate of the time frame within which a risk may occur. The value of velocity scaling is that it can magnify importance of the emerging or strategic risk, based on its perceived speed to materialize. Current risks will have a velocity scaler of 0.

Risk Contagion Potential

A contagion indicator should be applied to cases where a potential failure occurring in one unit or area of an organization will likely have significant effects in multiple areas of the organization.

Think of this as a risk having a cascading impact within an organization (see Figure 6). For example, a business risk can quickly become a reputational risk, and a risk in an organizational process in one department may impact other departments.

Figure 6: Risk Contagion Scaling Factors

Risk Scoring

A risk score can be as simple as Probability * Impact. If we assume, for example, that the probability factor is 4 and the impact factor is 5, then the risk score would be 20.

Risk velocity and contagion indicators can be used as either as scalers in calculating a risk score or as weighting factors to rank risks with the same overall score, placing those with significant contagion effects at a higher weighted risk.

When using velocity or contagion scores as scalers, an adjusted risk score could be calculated as follows:

Risk Score = (Probability + Velocity + Contagion) * Impact

If we assume a velocity rating of .5, then the adjusted risk score would be (4 + .5) x 5 = 22.5. Figure 7 shows some additional risk-scoring examples based on this simple formula. The important takeaway is that contagion scores, as well as emerging and strategic risk velocity, can help rank these risks above similarly scored current risks.

Figure 7: Risk-Scoring Examples

Risks A and B share the same probability and impact scores, but risk B will be ranked as a higher risk, because of its potential contagion impacts. Meanwhile, emerging risk E ranks above C and D, because of its combined potential velocity and contagion impacts.

Note that risk-scoring formulas can become quite complicated - with, e.g., square roots and logarithmic factors that modify the sensitivity of the risk score based on changes in impact, probability, velocity and contagion inputs.

Illustrative Heatmaps

To acquire a better understanding of its most significant risks, a firm can create risk heatmaps. Figures 8 shows a 5x5 risk heatmap example that displays an organization's top risks.

Figure 8: 5x5 Risk Heatmap

Parting Thought

Every organization should have a risk scoring approach that is best for its maturity and risk management objectives. To allow for an ordinal comparison of risks, an organization just beginning its ERM journey should start by identifying its risk categories and by assigning subjective “high,” “medium” and “low” risk scores to each residual risk.

As an organization's ERM program matures and risk management is valued for its decision-support capabilities, a multilevel risk taxonomy may be accompanied by a simple risk-scoring approach based on probability and impacts.

Additional components of a risk scoring framework, such as a risk's velocity and contagion effects, may be introduced over time - as an organization's enterprise risk maturity increases. Through enterprise risk scoring, ERM can provide the decision-support information that is critical to organizational agility and success.

Brenda Boultwood is the Director of the Office of Risk Management at the International Monetary Fund. The views expressed in this article are her own and should not be attributed to IMF staff, Management or Executive Board.

She is the former senior vice president and chief risk officer at Constellation Energy, and has served as a board member at both the Committee of Chief Risk Officers (CCRO) and GARP. Currently, she serves on the board of directors at the Anne Arundel Workforce Development Corporation.

Earlier in her career, Boultwood was a senior vice president of industry solutions at MetricStream, where she was responsible for a portfolio of key industry verticals, including energy and utilities, federal agencies, strategic banking and financial services. She also previously worked as the global head of strategy, Alternative Investment Services, at JPMorgan Chase, where she developed the strategy for the company's hedge fund services, private equity fund services, leveraged loan services and global derivative services.