Risk Models : Essential tools for analyzing, monitoring and managing risk

There is perhaps no term in the vocabulary of a modern enterprise that causes more confusion and misunderstanding than ‘Risk Analytics’. ‘Risk Management’ fares slightly better but is also a contentious definition. Depending on the vertical you belong to and your role within the organization, this could mean very different things. A typical day in the life of a professional working on Financial Risk Management is very different from that of one working on Technology Risk Management, which in turn varies vastly from a professional working on Operational Risk Management. However, there are some common themes that risk professionals across these diverse areas could agree upon.

Risk management typically includes (but is not limited to) the following:

• Definition and identification of risks
• Identifying and monitoring the entities in the ecosystem impacted by risk
• Defining the quantitative impact of risk
• Identifying and defining the conditions that incur risks
• Data points required to evaluate the conditions for imminent risk
• A consistent and sustained process for collecting and collating said data
• Defining the measures to mitigate or remediate risk
• Managing the process for implementing mitigation and remediation measures

Risk Analytics attempts to build upon generic risk management themes by leveraging the power of intelligent systems to deliver a data driven and informed perspective of risk. These programs — typically driven by the analysis of a large magnitude of data points — aim to go beyond a reactionary approach to risk. They try to engender a better understanding of the current state of the organization with respect to risk and attempt to predict with some amount of confidence how things will look further down the line, if the risk environment stays the same or if certain factors change.

Risk analytics programs and systems typically involve (but are not limited to) the following:

• A big data (since we’re on the topic of ambiguous terms…) backend for processing large magnitudes of data quickly and efficiently
• Ability to correlate and analyze risk data from disparate sources
• Factoring in business context and organizational bias or mandates to augment raw risk information
• Identifying and representing key risk criteria
• Metrics to define, evaluate, and monitor critical risk conditions
• Historical representation of risk information
• Application of mathematical and analytical libraries
• Ability to define alerts and notifications based on current or imminent conditions
• Manual and automated asset classification
• Data mining capabilities for analyzing existing risk data and providing recommendations
• Clustering capabilities to discovering hidden relationships between relevant risk assets

If any of the themes listed above seem familiar to you, and you are involved in initiatives within your organization targeted towards these, then (consciously or not) you are using risk models to achieve these goals. Whether your model is designed and maintained through manual processes using spreadsheets, specialized ETL, custom applications etc. or through sophisticated data modeling tools, the success or failure of your risk management or analytics program is heavily predicated on the accuracy, efficiency and performance of your model. If you are managing your program manually, without the help of a dedicated risk-modeling tool and would prefer to continue to do so, it might still be beneficial to think about the design of the program as an exercise in risk modeling.

Good risk models have certain key characteristics and functions including (but not limited to) the following:

• Identify and accurately represent all relevant types of risk— depending on the industry you work in and nature of the risks you are interested in evaluating, it is very likely that there are products or services that monitor and report relevant data. Some examples include geopolitical ratings for foreign investment risk, credit ratings for vendor or supplier risk, software vulnerabilities for technology risk etc. Whatever the source of risk data, good risk models should represent and interpret this information accurately.
• Identify and accurately represent all relevant risk entities — risk ecosystems are complex, fickle and infinitely diverse. It is highly unlikely that for any two distinct organizations, no matter how similar their risk management or analytics goals, the same risk model accurately captures all relevant risk criteria and mandates. By all means, see further by standing on the shoulders of giants (where they are offered), and learn from your peers, but it is imperative that you understand your organization’s risk ecosystem thoroughly and ensure that your risk model represents what is important to you as an organization. Within an organization itself, risk mandates and priorities change as you learn from your mistakes and react to the risk challenges the world poses, so it is crucial that your risk model is adaptive and capable of evolving.
• Represent relationships and risk flows — risk originates from different sources within the organization and propagates until it impacts critical business entities and functions. Good risk models define chains of risk inheritance and flow, which can allow you to preemptively understand the effect of specific events on the risk ecosystem and their impact to business.
• Play favorites — identify critical assets and functions so you can focus on the most critical risk information at any given time. Not all applications that support the daily operations of an organization have the same importance. Every partner and supplier serves a distinct (and rarely equally important) function.
• Make data collection painless — the accuracy of your risk model is directly affected by the efficiency and performance of your data collection processes. Spend time, effort and money to make data collection as painless as possible. Put measures in place to monitor the health of data collection processes and to catch and highlight errors and exceptions.
• Make provisions for manual data collection — while automated risk data collection represents the ideal situation, there will be scenarios where the required information resides with individuals and cannot be collected through automated means. Develop and implement structured processes to collect this information and complete the risk picture.

Whatever your final risk management or analytics goals, you can realize the significant benefits of a more formal and structured process while identifying and reducing inefficiencies and gaps by using an actual risk model to represent your organization’s ecosystem or by thinking about the design of your program in data modeling terms.