How Risk Assessment Frameworks Can Be Used to Prioritize and Manage Systemic Risks

Michael Leibrock
November 08, 2024
By Michael Leibrock, Managing Director, Credit Risk Management

I’ve held a number of enterprise risk management positions at financial institutions during my 30-plus-year career, primarily in the areas of counterparty credit and systemic risk management. All roles required the risk teams under my responsibility to identify, assess, and mitigate credit and other forms of risks to my organizations, as well as to the broader financial system.

One of the most important topics I’ve faced throughout my career is the real-world relevance of the risk assessment framework covered in the Traditional ERM Practices course I’m teaching this semester in the Enterprise Risk Management program at Columbia’s School of Professional Studies (SPS).

Risk assessment is the process of identifying, assessing, prioritizing, and responding to issues that can impact an entity’s ability to meet its business objectives. Its purpose is to assess how big the risks are, individually and collectively, in order to focus management’s attention on the most important threats and opportunities and to lay the groundwork for risk-mitigating actions.

There are three basic steps to any risk assessment:

  • The first step in the assessment process is to estimate the impact, which refers to the extent to which a risk event might affect the entity, and the likelihood, which represents the probability that a risk event will occur.
  • The second step is usually accomplished in two stages, where an initial screening of risks is performed using qualitative and quantitative techniques, depending on the specific type of risk being analyzed.
  • The final step in the “assess” part of risk assessment recognizes that risks do not exist in isolation; risks can interact to cause greater damage or create significant opportunities. Many firms refer to this as interconnectedness risk.

I’ve applied this framework extensively to the management of systemic risks during my career. For example, given the wide array of risks present in today’s global financial ecosystem (e.g., geopolitical risks, cyber risk, interest-rate risk, etc.), this risk assessment framework allowed me to focus my company’s resources primarily on those risks deemed to have a combination of the greatest potential likelihood of occurring and the greatest potential impact.

Depending on the nature of the specific risks under review, a qualitative or quantitative assessment is made. Should the risk in question lend itself to quantitative measurement, this would allow for further prioritization among the other risks being reviewed. Firms can then utilize “heat maps” to visually illustrate these risks, which gives senior management and board risk committees a very clear and user-friendly picture of which risks require their closest attention.

At this point, a firm can choose to take additional risk mitigation measures such as reducing a counterparty’s credit limit, requiring an increased amount of collateral, or establishing a firewall to prevent cyber-attacks, just to name a few.

Alternatively, a firm may choose to accept the residual risk, meaning that the risk cannot be further mitigated, but also cannot be avoided due to the nature of the firm’s business model or operating environment. One such example might be a significant concentration risk in a single cloud service provider such as Amazon Web Services to host a firm’s data and transactions, which may be difficult to avoid due to the limited number of firms that provide such a unique service.

The real-world benefits of using traditional enterprise risk management techniques such as the risk assessment framework are apparent once recognized and understood. They can be used to better manage all forms of risks facing firms that operate in today’s complex global marketplace.

This article was originally published on the Columbia School of Professional Studies website on Oct. 22, 2024.