If we manage risk to help organizations achieve strategic objectives set forth by management, then risk managers should communicate to management using a similar set of metrics and language. Too many operational risk managers use an entirely different set of measures. Management speaks in terms of revenue, profit, and cost, while operational risk managers report likelihood, impact, and controls. While the latter 3 metrics are important to assessing risk, you are well advised to translate risk management metrics into management's language. Without a common set of metrics management often dismisses risk management's value to the organization - it is seen as either a "nice to have", or worse a compliance effort.
The good news is that you may not have to change your current process, but rather add a few more steps to your risk analysis and reporting. You can also apply some practices from the credit risk world. "Risk adjusted" performance metrics will translate your current risk reports into something that management can relate to more closely. For example;
- Risk Adjusted Revenue (RAR) shows management what the predicted revenues are when you account for the residual financial impact of the risks you are currently managing
- Risk Adjusted Profit (RAP) shows (similarly to RAR) the relative impact to profit
- Risk Adjusted Costs (RAC) predicts costs factoring in residual operational risk impacts (not the cost of risk management, the cost of risk exposures)
When risk management teams add this perspective to their efforts, conversations with senior management will be more relevant to your audience. The risk adjusted reports you generate will include some subjective assumptions, however you will still be engaged in a conversation about how you are helping the organization to
perform better. That's a conversation they are prepared to have.
[Rich]
richard.m.wilson@ca.pwc.com
