{"id":954,"date":"2015-02-25T04:45:07","date_gmt":"2015-02-25T04:45:07","guid":{"rendered":"http:\/\/rovdownloads.com\/blog\/?p=954"},"modified":"2015-03-12T10:00:37","modified_gmt":"2015-03-12T10:00:37","slug":"enterprise-risk-management","status":"publish","type":"post","link":"https:\/\/rovdownloads.com\/blog\/enterprise-risk-management\/","title":{"rendered":"ENTERPRISE RISK MANAGEMENT"},"content":{"rendered":"<p>Enterprise Risk Management (ERM) in an organization includes the business processes and methods used\u00a0to identify and manage risks as well as seize upside opportunities to achieve its objectives. ERM, therefore,\u00a0provides a methodological framework in risk management for identifying risky events or conditions\u00a0relevant to the organization\u2019s objectives, risks, and opportunities, identifying and assessing these\u00a0conditions in terms of Likelihood or frequency of occurrence as well as the risk condition\u2019s magnitude of\u00a0Impact, determining risk mitigation and postrisk response strategy, and monitoring the progress of these\u00a0risk controls. When organizations identify and proactively address risks and opportunities, organizations\u00a0are able to protect and create value for their stakeholders (e.g., owners, employees, shareholders,\u00a0executives, customers, regulators, nations, and society in general). ERM is usually also described as a risk\u2010based approach to strategic planning as well as for managing\u00a0an organization by integrating internal risk controls and external risk\u2010compliance requirements (e.g.,\u00a0COSO, ISO 31000:2009, Basel III, and Sarbanes\u2013Oxley Act). It applies to a broad spectrum of risks facing\u00a0an organization to ensure that these risks are properly identified and managed. Investors, government\u00a0regulators, banks, and debt rating agencies, among others, tend to scrutinize the risk\u2010management\u00a0processes of an organization as a key metric to its potential success. 
In addition, the reasons for an organization to implement ERM should, at the very least, include the\u00a0following areas of concern:<\/p>\n<ul>\n<li>Alignment of Risk Appetite and Strategy. Senior management typically considers the\u00a0organization\u2019s risk appetite when strategic investment alternatives are being evaluated, as well\u00a0as when setting objectives and developing mechanisms to manage risks. This tactic helps the\u00a0organization to align its risk objectives with its business processes.<\/li>\n<li>Enhanced Risk\u2010Response Decisions. ERM provides both the qualitative and quantitative rigor to identify and select from among alternative risk responses, including strategic real options and analysis of alternatives for risk avoidance, risk reduction, risk sharing, risk mitigation, and risk acceptance.<\/li>\n<li>Reduction in Operational Surprises and Losses. Organizations will gain enhanced capabilities to Identify, Assess, Prioritize, Value, Diversify, and Mitigate potential risk events\u2019 losses using advanced quantitative risk analytics. Instead of just qualitatively identifying risks, organizations can now translate these qualitative elements into quantitative risk models where Monte Carlo Risk Simulations, Stochastic Modeling, Portfolio Optimization, Predictive Forecasting, Business Intelligence, and Capital Investment Valuation and Modeling can be performed.<\/li>\n<li>Identify and Manage Multiple Cross\u2010Enterprise Correlated Risks within a Corporate Portfolio Environment. Every enterprise faces a myriad of risks affecting different parts of the organization. ERM facilitates effective response to these interrelated and correlated impacts and integrates responses to multiple risks. Financial risks and risks in capital investment projects can also be handled within the environment of a correlated portfolio of projects where risks are hedged and diversified.<\/li>\n<li>Seizing Opportunities. 
Risks imply uncertainties, and uncertainties carry with them downside risks as well as upside potential. By considering a full range of potential events and risks, and creating Strategic Investment Flexibility or Strategic Real Options, management will be positioned to proactively realize upside opportunities, while at the same time mitigate downside risks.<\/li>\n<li>Improved Capital Deployment. Robust Quantitative Risk Metrics and Key Performance Indicators (KPI) generated through a comprehensive ERM process will allow management to effectively assess overall capital needs and enhance its capital allocation (e.g., creating an Efficient Investment Portfolio subject to Budgetary, Schedule, Strategic, and other Constraints).<\/li>\n<\/ul>\n<p><strong>The Typical Traditional ERM Process<\/strong> Traditionally, the ERM process involves qualitative risk assessment and documentation. The following lists the standard approach and traditional ERM process, which of course, can be modified and adapted to fit the organization under analysis. 
Throughout the rest of the whitepaper, we will revisit some of these steps to incorporate Integrated Risk Management (IRM)\u00ae methods and overlay quantitative risk management techniques onto the process.<\/p>\n<ul>\n<li>Establish senior management buy\u2010in and risk\u2010management culture.<\/li>\n<li>Seek the board of directors and senior management involvement and oversight to discuss a risk\u2010management framework and its benefits and to obtain agreement on high\u2010level objectives and expectations with resources and target dates regarding risk management in line with the organization\u2019s strategic plan.<\/li>\n<li>Review existing ERM practices in the organization and identify areas for improvement.<\/li>\n<li>Facilitate initial training and working sessions to ensure buy\u2010in and establish risk\u2010management culture with key personnel involved with ERM implementation.<\/li>\n<li>Conduct working group discussions with stakeholders and key personnel to identify sources of risks.<\/li>\n<li>Provide input for implementation in the strategic business planning process.<\/li>\n<li>Coordinate the development, implementation, and monitoring of identified risk metrics.<\/li>\n<li>Document risk inventories and mitigations within Risk Registers in the organization.<\/li>\n<li>Develop risk dashboards for presentation to senior decision makers and the board of directors.<\/li>\n<li>Assess exposure to the risk, assess adequacy of existing risk mitigation or monitoring, and identify opportunities to enhance mitigation or monitoring activities, then suggest and build best practices for enhanced risk\u2010adjusted returns.<\/li>\n<li>Create reports that effectively and concisely deliver the business intelligence based on risk measures that management needs to make cost\u2010effective financial decisions.<\/li>\n<li>Establish a reporting process for management and the board.<\/li>\n<li>Establish a management working group to support the resources identified and drive 
the effort across the organization.<\/li>\n<\/ul>\n<p><strong>Risk Registers and Basic Enterprise Risk Management<\/strong><\/p>\n<p>The typical traditional ERM method uses Risk Registers, which simply involves recording all risks present\u00a0or anticipated. Each Risk Element (i.e., each risk item that is recorded in the Risk Register) may include\u00a0information on the name of the risk, the category or type of the risk, who reported it, who is responsible\u00a0or is assigned the risk, what if any risk mitigation or risk control is required, contact person,\u00a0documentation, and so forth. Sometimes additional information such as frequency, or Likelihood, and\u00a0severity, or Impact that risk may have on the organization is included. These Likelihood and Impact\u00a0measures are usually qualitative estimates (high, medium, low) or can be assigned numerical values (1 to\u00a05 or 1 to 10, where the higher the frequency or severity, the higher the value assigned). Alternate methods of using Vulnerability (or the inverse of amount of risk mitigation completed) with multiple risk controls are also supported. Clearly the amount of information and detail required varies depending on the organization. One way to think of Risk Registers is akin to a check register. For example, if you have a checking account, you can write a check to pay a specific bill; on that single check, you write the recipient\u2019s name, date, and amount. You can, of course, write multiple checks to different recipients. And every time a check is written, you would record said checks in a check register (whether electronically in an accounting software or manually in a physical check register). Continuing with this analogy, each check represents a different risk element, and multiple risk elements make up the Risk Register. 
You may also own multiple bank accounts, each with its own check register, or, in other words, an organization may have multiple Risk Registers set up, one for each division or business unit or project, and so forth.<\/p>\n<p>However, the use of only Risk Registers by themselves often leads to ritualistic decision making, an\u00a0illusion of control, and the fallacy of misplaced concreteness and reliance on purely qualitative risks. While\u00a0the use of Risk Registers is a good starting point, Integrated Risk Management takes this qualitative\u00a0assessment to the next level with more powerful quantitative risk management\u00a0approaches.<\/p>\n<p><strong>Case Example: Hospital Risk Management<\/strong> A simple example of a Risk Register in a hospital is shown in Figure 1, where certain types of risk events\u00a0(e.g., wrong dosage given, equipment failure, etc.) that have occurred within specific departments (e.g.,\u00a0surgery, intensive care) and the number of events that happened within a specific time period are\u00a0recorded, as well as other qualitative notes and associated details. Reports are then typically generated. 
Figure 2 shows a sample periodic (e.g., monthly) report of another organization showing the number of\u00a0risk events that occurred in the past.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-961 size-full\" src=\"http:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-3-Image-11.jpg\" alt=\"FIGURE 1 Example risk events in a hospital.\" width=\"1233\" height=\"810\" srcset=\"https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-3-Image-11.jpg 1233w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-3-Image-11-300x197.jpg 300w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-3-Image-11-1024x672.jpg 1024w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-3-Image-11-210x137.jpg 210w\" sizes=\"auto, (max-width: 1233px) 100vw, 1233px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-962\" src=\"http:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-4-Image-21.jpg\" alt=\"FIGURE 2 Example risk event reports.\" width=\"1235\" height=\"809\" srcset=\"https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-4-Image-21.jpg 1235w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-4-Image-21-300x196.jpg 300w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-4-Image-21-1024x670.jpg 1024w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-4-Image-21-210x137.jpg 210w\" sizes=\"auto, (max-width: 1235px) 100vw, 1235px\" \/><\/p>\n<p><strong>Risk Matrixes<\/strong><\/p>\n<p>In other types of Risk Registers, Likelihood (L) and Impact (I) values can be used and entered for each risk element, and the product of these two variables is termed the Key Risk Indicator (KRI), where KRI = L \u00d7 I. These KRI values can be color coded into various regions based on their respective values. 
For instance, Figure 3 shows a 10 \u00d7 10 matrix where the columns going from left to right represent Likelihood from 1 to 10 (low to high), and the rows from bottom to top represent the Impact from 1 to 10 (low to high). The values inside each of the cells represent the KRI, and the color coding depends on the computed KRI (typically, lower KRI values are green, medium KRI values are yellow, and high KRI values are red). In a later section, we showcase examples of how these KRI values can be incorporated into the ERM Risk Register. As will be seen later, the color coding, matrix size, and category labels can be customized as required.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-965\" src=\"http:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-5-Image-3.jpg\" alt=\"FIGURE 3 Risk matrix.\" width=\"402\" height=\"295\" srcset=\"https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-5-Image-3.jpg 402w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-5-Image-3-300x220.jpg 300w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-5-Image-3-210x154.jpg 210w\" sizes=\"auto, (max-width: 402px) 100vw, 402px\" \/><\/p>\n<p><strong>Business Continuity Planning<\/strong><\/p>\n<p>In some organizations with potential public risk exposures\u2014such as nuclear power plants, airline companies, oil and gas exploration and drilling firms, banks, and government or public institutions\u2014 additional risk documentation is also recommended. These documentations are also part of the traditional ERM process. 
As an example, the following are typical procedures and documentation arising from operational risk planning, and they can be customized to an organization\u2019s unique needs:<\/p>\n<ul>\n<li><b>Business Continuity Plan (BCP)<\/b> focuses on sustaining business functions during and after a\u00a0disruption (e.g., business functions may include an organization\u2019s payroll process or consumer\u00a0information process). A BCP may be written for a specific business process or may address all key\u00a0business processes. IT systems are considered in the BCP in terms of their support to the business\u00a0processes. A Disaster Recovery Plan, Business Resumption Plan, and Occupant Emergency Plan\u00a0may be appended to the BCP as required.<\/li>\n<li><b>Business Recovery Plan (BRP) or Business Resumption Plan<\/b> addresses the restoration of\u00a0business processes after an emergency. Development of the BRP will be coordinated with the\u00a0Disaster Recovery Plan and BCP.<\/li>\n<li><b>Continuity of Operations Plan (COOP)<\/b> focuses on restoring an organization\u2019s main essential\u00a0functions at an alternate site and performing those functions for up to 4 weeks before returning\u00a0to normal operations. COOP addresses headquarters\u2010level issues; it is developed and executed\u00a0independently from the BCP. The document can include Delegation of Authority, Orders of\u00a0Succession, and Procedures for Vital Records and Databases.<\/li>\n<li><b>Continuity of Support Plan and IT Contingency Plan (Recovery Strategy)<\/b> includes the\u00a0development and maintenance of continuity of support plans for general support systems and contingency plans for major applications.<\/li>\n<li><b>Cyber Incident Response Plan (CIRP)<\/b> establishes procedures to address cyber\u2010attacks against\u00a0an organization\u2019s IT system. 
It is designed to enable security personnel to identify, mitigate, and\u00a0recover from malicious computer incidents, such as unauthorized access to a system or data,\u00a0denial of service, or unauthorized changes to system hardware, software, or data (e.g., malicious\u00a0logic, such as a virus, worm, or Trojan horse).<\/li>\n<li><b>Disaster Recovery Plan (DRP)<\/b> becomes applicable after catastrophic events that deny access to\u00a0the normal facility for an extended period. Depending on the organization\u2019s needs, several DRPs\u00a0may be appended to the BCP.<\/li>\n<li><b>Crisis Management Plan (CMP) and Crisis Communications Plan (CCP)<\/b> detail how organizations prepare their internal and external procedures prior to and during a disaster. A crisis communications plan is often developed by the organization responsible for public outreach. Plan procedures are included as an appendix to the BCP. The communications plan includes designation of specific individuals as the only authority for answering questions from the public regarding disaster response.<\/li>\n<\/ul>\n<p><strong>Comprehensive ERM with Quantitative Risk Management<\/strong><\/p>\n<p>A true next\u2010generation comprehensive ERM process should include, at a minimum, the qualitative methods and steps previously outlined plus quantitative IRM methodologies. Instead of continuing the whitepaper by outlining additional items and bullet lists of methods and steps, we illustrate the quantitative ERM methods through the use of the PEAT software.<\/p>\n<p><strong>PEAT: Project Economics Analysis Tool<\/strong><\/p>\n<p>Project Economics Analysis Tool (PEAT) software was developed to perform a comprehensive Integrated\u00a0Risk Management analysis on capital investments, discounted cash flow, cost and schedule risk project\u00a0management, oil and gas applications, healthcare analytics, and Enterprise Risk Management. 
This tool\u00a0will help you to set up a series of projects or capital investment options, model their cash flows, simulate\u00a0their risks, run advanced risk simulations, perform business intelligence analytics, run forecasting and\u00a0prediction modeling, optimize your investment portfolio subject to budgetary and other resource and\u00a0qualitative constraints, and generate automated reports and charts, all within a single easy\u2010to\u2010use\u00a0integrated software suite. The following modules are available in PEAT (Figure 4), and this whitepaper focuses on the ERM module:<\/p>\n<ul>\n<li>Enterprise Risk Management (ERM)<\/li>\n<li>Corporate Investments (Dynamic Discounted Cash Flow)<\/li>\n<li>Corporate Investments (Lease versus Buy)<\/li>\n<li>Goals Analytics (Sales Force Automation)<\/li>\n<li>Healthcare Economics (HEAT and REJ)<\/li>\n<li>Oil and Gas (Oil Field Reserves, Oil Recovery Analysis, Well\u2010Type Curves)<\/li>\n<li>Project Management (Cost and Schedule Risk)<\/li>\n<li>Public Sector Analysis (Knowledge Value Added)<\/li>\n<li>ROV Compiled Models<\/li>\n<li>Customized company\u2010specific modules and applications<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-970 size-full\" src=\"http:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-7-Image-4.jpg\" alt=\"FIGURE 4 Project Economics Analysis Tool (PEAT) by ROV.\" width=\"915\" height=\"489\" srcset=\"https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-7-Image-4.jpg 915w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-7-Image-4-300x160.jpg 300w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-7-Image-4-210x112.jpg 210w\" sizes=\"auto, (max-width: 915px) 100vw, 915px\" \/><\/p>\n<p>ROV\u2019s PEAT incorporates all of the advanced risk and decision analytical methodologies covered in\u00a0the Integrated Risk Management (IRM) process into a simple\u2010to\u2010use and 
step\u2010by\u2010step integrated software\u00a0application suite. It simplifies the risk\u2010based decision analysis process and empowers the decision maker\u00a0with insights from powerful analytics. If you already perform discounted cash flow modeling or Enterprise Risk Management in Excel, why do you still need PEAT? Because PEAT\u2019s integrated advanced analytical\u00a0techniques extend the analysis you have already performed, and do so in a simple\u2010to\u2010use, simple\u2010to\u2010understand,\u00a0and automated format, thus generating valuable insights that would be impossible without\u00a0such advanced methods. PEAT allows you to scale and replicate your analysis, archive and encrypt your models and data, create automated reports, and customize your own PEAT modules.<\/p>\n<ul>\n<li><strong>Enterprise Risk Management (ERM):<\/strong> Perform traditional qualitative ERM with Risk Registers but also enhance the analysis with more quantitative analysis. This ERM module comes with\u00a0an online Web version as well as a module within PEAT, where you can enter and save\u00a0multiple Risk Registers to generate Key Risk Indicators (KRI) by Risk Divisions and Risk\u00a0Taxonomy (Geographic, Operations, Products, Activity or Process, and Department); assign\u00a0risk items to different Risk Managers by performing Risk Mapping of Risk Categories to\u00a0different Risk Divisions; create Risk Dashboards of the results; enter Risk Elements within\u00a0multiple customizable Risk Engagements; draw Risk Diagrams; perform and run Risk\u00a0Controls on KRIs to see if certain risks are within control or out of control; perform Risk\u00a0Forecasts; check if certain Risk Mitigation projects do, indeed, work or are statistically\u00a0ineffective; perform Risk Sensitivity on KRIs; perform Risk Scenarios on quantitative risk\u00a0metrics; run Risk Simulations on risk metrics; generate Risk Reports; and encrypt your data\u00a0and files for the purposes of Risk Security. 
See Dr. Johnathan Mun\u2019s Modeling Risk, Third\u00a0Edition, Chapter 14, for the case study on Eletrobr\u00e1s in Brazil on how The PEAT ERM was\u00a0employed at this multinational.<\/li>\n<li><strong>Corporate Investments (Dynamic Discounted Cash Flow):<\/strong> With a few simple assumptions, you can auto\u2010generate cash flow statements of multiple projects; obtain key performance indicators and financial metrics (NPV, IRR, MIRR, PP, DPP, ROI); run risk simulations on uncertainty inputs; generate static Tornado sensitivity analysis; run dynamic sensitivities; simultaneously compare multiple projects within a portfolio; perform forecasts of future revenues and cash flow; draw multiple strategic investment pathways and options, and model and value these strategic paths; compute and optimize the best projects within a portfolio\u00a0subject to multiple constraints and restrictions; view results in management dashboards;\u00a0encrypt your model and data; and auto\u2010generate analysis reports. See Dr. Mun\u2019s Modeling\u00a0Risk, Third Edition, Chapter 18, for more details on using PEAT\u2019s stochastic discounted cash\u00a0flow module.<\/li>\n<li><strong>Corporate Investments (Lease versus Buy):<\/strong> Run a lease versus buy analysis, compare capital and operating leases with interest payments and tax advantages, value the lease contract from the point of view of the lessee and lessor, and generate the complete cash flow analysis to obtain the net advantage to leasing.<\/li>\n<li><strong>Goals Analytics (Sales Force Automation):<\/strong> Develop and maintain corporate sales goals. A Web\u2010based SaaS and desktop\u2010based PEAT module, it focuses on the creation and use of goals that help make goal\u2010setting more accurate and sustainable by any company seeking to improve its sales performance (sales goal forecasting, probability of hitting corporate revenues, sales pipeline analysis, and other sales\u2010based metrics analysis). See Dr. 
Mun\u2019s Modeling Risk, Third Edition, Chapter 14, for a case study on using PEAT\u2019s business plan forecasting module.<\/li>\n<li><strong>Healthcare Economics (HEAT and REJ):<\/strong> Run the economics of various options available under the U.S. Affordable Care Act (Obamacare) for corporations providing employer\u2010sponsored healthcare by loading employee\u2010census data (healthcare economics analysis tool, HEAT), or perform rapid economic justification (REJ) of each option by simulating its high\u2010level inputs. See Dr. Mun\u2019s Modeling Risk, Third Edition, Chapter 14, for a case study on using PEAT\u2019s health care economics module.<\/li>\n<li><strong>Oil and Gas (Oil Field Reserves, Oil Recovery, and Well\u2010Type Curves):<\/strong> Perform oil and gas industry models on analyzing the economics of oil field reserves and available oil recovery based on uncertainty and risks, as well as generate oil\u2010well\u2013specific type curves and economics.<\/li>\n<li><strong>Project Management (Cost and Schedule Risk):<\/strong> Draw your own project pathways (simple linear project tasks versus complex parallel and recombining projects), then click a button to auto\u2010generate\u00a0the model. Enter the cost and schedule estimates as well as their spreads, then run a risk simulation on the model to determine the probability of cost\u2010schedule overruns, cost\u2010schedule buffers at various probabilities of completion, critical path identification, and sensitivity analysis. See Dr. 
Mun\u2019s Modeling Risk, Third Edition, Technical Note 6, for a case study on using PEAT\u2019s project management (cost and schedule risk) module.<\/li>\n<li><strong>Public Sector Analysis (Knowledge Value Added):<\/strong> Model government and nonprofit\u00a0organizations\u2019 value, value to society, or intangible value via Knowledge Value Added utilizing\u00a0market comparables to identify and monetize such projects and assets.<\/li>\n<li><strong>ROV Compiled Models:<\/strong> With the compiler software, users can compile their existing Excel models into license\u2010controlled executable EXE files. ROV\u2019s patented methods can be used to encrypt and lock up the intellectual property and mathematical algorithms of the model, and issue hardware\u2010controlled and timed licenses to the purchaser\u2019s own users or customers.<\/li>\n<\/ul>\n<p><strong>Critical ERM Risk Characteristics and Modeling Criteria<\/strong><\/p>\n<p>PEAT ERM is both a desktop software and online Web\u2010based application, with over 20 related U.S. and\u00a0worldwide patents and patents pending. The desktop PEAT version is for internal risk department\u00a0personnel to manage the results and data set, keep the data encrypted and safe, and run analyses such as\u00a0simulations, scenarios, Tornado analysis, and so forth. \u00a0Not everyone needs these advanced analytics.\u00a0Therefore, in a large corporation, there can be multiple end users who should have the ability to enter\u00a0data, and a few local administrators with access to control everything from granting access to and creating\u00a0end users, to setting up the risk profile of the company. End users (e.g., plant managers, supervisors,\u00a0secretaries, etc.) can only enter in data and information. These end users have limited access and limited\u00a0knowledge, making training simple, and they enter in values only pertaining to their areas of\u00a0responsibilities. 
Local administrators then have a database that rolls up to the corporate level and they\u00a0can see results, generate reports, perform more advanced quantitative risk analytics, and so on.<\/p>\n<ul>\n<ul>\n<li><strong>Risk Settings and Risk Classifications<\/strong> Users typically start by setting up how Key Risk Indicators (KRI) should be set up, any E\u2010Alerts that need to be triggered and sent if KRIs exceed certain values for any Risk Element, etc. Such global settings should also allow users to set Risk Indicator Categories (1\u20105 or 1\u201010) with Customizable Color Coding of KRI (Key Risk Indicators) via a Risk Matrix (Figure 5).<\/li>\n<\/ul>\n<\/ul>\n<p><a href=\"http:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-9-Image-5.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-974\" src=\"http:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-9-Image-5.jpg\" alt=\"FIGURE 5 Risk settings.\" width=\"976\" height=\"288\" srcset=\"https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-9-Image-5.jpg 976w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-9-Image-5-300x88.jpg 300w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-9-Image-5-210x61.jpg 210w\" sizes=\"auto, (max-width: 976px) 100vw, 976px\" \/><\/a><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-975\" src=\"http:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-9-Image-6.jpg\" alt=\"FIGURE 5 Risk settings.\" width=\"976\" height=\"287\" srcset=\"https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-9-Image-6.jpg 976w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-9-Image-6-300x88.jpg 300w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-9-Image-6-210x61.jpg 210w\" sizes=\"auto, (max-width: 976px) 100vw, 976px\" \/><\/p>\n<ul>\n<ul>\n<li><strong>Risk Groups and Risk 
Taxonomy<\/strong> Typically, ERM implementation also requires the ability to create various divisions, departments, risk categories, and other segmentation within an organization. Such segregation is required because data entered for the Risk Elements can be sliced and diced every which way, as well as being in compliance with COSO Integrated Risk Framework. Figure 6 shows the PEAT setup of various Risk Divisions, Risk G.O.P.A.D., Risk Category, and Risk Managers. Cumulatively, these categories represent the Risk Taxonomy of the ERM system. For example, multiple business or operational Divisions within a Company can be created, such that the company can manage multiple risk profiles for each division. Users can also create and assign various G.O.P.A.D. categories (geographic, operations, products, activity or process, and department) such that analysts can analyze the company\u2019s risk profile from multiple points of view, select from and create queries of specific G.O.P.A.D. categories to analyze, and so on. 
Users can create customized Risk Categories or use PEAT\u2019s library of predefined risk categories, and lists of persons in charge of certain risks and their contact information can be set up.<\/li>\n<\/ul>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-977\" src=\"http:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-10-Image-7.jpg\" alt=\"FIGURE 6 Risk groupings in an organization.\" width=\"1239\" height=\"808\" srcset=\"https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-10-Image-7.jpg 1239w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-10-Image-7-300x195.jpg 300w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-10-Image-7-1024x667.jpg 1024w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-10-Image-7-210x136.jpg 210w\" sizes=\"auto, (max-width: 1239px) 100vw, 1239px\" \/><\/p>\n<ul>\n<ul>\n<li><strong>Risk Mapping<\/strong> Based on previously created Risk Groups and Risk Taxonomy, we can now map and link these hierarchies on one or more dimensions. This process will allow putting various projects with related risks into the various groups and segments for analysis and the ability to view how a certain risk permeates through the organization as well as how a specific risk element may touch multiple departments, divisions, processes, and so forth. The previously completed segments can then be mapped as shown in Figure 7.\u00a0For example, a Risk Category can be mapped to one or multiple G.O.P.A.D. categories, which can then be\u00a0mapped to one or more Divisions. All Divisions roll up to the Corporation. This way, when a risk element\u00a0is entered in the Risk Register, users can choose the Risk Category and the remaining connection routes\u00a0will be determined. Using these mapped connections, the software can slice\u2010and\u2010dice and look at different\u00a0Divisions, G.O.P.A.D. 
categories, or Divisions and see the risk profile from various points of view.<\/li>\n<\/ul>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-990 size-full\" src=\"http:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-11-Image-8.jpg\" alt=\"\" width=\"1241\" height=\"809\" srcset=\"https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-11-Image-8.jpg 1241w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-11-Image-8-300x195.jpg 300w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-11-Image-8-1024x667.jpg 1024w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-11-Image-8-210x136.jpg 210w\" sizes=\"auto, (max-width: 1241px) 100vw, 1241px\" \/><\/p>\n<ul>\n<ul>\n<li><strong>Risk Register<\/strong> Now comes the Risk Register setup. As discussed, the Risk Register represents the center of the ERM world, and in the PEAT utility, users can set up, create new, and save multiple Risk Registers in a single file. That is, users can create multiple Risk Registers where each Risk Register has multiple Risk Elements consisting of Causes of Risk, Consequences of Risk, Risk Mitigation Response, Risk Manager Assignments, Risk Category, Risk Status, Likelihood, Impact, Key Risk Indicators, Risk Dates (Creation, Edit, and Due Dates), Total Risk Levels ($), Residual Risk Levels ($), Mitigation Cost, Multiple Risk Controls, and so forth, as illustrated in Figure 8.<\/li>\n<li><strong>Informational Inputs<\/strong> Multiple Risk Registers (e.g., different projects, business units, investment initiatives, plants, facilities, etc.) can be saved and archived as required, where each Risk Register contains multiple Risk Elements\u00a0(e.g., the individual risks such as fire, fraud, IT downtime, human errors, accidents, and so forth, within\u00a0each project, business unit, initiative, facility, etc.), shown as rows in the data grid (Figure 8). 
The typical\u00a0qualitative informational inputs include the name of the risk, a short name or acronym, causes of the\u00a0specific risk, consequences of the risk, any risk mitigation responses, action plans to execute, current\u00a0status (active or inactive), risk manager it is assigned to, and the Likelihood and Impact levels of the\u00a0current Risk Element. Risk Category is also a required input and based on the Risk Mapping performed,\u00a0selecting a specific Risk Category will automatically insert the inputted risk into all mapped relationships, as will be used later in the Risk Dashboards.<\/li>\n<li><strong>Impact and Likelihood<\/strong> As mentioned, the Risk Register entries require a two\u2010dimensional input of Likelihood (L) or frequency of\u00a0a risk event occurring and Impact (I) or the severity in terms of financial, economic, and noneconomic\u00a0effects of the risk. These L and I concepts are industry standard and used even in regulatory environments\u00a0such as the Basel II and Basel III Accords (initiated by the Bank of International Settlements in Switzerland\u00a0and accepted by most Central Banks around the world as regulatory reporting standards for operational\u00a0risks). Alternate measures such as Vulnerability (V), Velocity (\uf075), and others can be used as well. The\u00a0whitepaper on applying PEAT ERM at Eletrobr\u00e1s in Brazil showcases one example of how velocity\u00a0measures are used.\u00a0The uncertainties of repetitive events observed in enterprises\u2019 operations over long periods of time\u00a0can become predictable but usually not with absolute certainty. Such observances can be associated with\u00a0mathematical functions that reflect the statistical properties of something likely to occur at a future time.\u00a0The risk of an event occurring is connected to two parameters: the Impact (I) caused by an uncertain event\u00a0and the probability, or Likelihood (L), of an event occurring. 
Given some known probability of a risk event\u00a0occurring, the higher the impact, the greater the risk. If the impact is zero, the risk will be zero even though\u00a0the event has a high probability of occurring. The reverse argument is also true. If the probability of a risk\u00a0event occurring is equal to zero, the risk is zero (this is an environment of pure certainty), regardless of\u00a0the magnitude of the impact.<\/li>\n<li><strong>Risk Mitigation and Total versus Residual Risk<\/strong> Risk Mitigation, Total Risk, and Residual Risk are the optional monetary inputs in each Risk Element in the Risk Register. Total Risk means the total amount of risk impact this specific Risk Element may cost the organization. The inputs are the projected minimum impact, most likely impact, and maximum impact it might cause. For instance, the risks of a counterparty violating an existing contract may have financial impacts, where the minimal impact might be, say, $0 if the contract is still in force through the end of its term, to a most likely impact of $100,000 in anticipated delays and cost overruns by the counterparty, to a maximum of $300,000 if the counterparty becomes insolvent and subsequent lost business opportunities due to nonperformance of the counterparty. The Mitigation Cost is the amount of money used to reduce the risk exposure of the specific Risk Element, for instance, the cost of obtaining a secondary subcontractor with prenegotiated terms whose contract becomes live only if the original\u00a0contractor is not performing. Such risk mitigation methods tend to have a financial cost, and the Residual\u00a0Risk Level as seen in Figure 8 reflects the remaining risk exposure after these risk mitigation strategies\u00a0have been employed. 
That is, by having a secondary contract, the risk exposure is a lot less but may still\u00a0remain.<\/li>\n<\/ul>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-983\" src=\"http:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-13-Image-91.jpg\" alt=\"FIGURE 8 Risk Register.\" width=\"1232\" height=\"803\" srcset=\"https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-13-Image-91.jpg 1232w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-13-Image-91-300x195.jpg 300w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-13-Image-91-1024x667.jpg 1024w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-13-Image-91-210x136.jpg 210w\" sizes=\"auto, (max-width: 1232px) 100vw, 1232px\" \/><\/p>\n<ul>\n<ul>\n<li><strong>Risk Dashboard<\/strong>Users of the PEAT ERM system can create multiple types of customized Risk Dashboard views complete with reports, data grids, charts, and visuals, where analysts can select from a specific G.O.P.A.D. category, Division, Risk Category, or Risk Dates. Following are some sample Risk Dashboard views.<\/li>\n<li><strong>Risk Dashboard \u2013 Risk Elements<\/strong> Here KRIs can be viewed using Pareto charts, that is, visual charts on KRI scores across different selected segments, division, or G.O.P.A.D. 
category of the organization over a specified time span, as shown in Figure 9.<\/li>\n<\/ul>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-984\" src=\"http:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-14-Image-10.jpg\" alt=\"FIGURE 9 Risk Dashboard\u2019s risk elements.\" width=\"1239\" height=\"809\" srcset=\"https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-14-Image-10.jpg 1239w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-14-Image-10-300x195.jpg 300w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-14-Image-10-1024x668.jpg 1024w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-14-Image-10-210x137.jpg 210w\" sizes=\"auto, (max-width: 1239px) 100vw, 1239px\" \/><\/p>\n<ul>\n<ul>\n<li><strong>Risk Dashboard \u2013 Risk Heat Maps<\/strong>Risk Heat Maps of KRI counts with relevant customizable risk\u2010based color codes across various risk categories, divisions, and segments over specified time periods can also be generated (Figure 10). Each value in the matrix\u2019s cells represents the total number of Risk Elements falling within that specific cross section of Likelihood and Impact levels.<\/li>\n<li><strong>Risk Dashboard \u2013 Risk Groups<\/strong> Risk accumulation by G.O.P.A.D. category or other risk groups can be shown as bar charts indicating the Risk Element counts within these selected groups (Figure 11). The ability to slice and dice the data to generate customized reports comes from the previously setup various G.O.P.A.D. 
components and their mapped relationships to risk types and risk categories.<\/li>\n<\/ul>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-991\" src=\"http:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-15-Image-111.jpg\" alt=\"FIGURE 10 Risk Dashboard\u2019s risk heat map.\" width=\"1234\" height=\"806\" srcset=\"https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-15-Image-111.jpg 1234w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-15-Image-111-300x195.jpg 300w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-15-Image-111-1024x668.jpg 1024w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-15-Image-111-210x137.jpg 210w\" sizes=\"auto, (max-width: 1234px) 100vw, 1234px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-992\" src=\"http:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-15-Image-121.jpg\" alt=\"FIGURE 11 Risk Dashboard\u2019s Risk Groups (element count by division).\" width=\"1237\" height=\"807\" srcset=\"https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-15-Image-121.jpg 1237w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-15-Image-121-300x195.jpg 300w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-15-Image-121-1024x668.jpg 1024w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-15-Image-121-210x137.jpg 210w\" sizes=\"auto, (max-width: 1237px) 100vw, 1237px\" \/><\/p>\n<ul>\n<ul>\n<li><strong>Risk Dashboard \u2013 Risk Exposure<\/strong>The Risk Exposure of a selected segment is shown as risk dials and charts and is compared against the entire Company (Figure 12). 
These dials and charts represent the Total Risk Exposure and Total Residual Risk Exposure for the selected category and time period, by summing all the relevant Risk Elements\u2019 dollar or monetary exposures in the active Risk Register. The default terms of Total Gross Risk (also known as Inherent Risk or Total Risk) and Residual Risk (also known as Active Risk, Remaining Risk, or Current Risk) can all be user\u2010defined in the Risk Settings tab.<\/li>\n<\/ul>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-997\" src=\"http:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-16-Image-13.jpg\" alt=\"FIGURE 12 Risk Dashboard\u2019s Risk Exposure levels (by GOPAD and Corporate).\" width=\"1245\" height=\"806\" srcset=\"https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-16-Image-13.jpg 1245w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-16-Image-13-300x194.jpg 300w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-16-Image-13-1024x662.jpg 1024w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-16-Image-13-210x135.jpg 210w\" sizes=\"auto, (max-width: 1245px) 100vw, 1245px\" \/><\/p>\n<ul>\n<ul>\n<li><strong>Risk Dashboard \u2013 Risk Taxonomy<\/strong> This report provides a top\u2010down (drill\u2010down) visual representation of the structure of the corporation and its risk associations or Risk Taxonomy, as well as a bottom\u2010up view of how a specific risk permeates throughout the corporation (Figure 13).<\/li>\n<\/ul>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-998\" src=\"http:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-17-Image-14.jpg\" alt=\"FIGURE 13 Risk Dashboard\u2019s Risk Taxonomy (top down view).\" width=\"1239\" height=\"806\" srcset=\"https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-17-Image-14.jpg 1239w, 
https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-17-Image-14-300x195.jpg 300w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-17-Image-14-1024x666.jpg 1024w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-17-Image-14-210x136.jpg 210w\" sizes=\"auto, (max-width: 1239px) 100vw, 1239px\" \/><\/p>\n<ul>\n<ul>\n<li><strong>Risk Dashboard \u2013 Risk Inventory<\/strong>SQL queries are used to obtain the customized risk profiles and risk reports by Division, G.O.P.A.D. category, Risk Category, Risk Dates, and so forth. The queries will search the active Risk Register for all the relevant Risk Elements that fall within the search parameters and return an inventory of all the risks identified (Figure 14). This report allows for the Risk Monitoring of project management, tasks, completion, and assignments, and it also provides for Risk Governance; provides a Risk Effectiveness Summary, Risk Audit Trail, and Compliance; and complies with International Standards Organization\u00a0(ISO) Standards. 
See the whitepaper on how PEAT and ROV technology is in compliance with multiple global risk standards such as COSO, BASEL III, NIST, ISO 31000:2009, and others.<\/li>\n<\/ul>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-999\" src=\"http:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-18-Image-15.jpg\" alt=\"FIGURE 14 Risk Dashboard\u2019s Risk Inventory.\" width=\"1239\" height=\"807\" srcset=\"https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-18-Image-15.jpg 1239w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-18-Image-15-300x195.jpg 300w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-18-Image-15-1024x666.jpg 1024w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-18-Image-15-210x136.jpg 210w\" sizes=\"auto, (max-width: 1239px) 100vw, 1239px\" \/><\/p>\n<ul>\n<ul>\n<li><strong>Risk Dashboard \u2013 Risk Probability<\/strong>This dashboard provides users the ability to compute the PDF\/CDF probability of a discrete risk event\u00a0occurring or continuous risk amounts using historical experience. The analysis is similar to that in Risk\u00a0Simulator\u2019s Distributional Analysis tool, where after a probability distribution is selected and its required\u00a0input parameters are entered, the PDF and CDF values are returned as a probability table. Figure 15 shows\u00a0an example situation where a discrete Poisson distribution is selected and the Lambda (mean) value\u00a0entered is 1.5 (e.g., data was collected for 3 months on the number of errors in bank check deposits per\u00a0work week at a specific branch of a national bank, and the data shows that there is, on average, 1.5 errors\u00a0per work week). 
By setting some starting and ending range and step size, the computed table shows the\u00a0PDF probability and CDF cumulative probability of a specific risk category\u2019s number of events per work\u00a0week (check deposit errors). The probability that within any work week there will be no check deposit\u00a0errors is 22.31%, exactly one error is 33.47%, exactly two errors is 25.10%, and so forth. Cumulatively,\u00a0we can also state that we are 93.44% sure that within any work week, there will be three or fewer risk\u00a0event errors of the same risk category, assuming history is the best indicator of future performance.<\/li>\n<\/ul>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1000\" src=\"http:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-19-Image-16.jpg\" alt=\"FIGURE 15 Risk Dashboard\u2019s exact probability analysis (CDF and PDF).\" width=\"1242\" height=\"810\" srcset=\"https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-19-Image-16.jpg 1242w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-19-Image-16-300x195.jpg 300w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-19-Image-16-1024x667.jpg 1024w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-19-Image-16-210x136.jpg 210w\" sizes=\"auto, (max-width: 1242px) 100vw, 1242px\" \/><\/p>\n<ul>\n<ul>\n<li><strong>Risk Diagrams<\/strong>Users can create Risk Diagrams with ready\u2010made templates on Bowtie Hazard Diagrams, Cause and Effect Ishikawa Fishbone Diagrams, Drill\u2010Down Diagrams, Influence Diagrams, Mind Maps, and Node Diagrams. Sometimes, customized risk diagrams such as those shown in Figure 16 can be used to better illustrate the risk process, risk mitigation, risk cause and effect, and risk impact of the Risk Register. Right\u2010click on the Risk Diagram tab to add additional diagrams or to delete and rename existing diagrams. 
In addition,\u00a0various pre\u2010configured diagram templates are available in the droplist to help users get started in generating their own risk diagrams.<\/li>\n<\/ul>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1001\" src=\"http:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-20-Image-17.jpg\" alt=\"FIGURE 16 Risk Diagrams.\" width=\"1240\" height=\"809\" srcset=\"https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-20-Image-17.jpg 1240w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-20-Image-17-300x195.jpg 300w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-20-Image-17-1024x668.jpg 1024w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-20-Image-17-210x137.jpg 210w\" sizes=\"auto, (max-width: 1240px) 100vw, 1240px\" \/><\/p>\n<ul>\n<ul>\n<li><strong>Risk Controls<\/strong> The PEAT ERM system also allows for the creation of Control Charts and KRI Risk Trends over time (Figure 17), and statistical process controls can be applied to determine if a certain risk element is in\u2010control or out\u2010of\u2010control. Control charts help to visually and statistically determine if a specific risk event is in\u2010control or out\u2010of\u2010control. 
For instance, if the number of risk events such as a plant accident spikes within a certain time period, was that set of events considered expected under statistically normal circumstances or was it an outlier requiring more detailed analysis?<\/li>\n<\/ul>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1002\" src=\"http:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-21-Image-18.jpg\" alt=\"FIGURE 17 Risk Controls charts (sample c\u2010chart).\" width=\"1238\" height=\"807\" srcset=\"https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-21-Image-18.jpg 1238w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-21-Image-18-300x195.jpg 300w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-21-Image-18-1024x667.jpg 1024w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-21-Image-18-210x136.jpg 210w\" sizes=\"auto, (max-width: 1238px) 100vw, 1238px\" \/><\/p>\n<ul>\n<ul>\n<li><strong>Risk Forecast<\/strong>As part of the IRM process, historical risk data can be used to apply predictive modeling to forecast future\u00a0states of risk, as well as Risk Tracking, Time\u2010Series Risk Forecasts, PDF\/CDF Likelihood of Occurrence,\u00a0and Snapshots per period and over time (Figure 18). 
Using historical data or subject matter estimates, you\u00a0can run forecast models on time\u2010series or cross\u2010sectional data by applying advanced forecast analytics\u00a0such as ARIMA, Auto ARIMA, Auto Econometrics, Basic Econometrics, Cubic Splines, Fuzzy Logic, GARCH\u00a0(8 variations), Exponential J Curves, Logistic S Curves, Markov Chains, Generalized Linear Models (Logit, Probit, and Tobit), Multivariate Regressions (Linear and Nonlinear), Neural Network, Stochastic\u00a0Processes (Brownian Motion, Mean\u2010Reversion, Jump\u2010Diffusion), Time\u2010Series Analysis, and Trendlines.<\/li>\n<li><strong>Risk Knowledge<\/strong> Any good ERM system should always include quick getting\u2010started guides and training videos. The\u00a0Knowledge Center in PEAT\u2019s ERM module has slides, training materials, and videos that are all fully\u00a0customizable for an organization (Figure 19).<\/li>\n<\/ul>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1004\" src=\"http:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-22-Image-19.jpg\" alt=\"FIGURE 18 Risk forecast.\" width=\"1236\" height=\"807\" srcset=\"https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-22-Image-19.jpg 1236w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-22-Image-19-300x195.jpg 300w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-22-Image-19-1024x668.jpg 1024w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-22-Image-19-210x137.jpg 210w\" sizes=\"auto, (max-width: 1236px) 100vw, 1236px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1005\" src=\"http:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-22-Image-20.jpg\" alt=\"FIGURE 19 Risk Knowledge Center.\" width=\"1241\" height=\"813\" srcset=\"https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-22-Image-20.jpg 1241w, 
https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-22-Image-20-300x196.jpg 300w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-22-Image-20-1024x670.jpg 1024w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-22-Image-20-210x137.jpg 210w\" sizes=\"auto, (max-width: 1241px) 100vw, 1241px\" \/><\/p>\n<ul>\n<li><strong>Risk Mitigation<\/strong> The Risk Mitigation analysis in PEAT\u2019s ERM helps determine if a specific risk mitigation strategy or\u00a0technique is working, at least statistically speaking. Risk managers can collect data from before and after\u00a0a risk mitigation strategy is implemented and determine if there is a statistically significant difference\u00a0between the two. The utility allows for the valuation and statistical computation of the effectiveness of\u00a0risk mitigation programs through various hypothesis testing methods. For example, in the risk event of\u00a0check deposit errors, the bank could potentially invest in high\u2010resolution check scanners with smart\u00a0optical character recognition software with embedded algorithms to check for any potential human\u00a0errors. If the number of check errors is tracked before the new scanner system is implemented and\u00a0compared with the number after the implementation, risk analysts can determine the efficacy and effectiveness of said\u00a0scanner, if it was worth the money invested, and if additional scanners should be implemented across\u00a0other bank branches.<\/li>\n<\/ul>\n<p><strong>Archiving Risk Events and Risk Engagements<\/strong><\/p>\n<p>Sometimes Risk Registers can be simplified to not require any Likelihood, Impact, Risk Exposure amounts,\u00a0Mitigation Costs, or Residual Risk Exposure amounts. That is, only qualitative information and details are\u00a0required by the organization. Figure 20 shows an illustration of a simplified\u00a0Risk Register of items in the\u00a0PEAT ERM system. 
The risk maps can still be used but only simple risk event counts, event names, and\u00a0dates are used and captured.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1006\" src=\"http:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-23-Image-21.jpg\" alt=\"FIGURE 20 Risk Events data entry and archive.\" width=\"1239\" height=\"808\" srcset=\"https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-23-Image-21.jpg 1239w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-23-Image-21-300x195.jpg 300w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-23-Image-21-1024x667.jpg 1024w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-23-Image-21-210x136.jpg 210w\" sizes=\"auto, (max-width: 1239px) 100vw, 1239px\" \/><\/p>\n<p>Sometimes, qualitative risk event information needs to be saved and archived. This is where the PEAT\u00a0ERM\u2019s Risk Engagement sections come in handy. Multiple Risk Engagements can be created in a single file\u00a0where each of the following subsections has multiple Risk Elements: Pre\u2010Engagement Risks, Engagement\u00a0Risks, and Lessons Learned (Post\u2010Engagement) as seen in Figure 21. 
By archiving these qualitative risk aspects, a Risk Library can be generated and historical risks can be analyzed over time.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1007\" src=\"http:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-24-Image-22.jpg\" alt=\"FIGURE 21 Risk Engagement: Pre\u2010Engagement, Engagement, and Lessons Learned.\" width=\"1244\" height=\"810\" srcset=\"https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-24-Image-22.jpg 1244w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-24-Image-22-300x195.jpg 300w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-24-Image-22-1024x666.jpg 1024w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-24-Image-22-210x136.jpg 210w\" sizes=\"auto, (max-width: 1244px) 100vw, 1244px\" \/><\/p>\n<p><strong>Bridging the Gap between Qualitative and Quantitative Risk Management<\/strong><\/p>\n<p>ERM historically has been a qualitative risk management technique. However, in this whitepaper, IRM methods have been applied and interjected into this traditional ERM process. For instance, Likelihood and\u00a0Impact measures, Total Risk Levels, Residual Risk Levels, and Mitigation Costs are all numerical values.\u00a0These variables are applicable to each Risk Element in the Risk Register and are Risk Mapped throughout\u00a0various Risk Segments in the organization. 
By doing this, we are now able to apply quantitative IRM risk\u00a0analytics to these values such as Tornado analysis, Monte Carlo Risk Simulations, scenario analysis, heat\u00a0maps, and other analytics.<\/p>\n<p><strong>ERM Tornado Analysis<\/strong><\/p>\n<p>As discussed in earlier whitepapers, Tornado analysis helps identify the critical success factors or which\u00a0risk element contributes the most to the bottom\u2010line risk profile of the company (or risk segment) by\u00a0statically perturbing each of the risk element\u2019s financial risk levels (Figure 22). The same interpretation\u00a0as discussed in previous whitepapers holds true for Tornado analysis.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1008\" src=\"http:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-25-Image-23.jpg\" alt=\"FIGURE 22 Tornado analysis on ERM risk register elements.\" width=\"1234\" height=\"807\" srcset=\"https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-25-Image-23.jpg 1234w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-25-Image-23-300x196.jpg 300w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-25-Image-23-1024x669.jpg 1024w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-25-Image-23-210x137.jpg 210w\" sizes=\"auto, (max-width: 1234px) 100vw, 1234px\" \/><\/p>\n<p><strong>ERM Scenario Analysis<\/strong><\/p>\n<p>Scenario Analysis helps create multiple risk scenarios of your current or total risk amounts of individual\u00a0risk elements to determine the impact on the corporate risk profile and to create scenario heat maps.<\/p>\n<p><strong>ERM Monte Carlo Risk Simulations<\/strong><\/p>\n<p>The PEAT ERM system also allows for the creation of Risk Simulations of the user\u2019s risk register element\u00a0input assumptions via ranges (e.g., minimum, most likely, maximum, average, standard deviation,\u00a0location, scale, range, 
percentiles) and returns probabilistic distributions of the individual risk elements\u00a0or rolled\u2010up risks by categories (output metrics include risk element count, KRI sum, sum and count of\u00a0risk register elements within a risk category, total risk dollars, total risk mitigation cost, etc.). These\u00a0probability distributions are automatically generated based on the user\u2019s total and residual risk inputs\u00a0and can be modified and updated as required in the Set Input Assumptions tab (Figure 23). The simulated\u00a0results can be interpreted as usual (Figure 24).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1009\" src=\"http:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-26-Image-24.jpg\" alt=\"FIGURE 23 Risk Simulation assumptions.\" width=\"1243\" height=\"882\" srcset=\"https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-26-Image-24.jpg 1243w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-26-Image-24-300x212.jpg 300w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-26-Image-24-1024x726.jpg 1024w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-26-Image-24-210x149.jpg 210w\" sizes=\"auto, (max-width: 1243px) 100vw, 1243px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1010\" src=\"http:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-26-Image-25.jpg\" alt=\"FIGURE 24 Risk Simulation results.\" width=\"1242\" height=\"807\" srcset=\"https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-26-Image-25.jpg 1242w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-26-Image-25-300x194.jpg 300w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-26-Image-25-1024x665.jpg 1024w, https:\/\/rovdownloads.com\/blog\/wp-content\/uploads\/2015\/02\/Page-26-Image-25-210x136.jpg 210w\" sizes=\"auto, 
(max-width: 1242px) 100vw, 1242px\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Enterprise Risk Management (ERM) in an organization includes the business processes and methods used\u00a0to identify and manage risks as well as seize upside opportunities to achieve its objectives. 
ERM, therefore,\u00a0provides &hellip; <a class=\"readmore\" href=\"https:\/\/rovdownloads.com\/blog\/enterprise-risk-management\/\">Continue Reading &amp;rarr;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[169,170,168,167],"class_list":["post-954","post","type-post","status-publish","format-standard","hentry","category-blog","tag-corporate-investments","tag-project-management","tag-risk-management","tag-risk-registers"],"acf":[],"_links":{"self":[{"href":"https:\/\/rovdownloads.com\/blog\/wp-json\/wp\/v2\/posts\/954","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rovdownloads.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rovdownloads.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rovdownloads.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rovdownloads.com\/blog\/wp-json\/wp\/v2\/comments?post=954"}],"version-history":[{"count":39,"href":"https:\/\/rovdownloads.com\/blog\/wp-json\/wp\/v2\/posts\/954\/revisions"}],"predecessor-version":[{"id":1045,"href":"https:\/\/rovdownloads.com\/blog\/wp-json\/wp\/v2\/posts\/954\/revisions\/1045"}],"wp:attachment":[{"href":"https:\/\/rovdownloads.com\/blog\/wp-json\/wp\/v2\/media?parent=954"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rovdownloads.com\/blog\/wp-json\/wp\/v2\/categories?post=954"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rovdownloads.com\/blog\/wp-json\/wp\/v2\/tags?post=954"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}