Using FAIR to Manage Operational Risk

A recent article in the Harvard Business Review advocates explicitly modeling risk as part of evaluating a firm’s strategy options. Businesses today face an ever-increasing range of risks. Managing risk is itself a strategy, one becoming vital to more firms. FAIR is a natural vehicle for evaluating any kind of operational risk.


Quantitative analysis of risk may be coming of age

Estimating the probabilities of threat events and keeping records on loss magnitudes has been done for decades on Wall Street and in banks, and for hundreds of years in insurance. Now, if the authors of an article in the Harvard Business Review [1] have their way, it’s coming to corporate strategy. We of the FAIR Institute can lead the way to managing operational risk on a level that contributes to strategy. [2]

Although it was originally targeted at information risk, and even named for it, FAIR naturally applies to all kinds of operational risks. FAIR is not only a taxonomy and a computational framework; it is a way of thinking about risk and how to analyze and assess it. The current explosion of data science suggests that management in industry is comfortable enough with statistical thinking to be ready for an analytical way of managing operational risk. Information risk is just the start.

Hopper and Spetzler consider the case of a multinational consumer brand company faced with decisions about how to plan sourcing for the next decade. The company depends on overseas suppliers who may be vulnerable to political instability, labor unrest, and natural disasters, to name a few threats. Let’s take two and see how FAIR could be used to analyze the risk. 

One threat is political turmoil that would effectively put the supplier out of business for years, an example of a low-probability but catastrophic-impact threat. Another is labor unrest, a threat that we’ll judge to have a higher probability (annual rate of occurrence) but a lower impact per occurrence. These two examples book-end the ranges of likelihood and loss magnitude.

To refresh your memory, here is a copy of the top levels of the FAIR tree.


Two Examples

Labor Unrest. Consider first labor unrest. We can model Threat Event Frequency as an uncertain annual rate of occurrence without decomposing it further. We can also suppose, at least for a simple first-cut analysis, that the Vulnerability is 100%. (Recall that Vulnerability is the conditional probability that a threat event will result in a loss event.) In effect, we are simply posing a certain range of numbers for Loss Event Frequency (times per year). We can decompose this side of the tree later to various kinds of labor strife and various ways of mitigating possible labor strife with more-detailed scenarios. 

We can be equally simple on the Loss Magnitude side, again at least for starters. The Primary Loss is mainly that our supply of goods is interrupted, and we lose sales. We’d model that by a range of the dollar value of supply reduction multiplied by a range of the number of months (low to high). There could also be costs to repair damage and restart production. Later we can add Secondary Losses if activists object to our use of offshore labor or their pay and working conditions. 


The result is that we get a probability distribution of Annual Loss Expectancy, as usual for FAIR, something like this. The analysis can be extended in all the usual ways, to the extent useful, with more scenarios and different choices of mitigations or controls. The play is the same, only the names of the characters have changed. 

Political Turmoil. Next, let’s see how FAIR could treat the threat of political instability. Even more than labor unrest, the variety of possible scenarios is all too rich. Let us note in passing that the key to the analysis, one that FAIR almost forces us to confront, is to be precise and explicit in defining the scenario. This in itself is a material contribution to analysis, one that is too easily overlooked, or pooh-poohed, in a business meeting: “Exactly what are we talking about?” For our purposes, let’s suppose that political turmoil means that a new regime comes into power – not just a new government, but a new kind of government – that forbids or prevents our supplier from doing business. Something like the Khmer Rouge in Cambodia. 

The analysis proceeds as before. Our committee of experts assesses the likely annual rate of occurrence (Threat Event Frequency) as, say, between once in 50 years and once in 10 years. By definition of the scenario, the Vulnerability is 100%, so the Loss Event Frequency is the same as the Threat Event Frequency. On the Loss Magnitude side, the supplier is wiped out. We have no goods to sell until another supplier can be stood up or expanded. We estimate that to take 6 to 12 months and cost some amount of money. The top level of the FAIR tree gives us the probability distribution of annual loss expectancy just as before. In it the analyst may spot a small probability of a catastrophic loss, which may provoke consideration of a contingency plan. Thus a FAIR analysis may lead naturally to business continuity and disaster recovery planning.

A critic might say that estimating loss expectancy for only one year is a misleading metric for a long-term strategic decision. That is no problem for FAIR. There is nothing magic about using one year as the unit of time. Use 5 or 10 years if it seems more natural. Analytically it is just a change of unit.
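The two scenarios above can be run as a small Monte Carlo simulation. This is an added example, not code from the article or the FAIR Institute: the political-turmoil frequency (once in 50 to once in 10 years), the 6 to 12 month outage and the 100% Vulnerability come from the text, while every dollar figure and all labor-unrest ranges are constructed, and uniform ranges with Poisson event counts are a simplifying assumption. The `years` parameter shows the change of time unit discussed above.

```python
import math
import random

# Ranges are (low, high). Values marked "page" come from the article;
# all others are constructed for illustration.
POLITICAL_TURMOIL = {
    "tef_per_year": (1 / 50, 1 / 10),      # page: once in 50 to once in 10 years
    "vulnerability": 1.0,                  # page: 100% by definition of the scenario
    "outage_months": (6, 12),              # page: time to stand up another supplier
    "lost_sales_per_month": (2e6, 5e6),    # constructed
    "restart_cost": (1e6, 3e6),            # constructed
}
LABOR_UNREST = {
    "tef_per_year": (0.5, 2.0),            # constructed: higher frequency
    "vulnerability": 1.0,                  # page: first-cut assumption
    "outage_months": (0.5, 3),             # constructed: lower impact
    "lost_sales_per_month": (0.5e6, 2e6),  # constructed
    "restart_cost": (0.0, 0.2e6),          # constructed
}

def poisson(rng, lam):
    """Draw an event count with mean `lam` (Knuth's multiplication method)."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate(scenario, years=1, trials=20000, seed=1):
    """Return sorted simulated total losses over `years` for one scenario."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        # Loss Event Frequency = Threat Event Frequency x Vulnerability
        lef = rng.uniform(*scenario["tef_per_year"]) * scenario["vulnerability"]
        total = 0.0
        for _ in range(poisson(rng, lef * years)):
            # Primary loss: months of outage x lost sales per month + restart cost
            total += (rng.uniform(*scenario["outage_months"])
                      * rng.uniform(*scenario["lost_sales_per_month"])
                      + rng.uniform(*scenario["restart_cost"]))
        losses.append(total)
    return sorted(losses)

def summarize(losses):
    n = len(losses)
    return {"mean": sum(losses) / n, "median": losses[n // 2],
            "p_any_loss": sum(x > 0 for x in losses) / n,
            "p99": losses[int(0.99 * n)], "max": losses[-1]}
```

Calling `summarize(simulate(POLITICAL_TURMOIL))` gives a median of zero next to a very large maximum, the low-probability catastrophic tail the text describes; passing `years=10` re-runs the same scenario over a decade.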

Now let’s go back to threats that might be considered “operational” risks. The Basel Committee originally defined operational risks for banks as being any risk that is not something else [3] - a wide range indeed. No matter what you think operational risks are, it is hard to think of a threat that cannot be usefully analyzed in the FAIR manner. This is because FAIR at bottom is nothing less than a general framework for calculating the probability distribution of losses in a period of time for a defined scenario, which is exactly what we mean by “risk.” FAIR’s most important contribution is that it provides a productive way of thinking about risk. Any loss that can be represented as money can be handled.

Non-Monetary Losses

Actually, that’s not quite correct. Any loss that can be quantified can be handled by FAIR. We assume for companies that everything boils down to money sooner or later. But more and more companies care about social and environmental values – both perception and reality. They have multiple quantifiable things to care about. A healthcare organization – hospital, pharmaceutical firm, medical device manufacturer, even a regulator – cares about deaths, infections, and re-admissions, and these numbers have such emotive power they may need to be considered apart from money. 

An organization can do a FAIR analysis on any one of these metrics, just as with money. The interesting part is what to do when there are two distinctly different loss metrics, for example money and loss of life, where both must be managed. Suppose a company is considering a major investment in a safety system. The company could do FAIR analyses on both the monetary and loss-of-life scales and combine the results into the joint probability distribution of the two. To make a decision on whether to make the investment, various scenarios corresponding to various policy choices would be analyzed, and corresponding joint distributions gotten. This gives decision makers a way to see the combined effect on cost and life safety.

The Strategy of Managing Risk

Our world, and specifically our business world, is increasingly concerned with risk. Our leaders must manage the risks, and not just react to them. An extremely wide variety of operational risks can be analyzed and understood with the FAIR framework. Understanding the risks and how they change with decisions is the beginning of managing them. FAIR is useful to analyze any risk that can be quantified. We should take the advice of Hopper and Spetzler another step forward and manage risk as a strategy in itself.

Extensibility of FAIR

FAIR can easily and naturally handle any risk whose losses can be quantified in a single metric. That embraces virtually all operational risks where money is the metric of loss, but also many risks to health and life safety. It can even be pushed to cases involving two incommensurable loss metrics, like money and disease morbidity.

FAIR – a very handy tool to have in your management toolbox, and a great skill to have in your career.

[1] Hopper, Peter, and Carl Spetzler, You Can’t Make Good Predictions Without Embracing Uncertainty, Harvard Business Review, May 18, 2016

[2] This article assumes the reader has a basic familiarity with the FAIR taxonomy.  For variety, synonyms for standard FAIR terms are used.

[3] Specifically, market, credit or strategic.  See Power, Michael, “The Invention of Operational Risk,” ESRC Centre Analysis of Risk and Regulation, Discussion Paper No. 16, June 2003.  The US Federal Financial Institutions Examination Council (FFIEC) recognizes six categories of risk:  credit, market, liquidity, operational, legal, and reputational. 
