Internal Risks
One of the most important questions you can ask in Risk Identification is how much exposure to we have to a particular risk. It is important as a starting point to analyses the exposures of the company toward the taxonomy of risks of the company. A company might for example have a very light exposure to interest rates for example, but a very heavy exposure to energy consumption. Then should there be the same number of Risks Identified in Interest rates as there are in energy exposure? Or would it make more sense to concentrate the search for risks toward the area of energy. In such a case it would be expected that if the company has a high exposure to energy costs, that many of the business areas are dealing with energy costs, and as such a broad search should elucidate more risks in energy costs than interests’ rates. This may not always be the case however there may be a very high concentrations of risk to energy costs in just one part of the company.
It makes sense therefore to have a broad understanding of the companies’ exposures before beginning the risk identification process, so that the intensity of the search may be focused toward the areas where there are concentrations of exposure.
So, what does the term “Internal Risk” mean, when we classify a risk as an internal risk it is because the source of the risk can be identified and quantified internally, so to clarify of energy cost go up because of a geopolitical crisis, then the energy price increase is a external risk. However, the internal risk is our company’s exposure to the growth in energy price costs, or how our company is affected by the rise in energy costs.
Our internal risks can be thought of as our companies’ sensitivities to external risks, or risks that stem from the company itself. Such as knowledge concentration risk, or strategy risk, or internal fraud.
External Risks
So you might have guessed external risks are risk from outside the company, we are only interested in external risks that we are exposed to as a company. Examples of external risks are as follows:
- Inflation or inflation volatility
- Interest Rate rises or interest rate volatility
- Energy price rises or energy price volatility
- Currency Risk or Currency Risk volatility
- Pandemic
- Geopolitical Crisis
- Supply chain risks
- Political Risk
- Regulatory Risk
External Risks can often cause Cascade risks, ie inflation causes less discretionary spending, results in lower sales. For this reason, is a good idea to capture external risks first before running the internal risk identification process. The external risks can then be used to promote thought around the affects that the occurrence of such risks will have on the company’s exposures. External risks can be gathered in a Top-down manner, it is the job of Senior management to be aware of external threats or opportunities to the business, although they may not be aware of all the cascade effects of these threats or opportunities within the business.
External Risks can be circulated to the stakeholders or subject matter experts within the company for them to consider, how these risks might cascade against known exposures in their business area.
This is also a useful motivating factor for the SME’s who may be exasperated by having to contribute to the process. When they see that Senior Management have already given some thought to external threats, they will be more inclined to engage with the process.
This does not mean that only external threats are captured from Senior management, however passing Senior a senior management view of internal threats to the SME’s is likely to influence their objectiveness’ on the internal threats that the perceive. So it is recommended that only the external threats are passed to the SME’s for consideration. In order to keep an audit trail it is important that any internal threat that is seen as a cascading risk from an external threat is tagged to that external threat.
Emerging Risks
Emerging Risks can be internal or external, they are generally risks that are on the horizon but have not become material as of the time of reporting. An emerging risk should therefore have the ability to accelerate in itself or cascade into a broader risk. Emerging risks should also be gathered before the main risk identification process and fed through to that process for consideration, they are usually trigger events that can cause a cascade of possibly internal risks. In order for an emerging risk to be considered it must be considered to be both sufficiently likely and sufficiently impactful to be considered in this way.
Concentration Risks
Concentration risks are usually to be found where there is a concentration of exposure, as in concentration of exposure to a counterparty, line of business, or other underlying driver.
When building out the taxonomy of risks it is important to identify concentrations of exposure, and then to consider the ensuing concentration of possible risks that could cascade from these concentrations of exposures. Counterparty risk is a very common concentration risk, where there is a concentration of risk around one counterparty, different scenarios should be considered to understand potential cascading effects.
Cascade Risks
Risks do not usually occur in isolation, we can consider the Cascade element of risk to be the counterparty of concentration risk, just as a lack of diversification can heighten exposure to concentration risk, cascading risks happen when there is a lack of controls on residual risks. One risk triggers another risk resulting in a domino or cascade effect.
It is important to tag how risks can cascade one from the other, this will also help in the use of the Risk identification process for stress testing and scenario analysis.
Event Risks
Event driven risks can be a sudden an unexpected occurrence, the Event can be internal or external but again must have a significant likelihood and impact to be considered as an input into the risk identification process.
Core or Material Risks
The Risk inventory will need to be prioritised in order to focus resources on mitigating the most important risks. A final inventory of Core risks, that have a high severity should be the output of the Risk identification process. These should be limited in number, and should be presented too and considered by the most senior management in the firm.
Comments