Case Study in Enterprise Architecture: Government of Canada
Refer to the attached documents in the uploads for the references and guidelines.
Assignment Guidelines
When we think of an enterprise we typically think of a traditional business with a specific product or service. However, the term is broader than that, and we can apply EA principles to things as big and abstract as an entire nation. The Government of Canada performed just such an audit on their own IT infrastructure. Through this audit, you will follow along and learn about the process, the steps taken, and how an analysis is performed. First, review the study at
Audit of IT Enterprise Architecture (AU1802).
Consider and address the following:
· What was the purpose of this audit?
· What types of methodologies did the reviewers use in their audit?
· What strengths and weaknesses did they identify?
· What risks were mentioned?
· What factors affect these risks?
· How should these risks be managed?
· What forms of EA governance does Canada employ?
· How should they proceed? What recommendations would you suggest beyond the ones provided?
Your study should be a minimum of two to three pages, double-spaced (750 words), and include at least three external citations beyond the course textbooks. Your study should address all of the points outlined above.
Parameters
· The assignment should be double-spaced, 12-point Times New Roman font, with one-inch margins
· Use APA for citing references and quotations
Enterprise Risk Management
Modern Approaches to Balancing Risk and Reward
Stefan Hunziker
Rotkreuz, Switzerland
ISBN 978-3-658-25356-1 ISBN 978-3-658-25357-8 (eBook)
https://doi.org/10.1007/978-3-658-25357-8
Library of Congress Control Number: 2019936302
Springer Gabler
© Springer Fachmedien Wiesbaden GmbH, part of Springer Nature 2019
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
This Springer Gabler imprint is published by the registered company Springer Fachmedien Wiesbaden GmbH, part of Springer Nature
The registered company address is: Abraham-Lincoln-Str. 46, 65189 Wiesbaden, Germany
Preface
Now more than ever, students, junior staff, instructors, managers and decision-makers have to understand the value-creating aspect of modern Enterprise Risk Management (ERM).
Welcome to the world of enterprise risk management (ERM), one of the most popular and misunderstood of today’s important business topics. It is not very complex. It is not very expensive. It does add value. We just have to get it right. Until recently, we have been getting it wrong (Hampton 2009, p. vii).
This is a quote from Professor Hampton, director at St. Peter’s College and former director of the Risk and Insurance Management Society (RIMS). His statement is representative of what still applies to many companies today: ERM is considered an expensive and unprofitable “business inhibitor”. Traditionally, it only embraces a few areas of the company (in many cases the finance department). Usually, there is no equal company-wide management of all risk categories in a consistent framework, and risk management is often an independent stand-alone process which is not linked to decision-making processes and business planning. In this way, traditional risk management is unable to generate any benefits and unnecessarily ties up resources in the company. A positive risk culture, which considers information provided by risk management as being supportive to management, is often wishful thinking. Modern risk management aims to be a strategic management tool that creates value for the company. In order for the risk manager to be welcomed at the strategy table, a rethinking from traditional risk management to modern ERM is required.
Didactic Philosophy and Learning Objectives
Amongst others, ERM is a powerful tool that enhances a manager’s and board’s ability to make better decisions under uncertainty. Learning ERM definitions, theories and techniques by heart is much less important for students than being able to apply relevant ERM concepts to practical situations. For this reason, Enterprise Risk Management—Modern Approaches to Balancing Risk and Reward embraces theory, concepts and practical examples so that students get a sound understanding of how ERM can be implemented in practice. I encourage students to make use of the offered learning materials at the very end of each chapter.
The content of Enterprise Risk Management—Modern Approaches to Balancing Risk and Reward is applicable to all business sectors, including non-profit, service, selling, manufacturing, retail and administrative situations. The focus of the textbook is clearly on improving decision-making under uncertain situations, not on operational risk management or internal control at very low organisational levels.
My goal is to encourage students to apply modern approaches to good ERM and to link ERM to decision-making processes. Students begin their understanding with why ERM matters in today’s complex business environment and progress to more complex questions of how to assess risks and opportunities by means of consistent and effective assessment techniques and how to create a risk culture that enables effective ERM. To support the student’s learning success, my approach is to introduce concepts accessibly and to complement them with practical examples from diverse companies.
The textbook has been primarily developed for training and continuing education at university level in German-speaking countries. However, it is also of high practical relevance. Based on concrete cases of medium-sized and large companies, the ERM concepts presented in Enterprise Risk Management—Modern Approaches to Balancing Risk and Reward are transferred into practice. It serves students and practitioners alike as a source of ideas on how ERM can generate value for all stakeholders. The novelty of this textbook is reflected primarily in the fact that theoretical and psychological findings relevant to decision-making situations are explicitly incorporated.
Acknowledgements
I have received many valuable comments and suggestions for this textbook during the last few years from ERM professionals, consultants, managers and professors. I cordially thank each of these contributors. In addition, I wish to thank the following people and institutions:
• Mr Marcel Fallegger, CMA, CSCA, Lucerne School of Business. Besides his subject matter expertise, he supported me in all administrative matters.
• Lucerne School of Business for its financial support.
• Springer Gabler. All colleagues from the editorial, production and marketing departments for their great support in making this textbook possible.
• My relatives, for their patience and understanding of the many “write-related absences”.
Finally, students in my graduate and undergraduate classes on Enterprise Risk Management have inspired me to write this textbook and contributed many thoughtful ideas.
Stefan Hunziker
Contents
1 Introducing ERM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1 Why ERM Matters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Definition of ERM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.3 Risk Definition in the ERM Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.4 ERM Frameworks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.5 Challenges to ERM Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2 Countering Biases in Risk Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.1 Motivational Biases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.1.1 Affect Heuristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.1.2 Attribute Substitution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.1.3 Confirmation Bias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.1.4 Desirability of Options and Choice . . . . . . . . . . . . . . . . . . . . . . . . 22
2.1.5 Optimism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.1.6 Transparency Bias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.2 Cognitive Biases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.2.1 Anchoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.2.2 Availability Bias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.2.3 Dissonance Bias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.2.4 Zero Risk Bias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.2.5 Conjunction Fallacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2.2.6 Conservatism Bias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
2.2.7 Endowment and Status Quo Bias . . . . . . . . . . . . . . . . . . . . . . . . . . 31
2.2.8 Framing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
2.2.9 Gambler’s Fallacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.2.10 Hindsight Bias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
2.2.11 Overconfidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
2.2.12 Perceived Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
2.3 Group-Specific Biases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
2.3.1 Authority Bias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
2.3.2 Conformity Bias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
2.3.3 Groupthink . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
2.3.4 Hidden Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
2.3.5 Social Loafing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
3 Creating Value Through ERM Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
3.1 Balance Rationality with Intuition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
3.2 Embrace Uncertainty Governance as Part of ERM . . . . . . . . . . . . . . . . . . . 52
3.3 Collect Risk Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
3.3.1 Identify Sources, Events and Impacts of All Risks . . . . . . . . . . . . 55
3.3.2 Develop an Effective and Structured Risk Identification Approach . . . . . . . . . . . . . . . . 56
3.3.3 Identify Risks Enterprise-Wide . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
3.3.4 Treat Business and Decision Problems not as True Risks . . . . . . . 59
3.3.5 Don’t Let Reputation Risk Fool You . . . . . . . . . . . . . . . . . . . . . . . 61
3.3.6 Focus on Management Assumptions . . . . . . . . . . . . . . . . . . . . . . . 64
3.3.7 Conduct One-on-One Interviews with Key Stakeholders . . . . . . . 76
3.3.8 Complement with Traditional Risk Identification . . . . . . . . . . . . . 83
3.4 Assess Key Risk Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
3.4.1 Identify Key Risk Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
3.4.2 Quantify Key Risk Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
3.4.3 Support Decision-Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
3.4.4 Differentiate between Decisions and Outcomes . . . . . . . . . . . . . . 115
3.4.5 Overcome the Regulatory Risk Management Approach . . . . . . . . 115
3.4.6 Overcome the Separation of Risk Analysis and Decision-Making . . . . . . . . . . . . . . . . . . 116
3.4.7 Assess Impact on Relevant Objectives . . . . . . . . . . . . . . . . . . . . . . 118
3.4.8 Avoid Pseudo-Risk Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . 120
3.4.9 Develop Useful Risk Appetite Statements . . . . . . . . . . . . . . . . . . . 121
3.4.10 Make Uncertainties Transparent and Comprehensible . . . . . . . . . 128
3.4.11 Exploit the Full Decision-Making Potential of ERM . . . . . . . . . . 133
3.4.12 Align ERM with Business Planning . . . . . . . . . . . . . . . . . . . . . . . 136
3.4.13 Replace Standard Risk Reporting . . . . . . . . . . . . . . . . . . . . . . . . . 141
3.4.14 Disclose Risks Appropriately . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
3.5 Assess and Improve ERM Quality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
3.5.1 Test ERM Effectiveness Appropriately . . . . . . . . . . . . . . . . . . . . . 149
3.5.2 Increase ERM Maturity Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
4 Setting up Enterprise Risk Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
4.1 Comply with Laws and Check Relevant Governance Codes . . . . . . . . . . . . 165
4.2 Consider ERM-Frameworks Thoughtfully . . . . . . . . . . . . . . . . . . . . . . . . . 168
4.2.1 Motivation for Risk Management Standards . . . . . . . . . . . . . . . . . 168
4.2.2 ISO 31000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
4.2.3 COSO ERM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
4.2.4 Similarities and Differences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
4.2.5 Limitations of ERM Frameworks . . . . . . . . . . . . . . . . . . . . . . . . . 174
4.3 Develop a Sound Risk Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
4.3.1 Risk Policy and Corporate Strategy . . . . . . . . . . . . . . . . . . . . . . . . 177
4.3.2 Risk Policy as the Basis for Dealing with Risks . . . . . . . . . . . . . . 178
4.3.3 Limitations of Risk Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
4.4 Enhance Risk Culture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
4.4.1 Relate Risk Culture to Corporate Culture . . . . . . . . . . . . . . . . . . . 184
4.4.2 Understand How Risk Culture Evolves . . . . . . . . . . . . . . . . . . . . . 188
4.4.3 Increase Risk Culture Maturity Level . . . . . . . . . . . . . . . . . . . . . . 189
4.5 Organise ERM Properly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
4.5.1 Does a Best-Practice ERM Organisation Exist? . . . . . . . . . . . . . . 197
4.5.2 ERM Organisation Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
4.5.3 Some Thoughts on Roles and Responsibilities . . . . . . . . . . . . . . . 201
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
5 Looking at Trends in ERM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
5.1 Emerging Digital Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
5.1.1 Impact of Disruptive Technologies . . . . . . . . . . . . . . . . . . . . . . . . 210
5.1.2 Digital Risk Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
5.2 Digitization of ERM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
5.3 Using Multiple Sources of Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
5.4 Increasing Demand for Analytic Skill Sets . . . . . . . . . . . . . . . . . . . . . . . . . 222
5.5 Increasingly Sophisticated Software Tools . . . . . . . . . . . . . . . . . . . . . . . . . 225
5.6 Networked Economy and Collective ERM . . . . . . . . . . . . . . . . . . . . . . . . . 227
5.7 Improving ERM Skills . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
1 Introducing ERM
© Springer Fachmedien Wiesbaden GmbH, part of Springer Nature 2019
S. Hunziker, Enterprise Risk Management, https://doi.org/10.1007/978-3-658-25357-8_1
Learning Objectives
When you have finished studying this chapter, you should be able to:
• Define the term ERM and its key attributes
• Contrast ERM with traditional risk management
• Explain which characteristics distinguish the term risk in the ERM approach
• Explain why ERM is important to support decision-making processes
• Describe the main challenges of ERM
1.1 Why ERM Matters
Many, if not all, corporate activities are linked to uncertainties of future developments that can result in either new threats or opportunities. The volatile nature of markets (e.g. for raw materials) and business environments (e.g. regulatory changes, behaviour of competitors) poses a great challenge to the existence and success of companies.
The growing complexity and dynamics of the context in which companies nowadays operate has caused a relentless increase in the level of risk in all areas of corporate management and business activities. As a result, the discipline and practice of risk management has gradually established itself in various sectors and industries, as well as across different company sizes (Verbano and Venturini 2013).
Risk management within corporations has gone through various stages starting in the post-World War II era. Whereas historically risk management activities were mostly uncoordinated, with a strong focus on the mitigation of financial risk by means of insurance and derivative instruments to protect the company against financial loss, a more holistic approach emerged in the 1990s. This advanced approach is intended to achieve a coordinated management of all significant risk sources a company might be exposed to (McShane et al. 2011; Mishkin and Eakins 2018). Simultaneously, the concept of Enterprise Risk Management (ERM) emerged in the early 1990s as a programme that manages the total risk exposure in one integrated and comprehensive tool (Hampton 2015, p. 18). Clearly, one of the main drivers of ERM adoption in the 1990s has been the release of the COSO Framework in 2004 (Committee of Sponsoring Organizations of the Treadway Commission) “Enterprise Risk Management—Integrated Framework” (COSO 2004). In the 2000s risk management became even more important, mainly due to negative events with high public awareness such as September 11th, corporate accounting fraud and the financial crisis.
Although ERM was a much-debated business topic in the 2000s, there has also been severe critique. In particular, with the evolution of the financial crisis in 2008 and 2009 that resulted in many corporate failures and bankruptcies, the effectiveness of ERM programmes within firms was heavily questioned. Critics brought forward the argument that the effectiveness of ERM had not yet been proven, and consequently, the promotion and implementation within companies slowed down shortly after the financial crisis (Hoyt and Liebenberg 2011, p. 796).
In the meantime, most of the criticism has fortunately faded. Specifically, over the last couple of years, the perspective on ERM has significantly changed. Many organisations have recently implemented policies and processes and started to intensively apply modern ERM practices. The main reason for that is that ERM has substantially evolved as a management tool and is no longer seen as a pure regulatory requirement to prevent negative events. In fact, academics and risk professionals appreciate ERM as a value adding function (Lam 2017, pp. 34–37). Various empirical studies (e.g. Smithson and Simkins 2005; Hoyt and Liebenberg 2011; Eckles et al. 2014) have been undertaken which confirm that companies with ERM systems in place have a significantly higher company value than non-ERM companies. Ultimately, from a very modern perspective, value creation is the sole reason for implementing an ERM programme. This is also the only correct answer to the “why Enterprise Risk Management”-question from an economic point of view: If ERM consumes more resources than the value it creates, companies should refrain from implementing it.
To be more concrete, the most important features of modern ERM which all contribute to value creation are briefly introduced. First and foremost, value creation is facilitated if ERM is directly linked to or built into the decision-making processes within the company, which in turn affect the prosperity of an organisation. ERM creates value by allowing firms to gain a more optimised risk-return trade-off in their decisions. A commonly misunderstood characteristic of ERM in this context is that the goal of risk management is to minimise total risk exposure. However, ERM is about determining the ideal level of risk to maximise value: Some risks might be deliberately taken in order to exploit opportunities and hence to create a higher return (Romeike 2018, p. 14). Thus, a key reason to deal with ERM is improved internal decision-making by considering and balancing the upside and downside potential of each decision and by providing a more rational basis for decisions.
A second key reason for implementing ERM is to gain a comprehensive view of all risks, opportunities and their respective interdependencies. This enables both the senior management’s and the board’s capability to oversee total risk exposure and its potential effect on certain business objectives. The availability of transparent and fully quantified risk exposures offers new opportunities for effective strategic decision-making and risk taking which is in line with the corresponding risk appetite statements (Farrell and Gallagher 2014, pp. 628–629). Moreover, the risk aggregation approach enables the management of residual risks rather than dealing with single independent risks. Companies adopting aggregation techniques may benefit from a risk diversification effect and can take advantage of natural risk hedges. Thus, only a few remaining risks need to be managed, which is a more efficient and effective way than dealing with each single risk independently (McShane et al. 2011).
In addition, ERM has recently been observed to be of great benefit to organisations because it has led to:
• Stabilised earnings, which improve shareholder value;
• Decreased cost of capital via improved ratings from credit rating agencies;
• Better exploitation of equity (risk) capital;
• Lessened dynamics in stock price, which also improves shareholder value;
• Boosted investors’ confidence (still a much-debated and controversial topic);
• Enhanced competitive advantage through the identification of significant risks which can be actively managed.
So far, we have seen that ERM can add value to the company. If you were asked why a firm should deal with ERM, your very first answer would definitely be value creation through improved decision-making. Before we can embark on our journey into the concrete process of ERM implementation, we have to define ERM properly and in particular the often misunderstood term “risk”.
1.2 Definition of ERM
In theory, a vast amount of ERM definitions is available, but essentially many of these descriptions comprise similar aspects. Hampton (2015) states that the ERM concept is a comprehensive and complex system that concerns major areas of a company and for that reason, many definitions of ERM exist (p. 19). In order not to lose oneself in the numerous definitions, it makes sense to have a closer look at the two most well-known risk management frameworks and their definitions, published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the International Organization for Standardization (ISO). Both frameworks have been recently updated, in 2017 (COSO) and 2018 (ISO), respectively. According to the COSO ERM Framework, ERM is defined as:
The culture, capabilities, and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving, and realizing value. (COSO 2017, p. 10)
As we can easily notice, COSO puts emphasis not only on the capabilities, techniques and tools, but also on the very important cultural aspects. Many risk professionals have argued in the last couple of years that cultural aspects are perhaps even more relevant for effective risk management than the existence and implementation of ERM techniques per se (Levy et al. 2010, p. 2; Vazquez 2014, p. 10). A second aspect of COSO’s ERM definition stands out—it shall be integrated with strategy-setting and its execution. Thus, COSO stipulates that ERM should be linked to business objectives in order to create value, which is fully in line with our main reasoning of “why ERM” (see Sect. 1.1). In contrast, ISO defines Risk Management as follows (even if ISO promotes a modern, integrated risk management approach, the term ERM is not mentioned at all in the guidelines):
…coordinated activities to direct and control an organization with regard to risk. (ISO 31000:2018, p. 1)
Although ISO’s definition does not explicitly comprise the link between risk management and value creation, it specifies the purpose of risk management in the principles section as the creation and protection of value, quite similar to COSO’s approach (ISO 2018, p. 2). In addition, ISO clearly states that culture significantly impacts all aspects of risk management, which is again in line with COSO’s view on ERM. Overall, both definitions represent a sound basis for modern ERM as they both promote the link between ERM and value creation. As such, both definitions perfectly serve the purpose of the textbook at hand and we could stop discussing approaches. For the sake of not relying only on definitions created by risk management frameworks and norms, here are a few others which don’t fundamentally deviate from COSO and ISO.
The Risk Management Society (RIMS) for example defines ERM as
…a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio. (Hopkin 2017, p. 53)
This definition puts emphasis on the aspect of having a unified and integrated approach where separate management of individual risks is abandoned and risks are treated holistically throughout the whole organisation (Hopkin 2017, p. 98; Segal 2011, p. 3). Again, in line with the two former ones, the reference to the link to the company’s objectives is obvious. This is similarly confirmed by Segal (2011, p. 3) and by Hunziker (2018, p. 2) who describe modern ERM as a comprehensive approach to identify, evaluate, manage and disclose important risks in order to increase company value.
Based on the previous discussion, the following deliberately brief definition is best suited to this textbook:
ERM embraces enterprise-wide coordinated activities with which companies identify, assess, actively manage and report all key risks in order to create value for the firm.
At this point, we conclude that many ERM definitions have been created by consultants, risk professionals, agencies and legislative bodies. Modern definitions of ERM typically postulate a company-wide (i.e. in all areas and across all risk categories) identification, assessment and management of risks plus a clear link between ERM and the strategy, business objectives, decision-making processes and ultimately value creation.
1.3 Risk Definition in the ERM Approach
In practice, firms often expect that ERM as a comprehensive approach inevitably leads to the management of hundreds or even thousands of risks. Particularly in the US, after COSO ERM was released in 2004, there had initially been a great deal of scepticism that ERM might be nothing else but an extended task that ties up many resources. Since the COSO ERM framework is generally based on the COSO framework for Internal Control, firms felt confirmed in that view. However, ERM clearly does not aim to assess, manage and monitor all risks identified by a company. ERM has a different focus and deals only with so-called key risks.
Basically, a risk can evolve into a key risk over time, or it is considered a key risk at the time of its first assessment. We define a key risk as a risk that, in the case of the risk occurring, exceeds a significance threshold set by the company and thus can significantly affect one or several business objectives and subsequently can impact company value or any other financial benchmark. Let’s consider the following example:
Example
The Swiss company FarAway AG operating in the travel industry markets holiday
trips in Switzerland in business unit A and holiday trips to the euro zone in business
unit B, mainly Germany and Austria. The risk database includes the following two
risks, among others:
• petty cash theft
• entry of a new competitor
As a financial benchmark, FarAway AG defined an acceptable lower bound of 8% EBIT margin for the next business year (the expected EBIT margin is 10%).
After a first risk assessment, the worst-case scenarios for both risks are as follows:
• petty cash theft, worst case −0.01% on expected EBIT margin (= 9.99% after risk impact)
• loss of market share, worst case −4% on expected EBIT margin (= 6% after risk impact)
Based on that simple analysis, FarAway AG concluded that petty cash theft is currently not a key risk; it is therefore not included in the further ERM process but put on a watch list. In contrast, loss of market share is considered a key risk due to the severe threat it poses to the financial objectives of FarAway AG.
We conclude that ERM will never have to deal with several hundred or thousands of risks, as can certainly be the case when maintaining an Internal Control system in a large company. A practicable ERM approach thus requires meaningful criteria for which risks qualify as key risks and which are only stored in a database as a “watch list” but are not included in the ERM model. Practical experience shows that, regardless of the size and industry of a company, many traditional risk management approaches fail because of their complexity and their attempt to incorporate and manage all risks instead of focusing on key risks.
Another challenge in properly defining risk for the purpose of ERM is the fact that managers tend to think predominantly about the (financial) impacts of risks. These considerations are clearly important, but not sufficient. To develop effective risk strategies, we need to know the sources (causes) of each risk. The relevant question for defining risks effectively should be: How can we prevent a risk from occurring so that it does not have any financial impact? The answer is to create a plausible story, embedded in a cause-effect chain. The cause at the very beginning of that story is usually the starting point for discussing effective risk mitigation strategies. Let’s consider again our practical example:
Example
FarAway AG identified and assessed the key risk “loss of market share”. The worst
case is a loss of −4% EBIT margin. The Chief Financial Officer (CFO) of FarAway
AG claimed that this risk must be categorised as a financial risk due to its significant
impact on the financial performance. In a meeting with the risk manager, however,
he learned that every risk is to be categorised by its source rather than its impact to
develop preventive risk mitigation measures.
The Chief Risk Officer (CRO) together with the CFO created a simplified cause-effect chain for that specific key risk:
Because new trends and customer needs in the travel industry are not tracked in a timely manner, competitors may gain a competitive advantage over FarAway AG with new and innovative offers. This may lead to lower satisfaction among our existing customer base and to fewer new customers. In turn, this has a negative impact on our revenues and consequently leads to a loss of 4% EBIT margin in a worst-case scenario.
The CRO showed understanding and agreed to change that risk from the financial category to the strategic risk category. “Now we can think of preventive measures”, he suggested.
Thirdly, it is obvious that many risks have both an upside potential (opportunity) and a downside potential (risk), possibly to varying degrees. However, the term risk is traditionally interpreted negatively. Questions such as “What can go wrong?” and “What can we (financially) lose?” are the main focus in many risk management workshops. Assessing a potential impact and a corresponding probability of occurrence still prevails in practice (Hampton 2009, pp. 4–5). Fig. 1.1 illustrates the modern approach of defining risk as a possible positive and/or negative deviation from an expected outcome. This understanding of risk is crucial for a realistic assessment of the total risk exposure at company-wide level.
Looking at Fig. 1.1, it becomes apparent that different risks involve different upside and downside potentials. For example, the debtor default risk and the IT failure risk do not have a symmetrical risk/opportunity distribution but are strongly downside-oriented (unrewarded risks). On the other hand, the early recognition of changing customer needs or market entry with new products can become a strategic competitive advantage with disproportionate potential opportunities (rewarded risks with an expected positive outcome). To decide which risk strategy is adequate for each risk, an ERM model deals with various positive and negative scenarios, covering the best case and the worst case at both ends of the possible ranges. Let’s assume a company only takes into account the negative scenarios of all risks in its ERM model. This would add up to a severe overestimation of the overall risk exposure, since the positive scenarios (opportunities) and their diversification effects at entity level are not considered in the risk assessment.
The following example illustrates risk balancing between two business areas, and how
ERM can help create value for the company.
Example
The Swiss travel company FarAway AG identified the risk of an unexpected change in
the CHF/€ currency pair as another key risk. The news from the Swiss National Bank
(SNB) on January 15, 2015 that the minimum exchange rate of CHF 1.20 per euro
would be raised hit the company unexpectedly. The minimum price was introduced at
a time of strong overvaluation of the Swiss franc and great uncertainty on the finan-
cial markets. The aim of this temporary measure was to protect the Swiss economy
from financial loss. One reason for the SNB’s move was that the overvaluation had
been somewhat generally reduced since the introduction of the minimum price and
companies had been able to adjust to this new situation (SNB 2015).
The impact of the appreciation of the CHF against the euro was twofold: business
unit A lost around 20% of sales in 2015, as fewer holidays were booked in “expen-
sive” Switzerland. However, the company recorded a significant 10% increase in sales
in the important euro business. If both effects are offset against each other, this has a
net positive impact at company-wide level. Traditional risk management would have
significantly overestimated this risk, as only the negative impact from business unit A
would have been included in the overall risk assessment (Hunziker 2018, p. 12–13).
Fig. 1.1 Risk in the ERM approach (based on Hunziker 2018, p. 11). The figure plots the key risks of business unit A (suppliers, customer needs, debtors, market entry) and of business unit B (IT failure, currencies, fire, customer needs) against the opportunity potential and the risk potential of all key risks.
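The key-risk screening of the first FarAway AG example and the netting of upside and downside legs across business units from the currency example, as an added Python illustration that is not part of the textbook. The 10% expected margin, the 8% lower bound and the −0.01% and −4% worst cases are the book’s figures; the CHF 100 m revenue, its split between the two units and the size of each currency leg are assumptions made here.

```python
"""Key-risk screening and scenario netting for a small risk register.

Constructed illustration for the FarAway AG example: a risk qualifies as a
key risk when its worst-case scenario alone pushes the company-wide EBIT
margin below the lower bound the company has set, and scenario impacts are
netted across business units so that an upside leg in one unit offsets a
downside leg in another.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Impact:
    """One leg of a scenario: change of EBIT (in CHF million) in one unit."""
    business_unit: str
    delta_ebit: float  # negative = loss, positive = gain


@dataclass
class Risk:
    name: str
    source_category: str  # categorised by its cause, not by its impact
    cause: str
    worst_case: list[Impact] = field(default_factory=list)
    best_case: list[Impact] = field(default_factory=list)


# Planning figures: the 10 % expected margin and the 8 % lower bound are the
# textbook's; the CHF 100 m revenue and its split between the units are assumed.
REVENUE_MCHF = {"A": 60.0, "B": 40.0}
EXPECTED_MARGIN = 0.10
LOWER_BOUND = 0.08


def total_revenue() -> float:
    return sum(REVENUE_MCHF.values())


def expected_ebit() -> float:
    return EXPECTED_MARGIN * total_revenue()


def net_delta(legs: list[Impact], downside_only: bool = False) -> float:
    """Company-level sum of the scenario legs.

    downside_only=True reproduces the traditional view that counts only the
    losing units; False is the ERM view that nets gains against losses.
    """
    return sum(leg.delta_ebit for leg in legs
               if not downside_only or leg.delta_ebit < 0)


def margin_after(legs: list[Impact], downside_only: bool = False) -> float:
    """Company-wide EBIT margin once the scenario has materialised."""
    return (expected_ebit() + net_delta(legs, downside_only)) / total_revenue()


def is_key_risk(risk: Risk, downside_only: bool = False) -> bool:
    """Key risk: the worst case alone breaches the lower bound on EBIT margin."""
    return margin_after(risk.worst_case, downside_only) < LOWER_BOUND


def screen(risks: list[Risk], downside_only: bool = False) -> dict[str, list[str]]:
    """Split the register into the ERM scope (key risks) and the watch list."""
    result: dict[str, list[str]] = {"key_risks": [], "watch_list": []}
    for risk in risks:
        bucket = "key_risks" if is_key_risk(risk, downside_only) else "watch_list"
        result[bucket].append(risk.name)
    return result


REGISTER = [
    # -0.01 MCHF on 100 MCHF revenue = -0.01 percentage points of margin
    Risk("petty cash theft", "operational", "weak cash-handling controls",
         worst_case=[Impact("A", -0.01)]),
    # -4 MCHF in total = -4 percentage points, as in the textbook
    Risk("loss of market share", "strategic",
         "new trends and customer needs are not tracked in time",
         worst_case=[Impact("A", -2.0), Impact("B", -2.0)]),
    # CHF appreciation hurts Swiss trips (unit A) but lifts euro-zone trips
    # (unit B); the leg sizes are assumed, not taken from the book.
    Risk("CHF/EUR exchange rate", "financial",
         "unexpected SNB policy change on the CHF 1.20 minimum rate",
         worst_case=[Impact("A", -3.0), Impact("B", 2.0)],   # appreciation
         best_case=[Impact("A", 2.0), Impact("B", -1.0)]),   # depreciation
]

if __name__ == "__main__":
    for downside_only in (True, False):
        view = "traditional (downside only)" if downside_only else "ERM (netted)"
        print(view, screen(REGISTER, downside_only))
        for risk in REGISTER:
            print(f"  {risk.name:22s} margin after worst case: "
                  f"{margin_after(risk.worst_case, downside_only):.2%}")
```

Under the downside-only view the currency risk breaches the 8% bound and lands among the key risks; once the gain in unit B is netted against the loss in unit A it stays on the watch list.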
We conclude that the term “risk” in the modern ERM approach must be understood as an
enabler to seize opportunities, as it directly and measurably compares the opportunities
and the downside risk associated with a business goal or a strategic option. In addition,
dependencies between risks must be identified and communication about risks must be
promoted. If risk is defined in this way (deviation from expected), ERM leads to better
decisions, as they can be evaluated more rationally and realistically.
1.4 ERM Frameworks
There are many options for the practical implementation of ERM. While companies
have recently increased their ERM activities and developed approaches by themselves,
consulting and auditing firms as well as standards bodies have published many ERM
guidelines, and specialised expert teams and rating agencies included ERM as a specific
assessment criterion into their rating systems (Hoyt and Liebenberg 2011, p. 795). As
COSO ERM (2017) and ISO 31000:2018 are by far the best-known and most widely
used aids to implement ERM, we will focus on these two frameworks. Basically, we
have to answer the following two questions:
• Which of these two frameworks is better suited for a modern ERM implementation?
• What is the relationship between this textbook and the COSO ERM/ISO 31000
frameworks?
The answer to the first question is not quite straightforward and needs some elaboration. The following brief assessment of the two frameworks relates only to the recently updated versions of COSO ERM 2017 and ISO 31000:2018. Generally speaking, the two frameworks lag behind the extant literature and research on proper risk management. Surprisingly, to date no empirical studies are available as to whether the two standards actually work in practice, i.e. create value for companies. Although ISO 31000 and COSO ERM have existed for many years, no publications with concrete case studies of companies that have successfully implemented COSO ERM or ISO 31000 as a whole can be found.
Although both frameworks postulate a strong link between ERM and business objectives, they approach the “story of risk management” differently: ISO 31000 is much shorter, contains only 16 pages and starts with core risk management definitions. ISO recommends, in note form, that an organisation examine and understand its external and internal context, such as mission, vision, strategy and the complexity of networks and dependencies (ISO 2018, p. 6). In contrast, COSO ERM is written in much more detail and contains about 110 pages without appendices. It aims to gain a sound understanding of corporate strategies as a starting point for ERM implementation, followed by a risk analysis that allows risks to be aligned with the corresponding strategies. Moreover, in 2018 COSO released a supplement to its framework. The compendium includes many practical examples for implementing the 20 principles of the COSO ERM framework. Again, this supplement puts emphasis on the link between ERM, strategy setting and value creation.
COSO ERM has been criticised by many practitioners as too extensive, only top-down oriented, too lengthy and too “prescriptive”. To understand this, we need to know who developed COSO ERM: essentially, the main contributors to the framework are large US accounting and auditing associations that share a common interest in a highly compliance-oriented ERM that emphasises the importance of internal control and internal auditing. In contrast, ISO 31000 is much more generic in nature. As a result, it can be used to support both a top-down and a bottom-up approach to ERM.
To finally answer the first question: neither COSO ERM nor ISO 31000 fully covers all modern ERM topics in a way companies can easily implement. However, both frameworks basically support a modern, value-creating view of ERM (see also Sect. 1.2). In principle, they can be used together, as they complement each other in many areas and are considered mature, holistic and largely consistent. However, it should be noted that such frameworks generally have to reflect the consensus of many different opinions and hence can by definition only be valid for the “average company”. Significant innovations do not find their way into ERM frameworks because they are usually not capable of winning a majority. Thus, every risk professional should be aware of both frameworks. They are helpful guidelines and can, to a certain extent, support a sound ERM implementation.
To answer the second question: neither COSO ERM nor ISO 31000 reflects all relevant topics in this textbook. Or, to put it differently: both frameworks cannot fully replace the textbook at hand. Where appropriate, the two frameworks are referenced and examples are discussed. At this point, we note that both frameworks basically do support the paradigm of modern, value-creating risk management. To give the reader an impression of how this book differs from the recommendations of the frameworks, a few examples are discussed below (Hunziker 2018, pp. 6–7):
• Although both frameworks emphasise the importance of the connection to strategic management, it remains unclear how the economic benefit (i.e. the value contribution) can be justified or measured in practice. Given that many companies (still) do not sufficiently recognise the benefits of ERM, this is crucial.
• ISO 31000 and COSO ERM do not manage to establish a practical link between risk appetite and decision-making processes. Risk appetite consists of concrete statements of what types of risks (or the amount of uncertainty) a company consciously accepts, in terms of potential impact and probability of occurrence, in order to achieve its business objectives. Both ISO and COSO struggle to explain how a company can discuss and set its “risk appetite” properly. First, the statements on risk appetite made by COSO are rather confusing and unrealistic. COSO ERM suggests that companies can formulate very simple, qualitative risk appetite statements, such as “we do not accept serious risks that could endanger our strategy”. Such statements are useless for decision-makers, as they cannot be broken down into concrete recommendations for action at lower organisational levels. If risk appetite is not reflected in the decisions which impact business objectives on a daily basis, risk appetite statements are not actionable.
• ISO 31000:2018 does not use the term risk appetite at all. Instead, the phrase “risk criteria” is used: “The organization should specify the amount and type of risk that it may or may not take, relative to objectives. It should also define criteria to evaluate the significance of risk and to support decision-making processes” (ISO 2018, p. 10). As the term risk appetite is well known to most organisations and annual reports frequently contain risk appetite statements, guidance on how to set risk appetite concretely would be helpful (IRM 2018, p. 11).
• Risk identification should also include a scanning process of the external environ-
ment, but COSO ERM is strongly internally focused. Many risks are neglected if
no external screening (competitors, trends, legal developments, international market
developments, etc.) is carried out. Moreover, COSO ERM ignores so-called “black
swan” events, i.e. risks with a very low probability of occurrence and a high potential
for negative impact.
• COSO uses the term “risk event” throughout the framework. By definition, a risk event can suddenly become acute. However, there are many risks that manifest themselves slowly, sometimes over months or even years (e.g. changes in customer needs). These so-called emerging risks cannot be reflected in “risk events”. In addition, the downside risk (what can go wrong?) dominates COSO’s view of risk. This can lead to a significant overestimation of the overall business risk if opportunities are excluded from the risk assessment.
• Practitioners may find ISO 31000 too generic, in the sense that the effort needed to define and develop their own ERM framework is too time-consuming, too costly and too little supported by the framework.
To sum up, we appreciate both frameworks as valuable sources for modern ERM imple-
mentation. As both frameworks partially lack the incorporation of well-accepted empiri-
cal evidence on methods, approaches and techniques in risk management, the textbook at
hand aims to contribute to closing these gaps as far as possible.
1.5 Challenges to ERM Implementation
Although we now know the main benefits of modern ERM, the potential is not yet being
fully exploited in practice. Risk management is still perceived mainly as a regulatory
requirement without significant added value. There are various reasons for this (see also
Segal 2011, pp. 28–31).
First, so-called risk silos that have grown historically in the company must be eliminated. Traditionally, risks have been managed by assigning risk responsibilities to specific business unit leaders. For example, the CFO manages the organisation’s financial risks (interest rates, liquidity, currencies). The Chief Operating Officer (COO) deals with risks in his or her area of responsibility, i.e. production and distribution. The Chief Information Officer (CIO) is responsible for cyber risks and IT failure risks, and so on. Each of these functional leaders is charged with managing risks related to their key areas of responsibility. Each “silo leader” is responsible for identifying, assessing and managing risks within their silo (Beasley 2016, p. 1). ERM language and techniques have grown consistently within these silos, but not across the various silos. This often impedes the assessment of enterprise-wide risk exposures due to inconsistencies among the diverse assessment techniques applied in the risk silos.
The “E” in the term ERM requires an enterprise-wide risk assessment. However, in practice, some business areas or support functions may not be considered relevant enough from an overall perspective because they appear financially unimportant. As is very common in the audit profession, companies might apply a similar concept of materiality in planning and performing ERM activities. Very often, the scope of ERM projects is defined according to certain significance thresholds. For example, a company could assess the relative contribution (economic relevance) of each business area to the overall firm performance. For reasons of resource constraints, ERM processes are then often not implemented in the areas defined as economically less important. However, this can severely undermine the effectiveness of ERM. A risk can originate, for example, in rather unobtrusive, stable and smaller business areas and may impact the company as a whole later on.
Thirdly, many companies strongly focus on financial risk management and financial risks, which can be explained, among other things, by the recent financial crisis (a global phenomenon) and currency crisis (e.g. in Switzerland due to the strong Swiss franc). From an ERM perspective, the question arises as to whether financial risks must indeed be of highest priority for all companies. The management of financial risks is undoubtedly important, but for most non-financial companies it often accounts for only an insignificant share of overall risk exposure. Various studies have shown that strategic risks have by far the greatest impact potential on company value, followed by operational risks (e.g. Smit and Trigeorgis 2004). Thus, for non-financial companies, the most significant risk sources can usually be identified in the development and implementation of the corporate strategy. In most cases, the risks and opportunities of technological change, the digitization of business models, changing customer needs, growing competition or wrong decisions in strategic project prioritization are far more important than pure financial risks springing from interest rates or currencies.
Fourthly, many practitioners and consultants obstinately believe that strategic and operational risks cannot be quantified. However, only an appropriate quantification of all risk categories allows a meaningful prioritization, assessment and management of risks and opportunities. Since the well-known techniques of financial risk management cannot be easily transferred to other risk categories, quantification of other risks does not happen. In addition, other arguments are brought forward against risk quantification, e.g. missing historical data, complexity of risks, non-applicability of stochastic models and spurious accuracy. Other approaches, such as scenario analyses or Failure Mode and Effects Analysis (FMEA), which draw on human intuition and subject matter expertise, are not used or used too little.
Finally, the training and professional experience of many risk managers is another
challenge to ERM. As a rule, the background and experience of the risk manager (or the
person in charge of risk management) significantly influences the specific approach of
ERM implementation. For example, risk managers with predominant experience in the
financial industry, equipped with training in mathematics, statistics and quantitative risk
modelling, are more focused on financial risks than on strategic risks.
With these challenges in mind, we proceed with the next chapter outlining the very
relevant topic on how to counter motivational, cognitive and group-specific biases in risk
analysis. Although a great deal of empirical evidence already exists on these biases, it is
still predominantly neglected in the practical application of ERM.
Key Aspects to Remember
Define the term ERM and its key attributes
ERM is an enterprise-wide coordinated process with which companies identify,
assess and actively manage all key risks in order to create value for all stakehold-
ers. An up-to-date ERM approach thus addresses risks in all business areas and
across all risk categories and considers the aggregated impact of those risks as an
interrelated risk portfolio on business objectives.
Contrast ERM with traditional risk management
Unlike ERM, many traditional risk management approaches fail because of their complexity, their silo approach and their attempt to manage hundreds of risks at the same time. Moreover, risk is traditionally interpreted only negatively, and therefore the diversification effects of upside risk potentials are neglected. Modern ERM assesses risks and opportunities at an enterprise-wide level by means of a consistent “ERM language” which is understood across the company. Moreover, ERM is directly linked to decision-making processes.
Explain which characteristics distinguish the term risk in the ERM approach
In the ERM approach, the primary causes of risk, which may be strategic, operational or financial, are relevant for the development of effective risk mitigation strategies. It is crucial not to confuse cause with impact. By definition, risks can have both an upside potential (better than expected) and a downside potential (worse than expected). Risk assessments thus deal with scenario development, covering the sources and impacts (plausible story) of specific risks, and result in realistic “quantified uncertainty ranges” between the worst- and best-case scenario of each risk.
Explain why ERM is important to support decision-making processes
An integrated ERM approach enables decision-makers to include risk/return-con-
siderations in their judgements. Measured in terms of aggregated risk exposure and
contrasted with risk appetite, it becomes clear whether a company takes too few
risks and thus misses promising strategic opportunities (and vice versa). If compa-
nies understand how to manage their risk exposures, lower borrowing costs from
better ratings, higher firm value through better decisions, and greater capital effi-
ciency can result.
Describe the main challenges for ERM implementation
Although ERM emerged as an important business topic in practice, major chal-
lenges still pose a threat to successful ERM implementation. First, a stronger focus
on strategic risks is required. Many important risk sources spring from strategic
choices and strategy implementation. Second, all risks must be consistently quan-
tified to enable prioritization and evaluation. Thirdly, the background and expe-
rience of the risk manager in charge heavily determine the success of an ERM
programme. Finally, ERM has to cover all relevant business areas of the company,
even allegedly unimportant ones.
Critical Thinking Questions
1. Why is it important to differentiate between risk and uncertainty?
2. What role do cultural aspects play for the success and value creation of ERM?
3. What types of risks typically have an asymmetric risk distribution?
4. What is the main purpose of the 2017 updated COSO ERM Framework? To
what extent does the framework meet these intentions?
5. Why is it considered difficult to assess strategic and operational risks
quantitatively?
References
Beasley, M. S. (2016). What is Enterprise Risk Management? Poole College of Management,
Enterprise Risk Management Initiative, 1–6.
Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2017). Enterprise
Risk Management – Integrating with Strategy and Performance. Jersey City, NJ: AICPA.
Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2004). Enterprise
Risk Management – Integrated Framework. Jersey City, NJ: AICPA.
Eckles, D. L., Hoyt, R. E., & Miller, S. M. (2014). The impact of enterprise risk management on
the marginal cost of reducing risk: Evidence from the insurance industry. Journal of Banking &
Finance, 43 (C), 247–261.
Farrell, M., & Gallagher, R. (2014). The Value Implications of Enterprise Risk Management
Maturity. The Journal of Risk and Insurance 82 (3), 625–657.
Hampton, J. J. (2015). Fundamentals of Enterprise Risk Management. How top companies assess
risk, manage exposure, and seize opportunity (2nd Ed.). New York: American Management
Association.
Hampton, J. J. (2009). Fundamentals of Enterprise Risk Management. How top companies assess
risk, manage exposure, and seize opportunity. New York: American Management Association.
Hopkin, P. (2017). Fundamentals of Risk Management. Understanding, evaluating, and implementing effective risk management (4th Ed.). London: Kogan Page.
Hoyt, R. E., & Liebenberg, A. P. (2011). The value of enterprise risk management. The Journal of
Risk and Insurance, 78 (4), 795–822.
Hunziker, S. (2018). Erfolgskriterien von Enterprise Risk Management in der praktischen
Umsetzung. In S. Hunziker & J. O. Meissner (Eds.), Ganzheitliches Chancen- und
Risikomanagement. Interdisziplinäre und praxisnahe Konzepte (pp. 1–28). Wiesbaden: Springer
Gabler.
Institute of Risk Management (IRM) (2018). A Risk Practitioners Guide to ISO 31000: 2018.
London: IRM.
ISO (2018). ISO 31000:2018 – Risk management Guidelines. Geneva, Switzerland: ISO.
Lam, J. (2017). Implementing Enterprise Risk Management. From Methods to Applications. New
Jersey: John Wiley & Sons.
Levy, C., Lamarre, E., & Twining, J. (2010). Taking control of organizational risk culture.
McKinsey Working Papers on Risk.
McShane, M. K., Nair, A., & Rustambekov E. (2011). Does Enterprise Risk Management Increase
Firm Value? Journal of Accounting, Auditing and Finance, 26 (4), 641–658.
Mishkin, F. S., & Eakins, S. G. (2018). Financial Markets and Institutions (9th Ed.). Harlow, UK:
Pearson.
Romeike, F. (2018). Risikomanagement. Wiesbaden: Springer Gabler.
Segal, S. (2011). Corporate Value of Enterprise Risk Management: The Next Step in Business
Management. New Jersey: John Wiley & Sons, Inc.
Smit, H. T. J., & Trigeorgis, L. (2004). Strategic Investment – Real Options and Games. Princeton:
Princeton University Press.
Smithson, C., & Simkins, B. J. (2005). Does Risk Management Add Value? A Survey of the
Evidence. Journal of Applied Corporate Finance, 17 (3), 8–17.
Schweizerische Nationalbank (SNB) (2015). Medienmitteilung: Nationalbank hebt Mindestkurs
auf und senkt Zins auf -0,75%. Zürich.
Vazquez, R. (2014). Five steps to a risk-savvy culture. Risk Management, 61 (9), 10–11.
Verbano, C., & Venturini, K. (2013). Managing Risks in SMEs: A Literature Review and Research
Agenda. Journal of Technology Management & Innovation, 8 (3), 186–197.
© Springer Fachmedien Wiesbaden GmbH, part of Springer Nature 2019
S. Hunziker, Enterprise Risk Management,
https://doi.org/10.1007/978-3-658-25357-8_2
2 Countering Biases in Risk Analysis
Contents
2.1 Motivational Biases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.1.1 Affect Heuristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.1.2 Attribute Substitution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.1.3 Confirmation Bias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.1.4 Desirability of Options and Choice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.1.5 Optimism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.1.6 Transparency Bias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.2 Cognitive Biases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.2.1 Anchoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.2.2 Availability Bias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.2.3 Dissonance Bias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.2.4 Zero Risk Bias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.2.5 Conjunction Fallacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2.2.6 Conservatism Bias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
2.2.7 Endowment and Status Quo Bias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
2.2.8 Framing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
2.2.9 Gambler’s Fallacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.2.10 Hindsight Bias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
2.2.11 Overconfidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
2.2.12 Perceived Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
2.3 Group-Specific Biases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
2.3.1 Authority Bias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
2.3.2 Conformity Bias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
2.3.3 Groupthink . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
2.3.4 Hidden Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
2.3.5 Social Loafing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Learning Objectives
When you have finished studying this chapter, you should be able to:
• know the different biases in risk analysis
• understand the importance of biases in risk analysis
• recognise the need to counter biases throughout the risk process
• understand the limitations of debiasing strategies
• establish some real examples for your management and employees
There is always an easy solution to every human problem — neat, plausible, and wrong.
(Henry Louis Mencken)
Throughout the whole ERM process, it’s crucial to recognise that many risks do not manifest themselves through exogenous events, but rather through people’s behaviour and choices. Only by applying the intellectual capacity to question our current prospects for the future and our long-held assumptions can we obtain the means to manage the real risks to which companies are exposed (Wolf 2012). As already explained, the primary objective of ERM is to increase the quality of decisions by systematically analysing opportunities and risks. Such risk analyses should make decision-making situations in companies more transparent and help to present uncertainties more realistically. Paradoxically, however, the input factors for risk analyses are just as subject to biases as the decision situation itself. This means that risk analyses only contribute to the quality of a decision if the risk manager is aware of the most important motivational, cognitive and group-specific biases and can reduce them by taking appropriate countermeasures.
Identifying and quantifying risks are two of the most important ERM activities in which risk managers and related personnel engage. Behavioural decision research over the last 50 years has found that these two risk management process steps are prone to many motivational and cognitive biases. People usually overestimate some risks and their corresponding probabilities and underestimate others. Biases are an inherent challenge to all decisions and deeply rooted in human behaviour. Thus, the question in ERM activities is not whether biases exist, but rather how these distortions within the risk management decision-making process can be effectively managed.
In the following, a distinction is made between cognitive and motivational biases. The former refer to faulty mental processes that lead to behaviour deviating from socially well-accepted normative principles (however, it is strongly believed that this type of bias is important for evolutionary reasons). The latter include conscious or unconscious distortions of opinions due to different incentives such as social pressure, organisational environment and self-interest (Montibeller and von Winterfeldt 2015, p. 1230).
Unfortunately, the vast majority of the literature has dealt only with cognitive biases and has neglected motivational biases, which are harder to account for in an ERM programme. In many cases in the literature, motivational biases are mistakenly classified as cognitive biases. Some of the biases of both groups can be alleviated or amplified in group decision-making processes. To account for the importance of group-specific activities in ERM processes (e.g. risk management workshops), a separate chapter particularly covers group-specific biases.
After the explanation of each bias, specific measures are suggested which the risk manager can apply or propose to mitigate or eliminate the negative effects. These procedures and attempts to counter biases are known as “debiasing techniques”.
2.1 Motivational Biases
Let us first look at motivational biases. These biases are judgments that are influenced by the desirability or undesirability of events, consequences, outcomes or decisions in a company. This includes, for example, the deliberate attempt by experts to provide optimistic forecasts for a preferred action or outcome. Another example is underestimating the cost of a project to deliver bids that are more competitive. Selected motivational biases which are believed to severely impact risk analysis are presented below.
2.1.1 Affect Heuristics
Affect heuristics are a sort of mental shortcut in which people make decisions that are strongly influenced by their current emotions. Essentially, everyone’s personal affect (a psychological term for emotional reaction) plays a crucial role. Emotions influence all kinds of decisions, large and small. After all, it seems obvious that someone is more likely to take risks or try new things when he or she feels happy. Likewise, individuals are less likely to make difficult decisions when they are depressed. If someone relies on his “gut feeling” to make an important decision, this is typically an example of affect heuristics (Montibeller and von Winterfeldt 2015, p. 1235).
Affect-based assessments are more pronounced when people do not have the resources or time to think. Rather than looking at risks and rewards independently, people with a negative attitude, e.g. towards a company’s internationalisation strategy, may assess its benefits (opportunities) as low and its risks as high. This leads to a more negative risk-benefit correlation than would be observed under conditions without time pressure (Finucane et al. 2000).
One study, for example, found that tobacco, alcohol and food additives are all perceived as high-risk and low-reward topics. In contrast, X-rays, vaccines and antibiotics are considered low-risk and high-reward (Fischhoff et al. 1978). The important aspect of this result is that the items were always classified as both low-risk and high-reward (or vice versa), even though some of them are actually high-risk/high-reward or low-risk/low-reward. This result occurs because smoking, drunkenness and food additives trigger negative emotional reactions, while the other activities trigger positive emotions. Therefore, we do not really consider the true risks and opportunities; we automatically choose the more positive option (low risk and high reward) for concepts with positive associations and do the opposite for those with negative associations (The Decision Lab n. d.).
Various approaches can help to reduce the negative consequences of affect heuristics. Risk managers can check whether decision-makers focus too much on a single risk assessment proposal. They can bring critical decisions to a panel with alternative viewpoints to discuss risks and opportunities. In this way, it is possible to avoid underestimating the risks of an idea that somebody is very attached to. Companies can also use decision-making tools that allow various factors to be weighted and evaluated. Within the scope of risk identification, risks and potential risk scenarios should be formulated as neutrally as possible. In risk assessments, it may be necessary to have risk scenarios assessed by different people with different backgrounds, interests and incentives.
For example, this could be supported by an ERM committee. Such a committee usually consists of specialists and experts from different divisions and business units. This means that the assessment of losses or financial consequences resulting from a potential occurrence of a risk should be much better founded and more complete than an assessment by individual, possibly unrelated employees.
2.1.2 Attribute Substitution
Attribute substitution is an attempt to solve a complex problem by means of a heuristic attribute that is in fact a false substitute. Concretely, people involved in risk analysis may incorrectly substitute an easier problem for a difficult one without being aware of it. Attribute substitution is a generic model that is applicable in many different areas and can be easily remembered. Essentially, attribute substitution is the collapse of attention from a broader, complex question to one that is narrower but more easily answered (Smith and Bahill 2009, p. 2). Attribute substitution may take many forms. Examples include the substitution of an emotion such as fear. The problem with attribute substitution is that it often causes inaccurate (risk) assessments of emotional themes such as dread risks (terrorism, plane crashes, pandemics).
For example, when individuals are offered insurance against their own death in a terrorist attack while on a foreign trip, they are willing to pay more for it than they would for insurance that covers death of any kind on that trip, although the latter risk obviously includes the former. Kahneman concludes that the attribute of fear is being substituted for an assessment of the total risk exposure of being abroad. Fear of a terrorist attack is perceived as a more significant risk than fear of dying on a trip (Kahneman 2007).
Kahneman and Frederick (2002) propose three conditions for attribute substitution:
• Substitution is not expected to take place when answering factual questions that can be retrieved directly from memory or that concern current experiences.
• An associated attribute is easily accessible, either because it is automatically assessed in normal perception or because it has been primed.
• Substitution is not recognised and corrected by the reflective system. For example, consider the question: a bat and a ball cost CHF 1.10 together; the bat costs CHF 1 more than the ball; how much does the ball cost? Many respondents erroneously answer CHF 0.10. One explanation in terms of attribute substitution is that instead of working out the sum, respondents split the total of CHF 1.10 into a large and a small amount, which is easy to do. Whether they believe this is the correct answer depends on whether they check the calculation with their reflective system.
There is unfortunately no simple solution for attribute substitution in the ERM process. First of all, it is important to become aware of the fact that people tend to substitute simpler but related risk assessments in place of more complex risk assessments. Subsequently, examples of this bias can be presented to managers and decision-makers to demonstrate their own behaviour. Some suggestions made by Smith and Bahill (2009) in the context of ameliorating attribute substitution in systems engineering might be adapted to risk analysis (pp. 15–16): One way to counter the risk of mistakenly replacing a complex risk phenomenon with an easier but wrong one is to deliberately create risk analogies of greater complexity in addition to the current (easy) risk scenario. The idea behind this is that the development and discussion of risk analogies of greater complexity can be useful because they offer new perspectives on the same risk and reduce the risk of coming too quickly to an oversimplified, substituted solution.
A second (partial) remedy for attribute substitution is to draw on subject matter experts in risk analysis processes. A subject matter expert is characterised by long-lasting practical experience that positively impacts perceptual abilities and recognition skills and enables faster decision-making. In addition, experts have stronger self-monitoring capabilities, which allow them to recognise when they make, for example, false and too easy judgements on risks. As Smith and Bahill (2009) point out, “such noncollapsing situational awareness should serve to prevent erroneous attribute substitution” (p. 16).
2.1.3 Confirmation Bias
Confirmation bias is one of the most common cognitive biases for decision-makers. This type of bias tends to interpret information based on an earlier assumption rather than letting the data speak for itself (Wolf 2012). It shows the tendency to select and consider only (risk) information that confirms our existing beliefs and assessments. For example, suppose a manager believes that men will respond positively to a new service and sends surveys to men who have tested the service. Confirmation bias can lead him to interpret this survey in a way that confirms his preconceived notion. On an organisation-wide level, the data that underlie a decision process can be flawed. Without conscious, systematic probing, data selection is prone to confirmation bias (Baer et al. 2017).
The confirmation bias can occur in different stages of the ERM process. During the risk identification process, there is a risk that only factors that confirm an initial pre-selection will be taken into account. For example, a cyber risk exposure may be confirmed because of its high media presence, even though the company has no online presence at all and is already very well prepared for dealing with the Internet. The distortion can also occur during risk analysis and quantification. Once an assessment has been carried out, facts are sought that support it.
As a manager or risk manager, it is a rare luxury to have all the relevant data before making an informed decision. More often, we have to deal with incomplete information, which leaves us open to confirmation bias. To avoid this trap, it is recommended to take some time before making important decisions and ask ourselves what would have happened if we had made the opposite choice. One approach to effectively counter that bias is to collect specific data to defend an opposite view of specific risk scenarios and then compare it with the data that supported the first risk assessment. Next, risk managers can reassess the decision against the larger record. Still, the perspectives may be incomplete, but the risk assessment will be much more balanced (Redman 2017).
To further reduce the confirmation bias, risk managers should review the following countermeasures. It is highly recommended that different subject matter experts on the same topic are involved when making decisions on risks. For example, when it comes to probability assessments, it is worth having the same risk scenario assessed independently by different experts. It is also advisable to remove the time pressure from decisions and to deal intensively with important risk/reward decisions that have considerable consequences for business objectives. Finally, a corporate culture that allows for different views and opinions supports the critical engagement with risks.
2.1.4 Desirability of Options and Choice
Desirability bias refers to the tendency to give socially desirable answers instead of choosing answers that reflect true views. The distortion of responses due to this personality trait becomes an important issue when, for example, unwanted risks or risks that may jeopardise a project are being discussed. If a person knows that he or she is being monitored, it is more likely that he or she will primarily indicate the risks that are known or easy to manage. This obviously distorts the risk-relevant data (Grinnell and Unrau 2018, p. 488). Accordingly, the bias leads to over- or underestimating of probabilities, consequences, values, or weights in a direction that favours a desired alternative (Montibeller and von Winterfeldt 2015, p. 1235).
Precautions should be taken to mitigate the negative effects of the desirability of options. Basically, it helps (again) to involve different stakeholders in decision-making situations (Montibeller and von Winterfeldt 2015, p. 1235). With regard to ERM, for example, opinions of experts from other departments or business units can be consulted during risk assessments. The collected risk scenarios and associated risk data can also be validated by experts. It is advisable to implement incentives and responsibilities that fundamentally reduce this bias. Those people who are responsible for achieving business objectives are basically more focused on a comprehensive identification and analysis of the risks.
In addition, it is a crucial task to ask the right questions with this bias in mind. Thus, leading questions should be consistently avoided. It is also important to create a corporate culture in which risks can be discussed openly. This includes ensuring that the disclosure of risks has no negative impact on employees. This means that the level (impact) of the risks would play only a minimal or no role when it comes to remuneration. Rather, the far-sighted management of relevant risks intentionally accepted in order to pursue business objectives should be assessed. Presenting concrete examples of such biases at the beginning of decision-making processes can also increase awareness.
2.1.5 Optimism
This cognitive bias occurs when the desirability of a result leads to inflated expectations that it will occur. It is often referred to as “wishful thinking” or “optimism distortion”. The bias is particularly evident when people assess the impact or consequences of a risk scenario. It is the tendency to judge positive results too optimistically, or the tendency not to identify the potentially negative results or not to see them completely (Emmons et al. 2018, p. 58). Unwanted optimism can therefore lead to unnecessary risks being taken.
For example, we usually underestimate the risk of being involved in a car accident or falling ill. At the same time, we expect to live longer than is indicated by objective data. We also think that we are more successful in our job than we are (Sharot 2011, p. R941). The same distortion can also be seen in everyday business or in projects. Many large projects are budgeted far too low because decision-makers are subject to an optimism bias. This often has negative financial consequences. Despite this, some of today’s essential buildings would hardly have been realised if the true costs had prevailed right from the start. Accordingly, this distortion can also have positive effects.
The following factors make the optimism bias more likely to occur (Cherry 2018a).
• Infrequent risk scenarios are more likely to be influenced by the distortion of optimism. People tend to think that they are less likely to be affected by events such as floods just because they are usually not everyday events.
• People experience the distortion of optimism more when they think that the events are under direct control of the individual. It is not the case that people believe that things will work magically; they rather think that they have the skills and know-how to make them work.
• The distortion of optimism is more likely to occur when the negative risk scenarios are perceived as unlikely. For example, if a person believes that companies rarely go bankrupt, they are rather unrealistically optimistic about these specific risks.
Research has shown that people who are anxious are less likely to be affected by the optimism bias. It has also been found that experiencing certain risk events can reduce the distortion of optimism. Related to ERM, having experienced the occurrence and consequences of a risk can thus reduce the optimism bias. Finally, the bias is less likely to occur if one regularly compares one’s behaviour with that of others in decision-making situations. In this context, it can help to establish valuation rules and place hypothetical bets against the desired event (Montibeller and von Winterfeldt 2015, p. 1235).
Researchers have also tried to help people reduce the distortion of optimism, especially to promote healthy behaviours and reduce risky behaviours. However, they have found that reducing or eliminating the bias is indeed incredibly difficult. Attempts to reduce the optimism bias through measures such as educating participants about risk factors, encouraging them to consider risky examples, and educating subjects have led to little change (Cherry 2018a).
In the context of risk analysis, the following approach might reduce the optimism bias: Similar to the previous biases, it is crucial to take an outside view on risk scenarios by considering additional perspectives of subject matter experts. One effective approach that supports this idea is called “prospective hindsight”, in which participants of risk assessments imagine that a specific business objective has not been accomplished and then identify all the possible risks that could explain why this happened. This exercise enables people to identify possible risks and opportunities in their assessments that may not come to mind otherwise (see similarly Singh and Ryvola 2018).
2.1.6 Transparency Bias
Gleißner (2017) states that a transparent identification and presentation of risks is not necessarily in the personal interest of each manager and decision-maker (p. 14). Various reasons for this can be found that lead to both conscious and unconscious non-identification of risks. For example, it can be assumed that people who are prepared to take fraudulent (business-damaging) actions do not support complete transparency. They probably do not want past fraudulent actions to be uncovered, nor do they want such actions to be thwarted in the future.
Furthermore, the transparent presentation of risks can weaken a manager’s own position. It is possible that some projects would be discontinued if all risks were presented transparently. Especially if an employee or even a manager is dependent on a project and wants to advance his or her career with it, a conscious non-identification is to be assumed. However, a lack of communication about the benefits of ERM can also lead to uncertainty on the part of employees, who then consciously and unconsciously conceal risks.
Increasing managers’ motivation to be accurate is a key remedy. This can be done by making them aware of potential biases, or by incentivising them for the accuracy of their feedback. Rewards for accurate feedback on risks and rewards do not sound intuitive at first. The key idea here is to reward people for being more transparent and precise about risk, independent of the scale (impact) of the risk. Training, bonuses or other incentives could be offered for increasing the transparency in risk assessments. If such incentive systems are adequately established, superiors can also recognise who is reporting honestly and correctly, which also increases visibility.
Gamification might be a very promising approach to counter transparency bias. In fact, very little research on the relationship of game mechanisms and ERM transparency is available. However, motivating people to be transparent in risk assessments could be enhanced by awarding specific “transparency rewards”: Collecting points, unlocking new levels, receiving fictitious titles and other approaches could play an important role. Internal and external leaderboards support these transparency efforts. In this context, it is important that incentives should not only be implemented at the individual level, but also at the team and department level (Hossain and Li 2013).
2.2 Cognitive Biases
Cognitive biases are systematic errors in thinking that may affect input into decisions and judgments that people make. Basically, from an evolutionary standpoint, these instincts provide mechanisms to make rapid decisions in important and complex situations based on previously observed patterns (Rees 2015, p. 12). One must be careful not to confuse cognitive biases with logical fallacies. A logical fallacy is based on an error in a logical argument, while a cognitive bias is related to false thought processing often arising from challenges with attention, attribution, memory or other mental stumbling blocks.
2.2.1 Anchoring
To arrive at a decision, an individual usually starts from an anchor number and then adjusts that number or estimate by correcting it up or down (Wolf 2012). A decision-maker must be careful not to use this as a shortcut that can lead to wrong decisions. People have the habit that they like to think automatically. Sometimes we avoid making decisions because it is too much of a burden. Anchoring could be an easy way to make decisions based on one particular piece of information. When decision-makers focus on or give too much weight to one piece of information without considering other crucial factors, serious mistakes are made (Friedman 2017).
Information overload and lack of time make people more susceptible to anchoring. If there are no clear points of orientation available to the decision-maker, the person prefers to look for an anchor. If an anchor is not readily available, a decision-maker will probably take the first one offered when some numbers, statistics or other information is presented. Any projection of the future is to some extent based on historical data and therefore also includes some anchoring. As balanced and conscious decision-making on risks and rewards is a centrepiece of ERM, it is important that risk-based decisions are not based on anchors that may significantly bias risk perception and risk assessments.
Example
Anchoring is not a curiosity only occurring in research laboratories; it can be just as powerful in the real world. In an experiment conducted a few years ago, real estate agents were given the opportunity to assess the value of a house that was actually for sale. They visited the house and studied a comprehensive information brochure containing an asking price. Half of the brokers saw an asking price that was significantly higher than the list price of the house; the other half saw one that was significantly lower. Each broker expressed his or her opinion about a reasonable purchase price for the house and the lowest price at which he or she would sell the house if he or she were the owner.
The estate agents were then asked about the factors that affected their judgment. Remarkably, the asking price was not one of these factors; the brokers were proud of their ability to ignore it. They claimed that asking prices did not influence their answers, but they were wrong. The anchor effect was 41%. In fact, knowledgeable practitioners were almost as vulnerable to anchor effects as students of business administration without real estate experience, whose anchor index was 48%. The only difference between the two groups was that the students admitted to having been influenced by the anchor, while the professionals denied this influence (Kahneman 2012).
Several measures are available to deal with anchoring. Risk managers can consider a specific reference point for information when preparing risk-based decisions. It may be essential to set an anchor based on current knowledge and financial objectives and be willing to adapt it to changing circumstances. It is important to consider and discuss the underlying fundamental data and assumptions which led to a specific anchor. In addition, risk managers must ensure that risk assessments remain flexible and are open to new sources of information during workshops or interviews. They must be aware of that bias in risk analysis and not provide interviewees with specific anchors prior to risk identification and risk assessment.
A skilled risk manager can ask relevant questions that can reveal a company’s anchoring behaviour. Are risk assessments carried out in such a way that a constructive discussion between different opinion leaders has led to consensus? Are risks assessed on a neutral basis without specifying anchor numbers or anchor data prior to risk assessment? Are risks consistently discussed with an advocate who argues against the first consensus within risk assessments or risk workshops? Taking these aspects into account may help to ameliorate anchoring bias (see similarly Kent Baker and Puttonen 2017, pp. 118–119).
2.2.2 Availability Bias
As suggested by Tversky and Kahneman (1973), a persistent cognitive bias that has special relevance for risk perception is known as availability. Leaning on frequently occurring (risk) events is an often applied shortcut when trying to predict the future and make decisions when faced with risk and uncertainty (Wolf 2012). Availability is also affected by numerous factors unrelated to the frequency of occurrence. An example of availability is the extent to which individuals are influenced by their memories and perceptions of past events in discussions about (future) risks and opportunities.
Due to the availability bias, many risk assessments are heavily distorted. For example, we tend to systematically overestimate the risk of earthquakes, thunderstorms or fires. At the same time, we underestimate strategic or operational risks such as increasing customer complaints or systematic bottlenecks at management level. Topics often intensively covered by media and press are often much rarer than we believe. Spectacular risks are basically much more present in our brains than their opposite.
The availability bias may, for example, affect the Board of Directors. As a rule, there is usually an intense discussion about what management presents, e.g. quarterly figures such as revenues and EBIT. More important topics such as a skilful product launch by the competition, increased employee turnover or an unexpected change in customer behaviour are rarely adequately discussed. However, these neglected topics can pose significant threats to the company, i.e. can become strategic risks.
The following points can be suggested as countermeasures. It may be worthwhile to offer basic courses and training on how probability estimates can be made without relying on past events and experience. Providing counter-examples can also be used to show the effect of availability biases. In this context, risk managers can address the challenge of assessing risks prospectively instead of retrospectively. Risk managers can set high standards for “neutral thinking” in risk workshops by asking questions to uncover potential availability distortions, such as: What happened in the past? Has this risk occurred once or several times in the past? What type of risk mitigation has been performed after this risk? Is this risk still relevant in the future? In summary, it can be said that risk managers and those who assess risks should pay attention to the past information that flows into scenario development (Montibeller and von Winterfeldt 2015, p. 1233).
Additionally, different perspectives of the various persons involved in risk assessments should be considered regularly. A risk manager may form a team with different experiences and perspectives. This countermeasure itself will limit the distortion of availability, as people usually question each other’s natural thinking. It can also be worth considering external perspectives that simply do not exist within the company.
2.2.3 Dissonance Bias
An opinion (e.g. a risk assessment) that is incompatible with our existing way of thinking creates discomfort because our mind cannot easily deal with contradictory ideas at the same time. This discomfort is called cognitive dissonance. The result is the urge to discredit or ignore information that does not fit the current way of thinking. Thus, it is conceivable that information about downside risk is ignored because it contradicts the potential opportunities (rewards). Avoiding this dissonance can obviously affect the quality of decisions under uncertainty.
Cognitive dissonance in the workplace is widespread and a major source of stress for professionals working, for example, in organisational support functions such as risk management. There are many examples and scenarios that can lead to cognitive dissonance, ranging from observing inappropriate and poor leadership practices to encouraging people to take on tasks that are not consistent with procedures, norms, training, organisational or personal values. When confronted with contradictory beliefs and practices and the pressure to tolerate them, these professionals often experience deep personal dissatisfaction (Celati 2004, p. 58).
A first step in overcoming and eliminating dissonances is that risk managers are aware of them and address them in risk management workshops or interviews. Skilled risk managers can try to identify existing and potential dissonances. Role-playing exercises can create comfort and confidence, which in turn reduces dissonance. Another approach is to ask trusted people to review one’s own actions and beliefs and suggest alternative courses. Successful risk managers seek feedback from others and consider their opinions in risk assessment (Kent Baker and Puttonen 2017, p. 121).
2.2.4 Zero Risk Bias
The zero risk bias describes individuals’ preference for options which reduce a small risk to zero over options which achieve a greater reduction in a larger risk. In other words, we tend to prefer the absolute certainty of a smaller benefit (i.e., complete elimination of a risk) to the lesser certainty of receiving a larger benefit. This bias can be observed specifically in risk-averse people and managers. These risk-averse decision-makers prefer small benefits which can certainly be realised to large ones which are less certain. For a risk decision-maker, the importance of having knowledge about this bias cannot be overstated.
Example
Scientists identified a zero risk bias in the responses to a questionnaire about a hypothetical clean-up scenario involving two dangerous sites X and Y, with X causing 8 cases of cancer annually and Y causing 4 cases annually. Respondents chose between three remedies: two options each reduced the total number of cancer cases by 6, while the third reduced the number by 5 and completely eliminated the cases at site Y. While the latter option had the worst overall reduction, 42% of respondents rated it better than at least one of the other options. This conclusion was similar to an earlier economic study, which found that people were willing to bear high costs to eliminate a risk completely (Baron et al. 1993).
This bias can occur at various stages in ERM, specifically when weighing two options.
In order to reduce the risk of a disaster from 5 to 0% (i.e. to completely exclude it),
people would invest a lot more than they would to reduce it from 10 to 5%. This effect
shows that people attach irrational importance to unlikely events. Particularly concerning
risk mitigation efforts, this bias can have a considerable impact on costs.
A general solution for zero risk bias is not known. It is important to be aware that there is no such thing as complete security, i.e. zero risk. One way to reduce the certainty effect is to avoid so-called “sure things” in utility elicitation and to separate value and utility elicitation. It can also be useful to examine the relative risk attitude and to point out possible misinterpretations. In summary, it is often not the best course of action to completely eliminate one risk. Instead, a balanced risk portfolio that yields a greater aggregated relative risk reduction is more efficient and effective than focusing solely on risks which can be completely mitigated.
2.2.5 Conjunction Fallacy
The conjunction (joint occurrence) of two risk events is judged more likely than one of its constituent risk events, specifically if the probability assessment is based on a reference case that resembles the conjunction. Conjunction errors occur when we assign a higher probability to a risk event with higher specificity. This fundamentally violates the laws of probability. Consider the following example from tennis:
• A: Roger Federer will win the game
• B: Roger Federer loses the first set
• C: Roger Federer will lose the first set, but win the match
• D: Roger Federer wins the first set, but loses the match
Different studies by Kahneman show that people rank the chances in a way that directly contradicts the laws of logic and probability. He explains this as follows using the above tennis example: The critical points are B and C. B is the more comprehensive event, and its probability must be higher than that of an event it contains. Contrary to logic, but in line with representativeness or plausibility, 72% of the respondents gave B a lower probability than C. However, the loss of the first set is by definition always a more likely event than the loss of the first set combined with victory in the match (Tentori et al. 2013). The following example rooted in the insurance industry further illustrates the conjunction fallacy.
Example
If people are given the opportunity to take out air travel insurance shortly before the flight, they appear willing to pay more for insurance that covers terrorism than for insurance that covers any cause of death from air travel, including terrorism. Obviously, insurance that only covers terrorism should be worth less than insurance that covers terrorism in addition to other risks (see Fig. 2.1). Perhaps because we find it easier to imagine a specific risk event, we are often more likely to expect that risk to happen than broader, unspecific risk events (Hubbard 2009, p. 100).
In business we are often prone to conjunction errors, probably because we face so much supportive context. For example, we might hear separate rumours that company budgets are about to be cut and that a senior executive in our department is considering leaving the company. We consider each of these events unlikely, perhaps a 33% chance of budget cuts and a 25% chance of the executive leaving. But if we hear both rumours at the same time, our intuition that both events will happen is pretty high, maybe 50% or more.
To reduce conjunction fallacy, risk managers should illustrate the logic of joint probabilities with Venn diagrams and provide concrete examples to participants of risk workshops or interviews. Employees need to understand the bias and its relevance for decision-making. One approach to uncover the conjunction fallacy is to assess the probability of two events separately and then estimate the conditional probability of one event, given that the other event occurs. Whenever a company faces important decisions which include several risk scenarios that can occur simultaneously, it is helpful to discuss the probabilities of these scenarios with several experts within and outside the company.
Fig. 2.1 Intersection example from the insurance industry (figure; the diagram’s labels are “Terrorism insurance”, “Insurance for other causes of death” and “Insurance for any cause of death”)
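The joint-probability logic behind this debiasing approach can be turned into a simple coherence check that a risk manager can run over elicited estimates. The following Python block is an added example and not code from the book or its cited sources; the function names and the tolerance constant are assumptions of this example, and the only inputs taken from the text are the 33%, 25% and 50% rumour estimates and the tennis ordering of events B and C.

```python
"""Coherence check for elicited joint risk probabilities (added example)."""
from dataclasses import dataclass
from typing import Optional

TOL = 1e-9  # assumption: tolerance when comparing elicited probabilities


@dataclass(frozen=True)
class JointCheck:
    lower_bound: float          # smallest P(A and B) consistent with P(A), P(B)
    upper_bound: float          # largest P(A and B) consistent with P(A), P(B)
    if_independent: float       # P(A) * P(B): the joint probability under independence
    coherent: bool              # True if the elicited joint lies within the bounds
    a_given_b: Optional[float]  # P(A | B) implied by the elicited joint, if P(B) > 0


def _validate(*probs: float) -> None:
    for p in probs:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability {p} is not in [0, 1]")


def check_conjunction(p_a: float, p_b: float, p_joint: float) -> JointCheck:
    """Compare an elicited joint probability with the bounds any two events obey:
    max(0, P(A)+P(B)-1) <= P(A and B) <= min(P(A), P(B)).
    An elicited joint above the upper bound is a conjunction error."""
    _validate(p_a, p_b, p_joint)
    lower = max(0.0, p_a + p_b - 1.0)
    upper = min(p_a, p_b)
    coherent = (lower - TOL) <= p_joint <= (upper + TOL)
    a_given_b = p_joint / p_b if p_b > 0 else None
    return JointCheck(lower, upper, p_a * p_b, coherent, a_given_b)


def subevent_is_coherent(p_event: float, p_subevent: float) -> bool:
    """An event that contains another (B contains C in the tennis example)
    can never coherently be rated less probable than the event it contains."""
    _validate(p_event, p_subevent)
    return p_event + TOL >= p_subevent


def joint_from_conditional(p_b: float, p_a_given_b: float) -> float:
    """The route the text recommends: elicit P(B) and P(A | B) separately and
    derive P(A and B) = P(B) * P(A | B) instead of asking for the joint directly."""
    _validate(p_b, p_a_given_b)
    return p_b * p_a_given_b


if __name__ == "__main__":
    # The two rumours from the text: 33% budget cut, 25% executive leaving,
    # and an intuitive joint estimate of 50%.
    print(check_conjunction(0.33, 0.25, 0.50))
    # Tennis example with constructed percentages: rating C above B is incoherent.
    print(subevent_is_coherent(p_event=0.30, p_subevent=0.40))
```

In a workshop the useful output is the `a_given_b` field: an elicited joint of 50% against a 25% chance of the executive leaving implies a conditional probability of 200%, which makes the error obvious to participants without any Venn diagram.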
2.2.6 Conservatism Bias
Conservatism bias is a mental process in which people hold on to their previous views or predictions at the expense of recognizing new information (Edwards 1982). Suppose a trader receives bad news about a company’s earnings and this news contradicts another profit estimate from the previous month. Decision-makers can take a conservative approach in order to minimise risks. However, this bias can result in lower profits. Avoiding bizarre and unhealthy risks should be the goal, while at the same time increasing prudent risk taking, which does not necessarily lead to greater risk exposures.
For example, there is a tendency to overestimate the probability of low-probability
risk events occurring, where impact would be significant if such a risk event did happen.
At the same time, a conservative mind-set may not fully take into account the reality that
most operational risks are higher-probability risk scenarios. It is important to note that
the conservatism bias seems to contradict the representativeness bias, the latter referring
to an overreaction to new information, while the distortion of conservatism refers to an
underreaction to new information.
Risk managers can reduce conservatism bias by carefully reviewing new information to determine its value over previous beliefs and by seeking unbiased advice. If new information is difficult to discover, verify, or explain, opinions by subject matter experts become more important. However, every new piece of information should be analysed and deserves careful review—it may reduce uncertainty. Another approach is to make the thinking process more flexible, meaning that people need to learn to let go of previous beliefs when confronted with credible evidence that contradicts existing opinions and estimates. If people are about to ignore information because it is difficult to understand (such as math or statistics), risk managers must either take the time to translate this information into “business language” or involve an expert who can support the explanation of this information.
2.2.7 Endowment and Status Quo Bias
Another type of cognitive bias is the status quo bias. People prefer things to stay the way
they are, or that the current state remains the same. They ask to get paid more for an item
they own than they are willing to pay for it when they do not own it. Accordingly, their
disutility for losing is greater than their utility for gaining the same amount (Montibeller
and von Winterfeldt 2015, p. 1235). This distortion can affect human behaviour and is of
interest in many areas of sociology, politics and economics.
The evidence from a large number of experimental studies demonstrates the endowment effect. In simple versions of such experiments, half of the participants receive a particular object—for example a lottery ticket, a chocolate bar, or a pen, depending on the experiment—and the other half receive the equivalent monetary value. Subsequently, participants are allowed to swap the object and the money, either with the experimenter or with each other, again depending on the particular experiment.
However, the number of trades is usually considerably lower than expected, and the vast majority of participants prefer to keep what they receive: for instance, the pens were worth more money to those subjects who started with pens than to those who started with money. This behaviour is usually regarded as a consequence of the effects of “loss aversion” and the “status quo” bias.
In politics, the status quo bias is also often used to explain the conservative way of thinking. People who describe themselves as conservative tend to focus on preserving traditions and keeping things as they are. This avoids risks associated with change, but also misses possible benefits that change could bring. Of course, as with many other cognitive distortions, the status quo bias has a benefit. Since it prevents people from taking risks, the bias provides some protection. However, this risk avoidance can also have negative effects if the alternatives actually offer more safety and benefit than the current state (Cherry 2018b).
Debiasing endowment and status quo is difficult in practice. Risk managers could
explain that the status quo is not relevant for future decisions on risks and rewards. When
for example discussing project risks, he or she can show that sunk costs should not play
a role in the risk analysis and subsequent decisions (Montibeller and von Winterfeldt
2015, p. 1235).
2.2.8 Framing
Framing effects mean that people’s response to information is influenced by how information is presented (Wolf 2012). People’s preferences can be reversed by appropriate information design. As in prospect theory, framing often comes in the form of profits or losses. This theory shows that a loss is perceived as more significant and thus more avoidable than an equivalent gain. In the hierarchy of choice architecture, a safe profit is preferred to a probable one, and a probable loss to a safe loss. Decisions can also be formulated in such a way that the positive or negative aspects of the same decision are highlighted, thus bringing affect heuristics to the fore.
The following example can illustrate the framing effect:
Example
“Participants saw a film of a traffic accident and then answered questions about the event, including the question ‘About how fast were the cars going when they contacted each other?’ Other participants received the same information, except that the verb ‘contacted’ was replaced by either hit, bumped, collided, or smashed. Even though all of the participants saw the same film, the wording of the questions affected their answers. The speed estimates (in miles per hour) were 31, 34, 38, 39, and 41, respectively.
One week later, the participants were asked whether they had seen broken glass at the accident site. Although the correct answer was ‘no,’ 32% of the participants who were given the ‘smashed’ condition said that they had. Hence the wording of the question can influence their memory of the incident.” (Memon et al. 2003, p. 118).
Risk managers can reduce framing effects by trying to “see through the frame”, or rather, to look at things more objectively. This task is difficult because people may have incentives to “nudge” others in a certain direction or decision by the way they present information. For example, division managers try to convince management of their successful projects or risk mitigation measures by advertising and presenting them positively (Kent Baker and Puttonen 2017, p. 121).
It seems important in this context that incentives exist not only at the individual level but also at the team and department level. Another option is to get a second opinion from a person who is not involved in the decision-making process. In most cases, the latter can look at the different options from a more neutral perspective. Finally, research fortunately shows that if people feel happy, framing effects can be reduced (Cassotti et al. 2012).
2.2.9 Gambler’s Fallacy
Tversky and Kahneman introduced the gambler’s fallacy in the 1970s as a result of the representativeness heuristic. It arises from belief in the law of small numbers, namely the notion that irrelevant information about the past is important to predict future events. If a random event has occurred several times, we tend to predict that it will occur less frequently in the future, so that the results balance out on average. Thus, we do not realise that small samples are often not representative of the population (Sun and Wang 2010, pp. 124–125). This error must be taken into account in particular in risk analysis and risk scenario quantification.
Gambler’s Fallacy and the hot hand fallacy are closely related, but somewhat different. The hot hand fallacy refers to the phenomenon that we believe a number of successful events (e.g. non-occurrence of risk) must be continued just because a number of successes have just occurred. For example, because no risk occurred in the last three years, we are more likely to think that no risk will occur in the fourth year. The Gambler’s Fallacy applies in case we expect a reversal of the results, not the continuation of a certain result.
Today, a large number of risk decisions are strongly influenced by data analysis. McCann (2014) noted that with the increasing dependence on data analysis results, players’ mistakes are becoming more and more apparent. Typical evidence of this in prediction is the tendency to observe and identify certain patterns in data, even if these “patterns” arise from nothing but random events.
In order to reduce Gambler’s Fallacy, it is advisable to impart basic statistical knowledge to employees. Managers who make important decisions need to know and understand statistical fundamentals. By explaining the probability logic and the independence of events, better decisions can be made. Risk managers can identify typical examples of mistakes and present them to management and employees (Montibeller and von Winterfeldt 2015, p. 1236).
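Explaining the independence of events is easier with a computation that participants can rerun themselves. The following Python simulation is an added example and not from the book; the 10% annual event probability, the run of three quiet years and the random seed are constructed assumptions. It shows the point both fallacies miss: after a run of quiet years the empirical rate in the next year stays at the base rate, while the quantity that does grow with the horizon is the chance of at least one occurrence over several years.

```python
"""Independent annual risk events: history does not change next year's odds (added example)."""
import random
from typing import List


def prob_next_year(p: float, quiet_years: int) -> float:
    """Under independence the number of preceding quiet years is irrelevant:
    the probability of an occurrence in the next year is p whatever the history."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must lie in [0, 1]")
    del quiet_years  # deliberately unused: that is the point of the function
    return p


def prob_at_least_one(p: float, years: int) -> float:
    """What does change with the horizon: P(at least one occurrence in `years` years),
    which is 1 - (1 - p)^years for independent years."""
    if not 0.0 <= p <= 1.0 or years < 0:
        raise ValueError("invalid arguments")
    return 1.0 - (1.0 - p) ** years


def simulate_history(p: float, n_years: int, seed: int = 7) -> List[bool]:
    """Constructed data: one Boolean per year, True if the risk event occurred.
    The seed makes the run reproducible for a workshop demonstration."""
    rng = random.Random(seed)
    return [rng.random() < p for _ in range(n_years)]


def rate_after_quiet_run(history: List[bool], run_length: int) -> float:
    """Empirical frequency of an occurrence in the year following `run_length`
    consecutive quiet years. The gambler's fallacy expects more than p here
    (a reversal is 'due'), the hot hand fallacy expects less than p (the quiet
    run 'continues'); under independence the frequency converges to p."""
    hits = total = 0
    for t in range(run_length, len(history)):
        if not any(history[t - run_length:t]):
            total += 1
            hits += int(history[t])
    if total == 0:
        raise ValueError("no run of that length in the history")
    return hits / total


if __name__ == "__main__":
    p = 0.10
    hist = simulate_history(p, 200_000)
    print(f"base rate: {p:.3f}")
    print(f"frequency after 3 quiet years: {rate_after_quiet_run(hist, 3):.3f}")
    print(f"at least one occurrence in 4 years: {prob_at_least_one(p, 4):.4f}")
```

Passing `run_length=0` to `rate_after_quiet_run` returns the unconditional rate, which is a convenient way to show both numbers side by side in the same session.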
2.2.10 Hindsight Bias
The hindsight bias describes that people change their estimates of the probability of events and outcomes after they are already known. They overestimate their ability to predict past events, even if the outcome was completely unpredictable (Wolf 2012). The bias arises because it is difficult for people to separate what they currently know from past experience. Although hindsight bias is now widely accepted, the underlying mechanisms that explain it are still being discussed. The problem with this bias is that we believe that the causes of past events were simpler than they actually were. Understanding this distortion is therefore essential so that we can learn from our experiences and mistakes. One area in the decision-making process that is very likely to be affected by hindsight bias is the control phase and the environmental scanning phase (see similar Barnes 1984, p. 130).
Typical examples of this are strategic decisions made by companies that are subsequently regarded as obvious. For example, only a few companies in the media and clothing industries have relied on Internet commerce. In the meantime, numerous traditional companies from these sectors have gone bankrupt. Frequently the question is asked why these companies were not also relying on the Internet. At the time of the strategic decision, however, it could not yet be foreseen that this would be the right decision.
One way to deal with this bias is to admit that companies are susceptible to hindsight bias. Risk managers need to remind all employees that the future is basically unpredictable, even if people think that they can predict certain risk scenarios based on their past experience. Risk managers should use objective data if available to complement opinions by subject matter experts. It is also worthwhile to review risk scenario assumptions about future developments using (outside) expert opinions. In summary, this means that risk managers and decision-makers should weigh different alternatives against each other, taking into account the fact that situations are constantly changing.
2.2.11 Overconfidence
This bias describes a decision-maker’s overestimation of his or her own abilities. This can occur in two forms: overestimation of one’s own abilities or performance and overestimation of one’s own knowledge. The overestimation of one’s own performance often occurs. For example, most drivers consider themselves to be better than average. However, it is not possible that more than half of the drivers are better than average. The term is used more frequently for the second form of overestimation. Decision-makers are overconfident if they consider their own judgements to be more precise than they actually are.
Overconfidence often manifests itself in the fact that, for example, intervals are given too narrowly. People are confronted with difficult factual questions and asked for their answers. This is done by giving the best answer together with a 90% confidence interval. Because the given interval is often set too narrowly, the true value is often missed (Shefrin 2016, pp. 62–63). This phenomenon is also called “miscalibration”.
Economist Philip Tetlock spent 20 years studying forecasts by experts about the economy, stock markets, wars and other issues. He found the average expert did as well as random guessing or, as he put it, “as a dart-throwing chimpanzee”. Tetlock believes forecasting can be valid, but only when done with a long list of conditions, including humility, rigorous use of data and a ruthless vigilance for biases of all types. He said that he believes it is possible to predict the future, at least in some situations and to some extent, and that any intelligent, open-minded and hardworking person can cultivate the requisite skills. Obviously, this is a challenge at the heart of the whole risk industry (Tetlock and Gardner 2015, p. 6).
In order to overcome overconfidence bias, some selected debiasing strategies can help. Risk managers should declare probability training obligatory for risk owners and decision-makers. Risk managers can, for example, start the risk assessment with extreme risk estimates (low and high) and thus avoid central tendency anchors (Montibeller and von Winterfeldt 2015, p. 1233). To challenge risk scenario assessments, counter-arguments can be developed that challenge the underlying values and assumptions. Risk managers, but also every employee, should further consider constructive criticism from people they trust. This can serve as a very important step to reduce overconfidence. It is not necessarily the case that criticism is always right; however, risk managers and risk owners get some food for thought to challenge their own risk perception.
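The miscalibration described in this section can be measured directly as part of the probability training recommended above: ask risk owners for 90% intervals on questions with known answers and compare the hit rate with the nominal 90%. The following Python block is an added example and not from the book or the studies it cites; the ten (low, high, true value) triples are constructed sample answers, and the symmetric widening factor used as a corrective is an assumption of this example rather than a method the text prescribes.

```python
"""Calibration check for elicited 90% confidence intervals (added example)."""
from typing import List, Sequence, Tuple

Estimate = Tuple[float, float, float]  # (lower bound, upper bound, true value)

# Constructed sample: ten 90% interval answers from a hypothetical calibration
# quiz for risk owners, paired with the true value revealed afterwards.
SAMPLE_ANSWERS: Sequence[Estimate] = (
    (10, 20, 15),
    (100, 150, 180),
    (2, 4, 3),
    (30, 40, 25),
    (5, 8, 8),
    (50, 60, 70),
    (0, 2, 1),
    (200, 250, 190),
    (7, 9, 8),
    (1000, 1200, 1100),
)


def interval_hit_rate(answers: Sequence[Estimate]) -> float:
    """Share of intervals that contain the true value (bounds inclusive).
    A well-calibrated estimator hits about 90% of the time with 90% intervals."""
    if not answers:
        raise ValueError("no answers to evaluate")
    for low, high, _ in answers:
        if low > high:
            raise ValueError(f"interval ({low}, {high}) is reversed")
    hits = sum(1 for low, high, truth in answers if low <= truth <= high)
    return hits / len(answers)


def calibration_gap(answers: Sequence[Estimate], nominal: float = 0.90) -> float:
    """Nominal confidence minus observed hit rate. Positive means the intervals
    are too narrow (overconfidence, 'miscalibration'); negative means too wide."""
    return nominal - interval_hit_rate(answers)


def widen_interval(low: float, high: float, factor: float) -> Tuple[float, float]:
    """Widen an interval symmetrically about its midpoint by `factor`
    (assumed corrective for this example: estimators who keep missing
    are asked to stretch their intervals before answering again)."""
    if factor <= 0:
        raise ValueError("factor must be positive")
    mid = (low + high) / 2
    half = (high - low) / 2 * factor
    return (mid - half, mid + half)


def widened_hit_rate(answers: Sequence[Estimate], factor: float) -> float:
    """Hit rate the same answers would have achieved with wider intervals."""
    widened: List[Estimate] = []
    for low, high, truth in answers:
        new_low, new_high = widen_interval(low, high, factor)
        widened.append((new_low, new_high, truth))
    return interval_hit_rate(widened)


if __name__ == "__main__":
    rate = interval_hit_rate(SAMPLE_ANSWERS)
    gap = calibration_gap(SAMPLE_ANSWERS)
    print(f"hit rate {rate:.0%} against nominal 90% (gap {gap:+.0%})")
    print(f"hit rate with intervals doubled in width: {widened_hit_rate(SAMPLE_ANSWERS, 2.0):.0%}")
```

The gap, not the single hit rate, is what to track across repeated training rounds: a group that moves from a large positive gap towards zero is learning to state intervals that reflect what it actually knows.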
2.2.12 Perceived Risks
Psychologist Paul Slovic has dealt with the question why opinions of risk experts differ
from those of non-experts. Understanding these differences and the ability to articulate
them is a critical skill that risk managers must have (Shefrin 2016, p. 56). Slovic points
out that risk managers, when assessing risks, tend to focus more on specific variables
such as expected death rates. He points out that non-experts, on the other hand, rely more
on intuitive risk assessments (risk perceptions) that can be very different from expert
judgements.
The risk perception of non-experts is heavily influenced by two factors, dread risk and unknown risk. Dread risk includes dread and a number of other considerations such as perceived lack of control, fatal consequences, catastrophic potential and unequal distribution of costs and benefits. In the context of dread risk, he mentions serious events such as Chernobyl and Fukushima. Unknown risk is the lack of familiarity, e.g. whether the activity or technology has new, unobservable, unknown and delayed harmful consequences. For example, the public assesses nuclear power as much riskier than risk experts do. The difference can be attributed to both dread risk and unknown risk. Dread risk is very complex to deal with. In this context, perceived control is an important issue. For example, psychometric research has found that people are willing to tolerate voluntary risks, e.g. from skiing, 1000 times higher than risks associated with involuntary activities, e.g. from food preservatives. Unknown risk is relevant because people are naturally afraid of the unknown (Shefrin 2016, p. 58).
The perceived risk can be managed by using two different risk reduction strategies. The first strategy is to reduce uncertainty by seeking information. To achieve this, a company-wide information system is important. In this system, objective risk information can be collected and made available to employees. It is also possible to support risk assessments by providing useful questions such as “how often in 10 years will a major problem with a nuclear power plant occur” or “how often will we have a supply bottleneck in the next 10 years”. Wrong risk perception can only be changed with the necessary experience and the acquisition of knowledge. The second strategy is to reduce vulnerability by reducing the risk exposure (Al-Shammari and Masri 2016, p. 248). It is also helpful that risk managers support risk owners during risk identification and risk assessment interviews. Specifically for inexperienced people, it is important to have a mentor (risk manager) who helps to assess risks more objectively.
2.3 Group-Specific Biases
At the collective level, the confirmation bias introduced in Sect. 2.1.3 is referred to as
group-specific distortion. It typically occurs when a group aims to reach consensus
before making decisions. Group-based decisions have fundamental advantages that are
particularly evident in the following points:
• More information available
• Enriched discussion with different opinions and perspectives
• Improved accuracy and more creativity
• Higher acceptance of the decision
The relevant question is whether teams actually make better decisions than individuals
do. The so-called group-specific biases must be viewed critically. The time allowed for
decision-making in groups can be so limited that the group may be in a hurry to make
the wrong decisions. Efforts should therefore be made to ensure that all views are heard
in risk management workshops or ERM committees and taken into account.
Tip: In order to integrate different views on the same risk scenario, it is necessary to adopt a critical attitude. Often the best decisions come from changing the way people think about problems and looking at them from different angles. “Six thinking hats” can help to look at problems from different perspectives, but one by one, to avoid confusion from too many angles that overload your thinking. It is also a powerful decision-checking technique in group situations, as everyone examines the situation from every perspective simultaneously (Manktelow 2005, pp. 86–87).
Each “thinking hat” is a different way of thinking. These are explained below
(de Bono 1999):
• White hat: With this thinking hat, the focus is on the available data. We look at the information we have, analyse past trends, and see what we can learn. We look for gaps in our knowledge and try to close them or take them into account.
• Red hat: “Wearing” the red hat, we look at problems with our intuition, gut reaction and emotion. We also think about how others might react emotionally. We try to understand the answers of people who do not fully understand our reasoning.
• Black hat: With black hat thinking we consider the potentially negative results of a decision. We look at it carefully and defensively. We try to understand why it might not work. This is important because it shows the weaknesses in a plan. It allows us to eliminate them, change them, or create contingency plans to address them.
Black hat thinking helps make our plans “harder” and more resilient. It can also help us to identify fatal errors and risks before we begin a course of action. It is one of the true benefits of this model, as many successful people get so used to thinking positively that they often cannot see problems in advance. As a result, they are not well prepared for difficulties.
• Yellow hat: This hat helps us to think positively. It is the optimistic view that helps us to see all the benefits of the decision and the value in it. Yellow hat thinking helps us to go on when everything looks gloomy and difficult.
• Green hat: The green hat stands for creativity. This is where we develop creative solutions to a problem. It is a freewheeling way of thinking with little criticism of ideas (we can try out a number of creativity tools that will help us).
• Blue hat: This hat represents process control. It is the hat worn, for example, by people who lead meetings. If they have difficulties because ideas dry up, they can direct the activity into green hat thinking. When emergency plans are needed, they will prompt black hat thinking.
One variant of this technique is to look at problems from the perspective of different professionals (e.g., doctors, architects, or sales managers) or different customers.
Applied in this form, the six thinking hats concept can help to reduce or even prevent
biases in many of the group situations described below.
2.3.1 Authority Bias
This cognitive bias describes the tendency of people to weight the opinion of a person of authority comparatively strongly. They are also more easily influenced or persuaded by authority persons. There are numerous examples of how this cognitive bias is used to influence consumer behaviour. These can be stock market tips from self-proclaimed financial experts or advertisements for toothbrushes that promote a unique cleaning result. The effect already occurs when people look like persons of authority, whether they are actually experts in the field or just pretending to be. Conformity and compliance are so deeply embedded in a person’s psyche that the acceptance of any kind of commands coming from such a person becomes a standard habit. Unfortunately, we usually simply stop questioning these authorities.
We often come across numerous articles claiming long-term health benefits associated with coffee, wine or dark chocolate. It is claimed that these results are based on extensive research. It may be worth digging a little deeper, and we may be in for a surprise (Kamal 2018).
• This research could always be funded by these companies.
• The research could be done at an obscure university.
• The sample size can be less than 100.
• All participants can belong to a specific ethnic group.
• Etc.
Various debiasing strategies are available to reduce this distortion. Basically, it is helpful to build mutual trust. Employees are often more open if they are not constantly monitored. If we strengthen this relationship (corporate culture), employees will be more likely to honestly report risks and opportunities. Research has also shown that increasing psychological distance can help reduce bias. Instead of permanently discussing important decisions in the same office, researchers have found that telephone conversations or changes in premises can also contribute to bias reduction (Milgram 1965).
Risk managers can use suitable examples to draw the employees’ attention to that
bias. Before the global financial crisis of 2007/2008, which was preceded by a phase
of high growth, only a few voices were critical. Hardly any financial experts dared to
comment critically on the development, even though economic up and down cycles have
always been part of economic action.
2.3.2 Conformity Bias
Humans are social beings. Ideas about risks that conflict with the group are not always welcome. Even if some risks are very important, people tend to contribute to stability and cooperation. When a decision maker encounters both affirmative and conflicting evidence, the tendency is to overweight the affirmative evidence and underweight the conflicting evidence. Having received affirmative evidence, we are often confident that we have enough appropriate evidence to underpin our faith. The more affirmative evidence we gather, the more confident we become.
Kelman (1958) distinguished between three different types of conformity:
• Compliance: This occurs when a person accepts influence because he or she hopes to achieve a positive response from another person or group. He or she adopts the induced behaviour because he or she expects to receive specific rewards or approval and to avoid specific punishment or rejection by conforming (Kelman 1958, p. 53).
• Internalization: This occurs when an individual accepts influence because the content of the induced behaviour—the ideas and actions it consists of—is inherently rewarding. He or she adopts the induced behaviour because it is congruent with his or her value system (Kelman 1958, p. 53).
• Identification: This occurs when an individual accepts influence because he or she wants to establish or maintain a satisfying, self-defining relationship with another person or group (Kelman 1958, p. 53).
Example
A good example of the conformity bias is the experiment conducted by Asch (1956). He shows how group pressure can influence a person to such an extent that they judge an obviously false statement to be correct. Asch’s experiment asked subjects to compare the length of several presented lines. The test persons were given a small card with a line printed on top and a selection of three more lines underneath. One of the three lower strokes was obviously just as long as the upper one, one longer, one shorter. The test subjects only had to name the line matching the upper line. Faced with this simple task alone, each subject gave the right answer.
But then Asch brought the participants together in groups. Each group consisted
of a test person and seven helpers, who Asch had instructed without the knowledge
of the test persons. The helpers now began unanimously to give wrong answers. They
called short strokes long, long strokes short. And the unsuspecting test subjects? They
followed. The same test persons who had previously been able to correctly identify
the lines in front of their eyes, now explained that strokes that ended after a few finger
widths were longer than those that extended almost over the entire page. Not even one
in four subjects managed to resist the nonsense of the helpers.
2.3 Group-Specific Biases
40 2 Countering Biases in Risk Analysis
Asch (1956) explained the denial of reality with the fear of holding a dissenting opinion. In interviews, the test subjects said that they had doubted their own perception in the face of the helpers’ so convincingly delivered judgements. Others claimed to have noticed the others’ error, but did not want to spoil the mood. Some test persons even confessed that they were basically convinced that something was wrong with them.
Obviously, avoiding risk management workshops in larger groups and conducting one-on-one interviews instead fully eliminates conformity. To counteract conformity bias in workshops, risk managers can also collect anonymous feedback on risk scenarios first and then discuss these inputs within the group. Additionally, they can invite new experts into the group on a regular basis. Fresh people in risk management workshops do not yet feel the same pressure to adapt as other members. Also, outsiders are unlikely to share the group’s acquired prejudices. Conflicts can nevertheless arise in such a setting. Due to their outsider role, however, the newcomers do not endanger cooperation within the team. No workshop member has to stand against his own team and expect consequences that could endanger further cooperation with the risk manager (Clayton 2011, pp. 148–149).
Basically, if people contribute anonymously to a risk assessment, they are much more comfortable and will probably say what they really think about risks. One way to support this is to use anonymous mailboxes as well as contact persons who are not considered direct superiors. Management must also set the right tone, making clear that this feedback is given high priority (Clayton 2011, p. 148). Last but not least, eliciting a second risk assessment in addition to the first consensus on a risk can further reduce conformity bias.
2.3.3 Groupthink
Groupthink is a certain way of thinking of people in a group (team, meeting, workshop, conference or committee). In group thinking, the group tends to avoid conflicts or tries to minimise them and aims at reaching consensus. However, this consensus is usually not based on adequate critical evaluation and analysis. Individual perspectives and individual creativity are (partially) lost, and lateral thinking is often undesirable. It is not the case that the group members feel compelled; rather, they feel very bound to the group and avoid getting into a conflict situation. The harmony of the group is felt to be more important than the development of realistic risk scenarios. This can indeed lead to people making unfavourable decisions (Kaba et al. 2016, pp. 403–404).
There are several factors that can make groups susceptible to group thinking. First, a group might have a leader who advises members not to disagree. At the same time, the leader makes clear what he or she wants to do and hear. People are inherently selfish, and most will seek opportunities in their own interests to support the leader in a way that is consistent with their own goals. The leader might want to hear “yes”, not “yes, but” and certainly not “no”. It also encourages group thinking when the group is made up of members with similar backgrounds. As a result, confirmation bias and availability bias combine to limit discussion of relevant risk issues and risk perspectives (Shefrin 2016, p. 65).
Groupthink has a special significance when it comes to risk decisions. It leads to “polarization”, i.e. the group dynamics strengthen the risk attitudes of the group members. Group polarization may occur when assessing risk scenarios in risk workshops. Groups tend to make extreme judgements during such workshops. This is particularly the case if the persons involved hold similar opinions before the meeting starts (Moscovici and Zavalloni 1969, pp. 125–135). If, for example, individual group members are not very risk-averse in their attitude prior to a risk workshop, group thinking can result in the whole group being too extremely risk-averse. If many individuals classify a risk as high before a group discussion, this can lead to an even higher assessment of the risk through the group discussion. Thus, there is a danger of both under- and overestimation of risks through group discussions (Lermer et al. 2014, pp. 3–4).
Example
One of the main causes of the Challenger Space Shuttle disaster in January 1986 is considered to be the phenomenon of group thinking, particularly the illusion of unanimity. The latter means that the group decision is taken to correspond to the majority view. When such cognitive distortion occurs, it is assumed that the majority of opinions and individual judgements are unanimous. Group thinking results from the confirmation heuristic and is explained by the following three characteristics: overestimation of the group, narrow-mindedness, and pressure to conform. These characteristics can distort the group’s decision in the wrong direction.
Although the manufacturer of the O-ring (a part of the Space Shuttle) had identified the risk of the O-ring malfunctioning in extreme cold, the manufacturer agreed to launch the Challenger Space Shuttle due to group thinking. Factors contributing to this irrational behaviour include in particular direct pressure on dissidents (group members are under social pressure not to contradict the group consensus), self-censorship (doubts and deviations from the perceived group consensus are suppressed) and the illusion of unanimity.
At the time of the Challenger Space Shuttle disaster, the group as a whole did not consider the manufacturer’s opinion that the O-ring could not function properly in a very cold environment and did not conduct a full analysis of this opinion. This eventually led to the critical disaster (Murata 2017, p. 400).
Polarization occurs because group members try to reinforce each other’s judgements and suggestions. For example, one group member may propose a risky strategy. Other group members confirm why this would be a good idea. This can lead to increased risk appetite because the arguments are mutually confirmed and the members feel comfortable with even more risk. In this case, the group accepts more risk than the individual would (Stangor 2014). Finally, a group member often only discloses information if it supports the direction in which the group is moving regarding certain risk scenarios. This then leads to confirmation by others in the group. Information that runs counter to this direction is withheld. The same applies to information that would make the discloser appear in a less favourable light (Shefrin 2016, p. 65).
To reduce the groupthink bias, risk managers should look for different personalities in a risk workshop and establish a climate in which group members know why it is important to question risks and opportunities. It is also important that all group members follow certain rules to ensure a fair exchange of ideas and assessments. To achieve this, groups should be kept small (5–8 participants). It is also advisable to let the group members speak first, not a person of authority. This also includes reducing power imbalances, i.e. working with flat hierarchies in these teams. In this respect, it is advisable to provide channels for anonymous feedback. In this way, individual members who recognise the overconfidence but do not dare to express themselves critically can voice their opinion anonymously. Otherwise, there would be a danger that the group would portray them as moaners and whingers. Another effective measure is to invite people from other departments to risk management workshops or risk committees, especially those affected by decisions (Shefrin 2016, pp. 64–65).
Within the scope of risk identification, it should be noted that risks should be discussed within the group first, and opportunities only afterwards. In the reverse order, there is a danger that the opportunities overshadow the potential risks, which are therefore discussed too uncritically. In group situations, it can be helpful to designate a person as an advocate whose task it is to challenge assumptions critically, including individual opportunities identified by the organisation. Despite the negative effects mentioned, it must be taken into account that team decisions reflect the creativity of a large number of people and are generally highly accepted (Shefrin 2016, p. 65).
2.3.4 Hidden Profile
If risks are identified in groups, group-specific factors can distort the ERM process. Among other things, groups rarely manage to exchange all available and relevant information on risks. This particularly affects information known only to individuals (Lermer et al. 2014, p. 2). This phenomenon is discussed under the term hidden profile and is based on the investigations of Stasser and Titus (1985). The two researchers formed groups of four students and gave the individual students convergent and divergent information. The students were to arrive at a correct result in their groups of four with the help of the information received. However, this was only possible if all students shared all the information they had received with the group. Yet most groups could not solve the hidden profile. Convergent information was exchanged and discussed. However, divergent information often remained unmentioned (pp. 1467–1478). This phenomenon has been reproduced in various other studies.
Moskaliuk (2013) describes various strategies to reduce this bias. Four of them are listed below:
• Being aware of this bias as a risk manager: This creates the basic prerequisite for specifically avoiding the phenomenon of hidden profiles.
• Avoiding hierarchies: Especially people with low status tend to withhold their expertise. People with high status should thus first hold back with their own assessments in order to give all participants the opportunity to share their views with the group.
• Searching for and collecting information first, then evaluating it: This prevents information that might be significant from being devalued immediately.
• Making the expertise of those involved transparent: This makes it clear that different opinions can be expected on the basis of their specialist knowledge. In addition, the individual participants can be asked directly for their expert assessments.
The first point is basically applicable to all psychological factors mentioned. Just as risks need to be known in order to be managed, ERM specialists should be aware of psychological factors in order to reduce them. It is important to note that discussion and group leaders in particular should become aware of psychological factors. Because of their role, they have the necessary skills and power to steer the group in a goal-oriented manner. Furthermore, the strategy of avoiding hierarchies can also be transferred to the other group-specific biases (Scherrer 2018).
The third point tends to be present in ERM if the individual process steps are consistently carried out separately. If risk identification and risk assessment are carried out together, cognitive biases that tend to occur in both process steps take effect at the same time. This prevents adequate identification and would consequently reduce the quality of the entire process. It is thus better to first identify risks with a conscious management of cognitive biases and only in a next step, which may even take place on another day, to consciously assess the identified risks. The last point suggested by Moskaliuk (2013) can be considered a specific measure to counter hidden profiles (Scherrer 2018).
2.3.5 Social Loafing
Lermer et al. (2014) describe that groups are less creative than individuals in identifying risks. Thus, risk identification in groups is not necessarily advantageous (p. 1). A possible explanation for diminishing creativity is the Ringelmann effect or social loafing. Ringelmann discovered that the average pulling force of a person during tug-of-war decreases proportionally the more people are involved in the pull. However, this effect has been demonstrated not only in tug-of-war, but also in mental work activities (Leitl 2007). This is a kind of motivation deficit, which occurs above all when the performance of individuals is not apparent.
It is important to remember that social loafing does not always happen. For example, Karau and Williams (1997) found that social loafing did not occur in a cohesive group. Moreover, the results of their second study suggest that people can actually make greater efforts when working with low-performing colleagues (a social compensation effect).
According to Dobelli (2018), individual performance should be made visible in order to reduce social loafing (p. 139). This can be done using various methods. With regard to risk identification, Lermer et al. (2014) recommend dispensing with brainstorming in the group and using brainwriting instead. Possible risks are noted in writing by the individual experts. In order to avoid the negative group effect as far as possible, they recommend that the group context be avoided altogether. This means that the experts involved in brainwriting neither meet the other experts surveyed nor present their results to a group. They also recommend using a network of individual experts for risk identification, whose results are collected centrally and, if necessary, played back individually to the experts (pp. 2–3).
As you have learned, the landscape of ERM processes is strewn with psychological landmines. Even risk perceptions and expert assessments are susceptible to a wide range of psychological influences. The concepts mentioned above are in the spotlight of every risk assessment. Some biases overlap in certain aspects because they address similar problems. Reducing some cognitive biases requires the inclusion of a group, whereas group situations can in turn be associated with numerous biases of their own. Reducing susceptibility to biases is therefore a recurring task. In particular, the reduction of biases in group work can only succeed in a suitable social environment, meaning that the risk culture must also be addressed (Shefrin 2016, pp. 68–69).
Key Aspects to Remember
Know the different biases in risk analysis
Throughout the whole ERM process, it is important to note that many risks do not manifest themselves through exogenous events, but rather through people’s behaviour and choices. Basically, the following three categories of biases can be identified: motivational, cognitive and group-specific biases. Especially in the case of cognitive biases, we are usually not aware of many thinking errors, and they can only be identified by an in-depth analysis and the corresponding skills of risk managers and decision-makers.
Understand the importance of biases for risk analysis
Biases are an important topic for risk analysis because systematic errors are made in the identification and assessment of risks. Knowledge of biases and of the measures taken to reduce them can help companies to carry out a more objective risk analysis. Most importantly, errors in risk identification due to biases can negatively affect the whole ERM process.
Recognise the need to mitigate biases throughout the risk process
The mitigation of biases is an important issue. This can take place at various points in the assessment and decision-making process. One of the most important measures is to reduce cognitive errors by making concrete examples of biases available to risk owners and management. In addition, the involvement of several perspectives or experts is often recommended. Finally, it can help to impart basic statistical knowledge to employees.
Be familiar with the limitations of bias mitigation
Not all biases can be eliminated. Every day, people are confronted with possible thinking traps, and these cannot always be resolved without contradiction. There are also scenarios in which biases can be revealed through group discussion, but at the same time new biases are created by the group itself. Thus, a cost-benefit analysis should also be carried out with regard to the reduction of biases.
Have some easy-to-understand examples for your employees ready
Theoretical knowledge of biases is merely the basis for recognising biases in complex practical situations. Companies are well advised to disclose identified or committed errors of thought to a broad circle of decision-makers. This is the only way to improve decision quality. Ultimately, it helps if the risk manager can show some biases using concrete examples. Using past decision processes documented, for example, in risk management workshops, the risk manager can plausibly demonstrate how such biases have influenced decisions about risks.
Critical Thinking Questions
1. To what extent do motivational biases differ from cognitive biases?
2. What general measures can companies take to reduce cognitive biases?
3. Under what conditions are group decisions preferable to individual decisions?
4. How can the concept of “six thinking hats” help to identify and avoid group-specific biases?
5. What role can a positive risk culture play in reducing cognitive biases?
References
Al-Shammari, M., & Masri, H. (2016). Ethical and Social Perspectives on Global Business Interaction in Emerging Markets. Hershey, Pennsylvania: IGI Global.
Asch, S. E. (1956). Studies of independence and conformity: I. A minority of one against a unanimous majority. Psychological Monographs, 70 (9), 1–70.
Baer, T., Heiligtag, S., & Samandari, H. (2017). The business logic in debiasing. https://www.mckinsey.com/business-functions/risk/our-insights/the-business-logic-in-debiasing. Accessed 17 December 2018.
Barnes, J. H. (1984). Cognitive Biases and Their Impact on Strategic Planning. Strategic Management Journal, 5 (2), 129–137.
Baron, J., Gowda, R., & Kunreuther, H. (1993). Attitudes toward managing hazardous waste: What should be cleaned up and who should pay for it? Risk Analysis, 13, 183–192. https://doi.org/10.1111/j.1539-6924.1993.tb01068.x.
Cassotti, M., Habib, M., Poirel, N., Aïte, A., Houdé, O., & Moutier, S. (2012). Positive emotional context eliminates the framing effect in decision-making. Emotion, 12 (5), 926–931.
Celati, L. (2004). The Dark Side of Risk Management: How People Frame Decisions in Financial Markets. London: Prentice Hall.
Cherry, K. (2018a). Understanding the Optimism Bias. AKA the Illusion of Invulnerability. https://www.verywellmind.com/what-is-the-optimism-bias-2795031. Accessed 11 December 2018.
Cherry, K. (2018b). How the Status Quo Bias Affects Your Decisions. https://www.verywellmind.com/status-quo-bias-psychological-definition-4065385. Accessed 11 December 2018.
Clayton, M. (2011). Risk Happens: Managing risk and avoiding failure in business projects. London: Marshall Cavendish International.
de Bono, E. (1999). Six thinking hats. Boston: Back Bay Book.
Dobelli, R. (2018). Die Kunst des klaren Denkens. 52 Denkfehler, die Sie besser anderen überlassen. München: Deutscher Taschenbuch-Verlag.
Edwards, W. (1982). Conservatism in Human Information Processing (excerpted). In D. Kahneman, P. Slovic & A. Tversky (Eds.), Judgment under uncertainty: Heuristics and biases. Cambridge: Cambridge University Press.
Emmons, D. L., Mazzuchi, T. A., Sarkani, S., & Larsen, C. E. (2018). Mitigating cognitive biases in risk identification: Practitioner checklist for the aerospace sector. Defense Acquisition Research Journal, 25 (1), 52–93.
Finucane, M. L., Alhakami, A., Slovic, P., & Johnson, S. M. (2000). The affect heuristic in judgments of risks and benefits. Journal of Behavioral Decision Making, 13 (1), 1–17.
Fischhoff, B., Slovic, P., & Lichtenstein, S. (1978). Fault trees: Sensitivity of estimated failure probabilities to problem representation. Journal of Experimental Psychology: Human Perception and Performance, 4, 330–344.
Friedman, H. H. (2017). Cognitive Biases that Interfere with Critical Thinking and Scientific Reasoning: A Course Module. SSRN Electronic Journal. http://dx.doi.org/10.2139/ssrn.2958800.
Gleißner, W. (2017). Grundlagen des Risikomanagements. Mit fundierten Informationen zu besseren Entscheidungen (3rd Ed.). München: Verlag Franz Vahlen.
Grinnell, R. M., & Unrau, Y. A. (2018). Social Work Research and Evaluation. Foundations of Evidence-Based Practice (11th Ed.). New York: Oxford University Press.
Hossain, T., & Li, K. K. (2013). Crowding Out in the Labor Market: A Prosocial Setting Is Necessary. Management Science, 60 (5), 1148–1160. http://dx.doi.org/10.1287/mnsc.2013.1807.
Hubbard, D. W. (2009). The failure of risk management. Why it’s broken and how to fix it. Hoboken, NJ: John Wiley & Sons Inc.
Kaba, A., Wishart, I., Fraser, K., Coderre, S., & McLaughlin, K. (2016). Are we at risk of groupthink in our approach to teamwork interventions in health care? Medical Education, 50 (4), 400–408.
Kahneman, D. (2007). Short Course in Thinking About Thinking. https://www.edge.org/3rd_culture/kahneman07/kahneman07_index.html.
Kahneman, D. (2012). Schnelles Denken, langsames Denken (3rd Ed.). München: Siedler Verlag.
Kahneman, D., & Frederick, S. (2002). Representativeness revisited: Attribute substitution in intuitive judgement. In T. Gilovich, D. Griffin & D. Kahneman (Eds.), Heuristics and biases: The psychology of intuitive judgment (pp. 49–81). Cambridge: Cambridge University Press.
Kamal, P. (2018). How To Spot These Cognitive Biases To Make You Smarter. And Strategies To Make It Work For You. https://medium.com/@piyush2911/how-to-spot-these-cognitive-biases-to-make-you-smarter-4649a82b5a6c. Accessed 22 November 2018.
Karau, S. J., & Williams, K. D. (1997). The effects of group cohesiveness on social loafing and social compensation. Group Dynamics: Theory, Research, and Practice, 1, 156–168.
Kelman, H. C. (1958). Compliance, identification, and internalization: three processes of attitude change. Journal of Conflict Resolution, 2, 51–60.
Kent Baker, H., & Puttonen, V. (2017). Investment Traps Exposed: Navigating Investor Mistakes and Behavioral Biases. Bingley, UK: Emerald Publishing.
Leitl, M. (2007). Social Loafing? Harvard Business Manager. http://www.harvardbusinessmanager.de/heft/artikel/a-622728.html. Accessed 20 November 2018.
Lermer, E., Streicher, B., & Sachs, R. (2014). Psychologische Einflüsse II: Risikoeinschätzung in Gruppen. https://www.munichre.com/site/corporate/get/documents_E399088179/mr/assetpool.shared/Documents/0_Corporate_Website/1_The_Group/Focus/Emerging-Risks/2013-09-emerging-risk-discussion-paper-de.pdf. Accessed 20 November 2018.
Manktelow, J. (2005). Mind Tools. Essential skills for an excellent career (4th Ed.). Swindon, UK: Mind Tools Ltd.
McCann, D. (2014). 10 cognitive biases that can trip up finance. CFO.com. http://ww2.cfo.com/forecasting/2014/05/10-cognitive-biases-can-trip-finance. Accessed 20 November 2018.
Memon, A. A., Vrij, A., & Bull, R. (2003). Psychology and Law: Truthfulness, Accuracy and Credibility (2nd Ed.). Chichester: Wiley.
Milgram, S. (1965). Some Conditions of Obedience and Disobedience to Authority. Human Relations, 18 (1), 57–76.
Montibeller, G., & von Winterfeldt, D. (2015). Cognitive and motivational biases in decision and risk analysis. Risk Analysis, 35 (7), 1230–1251.
Moscovici, S., & Zavalloni, M. (1969). The group as a polarizer of attitudes. Journal of Personality and Social Psychology, 12 (2), 125–135.
Moskaliuk, J. (2013). Warum Gruppen falsch entscheiden. https://www.wissensdialoge.de/hidden_profile. Accessed 20 November 2018.
Murata, A. (2017). Cultural Difference and Cognitive Biases as a Trigger of Critical Crashes or Disasters – Evidence from Case Studies of Human Factors Analysis. Journal of Behavioral and Brain Science, 7, 399–415. https://doi.org/10.4236/jbbs.2017.79029.
Redman, T. C. (2017). Root Out Bias from Your Decision-Making Process. Harvard Business Review. https://hbr.org/2017/03/root-out-bias-from-your-decision-making-process. Accessed 11 December 2018.
Rees, M. (2015). Business Risk and Simulation Modelling in Practice: Using Excel, VBA and @RISK. Chichester: John Wiley & Sons.
Scherrer, M. (2018). Menschlicher Faktor im Risikomanagement. Bachelor Thesis, Lucerne University of Applied Sciences and Arts.
Sharot, T. (2011). The optimism bias. Current Biology, 21 (23), R941–R945.
Shefrin, H. (2016). Behavioral Risk Management. Managing the Psychology That Drives Decisions and Influences Operational Risk. New York: Palgrave Macmillan.
Sing, R., & Ryvola, R. (2018). Cognitive Biases in Climate Risk Management. https://reliefweb.int/sites/reliefweb.int/files/resources/RCRCCC%2Bcognitive%2Bbiases_5%2Bshortcuts.ppd. Accessed 18 January 2019.
Smith, E. D., & Bahill, A. T. (2009). Attribute Substitution in Systems Engineering. Systems Engineering (January 2009), 1–19.
Stangor, C. (2014). Principles of Social Psychology – 1st International Edition. https://opentextbc.ca/socialpsychology/. Accessed 29 January 2019.
Stasser, G., & Titus, W. (1985). Pooling of unshared information in group decision making: Biased information sampling during discussion. Journal of Personality and Social Psychology, 48 (6), 1467–1478.
Sun, Y., & Wang, H. (2010). Gambler’s fallacy, hot hand belief, and the time of patterns. Judgment and Decision Making, 5 (2), 124–132.
Tentori, K., Crupi, V., & Russo, S. (2013). On the determinants of the conjunction fallacy: probability versus inductive confirmation. Journal of Experimental Psychology, 142 (1), 235–255.
Tetlock, P. E., & Gardner, D. (2015). Superforecasting: The Art and Science of Prediction. New York: Crown Publishers.
The Decision Lab (n. d.). Affect Heuristic. https://thedecisionlab.com/bias/affect-heuristic/. Accessed 11 December 2018.
Tversky, A., & Kahneman, D. (1973). Availability: A heuristic for judging frequency and probability. Cognitive Psychology, 5 (2), 207–232.
Wolf, R. F. (2012). How to Minimize Your Biases When Making Decisions. https://hbr.org/2012/09/how-to-minimize-your-biases-when. Accessed 21 November 2018.
© Springer Fachmedien Wiesbaden GmbH, part of Springer Nature 2019
S. Hunziker, Enterprise Risk Management, https://doi.org/10.1007/978-3-658-25357-8_3
3 Creating Value Through ERM Process
Contents
3.1 Balance Rationality with Intuition 50
3.2 Embrace Uncertainty Governance as Part of ERM 52
3.3 Collect Risk Scenarios 54
3.3.1 Identify Sources, Events and Impacts of All Risks 55
3.3.2 Develop an Effective and Structured Risk Identification Approach 56
3.3.3 Identify Risks Enterprise-Wide 57
3.3.4 Treat Business and Decision Problems not as True Risks 59
3.3.5 Don’t Let Reputation Risk Fool You 61
3.3.6 Focus on Management Assumptions 64
3.3.7 Conduct One-on-One Interviews with Key Stakeholders 76
3.3.8 Complement with Traditional Risk Identification 83
3.4 Assess Key Risk Scenarios 90
3.4.1 Identify Key Risk Scenarios 91
3.4.2 Quantify Key Risk Scenarios 102
3.4.3 Support Decision-Making 114
3.4.4 Differentiate between Decisions and Outcomes 115
3.4.5 Overcome the Regulatory Risk Management Approach 115
3.4.6 Overcome the Separation of Risk Analysis and Decision-Making 116
3.4.7 Assess Impact on Relevant Objectives 118
3.4.8 Avoid Pseudo-Risk Aggregation 120
3.4.9 Develop Useful Risk Appetite Statements 121
3.4.10 Make Uncertainties Transparent and Comprehensible 128
3.4.11 Exploit the Full Decision-Making Potential of ERM 133
3.4.12 Align ERM with Business Planning 136
3.4.13 Replace Standard Risk Reporting 141
3.4.14 Disclose Risks Appropriately 145
3.5 Assess and Improve ERM Quality 149
3.5.1 Test ERM Effectiveness Appropriately 149
3.5.2 Increase ERM Maturity Level 153
References 158
Learning Objectives
When you have finished studying this chapter, you should be able to:
• differentiate between intuition and rationality
• know how the ERM process works
• explain how ERM can add value to the company
• assess risks and develop quantified key risk scenarios on your own
• understand the importance of integrating risk information into decision-making processes
• assess the maturity level of an ERM programme
3.1 Balance Rationality with Intuition
In practice, many company decisions are based on both intuitive and rational input, often
with different weights between them. Effective ERM should be designed to reduce the
intuitive and increase the rational input into decision-making processes. It goes without
saying that fully intuitive, qualitative procedures in risk management are not capable to
improve rational decision-making. However, risk management itself is prone to many
well-known motivational and cognitive biases (Chap. 2) and relies often on informal,
intuitive assessments. Such unstructured risk assessments comprise high portions of gut
feel, professional experience and suffer from transparent, objective decision criteria. In
addition, intuitive assessments often lack the consideration of diverse opinions within
the company which could increase reliability. Intuitive approaches to risk management
and subsequently to decision-making may not be wrong or are even highly efficient and
effective under certain circumstances. In situations, where decision-makers face frequent
and insignificant or urgent decisions for which they have many years of relevant experi-
ence, intuitive decisions may be indeed the best choice (see similar Rees 2015, p. 7).
We have to pay attention to the use of the term “rational”. It may be misleading in the context of ERM. Amongst many other definitions, “rational ERM” focuses on “accuracy of beliefs” and the full exploitation of the best available information. Intuition is usually understood as a decision-making process that relies on non-conscious and rapid recognition of associations and patterns to make affective judgements (Dane and Pratt 2007). In this respect, a person or a group who does not act rationally has beliefs (e.g. about the impact and probability of a specific risk) that do not fully consider all relevant information at hand and do not follow a linear, step-by-step and analytical process which can be explained ex post (Simon 1987). Thus, even best-practice rational ERM is prone to subjective and intuitive risk assessments. However, rational ERM aims at reducing subjectivity and intuition as far as possible.
For the purpose of this textbook, we define rational risk management as the approach to
• consciously decrease the impact of cognitive and motivational biases on risk assessments as much as possible
• collect as much relevant information as possible (Dean and Sharfman 1996)
• rely on structured, step-by-step risk analysis methods such as scenario analysis
• quantitatively assess and aggregate key risks and assess the effect on key success metrics to identify interdependencies between risks
• combine intuitive input (management judgement) with objective, data-based input where appropriate
• increase transparency of decision criteria (make decisions reproducible)
• apply rules which are known to work analytically (e.g. cause-effect analysis)
• accept decisions that are mainly based on intuition where appropriate.
Clearly, in practice, intuition in decision-making processes overrides rational ERM many times. Even if the results of a “rational risk analysis” unambiguously contradict the gut instinct of management or board, decisions are made anyway, arguing that the risk analysis may be wrong (e.g. pseudo-accuracy of risk quantification) or at least omitted relevant factors and uncertainties. Another reason not to use rational input is that creating “rationality” is time-consuming, costly, may be considered too complex and is not in line with how the human brain is wired (fast and intuitive decisions). In other situations, intuition and rationality can create a paradoxical tension because these two approaches are fundamentally different and inconsistent. Thus, their conjoint application may result in tensions. This tension may be resolved in a less than ideal way, e.g. a rational manager may disregard intuition because of its biases and focus solely on rational and analytical procedures (Calabretta et al. 2016, p. 4). Eventually, management judgement cannot be fully replaced by the “best” rational decision-making tools. Complex and rare risk events, for example, cannot be fully captured by any formal risk analysis and still need a considerable amount of intuition and judgement by the decision-maker.
After all, rational risk analysis is designed to reduce well-known biases in risk analysis activities and to support an adequate balance between intuitive and rational approaches in significant decision-making processes. In that sense, formal risk analysis in an ERM approach can support decisions by developing reasonable quantitative risk scenarios which cover the full range of potential future outcomes and, ultimately, increase the decision quality by challenging strategically relevant management assumptions. Increased decision quality in turn can enhance performance (e.g. increase in company value) by selecting promising projects, investments and efficient risk mitigation measures (Rees 2015, p. 19).
3.2 Embrace Uncertainty Governance as Part of ERM
Too often, risk management is primarily understood as a regulatory approach which aims at safeguarding corporate value. However, this approach does not go far enough from a modern corporate governance perspective. Good corporate governance not only focuses on asset protection, but also on increasing corporate value (Filatotchev et al. 2006). This requirement is fully in line with the modern ERM approach, which is ultimately geared to increase corporate value. In traditional risk management, the focus is on securing processes and systems; the support of value-creating decision-making processes is left to management. In this traditional sense, risk management is not a very creative management tool and is hardly concerned with the future development of the company. It essentially deals with the efficiency of established processes and projects and with compliance with laws and regulations. In addition, traditional risk management predominantly cares about “well-known” risks for which a sufficient data basis exists or for which the company has enough experience to assess them by means of probabilities and impact, e.g. financial risks.
It immediately becomes clear that traditional risk management fails in rare, unique and complex decision-making situations. New projects or major investments in new products, the expansion into new markets and mergers and acquisitions, for example, are often excluded from traditional risk management because it is not able to methodically deal with this type of complexity and high uncertainty regarding probability of occurrence and impact. If successful, these complex decision-making situations all contribute to an increase in company value. Precisely this is the claim of modern ERM: to create value. How can this gap between traditional, value-preserving and modern, value-enhancing ERM be closed? To put it simply, one answer is that companies have to promote good uncertainty governance (see Casas i Klett 2008, pp. 26–30). What does that mean? A basic distinction can be made between the terms uncertainty and risk. In traditional risk management, it is often implicitly assumed that risk or the underlying probabilities are reasonably measurable. This means that decision-makers have a priori knowledge of the distribution of probabilities, e.g. based on historical data. Uncertainty, on the other hand, is qualified as not measurable and highly subjective and is therefore not suitable as a rational decision criterion.
Uncertainty governance is based on the theory of behavioural economics, which was founded by the two famous authors and researchers Kahneman and Tversky. It stipulates that subjective assessments in decision-making situations can be a misleading guide. As a result, decisions under uncertainty may become even more uncertain due to the human factor. This contradicts the main requirement that risk management reduces the uncertainty associated with decision-making processes. Does this mean that complex, potentially value-adding decisions should not be made from a risk management perspective? The following arguments would argue in favour of this:
• Lack of data to reasonably assess probabilities
• No previous experience with comparable decision-making situations
• Human assessments are subject to different biases
• Outcomes are highly uncertain.
Certainly not. Such decisions must be made in order to create corporate value. It is difficult to imagine companies that reject all potentially value-creating projects and investments because no reliable risk assessment (i.e. one with a priori knowledge of the probabilities of success) is possible. Such decisions, when carefully prepared, can lead to high growth and added value in a positive case. They are thus definitely necessary. Can this problem be reconciled with the modern ERM approach? Are decisions that have unmeasurable and often low probabilities of success compatible with risk management? The answer is clearly yes. ERM can methodically support the conscious handling of uncertainty; there is no contradiction. Accordingly, modern ERM implies appropriate uncertainty governance.
In principle, risk management can also be valuable in such complex decisions involving a high degree of uncertainty. Uncertainty governance also means that larger losses are accepted if the decision quality was high at the time the decision was taken. Modern ERM can make the following important contributions to increasing the quality of decisions:
• Firstly, it is important to recognise and transparently disclose that such decisions are indeed highly risky and that, if successful, the company can make significant progress (to be defined differently depending on the company context). In the event of a loss, however (e.g. a product launch fails), the entire investment can become worthless.
• With the methods of modern ERM, various plausible (e.g. very pessimistic) scenarios can be developed despite high uncertainty and lack of data. These scenarios show openly and transparently that the degree of uncertainty is high and that one specific probability of occurrence cannot be assigned meaningfully. A better way to deal with that issue is to introduce probability ranges, which are capable of expressing the degree of uncertainty transparently and quantitatively.
• Modern ERM seeks to increase rationality by using measures to reduce cognitive and motivational biases (see Chap. 2).
• Modern ERM focuses on the human being. Leadership qualities and human judgement are regarded as valuable sources of risk assessment and scenario development.
Somewhat different from Casas i Klett (2008), we do not consider risk management and uncertainty governance as two different main concepts of corporate governance in this textbook. These concepts only remain fully different if risk management is understood in its traditional form as a regulatory monitoring instrument to protect the value of the company and to ensure process and system efficiency. But the boundaries dissolve when we talk about ERM. This approach combines the best available data and information for risk assessments. In some cases, these are large amounts of financial data that allow simple derivation of probability distributions. In other cases, risk management increases the decision quality of risky, value-enhancing investments and projects by processing people’s assessments and judgements in the best possible way (i.e. largely unbiased) into plausible risk scenarios. Figure 3.1 summarises our understanding of risk management and uncertainty governance. It draws on the basic considerations of Casas i Klett (2008), but has been adapted to the extent that uncertainty governance is not understood as an independent main concept, but as an integral part of the modern ERM approach.
3.3 Collect Risk Scenarios
Key risk identification is the very first and critical step in the ERM process, which is a continuous, enterprise-wide and integrated process. Risks are identified by source, for a certain timeframe, and for each of the different risk categories. The result of that step is an inventory of all key risks. It is important that a risk manager is aware of the critical practical challenges before starting the process.
Fig. 3.1 Uncertainty governance as a part of ERM. [Figure: under the heading Corporate Governance, the Modern ERM Approach spans two columns. Traditional Risk Management: risk; data-driven, regulatory-driven; protecting firm value; securing and monitoring processes, systems. Uncertainty Governance: uncertainty; subjective judgement of executives; increasing firm value; people-driven, creativity-driven.]
3.3.1 Identify Sources, Events and Impacts of All Risks
In risk assessments (personal interviews, risk workshops or the request to fill in a template), many people tend to think about the (financial) consequences of risks first: What happens if a risk occurs? What impact does it have on my area of financial responsibility? For example, what is the potential impact on liquidity (e.g. excessive inventories), earnings (e.g. bad debt losses) or costs (e.g. development of new services)? Of course, every risk (independent of its source) has financial consequences and is often incorrectly categorised as a “financial risk”. In particular, people with a strong financial mindset (e.g. financial analyst, CFO) are prone to that way of thinking about risks. However, from an ERM perspective, the identification of the risk sources is far more relevant for the development of effective, preventive risk mitigation measures. What may cause a risk to occur? Where must preventive measures be implemented to prevent financial impact (e.g. shortening storage periods, introducing debt recovery, carrying out market analyses)? Thus, risks must be developed in the form of a plausible story, i.e. in a so-called cause-effect chain. The cause at the very beginning of that risk story is often the starting point for defining effective risk mitigation strategies.
For example, the risk of a ratings downgrade is often found in the risk registers of companies funded with public debt. However, a ratings downgrade may be seen as a risk event, which is embedded in a story of different causes and impacts. In this case, poor relations with the rating agency or a poorly executed strategy may be the sources of that risk. Of course, debt ratings determined by rating agencies may have a positive or negative impact on capital costs, and thus also have a financial impact (effect). Another risk story, based on an everyday life situation, is displayed in a simple tool for visualising such cause-effect stories called bow-tie analysis (see Fig. 3.2).
The risk events can be found in the middle of the bow-tie diagram. An overtired taxi driver collides with stones on the motorway, skids and overturns. The incident is recorded by the media, which puts the taxi company in a bad light. In addition, legal requirements are violated, because the taxi driver did not have a sufficiently long recovery time before his drive. On the left side of the bow-tie, the possible causes that led to these incidents are listed. The rockfall, the poor visibility due to rain and twilight, a broken headlight and an overtired, sickly taxi driver are responsible for this collision. On the right part of the display, we can see the consequences of this accident. As we can easily recognise, the risk story always ends with financial losses. Fines and insurance deductibles become due. Due to the damage to their reputation, customers switch to a competitor, which leads to lower revenues.
The lessons learned from these two examples are clear: Although both risks ultimately lead to negative financial impact, they are not financial risks. The causes of both risks lie in the operational and strategic environment. These risks must be categorised accordingly, otherwise sources and impacts of risks are confused and thus the consistency of the risk identification and risk categorisation process is violated.
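The two risk stories above as a small bow-tie model, added here as an illustration and not code from the book: the risk category is derived from the sources on the left of the bow-tie, and a register entry that files the risk under its financial effect is flagged. The source label attached to each cause and the "financial" marker on each impact are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List


@dataclass
class Cause:
    description: str
    source: str  # where the cause originates; the labels are an assumption, not the book's taxonomy


@dataclass
class Impact:
    description: str
    financial: bool  # True for the "€" boxes in Fig. 3.2, i.e. a money loss


@dataclass
class BowTie:
    name: str
    causes: List[Cause]    # left side: where preventive measures attach
    events: List[str]      # middle: the risk events of the story
    impacts: List[Impact]  # right side: the consequences, ending in financial loss


def risk_category(bt: BowTie) -> str:
    """Categorise the risk by its sources (left side), never by its financial effects."""
    if not bt.causes:
        raise ValueError("a bow-tie needs at least one cause")
    counts = Counter(c.source for c in bt.causes)
    # Most frequent source wins; on a tie the strategic source is preferred, because
    # the text treats strategic risks as the most important category (Sect. 3.3.3).
    preference = ["strategic", "operational", "financial"]
    rank = lambda s: -preference.index(s) if s in preference else -len(preference)
    return max(counts, key=lambda s: (counts[s], rank(s)))


def check_register_entry(bt: BowTie, registered_as: str) -> List[str]:
    """Return the inconsistencies the lessons of Sect. 3.3.1 would flag for a register entry."""
    findings = []
    derived = risk_category(bt)
    if registered_as != derived:
        findings.append(f"{bt.name!r} is registered as {registered_as!r} but its sources are "
                        f"{derived!r}: sources and impacts have been confused")
    if not any(i.financial for i in bt.impacts):
        findings.append(f"{bt.name!r} has no financial impact: the risk story is not told to its end")
    return findings


def preventive_points(bt: BowTie) -> List[str]:
    """Where preventive measures must be implemented: at the causes, not at the € boxes."""
    return [c.description for c in bt.causes]


def render(bt: BowTie) -> str:
    """Plain-text bow-tie in the column layout of Fig. 3.2 (causes | events | impact)."""
    rows = max(len(bt.causes), len(bt.events), len(bt.impacts))
    lines = [f"{'Causes':<26}{'Events':<22}Impact"]
    for i in range(rows):
        cause = bt.causes[i].description if i < len(bt.causes) else ""
        event = bt.events[i] if i < len(bt.events) else ""
        impact = ""
        if i < len(bt.impacts):
            impact = bt.impacts[i].description + (" €" if bt.impacts[i].financial else "")
        lines.append(f"{cause:<26}{event:<22}{impact}")
    return "\n".join(lines)


# Constructed sample data: the two risk stories from the text.
TAXI = BowTie(
    "Taxi collision",
    causes=[Cause("Rocks on street", "operational"), Cause("Broken headlight", "operational"),
            Cause("Sick driver", "operational"), Cause("Low visibility", "operational"),
            Cause("Driver fatigue", "operational")],
    events=["Obstacle overlooked", "Collision", "Tipping", "Media coverage", "Regulatory breach"],
    impacts=[Impact("Car passenger injury", False), Impact("Taxi damage", True),
             Impact("Reputation impact", False), Impact("Reduced revenues", True),
             Impact("Fines", True), Impact("Compensation", True)],
)

RATINGS = BowTie(
    "Ratings downgrade",
    causes=[Cause("Poor relations with the rating agency", "strategic"),
            Cause("Poorly executed strategy", "strategic")],
    events=["Ratings downgrade"],
    impacts=[Impact("Higher capital costs", True)],
)

if __name__ == "__main__":
    for bt in (TAXI, RATINGS):
        print(render(bt))
        print("category by source:", risk_category(bt))
        # Registering the story as a "financial risk" is the mistake the text warns about.
        for finding in check_register_entry(bt, "financial"):
            print("finding:", finding)
        print()
```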
3.3.2 Develop an Effective and Structured Risk Identification Approach
In practice, many risk management systems lack a well-developed and well-structured approach to risk identification. Failure to apply a structured and well-developed risk identification process can lead to serious problems:
• Risk identification is not linked to the achievement of business objectives and is created only for the sake of a risk inventory
• Relevant key risks with a major impact on business objectives are not identified
• Uncoordinated risk identification leads to higher costs and less credibility of the overall ERM programme
• Risk identification is too operationally focused and not strategically oriented enough, i.e. risks are considered only after plans and strategies have been approved by management and major decisions have been made
• Relevant stakeholders of ERM are not involved, leading to lower acceptance of overall ERM
• Best available sources for risk information are not considered
• Risk identification is too narrowly focused on internal risks (no environmental scanning)
Fig. 3.2 Bow-tie analysis: separation of causes, events and effects (adapted from Protecht 2013). [Figure: Causes: rocks on street, broken headlight, sick driver, low visibility, driver fatigue. Events: obstacle overlooked, collision, tipping, media coverage, regulatory breach. Impact: car passenger injury, taxi damage (€), reputation impact, reduced revenues (€), fines (€), compensation (€).]
ERM is a strategic management tool that has to deal with strategy-relevant risks and opportunities. A systematic and “as complete as possible” risk identification can be achieved by considering and combining various tools and taking into account external and internal perspectives. A clever filter function within the risk identification process prevents minor, non-relevant risks from being included in the subsequent risk assessment process. All the following information and explanations within the risk identification paragraph serve to make risk identification more effective and efficient and thus to create a basis for credible ERM that is accepted by the company and creates value.
3.3.3 Identify Risks Enterprise-Wide
Many companies have already implemented a kind of enterprise risk management and declare it accordingly as “ERM” in their annual reports. If you take a closer look, however, risks are not always identified, assessed and managed enterprise-wide. In some cases, business areas are completely excluded from risk analysis, sometimes the focus is only on financial or operational risks, and sometimes only risks that have their sources internal to the company are identified. There are basically five reasons why companies fail to implement ERM enterprise-wide. These reasons are depicted in Fig. 3.3 and are subsequently described below (see similar Segal 2011, pp. 25–27).
Fig. 3.3 Reasons not to implement ERM enterprise-wide. [Figure: an organisation chart with Board and CEO above Divisions Product X, Y and Z, each with R & D, Marketing and Finance, annotated with the five reasons: Profitable Business Unit, Excluded Business Unit, Missing Strategic Focus, Missing External Focus, Financial Risk Focus.]
1. Profitable Business Unit: Companies can be deliberately reluctant to perform an in-depth risk analysis in areas of business that are very profitable, fast-growing and may be capable of offsetting less profitable business units. Often risk management is still perceived as a “business barrier” because only the downside risk is addressed. This may give cause for concern that a thorough risk analysis could slow the growth and profits of the successful business unit. Thus, it may be the case that management implements ERM first in areas that are less critical to the company’s financial performance.
2. Excluded Business Unit: Very often, risk management implementation is started with a pilot project (e.g. with a first business unit), followed by an enterprise-wide, step-by-step roll-out plan. However, this can lead to the roll-out being repeatedly delayed due to other priorities. The result is an incomplete ERM implementation. In many companies, risk management does not enjoy top priority on the management agenda. Often, scarce resources or other promising, directly profitable projects are more important and urgent than ERM.
3. Missing strategic focus: The focus of risk management often lies on the operational area of the company. Paradoxically, the management of operational risks is equipped with relatively high resources (e.g. process risk management, internal control systems), while a full integration of strategic risks into the ERM is often missing or is methodically implemented at a significantly lower level (e.g. only qualitative, informal risk assessments). Numerous studies clearly show that strategic risks should be the most important risk category for the non-financial industry (Segal 2011, p. 29). For example, significant company value losses are primarily attributable to the occurrence of strategic risks, not to operational or financial risks. There are three important reasons why companies often fail to treat strategic risks holistically and as a priority. Firstly, companies often lack methodological knowledge of how strategic risks can be quantitatively assessed, which means that the analysis often remains at an unstructured, qualitative level. Secondly, it is argued that strategic risks are too complex to be assessed and that no data is available. Thirdly, risk managers often have no access to the strategy document or are not invited to the strategy table at all. This may be related to the too low hierarchical position of the risk manager. He or she is often not a member of management and thus not directly involved in strategic issues.
4. Missing external focus: Experience shows that ERM often has a strong internal focus. This means that risks are identified by internal subject matter experts and internal risk owners. This leads to a risk identification that primarily captures risks internally (risk source is within the company). Many risk owners identify risks for their specific, internal area of responsibility, which are then aggregated and reported to management and board. A structured analysis of the environment for the purpose of risk identification using simple tools such as PEST analysis is missing. Many significant risk sources actually emerge outside the company. Of course, ERM is not designed to accurately predict the future concerning political, economic, social and technological developments and the corresponding risks and opportunities. Nobody owns a working crystal ball. However, an analysis of the environment can help to identify some potential risks and opportunities as early as possible that could arise from the environment. Risk-related information from the WEF’s global risk report, the analysis of surveys and studies on emerging risks, reading professional journals, attending risk management related research conferences, exchanging information in risk management associations, and analysing risk disclosures in annual reports or in SEC filings (Form 10-K), for example, can all help in this.
5. Financial risk focus: Historically, risk management has evolved from insurance and financial risk management. Many sophisticated quantitative methods for risk assessment have been known for more than half a century. To this day, many education and training programmes are specialised in financial risk management. Many courses in the area of financial management also focus on risk management, but primarily from a narrow financial perspective. Thus, today we face the problem that many prospective risk managers bring a strongly finance-oriented mindset into the company. Unfortunately, methods and techniques of risk identification and risk assessment used in financial risk management cannot easily be transferred to other risk categories (especially strategic risks). As a result, many risk management systems focus on the financial risk category due to the missing knowledge and the educational background of risk managers.
3.3.4 Treat Business and Decision Problems not as True Risks
It is clear that in many risk management workshops or in one-on-one interviews with the risk manager, not only true risks (see definition in Sect. 1.3) are identified. Many of the risks articulated in risk identification endeavours tend to concern existing weaknesses or concerns about unfavourable conditions in the company (Rees 2015, p. 34). At the operational level, for example, an inadequate and inefficient business process can be mentioned. Since a business line manager perceives a deviation from his or her expected efficiency level, this gap is often classified as a “business risk”. Of course, a vast amount of measures can now be discussed to close this gap and make the process more efficient, e.g.:
• Process re-design
• Assign accountability of the process to one single person
• Increase IT support of the process
• Focus on few and most important key controls
• Reduce non value-creating process activities (getting rid of activities that waste time
and resources)
• Outsource that specific process to increase overall efficiency.
It is important for risk managers to know that the current low efficiency level of a process per se is not a risk, but a business problem. The true risk according to our risk definition in this example lies in the fact that the planned actions to improve the process efficiency do not have the desired effect (remember: deviation from what was expected or planned is risk).
At the more strategic level, for example, the low growth rate of a new business area
can pop up in a risk workshop. Again, many potential actions can be taken to improve
the growth rate to an expected or ideal level:
• Closely monitor the competitors
• Create a new marketing campaign
• Invest in talented people
• Increase social media activities
• Tone at the top: Communicate the importance of sales to all employees
• Develop new products or services
The true risk here is not the weak growth rate per se, but again rather that the planned activities do not successfully resolve the issue at hand to a required or expected growth rate level. Of course these business problems may be of great importance for the company, but from a risk management perspective they should not be directly included in the further ERM process. The problems per se are already existing weaknesses and no longer represent risks which may materialise in the future. If, however, corresponding measures are taken to resolve or improve these business problems, new (real) risks may arise in the future. These risks include the aforementioned uncertainty as to whether the planned measures will actually have the expected impact or not.
Another stumbling block of the risk identification process is to distinguish between decision problems and “true risks”. Again, in risk workshops, participants may identify risks in the form of pure decision issues. Let us consider the situation where a manager is concerned about an upcoming decision with regard to the implementation of a new Enterprise Resource Planning (ERP) system. She believes that it might be a risk that this IT project may be rejected due to too low priority. From her perspective, the new ERP system would significantly improve the efficiency of many business processes and ultimately be a competitive advantage. From a risk management perspective, this is not a traditional risk. The reason is that the decision is fully controllable by the company itself, i.e. no unexpected or uncontrollable variability is associated with that decision. An easy test here to assess whether it is rather a decision problem than a true risk is to answer the following question: Does it make sense to assign a probability of occurrence to an alleged risk? If the answer is “no” because the result is fully controllable by the company’s decision, then it is certainly not a true risk. True risks usually have a variability attached to them even if nothing is decided at all. Decision problems only vary in the sense of the difference between the pre- and post-decision state, but they may be as crucial for the success of a company and its risk profile as traditional risks (Rees 2015, pp. 34, 40).
What can we conclude based on that distinction of risks and decision problems? Of course, upcoming business decisions are not meant to be ignored; in fact they must be identified and classified as such for further assessment of the most effective actions to take, which could be either to implement risk measures or to make a business decision. The lesson learned here is to consider not only the volatility of risks and their probabilities in decision-making about mitigation strategies, but also to include potential changes of the baseline (plan) values through different business decision options (Rees 2015, pp. 40–41).
3.3.5 Don’t Let Reputation Risk Fool You
An excellent reputation is crucial for most, if not all, companies. It enhances credibility, loyalty, attractiveness and preference (Bunnenberg 2016). These attributes may have a positive impact on costs and revenues. For this reason, a company’s reputation is a valuable asset to actively manage. However, while there is a broad consensus on the importance of reputation, not a single comprehensive definition has yet been found. According to Fleischer (2015), this is because the question of how reputation is created has not yet been fully answered. As long as there is uncertainty about what actually causes good reputation, it cannot be conclusively defined (pp. 54–55). On the other hand, the lack of a broadly accepted definition is due to the fact that the term has been the subject of scholarly and academic discourse for decades. It has literally been broken down into its individual parts since it has found its way into numerous economic disciplines on the basis of American authors. So far, it has not been possible to combine these individual parts into a definition that is acceptable for all economic disciplines (Kirstein 2009, p. 25). With this knowledge in mind, we agree for the purpose of this textbook on a more recent, evaluation-oriented definition. The following definition is different from many others in the sense that it focuses on a more evaluative definition rather than on a perception-based one. It serves as a good basis for establishing a relationship to reputational risk.
Corporate reputation may be understood as the observers’ collective judgements of a company based on the assessments of the financial, social, and environmental impacts attributed to the company over time (Barnett et al. 2006, pp. 34–36).
Since products and services of many companies hardly differ from each other, 70 to 80% of company value today is created by intangible assets (Eccles et al. 2007). This of course also includes the value of good reputation. Reputation has gained in importance and represents a central success driver of most companies. Particularly in today’s world, companies are primarily regarded as “social organisations”. Companies have long since been understood not only as economic and technical systems, but must also create social acceptance and prestige. Today, economic success is a well-balanced mix of products and social acceptance (Buss 2007, p. 233).
The whole process of creating good reputation is reinforced by globalisation and the associated internationalisation of markets and by industries at the end of their life cycles. These developments pose major challenges for companies. Specifically in difficult times and during economic crises, media interest in stumbling companies is even greater. In addition, the internet and social media can quickly turn a previously local event into a national or even international affair. As the boundaries between the inside and outside world dissolve and the pressure for transparency increases, reputation is becoming increasingly important. Thus, companies with a high reputation are more resilient in surviving crises, as stakeholders perceive the company as less interchangeable (Hillmann 2011, p. 5).
So far we have learned that corporate reputation creates value that needs to be protected or even expanded. Of course, everything that is valuable is also subject to the risk that this value could be negatively impacted. At this point, we must link corporate reputation to reputational risk. Similar to the vast number of different definitions of reputation, no market standard has yet been established for a uniform definition of reputation risk (Deloitte 2015, p. 5). For our purposes, we define reputation risk as follows:
Reputation risk is the risk of unexpected loss due to a change in the observers’ collective judgements of a company based on the assessments of the financial, social, and environmental impacts attributed to the company over time (based on the definition of corporate reputation by Barnett et al. 2006, pp. 34–36).
Reputation risk is a very company-specific risk and varies depending on the product or service the company offers. Some companies are more susceptible and have to expect faster and larger losses of trust than others. For this reason, every company should assess reputation risks differently. Let us briefly consider what the current literature teaches us about what reputation risk is. We are faced not only with disagreement on the definition, but also with disagreement on the characteristics of reputation risk. As Roth (2015) points out, a reputation risk is a so-called secondary risk, with other, preceding risks occurring first. She identified three triggers which can cause reputation risk:
• Non-compliance: Reputation risk can be triggered by non-participation in regulatory trends, for example if unlawful conduct becomes publicly known. Such primary risks can be a breach of tax law, a financial accounting scandal or disregard for environmental regulations (Sieler 2007, p. 6).
• Unethical practices: Violations of ethical and moral rules also increasingly trigger reputation risk (Bunnenberg 2016). Such risks include fraud, corruption and inhuman working conditions.
• Event risks: Finally, unforeseeable events can also impact a company’s reputation. For example, preceding risks can be a hostile takeover bid, restructuring or occupational accidents (Sieler 2007, p. 6).
This understanding of reputation is predominantly found in companies which already have an ERM in place. In these companies, reputation risk is treated as an additional dimension of impact. Another approach to managing reputation risk is to consider it as a separate risk category. As such, reputation risk does not have to be related to other risk categories, or it can even trigger subsequent risks (Chapelle 2015, p. 38; Romeike and Weissensteiner 2015, p. 20). For example, the subsequent risk of not having access to debt capital or problems in personnel recruitment can occur due to a bad reputation (Weissensteiner 2014, p. 35). The literature agrees that reputation risk management is indispensable due to the enormous importance of good reputation as an asset and competitive advantage. Reputation risk must be integrated into the general ERM process.
After having touched on the terms of reputation and reputation risk, we now turn to the main problem of dealing with reputation risk in practice. In most risk inventories, reputation risk is listed as one of the key risks. The problem with this is that reputation per se is not correctly defined as a risk. If we consider the discussion above on the distinction between causes, events and impact, it quickly becomes clear that reputation risks are never properly defined by their sources. Let us have a look at Fig. 3.4.
Reputation risk is an event that can be placed in the middle of a risk scenario developed using the bow-tie technique. First of all, potential sources have to be identified that can lead to a subsequent reputation risk. These sources can often be identified in the operational risk category. Internal embezzlement, poor product quality or the exploitation of employees can be causes that subsequently lead to e.g. criminal prosecution and/or high, negative media attention. These risks themselves may cause a negative impact on reputation, which—in the worst case—can evolve into a strategic risk for the company. The consequences of a reputation risk must also be analysed in detail. Reputation losses can lead to higher capital costs, lower revenues and ultimately lower company value. The final impacts of reputation risk are always financial consequences. Thus, it is of no use to consider reputation as an independent risk per se; it must be embedded in one or more risk scenarios that identify causes and impacts of reputation risk. Reputation risks found in companies’ risk registers are wrongly stated risks because they cannot be managed as such if the sources have not been identified. Accordingly, reputation risk does not lead to concrete actions, as it is not correctly defined in the form of a cause-and-effect analysis that enables a management of that risk.
Fig. 3.4 Reputation risk (bow-tie: causes such as non-compliance, a hostile takeover bid, poor product quality and unethical practices lead to events such as prosecution, media coverage, reputation risk and strategic risk, with financial impacts in the form of cost of capital, reduced revenues, lower company value and fines)
3.3.6 Focus on Management Assumptions
This textbook on ERM does not focus primarily on strategy development and strategy implementation. For these topics, many very good standard textbooks are available (e.g. Barney and Hesterly 2006; Collis and Montgomery 2004). However, we cannot completely do without discussing explicit references to strategic management. A central concern of modern ERM is the integration of risk analysis into strategic activities. In this respect, risk management cannot be separated from strategic management. However, the following explanations on strategic management are clearly geared to the risk management perspective. It is demonstrated at which interfaces and with which methods a risk manager can add value to the classical strategic management processes, which are mainly based on uncertain management assumptions.
One step of utmost importance in implementing a successful ERM programme is to understand the basic strategic risk assessment process and the role of the risk manager within it. Strategic risk assessment should be clearly owned by and embedded in management as an indispensable part of its overall strategic risk management responsibility. Strategic risk assessment is a systematic and ongoing process for assessing relevant risks that could endanger the longevity of a company. Performing an initial strategic risk assessment is a useful activity for management and the board. It is a responsibility that cannot be delegated to lower hierarchical levels. Both the board and management need to understand the company’s strategy and the associated strategic risks. The following sections discuss the distinct steps of risk identification and its practical challenges.
3.3.6.1 Start with Understanding the Business Strategy and Strategic Risk
The development and promotion of strategic risk management processes and competencies within the organisation can create a strong foundation for the improvement of risk management and general corporate governance (Frigo and Anderson 2009). Strategic risk management can also add value to the company by constantly analysing the company’s strategy and the corresponding assumptions, and by proactively developing appropriate measures for countering the most relevant risks that could endanger the achievement of strategic objectives. As a result, the management, the board and the risk manager must challenge all strategically relevant assumptions (by means of both intuitive and rational techniques) to increase the effectiveness of strategic risk management. From an ERM perspective, every risk manager therefore needs a good understanding of the company’s strategy and business model. Thus, the initial step in the risk identification process is to gain a deep understanding of key business strategies, their components and all underlying assumptions. Not all companies have well-developed and well-documented strategic plans and objectives; many companies take a more informal approach to the documentation and articulation of strategic goals. Moreover, surprisingly few companies are capable of clearly stating their strategy and competitive advantage in a few sentences. Collis and Rukstad (2008) point out that “most executives cannot articulate the objective, scope, and advantage of their business in a simple statement. If they can’t, neither can anyone else” (p. 1). Thus, very often, the basic precondition for conducting a strategic risk assessment is (partially) missing. Every company needs to develop an overview of key strategies and business objectives in order to identify specific strategic risks associated with them. This crucial step will also serve as the foundation to align risk management with strategic management. A useful approach which facilitates and provides structure to strategy formulation is suggested by Collis and Rukstad (2008).
Strategic risks are often not quantitatively assessed due to their high complexity and a lack of knowledge and data. Of course, companies usually do not have much experience with the same type of strategic risk over time. Strategic risks usually emerge abruptly and hit many companies only once in their life cycles. In addition, it is challenging for companies to identify, interpret, assess and prepare for such risks. These often low-probability, high-impact risks can escalate quickly, leaving companies confused, paralysed and often prone to error (Deloitte 2017). Strategic risks are proven to be those risks that are most critical to the company’s ability to successfully execute its strategy and achieve its various strategic objectives (Frigo and Anderson 2011). Strategic risks can manifest themselves in various forms, such as pursuing an inappropriate strategy by misjudging the demand for a specific new product. Even with the “correct” strategy, there is the risk of not being able to implement that strategy successfully. Other strategic risks may be missing out on important market trends, fast-changing customer trends and disruptive innovation risk. For the latter strategic risk, an example is described below.
Example
With disruptive innovation, a service or a product displaces established suppliers on the market. As a rule, the offer first penetrates the lower market segment with simple applications and then rapidly gains market share.
Companies tend to innovate faster than customer needs evolve (e.g. from CD to DVD to Blu-ray). As a result, services and products come onto the market that are too expensive and demanding for many people. But they serve the higher levels of their markets and the customers who always want the best alternative. As the margins in these sub-markets are high, the companies achieve a correspondingly high level of profitability.
However, this mechanism for success opens the door to “disruptive innovations” in the lower market segments (e.g. streaming services). Disruptive in this context means addressing new consumers who could not previously afford a service or product. Disruptive companies often start with low margins, small target markets and simpler products compared to existing solutions (see the price of a song on Spotify). Such “disruptive companies” may pose a strategic risk for an established company.
Due to the low margins, they are unattractive for established companies that focus on the upper market segment. This creates space at the lower end for disruptive competitors. Some examples of disruptive innovation, which can lead to disruptive innovation risk for established companies, include (see Clayton Christensen (n. d.)):
Disruptor                  Disruptee
Smartphones                Cellular phones
Discount retailers         Full-service department stores
Retail medical clinics     Traditional doctor’s offices
Streaming service          Compact disc
3D printing                Lathes and milling machines
Cloud computing            On-premises
Mini mills                 Integrated steel mills
An interesting approach to classify sources of strategic risks can be found in one of the very rare papers on strategic risks. Slywotzky and Drzik (2005) developed seven major strategic risk areas. In each of these risk areas, different types of strategic risks can arise:
• Industry risk (margin squeeze, rising R&D or capital expenditure costs, overcapacity, commoditization, deregulation, increased power among suppliers, extreme business-cycle volatility),
• Technology risk (shift in technology, patent expiration, processes that become obsolete),
• Brand risk (erosion, collapse),
• Competitor risk (emerging global rivals, gradual market-share gainer, one-of-a-kind competitor),
• Customer risk (customer priority shift, increasing customer power, overreliance on a few customers),
• Project risk (R&D, IT, business development or M&A failure),
• Stagnation risk (flat or declining volume and weak pipeline).
Of course, the paper published by Slywotzky and Drzik (2005) does not improve strategic risk management in companies per se; rather, it can be used to challenge the company’s own strategic environment and supports strategic risk identification by helping to trigger the right thoughts, e.g. in risk workshops. Having gained a good grasp of the company’s strategy, its businesses and the term “strategic risk”, the risk manager can now advance to the next step on his or her journey to identify all key risks.
3.3.6.2 Collect All Management Assumptions
In practice, many companies face the challenge of not knowing how they can effectively and efficiently identify their most relevant risks. Surprisingly few textbooks on ERM actually present techniques and methods for focused, strategy-relevant risk identification. Checking and questioning all assumptions made at management and board level is the first and most important step of a focused risk identification process (see similarly Sidorenko and Demidenko 2017, p. 86). A risk manager has to elicit and collect assumptions made by management and board on key strategic risks inherent in the company’s strategy and objectives. This step also provides the opportunity to challenge key individuals’ assumptions regarding potential emerging strategic risks. Critical assumptions about developments in the technological, political, social and economic environment (e.g. currencies, market growth, customer behaviour, regulatory framework) can quickly become obsolete. In checking these assumptions, a risk manager can make a valuable contribution through a targeted risk analysis in which he or she can introduce an additional, usually more rational perspective on these assumptions. Most of these management assumptions about the company’s future success are clearly of a strategic nature. These assumptions relate to the strategy development and strategy implementation process. It is thus of crucial importance that appropriate attention is paid to strategic risk management.
The analysis of strategic management assumptions should begin with breaking down strategic objectives into operational objectives and key performance indicators (KPIs). Specifically, in larger companies, strategic objectives are already present in the form of measurable targets and thus serve as a good basis for the risk manager to undertake a risk analysis. Of course, it is of crucial importance that a risk manager has access to the strategy documents (which is not always the case), the financial plan, the business plan and the budget to assess all key assumptions of the management (Sidorenko and Demidenko 2017, pp. 8–9). What remains is the question of how companies can translate strategic goals into measurable, action-oriented criteria. Basically, there are many strategic instruments that cover the interface between strategic and operational focus.
One of the well-known tools is the Balanced Scorecard (BSC). It has a number of structural similarities and interfaces with ERM: the structure of the BSC as a planning, management control and information tool provides an appropriate basis for challenging management assumptions on a more tactical level. Both ERM and BSC are designed to achieve strategic goals. Both management tools consider the strategy from an enterprise-wide perspective and focus on almost all (risk) areas and their critical value drivers. One of the main advantages of the BSC lies in the fact that the recommended maximum number of key measures (“twenty is plenty”) with specific target values are directly derived from strategic objectives. These measures, defined for example as “our revenues are expected to grow faster than those of the strongest competitor in order to foster our market position”, are subject to many uncertainties which require a thorough risk analysis from an ERM perspective (Hunziker et al. 2018, p. 55). Let us consider a concrete example of how a measurable target based on the BSC can serve as a basis to identify assumptions and ultimately identify risks.
Figure 3.5 shows the financial perspective of a balanced scorecard from a ski and hiking company. Within this perspective, several tactical performance indicators have been defined. One of these relates to the sales target. The company aims to achieve a 10% increase in sales compared to the previous year. The minimum acceptable limit is 6%. The sales target must now be subjected to an assumption analysis. This means that the risk manager has to identify all uncertain assumptions for the three product groups Ski, Skiwear and Hiking that could have an impact (positive or negative) on the achievement of this target. Examples of such uncertain assumptions are the expected impact of a marketing campaign, expected inflation rate, expected competitor behaviour and expected weather conditions. From an ERM perspective, all these assumptions are risks with variability attached that need to be collected and analysed as part of the risk identification process step.
Fig. 3.5 Break down of strategic objectives (financial perspective; product groups Skiwear, Skis, Hiking gear)
Strategic Target                 Key Figure                                       Unit   Bottom Tolerance   Target Figure
Increase return on investment    Return on Investment                             %      20.00              30.00
Increase revenue                 Increase of revenue compared to previous year    %      12.00              20.00
Increase contribution margin     Average contribution margin per customer         $      140.00             180.00
Improve cash flow                Average cash flow                                $      40’000.00          50’000.00
Identification of management assumptions (two example product groups shown):
– Customer acquisition (marketing campaign) + 10 %
– Stable exchange rates
– No new competitor
– No inflation
– Good to very good snow conditions
and:
– Customer acquisition + 5 %
– Stable exchange rates
– No new competitor
– No inflation
– Good to very good weather conditions
Management assumption = uncertainties = risks = require risk analysis
3.3.6.3 Use Strategic Tools to Complement Assumption Analysis
Having analysed all management assumptions behind the strategic goals, the risk manager needs to complement strategic risk identification for the sake of completeness. For this purpose, it is strongly recommended to use well-known strategic tools to analyse the business environment more thoroughly. In the following, a number of important and useful strategic management tools which support strategic risk identification will be briefly introduced. Although we know that it is very difficult, if not impossible, to predict the future and to foresee relevant trends, critical risk scenarios can be developed with a careful analysis of the environment. It may thus be worthwhile for companies, despite the high degree of uncertainty, to think about future trends and weak signals which may slowly emerge in the environment, in order to develop (even very negative) risk scenarios based on this environmental scanning and prepare for them. However, such predictions based on environmental analyses partly fail in practice because abrupt and drastic changes (e.g. the US financial crisis in 2007) are often not included in the risk managers’ scenarios (see also Taleb 2007).
The risk manager can significantly contribute to the successful development of the company in this process step, too. Companies need to scan the environment to be capable of understanding external changes and trends in order to develop effective risk mitigation measures to secure the company’s longevity or to increase company value (Choo 1999, p. 21). The previously performed assumption analysis of the strategic objectives can now be supplemented by a general environment analysis (often called “environmental scanning”). New risks that have not yet been discussed can thus be identified, or risks that have already been identified can be enriched with further information from this process step. According to Choo (1999), four different approaches to such environmental scanning to identify new trends and developments can be applied (p. 22):
1. Undirected viewing (sensing). The aim of this first approach is to search the environment as broadly as possible for any unknown developments and trends. There are no clear guidelines for this kind of environmental analysis. It is not a question of tracking down and confirming ex-ante presumed developments or trends. Rather, companies try to gain a sense for possible weak signals or emerging developments. Undirected viewing is a process of detecting and viewing already existing information in a completely unstructured way.
2. Conditioned viewing (sense-making). Compared to undirected viewing, a company looks at information about pre-selected topics, concerns or developments. This is still a largely unstructured procedure, but with a more pre-defined scope within which to look at information. The goal is to assess the potential impact of the pre-selected topics on the company in a cost-effective manner. If the potential risks attached to the presumed developments may be of high importance, the approach can be changed from conditioned viewing to actively searching for further information, the next two steps.
3. Informal search (learning). A company searches actively for further information to get a better grasp of the issue or trend at hand. For example, a potentially very negative risk scenario needs a deeper understanding to be able to assess it more accurately and to formulate any subsequent queries. Informal at this stage means in an unstructured manner and with limited resources. Clearly, the goal of this step is to collect sufficient information to learn whether a specific risk scenario under scrutiny needs any specific course of action by the company or not. If a risk manager perceives that a company needs to decide about the implementation of any preventive risk measures to counter that risk, a more formal search (approach 4) may be required.
4. Formal search (deciding). This last approach aims at finding information in a structured and planned manner. The goal of this fourth approach is to get as much information as needed to decide on a specific course of action, e.g. to decide to preventively mitigate a specific risk. Formal searches are fine-grained, more time-consuming and targeted at using their information for acting and deciding.
The challenge for companies is to find a balance between more limited, well-structured and less limited, unstructured approaches. If the focus is too strong on undirected viewing, it can ultimately become very expensive without finding decision-relevant information. Moreover, with this method the amount of data quickly becomes large and confusing. If the focus is too strong on structured, narrowly limited analyses, there is a danger that relevant trends and risks will not be identified at all (Andersen and Winther Schrøder 2010, p. 148). In essence, there is no best practice as to how such an analysis of the environment should be carried out. The consideration and combination of various established tools from strategic management can be a promising approach. A distinction must be made between general environmental risks, industry risks and company-specific risks. For all of these three layers, corresponding tools are available. As there are very valuable basic strategic management textbooks available, only a few very helpful tools are briefly introduced in this textbook.
Structured Analysis of Competitive Climate
Porter’s five forces model (1980) is a well-known and typical framework for conducting industry analysis, covering different forces such as changing customer preferences, new product developments, industry regulations, process innovations and many more. Furthermore, the tool is adequate to assess the company’s own strategies and the moves of existing and potential competitors with the respective consequences. The following example shows the results of a practical application of the five forces model.
Industry threats and opportunities in ski manufacturing
An analysis of the profit dynamics in the industry can benefit from Porter’s five forces model. The model makes assessments about the industry’s attractiveness based on the effect of five key forces, namely: (1) the threat of new entrants; (2) the bargaining power of buyers; (3) the bargaining power of suppliers; (4) the threat of substitute products or services; and (5) the intensity of competition in the industry. Each of these points is examined below.
1. The risk of new competitors is rather low. The production of skis is utility-intensive, which requires a considerable initial investment. In addition, established competitors have a know-how advantage and a close connection to professional sport. There are smaller ski manufacturers that are pushing their way into the market. However, these only produce small quantities and satisfy a selected segment of usually premium customers. Finally, existing patents of innovative suppliers protect their products from being copied, e.g. a specific ski boot plate.
2. The consumer has comparatively high bargaining power. This is illustrated by the high discounts granted on newer models in the second part of the ski season. Since accessories such as ski bindings and ski pieces can be combined almost at will, the consumer is not tied to a single brand (see, for example, the coffee capsule market). It should not be neglected that skis are usually durable and the purchase decision can be postponed by one or more years. After all, it is easy to change suppliers.
3. Suppliers have only limited bargaining power. Many of the input materials are standard products and are offered by a large number of companies. Since ski manufacturers usually purchase large quantities, suppliers are often prepared to make certain concessions. Because these are standard products with little potential for differentiation, a market price will be established that includes only a small margin.
4. Ski touring, snowboarding or sledging can be regarded as direct substitutes for skiing. In the wider environment, there are numerous winter sports such as cross-country skiing, snowshoeing or ice skating as possible alternatives. The risk of substitution is relatively high. However, consumers often commit themselves to one or more winter sports at a young age and remain loyal to them in the long term.
5. The market is dominated by large suppliers such as Rossignol, Atomic, Salomon, Völkl and Head. The intensity of competition in the ski industry is relatively high, as the products are similar in many respects. The intensity of the market is reflected in the fact that numerous new and revised models are placed on the market every year.
Interestingly, Porter’s five forces model in particular has not established itself well in practice, for example in contrast to SWOT analysis. Grundy (2006) recognises several reasons for this:
• The model is relatively abstract and very analytical.
• The language is relatively technical and micro-economically focused.
• The practical implications are not easy to recognise; the model is relatively difficult to implement.
• The logic of the model is not easy to understand and cannot be easily transferred to the company’s own context (p. 214).
However, the contribution of this model to the practical analysis of the business environment is very high. If the model is somewhat adapted and made more “practical”, it can be very useful for strategic risk and opportunity identification. Notwithstanding all the criticism and limitations of this model (see Grundy 2006, p. 215), it is one of the most important tools for assessing the forces which determine the profitability of an industry.
One aspect in the discussion about the practical relevance of Porter’s five forces model is its dependence on other strategic management tools. A paper by Grundy (2006), which is very valuable for practitioners (e.g. risk managers), shows how the five competitive forces can be embedded as a puzzle piece in a superordinate strategic analysis model. Specifically, it is recommended to combine Porter’s five forces model with a second, also very popular strategic management tool named PEST analysis.
The acronym PEST refers to political, economic, socio-economic and technological factors. By means of this tool, companies are able to assess the general environmental risks which comprise many exogenous factors outside the control of corporate management. It is clearly a useful tool to conduct strategic risk analysis and provides a broad overview of the most important macro-environmental factors to analyse. Several variants have emerged over time; one of the most well-known enhancements is PESTEL, which includes environmental and legal factors. An example of what the results of a PEST analysis could look like is shown below.
Drivers of change in ski manufacturing
Political issues: Numerous safety regulations also apply to ski manufacturers and sportswear manufacturers. High tariffs on individual product groups may reduce the attractiveness of individual overseas sales markets. Environmental associations are more critical of mass tourism in high alpine areas, which may also reduce the attractiveness of skiing.
Economic issues: As the number of skier days tends to decrease due to global warming, more skis are hired instead of bought. It is also to be expected that only high-altitude ski resorts will be profitable in the long term. Lower-lying ski resorts close to conurbations are thus likely to disappear more and more. From a global perspective, growth markets, especially China, Russia and India, will significantly increase the demand for skis, clothing and accessories. The market is highly seasonal and saturated. Especially in spring, consumers expect high discounts.
Social issues: Urbanization is increasing more and more and the possibilities for leisure activities are becoming more diverse. Accordingly, skiing competes with leisure activities that are less weather-dependent. The ageing of the population can potentially act as a brake on growth. In general, Western Europe is sceptical about mass tourism in ski resorts, especially the intensive snowmaking for slopes.
Technology issues: The spread of the Internet makes it possible to make a detailed price comparison between ski and ski equipment manufacturers. In addition, various factors, such as the Internet, are driving the need for individual products. However, there are no signs of any disruptive manufacturing processes or materials. The demand for sustainably manufactured skis is likely to increase.
The growth drivers act as a linchpin between the environmental analysis (PEST) and the industry analysis. If, for example, the environment changes unfavourably, this can lead to growth brakes, which in turn make specific industry forces more relevant (Grundy 2006, p. 217). Figure 3.6 graphically depicts a sort of “onion model” which begins with a PEST analysis and ends with the analysis of the company itself in the competitive environment. This onion model can significantly improve the identification of potential key risks.
Fig. 3.6 Competitive mapping. (own depiction based on Grundy 2006, p. 217) [Figure: onion model whose outer layer shows political, economic, social and technological change; the middle layer the growth driver and the life cycle of the own industry; the inner layer the industry forces: current customers and competitors, new entrants, new substitutes, bargaining power of customers and bargaining power of suppliers]
SWOT Analysis (Andrews 1971)
A company can apply a SWOT analysis in order to conduct a strategic analysis by identifying strengths and weaknesses in the internal company environment on the one hand, and opportunities and threats in the external market environment on the other hand.
3.3 Collect Risk Scenarios
74 3 Creating Value Through ERM Process
It is probably the most well-known strategic analysis tool in theory and practice. The outcome of this strategic analysis can help to identify strategic risk factors. Especially for SMEs, the use of a SWOT analysis is helpful. The fact that it is a very straightforward tool that incorporates both internal and external (uncertain) developments is very valuable. In addition, the SWOT analysis links the relevant problem areas within companies with the corresponding business objectives. In the following, a simple SWOT analysis of a ski manufacturer is illustrated.
Results of a SWOT Analysis (ski manufacturer)
Strengths
• Qualified and long-standing employees who know the processes and products
• Existing customer base that appreciates the quality of the brand
• Own sales channels that reduce dependence on intermediary trade
• Financially less dependent on lenders
Weaknesses
• Lower economies of scale compared to larger competitors
• Awareness strongly limited to the Western European area
• Strong focus on alpine skiing, little experience in the touring ski and snowboard market
• Strong focus on functionality and less known for high quality designs
Opportunities
• Digitization of the ski product and its accessories
• New overseas markets with high growth potential
• Individualization of products (skis, ski boots, bindings, etc.)
• Proximity to the Ski World Cup to benefit from partnerships and feedback
Threats
• Quality risk due to production in Eastern Europe
• Global warming reduces the number of snow kilometres on skis
• Strategically wrong assessment of the attractiveness of skiing
• Entry of a new competitor in the near premium or premium segment
Return Driven Strategy Framework (Frigo and Anderson 2011)
This framework is applied to analyse the components of a company’s strategy. It also
provides an opportunity to see how different elements of the strategy are linked together
and drive value creation. Furthermore, it offers the perspective on the identification of
risk areas in the strategy. The return driven strategy framework has been applied as an
effective technique for the integration of strategic and risk management goals. This tool
consists of eleven core tenets and three foundations that combined establish a hierarchy
of interrelated activities which have to be followed to achieve superior financial perfor-
mance. Executives not only adopt this framework to evaluate strategies but increasingly
use it to identify risk areas as part of the company’s strategic risk assessment.
Strategic Risk Management Framework (Beasley and Frigo 2007)
This tool provides a structured guideline and areas of focus to identify, link and priori-
tise a company’s strategic risks that include for instance customer risk, supply chain risk,
employee engagement risk, reputation risk (remember—not a risk in the strict sense),
innovation risk, financial risk among many others. The elements of the strategic risk
management framework correspond to the tenets of the previously introduced return
driven strategy framework. Hence, the discussion and analysis can be based on the risk
areas of the strategic risk management (SRM) framework associated with the strategy
classification.
VRIO Framework (Barney 2002) and Value-Chain Analysis (Porter 1985)
The application of these tools can help the company deal with risk factors which
are endogenous and caused by the company’s processes, people and technological systems.
Risks such as the inability to observe and react to market changes, operational disruptions
and technological breakdowns are included as well (Andersen and Winther
Schrøder 2010).
3.3.6.4 Risk Identification: Mission Accomplished?
The strategic management tools, such as the classic SWOT analysis, are undoubtedly
valuable tools for identifying and documenting relevant developments in a structured
manner. They can be considered essential tools for any risk manager. Another advantage
of using such tools is that they can build bridges (linguistic and cultural) between corpo-
rate management and risk management. Since these tools were primarily developed from
strategic management, they are widely accepted and known to many in practice. In addi-
tion, these tools are directly linked to long-term future plans as opposed to many other
tools focusing predominantly on short-term, operational issues. It thus makes sense for
risk managers to make use of these tools as well.
However, the process of risk identification is not yet complete in the sense of ERM.
This is illustrated by the example of the SWOT analysis:
• The results are classified into opportunities, threats, strengths and weaknesses. As we
have learned, weaknesses and strengths are not real risks, but already real conditions.
• From an ERM perspective, the opportunities and threats have not yet been classified
or prioritised. At this point, it is still unclear what relative, potential impact they can
have on the company’s objectives.
• It is not yet clear how probable it is that the individual opportunities and threats will
materialise in the future.
• Often, the degree of abstractness in a SWOT analysis is too high. Opportunities and
threats exist in keyword form, but it is unclear which concrete scenarios are behind
them (each opportunity can have several scenarios with different probabilities). From
an ERM perspective, concrete, plausible and comprehensible scenarios would have to
be developed on the basis of the SWOT analysis.
• The SWOT analysis focuses primarily on strategic risk factors. Operational and finan-
cial risks are in most cases (partially) excluded and must be identified using other
instruments.
• Even if a SWOT analysis is performed by relevant stakeholders of an ERM pro-
gramme (management and board level coverage), it does not include all available
information (and thus probably not all strategic risks). A SWOT analysis must be
complemented by other important subject matter experts, internal or external to the
company.
• Group-specific biases (Sect. 2.3) may pose a significant threat to transparent, objective
and comprehensive risk identification by means of SWOT analysis.
The next step in the risk identification process is to conduct qualitative interviews with
key stakeholders to enhance the process of challenging management assumptions and
information gathered by strategic management tools.
3.3.7 Conduct One-on-One Interviews with Key Stakeholders
How can we proceed in practice with effective risk identification, who needs to be
involved and how does the risk manager need to prepare? In the case of an initial imple-
mentation of ERM, it is certainly very advantageous if management, preferably the Chief
Executive Officer (CEO), informs in advance about the relevance of the new ERM. As
is well known, the “tone at the top” is very important so that the corresponding commit-
ment on the part of management is noticeable enterprise-wide.
3.3.7.1 Prefer Interviews Over Templates and Surveys
In practice, it is evident that the supposedly simpler and more cost-effective option of
querying risks via e-mail and ready-made templates does not work. Unfortunately, this
procedure is still practiced relatively frequently. The main reasons why personal inter-
views are preferable to sending templates are the following:
• Low involvement and commitment by the recipients
• Often not taken very seriously because recipients do not know exactly what is hap-
pening to their information.
• The necessary time is often not spent on it. As a rule, such templates are filled out
quickly and with low priority.
• There is a high risk that last year’s list will be copied and that only few creative
thoughts will flow into risk identification.
• The risk manager cannot be asked any questions. The recipient fills in “something” to
the best of his knowledge and belief.
• The risk manager cannot guide the development of complex scenarios. It may not be
possible to reduce relevant cognitive or motivational biases in this way.
Figure 3.7 shows an example of a simple template used in this or a similar way for risk identification purposes. In the subsequent years after ERM implementation, the template will be sent again with the request that the risk owner updates it and adds new risks if necessary. In this textbook, we will completely abandon this approach and show a more effective and beneficial approach.
Fig. 3.7 Example of a risk management template [Figure: a form headed “Risk Management Template” with the header fields Risk owner name, Business Unit and Date, and the columns ID, Risk Title, Risk Impact, Probability of Occurrence, Risk Map Area, Risk Description, Risk Category, Historic Data, Risk Sources, Risk Interdependencies, Mitigation in Place, Effectiveness of Mitigation and Risk Owner; the sample rows carry only ratings such as Low, Medium and High]
The use of one-on-one interviews to complement risk identification is a very impor-
tant step for the following reasons:
• The involvement of employees, department heads, team leaders, etc. creates greater
acceptance for ERM.
• Personal interviews clearly prevent the “not-invented-here” syndrome. Decisions to
introduce new ERM measures are better accepted if employees are involved in the
decision-making process.
• Risks that have not yet been identified (specifically more operational risks) can be
identified. Not all risks are covered by the assumption analysis and strategic environ-
ment analysis.
• The involvement of specific experts (e.g. internal audit, external audit, and external
specialists) on specific topics creates a further perspective.
• The interviews with various ERM stakeholders allow several perspectives on the same
risk and thus promote discourse in the (common) case of divergent opinions.
After this advance information, the risk manager must consider with whom he or she
would like to conduct the interviews. The goal must be to obtain the most representative
(risk) view possible of the entire company. The hurdles and challenges that arise have
already been discussed in Sect. 3.3.2.
3.3.7.2 Select and Inform Interviewees Carefully
Since interviews are resource-intensive, it is important to select the interviewees care-
fully. Who can bring in which risk perspective to represent a specific area of expertise, a
business area or a cross-sectional function? As a rule, only a few interviews are enough
to obtain a company-wide risk profile. Irrespective of the company size, experience has
shown that 10 to 20 interviews may be sufficient in most cases.
Figure 3.8 shows an example of a company that conducts 13 interviews to enable
company-wide risk identification. As can be seen from the organisation chart, differ-
ent hierarchy levels are represented. From the operative business, the risk manager has
selected three experts who have a particularly high level of industry knowledge and can
thus contribute valuable information to possible industry risks. Internal audit can provide
valuable information based on their audit activities. Board members can add to the strate-
gic risk analysis by assessing environmental risks or industry specific risks.
Once the relevant experts have been identified, they should be informed in advance
about the upcoming interviews. It is important that this information contains the follow-
ing elements:
• ERM and its purpose (e.g. enhancing company value, improving decision quality)
• Importance of experts for the success of ERM (valuable experience, significant contri-
bution to risk assessment)
• Information handling (e.g. who receives the interview information? What happens
with this information? What is reported back to the expert? What kind of conse-
quences may the interviewee expect?)
• Importance of interviewees answering honestly and transparently (e.g. creating incen-
tives that promote truthful answers).
• Interview procedure (e.g. duration of interview, recording of interview, identification
of three or five most important risks, assessment of very pessimistic scenarios, devel-
opment of scenarios with the help of the risk manager)
• Acknowledging and reaffirming that the expert is part of the successful business
development.
The next step is now to arrange the individual appointments with the experts. It is impor-
tant to allow enough time for the meeting, especially for the very first one. Experience
clearly shows that, as a rule, too little time is available for more detailed discussions
of individual risk scenarios. The time factor often leads to hasty decisions and poorly
reflected risk assessments.
3.3.7.3 Elicit Feedback on Major Risks
During the interviews, the risk manager must pay attention to the individual biases and
try to minimise them through skilful conversation (Chap. 2). Experience has shown that
interviews should focus on identifying the three or five major risks at most. The principle of “relevance over quantity” applies here. If the expert is asked about the 10 most important risks, there is a danger that he will focus his time on some risks that are highly unlikely to be relevant from an enterprise-wide perspective.
Fig. 3.8 Enterprise-wide risk perspectives [Figure: organisation chart of the 13 interviewees: 2 board members (Board/AC); the management (CEO/CFO/CRO/CTO); the Head of Internal Audit; 3 division managers (Division Product X, Y and Z, each with R&D, Marketing and Finance functions); and 3 experts with experience from the operative business]
If possible, interviews should be recorded electronically and conducted face-to-face.
This allows the risk manager to concentrate better on the conversation, to ask questions
and also to better understand the non-verbal language. After the interview, he or she can
transcribe it in detail and no important information is lost. What can be helpful for the
conversation and as a thought support in risk identification is a sheet of paper showing
the basic structure of a bow-tie diagram. This makes it easier to think through the scenar-
ios in terms of causes, events and impacts. Figure 3.9 shows a corresponding template,
which can be printed out and brought to the interviews. It is important that the risk man-
ager briefly explains the scenario analysis and proactively refers to the causes, events and
impacts in the conversation.
Fig. 3.9 Bow-Tie documents for interviews [Figure: a blank bow-tie template with three columns, Causes, Events and Impact, each with empty lines to be filled in during the interview]
3.3.7.4 Focus on Plausible Stories, not on Numbers
As part of risk identification, it is important to develop risk scenarios that are as plausible and complete as possible and representative of the possible range of uncertainty. Risk identification interviews should start with developing very pessimistic scenarios. Does this not contradict the modern approach according to which ERM can create value for the company? Should not very optimistic, value creating scenarios be developed first? The answer in both cases is no and can be justified as follows:
• It goes without saying that management must know all the scenarios that can endan-
ger the existence of a company. These are scenarios that can lead a company into
over-indebtedness or illiquidity.
• Moreover, the effect of such negative scenarios on relevant performance indicators,
e.g. on EBIT or company value, must be assessed later in order to create a basis for
decision-making on how to deal with these risks.
• If opportunity scenarios are discussed first, this can have a “euphoric” overshadowing
effect. This means that downside risks are then given too little weight and discussed
too little in the subsequent discussion. It is thus always worth starting with the
negative scenarios first.
• As a general rule, scenario development can be used to adequately represent all pos-
sible future realities in the form of a “distribution”. This requires an equal assessment
of pessimistic and optimistic scenarios.
The risk manager should ensure that risk scenarios are developed as completely as possible.
Complete in this context means:
• Are there one or more causes that lead to the risk event? One should not limit oneself
too quickly to the first, plausible cause.
• Are these causes independent of each other or do they only lead to the risk event in
combination? If the causes are independent, two different risks have been identified.
• Are there causes of the causes? The “why” should be asked until the origin of the
cause has been found. Preventive measures are the best way to manage risk.
• What are the consequences of the risk event? Does this event trigger a follow-up risk?
If so, should it be incorporated into this scenario? Correlations with other risks can
already be integrated via scenario development.
• Are there short- and long-term consequences? It is well known that strategic risks in
particular may arise abruptly, but have an impact over several years. These effects
must be taken into account in scenarios.
• In addition, the financial impact of the scenario must be considered. It can have an
impact on different line items in the financial plan.
• Risk scenarios should be as debiased as possible. For example, the risk manager
has to ensure that no hindsight biases are included in the prospectively-oriented risk
scenarios.
In this phase of the ERM process, as already mentioned, the three to five most impor-
tant risks are to be discussed. In addition to the very pessimistic scenario, consideration
should also be given to what a very optimistic scenario (best case) could look like. Two
cases have to be distinguished:
• For many operational (event) risks, there is no actual optimistic scenario according
to our risk definition (deviation from plan). This applies in the case where the plan
anticipates the non-occurrence of a risk. For example, the risk of a flood catastrophe
is not taken into account in the financial plan because the probability of occurrence is
relatively low. The optimistic risk scenario would be: No flood catastrophe occurs. A
better scenario of flood risk, which even generates value, does not exist in this case.
• With strategic and many financial risks, there are realistic scenarios that can turn
out better than expected. These are usually so-called distribution risks, which can
assume several or many realities. For example, a very optimistic scenario could be
that, despite a competitor entering the market, one’s own market position can be sig-
nificantly strengthened because the competitor fails and one’s own company emerges
stronger from this situation.
The reason for capturing not only very negative but also very positive scenarios is the
opportunity of obtaining an initial overview of the ratio between rewarded and unre-
warded risks. Unrewarded risks are events that do not include any opportunity poten-
tial. These include many operational risks such as flooding, fire, machine breakdown.
As a rule, it is not worth taking these risks consciously. In contrast, rewarded risks are
generally associated with potential opportunities, usually strategic or financial (e.g.
interest rates, currencies) risks. This procedure provides an initial indication of which
risks are generally more likely to be avoided or minimised and for which conscious risk-
taking makes it possible to exploit potential strategic opportunities (and to create value
accordingly).
Up to this stage, we have now collected three to five potential risks from each expert.
These are available in the form of very pessimistic scenarios. Where appropriate, very
optimistic scenarios have also been developed. All scenarios have been thought through
by means of the bow-tie technique to the extent that the cause(s) and final financial
impacts on consistent financial performance indicators such as EBIT, cash flow, equity
or company value are known. In order for risk identification to become a consistent and
high-quality process, the following important aspects must be observed:
The following points in risk identification must be considered:
• Only as much information as necessary should be collected by the experts.
This means a fully thought-out scenario per risk with an initial rough esti-
mate of the financial impact is sufficient.
• The scenarios should be developed on a net basis. This means that all existing
risk mitigation measures should be included in the scenario development.
Gross risks are “pseudo risks” that overestimate the exposure and prevent a
realistic risk assessment.
83
• It must be clear what the financial impact refers to, e.g. EBIT, free cash flow
or company value. This performance measure should be used consistently
so that risk scenarios can be compared at later stages.
• An assessment of the probability of occurrence is not yet necessary at this
point. All key risks are basically “rare” events. Frequency losses that can
often occur with a high probability (such as process risks) are generally not
key risks. Potential key risks should therefore be selected exclusively on the
basis of loss potential. Companies must know the absolute loss potential of
each risk, regardless of the probability of occurrence. Diluting the real risk
by calculating an expected value is dangerous and misleading.
• Quality over quantity: Few, but relevant risks should be recorded com-
pletely and comprehensibly.
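As an added illustration (not part of the textbook and not the author's own method), the following Python snippet models bow-tie scenarios for a fictional ski manufacturer with constructed figures and shows why the points above matter: scenarios are quantified on a net basis against one consistent measure (EBIT), the key-risk shortlist is ordered by absolute net loss potential, and an expected-value ranking pushes a rare but severe event (the flood scenario) to the bottom of the list. The class and function names and all sample values are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RiskScenario:
    """One bow-tie scenario: causes -> event -> impacts, quantified on a net basis."""
    title: str
    causes: List[str]
    event: str
    impacts: List[str]
    measure: str                          # performance indicator the impact refers to, e.g. "EBIT"
    gross_impact: float                   # very pessimistic loss before existing mitigation (mCHF)
    mitigation_effect: float = 0.0        # share of the gross impact absorbed by measures in place
    probability: Optional[float] = None   # deliberately optional: not needed to select key risks

    @property
    def net_impact(self) -> float:
        """Loss potential after existing mitigation; the shortlist is based on this figure."""
        return self.gross_impact * (1.0 - self.mitigation_effect)


def incomplete_scenarios(scenarios: List[RiskScenario]) -> List[str]:
    """Titles of scenarios that fail the basic bow-tie completeness questions."""
    return [s.title for s in scenarios if not (s.causes and s.event and s.impacts)]


def check_consistent_measure(scenarios: List[RiskScenario]) -> bool:
    """All scenarios must refer to the same performance measure to be comparable later."""
    return len({s.measure for s in scenarios}) == 1


def rank_by_loss_potential(scenarios: List[RiskScenario]) -> List[str]:
    """Ranking recommended in the text: absolute net loss potential, probability ignored."""
    return [s.title for s in sorted(scenarios, key=lambda s: s.net_impact, reverse=True)]


def rank_by_expected_value(scenarios: List[RiskScenario]) -> List[str]:
    """Ranking the text warns against: probability weighting dilutes rare but severe events."""
    return [s.title for s in
            sorted(scenarios, key=lambda s: s.net_impact * (s.probability or 0.0), reverse=True)]


def shortlist_key_risks(scenarios: List[RiskScenario], n: int = 3) -> List[str]:
    """Candidate key risks: complete scenarios, one measure, ordered by loss potential."""
    if not check_consistent_measure(scenarios):
        raise ValueError("scenarios refer to different performance measures")
    dropped = set(incomplete_scenarios(scenarios))
    complete = [s for s in scenarios if s.title not in dropped]
    return rank_by_loss_potential(complete)[:n]


# Constructed sample scenarios for a fictional ski manufacturer (all figures invented, mCHF of EBIT).
CONSTRUCTED_SCENARIOS = [
    RiskScenario(
        title="Competitor entry in premium segment",
        causes=["global brand expands into alpine skis", "own designs less known for high quality"],
        event="loss of premium-segment market share over three seasons",
        impacts=["lower sales volume", "price pressure on remaining portfolio"],
        measure="EBIT", gross_impact=12.0, mitigation_effect=0.25, probability=0.10,
    ),
    RiskScenario(
        title="Flood at main plant",
        causes=["plant located in river valley", "heavy rainfall"],
        event="production stop of eight weeks in the pre-season",
        impacts=["lost seasonal sales", "repair costs"],
        measure="EBIT", gross_impact=8.0, mitigation_effect=0.5, probability=0.02,
    ),
    RiskScenario(
        title="Late supplier deliveries",
        causes=["single-source binding supplier"],
        event="delayed shipments to retailers",
        impacts=["contractual penalties", "discounts to clear late stock"],
        measure="EBIT", gross_impact=1.5, mitigation_effect=0.2, probability=0.6,
    ),
    RiskScenario(
        title="Warranty rework (process risk)",
        causes=["lamination defects"],
        event="warranty claims above plan",
        impacts=["rework costs"],
        measure="EBIT", gross_impact=0.6, mitigation_effect=0.0, probability=0.9,
    ),
]


if __name__ == "__main__":
    print("by loss potential:", rank_by_loss_potential(CONSTRUCTED_SCENARIOS))
    print("by expected value:", rank_by_expected_value(CONSTRUCTED_SCENARIOS))
    print("key-risk shortlist:", shortlist_key_risks(CONSTRUCTED_SCENARIOS))
```

With these constructed figures the flood scenario is the second largest loss potential (4.0 mCHF net) but has the smallest expected value (0.08 mCHF), so an expected-value ranking would drop it below a routine process risk; the shortlist function also refuses to compare scenarios quantified against different measures and leaves out scenarios whose bow-tie is still missing causes, an event or impacts.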
3.3.8 Complement with Traditional Risk Identification
By means of the assumption analysis and the qualitative interviews, most of the risks
relevant to the company (i.e. decision-relevant risks with reference to specific business
objectives) can usually be identified. Of course, there are numerous other risk identifica-
tion methods that can be useful as a supplement. However, these methods often refer to
rather operational risk management, which is not ERM. This textbook focuses on strat-
egy-relevant, company-wide risk management. For this reason, it does not present indi-
vidual risk identification methods in a comprehensive way. In the following, however, a
few techniques are introduced that are relatively important in practice and can contribute
to supplementing the ERM process.
3.3.8.1 Conduct Risk Workshops Carefully
Workshops bring risk experts from different functions and hierarchical levels together
to exploit the collective knowledge of the group and develop or complete a list of risks
related to the company’s strategy and the corresponding business objectives (COSO
2017, p. 70). Although risk workshops are a very popular instrument to develop and
collect risk scenarios in practice, many of them fail to produce reliable and relevant
risk information. Apart from the well-known biases to counter in group meetings (see
Chap. 2), other common organisational key aspects are often neglected.
Of course, the risk manager should be familiar with current risk policies, risk appetite
statements, risk exposures and all other risk related guidelines. Next, a sound preparation
of a risk workshop is crucial. Ideally, the risk manager contacts all participants of the
workshop in advance to inform about the key objectives of the meeting, e.g. to identify
relevant risks which might have an impact on the company’s strategy. Workshops usu-
ally take more time than planned. It is important to allow enough time for the work-
shop, otherwise decisions could be driven by a lack of time rather than by appropriate
reasons. Moreover, the risk manager should facilitate effective discussion by booking
an appropriate meeting room with round tables. To prevent participants from hiding in the
group and to keep the discussion manageable, the number of attendees should not exceed
eight to ten.
It might be helpful to provide all attendees with an overview of possible risk areas prior
to the risk workshop. This promotes creative thinking and prevents thinking blockades
(empty sheet syndrome). An example of such a risk area sheet is provided in Fig. 3.10.
In addition to the sharing of the risk areas, the risk manager can provide the latest ver-
sion of risk analysis performed, e.g. on strategic management assumptions. This can pro-
mote the relevant discussions right from the beginning of the workshop and is preferable
to starting with a blank risk identification sheet.
Fig. 3.10 Example of possible risk areas. (adapted from Diederichs 2013) [Figure: a sheet of eight risk areas, each with indicators]
Ecology: environmental sustainability (of the products, of the additives, of the production processes), environmental trends
Procurement: prices, conditions, supply volume, quality level, punctuality of suppliers, size of order, order routes
Production: component diversity, occupancy rate, inventories, reject rate, output change, setup times, setup costs
Sales: new orders, backlog, order/purchase behaviour, price/program policy of the competition, image of own and competitor products, complaints rates
Macroeconomics: interest rates, exchange rates, economic indices, union wage level, money supply
Demography: population growth, demographic structure, human resources, unemployment rate
Politics: law preparation, political parties, political stability, election results
Technology: innovations, development of materials, trends of change in production and process technology
At the very start of the workshop, the risk manager should briefly introduce the state of the ERM process, the objectives of the workshop, the relevance of the experts attending the meeting, the planned time schedule and an outlook of the next steps past the risk workshop. During the discussions, the risk manager acts as a facilitator and should be a neutral moderator. The crucial part is to counter specific group biases by e.g. starting with discussing risks prior to opportunities, deliberately eliciting a second solution to every risk assessment, assigning somebody to play devil’s advocate and introducing the difference between business issues and real risks. The role of a moderator can be very challenging. In the following, a few key aspects are to be taken into account:
• Keep a close eye on time management. Focus on high level risk scenario development. Detailed risk analysis including discussing risk mitigation options is very time consuming and could be done afterwards in subsequent interviews with risk owners.
• Make sure that risks are described specifically enough, i.e. develop plausible stories, starting
with risk causes.
• Guide the discussions to external (environmental) risk identification. Usually, the
focus lies too much on internal business issues rather than on external emerging risks.
• Avoid risk management jargon, try to speak business language to increase credibility
and acceptance. Do not ask for probabilities of risks, there is no need to do so at this
stage of the ERM process.
• Do not get into details more than what is needed. As a facilitator, the task of the risk
manager is to lead participants through a process of group knowledge capturing.
• Make sure attendees understand the concept of uncertainty. This is not a single num-
ber, rather a range which expresses the degree of uncertainty. Usually, participants are
reluctant to guess at specific numbers.
• Follow the rules for brainstorming quite closely: Risk managers shall not evaluate any
ideas. The goal is to collect everything first. The discussion of any risks will follow
later.
• For brainstorming to be effective, create a diverse workshop group covering different
areas of business and invite external subject matter experts if useful.
• Appreciate all contributions to risk identification. It is important to create an atmosphere
where no answer is wrong. Risk managers should promote disagreement; this
can enrich the perspectives on existing risk assessments.
• Prepare some good examples of well-developed risk scenarios, explain the differences
between sources, events and impacts.
• If the risk manager thinks that an appropriate number of risk scenarios has been
developed, he or she can switch to the next process step. The risk manager should
summarise all the ideas from the participants in a structured form, specifically
pointing to risks with much disparity. This can be done in a coffee or lunch break.
After the break, the risk manager shares his or her summary with the participants to
start the follow-up session. The aim of this follow-up session is to reach some degree
of consensus regarding the causes and specifically the (financial) impact of risks.
• At the end of the workshop, explain in detail what happens with all the collected risk
scenarios. Risk managers should share the results of the workshops in a comprehensi-
ble way with all participants.
In summary, risk workshops can be a useful complement to the analysis of management
assumptions if the above described success criteria are followed. In practice, certain
biases dominate so greatly that risk workshops are inadequate as the sole instrument for
identifying risks and in the worst case even do more harm than good. In addition, the risk
manager must be highly skilled at moderating such risk workshops.
3.3.8.2 Consider Process-Based Risk Identification
Basically, ERM should not be the driver for process management in the company; there
are more rational reasons for it. However, if a company has already described and visualised
its processes (e.g. ISO 9001), these can be a useful basis for complementing risk identifi-
cation. However, it must be clearly stated that process analyses generally do not produce
any strategy-relevant risks in most cases.
In the context of the introduction of an internal control system, which is primarily
designed for process assurance, process-based risk identification can be a very reason-
able procedure. The first step is to consider which processes should be subjected to a risk
analysis based on relevant criteria (scoping). This can be done on the basis of quantita-
tive (based on balance sheet and income statement items) or qualitative criteria (com-
plexity, importance, criticality). Once the processes have been selected, a risk-based
analysis of the individual process activities is carried out. An example of such an analy-
sis is shown in Fig. 3.11. Together with the risk manager, the process owner can analyse
“what can go wrong” in the individual process activities. If potential process weaknesses
are identified and there is no corresponding effective and efficient process control, this is
an indication of potential risk.
Fig. 3.11 Process-based risk analysis [Figure: an order-to-delivery process chain (order intake, material availability check, capacity planning, purchase order, incoming goods control, warehousing, fabrication, quality control, goods delivery, with branches for material shortfall, special orders, rework and returned goods), annotated at several activities with the question “What can go wrong?”]
3.3.8.3 Use Risk Checklists with Caution
Checklists use the knowledge of other institutions such as risk management associations, universities or consultants. Basically, it is very tempting to use risk checklists that are as comprehensive as possible. This makes risk identification significantly faster and more
cost-effective. In addition, experience from other companies in the same industry can be
used. Such checklists can be supplemented with further, company-specific risks.
It appears that checklists are actually an ideal instrument for risk identification. However, this also entails significant disadvantages:
• Checklists prevent your own thinking or creativity. Risk identification thus quickly degenerates into a ticking-off exercise
• Checklists are incomplete; specifically, company-specific risks are only insufficiently covered
• Many risks on the checklist are not relevant and may thus distract from actual risks
• Checklists only show negative risks; the opportunity potential is not taken into account
• Checklists do not establish a direct reference to business objectives
• Strategic risks can hardly be found on a checklist because they are very company-specific
• Checklists do not always define risks consistently according to causes; often one finds a mix of causes, events and impacts.
Risk checklists should never be used as the sole means of identifying risks. If a company decides to use checklists, they should be used as supplements after the assumption analysis and qualitative interviews have been carried out. Such checklists must not be confused with predefined risk categories. It may make sense, for example, to predefine risk categories for all interviewees in qualitative interviews. This is actually very advantageous in order to achieve a certain consistency in the identification process. Risk categories have a significantly higher level of aggregation than concrete, individual risks. They are more comparable to risk areas; e.g. strategic, operational and financial risks are three broad risk areas. Currency fluctuations of the CHF/EUR currency pair are a concrete risk within the category “financial risks”. Figure 3.12 shows the difference between a risk checklist and a meaningful presetting for, e.g., a risk workshop or a risk interview to trigger the identification of relevant risks within the broader risk categories.
3.3.8.4 Try Fault Tree Analysis (FTA) for Critical Processes and Systems
Fault tree analysis (FTA) has its roots in the aerospace and reactor technology sectors and is mainly used in complex, safety-critical processes and systems. The method was first used in 1961 to investigate a missile launching system. It is used both to search for potential sources of error and to optimise and assess safety. The aim of FTA is the systematic identification of all possible failure combinations, understood as causes that lead to a given result. This includes the creation of a graphical system model in which the undesirable situation is at the top and the possible sources of error are at the base and are linked with Boolean operators.
Following this rather general definition of the FTA, an attempt is now made to establish a link to business risk and quality management. An example of this is product reliability, with the focus on that part of the integrated product lifecycle where manufacturing companies have little impact on products. This corresponds to the period shortly after the market launch, where it will become apparent to what extent the products actually contribute to satisfying the needs of the customers. If an error occurs here, this can have serious consequences for the company. Ideally, product defects and the associated risks are thus already recognised in the development cycle, either in the planning phase or at the latest in the test phase, in which the risks and functionalities of the prototypes of the products to be produced are checked. Within the framework of product reliability, the FTA is of considerable importance as an analytical instrument for the structured identification of product-related risks.
In the first phase of the FTA, the aim is to identify as many causes as possible on the basis of an identified problem and to depict them graphically in a cause system. A so-called fault tree is used in the FTA to represent the cause system. The fault tree is a top-down analysis technique. It is a method in which, starting from an identified problem or risk, causes are gradually linked to the causes of causes, until the cause system has been mapped as completely as possible.
Basically, two main groups of symbols of the FTA can be distinguished: events (labelled symbols) and logical links (unlabelled symbols). In the top-down procedure, the risk event “engine of a machine cannot be stopped” (the risk to be analysed, also called the top event) is assumed and all possible causes (“emergency stop switch system” and “alternative power supply for engine”) and causes of the causes (“switch 1 fails” and “switch 2 fails”) for this risk are graphically displayed. Ideally, the FTA searches for groups of events (so-called cut sets) that cause the top event to occur. The more events in such a cut set, the less likely it is that the top event will occur. This means that risk managers search specifically for so-called minimal cut sets, that is, for groups of events that have as few individual events as possible. To put it simply, minimal cut sets are the most likely constellations for a top event to occur. Of course, the fault trees are much more complex in practice than in the example above. Therefore, there are special software packages that make it possible to analyse the fault trees especially with regard to the cut sets (Rautenstrauch and Hunziker 2011).
Fig. 3.12 Risk categories vs risk checklist [figure reconstructed as a table]
Risk Category | Risk Subcategory | Risk Checklist                 | Risk Present?
Financial     | Market           | Currency risk, …               | YES / NO
Strategic     | Supply Chain     | Delivery interruption, …       | YES / NO
Strategic     | Rivalry          | Market entry of competitor, …  | YES / NO
Operational   | HR               | Untrained staff, …             | YES / NO
The two left-hand columns are the “meaningful presetting for workshops / interviews”; the two right-hand columns list single risks and make up the «ticking-off exercise».
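The cut-set search described above, as an added example that is not part of the book: a small Python fault-tree evaluator for the top event “engine of a machine cannot be stopped”. The gate structure (redundant switches 1 and 2 under an OR with a stop control unit, combined by AND with the alternative power supply) and all probabilities are assumptions for illustration, not taken from the book's figure.

```python
from __future__ import annotations

import math
from dataclasses import dataclass
from itertools import product
from typing import Union


@dataclass(frozen=True)
class Event:
    """Basic event (leaf of the fault tree) with an assumed annual probability."""
    name: str
    probability: float


@dataclass(frozen=True)
class Gate:
    """Logical link: 'AND' (all inputs must occur) or 'OR' (any input suffices)."""
    kind: str
    inputs: tuple


Node = Union[Event, Gate]


def minimise(sets: list[frozenset[str]]) -> list[frozenset[str]]:
    """Drop every cut set that contains another cut set, leaving only minimal ones."""
    unique = set(sets)
    minimal = [s for s in unique if not any(other < s for other in unique)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def minimal_cut_sets(node: Node) -> list[frozenset[str]]:
    """Top-down expansion: an OR gate collects its inputs' cut sets, an AND gate combines them."""
    if isinstance(node, Event):
        return [frozenset([node.name])]
    per_input = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        sets = [cs for group in per_input for cs in group]
    elif node.kind == "AND":
        sets = [frozenset().union(*combo) for combo in product(*per_input)]
    else:
        raise ValueError(f"unknown gate kind {node.kind!r}")
    return minimise(sets)


def basic_events(node: Node) -> dict[str, float]:
    """Collect every basic event of the tree with its probability."""
    if isinstance(node, Event):
        return {node.name: node.probability}
    found: dict[str, float] = {}
    for child in node.inputs:
        found.update(basic_events(child))
    return found


def top_event_probability(node: Node) -> float:
    """Exact top-event probability for a tree of independent, non-repeated basic events."""
    if isinstance(node, Event):
        return node.probability
    ps = [top_event_probability(child) for child in node.inputs]
    if node.kind == "AND":
        return math.prod(ps)
    return 1.0 - math.prod(1.0 - p for p in ps)


def ranked_cut_sets(node: Node) -> list[tuple[frozenset[str], float]]:
    """Minimal cut sets from most to least likely (product of their members' probabilities)."""
    probs = basic_events(node)
    ranked = [(cs, math.prod(probs[n] for n in cs)) for cs in minimal_cut_sets(node)]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed tree for the book's top event; structure and probabilities are assumptions.
SWITCH_1 = Event("switch 1 fails", 0.01)
SWITCH_2 = Event("switch 2 fails", 0.01)
CONTROL_UNIT = Event("stop control unit fails", 0.002)
ALT_POWER = Event("alternative power supply keeps engine running", 0.05)

# Emergency stop fails if both redundant switches fail OR the control unit fails.
EMERGENCY_STOP_FAILS = Gate("OR", (Gate("AND", (SWITCH_1, SWITCH_2)), CONTROL_UNIT))
# The engine cannot be stopped only if the stop fails AND alternative power keeps it running.
ENGINE_CANNOT_BE_STOPPED = Gate("AND", (EMERGENCY_STOP_FAILS, ALT_POWER))

if __name__ == "__main__":
    for cut_set, p in ranked_cut_sets(ENGINE_CANNOT_BE_STOPPED):
        print(f"{p:.2e}  {sorted(cut_set)}")
    print(f"top event: {top_event_probability(ENGINE_CANNOT_BE_STOPPED):.2e}")
```

The two-element cut set (control unit plus alternative power) ranks twenty times more likely than the three-element one, which is the "fewer events, more likely" point made above.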
3.3.8.5 Prevent Costly Errors with Failure Mode and Effects Analysis (FMEA)
The FMEA was developed by NASA in parallel to the FTA in the 1960s and was used for the first time in the Apollo programme. The method was later widely used from the automotive industry through to power plant construction. Meanwhile, the FMEA is used for the development of new products, the use of new production processes, products with safety requirements, changes to the product, material or process, changes in the conditions of use of known products, and complaints and requirements by the customer.
In contrast to FTA, which is a representative of top-down instruments, Failure Mode and Effects Analysis (FMEA) is one of the bottom-up analysis forms. FMEA and FTA are related instruments which complement each other and, in combination, have their greatest effect in terms of risk identification. Instead of examining which product components could cause a given error or risk situation (top event), the FMEA tries to find out what type of error or risk is triggered by the given product components. Within the framework of quality management, the FMEA is thus used to minimise the risk arising from the occurrence of errors. Potential errors in systems, designs and processes are analysed and measures defined to detect them as early as possible.
The FMEA is motivated by the knowledge of the connection between the costs of eliminating faults and the time of their discovery. As a rule of thumb, the so-called rule of ten is often mentioned, which states that the costs increase tenfold from one process step to the next. For this reason, FMEA follows the idea of preventive error avoidance instead of subsequent detection or correction.
Depending on the different hierarchy levels of the application of an FMEA, the FMEA is classified into three subgroups. The classic distinction is based on a system FMEA (product concept), a design FMEA (examination of products for weak points in design or layout) and a process FMEA (manufacturing process). The findings from the investigation at system level serve as the basis for the design FMEA, the results of which flow into the considerations at process level. As a result of cause and effect, a hierarchical shift results for the different FMEA types, in which the error cause becomes the error type and the error type becomes the error effect in the subsequent investigation.
In order to create an FMEA, an FMEA team is formed within the company, consisting of employees from all departments concerned, in order to ensure a common view from different perspectives. An important role in this process is played by the team leader, who must bring all results together and then document them. The team will use an FMEA form to answer the following questions:
• Where can an error occur?
• How does the error manifest itself or how does it occur?
• What kind of error sequence can occur?
• Why can the error occur?
The following is a brief explanation of the individual steps involved in answering the above questions. In the first step, the system (product) is delimited and described. This results in a division into individual system elements (end products, assemblies and components) and the determination of the individual interfaces between the elements. In the subsequent error analysis, potential errors, defined as restrictions or non-performance of system functions, are assigned to the individual system elements. The central result of the analysis of the error sequence is the effect of the error on the end user of the product. In the final step of the analysis, all causes that could lead to the described error are described. Then measures to avoid or detect the individual errors and their causes are listed.
In the subsequent risk assessment, the probability of occurrence, the significance of the consequences and the probability of detecting the individual faults are discussed. The evaluation of errors is calculated using the risk priority number: probability of occurrence multiplied by significance of consequences multiplied by probability of discovery (problems with this approach are discussed in Sect. 3.4.1.4). If the risk priority number exceeds a threshold value defined within the company, countermeasures are to be taken. Ideally, such measures should aim at error prevention instead of error detection. Finally, the effectiveness of the individual measures to reduce errors is to be assessed. The risk priority number prior to improvement is compared with the risk priority number of the improved system (Rautenstrauch and Hunziker 2011).
3.4 Assess Key Risk Scenarios
Probably one of the most challenging steps in the ERM process is to develop appropriate criteria to differentiate between key risks and all other risks (Rees 2015, p. 36). To carry out this important step, we need to reconsider what fundamentally constitutes a key risk, and what happens to all other risks. It is obvious that applying the wrong selection criteria can lead to a more or less false understanding of the current risk exposure.
First, it is important to understand that ERM is primarily concerned with risks and opportunities that may have a relevant impact on the achievement of objectives. In most companies, financial performance is the most important indicator of short- and long-term target achievement. After all, the company’s financial situation is of crucial importance for its long-term existence. Thus, the assessment of a risk in terms of its impact on financial targets must be an important criterion for most companies.
Should risks be excluded from further analysis that do not exceed a certain minimum loss potential? The answer depends on the perspective. From an ERM point of view, it is necessary to define clever filters so that only relevant risks are subjected to a detailed, more complex assessment. Risk quantification and risk simulation based on key risk selection is much more cost-efficient and less complex to set up and maintain if only a few important risks are taken into account.
The selection of a few, relevant risks is decisive as to whether ERM systems can be used meaningfully in practice in the long term or whether they will not survive due to their complexity and high costs. The flexibility and strategic orientation of ERM systems for ad hoc decision support is a key success factor.
However, risks that are filtered out from an ERM perspective should not simply be “deleted”. These risks could become key risks over time, so they need to be monitored and regularly reassessed. It is thus important to store all risks in a database and to create a kind of “watch list”. However, these “watch-list” risks may be relevant from an operational risk management perspective. Depending on whether a company runs operational risk management in addition to ERM, these risks can be managed decentrally and coordinated with other assurance functions (e.g. internal control).
Of course, focusing on key risks has one major caveat: it may lead to an underestimation of the current risk exposure if many “minor” risks are excluded from further risk analysis. In addition, the relative importance of a risk does not directly include the relative relevance of possible risk mitigation measures. For less important risks, there may exist simple and cost-effective measures to reduce or eliminate them completely. There is no reason not to think about risk mitigation even for small or unimportant risks. This in turn can significantly reduce the company’s overall risk exposure.
On the other hand, it may also be the case that risks being considered unimportant can trigger other risks and accumulate to relevant risks due to risk interdependencies. Figure 3.13 shows the basic challenge of this ERM process step. After having collected risks (uncertainties) from various sources, they have to be consistently assessed for further prioritization. Companies may apply different filters to select key risks from the “risk universe”. Eventually, the risk manager has to create a key risk list for further risk analysis (quantitative scenario development).
3.4.1 Identify Key Risk Scenarios
In the following, some filters are discussed critically. The first two filters aim to exclude “fake” risks. On the one hand, this concerns unrealistic scenarios against which no meaningful measures can be taken. On the other hand, as already mentioned in Sect. 3.3.4, pure decision-making problems that are entirely within the control of the company must be recorded in a separate list. The two subsequent selection criteria describe filters that are very common in practice. However, it should be kept in mind that some filters for risk prioritisation can do more harm than good. Subsequently, we explain a simple but very useful filter for creating a key risk list at this stage of the ERM process.
3.4.1.1 Exclude Unrealistic, Devastating Risks
To ensure that ERM remains credible and is taken seriously by its stakeholders, no unrealistic, irrelevant risks should be included in the key risk list. However, the question of how to distinguish realistic and unrealistic risk is not so easy to answer. Let us assume a very bad risk scenario that can be devastating for all projects and all business areas of a company and, in addition, for all companies in a specific industry, in a country or even worldwide. Let us label it “Aliens take over world domination”. Such a scenario is probably untrustworthy in the sense of being purely speculative and not reaching consensus among experts. In addition, alien invasion has of course a very low probability of occurrence. No company can meaningfully prepare for this event nor can it implement measures to minimise the impact to a reasonable level.
Fig. 3.13 Application of smart filters to create a key risk list [figure: the “risk universe”, fed by one-on-one interviews, management assumption analysis and traditional risk identification, is narrowed through Filter I, Filter II and Filter III down to the key risks]
Other, similar implausible scenarios can be, for example, risks that make life on earth impossible, e.g. a devastating meteorite impact, deadly global diseases, global cyber war, robotic takeover of mankind, world war III, or a fundamental shift of the political system from democracy to dictatorship. To enable risk-based comparability of the risk exposure between projects, business areas and strategic options in a company, such unrealistic scenarios must be consistently excluded in all risk analyses.
Unrealistic, devastating risks, which usually affect an entire economy or even the global economy, should not be confused with very rare, company-specific risks for which individual companies can prepare (to some extent) by implementing appropriate risk mitigation measures. These very rare, but plausible risks may “only” affect individual business areas in certain regions or “only” affect some, but not all strategic initiatives. An example of a plausible, very rare and very pessimistic risk scenario is a flood disaster in a certain region where the company has a production site for a specific product that is only produced at this facility. Even if this risk is very rare (e.g. 0.005% annual probability) but has a destructive impact (production site is completely destroyed), it must be included in the risk analysis for the following reasons (see similarly Rees 2015, p. 38):
• The risk is partially manageable; it can be insured, for example, and preventive measures (protective walls, early warning systems, redundant production site) can be implemented.
• The risk is a realistic, if rare, scenario. There is broad consensus that it will happen at some point in the future.
• The risk only has a company-specific impact and a company may be disadvantaged relative to its competitors when it occurs (e.g. loss of market share).
• The risk only affects one product line (and that line may as such be riskier than other product lines, everything else held constant) and can be managed with some effort in the case it occurs (the existence of the whole company is not at stake).
3.4.1.2 Separate Pure Management Action Items
In Sect. 3.3.4, we briefly discussed the differences between decision problems and real risks. Now we are far enough into the ERM process that we have to consider how to deal with pure decision-making problems, which can also have an impact on the risk exposure (pre- and post-decision risk exposure). Shall risk managers deliberately exclude decision issues from their risk identification process? One could argue that such decisions should be left to the responsibility of management. If so, no choice would have to be made about risk prioritization at this point. However, the answer is clearly no. One of the crucial steps to improve the overall ERM effectiveness is to be aware of the existence of decision problems and their relation to traditional risks (see similarly Rees 2015, pp. 34–35, 40–41). Next, risk managers should develop a process or a scheme to enable the comparison between decision problems and risks with uncertainty attached (“real” risks). Thirdly, from a risk assessment perspective, this distinction between fully controllable decisions and non-controllable (or only partially controllable) risks is crucial to make. Subsequent risk models based on key risks should be capable of capturing both the effects of pure (management) decisions and truly risky items. Put plainly: a best-practice ERM approach is to display pre- and post-decision values for all types of decisions, be it the decision about a measure to reduce the probability of occurrence of a specific risk or a management decision which only impacts the baseline expectation (plan).
ERM is of course not responsible for recording, evaluating and reporting pure decision-making problems in a holistic manner. However, risk management workshops and interviews may exclusively address such aspects. It thus makes sense for the risk manager to record these in a structured manner and make them available to decision-makers. Pure decision-making problems do not have to be subjected to a more in-depth, quantitative scenario analysis. It also does not make sense to assign different probabilities to these decisions, since the decision lies in the full control of management. This makes it obvious that they do not correspond to the definition of “uncertainty” and thus cannot be included in a classical risk model. However, they also have an impact on financial performance, which can be estimated similarly to a real risk. In contrast to the quantitative scenario analysis of real risks, however, it is not the potential deviations from the planned value that are assessed, but the potential change of the planned value itself. We will learn more about this difference in the chapter on risk quantification.
3.4.1.3 Avoid Risk Maps as Selection Criterion
A widely used approach for risk assessment and subsequent risk prioritisation is the risk map (or heat map). It serves as a visualised communication aid for corporate risks and forms the basis for decision-making support and for prioritising which risks need to be addressed with which urgency. Based on the prioritisation process, corresponding risk mitigation measures are derived (Hunziker and Rautenstrauch 2015). Many consulting firms and training centres with risk management certificates teach this approach as a central risk assessment instrument. Various international organisations that publish standards and frameworks for risk management, such as COSO II, the National Institute of Standards & Technology (NIST) or COBIT, also recommend such an evaluation approach. In practice, it is probably the most widely used approach to risk assessment and prioritization (Hubbard 2009, pp. 120–121).
In principle, a risk in the risk map is assessed as a product of the probability of occurrence and impact-on-occurrence (probability-impact matrices). Risk maps usually use a kind of scoring system based on ordinal scales. This means that relative gradations are made on the basis of a value range of e.g. 1–5, where 1 is classified as “very low impact” and 5 as “catastrophic impact”. Other gradations with value ranges from 1–3 to 1–10 can also often be found in practice. It is usually assumed that the distances between the individual values are equal, i.e. a risk with score 3 is assessed as three times more serious than a risk with a value of 1. Figure 3.14 shows an example of a risk map as it is often used in practice.
Caution is needed when using such risk prioritization instruments. Risk management experts such as Cox (2008) or Hubbard (2009) even describe them as useless or counterproductive, as they can lead to wrong decisions. The following problems with risk maps must be taken into account when using them. Some can be reduced or eliminated by certain measures, others are inherent in the instrument.
The use of risk maps is very simple. In the risk map illustrated in Fig. 3.14, the risks must be assigned to one of the nine fields, which requires a rough relative assessment of the probability of occurrence and the impact. Colour gradations are often used, whereby the risks in the red fields at the top right are assessed as “unacceptable”. Red risks require priority treatment, i.e. risk reduction measures must be defined. The orange fields contain “critical risks”, although it is often not clear whether there is a need for action that is merely less urgent than for the “red risks”, or whether the risks are tolerated and observed more closely. However, the colouring fails to provide a realistic assessment of the risk. The red fields at the top right can be described as pseudo risks (or phantom risks, see Samad-Khan 2005, p. 3). It is simply not possible that there are business risks that threaten companies as a whole with a very high frequency. Thus, in practice, real “red risks” at the top right exist very seldom.
The focus of risk maps is in many cases risk prioritisation with respect to an average value, i.e. expected value. This equals a probability-weighted impact. Averaging such risks may lead to serious false risk assessments which in turn may lower decision quality significantly. For example, an expected value of the impact of raw material price volatility may be close to zero. However, the upside and downside potential (e.g. on a 95% confidence interval) of price volatility may be important for decision-makers. Related to the expected value problem, a risk with a very small probability of occurrence and a devastating impact-on-occurrence does not necessarily fall into the “red area” of the risk map.
Fig. 3.14 Risk map [figure: a 3 × 3 matrix with probability of occurrence in % (low, medium, high) on the vertical axis and impact in € (low, medium, high) on the horizontal axis; three fields are green, three yellow and three red, with the red fields at the top right]
In the best case, the verbally anchored scales of the risk map are stored with quantitative values (e.g. “low” with an annual probability of occurrence of 1–20% and an extent of damage of 0–50,000 €). In the worst case, the verbal risk assessment is not linked to any quantitative values. Studies have shown that verbal, subjective scales such as “low” to “high” or “unlikely” to “very likely” are “translated” by people into highly divergent percentages, which can make the classification in one of the fields almost unusable (Budescu et al. 2009). Subjective scales are further subject to many cognitive biases: Hubbard and Evans (2010) state that individual experiences, overconfidence, confirmation bias and optimism bias may significantly impact the assessment of probability and impact.
As risk matrices display discrete categories of impact and probability, the resolution is defined by the number of categories. Cox (2008) concludes that the limited resolution is an inherent disadvantage of risk matrices. In this sense, the selected scales in risk maps are too “compressed”. For example, two different risks have annual probabilities of 0.5% and 19%, respectively. In the above example, both risks are consequently “compressed” to the value 1 (“low”), although both probabilities differ considerably (risk occurs once every 5 years or once every 200 years). The same applies to the assessment of the impact. The multiplication of both variables into one expected value leads to a further compression of the information and thus to very inaccurate (or dangerous) risk assessments.
Furthermore, the correct risk definition is repeatedly violated in the application of risk maps. The application of a risk map assumes that a risk can be meaningfully described by one probability of occurrence and one single impact: the risk either occurs or it does not occur. And when it occurs, it always does so with the same impact. For the majority of risks, this probability description is not appropriate or simply wrong. The example of interest rate risks is intended to illustrate this: interest rate or currency pair changes can actually occur with any number of possible values (see the concept of volatility), but not every change is equally probable. Such a risk can no longer be described as a “risk event” and thus cannot be read off the risk map. Here, for example, a volatility (fluctuation) would have to be depicted using various estimated scenarios. Many operational risks, such as a machine breakdown, are also poorly described as a single risk event, as several consequences are conceivable. Furthermore, the risk map usually only shows the “negative risk”; positive potentials (opportunities) are completely ignored in most cases.
Further, risk interdependencies are also ignored by the risk map. If, for example, two risks assessed as “medium” (e.g. “fire causes loss in warehouse” and “interruption of production process due to loss of personnel”) occur simultaneously due to a hurricane, they can no longer be assessed as independent events. Such dependencies cannot be meaningfully modelled in a risk map. Finally, the risk map also reflects challenges that are only indirectly related to the instrument itself. For example, different practices for developing the final impact of a risk event are observed. Three possibilities are applied in practice (see Duijm 2015):
• The impact is represented by a risk event causing the worst case scenario and the corresponding probability of that event.
• The impact is represented by the most likely consequences (e.g. based on the average of past losses, similar to an expected value) and the corresponding probability is the probability that the most likely event occurs.
• The impact is represented by different impact scenarios, each of which may fall into another impact category of the risk map, and the corresponding probabilities are the probabilities that each of those scenarios occurs.
Of course, each of those possibilities may lead to different risk assessments. Having said that, we can draw the following conclusions: Possibility 1 may lead to overly conservative outcomes; further, less pessimistic scenarios are neglected. Possibility 2 violates our definition of risk (risk is deviation from expected; the “representative” impact is quite similar to the expected value) and thus may underestimate true risk, so companies may face overly optimistic impact assessments. Possibility 3 is basically preferable to the other possibilities in that it also enables addressing different realistic scenarios of the same risk event. However, this may lead to many entries in the risk map when several events with several scenarios are considered (see Duijm 2015).
3.4.1.4 Avoid Expected Values as Selection Criterion
As just discussed, in risk maps the individual risks are generally assessed according to probability of occurrence and impact and graphically represented as expected loss in the matrix. As simple and understandable as this procedure may seem, the expected values of the individual risks are subject to considerable limitations. However, expected values also have meaningful applications if they are used correctly. In the following, this will be discussed first.
On the one hand, the tangibility and calculation of expected values is relatively simple. The two variables “probability of occurrence” and “impact” can be derived either from historical data or expert judgements. Quantifying the individual risks with probabilities and financial impact is in practice very often essential for the subsequent aggregation of the individual risks across individual business areas or hierarchical levels to gain an enterprise-wide risk exposure. It is thus not adequate to group risks only in risk classes such as “small, medium and large risks” in order to be able to assess or aggregate them reasonably later.
A further advantage of applying expected values lies in the option of pooling individual risks in order to calculate overall risk exposures at different corporate levels. Because of the additivity of the expected values (i.e. it is mathematically correct to add the expected values), the sum of the expected values of individual risks is precisely the expected value of the overall risk exposure. For example, it may make sense to assess the effectiveness of risk mitigation measures over time on the basis of the overall risk exposure of, for example, individual business units. The expected value is thus a particularly useful risk measure if the primary objective of risk management is to assess the effectiveness of risk mitigation measures to manage risks. Effectiveness in this case means that average expected losses (sum of all expected values of the individual risks) are smaller than, for example, in the previous business year.
However, expected value is not a risk measure. The reason for this claim is fairly simple. We need to recall the definition of “risk”: risks are unexpected, random deviations from planned values. However, this is in complete contradiction to the risk measure “expected value”. The expected value of a risk is neither unpredictable nor random: it is a known factor in advance and is thus by definition not a measure for defining a risk. From a risk management perspective, the expected (i.e. known) loss must thus certainly not be the top selection criterion. On the contrary, the potential unexpected deviations from the expected value, i.e. the distribution of possible losses in a range around the expected value, are much more relevant. In particular, the worst case scenario may be completely underestimated (or neglected) by expected values. The expected value merely provides an indication of the average losses over an infinite period of time. From a company’s perspective, however, it is of no interest whether it could bear the losses on average. Rather, the worst deviations from the expected loss that could cause a company to become insolvent are essential. A simple numerical example is provided to illustrate this.
The two risks X (probability of occurrence of 1% and impact of EUR 10,000,000) and Y
(probability of occurrence of 50% and impact of EUR 200,000) have the same expected
value of EUR 100,000. However, if risk X actually occurs, the impact to be borne is
significantly higher than with risk Y. It is thus of no use to a company to survive on
average in the long run. The expected value is not a real risk measure and underestimates
the relevance of rare but serious risks. For risks with the same expected value, the risk
map tends to suggest risk neutrality. In practice, however, this neutrality is hardly
present, because decision-makers often care whether they can generate a profit
opportunity (loss possibility) of, for example, EUR 10,000,000 with 1% probability or
EUR 200,000 with 50% probability. Thus, companies usually behave risk averse in
decision-making processes, not risk neutral as expected values imply (see e.g. Jonkman
et al. 2003).
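To make the comparison of X and Y concrete, the following added example (not from the book) represents each risk as a discrete loss distribution and computes, next to the expected value, the worst case and the probability that a loss exceeds a given capital buffer; the buffer of EUR 1 million is a constructed assumption.

```python
"""Added example (not from the book): expected value versus the tail of a loss
distribution. A risk is a discrete distribution {loss_in_eur: probability}; a binary
risk (occurs with probability p and impact L, otherwise nothing) is the special case
{L: p, 0: 1 - p}. Figures for X and Y are the book's; the capital buffer is a
constructed assumption."""
from typing import Dict

Distribution = Dict[float, float]


def binary_risk(probability: float, impact: float) -> Distribution:
    """Loss distribution of a risk that either occurs (loss = impact) or does not."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    return {impact: probability, 0.0: 1.0 - probability}


def expected_value(dist: Distribution) -> float:
    """Probability-weighted average loss; additive across independent risks."""
    return sum(loss * p for loss, p in dist.items())


def worst_case(dist: Distribution) -> float:
    """Largest loss with non-zero probability, regardless of how rare it is."""
    return max(loss for loss, p in dist.items() if p > 0.0)


def prob_loss_exceeds(dist: Distribution, threshold: float) -> float:
    """P(loss > threshold): the chance of exhausting a buffer of that size."""
    return sum(p for loss, p in dist.items() if loss > threshold)


def combine_independent(a: Distribution, b: Distribution) -> Distribution:
    """Distribution of the total loss of two independent risks (convolution)."""
    out: Distribution = {}
    for loss_a, p_a in a.items():
        for loss_b, p_b in b.items():
            out[loss_a + loss_b] = out.get(loss_a + loss_b, 0.0) + p_a * p_b
    return out


# The book's two risks.
RISK_X = binary_risk(0.01, 10_000_000.0)
RISK_Y = binary_risk(0.50, 200_000.0)
CAPITAL_BUFFER = 1_000_000.0  # constructed assumption: loss-bearing capacity


def compare(buffer: float = CAPITAL_BUFFER) -> dict:
    """Side-by-side view of X and Y on the three measures."""
    return {
        name: {
            "expected_value": expected_value(d),
            "worst_case": worst_case(d),
            "prob_exceeds_buffer": prob_loss_exceeds(d, buffer),
        }
        for name, d in (("X", RISK_X), ("Y", RISK_Y))
    }


if __name__ == "__main__":
    for name, measures in compare().items():
        print(name, measures)
    both = combine_independent(RISK_X, RISK_Y)
    print("X+Y expected value:", expected_value(both))
    print("X+Y P(loss > buffer):", prob_loss_exceeds(both, CAPITAL_BUFFER))
```

The two risks tie on expected value, yet only X can exhaust the buffer, which is exactly what an expected-value ranking hides.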
What do we learn from this insight? In fact, it is very astounding how persistently
expectation values remain in practice as a major decision criterion for risk selection or
risk prioritization. As this is such a crucial aspect to understand, the learnings are
summarised in the following box.
Expected value is not a suitable measure for the selection of key risks. It does not
make it possible to identify risks that could threaten the survival of the company. The
multiplication of probability of occurrence and impact seems simple at first, and the
resulting single number (e.g. called risk priority number) can be put into an easily
understandable order. Unfortunately, this method does not increase decision quality;
often the opposite is the case. Expected value fully contradicts our definition of risk
in the ERM approach.
3.4.1.5 Prefer Impact Over Probability
In practice, the probability of occurrence of a risk is an indicator often used to
distinguish between important and unimportant risks. As we have learned, it is often used
to calculate expected values. The simultaneous consideration of probability of occurrence
and impact is probably one of the most widespread approaches for prioritizing risks in
the non-financial industry. The disadvantages of expected values have already been
discussed in detail in the previous paragraph. At this point, we would like to ask
whether it makes sense to consider the probability of occurrence as a criterion to select
individual key risks. It is often seen in practice that very rare risks with a very high
impact are not defined as key risks. In risk maps, the “relevance line” is often set so
that very rare risks are never positioned in the red area. Is this a legitimate
procedure? In the following, a few thoughts are presented that shed a critical light on
probabilities as a filter criterion.
Firstly, it is important that decision-makers are aware of all the risks that can have a
significant impact on the company’s objectives. This provides the basis for management to
fulfil its responsibility to discuss as many risks as possible that could threaten the
existence of the company. In this context, it is irrelevant how high the probability of
occurrence is. It is important to consider whether the company is prepared in the event
of a risk occurrence or whether measures need to be taken if necessary. Of course,
management can also decide to accept a significant risk which it considers to be very
rare. In this case, it is a well-informed decision to accept a key risk if the associated
potential for success justifies it. If, however, probabilities are actually used as
filters, it can happen that management is not even aware of such risks, and thus blind
spots arise, which can be very serious. Very rare risks with a high impact are
consequently not discussed at management level because they are not included in the risk
reporting. In the case of a risk occurrence, it is of little use to management to refer
to the rarity of an event. In this respect, this procedure can be considered a breach of
duty, since not all risks that threaten the existence of the company (irrespective of the
probability of occurrence) have been dealt with.
Secondly, it is very difficult to reliably assess probabilities and, depending on the
assessment, this can lead to completely different key risks. People find it difficult to
assess probabilities. In principle, probabilities for risks with which a company has no
experience cannot be easily assessed. In the area of strategic risks, it is thus
challenging to estimate the probability of occurrence as accurately as possible. An
example illustrates the problem attached to that: depending on the probability with which
an interviewee expects a new competitor to appear on the market, this risk becomes a key
risk or not. For example, it may be that a company sets the filter in a risk map at 5%
probability of occurrence for the next year. If a board member now assesses this risk at
3%, it falls below the threshold and is not reported and discussed as a key risk.
However, these 3% are difficult to verify. It could also be 7% or 10%, which can also be
considered plausible. A mitigation of this problem could be that impact and probabilities
are recorded and reported separately, but the key risk list is only generated on the
basis of impacts. The probabilities would then serve as additional information and a
basis for discussion, but are not an equally weighted selection criterion.
A third reason why the probability of occurrence is not a good selection criterion can
be illustrated by the following example. Let us assume our key risk list contains 25
risks. The risk manager analyses the selected risk scenarios and concludes that each key
risk scenario has a very low probability. For the sake of simplicity, we assume that all
risks have an equal estimated probability of occurrence of 1% (p). In other words, each
risk is expected only once in a hundred years. Are we confident that none of the top
risks will occur next year? Can we inform our board that there will be no unpleasant
surprises next year due to the very low probabilities? Let us assume that the 25 (N) top
risks are uncorrelated. This assumption may be quite realistic, since the risk
interdependencies are already incorporated during the individual scenario developments.
What is the probability that at least one of the rare risks will occur next year? The
math is as follows: 1 − (1 − p)^N. If we use our figures (p = 1%; N = 25), we calculate
a probability of 22.2%. This value is relatively high and is usually underestimated in
traditional risk management systems based on individual risk assessments (e.g. by means
of risk maps). If we extend the time horizon to e.g. 5 years (according to the
achievement of the strategic objectives), i.e. 25 × 5 = 125 independent risk-years, this
probability already increases to 71.5%. In the long term, rare risks are thus very much
to be expected. The lesson here is that very-low-probability risks should not be
excluded from the key risk selection process.
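The 1 − (1 − p)^N argument, carried through as an added example (not from the book); it generalises the formula to risks with different probabilities and to multi-year horizons, assuming independence across risks and across years as the text does.

```python
"""Added example (not from the book): probability that at least one of N rare,
uncorrelated risks materialises, generalised to unequal probabilities and to a
multi-year horizon. Independence across risks and across years is assumed."""
from math import prod
from typing import Sequence


def prob_at_least_one(probabilities: Sequence[float], years: int = 1) -> float:
    """P(at least one occurrence) over `years` for independent per-year probabilities.

    The only way to see no occurrence is that every risk stays quiet every year:
    P(none) = prod_i (1 - p_i)^years, so P(at least one) = 1 - P(none).
    With equal p this is the book's 1 - (1 - p)^(N * years).
    """
    if years < 1:
        raise ValueError("years must be >= 1")
    for p in probabilities:
        if not 0.0 <= p <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
    p_none = prod((1.0 - p) ** years for p in probabilities)
    return 1.0 - p_none


def expected_occurrences(probabilities: Sequence[float], years: int = 1) -> float:
    """Mean number of occurrences over the horizon (sum of the p_i, times years)."""
    return years * sum(probabilities)


def years_until_threshold(probabilities: Sequence[float], target: float) -> int:
    """Smallest horizon in years for which P(at least one) reaches `target`."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must lie in (0, 1)")
    years = 1
    while prob_at_least_one(probabilities, years) < target:
        years += 1
    return years


# The book's figures: 25 key risks, each estimated at 1% per year.
BOOK_RISKS = [0.01] * 25

if __name__ == "__main__":
    print(f"next year: {prob_at_least_one(BOOK_RISKS):.1%}")     # 22.2%
    print(f"5 years:   {prob_at_least_one(BOOK_RISKS, 5):.1%}")  # 71.5%
    # Constructed list with unequal probabilities, same method.
    mixed = [0.005, 0.01, 0.02, 0.03, 0.05]
    print(f"mixed list, next year: {prob_at_least_one(mixed):.1%}")
    print("years until a 50% chance of at least one occurrence:",
          years_until_threshold(BOOK_RISKS, 0.5))
```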
At this point, it is important to understand that probabilities in the ERM approach are
still highly relevant. Probabilities are particularly relevant when assessing the impact
of multiple risks on a particular business objective. For the selection of key risks,
however, we need filters that prevent threatening individual risks from being excluded or
not taken into account in the more detailed risk quantification. We thus strongly
recommend that the key risk list is primarily based on the impact of risks and that
probabilities of risks may be included in the risk list as additional information, if
available.
3.4.1.6 Distinguish Between Key and Non-Key Risks
We have reached the culmination of the first and important process step of risk
identification. We remember that the aim was to create an overview of key risks. This
list is the first important outcome, which is then subjected to a quantitative scenario
assessment in a subsequent step. The assessments of the individual impacts are to be
deemed provisional. They have only helped us to distinguish between key risks and
non-key risks (see similar Segal 2011, pp. 151–152).
The following figure (Fig. 3.15) shows a corresponding procedure. It shows an excerpt of
pessimistic risk scenarios of a company in relation to the defined EBIT target. The
expected EBIT amounts to EUR 5 million. All significant deviations from the plan are thus
of interest, which is in line with our risk definition. If a risk scenario has a loss
potential higher than EUR 2 million, it is taken into account in the further risk
analysis. It is thus included in the key risk list. As you can see from the chart,
probabilities of occurrence are missing. If these were already collected during risk
identification, they could be added as a supplement to the individual risk scenarios. In
our approach to risk identification presented so far, however, we have deliberately
refrained from collecting probabilities. These will only become relevant in the
subsequent quantitative risk scenario development.
Remember that a risk database must also be populated with all non-key risks to create a
so-called “watch-list”. This list can be provided as a supporting tool for operational
risk management or internal control systems. In addition, all non-key risks shall be
monitored on a regular basis in order to recognise emerging key risks as early as
possible. It is assumed that only a few watch-list risks will qualify as key risks at
later points in the future. Nevertheless, as business models can change quite quickly due
to e.g. changes in customer needs, some risks deemed minor can become strategy-relevant
later on.
At this point, it is important to note that the key risk list per se is not yet an
instrument relevant to decision-making. One could say that in traditional risk management
such a list is often the key result of the risk management process. From a modern ERM
perspective, this list should be understood as a kind of database in which risks are
collected and adjusted over time. Only the subsequent quantification of the individual
risk scenarios and the integration into decision-making processes provide the desired
added value of ERM.
Fig. 3.15 Key risk scenarios (bar chart of the EBIT impact of six pessimistic risk
scenarios against the EBIT plan of 5’000’000 €, with the filter line at 3’000’000 €;
the chart’s values are listed here):
RScen1: -6 Mio € (Key Risk)
RScen2: -3.5 Mio € (Key Risk)
RScen3: -3 Mio € (Key Risk)
RScen4: -2 Mio €
RScen5: -1.5 Mio €
RScen6: -1 Mio €
The mere creation of a key risk list as the basis for risk reporting to management and
the Board of Directors does not provide any added value. The risks on this list are
merely isolated individual risk assessments that are not (yet) included in
decision-making processes.
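The impact-only split into key risk list and watch-list described above, beside the probability filter criticised in 3.4.1.5, as an added example (not from the book). The scenario impacts are those of Fig. 3.15 and the competitor scenario of the text (3%, EUR -4 million); all other probabilities are constructed.

```python
"""Added example (not from the book): building the key risk list and watch-list
from impact only, and showing the blind spot a probability filter would create.
Impacts of RScen1-RScen6 are taken from Fig. 3.15 and the competitor scenario from
the text; every probability except the competitor's 3% is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RiskScenario:
    name: str
    ebit_impact_eur: float          # negative = loss against the EBIT plan
    probability: Optional[float]    # may be unknown at the identification stage


def select_by_impact(scenarios: List[RiskScenario], loss_threshold_eur: float
                     ) -> Tuple[List[RiskScenario], List[RiskScenario]]:
    """Split into (key risks, watch-list) using impact only.

    A scenario is a key risk if its loss exceeds the threshold. Probabilities,
    whether known or not, play no role in the split; they stay attached as information.
    """
    key = [s for s in scenarios if -s.ebit_impact_eur > loss_threshold_eur]
    watch = [s for s in scenarios if s not in key]
    key.sort(key=lambda s: s.ebit_impact_eur)  # most severe loss first
    return key, watch


def select_by_probability(scenarios: List[RiskScenario],
                          min_probability: float) -> List[RiskScenario]:
    """The practice criticised in the text: keep only risks at or above a probability
    cut-off. Scenarios without an estimate cannot be ranked and drop out as well."""
    return [s for s in scenarios
            if s.probability is not None and s.probability >= min_probability]


def blind_spots(scenarios: List[RiskScenario], loss_threshold_eur: float,
                min_probability: float) -> List[RiskScenario]:
    """Key risks by impact that the probability filter would hide from management."""
    key, _ = select_by_impact(scenarios, loss_threshold_eur)
    visible = set(select_by_probability(scenarios, min_probability))
    return [s for s in key if s not in visible]


SCENARIOS = [
    RiskScenario("RScen1", -6_000_000, 0.02),
    RiskScenario("RScen2", -3_500_000, 0.10),
    RiskScenario("RScen3", -3_000_000, None),   # no probability collected yet
    RiskScenario("RScen4", -2_000_000, 0.25),
    RiskScenario("RScen5", -1_500_000, 0.30),
    RiskScenario("RScen6", -1_000_000, 0.40),
    RiskScenario("NewCompetitor", -4_000_000, 0.03),
]
LOSS_THRESHOLD = 2_000_000   # text: losses above EUR 2 million are key risks
PROB_CUTOFF = 0.05           # text: a 5% relevance line in the risk map

if __name__ == "__main__":
    key, watch = select_by_impact(SCENARIOS, LOSS_THRESHOLD)
    print("key risks:", [s.name for s in key])
    print("watch-list:", [s.name for s in watch])
    hidden = blind_spots(SCENARIOS, LOSS_THRESHOLD, PROB_CUTOFF)
    print("hidden by the 5% filter:", [s.name for s in hidden])
```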
3.4.2 Quantify Key Risk Scenarios
The next step in the ERM process is a quantitative risk assessment of all key risk
scenarios. Its aim is to reflect the uncertainty associated with key risks as
holistically and realistically as possible. Only quantification makes a meaningful
comparison of different risks and opportunities possible. However, a misunderstanding
must be cleared up at this point: It is not a question of “calculating” a precise truth
with risk quantification. We all know that this is not possible because nobody can
predict the future exactly. With the help of reasonable evaluation methods, however, we
can express the degree of uncertainty more objectively and transparently than will ever
be possible with qualitative methods. It is thus not a question of producing illusory
precisions, but of developing “ranges of uncertainty” on the basis of plausible
quantitative risk scenarios.
As discussed previously, an ERM programme must assess all risks (independent
of their source) with the same care. In particular, strategic risks are often not assessed
quantitatively in practice. Practitioners often claim that the complexity of risks or their
sources and a lack of data impede quantitative risk assessments. However, this translates
to the following important statement:
ERM programmes that quantify only financial risks and (partially) operational risks, but
assess “non-quantifiable risks” (strategic risks) only qualitatively, fail in making
reasonable statements about how risk exposures may impact business objectives. This in
turn impedes the supporting role of ERM in risk-oriented decision-making. It is thus
strongly recommended to adopt an ERM that is methodologically capable of assessing all
risk categories quantitatively.
The problems of purely qualitative risk assessments are manifold and have already been
addressed in previous paragraphs. However, it is also important to note that
quantitative assessment methods are not per se superior to qualitative techniques because
they look more complex, mathematical and “accurate”. In practice, quantitative models are
often incomplete and neglect relevant risks, particularly strategic risks where data
availability is scarce. Interestingly, operational risks at lower hierarchical levels and
specifically financial risks are usually quantified using state-of-the-art stochastic
methods. Hubbard (2009) calls this observation in practice a “risk paradox”: relevant,
strategic risks are often assessed by qualitative, simple scoring methods, whereas
operational low-level risks are often included in quantitative risk models (p. 174).
Furthermore, data quality is crucial for the quality of quantitative analysis: the
financial crisis has clearly shown that model assumptions based on classical financial
market theory cannot withstand reality. Extremely rare, but devastating scenarios have
been regularly underestimated (so-called tail risks). Stochastic models require a sound
data basis, which is often not the case, specifically in the area of strategic and
operational risks. As a consequence, either unrealistic scenarios are estimated or some
risks are completely ignored. Finally, it is questionable whether complex stochastic
models are actually applied correctly in practice and understood by management. These
“black box” models are often difficult to communicate to decision-makers and cannot be
understood without appropriate know-how (Hunziker 2018, pp. 18–19).
The critical question now is, which approach shall we present in this textbook on risk
quantification? There are many good textbooks on stochastic risk modelling available.
However, the procedures and approaches recommended in these books do not (at least
not yet) seem to prevail in the non-financial industry. From a practical point of view, this
can have several (partly false) reasons:
• Stochastic risk modelling is reserved for the financial industry; the methods are not
transferable to non-financial risks.
• The procedure is considered too complex; one is content with simpler methods that are
easier to understand (e.g. qualitative risk management).
• The data needed to create appropriate models is missing.
• The maintenance of such models is often considered too complex.
• The benefits of quantitative approaches are called into question because it is assumed
that models are fundamentally wrong (the image of quantitative risk models has suffered
at the latest since the financial crisis).
• The basic assumptions of normally distributed returns are increasingly criticised; the
corresponding statistical distributions no longer correspond to reality.
Two questions arise at this point: What information should risk quantification be based
on? Should stochastic or deterministic risk scenarios be quantified? Risk quantification
is based on the principle of using the best available information, depending on the risk
category. These can be historical data as input for the assessment of financial risks or
primarily expert assessments in the area of strategic risks. Thus, the quantification
approach discussed in this textbook combines different data sources within the scenario
quantification approach. Pure stochastic modelling as input for risk simulation is not
used for the aforementioned reasons.
Subject matter experts who are “closest to the risk” in the company are explicitly
included in the risk assessment (as they already have been in the risk identification
process). A properly performed risk quantification with the risk manager as enabler and
discussion facilitator together with board members, business, divisional and department
heads usually leads to more reliable (tail) scenarios than a pure stochastic evaluation
based on (often insufficient) historical data. Moreover, a deterministic risk assessment
approach which is based mainly on expert judgements rather than relying solely on pure
stochastic (black box) models supports the acceptance of ERM and enhances an appropriate
risk culture.
In the following, we learn why quantified risk models still matter, how to effectively
develop quantified risk scenarios and how to (not) aggregate single risks which may have
a simultaneous impact on a specific business objective.
3.4.2.1 Why Risk Quantification Matters
As already touched on, criticism of risk modelling has increased considerably in recent
years. There is now a long list of counterarguments why companies should not use
quantitative risk models. However, it still remains to be clarified what might be better
alternatives. Unfortunately, there are no such alternatives, as we learn in this
textbook. An excerpt of the opponents’ list of reasons why risk models could fail is
briefly given here:
• The past has shown that risk models are wrong. So they will be in the future.
• There is no or too little data available for such models. The quality of the models is
thus poor.
• Nobody understands risk models, in the best case the risk manager him- or herself.
• Risk quantification and subsequent risk aggregation produce false accuracies, hence a
qualitative evaluation must be better.
• Risk models fail due to effort and complexity.
• Basically, human experience and intuition are stronger than risk modelling.
• Garbage in, garbage out as a killer argument.
Taking into account the above arguments, we believe that opponents of risk models
sometimes have false ideas about what they can or cannot do. At this point, we would
like to clarify this and argue that there are currently no approaches superior to risk
modelling (see similar Rees 2015, pp. 91–92). First of all, we need to consider why a
company should be concerned with risk models at all. Principally, quantitative risk
models deal with situations (expectations about the future) that cannot be perfectly
understood or anticipated because they are subject to uncertainty (risk). If this
uncertainty did not exist (e.g. regarding the net present value of a strategic project),
risk models could be entirely ignored. Of course, if a company is not willing or able to
develop meaningful assumptions regarding risk causes and risk interdependencies in the
form of scenarios, risk models do not make sense either. They do not replace the skills
of developing realistic assumptions of how the future might unfold.
We all are aware today that risk models are a simplification (in some cases, an
oversimplification) of the reality and that quantified risk assessments are never
accurate or only coincidentally correct (because they deal with the future). They
ultimately reflect opinions and assessments of subject matter experts, partially combined
with historical data where available. In this sense, the killer argument that all
quantitative risk models are wrong by definition is perfectly correct.
However, companies should accept that skilfully led discussions during risk assessment
interviews or workshops are often very fruitful. The process of discussing and creating a
quantitative risk model is often more useful than the (false) outcome per se. During this
process, assumptions are questioned, new views and ideas generated, new discussions
initiated and possible future risk potentials identified and assessed more
systematically. Quantification sometimes requires uncomfortable transparency, which is,
however, much more important as a basis for discussion than qualitative (verbal, use of
qualitative scales) assessments. Figures are not subject to interpretation. No matter
whether they are wrong or correct, they are the better basis for fruitful discussion.
Hiding or concealing vaguely formulated risk assessments is no longer easily possible.
Consensus amongst management ultimately represented in the quantified risk model serves
as an important decision-making basis and promotes further discussions regarding model
assumptions and risk appetite confrontation. An aggregated model which is totally
implausible to management can also show that there is something wrong with the
assumptions about the future. For example, a risk model that displays a new strategic
option (e.g. new market entry) as a risk simulation result only with positive, profitable
scenarios would probably have to be critically questioned (maybe the true downside risk
has not been fully reflected in the model).
ERM can only be linked to value-based management if quantified risk scenarios are
available. An integration of ERM into strategic planning, budget processes or other
decisions is only possible if there is a common ground; usually this is the connection
with financial performance management. Qualitative risk management clearly fails in this
case. In the context of multi-scenario planning, which may credibly reveal risk and
opportunity impacts on objectives, qualitative risk management is not relevant.
The quantification of risk scenarios primarily enables transparency, a sound discussion
basis, prioritisation and comparison with other risks. It also supports the
identification of risk interdependencies and objective-based risk aggregation. It forces
companies to think through a risk scenario holistically and to check its plausibility by
means of quantification. If risks are classified purely verbally or only in rough risk
classes, the underlying scenario development is often carried out relatively imprecisely
and too broadly.
Peter Drucker is credited with one of the most important quotes in business management:
“If you can’t measure it, you can’t improve it.” This quote is specifically true also
for ERM. If companies are reluctant to express the uncertainty attached to business
objectives quantitatively, then they cannot possibly improve risk-based decision-making.
In summary, we are convinced that modern ERM is only possible on the basis of
quantitative risk assessment. It is important to understand that risk quantification is
only a small but crucial part of the ERM puzzle. Properly understood and applied, risk
quantification creates the best possible discussion about uncertainty in the future.
Incorrectly applied, it leads to little credibility and a high potential for
frustration. In practice, it is now a question of reducing these hurdles through the
success stories of companies that benefit from quantitative risk management. Risk
quantification outside the financial industry is still very critically assessed or
partially demonised in practice. It is a well-researched subject area that has been
waiting for years to diffuse into practice. This textbook encourages students to perhaps
introduce this approach later in their professional lives, or at least to take a
positive stand for it.
3.4.2.2 Develop Quantitative Key Risk Scenarios
At this point, it makes sense to clarify precisely what we mean by quantitative scenario
development, and in particular how this approach differs from other risk assessment
methods in the area of risk management or common corporate planning and budgeting.
First, we want to differentiate quantitative risk analysis from simple sensitivity
analyses applied in budgeting processes. In practice, it is usually put forward that
financial plans and budgets are supplemented with a pessimistic (lower bound, e.g. 90% of
planned values are achieved) and optimistic (upper bound, e.g. 110% of planned values are
achieved) “risk” scenario, and that risk analyses have thus already been applied.
Although such simple sensitivity analyses have their legitimacy, they are subject to some
significant disadvantages from an ERM point of view (see similar Rees 2015, p. 89):
• Very pessimistic or very optimistic scenarios (extreme values) are often not
incorporated; thus such plans usually cover only a part of the entire risk distribution.
• Usually, no probability assumptions are included in such sensitivity analyses; thus no
comparisons can be made with the risk appetite statements (if appropriately defined)
and no probabilistic risk aggregation can be performed. Moreover, it remains unclear how
much uncertainty is attached to the different scenarios.
• It is not clear if the lower and upper bounds (sensitivities) comprise only true risks
or whether the plan could be optimised by simple management decisions.
• The expected value of the plan is unknown. Expectation values usually differ from the
most probable outcome (which is the plan).
• The different risk sources which may impact the plan are not fully known, nor are they
separately identified and recorded.
Now that we have briefly clarified that sensitivity analyses are no substitute for genuine
risk quantification, we would like to briefly address the traditional risk quantification
by means of probability of occurrence and impact. As previously discussed, several
problems are attached to that simple procedure. The majority of the risks cannot be
comprehensively described as “single risk events”. For example, it is obvious that
interest rate changes, oil price fluctuations, fluctuations in sales, market entry of
competitors and many more risks can have different consequences. Even risks that are
supposedly considered binary risks in practice (either the risk event occurs or not) are
in fact more complex. A risk of a machine breakdown can manifest in different states,
e.g. only one machine breaks down for a very limited time with minor consequences, or
several machines have a more significant defect at the same time, which leads to
production downtimes. These different states are called “risk scenarios”.
The basic idea with scenario development is to produce a robust and reliable range of the
most relevant possible future states of the same risk. In many cases, it is not possible
to define only one state of a risk, assuming a risk has exactly one probability of
occurrence and exactly one impact. Thus, we need to develop so-called “risk
distributions” which cover very pessimistic, but also very optimistic scenarios and some
scenarios in between, with different probabilities of occurrence attached to every
scenario.
Another reason why there is a need to fully quantify all future risk states, independent
of their source, is integration. In order for risk management and corporate planning to
be integrated, a common ground must be found, i.e. risks must be quantified. A true
integration of risk management and corporate planning can only be achieved through
linking the financial impacts with financial plans. This makes plan deviations caused by
potential risks transparent and visible. These potential deviations should be discussed
by management and can either be accepted (if within risk appetite or if the
corresponding upside potential is high) or actively managed toward an acceptable level
(if risk appetite is exceeded). In other words, quantitative risk scenarios ultimately
support decision-making processes.
As previously mentioned, risk scenario analysis is a practical, highly effective tool to
conduct risk assessments. It supports the identification of cause-and-effect chains when
thinking through individual scenarios and thus incorporates interdependencies
(correlations) with other risks (e.g. a volcanic eruption scenario leads to an economic
downturn, which in turn leads to a loss of sales, which ultimately reduces free cash
flow in year 201X).
The question at this point is: How many risk scenarios per risk have to be developed to
produce a “robust risk distribution”? The answer is not straightforward and is related to
our deterministic risk assessment approach. Let us assume that we assess the risk of a
new competitor entering the market. We have already captured the very pessimistic
scenario as part of the risk identification process and assessed it with a rough loss
potential. It qualified as a key risk and thus is considered for detailed quantitative
risk scenario development. The following example is the result of an interview with a
strategic management representative. It describes a quantified, very pessimistic risk
scenario with a probability of occurrence attached and an EBIT amount in EUR.
Example
Mr Grob (risk manager) and Ms Frozen (strategic management representative) developed
during the risk quantification interview the following very pessimistic risk scenario:
Next year, a new competitor will enter the market that can take market shares of up to
40% from us next year and 20% the year after next. After three years, our innovative
products, which are currently in the development phase, will enable us to push this
competitor out of the market again. Based on my industry experience, this can happen
with a probability of 3%. If we lose 40% and 20% of market share in the next two years,
this would have a cumulated negative impact on revenues (EUR -5 million), but also a
positive impact on costs (less personnel needed, EUR +1 million). Ultimately, EBIT of
this product line is reduced by EUR 4 million.
The next step is to quantify the very optimistic scenario in the same way. Three
different quantified scenarios are then available:
• Very pessimistic scenario (probability of occurrence < probability of plan)
• Plan (no real risk scenario, as it is expected)
• Very optimistic scenario (probability of occurrence < probability of plan)
From a stochastic perspective, these three scenarios could be input parameters for a
so-called triangular distribution. However, since we do not use stochastic distributions,
we use these three risk scenarios as deterministic individual risks that must be drawn
mutually exclusively in a simulation model. All three scenarios have their own,
pre-defined probability of occurrence. We assume for simplicity that the planned values
are in line with expected values. In practice, plan values often correspond to the values
that are most likely to be realised. This makes sense from a management perspective. It
is counterintuitive from a planning perspective not to plan with the values that are
assumed to have the highest probability of realisation. However, such plan values are
not identical with (statistical) expected values. The consideration of
probability-weighted risk scenarios can lead to a deviation between planned values (based
on most likely cases) and expected values of the plans (after simulation). In principle,
this probability-weighted deviation could then flow back into the planning and lead to an
adjustment of the planned values. In an ideal world, this would be the best approach. The
more pragmatic view is to accept this “statistical error” and to leave plan values as
they originally came about: as the most probable values.
From a logical perspective, it makes no sense for an individual risk scenario of one risk to have a higher probability of occurrence than the plan. In this case, it can be assumed that the plan is unrealistic (perhaps too optimistic, but certainly not in line with expectations). However, it may well be that the summed probability of all risk scenarios is higher than that of the plan. This can easily be checked for plausibility: in practice, the uncertainties associated with planning are so high that it is very likely that the planned value will not be realised. Or to put it another way: the probability that the plan can be executed 100% perfectly is extremely small.
From a risk perspective, it is certainly crucial to know the very pessimistic scenario and to compare it with the very optimistic scenario (risk-reward management). As a rule, however, these two deviations from the plan are not yet sufficient to anticipate the future as comprehensively as possible. Often there are one or two less negative or less positive scenarios that are very realistic. For example, Ms Frozen could develop a less pessimistic scenario for the potential competitor entering the market: the competitor enters the market, but can only take 15% of the market share from us in its launch phase, and cannot establish itself in the market in the longer term. After one year, the competitor will have disappeared from the market again. In this case, EBIT is reduced by only EUR 2 million.
Figure 3.16 shows the previously discussed risk of “competitors entering the market”
in five different scenarios. The risk manager developed and evaluated these scenarios
together with the strategic management representative (or anybody else close to the risk).
The figure also shows that the five scenarios “imitate” a discrete statistical distribution.
The middle scenario corresponds to the plan; the two scenarios to the left and right of it
are probability-weighted deviations from the plan. The dashed line indicates that these
five scenarios do not represent a continuous distribution, but that the deterministic sce-
narios represent individual “events” from this distribution.
Of course, this type of deterministic risk modelling must also be viewed critically. Quantitative risk modellers will highlight some points why this approach might be problematic. Let us reconsider the above example of the risk of a market entry. Let us further assume that we have quantified this risk by means of five discrete risk scenarios, as shown in Fig. 3.16:
• Very pessimistic scenario, probability 5%, impact −EUR 4 million on EBIT
• Pessimistic scenario, probability 20%, impact −EUR 2 million on EBIT
• Plan (no real risk scenario, as it is the expected case), probability 52%, impact EUR 0 (plan perfectly achieved)
• Optimistic scenario, probability 20%, impact +EUR 1 million on EBIT
• Very optimistic scenario, probability 3%, impact +EUR 2 million on EBIT
Fig. 3.16 Example of quantitative scenario development (bar chart of probability of occurrence against impact on EBIT; the five bars are labelled 5%, 20%, 52% (plan/budget), 20% and 3%, grouped into downside risk and upside risk)
The individual probabilities of all scenarios must add up to 100%, otherwise we create a logical error. Why is this the case? Firstly, the four probabilities of the risk scenarios (deviations from plan) add up to 48% (5% + 20% + 20% + 3%). It follows that there is a 48% probability that the impact on EBIT is one of −4, −2, +1 or +2 EUR million, and thus a 52% probability that no risk scenario occurs.
Quantitative risk modellers could argue that this discrete risk distribution does not provide any information about the remaining 52% probability that no risk scenario occurs at all. However, for pragmatic reasons, we may assume that this remainder of the 100% (i.e. 52%) corresponds to the probability of achieving the plan. This can be justified by the assumption that the plan should have the highest probability of occurrence compared to every other single risk scenario.
One might further argue that it is too simplistic or simply wrong to assign a probability of occurrence to one deterministic outcome (impact on EBIT). From statistics courses, you are probably familiar with continuous distributions and their characteristics. Specifically, the probability that a realisation falls within a given set of values is defined as the integral of the probability density function over that set. The integral of a real-valued continuous density over one specific point (one specific value) equals zero. Thus, we face the situation that an outcome equal to any particular point (our deterministic risk scenario) has a probability of occurrence of zero, but is in fact not an impossible outcome (Levine 2015, pp. 8–9).
What does that mean for our example with five discrete risk scenarios? With the statistics of continuous distributions in mind, the probability of occurrence of any one discrete risk scenario is zero. This is definitely counterintuitive to how we developed that scenario: we assigned, for example, a probability of occurrence of 5% to the very pessimistic scenario. How can we resolve this apparent contradiction? In practice, risk management must provide a realistic and reliable distribution including very pessimistic and very optimistic scenarios, i.e. a mapping of the realistic full range of a risk. The single estimated impact numbers (e.g. −EUR 4 million on EBIT) are not meant to be precisely true, but rather represent meaningful averages of, in an ideal world, mutually exclusive impact intervals which together cover the full range of potential impacts:
• Very pessimistic scenario, probability 5%, impact interval −EUR 4 million to −EUR 3 million on EBIT
• Pessimistic scenario, probability 20%, impact interval −EUR 2.9 million to −EUR 1 million on EBIT
• Plan (no real risk scenario, as it is the expected case), probability 52%, impact interval −EUR 0.9 million to +EUR 0.9 million (plan achieved within this band)
• Optimistic scenario, probability 20%, impact interval +EUR 1 million to +EUR 1.9 million on EBIT
• Very optimistic scenario, probability 3%, impact +EUR 2 million or more on EBIT
With these five different scenarios, we have basically fulfilled the MECE principle developed by Barbara Minto in the late 1960s: the scenarios are mutually exclusive and collectively exhaustive. In other words, the scenarios defined in this way do not overlap and together contain all possible future impacts of a risk (i.e. the "full range" defined by the subject matter experts). From a simulation perspective, one of the five probability-weighted risk scenarios could now be chosen randomly. Within the chosen scenario's interval (e.g. −EUR 4 million to −EUR 3 million), a pre-defined statistical distribution (e.g. a triangular distribution) could then determine a discrete impact value (e.g. −EUR 3.35 million).
Quantitative risk modellers would certainly be more satisfied with this approach than with our simpler, deterministic modelling approach. From a purely statistical point of view, this approach would definitely be preferable: ranges of impacts are defined properly and the assignment of probabilities of occurrence is logically consistent (Levine 2015, p. 9). But we would like to remind ourselves again why we accept annoying the purists of statistical modelling with our simplistic approach:
• We do not want to create "black box" models which only risk managers understand. Thus, we rely on assessments of subject matter experts, supplemented with data if available. Our deterministic quantification approach is intuitive and can be understood by decision-makers. Stochastic models often cause discomfort and do not support the company's risk culture.
• In many cases, subject matter experts can assess "risk distributions" (i.e. probability-weighted full ranges of potential risk impacts) more realistically than available statistical distributions can (e.g. the normal distribution regularly underestimates tail risks).
• The simplicity of the deterministic approach is its strength: it does not require pre-defined distribution functions for every different risk scenario. The "statistical" distribution emerges from the scenario development itself.
• Ultimately, it is all about estimating the most realistic possible range of each individual key risk so that it can provide a solid basis for decisions. It is of lesser importance that, from a theoretical point of view, a deterministic scenario cannot occur with exactly the probability estimated by the expert. A certain theoretical statistical inaccuracy, which is undoubtedly associated with our approach, is consciously accepted for pragmatic reasons.
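The "pick one scenario, then draw within its interval" procedure described above, together with the two consistency rules the text insists on (the probabilities add up to 100%; the intervals neither overlap nor leave gaps), as an added example in Python that is not part of the book. The probabilities, intervals and point values are the ones listed in the text for the "competitor entering the market" risk; the EUR 3 million cap used when drawing inside the open-ended "+EUR 2 million or more" interval (OPEN_ENDED_CAP) and all function names are assumptions made here. The deterministic draw is the book's simple approach, the interval draw is the refinement that satisfies the statistical purists, and expected_impact shows that the probability-weighted deviation from plan is not zero even though the plan is the most likely scenario.

```python
# Added example (not from the book): the five-scenario quantification of the
# "competitor entering the market" risk treated as a discrete distribution.
# Probabilities, intervals and point values are those listed in the text; the
# cap on the open-ended "+EUR 2 million or more" interval is an assumption.
import random
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Scenario:
    name: str
    probability: float      # probability of occurrence over the holding period (one year)
    low: float              # lower bound of the impact interval, EUR million on EBIT
    high: Optional[float]   # upper bound; None means "or more" (open-ended)
    point: float            # deterministic point estimate used in the simple approach


# Values from the text; EUR million on EBIT, relative to plan.
COMPETITOR_ENTRY: List[Scenario] = [
    Scenario("very pessimistic", 0.05, -4.0, -3.0, -4.0),
    Scenario("pessimistic",      0.20, -2.9, -1.0, -2.0),
    Scenario("plan",             0.52, -0.9,  0.9,  0.0),
    Scenario("optimistic",       0.20,  1.0,  1.9,  1.0),
    Scenario("very optimistic",  0.03,  2.0, None,  2.0),
]

OPEN_ENDED_CAP = 3.0   # assumption: upper bound used when drawing inside "+2 or more"


def mece_problems(scenarios: List[Scenario], granularity: float = 0.1) -> List[str]:
    """Return the MECE violations of a scenario set (empty list = consistent).

    Checks the two rules from the text: probabilities must add up to 100%, and
    the impact intervals must not overlap and must leave no gap larger than the
    stated granularity (EUR 0.1 million in the text's interval list).
    """
    problems = []
    total = sum(s.probability for s in scenarios)
    if abs(total - 1.0) > 1e-9:
        problems.append(f"probabilities add up to {total:.2%}, not 100%")
    if any(s.probability <= 0 for s in scenarios):
        problems.append("every scenario needs a positive probability")
    ordered = sorted(scenarios, key=lambda s: s.low)
    for left, right in zip(ordered, ordered[1:]):
        if left.high is None:
            problems.append(f"{left.name} is open-ended but {right.name} lies above it")
            continue
        if left.high > right.low:
            problems.append(f"{left.name} and {right.name} overlap")
        elif right.low - left.high > granularity + 1e-9:
            problems.append(f"gap between {left.name} and {right.name}")
    return problems


def expected_impact(scenarios: List[Scenario]) -> float:
    """Probability-weighted impact: the (statistical) expected deviation from plan."""
    return sum(s.probability * s.point for s in scenarios)


def draw_deterministic(scenarios: List[Scenario], rng: random.Random) -> float:
    """Simple approach: pick one scenario by its probability, return its point value."""
    chosen = rng.choices(scenarios, weights=[s.probability for s in scenarios], k=1)[0]
    return chosen.point


def draw_interval(scenarios: List[Scenario], rng: random.Random,
                  cap: float = OPEN_ENDED_CAP) -> float:
    """Refined approach: pick a scenario, then draw a triangular value inside its interval."""
    chosen = rng.choices(scenarios, weights=[s.probability for s in scenarios], k=1)[0]
    high = cap if chosen.high is None else chosen.high
    mode = min(max(chosen.point, chosen.low), high)   # keep the mode inside the interval
    return rng.triangular(chosen.low, high, mode)


def simulate(scenarios: List[Scenario], runs: int = 20_000, seed: int = 1,
             interval: bool = False) -> List[float]:
    """Run the single-risk simulation and return the sorted impacts (EUR million)."""
    rng = random.Random(seed)
    draw = draw_interval if interval else draw_deterministic
    return sorted(draw(scenarios, rng) for _ in range(runs))


def percentile(sorted_values: List[float], q: float) -> float:
    """Empirical q-quantile (0 < q < 1) of an already sorted sample."""
    index = min(len(sorted_values) - 1, max(0, int(q * len(sorted_values))))
    return sorted_values[index]


if __name__ == "__main__":
    print("MECE problems:", mece_problems(COMPETITOR_ENTRY) or "none")
    print(f"plan deviation 0.00 vs expected {expected_impact(COMPETITOR_ENTRY):+.2f} EUR million")
    sample = simulate(COMPETITOR_ENTRY, interval=True)
    print(f"5th percentile {percentile(sample, 0.05):+.2f}, 95th {percentile(sample, 0.95):+.2f}")
```

Dropping the plan row from the list (so that the four deviation scenarios alone are fed to mece_problems) reproduces the "48% instead of 100%" error discussed in the text, and the gap between −EUR 1 million and +EUR 1 million is flagged as well.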
3.4.2.3 Store Key Risk Scenarios in a Database
This step brings us to the end of the assessment of all key risk scenarios. Once the key risks have been identified and quantified using the scenario technique, the following information is available for the next step in the ERM process:
• Very pessimistic, pessimistic, optimistic and very optimistic scenarios were developed for each risk. The planned value (expected scenario) is also available. Please be aware that for some risks, the optimistic and very optimistic scenarios do not exist (no upside potential).
• All scenarios were described verbally by means of plausible cause-effect stories. Care was taken to develop scenarios that are as precise and complete as possible and leave no room for interpretation. In practice, risks are unfortunately often described at too summarised and too aggregated a level.
• All scenarios have been assigned a probability of occurrence. The probability of occurrence must be defined consistently: it refers to the "holding period" of the risks, which is often one quarter or one year in industrial companies.
• Impact values must be consistently related to relevant performance measures. The best available measure would be internal company value. Only an internal company valuation (i.e. a discounted cash flow approach) is capable of capturing all future (including long-term) risk-related impacts. In reality, however, short-term measures such as EBIT or net profit will be more relevant, as many companies do not conduct internal company valuations. A good alternative to the often missing internal company value is to analyse the impact of risks on at least the next three expected operational financial figures (e.g. EBIT). This also allows risks that may have an impact beyond one year to be assessed meaningfully.
This information on all quantified risk scenarios must be stored and easily accessible. Simple software applications such as MS Excel are sufficient at this point. Table 3.1 illustrates how the relevant quantified risk scenario information could look.
Is the information collected by the ERM process so far already sufficient to support the subsequent ERM step "decision-making" in a reasonable way? Have we overlooked something? What about interdependencies between the individual risk scenarios? In order to make appropriate decisions, do we need to calculate the correlations between individual risks? And if so, can we even calculate these correlations without historical data? Assuming we have identified 50 individual risk scenarios, we would have to estimate 1,225 pairwise correlations ((50 × 50 − 50)/2). Have we thus discovered a problem that fundamentally calls our simple, man-made deterministic scenario approach into question? The good news is: no. Although assessing correlations is important in our approach, it is not crucial. The reasons are as follows (see similarly Segal 2011, pp. 208–215):
• The past has shown that historical correlations do not have good predictive power for the future. Calculating historical correlations from partly insufficient or outdated data often leads to a false accuracy that has little to do with reality. Overall, the quality of the ERM model does not primarily depend on individually accurate correlation coefficients. Exact correlations play a subordinate role in our ERM approach.
• Most positive correlations are already included in the scenario development. Cause-effect chains contain individual risks, which in turn trigger other risks. Hence, we can conclude that within scenarios various individual risks have been linked by positive correlations. These links were developed on the basis of plausible "risk stories" by experts and not on the basis of historical data.
• However, some correlations may still exist between the key risk scenarios. For our purposes, it is sufficient to roughly determine whether and in which direction individual scenarios correlate. If two scenarios correlate completely positively (+1), they can be combined into one scenario. If two scenarios correlate partially positively or partially negatively (+0.5; −0.5), this can be taken into account in the subsequent risk simulation via an adjustment factor. If scenarios do not correlate (0), nothing needs to be done. Such adjustment factors (+0.5; −0.5) could be incorporated in Table 3.1 as a separate column.
• Generally, experience shows that most key risk scenarios are not interdependent at all (0). In fact, assessing correlations at the key risk scenario level is not as daunting a task as one might first suspect.
Table 3.1 Quantified risk scenario database
Key risk | Key risk scenario | Verbal description | Probability (per year) | Impact (EBIT)
1. Competitor risk | 1.1 Very pessimistic | Next year, a new competitor will enter the market that can take market shares of up to 40% from us next year and 20% the year after next…. | 3% | −EUR 4 million
1. Competitor risk | 1.2 Pessimistic | Next year, a new competitor will enter the market that can take market shares of up to 20% from us next year and 10% the year after next…. | 20% | −EUR 2 million
1. Competitor risk | 1.3 Plan | No competitor entering the market (expected) | 54% | EUR 0
1. Competitor risk | 1.4 Optimistic | Competitor enters, but is unable to succeed in the market and exits again after 1.5 years. Our company will be able to position itself a little better than before, which will lead to a moderate increase in sales over the next two years | 20% | +EUR 1 million
1. Competitor risk | 1.5 Very optimistic | Competitor enters, but is unable to succeed in the market and exits again after 6 months. Our company will thus emerge stronger and be able to position itself even better, which will lead to a significant increase in sales over the next three years | 3% | +EUR 2 million
2. Interest rate risk | 2.1 …. | …. | …. | ….
With this information at hand, we can now take the next important step in the ERM pro-
cess: We use all the quantified risk scenarios to support decision-making processes in the
best possible way.
3.4.3 Support Decision-Making
As already mentioned, the most important benefit of ERM is improving the quality of decisions under uncertainty. ERM has to actively support decision-making processes by creating a balance between management intuition and the rationality provided by risk management. Often, however, ERM programmes are too concerned with simple risk minimisation and isolated risk reporting, lack the link to real decision-making processes, and hence fail to add value to the company and its stakeholders. Modern, effective ERM aims at enhancing management's confidence in achieving objectives, making uncertainty transparent and supporting rational, risk-based decision-making.
Only if ERM is fully integrated into the decision-making processes of the organisation can we even refer to a "positive risk culture". Swiss Post, for example, defines this relationship in its risk policy as follows: "the risk management makes […] an important contribution to decision quality and to increase the value of the company." And the Chief Risk Officer of the Gotebank concluded a few years ago: "one of the things we have been struggling with over the last couple of years is how best to integrate meaningful high-level risk information into the strategic planning process. […] The reason why the risk management function is called 'strategic' is that the purpose should really be top-level coverage." Both statements point to the importance of ERM integration (Hunziker and Meissner 2017, p. 52).
In the following paragraphs, we discuss a few important preconditions for integrating risk information into decision-making processes and provide examples of how ERM information can be effectively visualised and integrated into strategic decisions and business planning.
3.4.4 Differentiate between Decisions and Outcomes
In practice, there is a latent danger of confusing a good or bad decision (high or low decision quality) with a good or bad outcome of a decision. Among other things, this can lead to wrong conclusions regarding the performance and quality of a risk assessment. Interestingly, not only are good decisions often equated with good results internally, but externals such as politicians, consultants or journalists also tend to differentiate too little between decisions and results (see similarly Spetzler et al. 2016, p. 6).
Assume a strategic decision to enter a new market leads to a negative result. The market launch has failed, which corresponds to the worst-case scenario quantified during the risk assessment process. Was a wrong decision made on the basis of our ERM approach? If the risk assessment was carefully prepared, and the risk-reward profile presented by the risk manager led to a rational decision (one that lies within the risk appetite), then the decision was not wrong. The decision was correct, although the result is obviously negative.
The quality of a risk assessment must be evaluated at the time the decision is taken. The reason for this is simple: decisions can be fully controlled by management, whereas the risk scenarios that materialise as a result of this decision can no longer be controlled. Unfortunately, reality often looks different: in retrospect, supposedly incorrect or inadequate risk analyses are used to explain poor results. This would only make sense if there were no uncertainty associated with the decision, and we know that in the vast majority of cases this is an unrealistic assumption in the business environment.
3.4.5 Overcome the Regulatory Risk Management Approach
One of the most dangerous obstacles to value-creating risk management is exclusive adherence to a defensive, regulatory risk management approach. What does that mean? Traditionally, many risk management systems have been designed to comply with certain legal regulations, such as KonTraG in Germany or the Swiss Code of Obligations in Switzerland. In order to facilitate the legally compliant implementation of risk management, frameworks and standards such as COSO ERM or ISO 31000 are used. In many cases, consultants are engaged to implement or optimise risk management so that the legal requirements are met.
Regulatory risk management thus means that the risk management process and the resulting reporting primarily serve to comply with external requirements. Regulatory risk management is usually defensive risk management. The dominant focus is on security and on the avoidance of errors and risks. Risks are treated negatively in the sense of "what can go wrong?" and are to be minimised or transferred as far as possible. Of course, defensive risk management is of high importance for corporate management in order to prove that risks are systematically identified and evaluated and that the company complies with the law. Under certain circumstances, this may eliminate the personal liability of decision-makers. The decisive question in this case is whether the relevant information and risks were adequately taken into account at the time of the management decision. Such regulatory risk management systems are often isolated, independent processes that are not coordinated with decision-making processes.
It thus becomes clear that regulatory risk management is important and can protect decision-makers to a certain extent. Every risk manager should therefore be familiar with country-specific laws and requirements and take them into account accordingly. However, such a regulatory risk management approach is not sufficient to increase the quality of decision-making in a company. A number of steps need to be taken to achieve this, which are briefly listed below. The list is far from complete, but in practice these are often the most important levers for shifting from regulatory risk management to value-creating ERM:
• Management assumptions and corporate strategy are regularly challenged by the risk manager
• Risk is redefined: risks are uncertainties which can have an upside potential, too
• The risk manager is welcomed at the strategy table
• Integration of risk information at the time decisions are taken
• Alignment of the risk management process with strategy development and strategy execution
• Quantification of all risks, independent of their source
• Focus on strategic risks, not on operational and financial risks
• Focus on the management of objectives, not on isolated risk management
• Risk management is understood as a service for decision-makers, not as a cost burden
Fulfilling these requirements serves as an important basis for shifting from a defensive, regulatory risk management approach to a decision-relevant ERM programme.
3.4.6 Overcome the Separation of Risk Analysis and Decision-Making
Specifically in medium-sized and larger companies, decisions are made at management level, whereas the necessary risk-relevant information is often processed at lower hierarchical levels and is thus separated from the decision-makers. This separation increases the risk of management relying primarily on intuition, personal preferences and experience, although more rational information could be used to support decision-making. This "decision opacity" may well be desired by management. For example, management may prefer very simple, qualitative risk assessments that do not reveal, or even disguise, the "true" risk exposure. The reason for this depends on the outcome of the decision: if a decision leads to a positive outcome, it is often attributed to high "management quality". However, if the result is unfavourable, poor and incomplete risk analyses from lower hierarchical levels can be held responsible. The following example illustrates such a case:
Example
A major manufacturer of medical products has to decide what its product portfolio should look like in the future. Management is aware that the strategic risks can result in a complete failure of the chosen strategy. Thus, the decision to introduce a new product line for medical implants must be subject to careful risk analysis. The risks and opportunities are discussed in a management meeting. Management comes to the conclusion that the new product line should be introduced. Based on their experience, the decision-makers assess the expected returns as significantly higher than the associated market risks.
Specific risk-relevant information from the risk manager was not taken into account for this decision. The risk manager is not a member of the management team and is not directly involved in relevant decisions. The half-yearly risk reporting to management and the board does not take place until two months later. By then, the risk manager will probably have taken notice of this strategic decision and included the risk in the risk inventory.
Risks at this company are assessed qualitatively on a five-point scale for probability of occurrence and impact. These measures are used to calculate an expected risk value. The reason for qualitative risk management is that strategic risks in particular are deemed not quantifiable due to their high complexity.
A few months after the introduction of the new product line, management has to admit that it made the wrong decision. The market was incorrectly assessed and the sales figures remained well below expectations. The market launch of the medical implants was a complete failure. The reason for the wrong decision was quickly found: the risk had been wrongly and inaccurately assessed by the risk manager. The expected value disguised the true extent of the potential impact. Management stated in its report to the board that an inaccurate and incomplete risk analysis was the reason for the failure of the launch.
If a scenario-based risk assessment had been integrated into management's decision-making process at the manufacturer of medical products, this poor result would have been visible beforehand as one negative scenario among all the others (including positive ones). Responsibility for the failure could then no longer have been shifted onto a poor and incomplete risk management approach.
The integration of risk-relevant, transparent information into decision-making processes is obviously also a question of corporate culture or risk culture. An appropriate risk culture that prevents qualitative risk assessments or very simple, static risk analyses increases management's responsibility for bad decisions. Even though such a positive risk culture is desirable from the company's point of view (including that of relevant stakeholders such as shareholders), it may not be in management's interest.
3.4.7 Assess Impact on Relevant Objectives
So far, we have dealt with the assessment of individual risk scenarios and stored them in some kind of database. Using a filter function, the top risks were selected and quantified by applying the scenario technique. These "intermediate steps" have already produced very important results, above all quantified key risk scenarios. Thus, every company has already engaged in valuable discussions about probabilities of occurrence, possible impacts on revenues and costs, and dependencies of individual risks on other risks as part of the scenario development. This in-depth analysis of various scenarios has already led to a significantly better understanding of risk compared to a purely qualitative approach. Initial considerations as to whether specific risks can be accepted or whether mitigation measures are beneficial can thus already be undertaken. The next, very important step is to analyse the impact of several risks and their risk scenarios on business objectives using the most sensible approach possible. Basically, there are many good reasons to deal with simulated risk aggregation:
• Risk aggregation supports decision-making on the execution of strategic initiatives or projects: does the risk taken justify the expected return? How does adding or mitigating risk exposure change the overall risk to a business objective?
• Risk appetite statements (see Sect. 3.5.6) can only be meaningfully applied when compared to the overall risk exposure related to specific business objectives.
• The uncertainty attached to the achievement of business objectives can be presented more transparently and comprehensively. All risk scenarios that simultaneously affect one or more specific objectives can be assessed by looking at an overall risk distribution. Decision-makers can get a good grasp of the "full risk range" (downside and upside risk) related to a specific decision or objective.
• Risk interdependencies can be incorporated in aggregated risk models. Diversification effects can thus be taken into account.
• The prioritisation of risk mitigation measures can only be carried out meaningfully if the relative benefit of the measures can be assessed. It is not very helpful to manage individual risks effectively if their relative contribution to the overall risk exposure does not justify the effort.
• Theoretically, a fully aggregated risk model at the highest corporate level could be used to compare the current risk exposure with the available equity capital. This would make it possible to include risk-bearing capacity considerations similar to those in financial institutions. Since, however, securing the company's existence is not the main objective of our understanding of ERM (remember: it is increasing the quality of decision-making under uncertainty), and the calculation of a single aggregated risk measure is associated with considerable problems, we will not go into any further detail.
• After all, properly conducted risk aggregation supports the creation of a balance between intuitive assessments by management and the more objective, rational information provided by risk analysis in decision-making processes (Rees 2015, p. 62).
Basically, only simulation models are capable of meaningfully assessing the impact
of multiple risks on a specific business objective. However, in practice there is still a
great reluctance to specifically simulate risks (using Monte Carlo (MC) simulation),
although this is not justified. MC simulation is often accused of something “voodoo-
like” that leads to results that are unrealistic and incomprehensible. That is certainly
wrong. MC-Simulation only translates input in exactly the way it is fed in by humans.
It shows in a structured way what potential realities a company might face by calculat-
ing and representing all possible future uncertainties (entered into the model) in a prob-
ability-weighted way. This has not much to with “voodoo”. In addition, meanwhile,
computing power is no longer an issue. Simulations that deal with key risks (we remem-
ber—between 20 and 50 at most) or their scenarios usually only take a few seconds to
calculate the current risk exposure.
For the high complexity or the failure of many risk models in practice, MC simulation
is not the problem per se. Two reasons why we observe many overly complex risk mod-
els in practice are the following:
• Often, the important filter function within the ERM process does not properly work
or is inexistent. Practitioners tend to consider many (too many) uncertainties (risks)
as important and essential. This problem is particularly exacerbated when people are
involved in risk modelling who may be unfamiliar with the uncertainty to be assessed
(e.g. risk assessments in not well-led workshops). This can lead to as many risks and
opportunities as possible being included in a risk model so that nothing is “over-
looked”. The risk model can thus quickly become too cumbersome and complex and
no longer focuses on key risk aspects.
• Moreover, practitioners often wish to cover all uncertainty-related problems within
one single risk simulation model. This is often reinforced by extant literature on com-
paring total risk exposure (expressed in one single metric) to risk appetite to decide
upon the required equity cushion to bear a certain “risk level” (specifically in the
financial industry). However, such models attempting to aggregate all possible uncer-
tainties within one risk model often fail due to complexity.
3.4 Assess Key Risk Scenarios
120 3 Creating Value Through ERM Process
However, risk aggregation regularly poses major practical challenges. In practice, various methods other than MC simulation can be observed, but these must be viewed very critically. Two of them are briefly described below.
3.4.8 Avoid Pseudo-Risk Aggregation
In practice, very pragmatic methods of risk aggregation can be observed, but they fail to achieve their goal or can be classified as dangerous because they lead to a distorted overall view of risk. Let us look at the five management assumptions of the ski manufacturer from the example in Fig. 3.5:
• Customer acquisition (marketing campaign) + 10%
• Stable exchange rates
• No new competitor
• No inflation
• Good to very good snow conditions
These are five individual assumptions that were analysed in more detail within the scope of quantitative scenario development. For simplicity’s sake, we will look only at the respective very pessimistic scenarios of the five management assumptions, which are all uncorrelated (independent of each other). These were assessed as shown in Table 3.2.
The first method of risk aggregation of all pessimistic risk scenarios that can affect the “ski sales” objective is the simple addition of all impact values (see similarly Gleißner 2004, pp. 353–354). In this case, the overall impact on the sales objective would be $2,550,000. However, this approach neglects the probability of occurrence of each single pessimistic risk scenario. The amount of $2,550,000 is completely useless in decision-making processes because it represents a significant overestimation of the true risk exposure. This large $-impact represents a situation where all single risk scenarios occur in the same year. Of course, this is very unlikely to happen. The probability that the five risk scenarios in the example will occur simultaneously is only 0.000075%. If the risk manager applies this aggregation method and includes the aggregated scenario of $2,550,000 in his or her risk reporting, then wrong risk mitigation measures may be adopted and resources unnecessarily wasted. In addition, the risk manager weakens the credibility and thus his or her position as a “source of rationality”.
Table 3.2 Very pessimistic risk scenarios
Uncertain assumption | Very pessimistic scenario | Probability of occurrence | Impact
Customer acquisition (marketing campaign) + 10% | −20% customer base | 5% (1/20) | −$300,000
Stable exchange rates | −10% $/€ | 10% (1/10) | −$200,000
No new competitor | −25% market share | 3% (1/33) | −$1,200,000
No inflation | 3% inflation | 5% (1/20) | −$350,000
Good to very good snow conditions | Bad snow conditions | 10% (1/10) | −$500,000
The second method of risk aggregation involves adding up the individual expected values of the risks. We have already learned that expected values are not true measures of risk. An aggregation with this method would result in a value of $296,000 (calculated as follows: 0.05*300,000 + 0.1*200,000 + 0.03*1,200,000 + 0.05*350,000 + 0.1*500,000). The major problem with this approach is that individual, rare risks with high impact potential are “hidden” in the expected value, i.e. are no longer transparent. For example, the risk of a competitor entering the market may impact revenues by −$1,200,000. Obviously, the sole occurrence of this single risk has a much higher impact on the company’s performance than the aggregated expected value of $296,000. From a mathematical point of view, an aggregation of individual expected values is correct because expected values are additive. However, a comparison of the risk tolerance of a project or a strategic objective with the aggregated sum of expected values makes no sense. The amount of $296,000 is the average expected impact over an infinite period of time. Expected values are not suitable as a measure for assessing individual serious risks that deviate from the expected risk levels.
Obviously, both methods are not suitable for risk aggregation, although they are very simple and pragmatic to apply and do not require a simulation model. We remain consistent with the principle in this textbook that we explicitly consider methods in risk management to be unsuitable if they are known not to work, but are still applied in practice.
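To make the comparison concrete, the following added Python example (not the book's code) works through Table 3.2: it computes the two pseudo-aggregates and, because the five scenarios are independent, enumerates all 32 combinations to obtain the exact distribution of the total annual loss, from which tail probabilities and loss quantiles can be read off without a simulation. Note that adding up the table's expected values gives $138,500; the $296,000 figure quoted in the text does not follow from the table values as printed, so the inputs behind it should be checked before reuse.

```python
"""Aggregating the five independent pessimistic scenarios of Table 3.2.

Added example: the probabilities and impacts are the table's values; the
code itself is not the book's. Because the scenarios are independent
Bernoulli events, the joint loss distribution can be enumerated exactly.
"""
from itertools import product

# (scenario, probability of occurrence per year, impact in USD), Table 3.2
SCENARIOS = [
    ("customer base -20%", 0.05, 300_000),
    ("USD/EUR -10%", 0.10, 200_000),
    ("new competitor, -25% market share", 0.03, 1_200_000),
    ("3% inflation", 0.05, 350_000),
    ("bad snow conditions", 0.10, 500_000),
]


def naive_sum(scenarios):
    """Method 1: add all impacts and ignore probabilities (overstates exposure)."""
    return sum(impact for _, _, impact in scenarios)


def expected_value_sum(scenarios):
    """Method 2: add expected values (hides rare, severe single risks)."""
    return sum(p * impact for _, p, impact in scenarios)


def probability_all_occur(scenarios):
    """Probability that every scenario hits in the same year (independence)."""
    prob = 1.0
    for _, p, _ in scenarios:
        prob *= p
    return prob


def loss_distribution(scenarios):
    """Exact distribution of the total loss as {total_loss: probability}."""
    dist = {}
    for outcome in product((False, True), repeat=len(scenarios)):
        prob, total = 1.0, 0
        for occurs, (_, p, impact) in zip(outcome, scenarios):
            prob *= p if occurs else (1 - p)
            total += impact if occurs else 0
        dist[total] = dist.get(total, 0.0) + prob
    return dist


def loss_quantile(dist, level):
    """Smallest loss L with P(total loss <= L) >= level, e.g. level = 0.95."""
    cumulative = 0.0
    for loss in sorted(dist):
        cumulative += dist[loss]
        if cumulative >= level:
            return loss
    return max(dist)


def prob_loss_at_least(dist, threshold):
    """Tail probability P(total loss >= threshold)."""
    return sum(p for loss, p in dist.items() if loss >= threshold)


if __name__ == "__main__":
    dist = loss_distribution(SCENARIOS)
    print(f"naive sum of impacts:    {naive_sum(SCENARIOS):>12,.0f}")
    print(f"sum of expected values:  {expected_value_sum(SCENARIOS):>12,.0f}")
    print(f"P(all five occur):       {probability_all_occur(SCENARIOS):.6%}")
    print(f"P(loss >= 1,200,000):    {prob_loss_at_least(dist, 1_200_000):.2%}")
    for level in (0.90, 0.95, 0.99):
        print(f"loss at {level:.0%} confidence: {loss_quantile(dist, level):>12,.0f}")
```

The enumeration is what a Monte Carlo run converges to for this small, independent case; with dozens of correlated scenarios the same questions (tail probability, loss at a given confidence level) are answered by simulation instead.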
3.4.9 Develop Useful Risk Appetite Statements
Risk appetite is currently probably one of the most controversially discussed topics in the field of ERM. No other keyword makes policy makers, risk professionals and consultants alike admit that the development of decision-relevant risk appetites is difficult and that it is even more difficult to implement these in practice. Some fundamentally question the definition of risk appetite, others simply prefer qualitative statements and still others believe that risk appetite must be quantified. Few detailed and convincing examples have been published that articulate risk appetite properly. It may be argued that companies having defined risk appetite statements often are sensitive about sharing their methodologies with the larger community (RIMS 2012, p. 5).
How is risk appetite defined? Risk appetite is the amount of risk a company is willing to accept in pursuit of its objectives and is directly related to the company’s strategy. It may be expressed verbally or quantitatively as the acceptable balance between risk and return. It is often claimed that without a clearly defined risk appetite, there is no objective for the risk management process as to what it should focus on. Ultimately, some argue that the most important goal of ERM is managing the overall risk exposure as close as possible to the defined risk appetite and keeping it within a certain tolerance limit. However, practical experience shows that risk appetite is often defined incorrectly, insufficiently, not at all or not used for decision-making. In addition, one can observe a rather low level of maturity of risk appetite dialogues in many companies.
The development of risk appetite statements seems to be very difficult in practice. Some companies formulate risk appetite in a few words, e.g. as “generally low”, while others consider quantitative measures (limits, e.g. in relation to EBIT, enterprise value, cash flow) to be more suitable. According to a recent study of the Lucerne School of Business and SwissERM, only 25% of Swiss non-financial companies have fully documented risk appetite statements. Every fifth Swiss company does not state risk appetite at all. For the remaining 55 percent, risk appetite is only poorly or partially documented. Results of a recent study by EY (Ernst & Young 2015, p. 8) show similar results for the financial industry: although the definition of risk appetite is one of a CRO’s top priorities according to the study, only slightly more than 40 percent state that they have determined and successfully transferred risk appetite to business activity.
The following reasons may explain the problems with risk appetite in practice:
• It is often wrongly assumed that risk appetite can somehow be calculated and derived directly from the ERM process. This, however, is completely wrong. Risk appetite is a matter of judgement based on each company’s specific circumstances and objectives. Risk appetite is independent of the current risk exposure a company faces. It is rather a sound assessment made by management and the board of directors of the maximum acceptable level of risk exposure from the perspective of the most relevant stakeholders (in many public companies the shareholders). Experience has shown that the definition of risk appetite is a very challenging process requiring a great deal of discussion and consensus (KPMG 2008).
• Risk appetite statements are often used to communicate corporate values to stakeholders rather than serving as an internal decision-making criterion. For example, statements are made in published risk policies or in annual reports that risks relating to personal harm are not accepted. From the point of view of the stakeholders, this reads admirably and often matches their own values. However, such qualitative, general phrases hardly guide the company’s day-to-day actions. What does it mean, for example, for a hospital not to accept any risks that might harm people? If this statement were applied strictly, the core business of the hospital (e.g. surgeries on patients) could no longer be carried out.
• Often the comparison between risk exposure and risk appetite is not possible because the two factors are measured differently. Most companies do not quantify and aggregate risks into a risk-oriented figure such as EBIT at Risk (EaR) or Cash Flow at Risk (CFaR). Often risk registers only contain individual risks. It thus does not make sense to define a risk appetite in relation to EBIT or cash because the key figures required for comparison are not available.
• The quantitative definition of risk appetite creates potentially unpleasant transparency, accountability and vulnerability not desired by management. If, for example, it turns out that the current risk exposure significantly exceeds the defined risk appetite, this can lead to unpleasant situations and requires justifications by management. A subsequent adjustment of the risk appetite to the current risk exposure will potentially considerably reduce the credibility of the entire ERM programme.
• Risk appetite is sometimes confused with risk tolerance. Risk appetite is derived from the company’s objectives; it is a statement of how much risk the company is willing to take in terms of markets, services and products to achieve the level of return required by the stakeholders. Risk tolerance, on the other hand, is the maximum risk a company can bear in order to avoid becoming illiquid or insolvent, no longer complying with legal requirements or no longer meeting its obligations to customers and suppliers. Thus, risk appetite and risk tolerance are fundamentally different concepts.
• Risk appetite statements explicitly define the boundaries within which management is expected to run the company, i.e. which decisions may be taken and which not. It is thus crucial that everyone at the highest hierarchical level of the company is involved in the process of risk appetite definition. However, very often, risk appetite is not equally well known and accepted at executive and board level. In many cases risk appetite statements remain ineffective, i.e. they have little or no influence on decisions.
• Statements at too aggregated a level, formulated purely qualitatively, are often not actionable. An example of this is: “risks that put the existence of the whole company at stake should be avoided”. Basically, this reads nicely and is fully comprehensible. But how can the company concretely act on that statement? How is this risk appetite statement actually implemented in day-to-day business actions? Which decisions are actually affected by such a general risk appetite statement? Probably none. Such statements are no guidelines for action.
In principle, it is beyond doubt that a thorough dialogue to establish risk appetite statements is very important. It seems important that the risk manager can be present at these discussions and, if necessary, answer initial questions on possible risks and their management. Research on risk appetite is still in its infancy. Empirically validated recommendations for the definition of risk appetite cannot be provided. However, experience shows that it is worth considering the following questions:
• What kind of risks should be accepted to successfully pursue our strategy? For example, a company aims at increasing market share. A risk appetite statement could read as follows: “We will aggressively expand in the DACH region to meet our market share objective of 5% and heavily invest in these markets. Thus, we accept the risks attached to that growth strategy.”
• What kind of risks should we not accept? For example, a company tries to avoid any sources of risk that can negatively affect corporate reputation: “In case a risk occurs which has the potential to harm our reputation, we will counteract as effectively and efficiently as possible”.
• What risks are our stakeholders willing to bear and up to what risk exposure? For example, “We will keep to a certain free cash flow target. Thus, we will monitor capital expenditures and investments closely to achieve the required cash flow level”.
• Is our risk appetite aligned with the desired risk culture? Risk culture consists of a set of shared attitudes, values and practices that defines how a company considers risk in its daily activities. The risk culture itself is primarily derived from an analysis of organisational practices, specifically rewards or punishments for risk-taking or risk-avoiding behaviour (Collier and Agyei-Ampomah 2006). In a modern ERM approach, risk management should encourage balanced risk-reward management by defining risk appetite statements which put emphasis on connecting risk with opportunities (reward).
• Is our risk appetite aligned with risk tolerance? Basically, risk appetite should not exceed the maximum amount of risk bearable from a risk capital (equity) perspective.
• Do our risk appetite statements facilitate consistency in the strategic planning and budgeting processes? Do they actually guide these processes in the sense of setting relevant risk boundaries to plan within?
• How do our competitors set their risk appetite? Is it higher or lower than our risk appetite, and if so, why is this the case? (Proviti 2013, p. 3)
• Do we communicate externally about our risk appetite statements? This can signal good, proactive ERM practices and corporate governance to stakeholders and thus enhance the reputation and trustworthiness of the company (Willis 2015, p. 5).
Of course, the answer to these questions is a very individual matter. There is no best solution that fits all companies equally. Companies with a high risk appetite generally focus more on the potential for more aggressive growth in value and earnings. As a result, these companies are willing to take a higher risk in return. High-potential, high-risk growth start-up companies (must) have a high willingness to take risks and are generally willing to accept greater volatility. Conversely, companies with a lower risk appetite are generally more risk averse as they focus on stable growth and earnings. They tend to hedge possible market fluctuations and are often strongly influenced by legal and regulatory requirements.
As Sidorenko and Demidenko (2017) correctly point out, most companies have already defined many risk appetite statements for decision-making and pursuing objectives even if they are not explicitly called “risk appetite statements” (p. 20). Indeed, if we look at investment policies, internal control documentation, procurement policies and board level policies, we usually can find a vast number of different risk appetite statements. For example, many internal control systems clearly define segregation of duties and zero tolerance for fraud risk. Companies usually develop finance policies which, for example, define the maximum amount of petty cash held on a daily basis. Investment policies provide accurate guidelines for the minimum ratings required from Standard & Poor’s or Moody’s for any investments or explicitly list prohibited investment practices such as trading structured products.
In line with the recommendations contributed by Sidorenko and Demidenko (2017), we recommend collecting all existing risk appetite statements within current guidelines, policies and other management tools such as quality management or internal control systems. They should be reviewed and monitored on a regular basis. Monitoring in this context means that the risk manager may assess these statements with regard to the following aspects:
• Up-to-dateness. Do the risk appetite statements correspond to the current company objectives and the current business model?
• Consistency. Are the individual company objectives and risk appetite statements compatible with each other? It is pointless to pursue an aggressive growth strategy and at the same time formulate a risk appetite statement that investment risks should be kept to a minimum. It is also useless to define the same risk appetite statements for all investments, independent of the expected return (and risk) of each investment.
• Adherence. Are the individual risk appetite statements actually adhered to? Do they impact decisions correctly? It is pointless to define concrete risk appetite statements in a policy that is not even considered for decisions (e.g. an outdated or unknown policy).
• Appropriateness. Are the individual risk appetite statements realistically defined? Does it make sense to define them so narrowly or broadly under the given strategic objectives? For example, it is pointless for a hospital to define a statement that “allows zero tolerance for harm to patients”.
• Specificity. Some companies use very general descriptions of risk appetite statements such as “we adhere to a very low overall risk appetite” or “we accept a quite high risk appetite to satisfy our stakeholders”. We consider such broad statements too vague to be effective. Specificity largely decides whether risk appetite statements are actionable on a daily basis. It often depends on whether statements are expressed qualitatively or quantitatively. In the latter case, specificity is usually higher: it is easier to implement a statement that allows a maximum of 30% of cash on a single bank account than a statement which asks for adhering to low counterparty risk.
The critical question remains: is it useful for any company to create and develop new risk appetite statements not already covered in existing policies, documents and guidelines? In some cases, this might be true. For some risks identified by means of e.g. challenging management assumptions, no or not all risk appetite statements can be found in corporate policies or guidelines. Usually, most of the missing appetite statements relate to enterprise-wide, long-term, strategy-relevant risks, i.e. many key risks identified through our ERM approach. In contrast, many of the already existing risk appetite statements are more operational in nature.
To illustrate this, let us revisit the example of the maximum amount of cash allowed in the company cash register per day. Clearly, this is a very operational risk and not critical to the company’s success. Petty cash risk will usually not qualify as a key risk and thus is not relevant for achieving the strategic objectives. So it may be necessary to develop further risk appetite statements which address key risks and their (aggregated) impact on specific high-level performance goals or key performance indicators. Such risk appetite statements can be defined multidimensionally and preferably quantitatively, for example in terms of acceptable changes in company value, reputation, sales growth, cash flow stability, earnings per share, rating level and EBIT. However, remember that too high-level or too generally stated risk appetite statements are no longer actionable and monitorable, such as: “our overall risk appetite is as follows: we like to create a reasonable rate of return at a low to moderate level of risk with a well-diversified project portfolio.” The following example illustrates how such risk appetite statements can be formulated in concrete terms and it summarises the discussion so far on risk appetite.
Example
The ERM committee of a Swiss travel company, consisting of five members (CEO, head of division A, head of division B, risk manager, CFO), has been tasked with the definition of risk appetite statements. A half-day meeting is scheduled to prepare a proposal for the board of directors. The risk manager has already clarified in previous meetings with the management for which strategy-relevant objectives corresponding risk appetite statements are to be defined. In addition, the risk manager has already thoroughly analysed existing policies, guidelines and documents for risk appetite statements and summarised them in a list.
The company applies internal company valuation as a risk-based decision-making tool, by which risk-reward contributions of future investments and projects can be assessed. The identified key risks for the travel company are incorporated in the company valuation model (discounted cash flow method) and allocated to the individual line items (i.e. sales, costs). Using a Monte Carlo simulation, key risks and their effects on the planned company value can be simulated. The risk manager has concluded that the existing policies and guidelines do not contain any statements on risk appetite with regard to the two relevant objectives, sales and company value. These missing appetite statements refer to the company-wide, aggregated impact of risks, which is not covered in existing policies. These risk appetite statements need to be newly developed.
During the risk appetite meeting, the risk manager plays a decisive role in moderating this delicate discussion. She is aware that the people present from the risk committee represent different roles, perspectives and interests, which can make consensus finding a difficult task. After an intensive discussion, various risk appetite statements were prepared. In Table 3.3, an excerpt of the results of this risk appetite meeting is presented.
In the next step, the ERM committee assessed the different risk exposures for the next twelve months. The risk manager prepared this information together with risk owners before the meeting. The committee also decided to define soft and hard limits with regard to the sales and company value targets. Soft appetite statements can be temporarily exceeded if a profitable project can be realised with a certain expected positive net present value and internal rate of return (IRR). Hard limits, on the other hand, must not be exceeded at any time. If this is the case, the overall risk exposure needs to be reduced accordingly.
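The two “newly developed through ERM model” statements in Table 3.3 compare a simulated probability of loss against a soft and a hard limit. The following added Python example, which is not the book's or the travel company's model, shows the mechanics end to end with a constructed toy valuation (sales times EBIT margin times a valuation multiple) and assumed distributions for three key risks; only the loss shares (25% of company value, 15% of sales), the soft/hard limits and the status wording are taken from the table, everything else is an assumption.

```python
"""Checking risk appetite statements against a simulated risk exposure.

Added example in the spirit of the travel company in Table 3.3. The valuation
model, the key risk distributions and all numeric parameters are assumptions;
the appetite shares, soft/hard limits and status wording follow the table.
"""
import random


def simulate_value_changes(n_runs, seed=7, base_sales=100.0, margin=0.12,
                           multiple=8.0, sales_vol=0.08, margin_vol=0.02,
                           event_prob=0.05):
    """Toy valuation: company value = sales * EBIT margin * EV/EBIT multiple.

    Three assumed key risks drive one simulated year: a demand shock on sales,
    margin pressure, and a rare event (e.g. a travel warning for a main
    destination) that loses 10-30% of sales. Returns a list of
    (relative sales change, relative company value change) versus plan."""
    rng = random.Random(seed)          # fixed seed keeps the run reproducible
    plan_value = base_sales * margin * multiple
    results = []
    for _ in range(n_runs):
        sales = base_sales * (1 + rng.gauss(0.0, sales_vol))
        if rng.random() < event_prob:
            sales *= 1 - rng.uniform(0.10, 0.30)
        value = sales * (margin + rng.gauss(0.0, margin_vol)) * multiple
        results.append(((sales - base_sales) / base_sales,
                        (value - plan_value) / plan_value))
    return results


def exceedance_probability(changes, max_loss_share):
    """Share of simulated years in which the loss exceeds max_loss_share."""
    hits = sum(1 for c in changes if c < -max_loss_share)
    return hits / len(changes)


def appetite_status(exposure, soft_limit, hard_limit):
    """Status wording of Table 3.3: a soft limit may be exceeded temporarily
    (for a sufficiently profitable project), a hard limit never."""
    if exposure > hard_limit:
        return "Exceeds hard limit"
    if exposure > soft_limit:
        return "Exceeds soft limit"
    return "Within risk appetite"


def evaluate_statements(results):
    """Compare the two newly developed appetite statements with the exposure."""
    sales_changes = [s for s, _ in results]
    value_changes = [v for _, v in results]
    # (statement, simulated changes, max loss share, soft limit, hard limit)
    statements = [
        ("No more loss than 25% of company value", value_changes, 0.25, 0.10, 0.15),
        ("No more loss than 15% of sales", sales_changes, 0.15, 0.10, 0.20),
    ]
    report = []
    for text, changes, share, soft, hard in statements:
        exposure = exceedance_probability(changes, share)
        report.append((text, exposure, appetite_status(exposure, soft, hard)))
    return report


if __name__ == "__main__":
    for text, exposure, status in evaluate_statements(simulate_value_changes(10_000)):
        print(f"{text:<42} exposure {exposure:5.1%}  -> {status}")
```

The point of the structure is that exposure and appetite are measured in the same unit (a probability of a defined loss over one year), which is exactly what the bullet on incomparable measures above says is missing in most companies.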
It is probably the case that the currently hotly debated topic of “risk appetite” is somewhat overrated and is primarily promoted by academics and consultants. Basically, it is desirable for management to consider which risks should be taken and to what extent in order to achieve the business objectives. This discussion is very relevant and promotes the general discourse on the company’s attitude to risks. Risk appetite statements reflect the corporate culture and indirectly express the values and ethics of each company. However, risk appetite is often strongly influenced or even largely determined by the business model (e.g. return requirements of investors) and the industry (e.g. high reliability organisations versus financial institutions). The definition of risk appetite is thus not completely under the control of each individual company, but is often dominated by competition and market conditions.
Table 3.3 Risk appetite statements
Source | Risk appetite (yearly basis) | Limit (yearly basis) | Current exposure | Status
Newly developed through ERM model | No more loss than 25% of company value | Soft: probability of 10%; Hard: probability of 15% | Probability of 5% | Within risk appetite
Newly developed through ERM model | No more loss than 15% of sales (basis: 3-year average) | Soft: probability of 10%; Hard: probability of 20% | Probability of 12% | Exceeds soft limit
Finance policy | Rating downgrade of one level | Probability of 10% | Probability of 5% | Within risk appetite
Finance policy | Minimum required rating of AA for any investments | Better than AA | Full adherence | Within risk appetite
Board level policy | No more loss of reputation than 15 index points | Probability of 15% | Probability of 5% | Risk appetite exceeded
Internal control system documentation | Segregation of duties for all financial transactions | Full adherence | None | Within risk appetite
Code of conduct | Zero tolerance for child labour | Full adherence | None | Within risk appetite
3.4.10 Make Uncertainties Transparent and Comprehensible
Basically, a variety of approaches are available for presenting the quantified key risk scenarios in a meaningful way to decision-makers (tables, diagrams, graphs, text). First and foremost, the aim is to produce visualizations that are easy to understand and communicate and can support decision-making processes. It is tempting to produce complex and overloaded visualizations that look pretty but distract from the relevant information. At this point, we will briefly discuss the risk map again (the author promises to do this for the last time in this textbook). Unfortunately, risk (heat) maps still persist today as a visualization tool in risk reporting. We have already discussed the disadvantages of risk maps in detail. But they are a good example of how creative risk managers, academics, consultants and policy makers are when it comes to making a risk map as “sophisticated” as possible. We have seen “advanced” risk map approaches such as:
• The size of the circles (risks on the risk map) implies a degree of consensus between different experts.
• Different colours of the risk circles show different risk categories.
• Differently coloured arrows on the map show trends of risk (risk increases, decreases, is stable).
• Inserting a third dimension into the risk map, such as the controllability of risks or their probability of detection.
• More colours besides yellow, red and orange are used to further differentiate between bad, somewhat bad and good risks.
• Two risk maps are placed side by side, each showing the downside and upside potential of the individual risks.
These sometimes very colourful approaches usually do not bring any additional benefit, especially not for our main ERM objective: to improve the quality of decision-making. A risk map remains a risk map, no matter how much it is “further developed”. Hence, other approaches are needed to effectively visualise risks. The following examples are by no means exhaustive. However, there are three simple, meaningful options that have been well tested and work in practice. Working means in this context: the decision-makers understand the visualizations (they are kept as simple as possible) and the visualizations are directly linked to objectives and thus relevant for decision-making processes.
The first meaningful way to present the risks associated with business objectives effectively and simply originates from the discipline of decision analysis. It is called tornado diagram analysis. One of the first known publications where this is introduced can be found in the work of Howard (1988). The tornado diagram usually shows in descending order of importance the relative impacts of individual variables on an objective of interest such as company value, EBIT, net present value of projects or cash flow. Basically, a tornado diagram is similar to a common bar chart applied in sensitivity analysis for comparing the relative relevance of different variables. It helps to assess the degree to which each risk impacts the objective being assessed when all other risks are kept at their baseline values (planned scenario). Usually, a tornado diagram depicts all risks at their base values (plan) on the Y-axis and the X-axis shows the range (e.g. confidence interval of 90%) of the potential impact of each risk.
A tornado diagram is quite easy to prepare and requires only the quantified key risk scenario values. The diagram is intuitive to understand and looks like a tornado in profile, hence the name “tornado diagram”. It supports the decision-maker in focusing on the most relevant risk areas and their relative impact on business objectives. In addition, tornado diagrams contain downside and upside risk ranges. Thus, they are basically in line with our risk definition (deviation from plan) and support risk-reward decisions. Tornado diagrams may thus serve as a basis for prioritization of relevant risk areas and the subsequent decisions on risk mitigation. However, one must be aware that the diagram depicts no probabilistic information regarding the occurrence of each possible scenario on the range of each bar. Also, expected values (probability-weighted plan) are not calculated by this method. The different bars only provide a good first general impression of risky areas. Usually, the bars do not represent single risk scenarios; rather, they contain one or more different risk sources which have an impact on relevant areas of interest (e.g. line items of income statements, discounted cash flow statements or cash flow statements). Narrower or wider ranges indicate relatively less or more uncertainty given a pre-defined confidence level (see similarly Porter 2018, pp. 85–89). Figure 3.17 depicts an example of a tornado diagram.
As we can quickly notice, the diagram resembles the shape of a tornado. In descending order, the individual uncertain areas of interest (variables) and their impact on the planned EBIT are presented. Obviously, the price per unit shows the highest effect on EBIT. In the very pessimistic case (once in ten years, if the confidence level refers to one year) EBIT could fall below EUR 300. However, the price risk also includes a correspondingly high opportunity potential. In the best case scenario, EBIT could almost double (EUR 19,500) due to favourable price developments. However, it remains unclear what influence the company actually has on price setting. If one assumes that the company is a price taker, this uncertainty cannot be actively managed. In contrast to the price, the raw material risk, which has the second highest impact on EBIT, can be mitigated by appropriate hedging strategies. The vertical line in Fig. 3.17 is drawn through the baseline value, i.e. the planned EBIT for the corresponding year, which amounts to EUR 10,000.
Even tornado diagrams can lead to wrong decisions if it is not clear on which input parameters the individual ranges are based. Depending on which confidence level is set for the individual risks, broader or narrower bars result. The decision maker must thus know that in 10% of all cases reality is either (much) better or (much) worse than the bar shows. And this is precisely where the key problem is: we do not know what the value of EBIT will be if an extreme scenario (outside e.g. the 90% confidence level) occurs. The EBIT could even become negative if an extremely pessimistic scenario occurs. This leads us back to the risk appetite discussions. The crucial question here is: are the risk-based EBIT fluctuations still within the defined risk appetite? Does management accept, for example, that EBIT can fall below EUR 2,200 once in ten years if raw material prices develop very negatively? Does the corresponding upside potential justify taking that risk?
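As an added example (not the data behind the book's Fig. 3.17), the following Python code prepares a tornado diagram by one-at-a-time sensitivity analysis: a constructed EBIT driver model, whose plan value is EUR 10,000 as in the text, is evaluated with each driver at the ends of its assumed 90% range while all other drivers stay at plan, the resulting bars are sorted by swing and rendered as text. The drivers, their plan values and their ranges are assumptions.

```python
"""Preparing a tornado diagram by one-at-a-time sensitivity analysis.

Added example; the driver model and the 5%/95% ranges are assumptions,
chosen so that plan EBIT equals EUR 10,000 as in the text. Each driver is
swung to the ends of its 90% range while the others stay at plan; the bars
are sorted by swing so that the widest sits on top (the tornado shape).
"""

# assumed planning values: plan EBIT = 1000 * (50 - 20 - 15) - 5000 = 10,000
PLAN = {
    "price per unit": 50.0,
    "volume": 1000.0,
    "unit raw material cost": 20.0,
    "unit production cost": 15.0,
    "fixed cost": 5000.0,
}
# assumed 90% confidence ranges (5th, 95th percentile) for each driver
RANGES = {
    "price per unit": (42.0, 58.0),
    "volume": (850.0, 1150.0),
    "unit raw material cost": (16.0, 26.0),
    "unit production cost": (13.0, 18.0),
    "fixed cost": (4500.0, 5600.0),
}


def ebit(drivers):
    """EBIT = volume * (price - raw material cost - production cost) - fixed cost."""
    contribution = (drivers["price per unit"] - drivers["unit raw material cost"]
                    - drivers["unit production cost"])
    return drivers["volume"] * contribution - drivers["fixed cost"]


def tornado(plan, ranges, objective=ebit):
    """Return (plan value, bars); each bar is (driver, low, high, swing),
    sorted by swing in descending order."""
    base = objective(plan)
    bars = []
    for name, (low, high) in ranges.items():
        outcomes = []
        for value in (low, high):
            scenario = dict(plan)          # all other drivers stay at plan
            scenario[name] = value
            outcomes.append(objective(scenario))
        lo, hi = min(outcomes), max(outcomes)   # cost drivers flip the order
        bars.append((name, lo, hi, hi - lo))
    bars.sort(key=lambda bar: bar[3], reverse=True)
    return base, bars


def render(base, bars, width=40):
    """Text rendering: one bar per line, widest on top, '|' marks the plan value."""
    lo_all = min(bar[1] for bar in bars)
    hi_all = max(bar[2] for bar in bars)
    scale = width / (hi_all - lo_all)
    label = f"plan {base:,.0f}"
    lines = [f"{label:<24}{' ' * int((base - lo_all) * scale)}|"]
    for name, lo, hi, swing in bars:
        start = int((lo - lo_all) * scale)
        length = max(1, int(swing * scale))
        lines.append(f"{name:<24}{' ' * start}{'#' * length} [{lo:,.0f} .. {hi:,.0f}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(*tornado(PLAN, RANGES)))
```

Because each bar is produced by moving one driver at a time, the diagram carries no information about joint movements or probabilities inside the range, which is the limitation the text points out; the same `tornado` function works for any objective function and any set of ranges, not only the EBIT model used here.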
A second effective visual presentation of the key risk scenarios ideally complements the tornado diagrams: the representation of all very pessimistic scenarios, similar to Fig. 3.15 which distinguishes between key and non-key risks. In contrast to the tornado diagram, the key risk scenario diagram:
• Shows impact values based on worst case scenarios (very pessimistic scenarios) without any consideration of probabilities (see similar Segal 2011, p. 198).
• Contains only the downside impact on company objectives (what can go wrong?)
• Is based on source-based, single risk scenarios taken from the risk quantification process rather than on specific line items which may be impacted by several risks simultaneously.
The information offered in this diagram answers different questions than the tornado diagram in Fig. 3.17: What can happen if a very rare but very pessimistic risk scenario actually occurs, independent of its probability of occurrence? One could argue more technically that this chart takes into account so-called very rare “tail risks”. These risks fall outside the usually considered risks within a certain confidence level (e.g. 90% or 95%). In this case management is not interested in probabilities, but wants to know what can actually happen in the worst case and whether the company needs to be prepared for it or not. Figure 3.18 shows an example of a representation of very pessimistic key risk scenarios. As in the tornado diagram, the single risk sources are shown in descending order of relevance, again related to the planned EBIT of EUR 10,000.
Fig. 3.17 Example tornado diagram (EBIT@Risk at 90% confidence, EBIT forecast EUR 10,000; bars for price per unit, raw materials, production cost, quality cost, exchange rate, machine breakdown, marketing cost and market share)
If we take a closer look at Fig. 3.18, we can observe the following:
• The very pessimistic risk scenario 1 of the price risk has the highest impact on EBIT (may cause a plan deviation of −EUR 18,000).
• A moderately pessimistic risk scenario 2 of the same underlying price risk still has a major impact on EBIT (−EUR 8,000).
• All bars represent single risk scenarios which qualify as key risk scenarios, in this case five different scenarios independent of their respective probabilities.
Both types of presentation of top risks discussed so far already attract a great deal of management attention. The reason for this is the direct connection between risks and business objectives for which management is responsible. Both graphs clearly show the uncertainty attached to the company’s financial performance. As already mentioned, management is primarily interested in the achievement of objectives, not per se in the isolated management of risks.
Fig. 3.18 Quantified very pessimistic scenarios (bars for Price Risk Scenario 1, Quality Risk Scenario 1, Price Risk Scenario 2, Competitor Risk Scenario 1 and Marketing Risk Scenario 1 against the planned EBIT of EUR 10,000; y-axis from –8,000 to 8,000)
The third type of presentation is based on the result of a Monte Carlo simulation. Basically, the same input is used as in the two former graphs. In MC simulations, we can additionally correct for some known correlations between risk scenarios. As discussed in Sect. 3.4.2, however, these correlation adjustments are not the crucial part of risk quantification. In contrast to the depiction of sensitivities (tornado diagram) and individual key risk scenarios, the Monte Carlo simulation shows a distribution of all possible future risk-based EBITs. It resembles a probability-weighted, multi-scenario planning approach which considers all possible combinations of key risk scenarios simultaneously. Figure 3.19 shows the output of a simulation with all key risk scenarios.
The graph depicts all risk-based deviations from the planned EBIT of EUR 10,000. The y-axis represents the probability function. Of course, the probability of achieving exactly the planned value is close to zero because of the many other possible EBIT outcomes. The distribution is slightly left skewed. This is quite realistic because the downside risk (left part of the risk distribution) is often greater than the upside risk. Some risks have no upside potential at all, as we have learned. This is now also well reflected in this distribution. What can also be seen is that the distribution has some “tail risks”. In a few cases the EBIT can get as bad as −EUR 20,000. However, the probability of this scenario becoming reality is also very low.
In this illustration, the individual risk sources cannot be assessed directly. In order to determine the relative impact of individual key risk scenarios on the EBIT distribution, individual scenarios can be included in the first simulation run and excluded in a second simulation run. The delta between the two simulation runs shows the “risk contribution” of the respective risk scenarios to the overall risk exposure. In this sense, “sensitivity analyses” can be made based on the simulation model, which can serve as a basis for further decision-making processes.
Fig. 3.19 Example of multi-scenario planning (x-axis: impact on EBIT from –20,000 to 25,000 with the EBIT plan marked, downside risk to the left and upside risk to the right; y-axis: probability of occurrence)
These three presented types of diagrams are all superior to simple risk maps and are
all connected to managing objectives. Hopefully these types of diagrams will soon make
isolated risk maps no longer necessary in practice. The next paragraph outlines which
decisions can be supported by the ERM information produced so far.
3.4.11 Exploit the Full Decision-Making Potential of ERM
The claim at this point is that integrating ERM information into decision-making processes leads to better decisions at the time the decision is taken. One major goal of a modern ERM is to actively manage the current risk exposure by designing and implementing decision-making processes that are in line with the defined risk appetite statements. In practice, however, ERM programmes are too concerned with simply minimizing risk (regulatory risk approach, see Sect. 3.5.2) instead of linking it to decision-making processes. Outcomes of the ERM process such as the three types of diagrams discussed in the previous paragraph are beneficial in the development, selection and optimisation of larger investments and can support the achievement of business objectives by enabling better decisions. Basically, we can differentiate decisions which are primarily driven by value creation from decisions which are predominantly focused on risk mitigation:
• Taking into account the full range of quantified key risk scenarios (by means of MC simulation) can support risk-reward decisions and complement management’s informal judgement (i.e. it balances intuition with rationality). The CFO of a company is interested to know how the current (pre-decision) and future (post-decision) risk profile relates to the risk bearing capital, namely equity. So every risk-reward decision ultimately adds risk to the company which must be assessed from a risk bearing perspective: Which strategic option has the relatively best risk-reward profile from an equity-based perspective? A CFO who is well informed about current key risk scenarios, risk appetite statements and aggregated risk impacts on specific objectives can lead rational discussions about strategic options, risk appetite and risk-reward options with the management and the board of directors. In addition, if the risk manager is not part of corporate management, the CFO may become the most important representative for providing rational, risk-based input to larger investment decisions at management meetings. Thus, apart from the risk manager, the CFO may play a crucial role in integrating modern ERM into decision-making processes at top management level (see similar Liu and Pergler 2013, p. 5).
• Sound risk analysis can enhance business decisions by improving the comparability of different strategic options and their attached risk-reward profiles and thus create an ideal business portfolio. Quantified key risk scenarios enable a sort of “stress test” for non-financial companies by comparing different strategic decisions and their impact on risk exposures, such as entering new markets or investing aggressively in specific product lines.
• In analogy to the financial industry (value at risk), non-financial companies may carry out similar “company value at risk” calculations and compare them with a pre-defined risk appetite. For example, a risk-based simulation of the company value may conclude that, with a probability of more than 10%, the company value may be reduced by one third in the next year. If this risk exposure exceeds the risk appetite, management has to decide how to reduce current risk exposure in order to make shareholders more comfortable again.
• Another example of how risk appetite statements based on a more operational measure than “company value at risk”, such as EBITDA or EBIT, may support risky business decisions: a strategic option to enter a new market has a 15% probability that a very pessimistic risk scenario reduces expected EBIT over the next two years by two thirds. Depending on the set risk appetite, the strategic option could either be approved or rejected.
• More effective decisions can be made about risk mitigation options because of a more formalised assessment of mitigation measures, i.e. it allows companies to develop an effectiveness ranking by means of quantified cost-benefit considerations. The cost in this context refers to the implementation of a mitigation measure, the benefit is the reduced amount of risk exposure.
• If risk exposure exceeds risk appetite, mitigation options must be assessed and decided upon. Such mitigation options can reduce the probability of occurrence and/or the impact of a specific risk. The focus of risk mitigation should lie on risk prevention, i.e. risk mitigation measures which lower the probability of occurrence of a risk rather than reducing its impact (after the fact).
• A vast number of standard risk management textbooks discuss the different options of risk elimination, risk transfer, risk reduction and risk diversification. At this point, it is not the aim of this textbook to reproduce all these approaches to risk mitigation measures. Risk mitigation measures can reduce the current risk exposure to a level which does not exceed risk appetite, enable a better credit rating (rating strategy), and prevent a company from illiquidity and bankruptcy. Figure 3.20 shows an example of decisions which can be taken with risk mitigation as the primary goal. It depicts a few risk mitigation options which are preventive (left side of the graph) and corrective (right side) in nature. Usually, preventive risk measures are more efficient (lower costs, less risk impact) than corrective ones. The bow-tie method has already been introduced in Sect. 3.3.1 as an effective, easy-to-use tool to support scenario analysis and the visualised reporting of full information on risks and mitigation measures.
• Business planning (e.g. budgeting) can be supported by incorporating information provided by the risk management function, such as quantified scenarios regarding sales, costs, etc., and contrasting it with the company’s objectives. If it turns out that the probability of the current plan becoming reality is too low to meet management’s objectives, further strategic options may be taken. The consideration of key risk scenarios in the financial planning process can enable a more rational, more formal risk-based decision-making approach at management level which ultimately leads to a more balanced risk and return management and, in turn, creates value for the company. Because the integration of ERM into business planning serves as the most important precondition to improve decision quality, it is further detailed in the next paragraph and illustrated with an example.
Fig. 3.20 Risk mitigation measures in a bow-tie diagram (adapted from Protecht 2013). Labels in the diagram include causes such as rocks on street, broken headlight, sick driver, low visibility and driver fatigue; events such as obstacle overlooked and collision; impacts such as car passenger injury, taxi damage, reputation impact, media coverage, regulatory breach, reduced revenues, fines and compensation; preventive measures (car inspection, debris guards) on the left and corrective measures (insurance, airbags, communication) on the right
3.4.12 Align ERM with Business Planning
Unfortunately, very often in practice risk scenarios are discussed after business plans have been developed and approved. Thus, the sole role of risk management is risk minimization, similar to what we have called the “regulatory risk management approach” in this textbook. Accordingly, risk-reward decisions and strategic choices based on rational ERM input at the time decisions are taken are prevented. In many cases, planning processes do not adequately represent risks and opportunities and represent risks incompletely. Often, they underestimate the true risks and are positively biased. In addition, at the time of the planning, many companies solely rely on historical data that is slightly adjusted for future expectations (Schilling 2018, p. 30). A very important step is thus the alignment of ERM and business-planning processes. Relying on the business plan rather than on often too short-term, operational key figures enables a more future-oriented view on risks and opportunities. This is obviously not a challenge unique to ERM, but rather an organisational and cultural challenge which involves far more personnel than only the ERM team. A few of these challenges (not an exhaustive list) are presented as follows (see similar NC State Poole College of Management, p. 3):
• First of all, integrating ERM into planning processes means a change in the company
that must be initiated and supported by the management (tone at the top). This change
process equals a shift from a rather risk-centric risk management approach (e.g. with
risk maps) to a more business-centric risk thinking. All parties involved should be
informed and trained accordingly as to why risk-adjusted planning adds value for the
company (Schilling 2018, p. 34).
• The CFO does not want to share his or her financial planning, forecasts and budget information with the risk manager. This may be for political reasons or because the CFO believes that the risk manager cannot provide relevant information to improve the planning process. Specifically if the risk manager is hierarchically lower than the CFO, this information often does not flow. Obviously, CFOs must play an important role in integrating risk management into planning and the subsequent decision-making processes (Liu and Pergler 2013, p. 2).
• Management often believes that they already have a sound understanding of the internal and external uncertain environment. Management often has no reason to validate its assumptions through a separate risk assessment. Thus, it perceives no value added through the consideration of outcomes provided by the risk manager.
• If the company often has personnel changes in the area of business planning, the
underlying basic planning processes also may change again and again. This can lead
to frequent adjustments of how ERM can be integrated. For example, it may be the
case that before a change of personnel, the risk manager was involved in the planning
process by providing rational input to many assumptions underlying the planning.
This may fundamentally change with the appointment of the new staff. The planning
team now only considers its own information gained from other internal and external
sources and no longer considers the ERM team as part of the planning process.
If these challenges are successfully mastered, there are basically no more obstacles to integrating ERM into business planning. Usually, planning processes and the ERM process are initiated in separate organisational units or departments. The strategic planning process for example may begin with the CEO and the strategic planning team. The ERM process ideally opens with the challenging of management assumptions followed by interviewing management and board members (see Sect. 3.3.6 and 3.3.7). Very often, these two processes are carried out in parallel on an annual basis. In many cases, the two processes are completely separated from each other. There is no exchange of information between the risk manager and the planning team. The processes are often not synchronised and thus do not allow integration. In the following, a few hints on what to consider when aligning ERM and business planning are discussed.
• Time-based synchronization of the two processes is the very first step for successful integration. The planning teams depend on risk information before the plan is approved by management. Thus, all key risk scenarios that may have a significant impact on business objectives must be communicated to the planning team well ahead of the planning deadline(s).
• In larger companies, the planning process is often subdivided into several complex sub-processes. Often it is an interaction between top-down and bottom-up processes. From the group’s point of view, specifications and requirements commonly have to be coordinated with plans from the individual business units. From a business unit perspective, each business unit manager basically must receive both the corporate strategic objectives and the key risk scenarios which may have an impact on the business unit’s objectives. Ideally, each business unit takes this information into account in its own planning.
• Before the kick-off of the planning process, the risk manager should contact the planning team. The aim is to clarify how to ensure that the risk manager and the planning team discuss all planning assumptions and key risk scenarios in a structured manner at the right time. Planning assumptions are potential key risk scenarios and must be assessed accordingly by the risk manager. Conversely, it must be assessed whether key risks can cause deviations from the plan. The planning team and risk manager should thus always coordinate potential risk information.
• Relevant risk scenarios need to be assigned to individual line items of the planning. It
is essential to determine which risk scenario can affect which planning item to what
degree (e.g. revenues, costs, discount rate). It is important to be aware that certain key
risks can affect planning over several years.
• Of course, the integration of ERM into planning only works if all risks are quantified, as recommended in this textbook. Risks that are only assessed verbally or qualitatively with ratings and scales cannot be incorporated directly into planning. These risks are de facto assessed with zero impact (Gleißner 2014, p. 38).
• In order to fully exploit the benefits of integrating ERM into financial planning, it is advisable to integrate ERM into an internal company valuation based on a discounted cash flow (DCF) approach. Why is that the case? Basically, strategic risk scenarios that affect a certain planning variable (e.g. revenues) for several years can be taken into account. Budgets that are generally set for one year or less cannot fully reflect the long-term effects of strategic risks or any risk with a time horizon longer than one year. Secondly, only at the cash flow level is it possible to capture financially all impacts of any type of risk. In practice, the underlying key figure of ERM is often EBIT or a similar profit figure. The use of a key performance indicator such as EBIT is, of course, better than dispensing with it altogether and pursuing isolated risk management. However, EBIT, for example, cannot directly reflect interest and tax risk scenarios. These would have to be taken into account additionally, which often is not the case.
The following is a simplified example of how risk scenarios can be incorporated into corporate planning.
Example
GreatSki Ltd. is a company based in Switzerland which has manufactured and distributed skis and, as part of a diversification strategy, ski clothing and ski accessories for several years. GreatSki Ltd. has been valuing its company using a discounted cash flow method for several years. This valuation serves as a basis for decisions on new strategic options. Below is a simplified 4-year financial plan. From the fifth year onwards, a residual value is calculated (based on a perpetuity calculation without growth).
Table 3.4 depicts that the planned company value without incorporating ERM-relevant information is EUR 28,614 based on all expected and discounted future cash flows. The risk manager of GreatSki Ltd. discussed all possible risk scenarios and uncertain assumptions in a meeting with the controller. Ultimately, it was agreed which key risk scenarios affect which line item and thus could lead to unexpected deviations from the planned values. For the sake of simplicity, only four risk scenarios (3, 5, 7, 12) are included in Table 3.4, which may have an impact on revenues, costs and taxes. The next step is to quantify the four identified key risks. The risk manager uses the quantitative scenario technique and develops several quantified scenarios for each risk.
The assessment of two example risks is shown in the following two tables. Risk 3
represents “new competitor entering the market” whereas risk 12 is briefly described
as “unfavourable tax negotiations”.
Table 3.5 shows the quantification results of risk scenario 3. Only two scenarios
have been assessed, a pessimistic and an optimistic one. The risk manager attached to
each risk scenario a probability of occurrence of 10%. The probability that this plan
will unfold as planned is thus the residual value of 100% – 10% – 10% = 80%. It is
further expected that the impact of that risk occurring lasts for two years (2020 and
2021).
Table 3.6 shows the second quantified risk scenario 12. Compared to the former
one, the tax risk does not comprise an “upside scenario”. It is assumed (or expected)
that this risk will not occur (75% probability). Thus, only a pessimistic scenario exists
for the tax risk.
With this information, the expected company value can now be reassessed taking into account these risk scenarios. On the one hand, the isolated impact of each single individual key risk scenario on the planned values can be considered. On the other hand, it is possible to simulate all possible combinations of risks and their simultaneous impacts on the planned value using a Monte Carlo simulation. Figure 3.21 shows the result of the simulation run which included all key risk scenarios 3, 5, 7 and 12 incorporated in the financial plan.
Table 3.4 Financial plan of GreatSki AG
EUR thousand | Risk scenarios | 2019 | 2020 | 2021 | 2022 | 2023 | 2024 and thereafter
Revenues | 3, 5, 7 | | 4,150 | 2,450 | 3,000 | 2,700 | 2,475
− Costs | 3, 7 | | 600 | 400 | 450 | 450 | 425
= EBITDA | | | 3,550 | 2,050 | 2,550 | 2,250 | 2,050
− Amortisation | | | 75 | 75 | 75 | 75 | 75
= EBIT | | | 3,475 | 1,975 | 2,475 | 2,175 | 1,975
− Tax | 12 | | 50 | 50 | 50 | 50 | 50
= NOPAT | | | 3,425 | 1,925 | 2,425 | 2,125 | 1,925
+ Amortisation | | | 75 | 75 | 75 | 75 | 75
= FCF Entity | | | 3,500 | 2,000 | 2,500 | 2,200 | 2,000
WACC (weighted average cost of capital) | | | 7.5% | 7.5% | 7.5% | 7.5% | 7.5%
Net present value FCFs 2020–2023 | | | 3,256 | 1,731 | 2,012 | 1,647 | 19,968
Residual value | | | – | – | – | – | 19,968
Company value | | 28,614 | – | – | – | – | –
Table 3.5 Quantified risk scenario 3 “new competitor”
Scenario 3 (EUR thousand) | Probability (in %) | ΔRevenues 2020 | ΔCosts 2020 | ΔRevenues 2021 | ΔCosts 2021
Pessimistic scenario | 10% | −1,000 | −200 | −750 | −200
Plan (no risk) | 80% | | | |
Optimistic scenario | 10% | +200 | 0 | +500 | 0
Table 3.6 Quantified risk scenario 12 “unfavourable tax negotiations”
Scenario 12 (EUR thousand) | Probability (in %) | ΔTax 2020 | ΔTax 2021 | ΔTax 2022 | ΔTax 2023
Pessimistic scenario | 25% | −1,400 | −200 | −400 | −500
Plan (no risk) | 75% | | | |
Optimistic scenario | 0% | | | |
Fig. 3.21 Simulated company value GreatSki Ltd. (x-axis: company value from 13,000 to 38,000 with the plan value 28,614 marked; a 20% loss of company value, i.e. a value below 22,891, occurs with a probability of 12%)
The risk appetite defined by the board of directors is a maximum of 10% probability of losing more than 20% of company value. The planned company value amounts to EUR 28,614 (see above). The output of the simulation shows that the probability of losing more than 20% of the company value next year (corresponding to a value of 22,891) is 12%. This corresponds to the current risk exposure. The absolute deviation thus is EUR 5,723. However, the risk appetite of GreatSki Ltd. is set at a maximum of 10%. The risk exposure (current situation) is thus higher than the risk appetite (target). Management would now have to decide about measures to reduce the risk exposure accordingly.
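The two-run “risk contribution” sensitivity described above, the “company value at risk” comparison against a risk appetite and the GreatSki Ltd. re-valuation can all be carried out on the figures in Tables 3.4 to 3.6. The following Python script is an added example, not the book’s own model or a simulation tool it uses; it assumes that every delta in Tables 3.5 and 3.6 is an impact on free cash flow in EUR thousand, that the scenarios are independent, and it includes only scenarios 3 and 12 because scenarios 5 and 7 are not quantified on the page.

```python
# Added example (not from the book): DCF re-valuation of the GreatSki Ltd. plan
# (Table 3.4) under risk scenarios 3 (Table 3.5) and 12 (Table 3.6), by exact
# enumeration and by Monte Carlo simulation, plus the two-run risk contribution.
import itertools
import random

WACC = 0.075
# Planned free cash flow (EUR thousand) 2020-2023 plus the 2024+ level that feeds the
# no-growth perpetuity residual value (FCF Entity row of Table 3.4).
PLAN_FCF = [3500, 2000, 2500, 2200, 2000]

# A scenario is a list of (probability, FCF deltas for 2020..2023). Assumption: the
# table deltas are impacts on FCF in EUR thousand, so pessimistic values are negative.
SCENARIO_3 = [                                 # "new competitor", Table 3.5
    (0.10, [-1000 - 200, -750 - 200, 0, 0]),   # pessimistic: revenue and cost impact
    (0.80, [0, 0, 0, 0]),                      # plan, no risk
    (0.10, [200, 500, 0, 0]),                  # optimistic: revenue upside only
]
SCENARIO_12 = [                                # "unfavourable tax negotiations", Table 3.6
    (0.25, [-1400, -200, -400, -500]),         # pessimistic, lasts four years
    (0.75, [0, 0, 0, 0]),                      # plan; no upside scenario exists
]


def company_value(fcf, wacc=WACC):
    """DCF entity value as in Table 3.4: PV of the 2020-2023 FCFs plus a no-growth
    perpetuity on the 2024+ FCF, discounted from the end of 2023."""
    pv = sum(cf / (1 + wacc) ** t for t, cf in enumerate(fcf[:4], start=1))
    residual = (fcf[4] / wacc) / (1 + wacc) ** 4
    return pv + residual


def apply_deltas(fcf, deltas):
    """Return a copy of the FCF plan with a scenario's yearly deltas added."""
    adjusted = list(fcf)
    for year, delta in enumerate(deltas):
        adjusted[year] += delta
    return adjusted


def exact_distribution(scenarios):
    """Enumerate every combination of scenario outcomes (independence assumed)
    and return a list of (probability, company value) pairs."""
    outcomes = []
    for combo in itertools.product(*scenarios):
        prob, fcf = 1.0, list(PLAN_FCF)
        for p, deltas in combo:
            prob *= p
            fcf = apply_deltas(fcf, deltas)
        outcomes.append((prob, company_value(fcf)))
    return outcomes


def simulate(scenarios, runs=50_000, seed=1):
    """Monte Carlo counterpart of exact_distribution: each run draws one outcome per
    scenario; returns (1/runs, company value) pairs so both share one interface."""
    rng = random.Random(seed)
    values = []
    for _ in range(runs):
        fcf = list(PLAN_FCF)
        for scenario in scenarios:
            draw, cumulative = rng.random(), 0.0
            for p, deltas in scenario:
                cumulative += p
                if draw < cumulative:
                    fcf = apply_deltas(fcf, deltas)
                    break
        values.append((1.0 / runs, company_value(fcf)))
    return values


def prob_loss_exceeds(outcomes, plan_value, loss_share):
    """Probability that company value ends more than loss_share below plan: the
    'company value at risk' figure that is compared with the risk appetite."""
    threshold = plan_value * (1 - loss_share)
    return sum(w for w, v in outcomes if v < threshold)


def risk_contribution(scenarios, index, plan_value, loss_share):
    """Two-run sensitivity: loss probability with all scenarios minus the loss
    probability when scenario `index` is left out of the run."""
    with_all = prob_loss_exceeds(exact_distribution(scenarios), plan_value, loss_share)
    rest = scenarios[:index] + scenarios[index + 1:]
    without = prob_loss_exceeds(exact_distribution(rest), plan_value, loss_share)
    return with_all - without


if __name__ == "__main__":
    scenarios = [SCENARIO_3, SCENARIO_12]
    plan = company_value(PLAN_FCF)
    print(f"planned company value: {plan:,.0f}")      # about 28,615 (book: 28,614)
    exact = exact_distribution(scenarios)
    mc = simulate(scenarios)
    for share in (0.10, 0.20):
        print(f"P(loss > {share:.0%}) exact {prob_loss_exceeds(exact, plan, share):.3f}"
              f" / simulated {prob_loss_exceeds(mc, plan, share):.3f}")
    print("contribution of scenario 12 to P(loss > 10%):",
          f"{risk_contribution(scenarios, 1, plan, 0.10):.3f}")
```

With only scenarios 3 and 12 the 20% loss threshold (22,891) is never reached, so the 12% quoted in the text must be driven by scenarios 5 and 7; the exact enumeration also lets you check how closely the Monte Carlo estimate converges.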
Ultimately, integration of ERM into business planning only provides value if decisions
are actually based on it or are at least supported by the information gained through that
alignment.
3.4.13 Replace Standard Risk Reporting
Normally, many books on risk management include standard risk reporting as an independent chapter at the end of the risk management process. It is often defined as a relatively independent process step that ultimately produces several specific risk reports for business units, top management, internal audit and the board. Commonly, risk management standards and policies promote that both the managers and many other stakeholders must be informed about possible risk sources, risk events and potential impacts. Information and communication on risks must be clear, timely and accurate. As not all recipients of risk reports require the same risk information, risk reports shall be created for different hierarchical levels (Erben 2015, p. 163).
Risk reporting is often considered the most important deliverable of the risk manager’s work. But what do we mean by a standard risk report, and why is risk reporting included in this chapter on decision-making? Let us first have a look at the following example of a very traditional risk reporting approach.
Example
The risk report of CleverRisk Ltd. for the board of directors contains all risks that the risk committee defined as key risks. The report comprises about 80 pages, as it describes around 180 key risks in detail. All risks are assessed according to their financial impact on EBIT and probability of occurrence and are described in various scenarios. The risk report also contains planned and already implemented risk mitigation measures and their corresponding degree of effectiveness. A risk owner is assigned to each risk. Trends for each risk (increasing, stable, decreasing risk) are also included in the risk report.
The report enables the board of directors to fulfil its legal obligation to manage risk. In particular, the board may
• review the implementation of risk management,
• discuss the most important risks of CleverRisk Ltd.,
• decide on the implementation of risk mitigation measures and delegate their implementation to the executive committee and
• compare risk appetite statements with current risk exposures.
The risk report is prepared once a year and must be approved by the board. Only the
management receives an update of the top risks during the year, i.e. on a quarterly
basis.
The agenda of today’s board meeting includes, among other items, decisions on new production sites and the development of a new product line. The last item on the agenda will be the risk report, which will allow 20 min of discussion time. The discussion about the new production sites is taking longer than planned. However, since it is absolutely necessary to cope with all the items on the agenda, the time required to discuss the risk report is reduced to 10 min. The risk manager was invited to the meeting specifically for the last item on the agenda and is already eagerly awaiting his appearance in front of the meeting room. Meanwhile, the most important strategic decisions have been made and the risk manager sits down at the meeting table.
All board members bend over the comprehensive risk report before the chairman asks the risk manager: “Has anything changed since the last report? Have new top risks been added?” The risk manager replies: “We added the data loss risk. This was not previously rated as a top risk”. A few minutes are spent discussing whether the proposed risk mitigation measures are sufficient for this risk. Then the chairman of the board asks: “If everyone agrees with the risk report, can we approve it in this way?” The risk report was approved within the shortened 10 min discussion period. One member of the board suggested that it was not ideal for some risk owners not to have the authority to decide on risk mitigation measures. The risk manager is tasked to check this problem within the next three months and provide a brief update. The meeting is thus closed and the risk manager is gratefully acknowledged for the comprehensive risk report.
This example is, of course, an extreme case, but not so rare in practice. It shows what we mean by standard risk reporting: providing an isolated risk report on a yearly basis, which basically is irrelevant for decision-making processes. The example clearly shows that relevant decisions were made without taking the risk report into account. Since the report is only made available to the board of directors once a year and to management twice a year, no risk-relevant information flows into any other meetings at all. Although the board of directors is required to understand a company’s risk exposure and corresponding risk mitigations, board members often decide predominantly on intuitive knowledge without taking into account the more rational information created by a sound ERM programme.
Standard risk reporting on single risks (often visualised by means of risk maps) often lacks a comprehensive view on company-wide risks. Even if the board recognises the risk report as an important decision-making resource, the often missing view on aggregated risks on specific objectives makes it difficult to assess the total risk exposure a company faces. Even if the board perceives all risks connected to the decision on the new product line as acceptable, it may be the case that other product lines require more risk taking to compensate for some cannibalization effects of the new line. Actually, the board considers only a very small slice of the risk pie and ignores the risks attached to other areas of the company. Maybe the new risks associated with the positive decision on the new product line would become relevant from a portfolio view on all risks (see a similar example in Levine 2015, p. 12). The message here is that very often, only the risks connected to a specific decision are taken into account, ignoring the shift of the overall risk exposure.
In many companies, traditional, independent risk reporting is common practice in risk management today. Usually the board of directors or management specifically require a standalone risk report on a regular basis. In some cases, there are specific legal requirements to prepare such isolated risk reports. Of course, these requirements must be met. However, instead of creating isolated risk reports that in most cases are treated independently from relevant decision-making processes, risk managers should aim at integrating relevant risk information into management and board reporting and presentations.
Why is this the case? Let us recall what management reports are made for. Ultimately,
top management reports are designed to support decision-making processes and strat-
egy execution by providing transparent information on current business conditions and
potential uncertainties regarding future developments (Deloitte 2016, p. 2). These reports
include financial, marketing or operational information that is reported to internal man-
agement to be used as a basis for decision-making within the company. Management
reports are usually prepared monthly or even more often. Management reports are voluntary reports, so they can be created freely according to the needs of each company and do not have to meet any formal principles or regulatory requirements.
For example, management reports typically include items such as product-line profit
and loss statements, management dashboards including key performance indicators
(KPI) and early warning indicators, profitability reports, budget variance reports, infor-
mation about strategic initiatives and strategic projects, profit and cost centre reports and
many more. Ideally, management reports may provide answers to questions such as why
significant deviations from plans occurred, what is going to happen in the future or what
kind of measures, actions or controls can be implemented to increase the probability that
certain objectives will be achieved. All these questions can be answered partially or com-
pletely by risk-relevant information. When management reports are relevant to decision-making, these decisions relate to measures and actions that lie in the future and are thus uncertain (risky).
3.4 Assess Key Risk Scenarios
144 3 Creating Value Through ERM Process
The same is true for management reports as for risk reports: to be relevant for decision-
making purposes, the reports must be provided to decision-makers at the time the deci-
sion is taken and must contain relevant information to ideally support decision-making
processes. For example, one finding of a recent European survey conducted by Deloitte (2016) across different industries is that there is a basic need for more business information in management reports. Often, management reporting is too heavily focused on past financial information. However, decisions relate to future developments and trends and thus require more future-oriented, business-related information beyond financials. Specifically, management is increasingly interested in information about the relevant sources (business drivers) which affect financial results (Deloitte 2016, p. 3).
Although the term “risk management” does not appear explicitly in the survey by Deloitte, it is obvious that, for example, the business drivers can be subjected to a risk analysis (risk-oriented assumption analysis). The individual business drivers could thus be supplemented with a more rational, quantified scenario analysis provided by risk management. The additional future-oriented information required in management reports could be enriched with decision-relevant strategic risk scenarios. Additionally, KPI could be supplemented with key risk indicators (KRI), which may serve as risk-based early warning indicators. To make a long story short: we strongly believe that it is a good idea to integrate risk management information into management reports where useful, so that an isolated risk report is no longer necessary.
Apart from management reports, it is crucial to provide complete and accurate risk
management information at board level where essential decisions are steered. As pre-
viously discussed, very often decisions of the board are taken independently from risk
reporting. To change this, the board of directors should consider risk scenarios at the
time of decision-making. To do so, one suggestion is to provide the risk management function with the relevant board presentations prior to the meeting. This enables the risk manager to include one or two slides on risks and opportunities for all upcoming decisions. Again, the aim is to balance intuition with more rational risk information. This is a straightforward example of how ERM information can enhance decision quality immediately. More generally, a company may consider including in a policy that information from risk management on risk appetites and risk exposures must be taken into account in all relevant decisions and objective-setting processes. Subsequently, internal reporting templates could be adapted accordingly. The following example illustrates a concrete procedure for integrating risk information into decision-making (see similar Sidorenko and Demidenko 2017, pp. 23, 81).
Example
The controller at GreatSki Ltd. has decided to advance ERM to a decision-making
tool. She is pondering how the risk management of GreatSki can be better integrated
into decision-making processes. After having read a modern textbook on ERM, she
is aware that risk management should never be treated as a stand-alone process. An
effective way to foster a positive risk culture is to integrate accurate and consistent
risk assessments into various decision-making processes at GreatSki Ltd.
She suggested the following procedure for starting the process of integrating risk information into decision-making (adapted from Sidorenko and Demidenko 2017, pp. 23, 81):
• She offered to review all important business decisions of the last few years to assess whether rational information on decision-relevant risks and opportunities had been collected, analysed and used as a basis for these decisions. Surprisingly, no information had flowed from risk management into any of these decisions. On the basis of a number of past decisions, she was able to show that the decision quality would have been higher if corresponding risk scenarios had been incorporated into the decisions at that time.
• After discussing these important findings with the management, it was decided which types of business decisions (e.g. financing, strategic, operational) regularly made by management could benefit most from an additional rational risk analysis (balancing intuition with rationality).
• As a quick win, it was decided that key risk scenarios are no longer reported as a separate agenda item at the end of the meetings. The reason is that these key risk scenarios had not been considered in any type of decision.
• Despite some initial scepticism, the board of directors decided that risk analyses can be directly included in all board presentations. The controller developed concrete suggestions on how risk-relevant information can be made available to decision-makers at board level at the right time, i.e. before decisions are made: in order to support this process, she proposed some changes to the current MS PowerPoint templates which have been used to date for the discussion of decisions. The inclusion of a simple section in such templates entitled “risks related to the proposed decisions and possible actions” can help to raise risk awareness, increase the need for timely risk analysis and enhance the “risk attitude” of decision-makers.
3.4.14 Disclose Risks Appropriately
One major challenge of the ongoing risk debate is the adequate disclosure of risk information by companies to their external stakeholders (Linsley and Shrives 2006). Many negative events in the last two decades, such as the 9/11 attacks, the global financial crisis, fraud scandals and the bankruptcies of a few large companies such as the famous grounding of Swissair, have led to increased interest in ERM in general and risk disclosures specifically. The causes of such negative events, which received broad media coverage, include among others immature ERM programmes and deficiencies in adequate risk disclosures (OECD 2014; Soliman and Adam 2017). These developments have forced regulatory bodies to reassess their existing corporate governance recommendations and guidelines and to adapt them in order to better protect shareholders, lenders and investors (Soliman and Adam 2017). Switzerland, for example, started an initiative at the beginning of the year 2000 to enhance transparency in the business sector by issuing the Swiss Code of Best Practice for Corporate Governance (OECD 2014).
Basically, we can differentiate between mandatory and voluntary risk disclosures. Mandatory risk disclosure forces companies by law to publicly discuss, among other items, specific information on the risk management process and specific risks which may significantly affect the company’s performance. These mandatory disclosures are country-specific, i.e. they depend on the legal requirements of the country where a company is located. Such mandatory risk disclosures in annual reports or in SEC filings (USA) encourage companies to invest in their ERM programme (Tian and Chen 2009). In contrast, voluntary risk disclosures may be used as a business communication strategy, i.e. to signal the maintenance of adequate risk management processes in order to positively influence external decision-makers. Ultimately, risk disclosures are intended to create a positive relationship of trust and transparency between external stakeholders and the company, which in turn may lead to an increase in shareholder value (Deloitte 2012).
However, such risk disclosures are the subject of critical discussion. For example, many listed companies which are required to disclose risks are rather wary or even reluctant to share true and relevant risk information in any more detail (e.g. quantitative scenarios of strategic risks) than required by law. The reason is quite simple: companies are not willing to be perceived as riskier than any competitor in the same industry. This could expose a company to the risk of losing company value (a drop in share price). Why is this the case? Being a first mover in the sense of disclosing “true and relevant” risk information is considered a relative disadvantage compared to all other companies disclosing rather vague risk information.
Recent research supports the hypothesis that much of the information on risk that is disclosed in company annual reports is boilerplate in nature and not particularly useful. Further, there appears to be little interest among professional users of this information due to concerns about the quality and usefulness of this type of disclosure (OECD 2014): “where disclosure is non-specific, (…) or merely describes a risk management policy, its use is limited” (Abraham and Shrives 2014, pp. 91–92). Thus, most companies only disclose risk information at a highly aggregated level that is not relevant for any decision-maker. In addition, most mandatorily disclosed risk information is at best only industry-specific and very rarely company-specific.
These symbolic, rather boilerplate disclosures (Day and Woodward 2004) will be of very limited use to readers, and external stakeholders may find it difficult to obtain more information about the companies in order to assess the risk exposures faced, assess the overall risk profile and understand the risk appetite. In the long run, such disclosures will be ignored as they are seen as irrelevant. Company-specific information is much more likely to differ from year to year than very general information that might apply to every year. This suggests that management needs to reassess all risk disclosures regularly to decide which disclosures are still relevant and which need to be updated or deleted. Very often, management prefers routine general disclosures that are persistent over time to ongoing change and reassessment. Another reason for limited interest in disclosing company-specific risk information is that managers are not convinced that risk disclosures actually lead to improvements in their own ERM programme. While this behaviour is understandable in practice, such disclosures are of limited practical use (Abraham and Shrives 2014; Kunz 2015, p. 13). Thus, many risk professionals, analysts and investors believe that there is not much value for decision-makers in considering these risk disclosures thoroughly (see similar Rees 2015, p. 10).
Research on that topic is ambivalent, too. For example, Linsley and Shrives (2006) argue that companies with higher levels of risk will disclose more risk information as management is forced to explain the causes of the higher risk exposures. On the other hand, companies having higher risk “may not want to draw attention to their ‘riskiness’ and, conversely, therefore may be reluctant to voluntarily disclose significant amounts of risk information” (Linsley and Shrives 2006, p. 391). From this, an investor or lender cannot conclude with certainty whether a company is actually riskier if it discloses more about its risks than another one disclosing less.
Theoretically, risk disclosures are of course very important and should support decision-makers with transparent information about the maturity level of the ERM programme as well as with company-specific risks and opportunities related to strategy and operations. Correspondingly, many stakeholders indeed expect companies to discuss the most relevant business risks thoroughly. From a signalling theory perspective, it may be meaningful to include statements in the annual report about the overall high commitment to risk-oriented strategy development and execution as well as about how ERM is incorporated in major investments and decisions. Signalling theory has been used by many researchers to explain the motivation of companies to disclose risks voluntarily. For example, Elzahar and Hussainey (2012) suggest that companies in the same industry sector are more likely to adopt the same level of disclosure. The reason is that if a company discloses less risk information than others within the same industry, it may be interpreted as a signal of hiding bad news. This again can lead to a loss in shareholder value. However, again, it has still not been empirically validated whether such risk disclosures have primarily a positive, a negative or a neutral effect on company value or any performance measures. In addition, it is not yet clear what role such disclosures actually play in the decision-making process of investors, lenders and shareholders.
Companies usually disclose their risk information in a separate section of the annual report. At this point, we can refer back to the discussion of internal risk reporting. One major requirement of sound internal risk reporting has been the integration of risk-relevant information in management reports or board presentations to provide risk information at the time the decision is taken. Analogous to internal risk reporting, we can draw similar conclusions for external risk reporting. It is probably most appropriate to allocate risk disclosures according to the various topics in the annual report. For example, strategic risk scenarios can be added to the discussion of strategic objectives. Financial risk scenarios can be assigned to the financial reporting. Thus, the aim should be not to present risks in a separate chapter in the annual report, but to include them where they have a corresponding reference to specific topics (see similar Sidorenko and Demidenko 2017, p. 79). The following example illustrates two companies which disclose risks in a separate risk management section, independent from the corresponding management topics. These two examples were chosen randomly and represent the current structure of Swiss annual reports.
Example
Looking at a recent annual report of Swisscom AG (Swisscom is a major telecommu-
nications provider in Switzerland, headquartered in Worblaufen near Bern), the reader
can find the following disclosures on risks related to the telecommunication market on
page 53:
Increasing competition driven by national infrastructure providers and service providers
who do not have their own telecoms infrastructure is exerting transformation pressure on the
business. During this transformation, the complexity resulting from the parallel operation
of old and new technologies has to be reduced to enable new, attractive services. Here there
is a risk that the revenue from the classic telecoms business will not be secured sustain-
ably during the transformation process, while at the same time technical complexity remains
undiminished. Moreover, a trend can currently be observed towards national and interna-
tional cooperation among telecommunications providers, the purpose of which is to provide
low-cost services internationally and exploit major synergies and economies of scale. There
is a risk that Swisscom will not be able to align its cost structures with its current and future
competitors, which would narrow the scope for investment, innovation and price reductions.
If such risks materialise, this could delay implementation of the strategy or have a detrimen-
tal effect on customer satisfaction. Swisscom has initiated measures in various areas to man-
age these risks (Swisscom 2017, p. 53).
This risk factor, as it is called in the annual report, is part of the last (!) paragraph
“risks” of the chapter “management commentary”. However, the very first paragraph
of that chapter deals with “strategy and environment” starting on page 16. So basi-
cally, as the risks associated with the telecommunication market are highly relevant
for achieving the strategic objectives of Swisscom, it might be a good idea to incorpo-
rate risk information into the strategy discussions.
Another example is Sika, a specialty chemicals company supplying the building and motor vehicle industries, headquartered in Baar, Switzerland, which disclosed the following information on its “customer and market” risks:
Sika has a policy of strategic diversification to limit market and customer-related risks.
Geographical diversification is tremendously important in the locally based construction
industry given the sometimes contrary business trends witnessed in this sector in different
regions of the world. Customer diversification—with no single customer accounting for
more than 2.0% of Sika’s turnover—is another stabilizing factor. As a further safeguard
against economic fluctuations, Sika operates both in the new-build sector and in the less
cyclical renovation and maintenance market (Sika 2017, p. 34).
As Sika states, its risk management is geared towards integration into strategic decision-making processes. However, the same applies here as in the Swisscom example: the risk disclosures (pp. 33–35) are completely separated from the information on strategy and the business environment (pp. 14–16).
A recent study conducted in Switzerland on how and what Swiss companies disclose about risks in their annual reports revealed that most of the companies are very positive about their business risks and their performance, and one rather gets the impression that annual reports underestimate true downside business risks or are biased towards good risks. This is supported by the fact that two thirds of the total amount of risk disclosures collected in 2014 are “good risks” (opportunities), while downside risks are barely mentioned. Maybe these risk disclosures rather act as a marketing tool, convincing the potential investor of the many future upside potentials. What all risk reports have in common is stating that risk management exists and is of high importance. Usually, there is also a statement that the board of directors is ultimately responsible for risk management and how frequently the (regulatory) risk management process is performed (Kunz 2015, p. 46).
In summary, it can be said that the current practice of risk disclosures in many coun-
tries offers only very limited added value. As long as no company-specific, quantified
risk scenarios are published and no information is provided on how they are considered
in decisions, no support can be created for external decision-makers. Policy makers need
to think about how they will deal with external risk disclosures in the future. An integra-
tion of risk-relevant information into the strategy discussion of annual reports would be a
first step in the right direction.
3.5 Assess and Improve ERM Quality
Once ERM has been implemented, it must be continuously improved. This means that it
needs to be subjected to effectiveness tests. It is important to find out whether ERM has
performed as intended, i.e. if it supported the creation of a balance between rationality
and intuition in decision-making processes. Many companies are not able to answer the
question whether their ERM is effective and how it can be assessed. Specific “performance indicators” for ERM programmes are largely lacking. The following paragraphs present some approaches to how companies can assess ERM effectiveness and point out which of these are less meaningful in practice.
3.5.1 Test ERM Effectiveness Appropriately
Although the first test presented here is widely used, it is not sufficient to test ERM effectiveness (Gleißner 2018, pp. 18–19). It is a formal test and is similar to an audit-like procedure. Basically, the test is about checking whether formal ERM requirements are met. This requires a review of all available documents and policies related to ERM. Following our approach to ERM presented in this textbook, we can collect information on how risks are being identified, assessed, aggregated, and linked to objectives and to decision-making processes. Further, we might check how risk information is incorporated in existing reporting structures. In addition, we can have a look at documents containing risk appetite statements and at how ERM is organised, i.e. what roles and responsibilities have been defined. If separate risk reports exist, we can check whether these reports are updated regularly and provided in a timely manner to the different decision-makers.
All these documents can be assessed according to the following criteria:
• Up-to-date
• Completeness
• Responsibility for creating and maintaining these documents
• Clear definition of the recipients of the documents (reporting)
Of course, this formal check of the documents does not yet tell us anything about
whether ERM is actually used for decision-making and what the quality of the ERM pro-
cess results looks like. The second test focuses more on the quality of the information
provided by the ERM process. As we have learned, results from the ERM process should
be available at the time decisions are taken. This test is based on challenging whether the
ERM requirements of the different stakeholders have been met. First and foremost, man-
agement and the board must assess whether
• relevant risk categories are covered (no exclusive focus on financial risk)
• risks are comprehensibly assessed (by means of quantitative scenario analysis, not
stochastic black box models)
• risks are graphically prepared in such a way that they can be used for decision-mak-
ing (no risk maps)
• opportunities and risks have been assessed, not only the downside risk
• individual risk exposures are compared with the defined risk appetite statements
• key risk scenarios are communicated in a comprehensible way and their impacts are
linked to relevant key figures (company value, EBIT, cash flow, etc.)
A third approach to test ERM effectiveness is particularly well suited to assessing
whether ERM is achieving its ultimate goals. The two previous approaches can comple-
ment this test by contributing to a more comprehensive assessment. The following test is
relatively simple and asks whether all relevant decisions (investments, financing, strate-
gic options, risk mitigation measures) were supported by ERM information in the past
(e.g. last fiscal year). For this purpose, past decision-making processes should be recon-
structed. Basically, it is desirable that intuitive analyses of the management are well bal-
anced with the quantitative risk analyses of the risk manager in all relevant decisions.
The point here is not to assess whether the risk manager or the management was “right” in a past decision (cf. Sect. 3.5.1). Rather, what matters is whether the discussion on “rationality versus intuition” took place at the time of the decisions. It is clear that the proportion of such “balanced” decisions in relation to all decisions within a company may indicate the relevance of ERM. If the test result reveals that ERM information is not relevant for most of the decisions, or that such quantitative risk information is usually overridden by management, this indicates very low ERM effectiveness.
A last suggestion to test ERM effectiveness relates to the analysis of target deviations
and their causes (see similar Gleißner 2018, p. 19). Based on this test, a statement can be
made as to whether ERM can actually provide relevant information about uncertainties
affecting business objectives. All past target deviations for a specific period, for exam-
ple for the last fiscal year, are collected and analysed. For all identified deviations (e.g.
strategic deviation regarding market shares, operational deviation regarding production
costs) the corresponding causes should be identified. The first purpose of this test is thus
to understand which causes contributed to the missed targets. If all (or at least most)
causes are known, it must be analysed whether these causes have been identified as risks
in the risk identification process or not. The more deviations can be explained by risks
identified at that time, the more effective the ERM is. Let us illustrate that effectiveness
test with the following concrete example.
Example
The world’s leading supplier of high-quality chocolate and cocoa products, Barry
Callebaut, is exposed to a variety of risks and uncertainties. An excerpt of the key risk
list (the full list consists of 12 key risks) according to the publicly available risk dis-
closures in the annual report 2017/2018 is provided in Table 3.7.
So what could an ERM effectiveness test look like? Barry Callebaut recently announced
an important innovation in the chocolate industry: In addition to milk chocolate, dark
chocolate and white chocolate, a fourth variety, named “ruby”, has been created. The
launch of an innovative product is always associated with risks and opportunities.
One particular risk related to that newly introduced product occurred in 2017. Barry
Callebaut’s creation “ruby” did not fit the US Food and Drug Administration (FDA)
definition of what is allowed to be sold under the label “chocolate”. At that time,
Barry Callebaut was not allowed to sell its invention as “chocolate” in the United
States of America.
Obviously, this is a risk which falls into the regulatory risk category. Referring to the effectiveness test, the relevant question at this point is: has this risk been identified and included in any type of risk assessment by risk management? Or is this risk occurrence a deviation from plan not previously recognised and assessed by the ERM team? If we have a look at the key risk list, it is obvious that legal, regulatory and compliance risks have been identified and assessed as key risks (see the last key risk in Table 3.7). Insofar as we can judge from an external point of view, we can assume that this kind of risk (regulatory hurdles) has been incorporated in the ERM process. The same procedure applies to any risk that occurred in that fiscal year. If Barry Callebaut can match each deviation from budget with corresponding risks, the ERM process is highly effective (even if the outcome was a bad one).
Table 3.7 Excerpt of key risk list of Barry Callebaut 2017/2018. (Barry Callebaut 2018, pp. 12–13)

Key risk: Long-term sustainable supply of cocoa
Risk description: (…). Risk factors such as declining productivity attributable to aging trees, aging farmers and little interest from the next generation in becoming farmers, the conversion of cocoa bean fields to other, more attractive crops, and also the long-term impacts of climate change could lead to a shortfall in high-quality cocoa beans in the mid- to long-term
Risk mitigation: Under the umbrella of its overall sustainability strategy Forever Chocolate, the Group aims to improve the productivity and livelihood of farmers. Long-term measures also include the continuous evaluation and diversification of supply sources in origin countries, developing improved agricultural practices for cocoa farms and maintaining an industry dialogue with key stakeholders in origin countries

Key risk: Rapidly shifting consumer trends
Risk description: Rapidly shifting consumer trends may disrupt market and industry dynamics that could impact the future growth of the Group’s business
Risk mitigation: Trend analysis by the Group’s marketing and customer insight teams, together with cross functional commercial teams working closely with customers, aim to identify trends early in the marketplace, both positive and negative. The Group constantly invests in R&D as part of a well-structured process, enabling the Group to develop products which proactively address new trends and changing demand patterns

Key risk: Business transformation
Risk description: (…). Ineffective project portfolio management and implementation, insufficient due diligence, inaccurate business plan assumptions or inadequate post-merger integration processes can all have negative consequences. Failure to invest in technology that is no longer competitive or becomes obsolete may further impact the successful execution of business transformation. These factors can result in an underperforming base business, reduced synergies, or higher costs than expected
Risk mitigation: All major business transformation projects are prioritised and monitored by the Group’s Executive Committee and Strategy Team. The Group deploys dedicated teams with significant experience and capability for their respective business transformation projects. These teams proactively follow market, technology and other trends and work in close collaboration with functional and regional experts, external advisors, and the Group’s Executive Committee. (…)

Key risk: Legal, regulatory and compliance
Risk description: The Group is subject to both international and national laws, regulations and standards in such diverse areas as product safety, product labelling, environment, health and safety, intellectual property rights, antitrust, anti-bribery, employment, trade sanctions, data privacy, corporate transactions and taxes in all the countries in which it operates, as well as stock exchange listing and disclosure regulations in a constantly changing regulatory environment. (…)
Risk mitigation: Dedicated regional and local functional managers, supported by specialised corporate functions and external advisors, ensure compliance with applicable laws and regulations. The Group has robust policies and procedures in place in the relevant areas. The Group’s Legal Department oversees the Group’s compliance programme, which ensures awareness of the compliance risks and the Group’s compliance standards. The Code of Conduct and other Group policies set out the legal and ethical standards of behaviour expected from all employees working within the Group

In addition, reviewing the effectiveness of ERM programmes gives management an opportunity to adjust its risk appetite statements and subsequently to decide about further risk mitigation measures. One major objective of a sound ERM programme is to steer risk exposures as close as possible to the corresponding risk appetite statements. In other words, the maximum amount of accepted risk may be taken to exploit the expected rewards associated with that risk. For example, management may closely monitor the financial performance of a product line in a specific country over the last three years and assess competitor risk. If management concludes that the risk exposure of that product line is less than originally determined (due to high market entry barriers), the company can decrease the risk appetite for this product line in order to take on more risk in other strategic initiatives.
3.5.2 Increase ERM Maturity Level
Using a meaningful risk maturity model allows companies to benchmark how their current ERM practices match the suggested approaches in this textbook. Maturity models are simple instruments that support corporate management in assessing and improving their business processes and organisational structures (Moutchnik 2015, p. 162). In the following, we will briefly explain the basics of maturity models and their components (see Müller 2018).
Maturity models enable corporate management to review internal processes like ERM and structures like risk governance in order to identify weaknesses within the company. They can be considered as tools that help to analyse an as-is situation or a
so-called current state. In some cases, maturity models also suggest improvement activi-
ties in order to obtain a higher-ranked to-be state. In other words, they either assess the
current state for benchmarking reasons or they can be used for continuous improvement
of the company. In that sense, maturity models postulate that a certain object, tool or
process progresses through different stages of maturity (Moutchnik 2015, p. 162; Frick
et al. 2013, p. 274). The ultimate goal for some companies is to achieve the final maturity
stage, which can be seen as the “perfect state” where no further improvement is possible
anymore (Müller 2018, p. 22). Maturity models are widely used in practice. Nowadays,
more than a hundred different concepts are available (De Bruin et al. 2005, p. 3). The
spectrum of such models start from a specific area of the company (process, function) up
to the company as a whole (Wendler 2012, pp. 1317–1318). Maturity models are nowa-
days applied in many different fields of business, likewise in risk management.
Maturity models consist of two main components: the capabilities and the maturity levels (Müller 2018). Capabilities are the main areas of interest that an organisation wants to assess. These objects, like the ERM process, can be decomposed into a list of criteria and can consequently be measured. Examples of such capabilities are processes, documents, experiences, knowledge, or application steps. Most maturity models refer to more than one assessment criterion (capability) and are thus called multidimensional models. Maturity levels are the second component of a maturity model. They consist of consecutive stages starting from a very low to a very high maturity level. Many maturity models comprise five maturity levels, but their number can vary from three to six levels (Wendler 2012, p. 1319). Based on suggestions by Romeike (2018, p. 57) and Hunziker (2018, pp. 21–26) and on some updates suggested for this textbook, the following ERM maturity levels can be differentiated:
• Level 1—Informal ERM: The first level is predominantly characterised by a lack of (formal) management commitment to ERM. The value-adding components of ERM are not acknowledged by management. This fundamentally prevents a company from adequately developing a positive risk culture and an effective ERM. Usually, at this stage, no documented risk policy is available which would serve as an important guideline for ERM objectives and ERM implementation. Additionally, no formal ERM process for identifying, assessing and managing risks has been defined. Thus, risks are mainly identified on an ad hoc basis. Companies at this stage often lack ERM expertise and ERM tools. Some companies deliberately do without a formal ERM since dealing with risks can make (too) risky businesses and missing ERM competencies transparent. "Level 1 companies" perceive risks as weaknesses (downside risk perception), and risks are thus not systematically assessed and disclosed. Such companies may be under constant economic pressure or in crisis situations that lead to a lack of resources or a lack of willingness to implement an additional ERM process. Also, fast-growing start-ups at the beginning of their business lifecycle may be at this very informal ERM maturity level.
• Level 2—Basic ERM: At this second stage, companies have implemented a very basic, partial ERM. Usually, it is not harmonised in terms of process steps and terminologies and only focuses on a limited number of (risk) areas. There is little commitment and interest of management in ERM and, consequently, credibility and added value are limited. No formalised ERM process is defined, and ERM knowledge within the organisation is not shared and thus very limited. Often, a risk policy is still missing, which prevents the development of a supportive risk culture.
Moreover, only (negative) risks of the most important current projects are covered. As a rule, the risk manager is not very welcome at the strategy table as he or she is perceived as an obstacle to lucrative business. Risk information and adequate tools for risk identification and risk assessment are rarely or insufficiently used. Employees who are tasked with ERM assignments usually receive little support from management due to a rather negative risk culture.
A partial and inconsistent (often purely qualitative) implementation of the ERM process at this stage often leads to the absence of important key figures that could demonstrate the value of an ERM. Risk aggregation, for example, is generally not performed. As a result, ERM lacks credibility and is not perceived as a value-creating tool for decision-makers. "Level 2 companies" are very common: small and medium-sized companies in Switzerland (and presumably in other countries too) often run an incomplete, partial ERM which is not integrated into decision-making processes (see Hunziker et al. 2016).
• Level 3—Evolved ERM: In contrast to the two previous maturity levels, level 3 is characterised by a more formalised ERM process. A well-defined and documented ERM process is available which allows identifying and assessing all types of risks equally, i.e. strategic, operational and financial risks. Risks are assessed with at least semi-quantitative approaches, often based on probability of occurrence and financial impact. Roles and responsibilities of risk managers and risk owners are defined, and ERM is supported by simple software tools. A separate risk report is usually provided to management and the Board of Directors on a regular basis. However, ERM is still not fully accepted as a value-creating process, which is reflected in a missing risk policy and a rather inappropriate risk culture (negative risk orientation). ERM usually still exists as an independent approach at this maturity stage. Thus, it is not sufficiently embedded in decision-making processes or strategy development and execution. ERM is primarily perceived as a tool to prevent severe losses and not as a management tool which can increase decision quality. The risk manager is still not very welcome at the strategy table for the same reason as in level 2. A sound risk policy is still missing. Although ERM is accepted as important, a fundamental reluctance to regularly invest in ERM can be observed. "Level 3 companies" do not fully exploit the potential of ERM as it is still not incorporated in decision-making processes. This maturity level dominates in Switzerland (see Hunziker et al. 2016).
• Level 4—Advanced ERM: For most companies, an upgrade from level 3 to level 4 is probably the largest hurdle and requires a fundamental reconsideration of the objectives of an ERM. The board of directors is in charge of developing an appropriate risk policy. It is considered the cornerstone of any ERM programme. This includes, for example, the objectives of ERM, the ERM organisation, individual risk limits, sound risk appetite statements (see Sect. 3.5.6), the role of internal audit and risk management mitigation strategies. The risk policy is a crucial precondition for reaching level 4. All risks are equally quantified at level 4 (in monetary units), categorised according to their causes and related to specific business objectives. Where useful, risks are aggregated by means of a Monte Carlo simulation and risk interdependencies are taken into account. Risk exposures are compared to risk appetite statements as a basis for decisions on risk mitigation measures. Risk information produced by the ERM process is considered relevant for decision-making processes. Although risk maps are often still in place, they no longer serve as a major basis for decision-making. At level 4, key risks are quantitatively assessed using various scenarios. Maturity level 4 requires a uniform ERM language throughout the entire company (often, different terms, definitions and assessment methods have evolved over time in individual risk areas, which leads to confusion and non-comparability of different risk categories). Sophisticated risk reporting enables decision-makers to take risk information into account at the time decisions are taken. ERM is regularly assessed for its performance (effectiveness tests) and, if necessary, companies invest in new tools, techniques or know-how. At this high maturity level, ERM is also explicitly seen as part of successful strategy development and execution. The risk manager is usually a member of management and a welcome sparring partner in strategy meetings.
• Level 5—Leading ERM: Achieving the highest maturity level of ERM requires the following optimisations in addition to those of level 4: Intuitive decisions are consistently balanced with rational risk information provided by risk management. Consequently, impacts of potential decisions under uncertainty (e.g. new market entry) on company value or another key figure (e.g. EBIT or cash flow) are analysed and discussed through the lens of several risk scenarios. Decisions are regularly made based on risk and opportunity considerations and, thus, ERM has evolved into a strategic management tool. Moreover, ERM is linked to business planning to enhance the robustness of the planning process (multi-scenario planning). At this stage, ERM is noticeably lived within the organisation and embedded in employees' mindsets and business processes. Management perceives ERM as a value-adding process which significantly improves decision quality. Separate risk reports are only produced upon special request. Relevant risk information is integrated into existing policies, templates and other documents which serve as a basis for decision-making. All risks are fully quantified by means of scenario technique and are no longer depicted in traditional risk (heat) maps. Instead, more powerful aids to visualise risks are used, such as tornado diagrams and other types of bar charts which show the connection between uncertainties and business objectives.
Key Aspects to Remember
Promote ERM as a tool to balance rationality with intuition
The main goal of ERM is to increase the quality of decision-making within the company. This requires a full integration of risk information into decision-making processes. Management often makes important decisions primarily intuitively. This may be appropriate in some situations, but often there is a lack of more rational information about risks and opportunities at the time such decisions are taken. ERM can make a decisive contribution to a better balance between intuition and rationality.
Challenge management assumptions first, then complement with traditional risk identification
As a rule, the traditional risk management process starts with risk identification. This process step is often supported by sending templates to different people within the company or by conducting one-on-one interviews. A more effective way is to analyse the assumptions underlying the business strategy and business objectives first. This approach automatically leads to the identification of many, if not almost all, relevant risks affecting business objectives. After having analysed these assumptions, traditional risk identification techniques may complement the key risk list.
Focus on fully quantified, credible key risk scenarios
Traditional risk maps promote so-called "binary thinking" about risk: either a risk occurs or it does not, and when it does, it always has the same (financial) impact. Of course, this simplified approach is usually wrong. Risks can emerge in very different scenarios, which are more or less probable and have different impacts. Consequently, a key success factor of ERM is to translate risks into plausible, quantified stories using scenario technique. Effective ERM programmes use clever filters to distinguish key risks from risks that are not (yet) decision-relevant.
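The following Python example, added here and not part of the textbook, illustrates both the level 4 practice described above (risks quantified in monetary units as scenarios, aggregated by Monte Carlo simulation with interdependencies, and compared with a risk appetite statement) and the scenario point made in this box. The three key risks, their amounts, the factor loadings and the appetite threshold are constructed figures, and the one-factor Gaussian copula used for interdependencies is one possible modelling choice, not the author's method.

```python
"""Scenario-based risk quantification, Monte Carlo aggregation with
interdependencies, and comparison against a risk appetite statement.
Standard library only; all figures are constructed, not from the textbook."""
import math
import random
from statistics import NormalDist, mean

# Constructed key risks (amounts in CHF million, one-year horizon).
# Each risk is a list of mutually exclusive scenarios (probability, impact),
# impact as a triangular distribution (low, most likely, high). 'loading' is
# the risk's sensitivity to one shared driver (e.g. an economic downturn) and
# is how interdependencies between risks enter the aggregation.
KEY_RISKS = {
    "Loss of key customer": {
        "loading": 0.7,
        "scenarios": [(0.15, (1.0, 2.0, 4.0)), (0.05, (5.0, 8.0, 12.0))],
    },
    "Regulatory fine": {
        "loading": 0.2,
        "scenarios": [(0.20, (0.2, 0.5, 1.0)), (0.03, (3.0, 6.0, 15.0))],
    },
    "Data privacy incident": {
        "loading": 0.4,
        "scenarios": [(0.10, (0.5, 1.5, 5.0))],
    },
}

# Constructed risk appetite statement: the aggregated annual loss at the 95%
# confidence level must not exceed this amount.
RISK_APPETITE_95 = 8.0


def expected_loss(risks):
    """Analytic expected annual loss: sum over scenarios of p * mean impact."""
    total = 0.0
    for risk in risks.values():
        for p, (low, mode, high) in risk["scenarios"]:
            total += p * (low + mode + high) / 3.0
    return total


def simulate(risks, trials=20000, seed=7, dependencies=True):
    """Return one (total_loss, number_of_risks_that_materialised) pair per trial.

    Occurrence is driven by a one-factor Gaussian copula: each risk's latent
    normal is sqrt(w)*F + sqrt(1-w)*e, so marginal probabilities are preserved
    while risks with high loadings tend to materialise in the same year.
    """
    rng = random.Random(seed)
    phi = NormalDist().cdf
    results = []
    for _ in range(trials):
        factor = rng.gauss(0.0, 1.0)  # shared driver for this trial
        total, events = 0.0, 0
        for risk in risks.values():
            w = risk["loading"] if dependencies else 0.0
            z = math.sqrt(w) * factor + math.sqrt(1.0 - w) * rng.gauss(0.0, 1.0)
            u = phi(z)  # uniform(0,1) draw placed on the risk's scenario ladder
            cumulative = 0.0
            for p, (low, mode, high) in risk["scenarios"]:
                cumulative += p
                if u < cumulative:  # this scenario materialises
                    total += rng.triangular(low, high, mode)
                    events += 1
                    break
        results.append((total, events))
    return results


def quantile(values, level):
    """Empirical quantile (e.g. level=0.95 gives the 95% annual loss)."""
    ordered = sorted(values)
    return ordered[max(0, math.ceil(level * len(ordered)) - 1)]


def assess_against_appetite(results, appetite, level=0.95):
    """Compare the simulated exposure with the risk appetite statement."""
    losses = [loss for loss, _ in results]
    exposure = quantile(losses, level)
    return {
        "expected_loss": mean(losses),
        "exposure": exposure,
        "exceedance_probability": sum(1 for x in losses if x > appetite) / len(losses),
        "joint_event_rate": sum(1 for _, n in results if n >= 2) / len(results),
        "within_appetite": exposure <= appetite,
    }


if __name__ == "__main__":
    print(f"analytic expected loss: {expected_loss(KEY_RISKS):.2f}")
    for label, dep in (("independent", False), ("with interdependencies", True)):
        report = assess_against_appetite(simulate(KEY_RISKS, dependencies=dep), RISK_APPETITE_95)
        print(label, {k: round(v, 3) if isinstance(v, float) else v for k, v in report.items()})
```

Running the two variants side by side shows that interdependencies leave the expected loss unchanged but raise the share of years in which several risks materialise together, which is what a heat map with one dot per risk cannot show.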
Integrate risk information and avoid isolated risk reporting
Isolated risk reports are rarely used for decision-making. Although they are produced with a great deal of effort, they often receive little or no attention from management. Decisions on the board's agenda are usually taken before the risk report is discussed. In order to change this, relevant risk information must be available at the time decisions are made. For all strategic decisions, associated key risk scenarios must be included in the corresponding documents or presentations on these decisions.
Continuously increase ERM quality
Traditional risk management is usually not geared towards supporting decision-making. Thus, it must be continuously improved. Using a meaningful risk maturity model allows companies to benchmark their current ERM practice. In many cases, companies do not perceive any added value provided by risk management. To change this, use the maturity model suggested in this textbook as a starting point: if your company scores low (in most cases level 2 or 3), make the case for your company to enhance ERM quality and promote improved decision quality as the major reason to further invest in ERM.
Critical Thinking Questions
1. What is the main difference between a regulatory risk management approach and modern ERM?
2. Why do many ERM programmes fail in practice?
3. Risk maps are still very popular in practice. Can you explain why they are still widely accepted? What are the major drawbacks of this tool?
4. Why is it crucial to quantify all risks equally, even when no or only scarce data is available for some types of risks?
5. Why is the risk manager often not welcome at the strategy table in the company? How can this be changed in the future?
References
Abraham, S., & Shrives, P. J. (2014). Improving the relevance of risk factor disclosure in corporate annual reports. The British Accounting Review, 46 (1), 91–107.
Andersen, T. J., & Winther Schrøder, P. (2010). Strategic risk management practice. How to deal effectively with major corporate exposures. Cambridge: Cambridge University Press.
Andrews, K. R. (1971). The Concept of Corporate Strategy. Irwin: Homewood.
Barnett, M., Jermier, J., & Lafferty, B. (2006). Corporate reputation: The definitional landscape. Corporate Reputation Review, 9 (1), 26–38.
Barney, J. B. (2002). Gaining and sustaining competitive advantage (2nd Ed.). Upper Saddle River, NJ: Prentice-Hall.
Barney, J. B., & Hesterly, W. S. (2006). Strategic management and competitive advantage. Upper Saddle River, NJ: Pearson Education.
Barry Callebaut (2018). Annual Report 2017/18. https://www.barry-callebaut.com/sites/default/files/publications/barry_callebaut_annual_report_2017-18.pdf. Accessed 24 January 2019.
Beasley, M. S., & Frigo, M. L. (2007). Strategic Risk Management: Creating and Protecting Value. Strategic Finance, May, 24–31.
Budescu, D. V., Broomell, S., & Por, H.-H. (2009). Improving Communication of Uncertainty in the Reports of the Intergovernmental Panel on Climate Change. Psychological Science, 20 (3), 299–308.
Bunnenberg, S. (2016). Reputationsrisikomanagement: „Es fängt mit der Kultur an“. https://www.3grc.de/risikomanagement/reputationsrisikomanagement-es-faengt-mit-der-kultur-an/. Accessed 24 January 2019.
Buss, E. (2007). Image und Reputation—Werttreiber für das Management. In M. Piwinger & A. Zerfaß (Eds.), Handbuch Unternehmenskommunikation (pp. 227–243). Wiesbaden: Gabler.
Calabretta, G., Gemser, G., & Wijnberg, N. M. (2016). The Interplay between Intuition and Rationality in Strategic Decision Making: A Paradox Perspective. Organization Studies, 38 (3–4), 1–37.
Casas i Klett, T. (2008). Der Mensch in der Uncertainty Governance: Wertschöpfung jenseits von Risiko-Management. In R. Wunderer (Ed.), Corporate Governance—zur personalen und sozialen Dimension (pp. 26–30). Köln: Luchterhand.
Chapelle, A. (2015). Is reputation risk overstated? Operational incidents do not always give firms a bad name. https://www.risk.net/risk-management/operational-risk/2394437/reputation-risk-overstated. Accessed 24 January 2019.
Choo, C. W. (1999). The Art of Scanning the Environment. Bulletin of the American Society for Information Science and Technology, 25 (3), 21–24.
Clayton Christensen (n.d.). Disruptive Innovation. http://www.claytonchristensen.com/key-concepts/. Accessed 20 November 2018.
Collier, P. M., & Agyei-Ampomah, S. (2006). CIMA Learning System 2007 Management Accounting—Risk and Control Strategy. Elsevier Science & Technology.
Collis, D. J., & Montgomery, C. A. (2004). Corporate strategy: Resources and the scope of the firm (2nd Ed.). Chicago: McGraw-Hill Irwin.
Collis, D. J., & Rukstad, M. G. (2008). Can You Say What Your Strategy Is? Harvard Business Review, 86, 82–90.
Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2017). Enterprise Risk Management—Integrating with Strategy and Performance. Jersey City, NJ: AICPA.
Cox, L. A. (2008). What's Wrong with Risk Matrices? Risk Analysis, 28 (2), 497–512.
Dane, E., & Pratt, M. G. (2007). Exploring intuition and its role in managerial decision making. Academy of Management Review, 32 (1), 33–54.
Day, R., & Woodward, T. (2004). Disclosure of information about employees in the Directors' report of UK published financial statements: substantive or symbolic? Accounting Forum, 8, 43–59.
De Bruin, T., Freeze, R., Kulkarni, U., & Rosemann, M. (2005). Understanding the Main Phases of Developing a Maturity Assessment Model. ACIS 2005 Proceedings. 109.
Dean, J. W., & Sharfman, M. P. (1996). Does decision making process matter? A study of strategic decision making effectiveness. Academy of Management Journal, 39 (2), 368–396.
Deloitte (2012). Cultivating a Risk Intelligent Culture. Understand, measure, strengthen, and report. Luxembourg. https://www2.deloitte.com/content/dam/Deloitte/lu/Documents/risk/lu_en_wp_riskintelligentculture_01082012.pdf. Accessed 18 December 2018.
Deloitte (Ed.) (2017). Strategic Risk. A cornerstone of risk transformation. https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Risk/gx-ers-risk-transformation.pdf. Accessed 24 January 2019.
Deloitte (Ed.) (2016). How to meet top management reporting expectations? https://www2.deloitte.com/content/dam/Deloitte/be/Documents/finance/POV_top%20management%20reporting%20survey_v8.pdf. Accessed 28 January 2019.
Deloitte (Ed.) (2015). Global Survey on Reputation Risk. https://www2.deloitte.com/content/dam/Deloitte/za/Documents/risk/NEWReputationRiskSurveyReport_25FEB.pdf. Accessed 24 January 2019.
Diederichs, M. (2013). Risikomanagement und Risikocontrolling (3rd Ed.). München: Vahlen.
Duijm, N. J. (2015). Recommendations on the Use and Design of Risk Matrices. Safety Science, 76 (1), 21–31.
Eccles, R. G., Newquist, S. C., & Schatz, R. (2007). Reputation and its risks. Harvard Business Review, 85 (2), 104–114.
Elzahar, H., & Hussainey, K. (2012). Determinants of narrative risk disclosures in UK interim reports. The Journal of Risk Finance, 13 (2), 133–147. https://doi.org/10.1108/15265941211203189
Erben, R. F. (2015). Normen und Standards im Risikomanagement—Anwendbarkeit und Nutzen von ISO 31000, ONR 49000 ff. und COSO ERM. In W. Gleißner & F. Romeike (Eds.), Praxishandbuch Risikomanagement: Konzepte, Methoden, Umsetzung (pp. 143–174). Berlin: Erich Schmidt Verlag.
Ernst & Young (2015). Rethinking risk management. https://www.ey.com/Publication/vwLUAssets/EY-rethinking-risk-management-banks-focus-on-non-financial-risks-and-accountability/$FILE/EY-rethinking-risk-management-banks-focus-on-non-financial-risks-and-accountability.pdf. Accessed 28 January 2019.
Filatotchev, I., Toms, S., & Wright, M. (2006). The firm's strategic dynamics and corporate governance life-cycle. International Journal of Managerial Finance, 2 (4), 256–279. https://doi.org/10.1108/17439130610705481
Fleischer, A. (2015). Reputation und Wahrnehmung. Wie Unternehmensreputation entsteht und wie sie sich beeinflussen lässt. Wiesbaden: VS Verlag für Sozialwissenschaften.
Frick, N., Küttner, T. F., & Schuber, P. (2013). Assessment Methodology for a Maturity Model for Interorganizational Systems—The Search for an Assessment Procedure. 46th Hawaii International Conference on System Sciences.
Frigo, M. L., & Anderson, R. J. (2011). Strategic Risk Management: A Foundation for Improving Enterprise Risk Management and Governance. Journal of Corporate Accounting & Finance, 22, 81–88.
Frigo, M. L., & Anderson, R. J. (2009). A Strategic Framework for Governance, Risk, and Compliance. Strategic Finance, 90, 20–61.
Gleißner, W. (2018). Prüfung des Risikomanagements—ein Reifegradmodell. Der Aufsichtsrat, 2/2018, 18–21.
Gleißner, W. (2014). 10 Gebote für gute unternehmerische Entscheidungen. Controller Magazin, 4/2014, 34–41.
Gleißner, W. (2004). Die Aggregation von Risiken im Kontext der Unternehmensplanung. ZfCM—Zeitschrift für Controlling & Management, 5/2004, 350–359.
Grundy, T. (2006). Rethinking and reinventing Michael Porter's five forces model. Briefings in Entrepreneurial Finance, 15 (5), 213–229.
Hillmann, M. (2011). Storytelling: Mit Geschichten Unternehmen gestalten. In M. Hillmann (Ed.), Unternehmenskommunikation kompakt (pp. 63–73). Wiesbaden: Gabler.
Howard, R. A. (1988). Decision analysis: practice and promise. Management Science, 34 (6), 679–695.
Hubbard, D. W. (2009). The failure of risk management. Why it's broken and how to fix it. Hoboken, NJ: John Wiley & Sons Inc.
Hubbard, D. W., & Evans, D. (2010). Problems with scoring methods and ordinal scales in risk assessment. Journal of Research and Development, 54 (3), 2:1–2:10.
Hunziker, S. (2018). Erfolgskriterien von Enterprise Risk Management in der praktischen Umsetzung. In S. Hunziker & J. O. Meissner (Eds.), Ganzheitliches Chancen- und Risikomanagement. Interdisziplinäre und praxisnahe Konzepte (pp. 1–28). Wiesbaden: Springer Gabler.
Hunziker, S., & Meissner, J. O. (2017). Risikomanagement in 10 Schritten. Wiesbaden: Springer Gabler.
Hunziker, S., & Rautenstrauch, T. (2015). Risk Map: Instrument im Risikocontrolling—Breit akzeptiert, kaum hinterfragt. https://www.weka.ch/themen/finanzen-controlling/iks-und-risikomanagement/risikocontrolling/article/risk-map-instrument-im-risikocontrolling-breit-akzeptiert-kaum-hinterfragt/. Accessed 24 January 2019.
Hunziker, S., Balmer, P., & Schellenberg, C. (2016). Enterprise Risk Management Studie zum Risikomanagement in Schweizer Unternehmen. Zug: SwissERM und IFZ—Hochschule Luzern.
Hunziker, S., Fallegger, M., & Jovic, K. (2018). Risiko-Management im Führungssystem einbinden. Controlling & Management Review, 62 (9), 54–59.
Jonkman, S. N., van Gelder, P. H., & Vrijling, J. K. (2003). An overview of quantitative risk measures for loss of life and economic damage. Journal of Hazardous Materials, 99 (1), 1–30.
Kirstein, S. (2009). Unternehmensreputation. Corporate Social Responsibility als strategische Option für deutsche Automobilhersteller. Wiesbaden: Gabler Verlag.
KPMG (2008). Understanding and articulating risk appetite. http://www.kpmg.com.au/Portals/0/ias_erm-riskappetite200806.pdf. Accessed 24 January 2019.
Kunz, M. (2015). Non-financial risk disclosures in annual reports and the relationship to company risk factors: Evidence from Swiss listed companies. Master Thesis, Lucerne University of Applied Sciences and Arts.
Levine, D. (2015). ERM at the Speed of Thought: Mitigation of Cognitive Bias in Risk Assessment. 2015 Enterprise Risk Management Symposium. National Harbor, Maryland.
Linsley, P. M., & Shrives, P. J. (2006). Risk reporting: A study of risk disclosures in the annual reports of UK companies. The British Accounting Review, 38 (4), 387–404.
Liu, W., & Pergler, M. (2013). Concrete steps for CFOs to improve strategic risk management. McKinsey Working Papers on Risk. https://www.mckinsey.com/~/media/mckinsey/dotcom/client_service/risk/working%20papers/44_role_of_cfo.ashx. Accessed 23 January 2019.
Moutchnik, A. (2015). The maturity model for corporate environmental management. uwf UmweltWirtschaftsForum, 23 (4), 161–170.
Müller, M. (2018). Risk Culture at Roche. Development of a Risk Culture Measurement Framework. Master Thesis, Lucerne University of Applied Sciences and Arts.
OECD (2014). Risk Management and Corporate Governance. Corporate Governance, OECD Publishing. http://dx.doi.org/10.1787/9789264208636-en
Porter, K. (2018). A Beginner's Guide to Fragility, Vulnerability, and Risk. University of Colorado Boulder. http://spot.colorado.edu/~porterka/Porter-beginners-guide.pdf. Accessed 21 November 2018.
Porter, M. E. (1985). The Competitive Advantage: Creating and Sustaining Superior Performance. New York: Free Press.
Porter, M. E. (1980). Competitive Strategy: Techniques for Analyzing Industries and Competitors. New York: Free Press.
Protecht (2013). A Bow Tie Event. https://www.youtube.com/watch?v=dpGKHncw-d8. Accessed 24 April 2019.
Protiviti (2013). Board Perspectives: Risk Oversight. https://www.protiviti.com/sites/default/files/united_states/insights/board-perspectives-risk-oversight-issue48-risk-appetite-dialogue-protiviti.pdf. Accessed 23 January 2019.
Rautenstrauch, T., & Hunziker, S. (2011). Internes Kontrollsystem—Perspektiven der Internen Kontrolle. Zürich: WEKA Business Media AG.
Rees, M. (2015). Business Risk and Simulation Modelling in Practice: Using Excel, VBA and @RISK. Chichester: John Wiley & Sons.
RIMS (Ed.) (2012). Exploring Risk Appetite and Risk Tolerance. https://www.rims.org/resources/ERM/Documents/RIMS_Exploring_Risk_Appetite_Risk_Tolerance_0412.pdf. Accessed 24 January 2019.
Romeike, F. (2018). Risikomanagement. Wiesbaden: Springer Gabler.
Romeike, F., & Weissensteiner, C. (2015). Reputation: A Risk Factor. Risk Management Review, 6–10.
Roth, M. (2015). Compliance—in a nutshell (3rd Ed.). Zürich, St. Gallen: Dike Verlag.
Samad-Khan, A. (2005). Why COSO is flawed. Operational Risk, January, 1–6.
Schilling, B. (2018). Risikoadjustierte Unternehmensplanung—Integration von Unternehmensplanung und Risikomanagement. Controller Magazin, 6/2018, 30–36.
Segal, S. (2011). Corporate Value of Enterprise Risk Management: The Next Step in Business Management. New Jersey: John Wiley & Sons, Inc.
Sidorenko, A., & Demidenko, E. (2017). Guide to effective risk management 3.0. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3014251. Accessed 18 December 2018.
Sieler, C. (2007). Präventives Reputationsrisikomanagement: Reputationsrisiken als Handlungsfeld im Enterprise Risk Management. Risiko Manager, 11, 6–11.
Sika (2017). Annual Report 2017. Risk Management. https://www.sika.com/content/corp/main/en/group/investors_2016/risk-management.html. Accessed 28 January 2019.
Simon, H. A. (1987). Making management decisions: The role of intuition and emotion. The Academy of Management Executive, 1 (1), 57–64.
Slywotzky, A., & Drzik, J. (2005). Countering the Biggest Risk of All. Harvard Business Review, 83 (4), 78–88.
Spetzler, C., Winter, H., & Meyer, J. (2016). Decision Quality: Value Creation from Better Business Decisions. New York: Wiley.
Soliman, A., & Adam, M. (2017). Enterprise Risk Management and firm performance: an integrated model for the banking sector. Banks and Bank Systems, 12 (2), 116–123.
Swisscom (2017). Annual Report 2017. Risk situation. http://reports.swisscom.ch/en/2017/report/annual-report/management-commentary/risks/risk-situation. Accessed 24 January 2019.
Taleb, N. N. (2007). The black swan: The impact of the highly improbable. New York: Penguin Books.
Tian, Y., & Chen, J. (2009). Concept of Voluntary Information Disclosure and A Review of Relevant Studies. International Journal of Economics and Finance, 1 (2), 55–59.
Weissensteiner, C. (2014). Reputation als Risikofaktor in technologieorientierten Unternehmen. Wiesbaden: Gabler Verlag.
Wendler, R. (2012). The maturity of maturity model research: A systematic mapping study. Journal Information and Software Technology, 54 (12), 1317–1339.
Willis (2015). Risk Appetite Statements – Make or Break. https://www.willis.com/subsites/australia/Documents/Publications/services/BusinessRisk/W0477AU_Thought_Leadership_Article_Risk_Appetite_Statement_web.pdf. Accessed 26 April 2019.
© Springer Fachmedien Wiesbaden GmbH, part of Springer Nature 2019
S. Hunziker, Enterprise Risk Management, https://doi.org/10.1007/978-3-658-25357-8_4
4 Setting up Enterprise Risk Governance
Contents
4.1 Comply with Laws and Check Relevant Governance Codes 165
4.2 Consider ERM-Frameworks Thoughtfully 168
4.2.1 Motivation for Risk Management Standards 168
4.2.2 ISO 31000 169
4.2.3 COSO ERM 172
4.2.4 Similarities and Differences 173
4.2.5 Limitations of ERM Frameworks 174
4.3 Develop a Sound Risk Policy 176
4.3.1 Risk Policy and Corporate Strategy 177
4.3.2 Risk Policy as the Basis for Dealing with Risks 178
4.3.3 Limitations of Risk Policies 182
4.4 Enhance Risk Culture 183
4.4.1 Relate Risk Culture to Corporate Culture 184
4.4.2 Understand How Risk Culture Evolves 188
4.4.3 Increase Risk Culture Maturity Level 189
4.5 Organise ERM Properly 191
4.5.1 Does a Best-Practice ERM Organisation Exist? 197
4.5.2 ERM Organisation Options 198
4.5.3 Some Thoughts on Roles and Responsibilities 201
References 205
Learning Objectives
When you have finished studying this chapter, you should be able to:
• know the legal and enterprise risk governance requirements regarding ERM
• explain why the establishment of a sound risk culture is highly relevant
• formulate a risk policy which is based on the principles of modern ERM
• organise ERM effectively and efficiently within the company
• assess the appropriateness of ERM frameworks and norms in your company
Many textbooks on risk management place this chapter (or a similar one) before discuss-
ing the concrete ERM process. They commonly start broadly by describing ERM as a
part of overall corporate governance, highlighting its legal relevance and discussing vari-
ous ways in which risk management can be organised. In this textbook this is obviously
different. We have discussed the different cognitive and motivational biases and then pre-
sented the ERM process. Finally, we turn to risk governance. There are the following
reasons for this:
• We do not focus on legal requirements as we do not primarily follow a regulatory risk
management approach. Modern ERM should provide economic value by improving
decisions. Compliance with regulations does not create any obvious added value per
se. However, because laws must be adhered to, the legal situation is briefly discussed.
• Adapting the corporate culture (or risk culture) is a difficult and often long-winded
process. It is easier to implement the ERM process first (as well as possible) and to
consider it as a starting point for subsequent cultural change. Going through the ERM
process reveals many examples that can be used as good arguments for cultural
change. Practical examples of past decisions whose quality could have been improved
by ERM convince management much more than theoretical presentations on how
ERM could be effective in the future.
• It is very important to have a current risk policy approved by the board of directors.
However, the elaboration of a risk policy also depends on having experience with
and results of the ERM process. The risk policy can be developed in parallel with
the ERM process. Experience has shown that a sound risk policy often requires sev-
eral meetings and workshops with the board. Here, too, it is better to have convincing
examples from the ERM process that reinforce the basic ideas of a modern ERM.
• It would be a wrong signal to the reader to present ERM frameworks and standards
too early as a main chapter at the beginning of the textbook. The reason is simple:
they do not fully reflect the modern ERM approach. In some (but not all) respects
they are an ideal complement to this textbook.
• Last but not least, it may be difficult to fully define roles and responsibilities as well
as other organisational aspects without having any experience with the ERM process.
For example, relevant stakeholders of ERM, such as risk owners and subject matter
experts, may be selected on the basis of the process step “risk scenario collection”.
For this reason, it may be useful to consider the organisation of ERM early on, but this
is not the most important first step and can still be adapted after having gone through
the ERM process.
With these preliminary remarks in mind, we can now turn to the different aspects of
corporate governance and enterprise risk governance. Basically, corporate governance can
be defined as the actions, processes, traditions and institutions through which author-
ity is exercised and decisions are made and implemented. Corporate governance is the
legal and regulatory framework for the management and supervision of any organisation
(von Werder 2015). In addition to the legal framework with all its laws, norms and stand-
ards, corporate governance focuses on the goal of good, responsible management which
allows long-term value creation (Romeike and Hager 2013, p. 111). In turn, enterprise
risk governance applies the principles of good governance to the identification, assess-
ment, management, communication and integration of risks into decision-making pro-
cesses (adapted from IRGC 2018).
4.1 Comply with Laws and Check Relevant Governance Codes
Risk management principles have found their way into the respective laws and codes
of corporate governance. The focus and structure of these laws and codes vary
greatly from country to country. In line with the focus of this textbook, the situation in
Germany and Switzerland is very briefly discussed in the following.
Germany: “Gesetz zur Kontrolle und Transparenz im Unternehmensbereich”
(KonTraG)
The legal framework includes, among others, the comprehensive article act “Gesetz
zur Kontrolle und Transparenz im Unternehmensbereich” (KonTraG for short) which
requires the establishment of a risk management system and a monitoring system
(Sect. 91 (2) AktG), including the implementation of a risk early warning system and
appropriate communication structures. In addition, § 43 GmbHG provides for the duty
of care of the management and § 76 (1) AktG provides for the general management duty
of the Management Board. Hence, the executive board and the managing director must
deal appropriately with risks. In summary, this leads to the following conclusion: Risk
management is an original management duty of the executive board or managing director
(Romeike 2018).
Section 91 (2) AktG already makes it clear that the Executive Board must take suitable
measures, including the establishment of an internal monitoring system, so that
developments that could endanger the existence of the organisation can be identified
at an early stage and countermeasures initiated. In turn, this requires a risk
management system that is effective throughout the organisation, provides management
with a comprehensive information and decision-making basis, and is future-oriented.
Important factors here include the appropriateness and effectiveness of the risk early
warning and monitoring systems used. This should take the form of an internal control
system (ICS). The Business Judgement Rule also makes it clear that every business
decision is associated with risks (Hartmann and Romeike 2015). In this context, the
members of the Executive Board of an AG (Corp., Inc.) face personal liability for a
breach of duty. Other specific regulations such as the Sarbanes-Oxley Act, Basel I to IV
or MaRisk for banks as well as VAG and Solvency II in the insurance environment are
among the regulations relating to risk management (Romeike 2018).
German Corporate Governance Code
The German Corporate Governance Code presents the essential statutory regulations
for the management and supervision of German listed companies and contains
internationally and nationally recognised standards of good and responsible corporate
governance in the form of recommendations and suggestions.
The code stipulates that the Management Board informs the Supervisory Board
regularly, promptly and comprehensively of all issues of relevance to the organisation
relating to strategy, planning, business development, risk situation, risk management
and compliance. The Executive Board should deal with deviations of the current busi-
ness development from the existing plans and targets and state the reasons for these
deviations.
The Management Board ensures appropriate risk management and risk control in the
company (DCGK 2017).
In addition, the management board is to ensure that all statutory provisions and the inter-
nal guidelines of the company are complied with and endeavours to achieve compliance
with them by the group companies (compliance). It also takes appropriate measures that
reflect the company’s risk situation (compliance management system) and discloses the
main features of these measures. Employees must be given the opportunity to report
suspected violations of the law in a protected manner; this opportunity should also be
granted to third parties (DCGK 2017).
Switzerland: Swiss Code of Obligations (CO)
Regarding legislation in Switzerland, the Swiss Code of Obligations (CO) addresses risk
management as one of the responsibilities that the board of directors can delegate to the
executive board but has to maintain oversight of (OECD 2014). However, only larger
companies that are subject to an ordinary audit (according to Art. 727 CO) have to prepare
a management report which provides information on the conduct of a risk assessment.
CO Art. 961c
1 The management report presents the business performance and the economic position
of the undertaking and, if applicable, of the corporate group at the end of the financial
year from points of view not covered in the annual accounts.
2 The management report must in particular provide information on:
1. the number of full-time positions on annual average;
2. the conduct of a risk assessment;
3. orders and assignments;
4. research and development activities;
5. extraordinary events;
6. future prospects.
3 The management report must not contradict the economic position presented in the
annual accounts.
Unfortunately, the Swiss Code of Obligations does not provide any concrete guidelines
on how corporate management and the board of directors must comply with their
statutory duties of care with regard to ERM. Swiss legislation does not address
how ERM should be implemented. However, some provisions in different Swiss laws
require diligent business management at all hierarchical levels. One of the most relevant
statutes in this sense is Art. 716a CO, which lists the non-transferable and inalienable
duties of the members of the board of directors of a limited stock company. This provision
emphasises the board's responsibility for compliance with the law throughout the
entire company. Some financial market laws, such as the Swiss Banking Act (BankA),
the Swiss Banking Ordinance (BankO) and the Anti-Money Laundering Act, stipulate
a range of obligations regarding the risk and compliance management of financial
intermediaries.
Thus, every board member should have a deep interest in establishing an ERM programme
within the company. However, there is a widespread (false) opinion that the board
of directors of a small or medium-sized company (SME) in Switzerland is exempt from
the legal obligation of risk management. This misconception stems from the fact that, as
a result of the 2013 revision of the CO (Obligationenrecht, OR), only “larger companies”
have to provide information on the conduct of a risk assessment in their management
report. This reporting obligation indeed does not apply to SMEs that are not subject to an
ordinary audit. However, because of the duties stated above (Art. 716a CO), the board is
nevertheless obliged to assess the ERM of the company. This obligation is completely
independent of company size and industry.
Swiss Code of Best Practice for Corporate Governance (SCBP)
The Swiss Code of Best Practice for Corporate Governance (SCBP), published by the
industry association Economiesuisse in 2002 and revised in 2007, contains legally
non-binding recommendations, in particular for Swiss stock corporations. Corporate
governance encompasses all principles for safeguarding sustainable corporate interests.
These principles are intended to ensure transparency and a healthy balance between
management and control, while at the same time maintaining a company's decision-making
ability and efficiency at the highest level (SCBPCG 2016).
With regard to internal controls and risk management, it is expected that non-listed,
economically significant companies will be able to derive appropriate policies from the
SCBP. The Code strongly recommends that the board of directors ensure that the internal
control system is appropriate to the size, complexity and risk profile of the company. The
system should also include risk management covering both financial and operational risks
(OECD 2014). The board should take measures to ensure compliance with the applicable
rules and may also delegate compliance to the internal control system. It should review
at least once a year whether the principles applicable to itself and the company are
sufficiently well known and continuously complied with (OECD 2014).
4.2 Consider ERM-Frameworks Thoughtfully
In the area of risk management, many frameworks and norms have been published. As
introduced in Sect. 1.4, COSO ERM (2017) and ISO 31000:2018 are the best-known and
most widely used guidelines to implement ERM. This is the reason why we will focus
solely on these two frameworks.
4.2.1 Motivation for Risk Management Standards
Why do risk management standards emerge and what is the motivation for them?
Basically, various environmental developments can be observed to which companies
have to adapt. First, the increase in perceived risk exposure can be mentioned.
Globalisation is leading to greater complexity, dynamism and networking of companies
and states. Today, many companies operate worldwide, and the internet makes borders less
and less of an obstacle. Corporate collapses (Enron, WorldCom, etc.) or scandals that have
put companies in dire straits (BP, UBS, etc.) have also contributed to the increased risk
exposure or made it more obvious. Finally, natural disasters and terrorist attacks have
contributed to managers' increased risk perception.
Secondly, we face higher safety requirements today. Environmental protection and
labour safety issues in particular are increasingly becoming central issues that
companies have to deal with. Environmental goals are increasingly being set by national
governments, which is why companies have to respond to them. In addition, the
requirements regarding product liability have grown. Products must meet numerous
requirements and often be attractively designed for consumers at the same time.
Thirdly, the demands placed on company management have increased. Corporate gov-
ernance is an issue that concerns most companies. This is reflected in the fact that guide-
lines, codes and other requirements have been established that companies can hardly
ignore. Financial reporting must also cover the needs of many stakeholders. Listed com-
panies in particular face the challenge of complying with international frameworks. In
addition, corporate financing has become more difficult. This is due both to the distor-
tions caused by the 2007/08 financial crisis and the increased capital requirements by the
banks (Basel II/III).
A number of standards and frameworks have been developed globally to support com-
panies in the structured and effective implementation of ERM. These guidelines aim to
develop a common view of governance structures, processes and practices and are gener-
ally defined by recognised international standardization bodies or industry groups. ERM
is a fast-moving discipline, often due to changes in the environment and in regulations,
and standards are regularly supplemented and updated.
The different standards reflect the different technical focus of their developers and
are suitable for different organisations and situations. Standards are generally voluntary,
although compliance with a standard may be required by regulatory authorities or by
contract (IRM 2018). Romeike (2018) comments on the latter as follows: “laws are
complicated, but at least irrefutable and binding. The situation in the field of standardization
is less clear. There are currently more than 100 directives, norms and standards in the
field of risk management (a selection is shown in Table 4.1). These include industry- and
topic-specific regulations, such as the specifications of the Federal Office for Information
Security (BSI) or the international regulations ISO 17799 on information security or ISO
22301 on business continuity.” (ISO/IEC 17799 has since been renumbered ISO/IEC 27002.)
Many other authors (mostly academics and consultants) have developed recommenda-
tions for ERM implementation such as Segal 2011, Hopkin 2017 and Lam 2017. Segal
(2011) is one of the very rare authors offering a strict value-oriented ERM approach with
a detailed implementation guide for ERM in practice. The guideline consists of a four-
step process consisting of risk identification, risk quantification, risk decision and risk
reporting. In contrast to the international standardization bodies, these guidelines are
not primarily aimed at setting global standards. Rather, they address a specific group of
enterprises (e.g. small and medium-sized enterprises, individual sectors). In the follow-
ing, ISO 31000 and COSO ERM are assessed in more detail. Particularly, the revised
frameworks from 2017 and 2018 are examined.
4.2.2 ISO 31000
The ERM process cycle according to ISO 31000 is one of the most widespread, accepted
and currently most up-to date standard. The process follows several consequent steps
(IRM 2018). At first, management needs to establish the context. This means that a
risk management strategy and risk management organisation is defined. It includes the
4.2 Consider ERM-Frameworks Thoughtfully
170 4 Setting up Enterprise Risk Governance
establishment of a governance structure, the definition of roles and responsibilities as
well as supporting tools (ISO 2018a). Next, risks are assessed in three main steps. Firstly,
risk identification takes place. Risks are identified by source, for a certain timeframe, and
for each of the different risk categories. The outcome is a qualitative assessment of the
risks. The second step, risk analysis, aims at generating a better understanding of each
risk. Different positive and negative risk scenarios are defined and their likelihood and
potential impacts are estimated. According to the framework, risk identification and anal-
ysis can be quantitative, semi-quantitative, qualitative, or a combination of it.
Table 4.1 Selected risk management standards. (adapted and updated from Winter 2008)
Standard: AS/NZS 4360 Risk Management, Australia/New Zealand
Description: Oldest and best-known risk management standard, universally applicable and industry-independent, continuously developed, risk and opportunity oriented, accompanying manual, application for recognition as ISO standard, entry into ISO/DIS 31000
Standard: CAN/CSA Q850 Risk Management Guidelines for Decision-Makers, Canada
Description: Second oldest risk management standard, decision-related, emphasis on the importance of (public) risk perception, acceptance and communication, good documentation notes
Standard: PD 6668:2000 Managing Risk for Corporate Governance, United Kingdom
Description: Top management and corporate governance oriented, benchmark questionnaire to determine the risk management status quo, PDCA-based (reference to ISO management standards)
Standard: JIS Q 2001 Guidelines for development and implementation of a risk management system, Japan
Description: Terminology based on ISO Guide 51 & 73, PDCA-based on ISO management standards, emphasis on overall social responsibility
Standard: COSO ERM Enterprise Risk Management—Integrated Framework, USA
Description: Professional guidelines, based on the COSO Internal Control Framework, strongly oriented towards corporate governance, auditing, accompanying handbook with application notes. The most recent update (2017) puts emphasis on the link between ERM and strategy/decision-making
Standard: ONR 4900x Risk Management for Organisations and Systems
Description: Terminology analogous to ISO Guide 73, objectives/framework/process analogous to ISO/DIS 31000 (concretization & extension), PDCA-based, multipart standard family, system & personal certification, management system integration
Standard: ISO/DIS 31000 Risk Management – Guidelines for principles and implementation of risk management, International
Description: Generic and concise top-level guideline (principles & generic guidelines), basis for other standards, PDCA-based, terminology ISO Guide 73, organisational integration ONR 49001, RMP AS/NZS 4360. The most recent update was published in 2018
Thirdly, within the risk evaluation part, all risks are assessed by comparing the results
of the risk analysis with established risk criteria to support decisions on whether risks are
significant or not (IRM 2018). For example, a sensitivity analysis can be used to prioritise
the quantified risk scenarios. The information generated by the previous process steps
allows the overall risk exposure to be aggregated and evaluated, which leads to the final
risk treatment step that defines the risk mitigation measures for each single key risk. The
whole process of risk management needs to be continuously monitored and reviewed. This
way management can ensure that the risk mitigation measures are implemented correctly
and effectively. In parallel, a major focus lies on an effective communication and
consultation process. Risk communication is considered an effective instrument for the
development of a positive risk culture (Romeike 2018, pp. 36–38).
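As an added illustration, which is not from the book, from ISO 31000 or from IRM, the following Python script shows one way the risk analysis, evaluation and prioritisation steps above can be carried out quantitatively: each risk scenario carries an annual likelihood and a triangular impact range, the scenarios are aggregated by Monte Carlo simulation into an overall annual loss distribution, a leave-one-out sensitivity analysis ranks the scenarios by how much each one drives the 95th-percentile loss, and that figure is compared with a risk appetite threshold serving as the risk criterion. The scenario names, probabilities, impact ranges (in thousands of currency units) and the appetite threshold are constructed for the example; the leave-one-out ranking is one sensitivity technique among several and is an assumption of this example rather than the standard's prescription.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One risk scenario from the analysis step: annual likelihood plus an impact range
    (constructed values; impacts in thousands of currency units, triangular low/mode/high)."""
    name: str
    probability: float
    impact_low: float
    impact_mode: float
    impact_high: float


def sample_loss(scenario, rng):
    """Loss from one scenario in one simulated year: zero unless the event occurs."""
    if rng.random() >= scenario.probability:
        return 0.0
    return rng.triangular(scenario.impact_low, scenario.impact_high, scenario.impact_mode)


def simulate_losses(scenarios, trials, seed):
    """Per-scenario loss vectors. Each scenario gets its own RNG stream so that leaving
    one scenario out later does not disturb the samples of the others (paired comparison)."""
    return {
        s.name: [sample_loss(s, rng) for _ in range(trials)]
        for s, rng in ((s, random.Random(seed + i)) for i, s in enumerate(scenarios))
    }


def percentile(values, q):
    """Nearest-rank empirical quantile of a sample, 0 < q <= 1."""
    ordered = sorted(values)
    rank = max(1, min(len(ordered), round(q * len(ordered))))
    return ordered[rank - 1]


def evaluate_exposure(scenarios, appetite_p95, trials=20000, seed=1):
    """Aggregate the scenarios, rank them by their contribution to the 95th-percentile
    annual loss (leave-one-out sensitivity) and check the result against the risk appetite."""
    vectors = simulate_losses(scenarios, trials, seed)
    totals = [sum(vec[t] for vec in vectors.values()) for t in range(trials)]
    p95 = percentile(totals, 0.95)
    ranking = []
    for name, vec in vectors.items():
        without = [totals[t] - vec[t] for t in range(trials)]
        ranking.append((name, p95 - percentile(without, 0.95)))
    ranking.sort(key=lambda item: item[1], reverse=True)
    return {
        "expected_loss": sum(totals) / trials,
        "p95_loss": p95,
        "within_appetite": p95 <= appetite_p95,
        "ranking": ranking,
    }


# Constructed scenario register for the example (not real data).
SCENARIOS = [
    RiskScenario("Ransomware outage", 0.10, 500, 1500, 5000),
    RiskScenario("Supplier insolvency", 0.05, 200, 800, 2000),
    RiskScenario("Loss of key person", 0.20, 50, 120, 300),
    RiskScenario("Data centre flood", 0.01, 2000, 5000, 10000),
]
RISK_APPETITE_P95 = 2000  # constructed risk criterion: tolerated 95th-percentile annual loss


if __name__ == "__main__":
    result = evaluate_exposure(SCENARIOS, RISK_APPETITE_P95)
    print(f"expected annual loss: {result['expected_loss']:.0f}")
    print(f"95th-percentile annual loss: {result['p95_loss']:.0f} "
          f"(appetite {RISK_APPETITE_P95}, within appetite: {result['within_appetite']})")
    for name, contribution in result["ranking"]:
        print(f"  {name:<22} drives p95 by {contribution:7.0f}")
```

The leave-one-out contribution is computed on paired samples (each scenario has its own random stream), so the ranking reflects the scenario's own weight in the tail rather than simulation noise; a low-likelihood, high-impact scenario such as the flood contributes little to the 95th percentile even though it dominates the far tail, which is exactly the kind of distinction a risk criterion has to make explicit.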
Like all ISO standards, the risk management standard ISO 31000 was revised and
republished in 2018 to ensure that its tools remain relevant and useful, taking into
account the changing market environment and the new challenges facing companies
since the standard was first published in 2009 (ISO 2018a). This revised version also
intends to reflect the evolution of risk management over the past decade from a separate
activity to an integrated management competency (Fox 2018). Risk is defined as
the “effect of uncertainty on objectives”, which focuses on the challenge of incomplete
knowledge in decision-making processes. This requires a change in the traditional
understanding of risk and forces companies to tailor risk management to their needs and
objectives, which can be seen as a major advantage of the updated standard (Tranchard 2018).
According to ISO (2018b), the most important changes to the revised standard include
a stronger focus on both the inclusion of senior management and the embedment of risk
management into the corporate management. The version of 2018 also recommends
that ERM should be part of the company’s structure, processes, objectives, strategy and
activities and emphasises value creation as the main driver of risk management. Another
important objective of this revision is to make the content clearer and simpler by defining
the principles of risk management in simple, practical terms.
Below, we briefly discuss five important updates of the new ISO 31000:2018 version
(ISO 2018b).
• Simplified language. The principles of risk management are stated in simple, practi-
cal and more accessible terms. The ISO 31000:2009 version was too technical and
required a detailed understanding of risk management. Terms and definitions were
reduced from twenty-nine to eight. The standard now includes risk management mem-
oranda of understanding, principles, frameworks and processes. Considering that com-
panies already have a minimum set of principles, frameworks and processes for risk
management in place, the content has been streamlined to encourage users to adapt
and improve their risk management through the updated guidance of the standard.
• Focus on value creation and protection. ISO 31000:2018 puts more emphasis on
value creation and value protection as the main goals of ERM. To achieve this goal,
the standard contains eight principles to improve a company's risk management
framework and process. ISO 31000 outlines that risk management can create value if
risk management is an integral part of a company's activities and decisions and is
implemented in a structured and comprehensive approach. It also promotes the
consideration of different stakeholder perspectives and the importance of human and
cultural factors.
• Focus on management leadership. To achieve full integration of risk management
across the company, managers need to understand the importance of ERM and must
be fully committed to it (tone at the top). In this respect, ISO 31000:2018 stresses
the need for management to play a leading role in risk management development.
Without management's commitment and leadership, the process cannot be naturally
integrated. The standard thus emphasises that top management is responsible for risk
management, while oversight bodies are responsible for monitoring the effectiveness of
risk management.
• Risk management as an iterative process. ISO 31000:2018 reminds us that stakehold-
ers of ERM should communicate and consult with each other throughout the process.
Although the risk management process is presented as sequential, the standard explic-
itly states that in practice the process is iterative for decision-makers and stakeholders.
This underlines the importance of risk management and its supportive role in deci-
sion-making. ERM is not an additional step after decisions have already been taken.
This requirement is fully in line with our ERM approach in this textbook.
• Flexible standard. Finally, thanks to its flexibility, the revised ISO 31000 remains
useful for a large number of companies, regardless of their size and industry.
4.2.3 COSO ERM
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a
joint initiative of the five private sector organisations listed on the left and has set itself
the goal of playing a pioneering role by developing frameworks and guidelines for ERM,
internal control and fraud prevention (COSO 2019). The revised COSO ERM framework
puts emphasis on the importance of the two additional components of ERM that may
have a significant impact on company value.
Firstly, the risk that the strategy is not aligned with an entity’s mission, vision and
core values is central to consider in strategic decisions. Mission, vision and core values
matter most when it comes to sound risk management. COSO claims that it is crucial
that the selected strategy supports the organisation’s mission and vision. A failure in the
alignment of the strategy increases the risk that the company may not realise its goals
related to mission and vision even though the strategy is executed successfully. As a
result, ERM should explicitly deal with that risk of a strategy not being aligned with the
company’s mission and vision (COSO 2017). Secondly, ERM must consider the implica-
tions which are caused by the selected strategy. Since each alternative strategy has its
173
own risk profile, the board and the management need to decide if the selected strategy is
in line with the company’s risk appetite, as well as how the chosen strategy supports the
company achieving its objectives (COSO 2017).
The five components of the strategy setting process in the updated framework are sup-
ported by a set of principles and are explained in the following (COSO 2017).
• Governance and culture. Governance reinforces the importance of ERM and creates
the oversight responsibilities. In addition, governance sets the company’s tone. Culture
refers to ethical values, desired behaviours and the understanding of risk in the firm.
• Strategy and objective-setting. The strategic planning process involves ERM, strategy
and objective-setting. The basis for identifying, assessing and responding to risk is the
creation of a company's risk appetite aligned with the strategy.
• Performance. Risks that could hinder the achievement of strategy and business objec-
tives have to be identified and evaluated first. Then, these risks are prioritised by
severity taking into account the company’s risk appetite. Subsequently, appropriate
risk mitigation measures are selected. A portfolio view of the overall risk exposure
should be produced by ERM and is communicated to key risk stakeholders.
• Review and revision. A company can assess how well the ERM components
are working as time goes by through a review of the company’s performance.
Furthermore, it can determine required revisions in the light of substantial changes.
• Information, communication, and reporting. ERM demands an iterative process
of collecting and sharing meaningful information from both internal and external
sources which flows across the entire company.
If COSO ERM 2017 is compared with the current state of knowledge on modern ERM,
some efforts made by COSO to improve ERM toward a decision-relevant tool become
visible. This is clearly shown by the fact that cognitive biases are now taken into account
in decision-making processes, that ERM is aligned with strategy, that integration into
business processes is required, and that the structure of the entire framework is more
closely aligned with business.
4.2.4 Similarities and Differences
ISO 31000 and COSO ERM have many common principles, and both aim at better
integrating risk management into strategy and overall governance. Risk practitioners will
definitely benefit from having such frameworks as they offer a common terminology and
principles for benchmarking. Basically, simple and practically oriented, holistic
frameworks and standards would help to eliminate inconsistencies and ambiguities between
practice and the academic community. Fortunately, both frameworks stress the importance
of the link between ERM and strategic management. However, it clearly remains vague
how the economic benefit (i.e. the added value) can be verified or measured in practice.
Taking into account that most companies do not yet perceive ERM as value creating, this
is very important.
ISO 31000 and COSO ERM lack a sound and comprehensive explanation of the link
between risk appetite statements and decision-making processes. As many companies
struggle with the development of adequate risk appetite statements, this may be consid-
ered as a weakness of both frameworks. However, it has to be mentioned that the current
COSO ERM framework has tried to provide more clarity in this respect. Unfortunately,
the risk appetite statements suggested by COSO are partially confusing and not directly
actionable.
At this stage it is useful to be aware of some important differences between ISO and
COSO. This may support the decision as to which framework is more suitable as a
guideline for one's own ERM implementation (see Table 4.2).
In addition, instead of considering risk management as a periodic risk assessment
exercise, both revisions emphasise that ERM is an integral part of a company's
decision-making process and is essential to fulfilling its mission and improving performance.
Both revisions also recognise that risk and uncertainty are important considerations as
management develops the strategy, runs the operations and implements project initiatives
(Fox 2018). Which framework is better suited for implementing modern ERM? As stated
in Sect. 1.4, neither ISO 31000 nor COSO ERM. Neither approach addresses all
relevant ERM topics. Both can be used as a starting point due to their holistic,
value-creating perspective on ERM. Additionally, they are largely consistent. ISO 31000 is
much shorter and written at a more aggregated level than COSO ERM.
As previously mentioned, such frameworks are usually not very innovative, as they
are based on broad consensus (Risk Spotlight 2015). Moreover, there is still very limited
empirical evidence as to whether the two frameworks actually work in practice. It should
also be noted that particularly the implementation of COSO ERM can be very
resource-intensive, as the standard is strongly oriented towards operational process
management. In addition, COSO promotes a risk assessment of all process risks. This
approach can quickly develop into an excessive expense. Both frameworks offer relatively
simplified risk assessment techniques, with ISO 31000 taking a more differentiated and
meaningful approach. Finally, a consistent prioritisation and assessment of all key risks is
a clear prerequisite for determining risk exposures related to business objectives and
comparing these risk exposures with risk appetite statements. These aspects are not
sufficiently taken into account in either framework (Hunziker and Meissner 2017, p. 10).
4.2.5 Limitations of ERM Frameworks
The aim of ERM frameworks is to provide companies with a guideline that enables them
to assess, take on and manage risks more anticipatively and effectively and to support
decision-making processes. However, ERM frameworks in general can have a number
of shortcomings. A common and wrong criticism not unique to ERM frameworks, but
175
Ta
b
le
4
.2
C
om
pa
ri
ng
t
he
I
S
O
3
10
00
:2
01
8
an
d
C
O
S
O
E
R
M
2
01
7.
(
ad
ap
te
d
an
d
up
da
te
d
fr
om
H
uw
yl
er
2
01
6)
IS
O
3
10
00
:2
01
8
C
O
S
O
E
R
M
2
01
7
S
co
pe
P
ri
nc
ip
le
s
an
d
ve
ry
g
en
er
ic
g
ui
de
li
ne
s.
N
ot
a
ud
it
ab
le
or
c
er
ti
fi
ab
le
. S
tr
uc
tu
re
d
in
te
gr
at
ed
a
pp
ro
ac
h.
R
at
he
r
bu
si
ne
ss
-d
ri
ve
n
M
ul
ti
-l
ay
er
ed
a
nd
v
er
y
de
ta
il
ed
f
ra
m
ew
or
k.
T
op
d
ow
n
ap
pr
oa
ch
. B
as
ed
o
n
th
e
C
O
S
O
I
nt
er
na
l
C
on
tr
ol
F
ra
m
ew
or
k.
N
ot
a
ud
it
ab
le
o
r
ce
rt
ifi
ab
le
. R
at
he
r
au
di
t-
dr
iv
en
T
ar
ge
t
A
ll
c
om
pa
ni
es
, i
nd
ep
en
de
nt
f
ro
m
i
nd
us
tr
y
an
d
si
ze
R
at
he
r
la
rg
er
c
om
pa
ni
es
, a
ll
i
nd
us
tr
ie
s
D
ev
el
op
ed
b
y
R
is
k
m
an
ag
em
en
t
ad
vi
so
rs
w
it
h
in
te
rn
at
io
na
l
ex
pe
ri
en
ce
.
C
on
se
ns
us
-b
as
ed
P
ri
m
ar
il
y
ac
co
un
ta
nt
s
an
d
au
di
to
rs
, b
ut
a
ls
o
ri
sk
p
ro
fe
s-
si
on
al
s
du
ri
ng
c
on
su
lt
at
io
n
st
ag
e.
P
w
C
a
s
m
ai
n
au
th
or
.
P
ar
ti
al
ly
c
on
se
ns
us
-b
as
ed
A
dd
re
ss
ed
s
ta
ke
ho
ld
er
s
A
ll
r
is
k
ow
ne
rs
, i
nd
ep
en
de
nt
f
ro
m
h
ie
ra
rc
hi
ca
l
le
ve
ls
P
ri
m
ar
il
y
B
oa
rd
o
f
D
ir
ec
to
rs
a
nd
m
an
ag
em
en
t
R
is
k
de
fi
ni
ti
on
T
he
e
ff
ec
t
of
u
nc
er
ta
in
ty
o
n
ob
je
ct
iv
es
. A
n
ef
fe
ct
i
s
a
de
vi
at
io
n
fr
om
t
he
e
xp
ec
te
d.
I
t
ca
n
be
p
os
it
iv
e,
n
eg
at
iv
e
or
b
ot
h,
a
nd
c
an
a
dd
re
ss
, c
re
at
e
or
r
es
ul
t
in
o
pp
or
tu
ni
ti
es
an
d
th
re
at
s.
T
he
l
in
k
to
b
us
in
es
s
ob
je
ct
iv
es
a
ll
ow
s
ri
sk
m
an
ag
em
en
t
to
h
av
e
vi
si
bi
li
ty
a
nd
a
ll
ow
s
to
m
an
ag
e
al
l
ki
nd
s
of
r
is
ks
a
nd
o
pp
or
tu
ni
ti
es
. O
ri
en
te
d
to
w
ar
ds
b
us
in
es
s
ob
je
ct
iv
es
T
he
p
os
si
bi
li
ty
t
ha
t
ev
en
ts
w
il
l
oc
cu
r
an
d
af
fe
ct
t
he
ac
hi
ev
em
en
t
of
s
tr
at
eg
y
an
d
bu
si
ne
ss
o
bj
ec
ti
ve
s.
R
is
k
is
un
de
rs
to
od
a
s
th
e
st
at
e
of
n
ot
k
no
w
in
g
ho
w
o
r
if
p
ot
en
ti
al
ev
en
ts
m
ay
m
an
if
es
t.
O
ri
en
te
d
to
w
ar
ds
s
tr
at
eg
y
an
d
bu
si
–
ne
ss
o
bj
ec
ti
ve
s
F
oc
us
F
oc
us
o
n
ad
de
d
va
lu
e.
C
le
ar
ly
d
efi
ne
s
th
e
m
ai
n
re
sp
on
si
–
bi
li
ti
es
i
n
im
pl
em
en
ti
ng
a
nd
c
om
m
un
ic
at
in
g
a
ri
sk
m
an
ag
e-
m
en
t
po
li
cy
S
tr
on
g
fo
cu
s
on
a
li
gn
m
en
t
of
E
R
M
w
it
h
st
ra
te
gy
. T
he
re
la
ti
on
sh
ip
b
et
w
ee
n
E
R
M
a
nd
v
al
ue
c
re
at
io
n
is
s
tr
es
se
d
in
th
e
re
vi
se
d
20
17
v
er
si
on
R
is
k
ap
pe
ti
te
T
er
m
n
ot
u
se
d.
I
ns
te
ad
, s
o
ca
ll
ed
r
is
k
cr
it
er
ia
d
efi
ne
t
he
am
ou
nt
a
nd
t
yp
e
of
r
is
k
th
at
a
c
om
pa
ny
m
ay
o
r
m
ay
n
ot
ta
ke
, r
el
at
iv
e
to
o
bj
ec
ti
ve
s
an
d
ri
sk
c
ap
ac
it
y.
N
o
co
nc
re
te
ex
am
pl
es
a
va
il
ab
le
R
is
k
ap
pe
ti
te
i
s
de
fi
ne
d
as
t
he
t
yp
es
a
nd
a
m
ou
nt
o
f
ri
sk
, o
n
a
br
oa
d
le
ve
l,
a
c
om
pa
ny
i
s
w
il
li
ng
t
o
ac
ce
pt
i
n
it
s
pu
rs
ui
t
of
v
al
ue
. C
on
cr
et
e
ex
am
pl
es
a
va
il
ab
le
R
is
k
cu
lt
ur
e
R
is
k
m
an
ag
em
en
t
sh
ou
ld
b
e
ta
il
or
ed
t
o
th
e
cu
lt
ur
e
of
t
he
o
rg
an
is
at
io
n.
T
he
c
ul
tu
re
a
nd
r
is
k
m
an
ag
em
en
t
po
li
cy
o
f
th
e
or
ga
ni
sa
ti
on
s
ho
ul
d
be
a
li
gn
ed
. B
ot
h
ap
pr
oa
ch
es
n
ee
d
to
b
e
cl
ar
ifi
ed
t
ha
t
an
a
pp
ro
pr
ia
te
r
is
k
cu
lt
ur
e
is
n
ec
es
sa
ry
f
or
ef
fe
ct
iv
e
ri
sk
m
an
ag
em
en
t.
C
O
S
O
E
R
M
f
ra
m
ew
or
k
ta
ke
s
in
to
a
cc
ou
nt
t
he
i
m
po
rt
an
ce
o
f
th
e
in
fl
ue
nc
e
of
c
ul
tu
re
o
n
th
e
ri
sk
m
an
ag
em
en
t
pr
ac
ti
ce
s
of
c
om
pa
ni
es
4.2 Consider ERM-Frameworks Thoughtfully
176 4 Setting up Enterprise Risk Governance
often associated with them, is that ERM is interpreted as an extended internal control
framework. For example, COSO ERM has been considered as a formalised broadening
of Sarbanes-Oxley (Sect. 404) to an enterprise-wide risk management process with an
audit focus.
While the various ERM frameworks stress that ERM should be developed as part of the company’s overall strategy and should be incorporated into business processes, the primary objective of many frameworks is to ensure that strategic objectives are met. This in turn means they focus heavily on internal controls rather than actively supporting decisions in the strategy development process. This can be considered a critical weakness, as general risk assessments are essential to balance rationality with intuition in strategic decisions. However, the weak focus on decision-making is not very surprising, as the various ERM frameworks have emerged in response to the corporate scandals that have been widespread in recent decades (Andersen and Winther Schrøder 2010, pp. 138–139).
However, the danger of enforcing a comprehensive and more control-based framework is that the risk management process becomes a formal checklist designed to comply with restrictive regulations and to provide the comfort that managers and board members have fulfilled their duties when things go wrong. Worse still, implementing a very restrictive ERM framework can limit creative thinking and hinder the development of responsive solutions to changing conditions. As this happens, the formal risk management process can become a straitjacket rather than the effective promoter of good risk practices it was intended to be. As a result, the introduction of ERM frameworks can become a heavy bureaucratic task, reducing upward benefits and replacing downward risk impacts with excessive administrative costs (Andersen and Winther Schrøder 2010, pp. 138–142). Fortunately, the most recent updates of COSO ERM and ISO 31000, in 2017 and 2018 respectively, have an increased focus on integrating ERM into the business and aligning ERM with strategy. Additionally, both recognise risk as uncertainty on objectives, which can be positive or negative. In this respect, the developments of the two most important ERM frameworks are very promising.
Of course, all ERM frameworks require customisation and adaptation. For example, ISO 31000 is hardly directly implementable, as its contents are written at a very aggregated and general level. In contrast, COSO ERM might be overwhelming for many companies in terms of scope and detail. As a result, ERM frameworks might serve as a starting point and might reduce planning efforts, but companies usually still require considerable resources to achieve a mature, value-creating ERM (Tomhave 2015).
4.3 Develop a Sound Risk Policy
The implementation of ERM raises many questions, some of which are subject to considerable uncertainty: Which ERM standards or frameworks should be followed and which principles should be focused on? How is ERM related to the mission, vision and strategy of the company? What kinds of connections between strategy and ERM exist, and to what degree should ERM be aligned with strategic management? What is the ultimate purpose of ERM? Which ERM structure and organisation suits our company best? Which competencies, roles and responsibilities are relevant for an effective ERM? These and many more questions can be answered in a strategic ERM paper, usually called the “risk policy”.
As introduced in this chapter, it is crucial to develop a sound risk policy which is approved by the board of directors. However, as the formulation of a risk policy depends on existing experience with the ERM process, it does not make sense to approve a very detailed risk policy prior to the start of an ERM project. The risk policy may change depending on the experience gained over time with the ERM process. Accordingly, it should be understood as a provisional document, providing only rough implementation guidelines and containing the main objectives of ERM. Since risk policies can vary greatly from company to company, this textbook does not aim to provide a complete, detailed guide to developing a comprehensive risk policy. In the following, some important aspects that should be taken into account when developing an appropriate risk policy are introduced.
4.3.1 Risk Policy and Corporate Strategy
One major aspect of an adequate risk policy is the connection it establishes between corporate strategy and ERM. A risk policy may be considered an effort to combine both corporate functions: strategic management and risk management need to understand the risk policy statements and judge them as appropriate. As soon as a risk policy raises more questions than it is able to clarify, or contradicts strategic initiatives, the main purpose of a risk policy is missed (Hunziker and Meissner 2017, pp. 14–15). In other words, the risk policy is a strategic paper that outlines how ERM can support the achievement of strategic goals and how ERM can support the development of adequate strategies (i.e. strategies that are within risk appetite and have a reasonable risk-reward profile). This inevitably leads to some challenges in developing guidelines which allow the alignment of ERM with corporate strategy.
Before we specifically address risk policies, we need to understand some important characteristics of corporate strategies. One important objective of strategy development is the creation of goal orientation without getting lost in too many details. To put it differently: those who are strategically oriented (board and management) can overlook operational details, as long as they do not threaten the achievement of the overall strategic goals. Of course, even a well-defined strategy provides only a goal orientation that never fits exactly, but it must always be consistent. This is precisely what makes strategy development a very demanding issue: it requires both a precise definition of content and target-oriented flexibility at the same time. Paradoxically, the art of strategy is to create decision-making certainty for the actors while maintaining a certain openness and flexibility (Wimmer et al. 2014).
Why is this inherent challenge of strategy development important for developing adequate risk policies? As we focus on the link between ERM and corporate strategy, this issue has several important consequences that need to be considered when developing a risk policy (see similarly Hunziker and Meissner 2017, p. 15):
• The fundamental ambivalence (precise content versus flexibility) of any strategic action cannot be eliminated by a risk policy.
• A sound risk policy which accounts for this fact can provide a provisional, temporary decision-making resource which allows a strategy execution that is within risk appetite.
• A naive belief that a risk policy is based on unequivocal, clear and irrefutable strategies is not appropriate.
• The risk policy itself can affect strategy development by clearly defining that the respective risk-oriented scenarios are taken into account for all strategic decisions.
• Strategic frameworks must be differentiated according to size and type of organisation. In medium-sized and larger companies, overall strategies are usually decomposed into sub-strategies. Sub-strategies are usually defined according to business areas and/or business functions. This also applies to the risk policy. Basically, it must be aligned with the overall corporate strategy and the corresponding sub-strategies. For example, a sub-strategy that reads “realising international business in cooperation with partner companies along the value chain” has an impact on how strategic partnerships are established, supervised and monitored, but also on how the company’s supply processes are controlled. A risk policy in turn has to address supply chain risks (logistics and operations sub-strategy) as well as the strategic risks of international, and thus cultural, cooperation (human resources and corporate development sub-strategy).
It is obvious that the entire strategic framework should be as coherent as possible, i.e. it
must provide a coherent decision-making framework so that companies can make high-
quality decisions (Rüegg-Stürm and Grand 2017).
4.3.2 Risk Policy as the Basis for Dealing with Risks
The risk policy forms the basis for implementing ERM in coordination with corporate policy. It is an agreement of the management that explicitly defines how a company deals with uncertainty on objectives. Of course, a risk policy is closely linked to the overall corporate culture. This is demonstrated by the fact that a risk policy determines how and to what extent risk awareness is to be increased in the company. Insofar, the risk policy is an integral part of internal training and communication in the area of risk culture: it clearly outlines the attitude of a company towards uncertainties and how the risk awareness of employees shall be fostered.
The risk policy further defines the ultimate purpose of ERM. Information on the ERM process for assessing, quantifying, mitigating and reporting key risks, as well as on monitoring ERM effectiveness, is an important part of every risk policy. Usually, a risk policy quickly reveals whether ERM is predominantly geared towards a “regulatory risk approach” or towards value-creating ERM by adopting adequate uncertainty governance (see Sect. 3.2). In summary, a risk policy defines the basic understanding of ERM, i.e. how a company plans, implements, assesses and improves the management of uncertainties. A risk policy could be structured as follows:
• Definition of the purpose of a risk policy (e.g. why is a risk policy important? what is
the ultimate goal of a risk policy?)
• Precise formulation of the ultimate goals of ERM (e.g. improving decision-quality by
providing rational risk information)
• Description of how ERM is linked to corporate strategy and objective-setting, includ-
ing sub-strategies
• Precise definitions of management responsibilities for ERM (e.g. ultimate responsibil-
ity of ERM resides with board of directors)
• Clear definitions of ERM and risk (e.g. ERM is the process of assessing, quantify-
ing, reporting key risks to support decision-making and to ultimately add value to the
company, risk is deviation from expectations). Reasons for clearly defining the term
risk are, for example, the following practical phenomena: Management often per-
ceives risks as fully manageable and controllable, which contradicts our basic defini-
tion of risk (unexpected deviation of a future event). In practice, it is also observed
that risk is often defined primarily as a possibility of loss.
• Definition of the scope of ERM (all risk categories are equally relevant, such as strate-
gic, operational, financial).
• The risk policy should also define which risks should be consciously taken. Every
business objective is necessarily associated with risks (and rewards). For example,
a company could decide to bear all strategic key risks (risks from pursuing strategic
goals) and to mitigate all non-core risks (caused by support processes).
• Brief explanation of the ERM process steps (risk identification, risk assessment tech-
niques, risk reporting, risk disclosures, monitoring, benchmarking).
• Definition of risk appetite statements. The risk policy should define clear, quantified
risk limits for specific individual risks or business objectives. For example, an indi-
vidual customer should not account for more than 20% of total revenues, or the equity
ratio should be at least 40%.
• Definition of roles and responsibilities (risk owners, risk manager, subject matter
experts, role of management, role of Board, role of internal audit)
• Description of relevant mitigation measure options. The risk policy defines basic procedures and principles for mitigating risks. For example, non-strategic risks are to be insured, strategic risks are to be accepted, currency risks are to be hedged by call or put options.
• Optional: The description of a rating strategy. Since loans granted by a bank must be
backed by equity corresponding to the risks of lending, lending policies (specifically
interest rate conditions) are increasingly aligned with the rating of individual com-
panies. Companies that fall into a low rating category must expect higher financing
costs. The risk policy—and thus the design and objectives of an ERM—can have a
decisive impact on the financial rating (e.g. creation of stable cash flows by means of
appropriate ERM measures).
• Development of a glossary in the appendix that defines all relevant terms and abbreviations (Hunziker and Meissner 2017, pp. 16–17).
The risk policy usually starts with the purpose of the document. This is illustrated, for
example, in the risk policy of the Swiss federal administration as follows.
Example
The Confederation is exposed to numerous risks. The increasing networking and com-
plexity of the environment, the demand for increased efficiency and effectiveness in
the provision of services, the requirements for responsible administrative manage-
ment, the diverse range of tasks of the federal administration and fiscal policy restric-
tions lead to additional challenges for the Confederation.
The risk policy is intended to create a sound foundation for an ERM at the federal
level, focusing on the financial impacts.
The risk policy
• defines the homogeneous, systematic and consistent management of the numerous
risks in the federal administration,
• is part of the due diligence duties which the departments and administrative units
must exercise in the course of their activities,
• supports the departments and administrative units in the efficient and effective per-
formance of the activities entrusted to and carried out by them, and
• contains the instruments and measures aimed at systematically recording, assess-
ing, managing and monitoring risk potential in an efficient manner (Swiss Federal
Finance Administration 2004)
The second paragraph of the Confederation example deals with the basics of the ERM concept. Moreover, the focus is on financial impacts, which can be easily explained by the publishing administrative unit, namely the Swiss Federal Finance Administration. Of course, it is important to assess all sources of risk as well, as learned in Sect. 3.3.1. The second and third bullet points reveal that individual administrative units are risk owners and can expect support from the finance administration. Additionally, the risk policy defines the scope, objectives, responsibilities, principles for risk management and the basic ERM process.
Another example of a risk policy by ABB stresses the purpose of ERM, the responsi-
bilities of ERM and the continuous improvement first, as illustrated in the following:
Example
(Excerpt)
Responsibility and organisation
Risk management forms an integral part of the management system and determines
the risk situation in business processes and organisational units. Risk management
provides the organisation at all levels with an instrument for detecting risks early
and taking steps to eliminate, reduce, and consciously deal with risks. Responsibility
for implementing the risk management policy, from both a strategic and operational
standpoint, lies with management in the relevant organisational units as appropriate
for a given level. A risk manager is appointed to support implementation methods in
the business process.
Continuous improvement in risk management
The risk management policy is integrated into the business processes. Continuous
monitoring and analysis of risks and the measures taken on this basis is a require-
ment for business success. Particular attention is paid to critical success factors and
the interrelation between different risks and opportunities.
Raising awareness among employees
Employees at ABB Switzerland are conscious of the main risks in their environment
and are made aware of possible hazards in their sphere of activity.
Responsibility of suppliers
ABB Switzerland prefers suppliers that implement a sustainable risk management
system, among other measures.
Society
An effective risk management policy is a key requirement for long-term profitability.
With this ABB Switzerland enhances its competitiveness and thereby contributes to
society.
Legal compliance
Legal regulations are complied with, along with all requirements that are recognised
by ABB Switzerland.
Contact with government agencies and interested groups
ABB Switzerland works openly and actively in cooperation with government agen-
cies, associations, as well as interested groups, and maintains a relationship of trust
with them.
(Management resolution of ABB Switzerland as of 2015-01-01, ABB 2015).
On the one hand, the importance of workplace safety is emphasised and thus systematically linked to ERM. In addition, ERM is defined as a selection criterion for the supply chain, similar to what is often addressed by quality management standards. The question arises as to whether the three following topics of society, legal compliance and dealing with government agencies should be included in a risk policy, as these requirements should already be fulfilled within the context of good corporate governance. They offer no added value in a risk policy. ABB chooses a very aggregated and short form of presenting its risk policy online. It is questionable whether this risk policy addresses all relevant aspects in sufficient detail. However, it can be assumed that the internally used risk policy differs from the version published on the company’s website (see similarly Hunziker and Meissner 2017, pp. 18–19).
4.3.3 Limitations of Risk Policies
As already mentioned, the development of an appropriate risk policy may require a lot of energy and time. The different perspectives and experiences of the board members often make it difficult to find a consensus. In addition, this consensus should largely reflect our modern, value-creating ERM approach and not lead to a regulatory risk management approach. Guiding this discussion on risk policy in the right direction is a major challenge for any risk manager.
After the extensive discussions have led to the approval of a risk policy, we must be
aware that this is of course an important achievement, but only one of many towards an
effective ERM. Additionally, even well-defined risk policies have limited effectiveness.
Some limitations are briefly introduced in the following.
• A risk policy is a document containing formal rules, definitions, roles and responsibilities. To enhance risk culture, it is important that this document is appropriately communicated to all relevant stakeholders of ERM within the company. In many cases, the risk policy is not well known to all risk owners due to communication, infrastructure or other organisational boundaries.
• The document itself does not protect against fraud, corruption and other illegal behaviour, even if it addresses them explicitly.
• Risk policies cannot adequately address or translate intercultural risk components. Thus, international differences in risk perception, risk awareness and risk assessments cannot be fully captured in risk policies. For example, it might be challenging to communicate to Europeans why the risk of legal claims in the US can lead to exorbitant claims.
• Once a risk policy has been approved, its validity is very limited in time. The increasing dynamism of economic activity and the associated pace of change in day-to-day business require a more abstract and aggregated risk policy description to ensure that it does not become obsolete again within a very short time. This, however, reduces the substance and concreteness of the policy.
• Finally, a risk policy must not deteriorate into a pure marketing tool. In particular, in cases where the risk policy is publicly available, there is a great danger that socially expected phrases (e.g. on risk appetite) will replace true ERM statements that lead to action and decisions.
Finally, it should be noted that the board of directors often does not have sufficient time
to discuss the risk policy. In purely practical terms, the complexity of the ERM to be reg-
ulated is frequently treated with (too) little attention. However, if too few time resources
are available for the “risk policy” agenda item, the ERM system as a whole is probably
not expected to be highly professional either (Hunziker and Meissner 2017, p. 20).
4.4 Enhance Risk Culture
Risk culture is probably one of the most used and fuzziest terms employed to explain why ERM may or may not be effective in practice. Like ERM, risk culture has been increasingly discussed over the last decade. The literature often mentions the financial crisis of 2008 and 2009 as the starting point of a new risk culture era. Since then, it has been addressed in many publications by consultants, risk professionals, risk organisations, publishers of ERM frameworks and academics. However, definitions vary greatly, and it often remains unclear what a risk culture is, how it is related to corporate culture and how it can contribute to ERM effectiveness. The main question remains: how can a company transform its risk policy into observable, self-evident action by all its employees? Or, to put it differently: if a risk manager is tasked with implementing ERM, how can he or she foster a positive risk culture to increase ERM effectiveness? In order to understand what a risk culture might be, we must first address the topic of corporate culture.
4.4.1 Relate Risk Culture to Corporate Culture
Corporate culture is defined very differently in theory as well as in practice (Müller 2018, p. 16). In the literature, we usually come across the well-accepted definition of Edgar Schein, one of the pioneers in that area of research. Schein (2010) defines corporate culture as follows:
“The culture of a group can now be defined as a pattern of shared basic assumptions learned by a group as it solved its problems of external adaptation and internal integration, which has worked well enough to be considered valid and, therefore, to be taught to new members as the correct way to perceive, think, and feel in relation to those problems.” (Schein 2010, p. 18)
In order to better decompose corporate culture and to make it more accessible to decision-makers, Schein (2010) divides corporate culture into a three-level concept (pp. 23–24):
• Artefacts and symbols relate to the surface of the company. They constitute the visible elements of culture such as structure, architecture, processes, codes of conduct and annual reports.
• Espoused values are partly visible and partly perceived unconsciously. Examples include common values, rules of conduct, ideologies, standards, aspirations and ideas. They may be congruent with the artefacts mentioned above, but they do not necessarily have to be.
• Basic underlying assumptions are often only unconsciously perceived and are deeply embedded in the company’s culture. They are experienced as self-evident and are not visible to people. Usually they are not questioned, but taken for granted instead. Examples are norms, values and beliefs that significantly determine the behaviour of people. They are considered the most important driver of corporate culture.
Is corporate culture important for a company, and if so, why? Research shows that corporate culture might be a crucial differentiation factor in today’s global competitive markets. An adequate corporate culture has the power to trigger a so-called fan factor in the company that leads to increased success. Insofar, corporate culture has become a high-priority topic (Heidbrink et al. 2014; Wien and Franzke 2014). More specifically, if employees perceive top managers as trustworthy and ethical, a company’s performance is stronger (Guiso et al. 2015, p. 60). For our purposes, we can conclude that ERM is dependent on a sound corporate culture: in order to successfully implement an ERM, a company and its employees must be open and willing to share and to develop teamwork among all hierarchical levels, from the board of directors to management, down to the hierarchical levels at the bottom. It can be concluded that a company’s chances of implementing an effective ERM are directly related to its cultural capacity for openness, transparency and teamwork (Fraser and Simkins 2016, p. 690).
After having briefly touched on definitions of corporate culture, the next paragraphs shed light on how corporate culture is related to risk culture (see similarly Müller 2018, pp. 17–18). Not very surprisingly, previous research on this relationship has been quite ambivalent. Many authors strongly believe that risk culture and corporate culture are essentially the same. It is, for example, claimed that if ERM shall be truly embedded into business management, it should not be seen as a separate tool, but rather as part of the overall corporate culture. However, proper risk management deserves and needs specific attention (Davidson et al. 2012, p. 13), as it does not operate in a vacuum and is influenced by corporate culture in many ways, and thus the two can be considered quite the same (DeLoach 2015).
Other authors state that corporate culture and risk culture have some aspects in com-
mon, but are not the same. For example, Ring et al. (2015) argue that risk culture is inex-
tricably linked to, but not the same as, organisational culture. They mention that ERM
has become an important topic when discussing corporate culture. Additionally, they
admit that risk culture can be shaped by corporate culture and, thus, is naturally part of
the overall corporate culture, but nevertheless not the same. Romeike (2018) confirms
this view by stating that corporate culture forms the relevant basis for a sound risk cul-
ture (p. 48). What do these findings and research observations mean for our textbook?
We accept the different views on these complex topics and note that there is at least agreement that risk culture is very closely linked to corporate culture. An “isolated” risk culture does not exist; it always depends on or is shaped by the corresponding corporate culture.
In practice, risk culture has been defined in various ways. Most risk culture definitions put emphasis on employees’ behaviour and their practices in the process of defining and managing risks (Blanco et al. 2014). For example, this is explicitly expressed in the following definition of the Institute of International Finance (IIF):
Risk culture can be understood as “the norms and traditions of behaviour of individuals and of groups within an organisation that determine the way in which they identify, understand, discuss, and act on the risks the organisation confronts and the risks it takes” (IRM 2012, p. 82).
Lam (2017) states that risk culture is shaped either positively or negatively by a wide array of different forces such as leadership, shared values and beliefs, incentives and habits. He also considers culture as the driver of human behaviour and, in that respect, also of the actions taken regarding ERM (p. 116). Other authors define risk culture as something that binds all elements of ERM together (DeLoach 2015) or as the DNA that “shapes judgements, ethics and behaviours displayed at those key moments, big or small, that matter to the performance and reputation of firms” (Adamson 2013). DeLoach (2015) states that risk culture should be embedded into the organisation’s decision-making processes. This requirement is fully in line with our ERM approach. He describes risk culture as similar to a look into the soul of any company to determine if risk and reward trade-offs really matter.
So far, these definitions have quite a broad focus and are thus very general in nature (Müller 2018, p. 18). Other authors define risk culture more narrowly. Pan et al. (2017), for example, describe the risk culture of a company as “the shared preferences toward risk and uncertainty of those at the top of the firm” (p. 2328). They highlight the important tone at the top, which has a significant impact on risk culture throughout the company. Similar aspects are put forward by Gleißner (2008), who states that risk culture is mainly represented by risk appetite statements. In his view, risk culture is defined by the degree of willingness of a person to bear risks. Risk tolerance is further dependent on the current business situation. Employees are expected to take less risk during times of high profits, and to accept more risks during times of losses (p. 35).
In summary, two different approaches to defining risk culture can be observed. The
first relates predominantly to the behaviour of employees towards ERM processes and
the embedding of ERM in their mindset. The second puts more emphasis on how much
risk management and employees are willing to take. Taylor (2007) reinforces these two
views on risk culture: he differentiates between improving cultural management so that
employees behave in an appropriate manner, and communicating the risk and return
trade-offs of the company to all risk owners (p. 12).
No single best practice solution regarding risk culture exists (Deloitte 2012).
However, for the purpose of this textbook, risk culture shall be understood as a culture
that includes all values, norms and behaviours that support, enable, and positively impact
management and employees to effectively manage key risks in a modern ERM approach.
Additionally, it reflects the company’s way of treating people, including the implicit
rules and assumptions that drive ERM towards the successful achievement of its
business objectives. In this respect, we follow the first, broader definition introduced
above. Moreover, we regard a positive risk culture as a powerful tool that motivates
management and the Board to increase decision quality and that leads to commitment
towards the ERM’s objectives (Vazquez 2014; Hopkin 2017). To put it differently: a
positive risk culture is ultimately a matter of the extent to which ERM information is
incorporated in decision-making processes and thus of how well intuitive decisions are
balanced with rationality.
The following practical example may be considered a typical phenomenon of poor
risk culture, one that can be observed on a regular basis: despite formal ERM processes
and structures having been implemented, risks occur that have not been adequately
addressed by management. In addition, risk information provided by the risk manager
has not been considered in decision-making processes. As a consequence, the benefits
of ERM are questioned and budgets to improve ERM will have to be justified even more
in the future.
Example
Esstisch AG, a German furniture manufacturer with 120 employees, runs a modern
ERM system. A risk policy with clearly assigned responsibilities was discussed and
approved by the Board of Directors. Risks from the internal and external environment
were identified, analysed and assessed taking risk interdependencies into account.
The risk manager monitors all accepted key risks (primarily strategic and operational
risks) in close cooperation with those responsible for strategy development and pro-
cess management. In addition, mitigation measures to reduce risks are defined and
reported regularly to management.
Nevertheless, Esstisch AG is caught on the wrong foot by unexpected risk events:
first, the financial manager was absent for a longer period due to an accident; then
one of the most important customers announced its insolvency. Moreover, despite
tough negotiations, the cooperation with an important online retailer could not be
intensified. As a result, the risk manager and the methods and instruments used were
criticised because these consequences had not been anticipated.
So far, risks had only been discussed at the top management level of Esstisch AG.
Due to the high workload, hardly any lessons were learned from previous risk events
or near misses at the operating level; for example, payments by major customers had
already been delayed in the past. In addition, the tone at the top was poor, as the
cooperation mentioned above failed due to a conflict within management. Ultimately,
the risk manager’s recommended mitigation measures were perceived as a pure cost
burden. The risk report provided by the risk manager was also mostly ignored, as there
was hardly any time left in the jam-packed board meetings (Hunziker et al. 2017, p. 22).
A recent study conducted by the Lucerne University of Applied Sciences and Arts
surveyed the risk culture maturity of Swiss companies in detail. It turned out that only
one in four companies consciously promotes a positive risk culture. For two thirds of the
respondents, risk culture is only partially within scope, while every tenth company pays
little or no attention at all to risk culture (Hunziker et al. 2016). Obviously, risk culture
poses a major challenge for many companies. Considering its importance, there is a lot
of catching up to do in this respect.
Let us sum up as follows: with a positive risk culture in the company, ERM can lead
to a strategic competitive advantage by consciously taking risks in order to exploit
potential rewards and by integrating risk information at the time decisions are taken.
In doing so, it will also be possible to counter the still poor image of ERM as a pure
cost burden. If companies can develop and communicate values, norms and behaviours
that support and enable balancing risk and reward appropriately, a positive risk culture
can be anchored in the company and thus lead to improved decision quality.
4.4.2 Understand How Risk Culture Evolves
According to the Institute of Risk Management, there are two ways in which risk
culture can develop: either a conscious implementation takes place on the basis of
deliberate decisions, or the risk culture develops naturally without explicit management.
In practice, both ways of fostering a risk culture are possible. If the risk culture is to be
directly influenced, a clear statement from the company’s top management is required:
a clear risk vision and risk policy with a value statement that emphasises the value of
risk management. Equally important is appropriate communication with the risk
community to promote and encourage appropriate risk behaviour (Müller 2018, pp. 19–20).
If the risk culture is to develop naturally, the focus is on practical examples. Employees
who deal with risk management in their daily work unconsciously recognise its
importance. The repetition of these risk activities leads to smooth processes and
increased quality. This creates a positive cycle in which ERM creates a strong risk
culture, which in turn promotes appropriate risk behaviour. In other words, there are
two ways to develop risk culture, top-down or bottom-up, and both approaches have
their advantages and disadvantages (IRM 2012, p. 22).
The Institute of Risk Management (2012) has suggested a framework to understand
how risk culture might work in practice. Their A-B-C framework is based on the three
pillars attitudes, behaviour, and culture, which are described as follows:
• Risk attitude is how an individual’s or a group’s position towards risk taking is
characterised. It might be influenced by risk perception and character traits. Examples
are risk-averse or risk-seeking attitudes.
• Risk behaviour includes all risk-management based actions that can be observed; in
other words, the “doing” of risk management activities. Examples include decision-
making, processes, and communications.
• Risk culture includes all values and beliefs that the risk community shares in order to
work towards a common purpose (p. 22).
An interesting characteristic of this model is that all three elements are integrated into
a feedback loop, which means that culture is dynamic. Culture is formed by repeated
behaviour and influences the attitudes of its members. Culture also impacts behaviour
through a set of values and beliefs. In this respect, culture is part of different cycles that
can have either reinforcing or diminishing effects (IRM 2012, p. 22). In summary, it can
be clearly stated that the implementation of risk culture in a company is a challenging
journey that takes time. It requires value recognition, dedicated commitment towards
ERM, and persistent management that keeps its focus over years and beyond (Adamson 2013).
Generally speaking, risk culture influences ERM, and vice versa. Embedding ERM
as an integral part of a company so that it matters in decision-making processes is a
great challenge. The highest hurdle to surmount is probably the people themselves.
Every human being is unique and brings their own attitudes and perceptions of risk
into the company, which ultimately form the risk culture of the whole organisation.
Having said that, risk culture inevitably influences the ERM mechanisms and processes,
but in turn, ERM and its processes also affect the risk culture (IRM 2012, p. 16).
Crossan et al. (2013) similarly suggest that risk culture does not evolve independently, as
it is always linked to the ERM processes and structures (p. 2).
Thus, risk policies, ERM structures and processes need to be well defined in order to
support a positive risk culture. This interdependency between ERM and risk culture
was empirically tested by Sheedy and Griffin (2018), who sought to explain the
relationship between risk culture and ERM structures with the ultimate goal of enhancing
risk behaviour in financial institutions. Their results confirm that ERM structures,
such as trainings, incentive systems, and clear ERM frameworks, help to strengthen
a positive risk culture, and vice versa (pp. 15–20). Finally, it can be concluded that
there is a strong relationship between risk culture and the set-up of ERM in every
company. However, research on the interplay of risk culture and ERM effectiveness is
still scarce. Thus, it is no surprise that, due to the complexity of these topics, risk
culture benchmarking tools are barely available.
4.4.3 Increase Risk Culture Maturity Level
The understanding of the “soft side” (risk culture) of ERM is probably at least as
important as the hard side (ERM process and structures). The financial crisis was one
of the triggers for the topic of risk culture to resurface; the financial industry in particular
was pressured to understand, measure, and improve risk culture. So far, as we have
learned, risk culture is still a vague concept that lacks a clear definition and an accepted
conceptualisation (Müller 2018, p. 29). The main reason is that many risk professionals,
managers and employees consider risk culture an unmeasurable objective, or perceive
it as very difficult to capture compared to other hard facts (Lam 2017, p. 116; Davidson
et al. 2012, p. 12). However, it would be very helpful to have a benchmarking tool that
enables a quantitative measurement of risk culture in order to identify weaknesses and
to follow up on them (Hopkin 2017, p. 295). So far, companies struggle to capture their
own risk culture appropriately. For these reasons, it is not surprising that benchmarking
tools to assess risk culture remain scarce. However, some approaches have been
developed and published by consulting and audit firms, as briefly presented in the
following (see Müller 2018, pp. 30–31).
McKinsey developed a risk culture diagnostic tool that helps to measure risk culture
and simultaneously supports the identification of the causes behind a failing risk
culture. The tool follows an empirically tested approach and is based on defined core
elements of a company’s risk culture: risk transparency, risk acknowledgement, risk
responsiveness, and risk respect. It is an analytical approach that measures and profiles
risk culture. It can be used for benchmarking against other companies or to improve a
company’s own risk culture. The concrete measurement methodology itself is not
publicly available (Levy et al. 2010, p. 7).
Another tool is provided by PwC. Their Risk Culture Survey (RCS) is a web-based
diagnostic tool that assesses the effectiveness of a company’s ERM culture. Their
assessment approach differentiates between four areas. Leadership and strategy
assesses integrity and ethical values as well as the communicated mission and objectives.
Accountability and reinforcement measures components such as the assignment of
authorities and responsibilities as well as human resource policies and performance
measurement. People and communication assesses the commitment to competence as
well as information and communication channels. Risk management and infrastructure
assesses ERM practices and tools as well as the established processes and controls. As
with McKinsey, the assessment methodology behind the survey is not publicly available
(Smith and Kagan 2012, pp. 1–3).
Deloitte developed another tool called the Risk Culture Framework. Their framework
is based on four main pillars: risk competence, organisation, motivation and relationship.
It assesses the collective competence within the company and analyses the organisational
structure and its prevailing corporate values. Deloitte also assesses the way people
manage risks, including the incentive system behind it. In addition, they evaluate how
people interact and communicate with each other (Deloitte 2012, p. 3). Finally, there is
the Model of a Sound Risk Culture developed by Ernst & Young (2015). It defines four
attributes of a sound culture: leadership, organisation, risk framework, and incentives.
The goal is to measure whether the right tone from the top is communicated throughout
the company, whether management establishes an environment that supports ERM,
whether the right risks are taken, and whether appropriate incentives are provided. These
four elements are connected with so-called behavioural outcomes, i.e. tangible attributes
are linked to intangible behavioural elements. Examples of behavioural outcomes are
lead and influence, analyse and interpret, responsible and accountable, collaborative,
ethical and compliant, communicative, adaptable, and advocate. The model aims to
support companies in creating a sustainable risk culture including strong control
mechanisms (pp. 4–6).
Do these risk culture frameworks support companies in assessing their current risk
culture maturity level? Do they support companies in identifying strengths and
weaknesses? Do they recommend concrete steps to improve risk culture? Unfortunately,
this is only partially the case in reality. To sum up, all these risk culture frameworks
attempt to conceptualise risk culture by attributing very different key elements to it.
However, none of these models reveals a detailed description of the components or the
assessment method behind them (Müller 2018, p. 30). In addition, only very little research
has been undertaken on the theoretical background and the validation of these models
(Wendler 2012, p. 1324). In particular, these tools lack a clear assessment methodology
and a sound theoretical basis, and an integrated view of the relevant elements is often
missing (Frick et al. 2013, p. 274). Moreover, they cannot directly be used as maturity
models that allow a comprehensive assessment of the current stage of risk culture.
Generally speaking, a literature review reveals that risk culture maturity models have not
yet been addressed by risk professionals and academics.
In the following, a first promising approach to comprehensively measuring risk culture
by means of a maturity model is presented. It has been developed by Müller (2018) and
is based on an extant literature review and on different case studies within Swiss
companies. It allows companies to assess their risk culture maturity based on a percentage
grade for each component. The advantage of this approach is that it does not calculate
an average value over all components, which could dilute specific weaknesses. It
thus stresses the assessment of every single component rather than presenting an overall
maturity level.
An excerpt of the risk culture maturity model is presented in Table 4.3. The five maturity
levels of each component have been elaborated based on the consideration of a worst
case scenario (expressed as strongly negative) and a best case scenario (expressed as
strongly positive). For simplicity, only the strongly negative, the neutral and the strongly
positive maturity levels are fully described.
Clearly, it needs to be highlighted that many aspects of risk culture overlap and do not
always have clear boundaries. To provide an example, a positive knowledge sharing
experience in a subunit (business area) is in most cases related to a collaborative
environment, and thus collaboration is rated highly. As another example, trainings offered
and promoted to employees inevitably influence awareness throughout the company,
and vice versa. Some components are strongly interlinked with each other and can have a
reinforcing impact on others. To summarise, Table 4.3 shows how multi-faceted risk
culture is. Companies may consider this maturity model a sound basis for challenging
their own risk culture, keeping in mind that it is not yet fully empirically tested and may
be incomplete.
Table 4.3 Risk culture maturity model (Müller 2018, pp. 50–52). For each component, the
three fully described maturity levels are given: Strongly Negative (0%), Neutral (50%) and
Strongly Positive (100%).

Tone at the Top
• Strongly Negative (0%): There is no or a negative tone at the top perceptible with regard
to ERM. ERM is considered a regulatory requirement (see regulatory risk management
approach).
• Neutral (50%): The tone at the top is neutral. Management sees the value of ERM beyond
the regulatory requirements. However, the commitment and positive attitude towards ERM
is only visible occasionally and insufficiently.
• Strongly Positive (100%): The tone at the top is excellent. Employees perceive a strong
commitment and a very positive attitude towards ERM that is regularly visible for
employees. Top management is personally convinced and demonstrates the value added.
ERM is constantly anchored in the management agenda.

Tone in the Middle
• Strongly Negative (0%): There is no or a negative tone in the middle perceptible with
regard to risk management. ERM is seen as a regulatory requirement.
• Neutral (50%): The tone in the middle is neutral. The importance of ERM is perceived
beyond regulatory requirements, but is not communicated as a high priority topic. The
commitment and positive attitude towards ERM is visible occasionally.
• Strongly Positive (100%): The tone in the middle is excellent. Risk management is a top
priority on the leadership agenda. Middle management commits itself highly to ERM and
a very positive attitude is spread all over the organisation. Employees perceive strong
role models.

Upside Potential Awareness
• Strongly Negative (0%): Risk is defined as the potential of loss (downside risk focus).
• Neutral (50%): Upside potential is frequently taken into account and raised by the
employees. Opportunities are not recognised equally in all parts of the organisation.
• Strongly Positive (100%): The value of ERM, including downside and upside risk
scenarios, is highly recognised. Opportunities are an integral part of the key components
on all levels of the organisation.

Decision Integration
• Strongly Negative (0%): There is no link between ERM and decision making. Business
plans are elaborated without any ERM input and vice versa. Strategic decisions lack the
rational input that ERM could provide.
• Neutral (50%): ERM is partially linked to decisions made by management. Business plans
frequently contain input from the ERM process and vice versa. ERM is not one of the
primary sources for decision making. Management processes are aligned with ERM
processes.
• Strongly Positive (100%): There is a strong link between the ERM process and decision
making, whereby both parts influence each other and timelines are aligned. Management
actively seeks out risk information in order to make decisions. Decisions are balanced
between rationality and intuition.

Strategic Direction
• Strongly Negative (0%): There is no strategy to implement ERM. ERM, if implemented at
all, is done unconsciously. There is no direction (risk policy) provided from a strategic
point of view.
• Neutral (50%): There are some strategic directions on how to implement ERM. However,
they allow for different interpretations in the risk community and prevent an effective
implementation of ERM. ERM practices are partly aligned between the units.
• Strongly Positive (100%): There is a strong and clearly articulated strategy available on
how ERM shall be embedded in the company (adequate risk policy available). There is
clear direction given that enables aligned ERM.

Challenging Status Quo
• Strongly Negative (0%): Reported risks are neither critically reviewed nor challenged by
management or the ERM team.
• Neutral (50%): Reported risks are occasionally, but not systematically, critically
reviewed and challenged by management or the ERM functions.
• Strongly Positive (100%): Reported risks are constantly and critically reviewed. Risks are
challenged throughout all functions, which enables high quality ERM.

ERM Awareness
• Strongly Negative (0%): Most of the employees are not familiar with ERM and
consequently do not apply it.
• Neutral (50%): About half of the employees are familiar with and know about ERM
practices. Application depends on the area or business unit and is limited. Very few ERM
campaigns are in place.
• Strongly Positive (100%): Employees at all levels know about ERM practices and are
highly knowledgeable. Regular ERM campaigns are launched to ensure sustainable risk
awareness. Modern ERM practices are applied in all parts of the company.

Motivation
• Strongly Negative (0%): Employees do not understand the value of ERM and show no
motivation to do so. ERM is seen as a necessary evil.
• Neutral (50%): About half of the employees understand the true value of ERM and spread
motivation across the risk community. It is quite frequently an integral part of their
mindset.
• Strongly Positive (100%): Employees throughout the company see risk management as a
value adding activity. They are highly motivated to carry out ERM tasks and have fully
embedded ERM in their mindset.

Execution
• Strongly Negative (0%): ERM is not actively managed in large parts of the company.
• Neutral (50%): ERM is adopted frequently in the company. It is sometimes reactively and
sometimes proactively managed. Sometimes risk deliverables have certain quality issues
and need to be reworked.
• Strongly Positive (100%): ERM is widely adopted in all parts of the company and risks
are always proactively managed. ERM is seen as an integral part of daily work. The
quality of risk deliverables and risk outcomes is state-of-the-art.

Transparency & Trust
• Strongly Negative (0%): Employees fear to disclose risk information and consequently
refrain from it. There is neither transparency nor open discussion about ERM. Mistakes
lead to finger pointing. There are many signs of a highly distrustful environment.
• Neutral (50%): The openness and transparency of risk information is highly dependent
on the environment. Whereas a majority of employees is willing to share information,
others are reluctant. Mistakes are rarely handled with finger pointing. There are signs
of a trustful environment.
• Strongly Positive (100%): A highly encouraging environment exists that allows risks to
be discussed openly and transparently. Employees are highly willing to share risk
information in a timely manner. Mistakes are fully accepted and perceived as an
opportunity to learn. There are signs of a very trustful environment.

Collaboration and Interaction
• Strongly Negative (0%): There is no collaboration in the risk community. There is a
clear expression of unwillingness to interact and communicate between different
functions.
• Neutral (50%): There is some collaboration in the risk community, but not on a regular
basis. The different functions interact frequently with each other and communicate
accordingly.
• Strongly Positive (100%): There is excellent collaboration between the teams. This is
perceived as inspiring and well-functioning. There is active and constructive
communication.

Knowledge Sharing
• Strongly Negative (0%): Employees do not share knowledge or best practices, nor do they
engage in workshops of the risk community.
• Neutral (50%): Employees show interest in knowledge and best practice sharing. However,
they see a strong need to improve knowledge sharing. Employees engage from time to time
in ERM workshops and knowledge exchange.
• Strongly Positive (100%): Employees strongly engage in knowledge and best practice
sharing. They actively take part in ERM workshops and are highly involved in networking
activities. There is a high variety of platforms available to support knowledge exchange.

Feedback
• Strongly Negative (0%): There is no feedback culture in place and employees are not
interested in collecting any feedback from their environment.
• Neutral (50%): There is a feedback culture in place. Feedback is collected regularly in
order to improve processes. It happens either actively or unconsciously.
• Strongly Positive (100%): The feedback culture of the organisation is very strong.
Feedback is often used and actively collected in order to continuously improve
processes. There are various feedback methods in place that allow for feedback in
different directions.

Process Definition
• Strongly Negative (0%): There are no policies and guidelines available and no
organisational set-up is defined.
• Neutral (50%): Written, individual or global policies, guidelines, and/or organisational
structures are available in a majority of units/subunits.
• Strongly Positive (100%): Comprehensive documentation is available (including policies,
guidelines, organisational set-up). Mechanisms are well defined and consistent
throughout all levels of the organisation.

Tool Support
• Strongly Negative (0%): No ERM tools are available.
• Neutral (50%): There are some tools available which are partly standardised. Employees
perceive the tools as rather complex and only partly helpful.
• Strongly Positive (100%): There are different tools for different purposes available
which are standardised to an optimal degree. They are perceived as highly user-friendly
and helpful. These tools provide ad hoc information which can be used as a basis for
decision-making.

Responsibility & Accountability
• Strongly Negative (0%): Neither are roles and responsibilities defined and understood,
nor do employees feel accountable in their role.
• Neutral (50%): About half of the employees understand their role and responsibilities.
They mostly feel accountable for their assigned tasks.
• Strongly Positive (100%): Roles and responsibilities are fully understood across all
functions and in every unit. Employees feel highly accountable for the tasks they
inherently carry out.

Key Roles
• Strongly Negative (0%): Key roles are completely missing within the ERM organisation.
ERM is not represented at top management level.
• Neutral (50%): Key roles across the company are defined and in place, but most of the
ERM functions are done as sideline jobs. ERM is adequately represented at board level.
• Strongly Positive (100%): Key roles across the whole organisation are defined. ERM
consists of dedicated risk managers and ERM is strongly represented at the board level.

Incentive System
• Strongly Negative (0%): ERM is completely decoupled from the incentive system.
• Neutral (50%): ERM is partially integrated in incentive systems. ERM functions have ERM
goals defined as part of their yearly performance review. Some of them are defined on a
regular basis, others only on special occasions.
• Strongly Positive (100%): ERM is a fully integrated part of the incentive system of all
ERM functions. ERM goals recur at every performance review. People not only get rewarded
for desired behaviour, but are also sanctioned for bad behaviour.

Training & Learning
• Strongly Negative (0%): There are no ERM trainings available. Employees feel absolutely
insecure and see a strong need for ERM trainings.
• Neutral (50%): There are different ERM trainings available that address different
stakeholders’ needs. Trainings are perceived as helpful, even if they are not entirely
up-to-date anymore. Accessibility is limited. Employees see a need for ERM trainings to
increase their knowledge.
• Strongly Positive (100%): There is a high variety of different ERM trainings that address
the needs of all different kinds of stakeholders. They are perceived as extremely helpful.
Trainings are constantly updated in terms of technology or content. Trainings can be
easily accessed throughout the company. Employees continuously seek self-development.

4.5 Organise ERM Properly
How ERM is organised plays an important role and should be adequately taken into
account. Ultimately, all the principles and concepts of ERM must be embedded in the
company. In the following, the company goals, organisational options, roles and
responsibilities are considered. As previously mentioned, the ERM organisation cannot
be fully defined at the very start of an ERM project. It evolves over time and is adapted
selectively according to the experiences with the ERM process during implementation.
Of course, the ERM organisation must be aligned with the company-wide objectives of
organisational management. With respect to the paradigm “structure follows strategy”,
ERM organisation includes the development of an adequate risk culture at all
hierarchical levels which is in line with the corporate strategy.
An adequate ERM organisation supports the effective execution of the ERM process,
i.e. the identification of all key risks at all hierarchical levels and enterprise-wide as
well as the coordination of all process steps and the incorporation of risk information in
decision-making processes in a timely manner (see similarly Diederichs 2013, pp. 183–
184). ERM organisation thus defines the hierarchical structure, reporting standards and
the allocation of responsibilities and roles of ERM to individuals, groups or commit-
tees (Segal 2011, p. 297). Based on these objectives, various questions concerning ERM
organisation need to be clarified. Are the tasks of the ERM to be performed centrally or
decentrally? Which functions and competences are to be assigned to ERM? Should ERM
be integrated or separated in order to fulfil its task as effectively and efficiently as pos-
sible? And at which hierarchical level should the ERM be established? The following
sections address these questions.
4.5.1 Does a Best-Practice ERM Organisation Exist?
Diederichs (2013) has intensively dealt with the question of how ERM can be organ-
ised within the company. In the following, some of his important considerations will be
addressed and set in the context of this textbook. As we learned in this textbook, ERM
should be integrated into decision-making processes. Thus, risks must be assessed at the
time decisions are taken. Managers at different hierarchical levels within the company
can basically better assess risk exposures associated with their area of responsibility than
a centralised ERM in the company could ever do. Taking this into account, it is recom-
mended to consider every decision-maker (usually many people in a company) as a risk
manager. Allocation of risk management tasks where decisions are taken is an argument
for a rather decentralised ERM organisation. Management can usually react faster to new
risks or weaknesses in risk mitigation in a decentralised ERM structure. Nevertheless,
a fully decentralised ERM organisation also has its disadvantages.
For example, decision-makers at lower hierarchical levels usually only recognise
(or are interested in) risk exposures in their area of responsibility which might be very
narrow. Enterprise-wide risks and risk interdependencies within different departments,
business units or divisions can hardly be identified by “local” managers. This inevitably
prevents an enterprise-wide view on risks and rewards and overall ERM coordination is
very limited. In addition, pure decentralised ERM can lead to inefficient overlaps and
serious blind spots. A central ERM function is of course less familiar with the individual
strategies, processes and structures across the company than people close to these risk
areas are. This can mean that risks are not identified at all, or only too late. However, a central
ERM function is ideal to coordinate the overall ERM process and can support business
by providing the ERM techniques and mitigation options. Thus, an ideal ERM organisa-
tion must consist of a mix between decentralised and centralised structures (Diederichs
2013, pp. 136–137).
Another question arises whether ERM should be integrated into business or sepa-
rated from business as a dedicated line function. Thus, ERM can be organised within
or outside the existing structures. The separation of ERM from the primary organisa-
tional structure reinforces the high relevance of ERM and assures its implementation.
Moreover, the establishment of a specific ERM function can provide more specialised
ERM know-how. Another major advantage is that ERM can monitor high-risk decisions
independently from business. However, this isolation of ERM is also associated with the
challenge of information asymmetries between business and ERM. If ERM is geared
more towards risk mitigation instead of supporting decision-making, conflicts and addi-
tional costs are to be expected due to the different incentives between ERM (risk mitiga-
tion) and business (value creation) (see similar Wehrhahn 2013, pp. 42–43).
Since we stress the importance of integrating ERM into decision-making and busi-
ness planning, pure separation of ERM from business is not realistic. Thus it seems more
adequate to have ERM tasks performed by existing organisational structures to exploit
synergies between business and risk decisions. Decision-makers usually have more rele-
vant risk information available than a separate ERM function. ERM can support decision-
makers with more rational risk information as ERM is about balancing intuition with
rationality. In order to foster a positive risk culture, it is important to assign risk responsi-
bilities where decisions are taken (see similar Wehrhahn 2013, pp. 42–43).
Again, we can conclude that a balanced mix between ERM separation and integration
of ERM tasks into business is ideal. One question remains: At what hierarchical level
should the specific ERM function (i.e. the risk manager) be established? The answer in
that case is quite clear. As ERM is by definition a strategic management task, it needs
to be established at management level. Otherwise, its impact on strategic decisions and
business planning might be very limited or indeed negligible. However, in practice, very
often the risk manager is not a member of the management team. This inevitably prevents
ERM from being effective and value-creating. Additionally, there is a need for “local” risk
managers at business unit level or divisional level as strategic goals are executed and
implemented in operational units.
We should clarify at this point that the ERM organisation depends not only on the
ERM process, roles, competencies and responsibilities themselves, but primarily on the
existing organisational structure. It is important to integrate ERM into existing structures
rather than create new ones. Unfortunately, there is no such thing as a generally valid ERM
integration model, as effective ERM organisation is dependent on the corresponding
business model and its associated business processes.
4.5.2 ERM Organisation Options
The options from which a company can choose to organise ERM are primarily deter-
mined by the above fundamental considerations and are of course dependent on the size and
complexity of the company, its operations, risk exposures and existing management sys-
tems (Merna and Al-Thani 2005). Figure 4.1 depicts some basic organisation options for
ERM which are briefly explained in the following.
Small companies often have a particularly clear or simple structure and are managed
transparently. In this situation, a simple ERM process integrated into the management
structure can be adequate. As small companies are characterised by very flat hierarchies,
ERM responsibility is assigned to management because it already deals with corporate
management. No separate ERM function is available and no additional ERM structures
need to be created. In such companies, ERM may be seen as fully integrated into corpo-
rate management and as such, into decision-making processes. In essence, smaller com-
panies suffer less than larger ones from the problem that ERM is often separated and
isolated from business. In contrast, in larger companies, ERM is organised in a more
complex way. These companies usually also have ERM structures that are independent from
business (Exner-Merkelt et al. 2012). Although ultimate responsibility of ERM resides with
Board and management, it can be delegated to dedicated risk managers.
As already discussed, ERM purely organised as a staff unit is not ideal. Staff units
usually directly report to management. Although this approach is simple and relieves
the pressure from management and enables a higher degree of ERM specialisation and
coordination, this often leads to a very low acceptance of ERM. Usually, communication
is complicated and information asymmetries may arise due to the split of risk manage-
ment and decision-makers. The heavy dependency of the risk manager on management,
the trend towards formalization and bureaucratization of communication by staff units,
as well as the complexity of such staff hierarchies are further weaknesses of this ERM
organisation approach (Hunziker and Meissner 2017, pp. 34–35).
Another option is to establish ERM as a pure line function. ERM directly reports to
a business unit or division. Very often, ERM is the responsibility of the finance
department because of the wrong assumption that most of the key risks are financial
risks or risks are wrongly categorised as financial risks (see Sect. 3.3.1). ERM as a line
function provides clarity and unambiguity regarding tasks, responsibilities and compe-
tences. ERM understood this way still represents a silo-risk management approach from
which we have been trying to get away for years. Silo risk management is diametrically
opposed to the modern ERM approach which takes a strong enterprise-wide view on risks.
Thus, modern ERM cannot be organised purely as a line function approach (Hunziker
and Meissner 2017, p. 35). ERM in Swiss companies is primarily understood as the task
of line management. Companies are increasingly applying risk guidelines that define the
members of senior management as “risk owners” for certain risks. In larger companies
that have implemented large ERM systems similar to those established by financial insti-
tutions, risks are typically reported upwards from the regional or site level (bottom-up
approach) and then consolidated at group level, where they are sometimes filtered and/or
complemented by additional risks (top-down approach) (OECD 2014, p. 78).
Fig. 4.1 ERM organisation options. (Hunziker and Meissner 2017, p. 33)
The third approach suggests an ERM matrix organisation which relieves the pres-
sure from management, promotes direct communication channels, enables adequate
ERM coordination and makes ERM specialization possible. In line with modern ERM,
it triggers productive conflicts and challenges that make cross-departmental (enterprise-
wide) thinking and teamwork possible. However, ERM as a matrix organisation com-
prises structural risks that may cause organisational failure due to possible regulatory
gaps and the challenges of extensive ERM coordination. Conflicts and contradictions are
part of daily business and the competencies of individual bodies and roles often have to
be revised and are ultimately never coherent. As a result, the matrix organisation is the
most information-intensive and “slowest” ERM structure (Hunziker and Meissner 2017,
pp. 35–36).
Last but not least, ERM can be organised by means of an ERM committee at man-
agement level that enables an enterprise-wide coordination of all major ERM decisions
and actions. The committee is part of the secondary organisational structure, is estab-
lished across hierarchies and is characterised by the fact that it combines the advantages
of centralised and decentralised organisational aspects (Hunziker and Meissner 2017,
p. 36). An ERM committee consists of people who have different experiences and know-
how and who can provide an enterprise-wide view on risks, such as head of business
units, head of legal and compliance, chief financial officer, risk manager, head of strate-
gic planning.
It is assumed that a central ERM committee can better identify risk interdependen-
cies and enables coordinated decisions on risk mitigation measures. Due to its coordi-
nation abilities and broad support, decisions of an ERM committee are generally better
accepted (Segal 2011, pp. 324–325). Usually, ERM committees support business units
in ERM process steps, prepare decisions by providing alternative risk-reward scenarios
to the management, develop and coordinate risk mitigation measures and monitor ERM
quality. Moreover, ERM committees prepare risk appetite statements. The risk manager
usually chairs the committee meetings. Clearly, ultimate decisions on risk appetite and
risk policy in general reside with the Board. However, ERM committees can make rec-
ommendations on these topics.
Many of the larger Swiss companies have set up one or more ERM committees at
management level. These committees can either focus on specific risks such as health,
safety and the environment or discuss a broader range of risks in the same committee.
Some companies have formed interdisciplinary teams to manage risks, and in the largest
companies, some of the ERM committees may have different subcommittees that reflect
the global reach of their activities (OECD 2014, pp. 79–80).
An ERM committee usually consists of subject matter experts from different divisions or business
units. This means that key risk scenarios and their impact resulting from a risk occurring should
be much better founded and complete than risk assessments of individual, possibly unre-
lated employees or managers. It can often be observed in practice that employees overestimate
the impacts of a risk on their own area of responsibility, while the consequences for other busi-
ness areas are underestimated or not perceived at all (Montagne et al. 2015, pp. 26–27). An ERM
committee thus provides a more enterprise-wide view on key risks taking into account different
perspectives.
A well composed ERM committee is an ideal organisation form in larger companies to
give ERM its necessary weight and combines the advantages of centralised and decen-
tralised ERM structures. It provides the best possible support for modern ERM require-
ments and enables risks to be assessed company-wide at different hierarchical levels. It
serves as an interface between management (decision-makers) and the risk management
function (risk manager, CRO) and enables decentralised implementation of decisions on
risk taking and risk mitigation made in the ERM committee. As an ERM committee con-
sists of members of the primary organisation, it does not burden the organisation with
additional functions and structures.
4.5.3 Some Thoughts on Roles and Responsibilities
Roles and responsibility of ERM can differ across companies. One aspect holds true for
all companies: Ultimate responsibility for ERM lies with the board of directors (Hopkin
2017, p. 264). According to Swiss law, for example, ERM is one of the “non-transfer-
able and irrevocable tasks” of the board (CO, Art. 716a): “[…] in the end, the Board
of Directors alone decides and bears the responsibility” in its function as the highest
authority. The board of directors is tasked with appointing an executive board to manage
the business, but reserves the right to make the most important decisions, such as strate-
gic decisions, the formulation of important corporate goals and the allocation of major
resources. These decisions are based, among other things, on the Board’s perception of
integrity and ethical values. With regard to ERM, the board of directors has to make
sure that
• ERM is effectively implemented by management
• it defines risk appetite statements appropriately
• it reviews the business portfolio with regard to risk and reward taking into considera-
tion the risk appetite statements
• it fully understands the key risks and that these key risks are managed appropriately.
The CEO has ultimate responsibility for ERM implementation within the company. He
or she is responsible for ensuring that all ERM components are in place. The CEO will
usually form an ERM organisation suitable for the company. This includes, for example,
the following functions:
• The ERM committee coordinates enterprise-wide all major ERM decisions and
actions, prepares risk policy documents, supports the Board with risk-reward informa-
tion, suggests a risk policy and risk appetite statements.
• The line management sets risk priorities for its area of responsibility. It gathers and
updates the corresponding key risks together with the risk manager and monitors
individual risks. It prepares and sends risk reports to the risk manager (Hopkin 2017,
p. 264).
• The risk manager plays the coordinator role in a company but does not manage the
risks itself, which is often misunderstood in practice. A risk manager provides a tool
set and supports the operative units in the management of their risks. A risk manager
observes risks and provides the risk owners with proposals of how to deal with them
(Romeike 2018, p. 47; Hunziker and Meissner 2017, pp. 37–39).
• The risk owner is responsible for the risks in his or her area of responsibility. Risk
owners identify, manage and monitor risks in accordance with the risk mitigation
decisions of the ERM committee. Important information provided by the risk owner is
included in risk reporting (Hunziker and Meissner 2017, pp. 37–39).
• The risk manager (CRO) is responsible for the coordination of the overall ERM and
defines the different ERM processes. The risk manager is part of the ERM committee
and provides the necessary risk management techniques. He or she supports risk own-
ers in identifying and assessing risks.
At this point, the roles and responsibilities of a risk manager (CRO) and a risk owner are
examined in more detail, as they are both very crucial for effective ERM. As mentioned,
the risk manager represents a central risk function. While maintaining and coordinating
the ERM process in the company, his or her tasks range from the conception, implemen-
tation to the monitoring and adjustment of all ERM processes. Necessary resources and
competencies are crucial to successfully perform these tasks (see similar Segal 2011,
pp. 319–320). Checks and balances, as promoted by the Sarbanes-Oxley Act, are par-
ticularly important in larger companies. A risk manager reporting directly to the chair-
man of the board or the head of an ERM committee independent of the reporting line
to the CEO should be able to perform his or her duties in a similar manner as internal
audit. The duties of the risk manager focus on implementing and maintaining effective
ERM processes. Risk management (as adopting risk mitigation measures) on the other
hand, should be carried out by the line management. If this is not the case, the very
fundamental governance principle of separation of functions would be violated (OECD
2014, p. 80).
Important skills a risk manager needs to fulfil
Apart from strong analytical and conceptual skills, an adequate understanding of business and eco-
nomic context and knowledge in the areas of ERM techniques, a risk manager needs the following,
even more important skills:
• Knowledge about cognitive and motivational biases and how these biases impact specific ERM
process steps. Specifically, this requires profound knowledge on debiasing strategies.
• A risk manager must have leadership experience; in particular, he or she must encourage
employees to share and pursue a value-creating ERM approach. The risk manager must also
be capable of selling an ERM programme to management and to the board. This also includes the
coordination of different stakeholders and interest groups across the company.
• As developing key risk scenarios is one of the most important steps in an ERM programme, a
risk manager needs to be “creative” in the sense of creating different optimistic and pessimistic
risk scenarios.
• As a risk manager needs to communicate appropriately to different stakeholders at all hierarchi-
cal levels (e.g. management, business units, board of directors, external parties), solid communi-
cation skills are key for a successful ERM (Segal 2011, pp. 320–321).
• In all, soft skills like being able to bridge the gap between the rather technical ERM language
and business language, communicating equally effectively with different professional groups and
being perceived as a service provider (rather than as an uncomfortable inquirer) are very crucial
and far more important than technical ERM skills.
Key Aspects to Remember
Know the legal and corporate governance requirements regarding ERM
The requirements for risk management vary from country to country. In Germany
and Switzerland, risk management can be regarded as mandatory, especially
because prudent corporate management also has to deal with risks. As the legal
basis remains relatively superficial, additional requirements have been included in
corporate governance codes to guide companies in the design of the ERM.
Know why the establishment of a risk culture is highly relevant
Neither statutory nor internal company regulations can prevent risks from mate-
rializing or excessive risks from being taken. Accordingly, it is important that the
company has a risk culture that is aligned with its mission and strategy. The devel-
opment of such a culture is a long-term project and requires continuous training
and communication. Effective ERM implementations are characterised by a uni-
form risk culture within the company.
Formulate a risk policy which is based on the principles of modern ERM
The risk policy describes all relevant aspects of the ERM in the company. This
includes the definition of objectives, responsibilities, the scope of the ERM, the
most important opportunities and risks of a company, etc. The very different per-
spectives and experiences of the board members often make it difficult to find a
consensus regarding risk policy. In addition, this consensus should largely reflect
a modern, value-creating ERM approach and not lead to a regulatory risk manage-
ment approach.
Organise ERM practices effectively and efficiently in the organisation
An effective ERM organisation depends not only on the ERM process, roles, com-
petencies and responsibilities themselves, but primarily on the existing organi-
sational structure. It is important to integrate ERM into existing structures rather
than create new ones. Unfortunately, there is no such thing as one generally best ERM
organisation, as it is dependent on the corresponding business model and its associ-
ated business processes.
Consider which standard for the ERM implementation in your organisation is
most effective
For the implementation of ERM, the standards of COSO and ISO have estab-
lished themselves in business practice. Which of these standards is to be preferred
for one’s own company must be decided situation-specifically. In principle, ISO
is more suitable in the SME environment, but can also make sense for large com-
panies with few business areas. Both guidelines stress the alignment with strategy
and business objectives and complement each other. They can be used thoughtfully
as starting points for ERM implementation.
Critical Thinking Questions
1. Corporate governance and ERM have several points of contact. Which aspects
should companies pay particular attention to when designing their ERM?
2. What principles must be observed when formulating a risk policy and what neg-
ative consequences can an inadequately thought-out risk policy have?
3. What measures can a company take to gradually create a risk culture that pro-
motes decision-making?
4. Which company-specific characteristics should be particularly taken into
account when selecting an adequate ERM organisation?
5. How can the limitations of ERM frameworks be meaningfully overcome and
what conclusions can organisations draw from them?
References
ABB (2015). Risikopolitik. Januar 2015. http://new.abb.com/ch/ueber-uns/nachhaltigkeit/unterneh-
menspolitik/risikopolitik. Accessed 1 September 2015.
Adamson, C. (2013). The importance of culture in driving behaviours of firms and how the FCA
will assess this. Financial Conduct Authority Speech at the CFA Society, April 2013. https://
www.fca.org.uk/news/speeches/importance-culture-driving-behaviours-firms-and-how-fca-will-
assess. Accessed 25 January 2019.
AktG—Aktiengesetz vom 6. September 1965 (BGBl. I S. 1089), das zuletzt durch Artikel 9 des
Gesetzes vom 17. Juli 2017 (BGBl. I S. 2446) geändert worden ist.
Andersen, T. J., & Winther Schrøder, P. (2010). Strategic risk management practice. How to deal
effectively with major corporate exposures. Cambridge: Cambridge University Press.
Blanco, C., Hinrichs, J., & Mark, R. (2014). Creating a risk culture framework. Energy Risk, Jul/
Aug, 29–32.
CO—Bundesgesetz betreffend die Ergänzung des Schweizerischen Zivilgesetzbuches (Fünfter
Teil: Obligationenrecht) vom 30. März 1911 (Stand am 1. April 2017).
Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2019). Welcome
to COSO. https://www.coso.org/Pages/default.aspx. Accessed 18 December 2018.
Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2017). Enterprise
Risk Management—Integrating with Strategy and Performance. Jersey City, NJ: AICPA.
Crossan, M. M., Mazutis, D., Seijts, G. H., & Gandz, J. (2013). Developing leadership character in
business programs. Academy of Management Learning & Education, 12 (2), 265–284.
Davidson, O., Mackenzie, P., Wilkinson, M., & Asselin-Miller, R. (2012). The Need to Build a
Strong Risk Culture is Growing Culture. Effective Diagnostics Support a Positive. https://www.
towerswatson.com/en-GB/Insights/Newsletters/Global/emphasis/2012/The-Need-to-Build-a-
Strong-Risk-Culture-Is-Growing. Accessed 18 December 2018.
DCGK (2017). German Corporate Governance Code. https://www.dcgk.de//files/dcgk/usercontent/
en/download/code/170214_Code.pdf. Accessed 28 November 2018.
DeLoach, J. (2015). The Importance of Risk Culture. http://www.corporatecomplianceinsights.
com/the-importance-of-risk-culture/. Accessed 18 December 2018.
Deloitte (2012). Cultivating a Risk Intelligent Culture. Understand, measure, strengthen, and
report. Luxembourg. https://www2.deloitte.com/content/dam/Deloitte/lu/Documents/risk/lu_
en_wp_riskintelligentculture_01082012.pdf. Accessed 18 December 2018.
Diederichs, M. (2013). Risikomanagement und Risikocontrolling (3rd Ed.). München: Vahlen.
Ernst & Young (2015). Risk culture. How can you create a sound risk culture? http://www.ey.com/
Publication/vwLUAssets/Risk_culture_-_How_can_you_create_a_sound_risk_culture/$FILE/
EY-risk-culture-model-brochure.pdf. Accessed 5 February 2018.
Exner-Merkelt, K., Denk, R., & Ruthner, R. (2012). Corporate Risk Management: Unternehmensweites
Risikomanagement als Führungsaufgabe. Linde Verlag GmbH.
Fox, C. (2018). Understanding the New ISO and COSO Updates. http://www.rmmagazine.
com/2018/06/01/understanding-the-new-iso-and-coso-updates/. Accessed 28 November 2018.
Fraser, J. R. S., & Simkins, B. J. (2016). The challenges of and solutions for implementing
enterprise risk management. Business Horizons, 59 (6), 689–698. https://doi.org/10.1016/j.
bushor.2016.06.007
Frick, N., Küttner, T. F., & Schuber, P. (2013). Assessment Methodology for a Maturity Model
for Interorganisational Systems—The Search for an Assessment Procedure. 46th Hawaii
International Conference on System Sciences.
Gleißner, W. (2008). Grundlagen des Risikomanagements im Unternehmen. München: Vahlen.
GmbHG—Gesetz betreffend die Gesellschaften mit beschränkter Haftung in der im
Bundesgesetzblatt Teil III, Gliederungsnummer 4123–1, veröffentlichten bereinigten Fassung,
das zuletzt durch Artikel 10 des Gesetzes vom 17. Juli 2017 (BGBl. I S. 2446) geändert worden
ist.
Guiso, L., Sapienza, P., & Zingales, L. (2015). The value of corporate culture. Journal of Financial
Economics, 117 (1), 60–76. https://doi.org/10.1016/j.jfineco.2014.05.010
Hartmann, W., & Romeike, F. (2015). Business Judgement Rule—Maßstab für die Prüfung von
Pflichtverletzungen. Zeitschrift für das gesamte Kreditwesen, 68 (5), 227–230.
Heidbrink, M., Jenewein, W., & Tannert, W. (2014). Unternehmenskultur als Differenzierungsfaktor.
Wie Unternehmen ihre Mitarbeiter zu Fans machen. Zeitschrift Führung + Organisation, 83 (1),
10–15.
Hopkin, P. (2017). Fundamentals of risk management. Understanding, evaluating and implement-
ing effective risk management (4th Ed.). London: Kogan Page.
Hunziker, S., & Meissner, J. O. (2017). Risikomanagement in 10 Schritten. Wiesbaden: Springer
Gabler.
Hunziker, S., Balmer, P., & Schellenberg C. (2016). Enterprise Risk Management Studie zum
Risikomanagement in Schweizer Unternehmen. Zug: SwissERM und IFZ—Hochschule
Luzern.
Hunziker, S., Fallegger, M., & Balmer, P. (2017). Risikokultur in KMU fördern. MQ Management
und Qualität, 46 (5), 22–23.
Huwyler, H. (2016). Comparing the ISO 31000 and the proposed COSO ERM. https://www.
linkedin.com/pulse/comparing-iso-31000-proposed-coso-erm-hernan-huwyler-mba-cpa.
Accessed 24 January 2019.
IRGC (2018). What is Risk Governance? https://irgc.org/risk-governance/what-is-risk-govern-
ance/. Accessed 17 December 2018.
Institute of Risk Management (IRM) (2018). Risk management standards. https://www.theirm.org/
knowledge-and-resources/risk-management-standards/. Accessed 11 December 2018.
Institute of Risk Management (IRM) (2012). Risk Culture. Resources for Practitioners. https://
www.iia.org.uk/media/329076/irm_risk_culture_-_resources_for_practitioners.pdf. Accessed
12 December 2018.
ISO (2018a). ISO 31000:2018—Risk management Guidelines. ISO, Geneva, Switzerland.
ISO (2018b). Risk management Guidelines. Online Browsing Platform (OBP). https://www.iso.
org/obp/ui#iso:std:iso:31000:ed-2:v1:en. Accessed 24 January 2019.
KonTraG—Gesetz zur Kontrolle und Transparenz im Unternehmensbereich v. 5.2.1998
(Bundestagsdrucksache 13/10038), Bundesgesetzblatt Nr. 24/1998.
Lam, J. (2017). Implementing Enterprise Risk Management. From Methods to Applications. New
Jersey: John Wiley & Sons.
Levy, C., Lamarre, E., & Twining, J. (2010). Taking control of organisational risk culture.
McKinsey Working Papers on Risk.
Merna, T., & Al-Thani, F. F. (2005). Corporate Risk Management: An Organisational Perspective.
John Wiley & Sons.
Montagne, E., Thomik, M., Derungs, M., & Lang, M. (2015). Intelligente Gruppenentscheidungen
im Risikomanagement. Risiko Manager, 20, 25–30.
Müller, M. (2018). Risk Culture at Roche » Development of a Risk Culture Measurement
Framework. Master Thesis, Lucerne University of Applied Sciences and Arts.
OECD (2014). Risk Management and Corporate Governance. Corporate Governance, OECD
Publishing. http://dx.doi.org/10.1787/9789264208636-en
Pan, Y., Siegel, S., & Wang, T. Y. (2017). Corporate Risk Culture. Journal of Financial and
Quantitative Analysis, 52 (6), 2327–2367. https://doi.org/10.1017/s0022109017000771
Ring, P. J., Bryce, C., McKinney, R., & Webb, R. (2015). Taking notice of risk culture—the regula-
tor’s approach. Journal of Risk Research, 19 (3), 364–387. https://doi.org/10.1080/13669877.2
014.983944
Risk Spotlight (2015). Similarities and differences between COSO ERM & ISO 31000. http://
riskspotlight.com/coso-iso31000. Accessed 28 November 2018.
Romeike, F. (2018). Risikomanagement. Wiesbaden: Springer Gabler.
Romeike, F., & Hager, F. (2013). Erfolgsfaktor Risikomanagement 3.0: Lessons learned,
Methoden, Checklisten und Implementierung (3rd Ed.). Wiesbaden: Springer.
Rüegg-Stürm, J., & Grand, S. (2017). Das St. Galler Management-Modell. Wissenschaftliche
Grundlagen und Praxisbeispiele. Bern: Haupt Verlag.
SCBPCG (2016). Swiss code of best practice for corporate governance. Economiesuisse, Verband
der Schweizer Unternehmen. https://www.economiesuisse.ch/sites/default/files/publications/
economiesuisse_swisscode_e_web.pdf. Accessed 28 November 2018.
Schein, E. H. (2010). Organizational Culture and Leadership. San Francisco: Jossey-Bass.
Segal, S. (2011). Corporate Value of Enterprise Risk Management: The Next Step in Business
Management. New Jersey: John Wiley & Sons, Inc.
Sheedy, E. A., & Griffin, B. (2018). Risk Governance, Structures, Culture, and Behavior: A View
from the Inside. Corporate Governance: An International Review, 26 (1), 4–22.
Smith, M., & Kagan, D. (2012). The Risk Culture Survey (RCS) from PricewaterhouseCoopers
(PWC). https://www.pwc.com/us/en/risk-culture/assets/pwc-rcs-2012-brochure.pdf. Accessed 5
February 2018.
Swiss Federal Finance Administration (2004). Risiko- und Versicherungspolitik. https://www.efv.
admin.ch/efv/de/home/themen/finanzpolitik_grundlagen/risiko_versicherungspolitik.html.
Accessed 24 January 2019.
Taylor, C. (2007). Is Managing Risk Culture a Part of ERM? The RMA Journal, 89 (5), 12–13.
Tomhave, B. (2015). The Strengths & Limitations of Risk Management Standards. https://www.
slideshare.net/tomhave/tog-baltimorejuly2015. Accessed 22 January 2019.
Tranchard, S. (2018). The new ISO 31000 keeps risk management simple. https://www.iso.org/
news/ref2263.html. Accessed 28 November 2018.
Vazquez, R. (2014). Five steps to a risk-savvy culture. Risk Management, 61 (9), 10–11.
von Werder, A. (2015). Führungsorganisation—Grundlagen der Corporate Governance, Spitzen-
und Leitungsorganisation (3rd Ed.) Wiesbaden: Springer Gabler.
Wehrhahn, D.-D. (2013). Risk Management. Hamburg: Bachelor & Master Publishing.
Wendler, R. (2012). The maturity of maturity model research: A systematic mapping study.
Journal Information and Software Technology, 54 (12), 1317–1339.
Wien, A., & Franzke, N. (2014). Unternehmenskultur. Zielorientierte Unternehmensethik als entsc-
heidender Erfolgsfaktor. Wiesbaden: Springer Gabler.
Wimmer, R., Meissner, J. O., & Wolf, P. (2014). Praktische Organisationswissenschaft: Lehrbuch
für Studium und Beruf. Heidelberg: Carl-Auer Systeme.
Winter, P. (2008). Risikomanagementstandards. Positionierung der ONR 4900x:2008 im welt-
weiten Vergleich. Netzwerk Risikomanagement Jahrestagung.
© Springer Fachmedien Wiesbaden GmbH, part of Springer Nature 2019
S. Hunziker, Enterprise Risk Management,
https://doi.org/10.1007/978-3-658-25357-8_5
5 Looking at Trends in ERM

Learning Objectives
When you have finished studying this chapter, you should be able to:
• identify the drivers of digitization and analyse their impact on ERM
• name key digital technologies and assess their opportunities and risks
• know possible data analytics methodologies and their application in ERM
• create an individual set of requirements for an ERM tool for your organisation
• recognise future skills and competences for risk management professionals
Contents
5.1 Emerging Digital Risks 210
5.1.1 Impact of Disruptive Technologies 210
5.1.2 Digital Risk Framework 214
5.2 Digitization of ERM 218
5.3 Using Multiple Sources of Data 220
5.4 Increasing Demand for Analytic Skill Sets 222
5.5 Increasingly Sophisticated Software Tools 225
5.6 Networked Economy and Collective ERM 227
5.7 Improving ERM Skills 228
References 233
210 5 Looking at Trends in ERM
5.1 Emerging Digital Risks
The current business environment is exciting in many ways. Numerous organisations are increasingly affected by the opportunities and risks of digitization, and the managers responsible are more challenged than ever. An active approach to the challenges posed by the environment appears essential if serious consequences are to be avoided in the future, because no decline in complexity or speed can be expected from an economic, political-social, regulatory or technological point of view. The digital revolution does not stop at the ERM function either.
Digitization offers great opportunities in many areas of business activity; this is now beyond question. An adequate approach to the associated risks, however, appears crucial, since every opportunity carries risk. To assume this responsibility, there must be awareness and knowledge of the risks of digitization. It is important to consider what impact new disruptive technologies such as distributed ledger technology (blockchain) or artificial intelligence (AI) can have on one's own field of business. Managers must ask themselves whether other market participants could use these technologies in such a way that their own company is driven out of the market (Hunziker et al. 2018, pp. 55–58).
5.1.1 Impact of Disruptive Technologies
While risk managers are not expected to know every technical detail of disruptive technologies such as AI, blockchain and the Internet of Things (IoT), they need to understand the full scope of opportunities and challenges these innovations present for the companies and markets they serve. Risk professionals are advised to educate themselves proactively about disruptive technologies, including what is already in use at their organisations, what technologies may be on the horizon, and the respective risks and rewards of using them.
In the following, some of the most important technologies that could be relevant for risk managers are introduced, and some of their opportunities, challenges and risks are briefly described. The statements are not exhaustive, but they depict some very important aspects from a business perspective (adapted from Ernst & Young 2017).
Firstly, robotic process automation (RPA) is the application of software that mimics human action and connects multiple systems through automation. The existing IT landscape is normally left unchanged. RPA enables organisations to automate existing high-volume and complex process steps as if business users were doing the work. It collects and interprets data across systems, triggers reactions and communicates with other systems inside or outside the organisation (e.g. fully automated client profile updates or straight-through processing of customer orders) (see Table 5.1). One practical consequence for access management: an RPA robot typically logs in with the same credentials and privileges as the users it replaces, so its accounts need the same joiner, mover and leaver controls as human accounts; Table 5.1 lists weak access management for robots as a key risk.
Secondly, the internet of things (IoT) is a system of interconnected computing devices, mechanical and digital machines, objects, animals or persons that are provided with unique identifiers and are capable of transmitting data over a network without requiring human-to-human or human-to-computer interaction (e.g. detecting the fill level of rubbish containers to optimise collection routes, or monitoring the availability of parking spaces in a city) (see Table 5.2).
Thirdly, cloud computing involves storing and delivering applications and data over the Internet rather than on local servers and PCs. There are three service models, which partly overlap and can be seen as three superimposed layers: infrastructure, platform and software. Infrastructure as a Service (IaaS): the cloud as a virtual data centre; as a rule, computers, networks and storage are consumed via IaaS. Platform as a Service (PaaS): the cloud as a development environment; with PaaS, users develop or test their own software applications in an environment provided by the cloud provider. Software as a Service (SaaS): the cloud as an application launcher; the most common form of cloud service offers specific applications at a fixed monthly price per user or licence (see Table 5.3). Which security controls the provider operates and which remain with the customer differs by layer: with IaaS the customer still patches and hardens the operating system, whereas with SaaS the customer is largely limited to configuring identities, access rights and data handling.
Fourthly, blockchain is a type of database known as a distributed ledger that works on a consensus basis. Whenever a participant submits a new block of data, the other participants (or a defined majority of them, depending on the consensus mechanism) must confirm that it is valid before it becomes part of the chain. The database has no central administrator. Each participant keeps a copy of the ledger, and the data is replicated and synchronised across all copies. Each block contains a cryptographic hash of its predecessor, so a change to any historical record invalidates every later block in that copy; replication across participants is what makes such a change detectable, because a tampered copy no longer matches the others (see Table 5.4).
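The hash-linking and replication just described can be demonstrated in a few lines. The following Python block is an added example written for this edition, not code from the original book or from any blockchain project: it builds a toy hash-linked ledger with a minimal proof-of-work, then shows that editing a historical record in one copy breaks that copy's hash chain, and that an attacker who re-mines every later block produces a copy that validates on its own but no longer matches the other participants' copies. The difficulty target, the transaction strings and the function names are assumptions chosen for the illustration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List

DIFFICULTY = 2           # leading hex zeros required per block (assumed toy value)
GENESIS_PREV = "0" * 64  # previous-hash value carried by the first block


def block_hash(index: int, prev_hash: str, data: str, nonce: int) -> str:
    """SHA-256 over the block's fields; including prev_hash is what links the chain."""
    payload = json.dumps([index, prev_hash, data, nonce], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


@dataclass
class Block:
    index: int
    prev_hash: str
    data: str
    nonce: int = 0
    hash: str = ""


def mine(block: Block) -> Block:
    """Search for a nonce whose hash meets the difficulty target (toy proof-of-work)."""
    block.nonce = 0
    while True:
        h = block_hash(block.index, block.prev_hash, block.data, block.nonce)
        if h.startswith("0" * DIFFICULTY):
            block.hash = h
            return block
        block.nonce += 1


def append(chain: List[Block], data: str) -> Block:
    prev = chain[-1].hash if chain else GENESIS_PREV
    block = mine(Block(index=len(chain), prev_hash=prev, data=data))
    chain.append(block)
    return block


def build_chain(entries: List[str]) -> List[Block]:
    chain: List[Block] = []
    for entry in entries:
        append(chain, entry)
    return chain


def is_valid(chain: List[Block]) -> bool:
    """A copy is valid only if every block hashes correctly, meets the target
    and carries the hash of its predecessor."""
    for i, block in enumerate(chain):
        expected_prev = chain[i - 1].hash if i > 0 else GENESIS_PREV
        if block.prev_hash != expected_prev:
            return False
        if block.hash != block_hash(block.index, block.prev_hash, block.data, block.nonce):
            return False
        if not block.hash.startswith("0" * DIFFICULTY):
            return False
    return True


def copy_chain(chain: List[Block]) -> List[Block]:
    return [Block(**asdict(b)) for b in chain]


def same_ledger(a: List[Block], b: List[Block]) -> bool:
    """Two copies agree when their block hashes agree; this is the check peers perform."""
    return [x.hash for x in a] == [x.hash for x in b]


def tamper(chain: List[Block], index: int, new_data: str) -> List[Block]:
    """Edit a historical record without re-mining: the stored hash no longer
    matches the contents, so validation of this copy fails."""
    forged = copy_chain(chain)
    forged[index].data = new_data
    return forged


def rewrite_history(chain: List[Block], index: int, new_data: str) -> List[Block]:
    """Edit a record and re-mine it plus every later block. The result validates
    in isolation, which is why validity alone is not enough."""
    forged = copy_chain(chain[:index])
    for block in chain[index:]:
        append(forged, new_data if block.index == index else block.data)
    return forged


def demo() -> Dict[str, bool]:
    # Constructed transaction records for the illustration (not real data).
    ledger = build_chain(["alice->bob:10", "bob->carol:4", "carol->alice:1"])
    peer_copy = copy_chain(ledger)  # what every other participant holds
    naive = tamper(ledger, 1, "bob->carol:400")
    rewritten = rewrite_history(ledger, 1, "bob->carol:400")
    return {
        "original_valid": is_valid(ledger),
        "naive_tamper_valid": is_valid(naive),
        "rewritten_valid": is_valid(rewritten),
        "rewritten_matches_peer": same_ledger(rewritten, peer_copy),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running demo() gives four outcomes: the original ledger validates, the naively edited copy fails validation, the re-mined copy validates, and the re-mined copy disagrees with the peer's copy. That last comparison is the part that consensus supplies in a real network; without other copies, "immutable" means only "expensive to rewrite", and the expense is set by the difficulty target and the number of blocks that follow the edited one.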
Table 5.1 Opportunities and risks of robotic process automation. (adapted from Ernst & Young 2017)
Benefits and opportunities:
• Non-invasive technology that helps to close the "gaps" between existing (information) systems
• Reliability (e.g. no sick days)
• Audit trail (fully maintained logs)
• Productivity (release of personnel resources)
• Accuracy (correct result, decision or calculation the first time)
Key challenges and risks:
• Lack of robotics governance can lead to ineffective and inefficient process automation
• Access management for robots (their accounts and privileges) is ineffectively managed
• Automation requirements that are not adequately or accurately identified and documented
• Implementation is not properly designed and tested
Table 5.2 Opportunities and risks of the internet of things. (adapted from Ernst & Young 2017)
Benefits and opportunities:
• Comfort in everyday life, efficiency and an overall improved consumer experience
• Real-time execution of transactions
• Supply chain optimization, quality control, asset management, remote control and predictive maintenance
Key challenges and risks:
• Since the sensors communicate with each other without human intervention, cyber security must be a major concern
• Partly unclear business benefits and lack of expertise
• Connectivity issues, including technologies, authorization and authentication
Fifthly, artificial intelligence (AI) is a field of computer science concerned with simulating intelligent behaviour in computers, i.e. with cognitive abilities that enable a machine to mimic intelligent human behaviour. Such systems are characterised by the fact that they interact in a way that seems "natural" to humans and learn from these interactions. Other terms used more or less synonymously are smart machines and cognitive computing.
Even today, so-called "weak" (narrow) AI applications perform specific tasks such as recognising text. Increasingly capable applications are expected to control autonomous vehicles, make more accurate weather forecasts, diagnose illnesses, conduct financial transactions or operate and monitor industrial machines. These are still narrow applications; "strong" AI in the sense of a general, human-level intelligence remains hypothetical. AI often occurs in conjunction with other new technologies, such as IoT, data analytics or blockchain (RiskNET 2018) (see Table 5.5).
Sixthly, big data refers to a set of technologies and architectures used to extract value from large amounts of diverse data generated at very high speed. This value or insight is then used to drive business decisions that can affect a company's bottom line. The data in question cannot readily be captured and managed by relational databases and is therefore not analysed by traditional analytics or business intelligence solutions (see Table 5.6).
Table 5.3 Opportunities and risks of cloud computing. (adapted from Ernst & Young 2017)
Benefits and opportunities:
• Increasing the effectiveness of IT initiatives
• Reducing the cost of internal operations
• Avoiding high initial investments
• Increasing operational flexibility
• Generating a competitive advantage
Key challenges and risks:
• The organisation's systems and those of the provider communicate with each other, which widens the attack surface (security concern)
• Reduced visibility and accountability for security controls and processes implemented by vendors
• Cloud users rely on their vendors' business continuity programmes and disaster recovery capabilities
• Vendors fail to meet performance requirements
Table 5.4 Opportunities and risks of blockchain. (adapted from Ernst & Young 2017)
Benefits and opportunities:
• Blockchain transactions can reduce settlement times from days to minutes
• Once confirmed, blockchain data is consistent across participants and difficult to alter retrospectively
• Changes to public blockchains are visible to all parties and create transparency; confirmed transactions are practically immutable as long as no single party controls the consensus
• Helps to reduce counterparty risk and can remove the need for third parties or intermediaries
Key challenges and risks:
• As a young, still developing technology, certain aspects may require further development
• Policy makers and regulators want to ensure that potential risks are adequately addressed
• Most blockchains have not yet been exposed to production-level testing or the pressure of a live environment
• New IT systems pose new cyber security risks, particularly a distributed IT architecture that spans multiple business functions or organisations; a blockchain protects the integrity of what was recorded, not the correctness of the data entered or the safekeeping of the keys used to sign transactions
Table 5.5 Opportunities and risks of artificial intelligence. (adapted from Ernst & Young 2017)
Benefits and opportunities:
• Reduces human error and increases precision and accuracy in performing tasks
• Improves risk management by identifying patterns in large data sets that indicate fraud or other concerns
• Intelligent machines can be used to perform certain dangerous tasks
• They can adjust their parameters, such as speed and time, and act quickly, regardless of factors that affect people
Key challenges and risks:
• Scenarios in which AI systems react unexpectedly to human instructions
• Programming and coding errors in the AI software, and bias introduced through the training data or the algorithm (algorithmic bias)
• Lack of training and inexperience in dealing with AI
• Cyberattacks on AI systems or AI algorithms (e.g. manipulated inputs or poisoned training data)
• Legal risks and liabilities (especially data governance)
Table 5.6 Opportunities and risks of big data. (adapted from Ernst & Young 2017)
Benefits and opportunities:
• Big data enables organisations to build a robust data set that covers all aspects of the customer from all angles
• Enables complex analysis and correlation between different types of data sets to provide a real-time view of operations, customer satisfaction, transactions and behaviour
• Large amounts of data make it possible to reduce risk, detect fraud and monitor cyber security in real time
Key challenges and risks:
• Analytics data is generated but not aggregated in a way that is valuable to management
• Business and internal audit management have difficulty identifying trends in data
• Searching for correlations without a hypothesis turns up correlations that have no causal basis
• Organisations lack the resources (software, know-how) to use advanced analytics
Cyber risks are not a technology in the narrower sense, but they are closely related to all of the technologies mentioned above. They have gained increased attention recently because more and more systems are connected, communicate with each other and can be operated independently of location. This means that a single intruder can cause great impact. Some important aspects of cyber risk are explained in the following.
Background Information
On the risk horizon, cyber risks and the associated risk assessment and mitigation methods, which go far beyond traditional risk management, are becoming increasingly important. Experts from the fields of information technology and cyber risk point out that organised crime on the darknet is much better connected than expected and is able to orchestrate agile, sophisticated and complex cyberattacks. In comparison, organisations are very inefficient in their defensive measures: because of hierarchical corporate structures and limited cooperation mechanisms within industries, the cost of highly automated cyberattacks is low and the criminal profits are very high.
In this context, it is particularly important that cyber risks are analysed in a sophisticated manner. For example, many highly complex systems such as geolocation satellites, ground stations, vehicle electronics, data networks and software components will communicate with each other in a highly automated traffic control centre for the control of autonomous automobiles. A cyberattack on only one of these system components can have a major impact on the resilience of the overall system and, consequently, on the lives of the users of connected cars. The same reasoning already applies today to air traffic management systems or smart grids (Romeike 2018, pp. 221–222).
5.1.2 Digital Risk Framework
The digital risk framework depicted in Fig. 5.1 was developed by the Lucerne University of Applied Sciences and Arts in cooperation with SwissERM. It is based on scientific and practice-oriented literature, in-house research and discussions with experts and many risk management professionals. The aim of the framework is to provide companies with a tool for risk identification in the area of digital transformation. In the following, the digital risk framework is briefly explained.
Core Elements of the Digital Risk Framework
As we know, a risk may have negative or positive impacts on business objectives and can influence strategy development and execution. The digital risk framework is based on the well-accepted premise that digital transformation generally includes upside potential (opportunities) when appropriately embedded in the company's strategies. Accepting this premise, the focus of the digital risk framework lies on the specific risks associated with digital transformation. They are explicitly presented in column form according to different risk categories (see Fig. 5.1). The following two examples illustrate the basic idea behind the framework:
[Fig. 5.1: the drivers of digitization (technological innovations, changing customer needs, increasing automation, stronger connectivity, simplified access to data, increasing data volume and sources) feed into the integration of strategy and performance; the risk categories financial, operational, compliance and customer form the pillars; Enterprise Risk Management/Governance forms the foundation.]
Fig. 5.1 Digital risk framework. (Hunziker et al. 2018, p. 5)
• The transfer of applications to the cloud enables organisations to use data that is always up to date, regardless of time or place. In this way, however, the company may also run the risk of becoming dependent on an external IT service provider.
• The use of data and knowledge about the customer and the services he or she uses opens up cross-selling potential for companies. Under certain circumstances, however, there is a risk that the data may fall into the wrong hands (risk source) and be used to the disadvantage of the customer. This can lead to a loss of reputation and possibly legal consequences for the company (impact).
In line with the suggestions of COSO (2017), the digital risk framework links the risks associated with digital transformation to the company's strategy. Moreover, the foundation of the framework comprises the ERM process and a well-established governance structure. ERM, of course, focuses on the identification, assessment and reporting of (digital) risks. Good governance covers topics such as risk culture, the establishment of a common understanding of values, and organisational aspects.
Drivers of Digitization
Digitization is characterised by technological innovations, changing customer needs, increasing automation, stronger connectivity, simplified access to data, and increasing data volumes and sources. These drivers are causing changes in the business environment. As a result, organisations must adapt to new circumstances and digitally transform their business model and value chain in order to compete with existing and new competitors. As part of this realignment, new technologies can significantly support businesses. This change process can have a positive impact on a company in terms of new opportunities (rewards) as well as a negative impact in terms of (downside) risks.
It is a challenge to look at individual drivers of digitization in isolation because they influence each other. For example, technological innovation creates the prerequisites for increasing automation, for stronger connectivity of people, systems and objects, and for increasing data volumes and sources. Conversely, changing customer needs drive the demand for more computing speed and larger memory capacities, i.e. for technological innovation. In addition, stronger connectivity allows the increasing automation of business processes. The following list gives examples of some important drivers that accelerate digital transformation (Hüther 2016, pp. 4–8; OECD 2015).
• Technological innovation. This is the progress that enables the establishment of digital offers and processes. The internet, broadband networks, mobile applications, IT services and hardware form the basis of the digital economy and are considered a growth and innovation engine. As already mentioned above, technological innovation in turn has a strong impact on the other influencing factors.
• Changing customer needs. The customer need is the basic requirement for a (potential) relationship between the company and the customer. Accordingly, companies align their services and products with customer needs. These needs are influenced by a variety of factors, such as availability or individualization and the resulting demand for innovative offerings. For example, orders are increasingly placed via online channels, independent of time and place, and are expected to be delivered quickly. Wherever possible, offers should be tailored to personal needs. In addition, there is an increasing need for transparent information.
• Increasing automation. Automation refers to the use of machines or technologies to carry out a process increasingly without human intervention (robotics). The learning ability of the systems (AI) plays an increasingly important role here, as they learn from the past and carry out processes independently. Examples can be found in the automatic exchange of data or in the control, regulation and monitoring of processes.
• Stronger connectivity. Technological developments simplify the connection and communication between systems. The combination of the resulting links can be called connectivity. In the production process, for example, infrastructure, plants and machines can be connected with each other and exchange data in real time. Similarly, digital networks between manufacturer and customer enable the control and optimization of services and products.
• Simplified access to data. Access to information has become much easier via the internet and related technologies. Today, a large amount of data is available electronically in various forms. Databases, statistics, books, journals, newspapers, learning content, etc. can be accessed online. This also includes more and more company information that can be collected via various channels.
• Increasing data volume and sources. The ease of recording data (text, photo, film, etc.) promotes the input of data from different sources and thus the amount of data available. For example, trips can be recorded via apps or on-board computers and the corresponding states (traffic, road condition, route selection, time expenditure) can be assessed on the basis of these data. Many other examples can be found in social media (Instagram, Twitter, Facebook, LinkedIn, Foursquare, etc.).
Risk Categories
The four risk categories financial risk, operational risk, compliance risk and customer risk form the supporting pillars of the digital risk framework and thus the link between the foundation (ERM process and governance) and the "strategic roof" of the framework. In this context, however, it is important that the risk categories are not assessed independently of strategic objectives and that risk interdependencies are taken into account as part of the holistic risk assessment. The four risk categories financial, operational, compliance and customer risk are drawn from the COSO ERM framework (2017, p. 85).
• Financial risks include, for example, unexpected changes in financial markets, prices and tariffs, liquidity supply and demand, or currency fluctuations.
• Operational risks are unexpected changes in connection with ongoing operations, such as personnel, technology, processes or catastrophes.
• Compliance risks comprise unexpected changes that arise, for example, from legal sanctions and reputational damage or from the violation of legal requirements.
• Customer risks include unexpected changes in customer needs, e.g. as a result of new technologies or social trends.
The analysis of digitization drivers and their influence on the digital transformation of companies, and thus on the risk landscape, is complex and multi-layered, as the following risk catalogue illustrates.
Risk Catalogue
The risks of digital transformation are defined along the four risk categories introduced in the digital risk framework. In addition to the extant literature, empirical studies and diverse subject matter experts have been used to derive the risk list presented in Table 5.7.
Table 5.7 Risk catalogue of digital transformation risks. (Hunziker et al. 2018, p. 5)
Financial risk:
• Loss of value of (crypto) currencies through automated trading
• Errors in automated payments
• Data loss/manipulation in the financial sector
• Incorrect creditworthiness analyses of new business models
• Low liquidity due to high IT investments
• Slow monetization of digital strategies/offers
• Outdated financial indicators for managing the business model
• Low profitability of the digitised business model
Operational risk:
• Dependence on external (IT) service providers
• Misinvestments in technologies and applications
• Loss of control due to automated business transactions
• Failure of the (IT) operational infrastructure
• Authorization and access problems due to new authentication methods
• Lack of digital competence among employees
• Internal resistance to digital innovation
• Insufficient data management and generally incomplete information
Compliance risk:
• Theft of intellectual property/sensitive data
• Violation of privacy laws and policies
• Disregard of special cases through automated processes
• Non-conformity with new regulations and requirements
• Increased risk of fraud through digital networking
• Theft/extortion of funds through cybercrime
• Unclear liability claims due to shared ownership
• Data manipulation by internal and external causes
Customer risk:
• Loss or unintentional disclosure of customer information
• Low willingness to pay due to high price transparency
• Competition from innovative organisations
• Reputation loss on social media channels
• Lack of digital interfaces to (potential) customers
• Loss of customers due to discontinuation of business segments
• Low customer loyalty due to increasing comparability of offers
• Inability to meet expectations of fast process and order handling
It should be noted that this list does not replace each company's own risk assessment, but may be used as a complement to it.
5.2 Digitization of ERM
The ERM methods and techniques relevant to most companies today were developed before the turn of the century. In fact, ERM is often not yet ready to deal adequately with risks in today's digital world. More importantly, if ERM is implemented as a stand-alone process (the regulatory risk management approach), it cannot support companies in facing the dynamic realities of the 21st century (see similarly DeLoach 2017). Digital risk management is a term that encompasses all digital approaches to increasing effectiveness and efficiency in order to take full advantage of the advances in digital, cloud, mobile and visualization technologies, specifically process automation, decision automation and digitalised monitoring and early warning (Ganguly et al. 2017).
The digital ERM approach leverages workflow automation, optical character recognition, advanced analysis (including machine learning and AI) and new data sources, as well as the use of robotics and interfaces. Digital risk management essentially means a concerted adaptation of processes, data, analysis and IT, as well as of the entire corporate structure including talent and culture (Ganguly et al. 2017). Deeper and more insightful risk information helps organisations with strategy development, performance management and decision-making processes (DeLoach 2017).
Providing a new technology platform is certainly not enough to address the digital ERM challenges. Such platforms must be equipped with configurations and data so that companies can use them immediately with adequate effort. Basically, three dimensions of change can be identified: processes, data, and organisation (McKinsey 2017):
• To realise the full advantage of process and decision automation, companies must ensure that systems, processes and behaviours are adapted to their purpose. In many companies, silos still exist, which is why risk assessment is often carried out in isolation. Current processes have typically evolved organically, without a clearly defined end state, so that process flows are not always rational and efficient. Operational structures must be redesigned before automation and decision support can be activated. Figure 5.2 shows which sub-processes of ERM are affected by digitization, and to what extent.
• Data, analytics and IT architecture are the most important prerequisites for digital ERM. Highly fragmented IT and data architectures cannot provide an efficient or effective framework for digital risk management. Therefore, a clear institutional commitment is needed to define a data vision, update risk data, establish robust data management, improve data quality and metadata, and build the right data architecture. Fortunately, today's processes and analytical techniques can support these goals with advanced technology in several key areas, including big data platforms, the cloud, machine learning, AI, and natural language processing.
• The business and operating model require new capabilities to drive rapid digitization. Although risk innovation takes place in a very specific, highly sensitive area, risk practitioners need to create a solid culture of innovation. This means deploying the right talent and fostering an innovative "test and learn" mentality. Governance processes must enable rapid responses to a rapidly changing technological and regulatory environment. The risk-adequate management of this innovation culture represents a central challenge for the digitised ERM function.
AI in the Risk Management Process
While AI is still under development, it can already be used to reduce risk in some key areas. For example, machine learning can support more informed predictions about the probability of a person or company defaulting on a loan or payment, and it can be used to build variable income forecasting models.
For many years, machine learning has successfully detected credit card fraud. Banks use systems trained on historical payment data to monitor payments for possible fraudulent activity and block suspicious transactions. Financial institutions also use automated systems to monitor their merchants by linking trade information with other behavioural information such as email traffic, calendar entries, office check-in and check-out times, and even phone calls.
AI-based analysis platforms can manage supplier risk by integrating a wide variety of information about suppliers, from their geographic and geopolitical environment to their financial risks, sustainability and corporate social responsibility scores. Finally, AI systems can be trained to detect, monitor, and defend against cyberattacks. They identify software with certain distinguishing features—for example, the tendency to consume a lot of computing power or to transfer a lot of data—and then stop the attack (Boillet 2018).
Most companies are planning to digitise their ERM relatively slowly and follow modular approaches for specific areas. A few have already undergone major change and made significant and sustained progress in terms of efficiency and effectiveness. A clear strategy needs to be developed that does not neglect corporate structures and corporate culture.
[Figure 5.2: a matrix of the ERM process steps (identification and classification of risks; analysis and evaluation of risks; aggregation of individual risks to overall risk exposures; derivation of risk mitigation measures; preparation of risk reports), each rated as hardly, moderately or lightly affected by digitization]
Fig. 5.2 Impact of digitization on ERM process steps. (Kirchberg and Müller 2016, p. 91)
5.2 Digitization of ERM
220 5 Looking at Trends in ERM
5.3 Using Multiple Sources of Data
For organisations and their risk managers, the modern definitions of the digital and interconnected world are big data, data analysis, predictive analytics and prescriptive analytics (Romeike 2017, p. 60). Companies such as Google and Amazon, which have large amounts of data at their disposal, measure the world, create personality profiles and search huge amounts of data for patterns and contexts at lightning speed to enable real-time predictions. The new methods of data analysis promise more targeted analyses and evaluations. Companies are also hoping for accurate forecasts of future developments, e.g. to minimise risks and better assess the opportunities for future action.
More and more people are using the internet, and they are constantly producing data via their mobile phones, fitness bands, smart watches, networked navigation devices and cars. Companies with extensive data analysis allegedly know many secret desires better than people do themselves. Data and algorithms can be used to anticipate potential events before they are even planned (e.g. the next purchase). Behind all these technologies are analytical methods from the world of quantitative ERM. For organisations and authorities, answers to questions about “where and why” are becoming increasingly important (Romeike 2018, p. 4).
An interconnected world with more data can lead to growth potential, but also entails more systemic risks. Because systems are interdependent, any event in this chain can spread rapidly. Automatisms and synergies reinforce the effects. Big data is a term that describes a large collection of different information sources, most of which are unstructured and sometimes generated as a by-product of other activities. The relevance of big data is increasing not only in business but also in risk management, which benefits from the advantages of such analyses. For example, the data associated with card payment history, or the news and rumours in the press or even in social media, can all be used to gain knowledge for ERM. More usable data enables ERM professionals to better understand risk, to monitor it continuously and to reduce business risks more effectively. For internal risks (e.g. bad debt losses or contractual penalties due to delivery delays), key figures (e.g. payment delays or safety stock fluctuations) are suitable; they can be aggregated with appropriate applications, continuously updated and displayed on risk dashboards. Deviations from defined target values trigger automated notifications and indicate an acute need for action (see similar Brooke 2018).
The following list shows selected applications of big data in risk and compliance management.
• Fraud detection: big data is used to feed machine learning algorithms that specialise in pattern detection. This is useful for detecting possible fraud, as a departure from business as usual can signal malicious activity. The data included in the analysis can be changed at will, such as the geolocation, the type of device used to connect to the account, or the amount transferred. The identity of the parties involved in the transactions is also a possible warning sign. The main advantage is that this type of fraud detection can trigger a warning through real-time processing and stop the operation until further authorization, thus minimizing the risks (Brooke 2018).
• Enhanced scenario analysis: before the emergence of big or smart data, scenario analyses and simulations were difficult to create and had inaccurate results. The ability to use large amounts of information increases the accuracy of the analyses and speeds up the decision-making process. The challenge at the moment is to find the perfect balance between the number and volume of simulations and speed limits. A well-known aid for this task is the Monte Carlo simulation already introduced in this textbook, which is supported by parallel computing over distributed systems. The result indicates the value-at-risk for a portfolio or the expected value, e.g. of sales, within a given time period (Brooke 2018).
• Develop new business models: the risk of new business models has so far been calculated both through audits and due diligence and through the evaluation of financial ratios. But these proxies do not tell the whole story, especially for new entrants. Thus, hardly any start-up company with an idea worth millions of dollars would qualify for financing. Here, too, big or smart data is faced with the task of redefining risk measures and creating new valuation approaches. Some organisations today use more than a thousand data points per application to measure creditworthiness, and they take much more than just credit history or income into account (Brooke 2018).
• Use the blockchain to validate applicants in advance: ERM is not carried out according to decades-old standards, but can be adapted to the situation. The introduction of blockchain technology, based on big data, can provide a way to track a person’s history to their point of entry into the network. This new way of capturing business can eliminate the need for current risk mitigation measures. A risk score could be automatically calculated for each event and assigned to each account. This could mean that an applicant for a loan or smart contract would not even have to reveal their identity, but could be pre-validated by the network (Brooke 2018).
The risks known so far for these applications are only a handful of the dangers that will arise as technology advances. Big data analysis should be able to identify cyberattacks in a similar way as it detects fraud, and have real-time mechanisms in place to prevent them. Since a machine learning model is usually a black box, correcting a biased model or its assumptions is more difficult than correcting a deterministic model, so proper testing and calibration should be an integral part of the model definition.
The maturity of data and technology in ERM provides an indication of how advanced the company is in this area. The three maturity levels in Table 5.8 illustrate this (Deloitte 2016).
It can be summarised that data generation is unprecedented—over 90 percent of the data currently available has been generated in the last five years. As the ability to manage and access this data has become better and cheaper, companies are exploring the use of multiple and novel data sources to gain greater insight (Oliver Wyman 2018, p. 6). ERM professionals are also faced with the task of recording these developments and translating them into concrete applications. Otherwise, there is a danger that other functions in the company will procure the data themselves or that risk analyses will not correspond to the facts.
5.4 Increasing Demand for Analytic Skill Sets
The data flood, complex regulatory structures, new technologies, new risks and the ever-increasing pressure for greater efficiency and lower costs pose a challenge to ERM professionals. Innovative technologies such as AI, RPA, big data and analytics, machine learning and blockchain are increasingly becoming part of the solution to both reduce costs and manage much larger and more diverse amounts of data. Using these technologies can reduce costs, but it also provides companies with more accuracy and control, more agility, and improved risk analysis and insight into these investments (Culp 2017).
The lack of the skills needed to adopt new technologies, which has always been an issue in ERM, remains a challenge, but with a different twist. There are experienced people with ERM skills and people with technical understanding in areas ranging from data science to AI. However, it is extremely difficult to find and/or develop people who combine these skills into one package. Companies are trying to strike the right balance between risk experience and disciplines on the one hand and a deep understanding of current digital, data and technology tools on the other (Culp 2017).
This makes it clear that risk managers must also develop their methodological skills. The focus should be on techniques and methods for identifying, extracting and preparing data for processing with analytical software and data visualization. An ERM professional should have the necessary skills to effectively organise and combine different data sources for analytical applications that address real business risks and challenges.
Table 5.8 Maturity of data and technology in ERM
Basic: Data is nonstandard with varying levels of quality, and key risk tools exist in silos across the organisation.
Mature: Automated technology solutions are used to store and analyse risk data. Risk data standards and a data quality policy are established.
Advanced: Automated and integrated technology is used to store, manage, and report real-time risk data. Risk flags are programmed, and data integrity checks are embedded in business processes.
Among other things, basic knowledge of data analytics must be acquired. The following list shows the four maturity levels in data analysis (Romeike 2017, pp. 60–61).
• Descriptive analytics deals with the question “what happened?”, i.e. an analysis of data from the past to understand potential effects on the present (see business intelligence).
• Diagnostic analytics deals with the question “why did something happen?”, i.e. an analysis of cause-effect relationships, interactions or consequences of events (see business analytics), using techniques such as drill-down, data discovery, data mining and correlations.
• Predictive analytics deals with the question “what will happen?”, i.e. an analysis of potential future scenarios and the generation of early warning information. Based on data mining technologies, statistical methods and operational research, the probabilities of future events are calculated, using techniques such as regression analysis, forecasting, multivariate statistics, pattern matching and predictive modelling.
• Prescriptive analytics deals with the question “how do we have to act in order for a future event (not) to occur?”, i.e. measures are simulated based on the results of predictive analytics, such as stochastic scenario analyses and sensitivity analyses, using techniques such as graph analysis, simulation, complex event processing, neural networks, heuristics, and machine learning.
The higher the maturity level of the data analysis, the more value is basically created for companies. Accordingly, the lower levels are more focused on information, while the higher levels are focused on optimization. The following example illustrates a company at a high maturity level of data analysis.
Swisscom: Comprehensive customer reporting
For organisations, customers are sometimes a black box whose characteristics and needs are largely unknown. In many organisations, different departments are busy collecting data and manually creating reports to learn more about their customers. At Swisscom, those responsible try to replace complex reports, which can only be carried out selectively, with an automatic real-time analysis. Predictive analytics is used to learn more about general customer behaviour. Instead of just accumulating individual properties, an overall picture should be created. The more information about customer needs is available, the better the specialist department can respond to customers and act accordingly. Swisscom always handles this data with care, as data protection always remains the top priority when dealing with customer data.
Swisscom uses predictive analytics at various levels: Carrier billing enables customers to pay for apps, digital services or products by mobile phone bill. In order to be able to make forecasts, it is necessary to find previously hidden relationships in the data records: Which customers use which services? Are 25-year-old Android users more reliable payers than 40-year-old iPhone users? Is there a correlation between the type of mobile phone subscription and the type of products purchased? The calculation model tries to give answers to many such questions. Depending on the result, more suitable products can be offered, discounts can be given on preferred services or a spending limit can be imposed on customers.
In order to provide answers to all questions, the data analysts used several dozen variables and searched for correlations between all these variables. These variables contain a variety of information, such as demographics, user behaviour, or previous transactions. Any employee can easily relate two variables to each other using an Excel spreadsheet. But it becomes more difficult with dozens or even hundreds of variables. This is precisely where the potential of automated models lies, which can uncover hidden relationships and undreamt-of correlations.
In order to understand the processes and find the complex correlations of all influencing factors, the data experts first searched exploratively, together with experts from the business, for possible variables with which the calculations could be carried out. They also had to find out which data sources were suitable and how the data could be used.
Accounts receivable defaults are also analysed. They are among the big unknowns at many organisations. Invoices for products that have already been delivered are not paid, as all mail-order organisations that offer payment by invoice find out. In order to keep the losses as low as possible, individual customers can be given an individual expenditure limit. But which customers should be subject to such a limit? Who pays late? Who doesn’t? After all, no loyal customers should be frightened away simply because of a single omission. For example, there are customers who regularly do not pay their bills until a few days after the payment deadline has expired. Although these customers do not adhere exactly to the rules, they are still reliable and should not be disgruntled with unnecessary reminders. This not only saves administrative effort and thus costs, but also improves the customer relationship in the long term. With the predictive analytics method, such cases can not only be evaluated more precisely, but also much faster and with less effort (Swisscom 2017).
Parallel to the data tsunami, there are increasing demands to understand and correctly interpret the underlying logics, laws and cause-effect relationships. Bits and bytes must be accompanied by the ability not only to evaluate but also to interpret the resulting data. And this is exactly where many experts fail in practice. The fact that a pattern exists presupposes that it was created in the past. This in turn does not necessarily mean that a conclusion based on this pattern is valid for the future.
ERM professionals and big data analysts alike often fall into the trap of not having the difference between correlation and causality on their radar, and consequently misinterpret information and draw the wrong conclusions. A mathematically calculated correlation between two variables—which can only measure linear dependencies—does not mean that the two variables are causally related. This is also referred to as a “spurious relationship” (Romeike 2017, p. 61).
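The spurious-relationship trap above, as an added example that is not part of the book: two constructed series share nothing but a common time trend yet show a Pearson correlation close to 1; differencing the series removes the illusion, and a perfect non-linear dependence (y = x²) shows a correlation of exactly 0 because Pearson correlation measures only linear dependence. All data and the interpretation of the series as "bad-debt losses" and "social-media followers" are constructed assumptions.

```python
import random


def pearson(xs, ys):
    """Sample Pearson correlation coefficient; it measures only linear dependence."""
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    sxx = sum((x - mean_x) ** 2 for x in xs)
    syy = sum((y - mean_y) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5


def differences(series):
    """Period-to-period changes; a standard way to strip a common trend."""
    return [later - earlier for earlier, later in zip(series, series[1:])]


def trending_series(n, slope, seed):
    """Constructed series: a deterministic linear trend plus independent Gaussian noise."""
    rng = random.Random(seed)
    return [slope * t + rng.gauss(0.0, 1.0) for t in range(n)]


def spurious_relationship_demo(n=400):
    """Return the three correlations discussed in the text, computed on constructed data."""
    # Two quantities that both grow over time but are generated independently
    # (hypothetical labels: monthly bad-debt losses and social-media followers).
    losses = trending_series(n, slope=0.5, seed=1)
    followers = trending_series(n, slope=0.8, seed=2)

    # A perfect but non-linear relationship: y = x**2 on a symmetric grid.
    xs = [x / 10.0 for x in range(-30, 31)]
    squares = [x * x for x in xs]

    return {
        # high: the shared trend dominates both series
        "levels": pearson(losses, followers),
        # near zero: the period-to-period changes are independent
        "changes": pearson(differences(losses), differences(followers)),
        # zero: Pearson correlation cannot see the quadratic dependence at all
        "nonlinear": pearson(xs, squares),
    }


if __name__ == "__main__":
    for name, value in spurious_relationship_demo().items():
        print(f"{name:>10}: {value:+.3f}")
```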
5.5 Increasingly Sophisticated Software Tools
In the long term, only those companies will be successful that manage their risks efficiently and weigh up earnings and risks when making decisions. ERM software can support strategic corporate management in this if it meets the necessary requirements (Gleißner and Romeike 2005, p. 155). In principle, the software must provide applications for the entire ERM process. This includes, for example, the identification of risks for the company, for which information must be collected and stored. An ERM solution should act as a central data repository. Furthermore, a risk taxonomy (e.g. definitions, classifications, categories and data links or relationships) can be developed and embedded in the solution to enable uniform risk assessments and analyses throughout the company. Finally, effective ERM requires a comprehensive view of different risk types and their impact on each other and in their entirety (RIMS 2009, p. 3).
By using adequate ERM software, several weaknesses that occur during the implementation of ERM in practice can be avoided. These include, for example (adapted from Gleißner and Romeike 2005, p. 155):
• a missing or incomplete risk database
• no risk-relevant information for the different hierarchy levels
• redundant and inconsistent data acquisition
• lack of an overview of aggregated risk exposures related to business objectives
• unclear information and communication processes
• delayed or unfounded decision-making
As ERM is an important information function within the company, a great deal of relevant data is already available in various specialist areas. This means that re-entering data into systems would be inefficient if the data were already available in related systems. Therefore, ERM solutions should be used for integrated data storage so that information can be moved or pulled across the company (RIMS 2009, p. 3).
ERM software available on the market today differs widely in the scope of the functionality it offers, as well as in its analytical capabilities and reporting capabilities. In addition to comparatively simple Excel add-ons, there are complex simulation tools that can be purchased as extensions to the ERP system. Methodologically mature solutions offer methods such as what-if analyses, simulations, risk aggregation, forecasting procedures, mapping cause-effect relationships, data mining tools or advanced analytics, e.g. in the form of neural networks. Some products have integrated management cockpits with drill-down functions that are specifically tailored to the needs of decision-makers (Gleißner and Romeike 2005, p. 159).
The selection of the ERM solution must always be based on the needs of the company. In order to support modern ERM, the requirements listed in the following box should also be considered from a business, methodological and technical point of view (adapted from Gleißner and Romeike 2005, p. 161).
Business and Methodological Requirements for ERM software solutions
• Availability of checklists to complement the key risks list
• Preparation of a “risk database” to store all risks, not only key risks
• Prioritization of risks using clever filters (e.g. according to impact)
• Assignment of a risk owner responsible for assessing and monitoring risks
• Assignment of the most important policies—especially for risk reporting and risk monitoring
• Recording of all significant risk mitigation measures (e.g. also all insurance policies)
• Assignment of risk management measures to each risk, describing the possibilities for reducing or transferring that risk
• Possibility to link ERM with business planning or controlling
• Allowing quantitative risk scenario development
• Allowing correction for correlations of risks (correlation adjustment factors)
• Simulation of several risks affecting business objectives simultaneously (MC simulation)
• Linking risk exposures to performance measures (e.g. company value, cash flow, EBIT)
• Assignment of early warning indicators to each risk, which indicate a critical development at an early stage
• If relevant: calculation of equity requirements, necessary liquidity reserves and risk-adjusted cost of capital rates
• Offer linking the tool to a variety of other data sources
• Offer integration with strategic planning
• Possibilities for the analysis of large data sets for the identification of risks and anomalies
• Extension or integrated functionalities for advanced analytics, data visualizations and trend analysis
• Functionalities to support (risk-oriented) corporate planning and company valuation
• Possibilities for creating risk dashboards, linked to business objectives
• Possibility to present risks and opportunities related to business objectives in a meaningful way (no risk maps, rather tornado diagrams, bar charts and risk distribution charts)
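The Monte Carlo aggregation named in the enhanced-scenario-analysis item of Sect. 5.3 and in the requirements above (simulation of several risks simultaneously, with a correlation adjustment), as an added example that is not part of the book or of any ERM product: three constructed risks, each with an annual occurrence probability and a lognormal severity, are coupled through a Gaussian copula and aggregated into an overall annual loss distribution, from which the expected loss and the value-at-risk are read off. The risk names, probabilities, severities and the correlation matrix are constructed assumptions.

```python
import math
import random

# Constructed individual risks: annual occurrence probability p, median severity
# (in currency units) and the log-standard-deviation sigma of a lognormal severity.
RISKS = [
    {"name": "supplier default", "p": 0.10, "median": 2_000_000, "sigma": 0.5},
    {"name": "cyber incident", "p": 0.20, "median": 1_000_000, "sigma": 0.8},
    {"name": "contractual penalty", "p": 0.30, "median": 500_000, "sigma": 0.4},
]

# Constructed correlation between the *occurrence* of the risks (the "correlation
# adjustment factors" of the requirement list); must be symmetric positive definite.
CORR = [
    [1.0, 0.3, 0.6],
    [0.3, 1.0, 0.3],
    [0.6, 0.3, 1.0],
]
IDENTITY = [[1.0 if i == j else 0.0 for j in range(3)] for i in range(3)]


def cholesky(a):
    """Lower-triangular L with L * L^T == a; used to turn independent normals into correlated ones."""
    n = len(a)
    l = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            s = sum(l[i][k] * l[j][k] for k in range(j))
            if i == j:
                l[i][j] = math.sqrt(a[i][i] - s)
            else:
                l[i][j] = (a[i][j] - s) / l[j][j]
    return l


def norm_cdf(x):
    """Standard normal CDF, used to map a correlated normal to a uniform (Gaussian copula)."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def simulate(risks, corr, n_sims=50_000, seed=1):
    """Aggregate individual risks to an annual loss distribution by Monte Carlo.

    Risk i occurs in a simulated year when its copula uniform falls below p_i; the
    severity is then drawn from its lognormal. Returns expected loss and VaR 95/99.
    """
    rng = random.Random(seed)
    l = cholesky(corr)
    losses = []
    for _ in range(n_sims):
        z = [rng.gauss(0.0, 1.0) for _ in risks]
        total = 0.0
        for i, risk in enumerate(risks):
            z_i = sum(l[i][j] * z[j] for j in range(i + 1))   # correlated normal
            if norm_cdf(z_i) < risk["p"]:                        # the risk materialises
                total += rng.lognormvariate(math.log(risk["median"]), risk["sigma"])
        losses.append(total)
    losses.sort()
    return {
        "expected_loss": sum(losses) / n_sims,
        "var95": losses[int(0.95 * n_sims) - 1],
        "var99": losses[int(0.99 * n_sims) - 1],
    }


def analytic_expected_loss(risks):
    """Closed form for the mean: sum of p_i * E[severity_i], with E[lognormal] = median * exp(sigma^2 / 2)."""
    return sum(r["p"] * r["median"] * math.exp(r["sigma"] ** 2 / 2) for r in risks)


if __name__ == "__main__":
    print(f"analytic expected loss : {analytic_expected_loss(RISKS):>14,.0f}")
    for label, corr in (("independent", IDENTITY), ("correlated", CORR)):
        r = simulate(RISKS, corr)
        print(f"{label:<12} E[loss] {r['expected_loss']:>12,.0f}  "
              f"VaR95 {r['var95']:>12,.0f}  VaR99 {r['var99']:>12,.0f}")
```

The expected loss is the same with and without the correlation adjustment (it depends only on the marginals), while the tail measures are what the correlation changes; this is why the text insists on simulating the risks simultaneously rather than adding them up.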
Buying software is not as easy as buying a bar of chocolate. It requires that companies have a thorough understanding of the features and benefits of the software. In short, companies need to know if the functionality offered meets the needs of their business.
Participants in an RIMS survey were asked to list the specific capabilities or characteristics of ERM technology that would help improve the maturity of ERM programmes. Responses varied, but the most commonly cited capabilities were dashboards, analytical tools, and automated risk monitoring. Other notable responses included risk maps (unfortunately!), risk registers, and survey and tuning tools. These responses reinforce the need for immediate and accurate information for risk practitioners. The results also show which technology solutions would be most widely used if available: risk prioritization tools, analysis software, predictive models and simulation. So, based on the survey data, the ideal ERM technology solution would include the following features (RIMS 2011, p. 9):
• Web-enabled “single source of truth”
• View of risks at multiple levels
• Automated risk input
• Auto reporting and calculations across the collected data
• Ability to set and calculate risk tolerance levels or triggers
• Project management capabilities
• Import/export capabilities in order to expedite the sharing of risk information and actions
• End-to-end tracking of risks as they are identified through their eventual resolution
• Common and consistent approach, traceability of accountability, ownership and actions
Potential buyers and users of ERM technology should develop a clear understanding of what they are trying to achieve before they start looking at the available technologies. They should understand their current and intended ERM maturity levels (see Sect. 3.6.2) before looking for tools to support their business objectives. There seems to be considerable scope for the use of multiple technology tools in the ERM process, and it is unlikely that a single set of tools will meet all requirements. The decision to purchase a technology tool should include a cost-benefit analysis of the tool. Direct and indirect costs for the tool can be very far-reaching, but without a clear return on investment (ROI) it can be unwise to continue with the purchase of tools (RIMS 2011, p. 9).
5.6 Networked Economy and Collective ERM
Today more than ever, companies and people are connected with each other and operating as networked ecosystems. The modern enterprise produces and captures more data and business results, with people communicating more of this information more frequently through a variety of new communication platforms. Put simply, we all produce and share more knowledge at the workplace than at any other time. It is this culture of constant communication that risk managers should use to develop ERM solutions and strategies. A greater proportion of people in the workplace are now able to share experiences and results that can contribute to the development of ERM controls, contingency plans and mitigation plans (see similar Cammsrisk 2017).
As a result, they also share more risks. Increasingly, they are managing risk in a manner that reflects this new reality—transforming their risk processes through more open, collaborative approaches that rise to the challenges of a networked economy and working to identify, manage, and reduce risk together. But this new reality will also bring new challenges. Thus, companies should be prepared to take advantage of an increasingly networked business environment to identify, manage and report risks (Cammsrisk 2017). Table 5.9 illustrates some basic challenges and opportunities associated with collective ERM.
Companies might also form alliances with risk experts, researchers and scientists
to keep abreast of the latest threats and mitigation approaches, and consider forming
industry-wide partnerships and consortia (Deloitte 2016).
5.7 Improving ERM Skills
ERM, as we still know it today, will change in the future. The composition of the risk function will be less characterised by quantification techniques than by innovative and strategically thinking business partners, because many risk reports (as learned previously), which are mainly based on historical data and usually arrive too late at the desk of decision-makers, will (hopefully) disappear more and more. There will be an increased relevance and impact of non-financial risks, whilst risk profiles will change. Accordingly, ERM skills will enlarge. Future risk companies must be visionary and able to create added value (i.e. a positive ROI). This can only be achieved by building an effective risk culture across the organisation and by establishing a new mindset. The future CRO will probably still report directly to the board (Simon 2016), but he or she will also need skills that we have not attached too much importance to so far. The composition of ERM jobs and required skills will definitely shift.
One of the key challenges for risk managers is to be engaged as a trustworthy business partner. For the transition towards the new digital and agile world, ERM should reinvent itself by deepening existing skills whilst acquiring new skills for a highly digitised, innovative and agile company (McKinsey 2017). Some of these skills can be learned, others are intrinsic. Companies have different options to build or acquire the skills they need for the future, e.g. learning, recruitment, reallocation or partnerships (Dowdalls 2018).
Table 5.9 Opportunities and challenges of collective ERM. (Deloitte 2016)
What are the opportunities?
• Use collaborative practices such as gamified crowdsourcing to reduce ERM costs and improve its effectiveness
• Form alliances with risk experts, researchers and scientists to keep abreast of the latest threats and mitigation approaches
• Take an ecosystem-based approach to ERM by forming industry-wide partnerships and consortia
What are potential challenges?
• Possible follow-up costs, regulatory measures and damage to reputation if sensitive information is passed on via partners or data exchange portals
• The results can be manipulated if bad actors deliberately enter inaccurate data to distort the models
Learning/Recruitment: More focus on non-financial risks and a holistic ERM approach is required
The training of ERM professionals often focuses on financial risks. Accordingly, many certifications are offered in this area (e.g. financial risk manager, quantitative modelling, etc.). However, the previous explanations have shown that non-financial risks from the strategic and operational areas have a high relevance. Accordingly, there is often a know-how and experience gap in dealing with these risks (Segal 2011, p. 31).
In general, it can be observed that most courses in the fields of financial management, corporate finance, valuation etc. teach either no risk management or only financial risk management. This is illustrated by the analysis of the accompanying textbooks, which describe a strongly quantitative risk management approach. Similarly, in courses on strategic management and analysis, frequently only analysis instruments such as Porter’s 5 Forces, SWOT or PESTEL are taught. A holistic ERM approach in the sense of opportunity and risk management is thus often neglected.
If ERM is part of the curriculum, a basis is laid, but integration into other relevant subjects is often neglected. ERM is characterised by the fact that it is an interdisciplinary subject, and the relevant links to accounting, strategic management, financial management etc. must be pointed out. Aspects of psychology (cognitive and motivational biases) and change management should also be linked to ERM.
The future role of the ERM professional can be determined by dividing the role into a number of dimensions. The focus will continue to be on fundamental ERM activities such as governance, risk analysis and risk reporting. Important developments can be identified around this. Each of these developments, in turn, requires a shift in the required skills of the ERM professional (see Table 5.10).
The role of the future ERM professional must be translated into the necessary skills (Dowdalls 2018). Surprisingly, many of these skills can be observed in people playing online games. Gamers are used to large, complex, social systems that are constantly changing. Games must be able to attract and hold the attention of their players, because they are always new. This is very similar to the change we are seeing in many companies today. The pace and intensity of change in all companies are constantly increasing, and so is the risk exposure (Simon 2016).
Many of the character traits needed for success in the future of risk management are
in the gamers and these traits will help them to thrive as ERM professionals. Research
done by Thomas and Brown (2011) highlights these five key character traits of gamers.
1. Focus on the bottom line: In the games that these online players are playing, each player is constantly being measured and assessed. Each player is ranked and compared to other players using systems of rankings, points, and titles (Simon 2016). This trend makes it clear that risk management will have to concentrate more on strategic opportunities and risks. After all, these opportunities and risks ultimately determine the success or failure of a company (IRM 2017, p. 5).
2. Diversity is good. Gamers realise that they cannot do everything themselves. To be
successful in a game, players often have to form strong teams. The teams that are
most successful are those that consist of a strong mix of skills and talents (Simon
2016). This principle can be illustrated, for example, by risk identification. As a rule,
people with different experiences and skills will identify the opportunities and risks of
a company more comprehensively. The same applies to further steps. A balanced risk
assessment, for example, can only be achieved by discussing different views.

Table 5.10 Role of the risk manager of the future and the associated business value. (Dowdalls 2018)

| Dimension | Role of risk managers of the future (examples) | Business value (examples) |
|---|---|---|
| ERM foundation | The risk managers of the future have a good understanding of business and a high organisational sensitivity. They proactively question the company, ensure that it operates within its risk tolerance and are the gatekeepers of the principles and standards of risk management | An effective balance between value creation and value objectives, while protecting reputation and maintaining the organisation's risk appetite by avoiding unnecessary risks and surprises |
| Strategic direction of the company | The risk managers of the future anticipate the effects of the strategic orientation, translate them into improvements in guidelines, procedures and techniques and anchor them in daily practice. They are driven by curiosity to understand the most important developments in the business world | Enable the company to develop and manage its systems, products and regulatory functions effectively and efficiently within risk appetite, while avoiding unnecessary cost growth as the company grows further |
| New ways of working | The risk managers of the future will work seamlessly with the company and feel comfortable in the rapidly changing business environment. They advise the company on the design and implementation of effective control environments using the principles of control-by-design and compliance-by-design | Increasing the pace of sustainable innovation through timely and effective identification and mitigation of potential risks and issues that allow faster decision making |
| Digitization and automation | The risk managers of the future are familiar with systems, data and disruptive technologies and keep abreast of trends in information technology and data sciences to ensure that they can challenge and advise the company on pitfalls, risks and problems | Leverage data exploration and modelling insights that enable management to make better and faster decisions based on reliable data |
| Increasing regulatory pressure and need for trust | The risk managers of the future are strong representatives of the 2nd line of defence who work closely with business, law and compliance to understand the impact of legal and regulatory requirements on business and protect the bank from unacceptable risks | Compliance with regulatory and industry standards for risk management, reducing the likelihood of fines and regulatory intervention |

3. Change is good. Gamers thrive on constant change. The worlds in which they play are
changing unexpectedly and nothing is constant. Even their own actions transform the
world in which they play. Gamers are used to these massive changes and even demand
them (Simon 2016). Organisations, too, are facing ever faster change. Accordingly,
risk managers have to familiarise themselves with new circumstances. They have to
get used to the fact that assumptions and decisions are constantly questioned and a
high degree of flexibility is required (IRM 2017, p. 4).
4. Learning is seen as fun in games. The games in which the players participate con-
sist of complex challenges that have to be mastered as quickly as possible. These
challenges make the game so enjoyable. The discovery of the tools needed and the
creation of the knowledge required to overcome challenges is what makes problem
solving an entertaining activity (Simon 2016). Risk managers have to adjust to the
fact that routine tasks are becoming fewer and fewer. Rather, the future will be about
meeting challenges with creative approaches. For example, new approaches to risk
sharing may become more important in the context of ERM.
5. Innovation is a lifestyle. Gamers are ready to develop new ideas and solutions to
take a step forward. Even if the solution to a problem is known, gamers are willing
to look for new solutions that solve the problem faster or with even fewer resources
(Simon 2016). Innovative ideas will also be in high demand in risk management. New
business models will create opportunities and risks that were previously unknown
(McKinsey 2017). It is also becoming increasingly important to use resources in risk
management as efficiently as possible. By taking a proactive role in promoting busi-
ness change and opportunity, risk managers will benefit the company and improve
their profile within the company (IRM 2017, p. 5).
In addition to this list, which is based on the abilities of gamers, there are many other
categorizations (see e.g. Segal 2011). In this context, it is important that companies
define the future function of their ERM department. Based on this, it can be determined
which skills are required.
Key Aspects to Remember
Identify the drivers of digitization and analyse the impact for ERM
Drivers such as technological innovations, changing customer needs, increasing
automation, stronger networking, simplified access to data, and increasing data
volumes and sources characterise digitization. These factors in turn cause changes
in the business environment to which companies must adapt. They may need to
digitally change their business model and value chain to compete with existing and
new competitors.
Name key digital technologies and assess their opportunities and risks
Risk managers do not need to know every detail and every technical aspect of a
new technology. However, they need to understand the full range of opportunities
and challenges these innovations present to businesses and markets. The opportu-
nities and risks of the following technologies are in focus: Robotic process auto-
mation, internet of things, cloud computing, blockchain, artificial intelligence and
big data.
Know possible data analytics methodologies and their application in ERM
A risk management professional should have the skills necessary to effectively
organise and combine multiple data sources for analytical applications to address
real business risks and challenges. Among other things, knowledge in data analysis
must be acquired. This includes basic knowledge of descriptive analytics, diagnos-
tic analytics, predictive analytics and prescriptive analytics.
Create an individual set of requirements for an ERM tool for your
organisation
The selection of the ERM solution must always be geared to the needs of the com-
pany. In order to support modern ERM, the requirements should be considered
from a business, methodological and technical point of view. In particular, depend-
encies on source systems and interfaces, e.g. to the ERM system, must be specifi-
cally analysed.
Recognise future skills and competences for ERM professionals
The future role of ERM professionals can be determined by dividing the role
into several dimensions. The focus continues to be on basic ERM activities such
as governance, risk analysis and risk reporting. Important developments can be
derived from this. These include, for example, the focus on the bottom line, a con-
stantly changing environment, lifelong learning or constant innovation in methods
and processes.
Critical Thinking Questions
1. Which external data, which has hardly been used up to now, can become impor-
tant for ERM in the future?
2. Which ERM processes are suitable for using robotic process automation (RPA)
to increase efficiency?
3. How should cooperation with stakeholders and other technical reports be organ-
ised in the sense of collective ERM?
4. How will the role and job profile of ERM professionals change in the future?
5. To what extent do ERM professionals need to acquire new digital competencies
or develop existing ones?
References
Boillet, J. (2018). AI: a risk and a way to manage risk. https://www.ey.com/Publication/vwLUAs-
sets/ey-reporting-ai-a-risk-and-a-way-to-manage-risk/$FILE/ey-reporting-ai-a-risk-and-a-way-
to-manage-risk.pdf. Accessed 28 November 2018.
Brooke, S. (2018). How Can Big Data’s Potential Be Unleashed for Risk Management? https://
towardsdatascience.com/how-can-big-datas-potential-be-unleashed-for-risk-management-
e7c62bcd02b7. Accessed 26 November 2018.
Cammsrisk (2017). Top 5 Trends in Risk Management. https://cammsrisk.com/blog/top-5-trends-
in-risk-management/. Accessed 26 November 2018.
Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2017). Enterprise
Risk Management—Integrating with Strategy and Performance. Jersey City, NJ: AICPA.
Culp, S. (2017). Extending The Skills Of The Risk Professional Is The Next Big Challenge In Risk
Management. https://www.forbes.com/sites/steveculp/2017/09/20/extending-the-skills-of-the-
risk-professional-is-the-next-big-challenge-in-risk-management/#766ebe8f6e40. Accessed 26
November 2018.
DeLoach, J. (2017). Transitioning Risk Management to the Digital Age. https://blog.protiviti.
com/2017/10/03/transitioning-risk-management-digital-age/. Accessed 22 November 2018.
Deloitte (2016). The networked economy demands collective risk management. https://www2.
deloitte.com/us/en/pages/risk/articles/networked-economy-demands-collective-risk-manage-
ment-future-of-risk-trend-eight.html. Accessed 26 November 2018.
Dowdalls, A. (2018). Building risk management skills for the future—where to start? https://
axveco.com/building-risk-management-skills-for-the-future-where-to-start/. Accessed 22
November 2018.
Ernst & Young (2017). What are the new risks associated with digitization, IoT, analyt-
ics and robotics? Presentation Enterprise Risk Summit 9. November 2017. Institut für
Finanzdienstleistungen Zug IFZ der Hochschule Luzern, Zug.
Ganguly, S., Harreis, H., Margolis, B., & Rowshankish, K. (2017). Digital risk: Transforming risk
management for the 2020s. https://www.mckinsey.com/business-functions/risk/our-insights/
digital-risk-transforming-risk-management-for-the-2020s. Accessed 22 November 2018.
Gleißner, W., & Romeike, F. (2005). Anforderungen an die Softwareunterstützung für das
Risikomanagement. Controlling & Management, 49 (2), 154–164.
Hunziker, S., Fallegger, M., & Balmer, P. (2018). Risiken der digitalen Transformation in
Schweizer Unternehmen (ERM Report 2018). Institut für Finanzdienstleistungen Zug IFZ der
Hochschule Luzern, Zug.
Hüther, M. (2016). Digitalisierung: Systematisierung der Trends im Strukturwandel—Gestal-
tungsaufgabe für die Wirtschaftspolitik. Institut der deutschen Wirtschaft, Policy Paper 15,
Köln.
Institute of Risk Management (IRM) (2017). Perspectives on the future of risk. Risk Agenda
2025. https://www.theirm.org/media/3105903/IRM_Risk_Agenda_2025_v8.pdf. Accessed 22
November 2018.
Kirchberg, A., & Müller, D. (2016). Digitalisierung im Controlling: Einflussfaktoren,
Standortbestimmung und Konsequenzen für die Controllerarbeit. In R. Gleich, K. Grönke, M.
Kirchmann & J. Leyk (Eds.), Konzerncontrolling 2020 (pp. 79–96). Freiburg: Haufe.
McKinsey (Ed.). (2017). The future of risk management in the digital era. https://www.mckinsey.
com/business-functions/risk/our-insights/the-future-of-risk-management-in-the-digital-era.
Accessed 19 November 2018.
OECD (2015). OECD Digital Economy Outlook 2015. Paris: OECD Publishing. doi:http://dx.doi.
org/10.1787/9789264232440-en
Oliver Wyman (Ed.). (2018). Next Generation Risk Management. Targeting a Technology
Dividend. Asia Pacific Risk Center, Oliver Wyman.
RIMS (Ed.). (2011). ERM Technology Tools: A Contemporary Look. A Report of the RIMS
Technology Advisory Council and RIMS ERM Committee. https://www.rims.org/Sales/
Documents/RIMS%20Executive%20Report%20on%20ERM%20Technology%20Tools%20
September%202011.pdf. Accessed 22 November 2018.
RIMS (Ed.). (2009). Enterprise Risk Management Technology Solutions. New York: Risk and
Insurance Management Society, Inc.
RiskNET (Ed.). (2018). Artificial Intelligence. Maximierung des Nutzens von KI durch
Risikomanagement. https://www.risknet.de/themen/risknews/artificial-intelligence/
cbd8995195a65d462243cf9a17eb2aaf/. Accessed 27 November 2018.
Romeike, F. (2018). Risikomanagement. Wiesbaden: Springer Gabler.
Romeike, F. (2017). Predictive Analytics im Risikomanagement—Daten als Rohstoff für den
Erkenntnisprozess. CFO aktuell, 11 (2), 60–63.
Segal, S. (2011). Corporate value of enterprise risk management. The next step in business man-
agement. Hoboken, NJ: Wiley.
Simon, H. (2016). The Future of Risk Management: Gamer boys and girls as Chief Risk Officers.
https://www.linkedin.com/pulse/future-risk-management-gamer-boys-girls-chief-horst-simon.
Accessed 22 November 2018.
Swisscom (2017). Predictive Analytics. Daten sagen die Zukunft voraus. https://www.swisscom.
ch/de/business/enterprise/themen/digital-business/predictive-analytics.html. Accessed 30
January 2019.
Thomas, D., & Brown, J. S. (2011). A New Culture of Learning: Cultivating the Imagination for a
World of Constant Change. CreateSpace Independent Publishing Platform.
- Preface
- Contents
- 1 Introducing ERM
- 1.1 Why ERM Matters
- 1.2 Definition of ERM
- 1.3 Risk Definition in the ERM Approach
- 1.4 ERM Frameworks
- 1.5 Challenges to ERM Implementation
- References
- 2 Countering Biases in Risk Analysis
- 2.1 Motivational Biases
- 2.1.1 Affect Heuristics
- 2.1.2 Attribute Substitution
- 2.1.3 Confirmation Bias
- 2.1.4 Desirability of Options and Choice
- 2.1.5 Optimism
- 2.1.6 Transparency Bias
- 2.2 Cognitive Biases
- 2.2.1 Anchoring
- 2.2.2 Availability Bias
- 2.2.3 Dissonance Bias
- 2.2.4 Zero Risk Bias
- 2.2.5 Conjunction Fallacy
- 2.2.6 Conservatism Bias
- 2.2.7 Endowment and Status Quo Bias
- 2.2.8 Framing
- 2.2.9 Gambler’s Fallacy
- 2.2.10 Hindsight Bias
- 2.2.11 Overconfidence
- 2.2.12 Perceived Risks
- 2.3 Group-Specific Biases
- 2.3.1 Authority Bias
- 2.3.2 Conformity Bias
- 2.3.3 Groupthink
- 2.3.4 Hidden Profile
- 2.3.5 Social Loafing
- References
- 3 Creating Value Through ERM Process
- 3.1 Balance Rationality with Intuition
- 3.2 Embrace Uncertainty Governance as Part of ERM
- 3.3 Collect Risk Scenarios
- 3.3.1 Identify Sources, Events and Impacts of All Risks
- 3.3.2 Develop an Effective and Structured Risk Identification Approach
- 3.3.3 Identify Risks Enterprise-Wide
- 3.3.4 Treat Business and Decision Problems not as True Risks
- 3.3.5 Don’t Let Reputation Risk Fool You
- 3.3.6 Focus on Management Assumptions
- 3.3.6.1 Start with Understanding the Business Strategy and Strategic Risk
- 3.3.6.2 Collect All Management Assumptions
- 3.3.6.3 Use Strategic Tools to Complement Assumption Analysis
- 3.3.6.4 Risk Identification: Mission Accomplished?
- 3.3.7 Conduct One-on-One Interviews with Key Stakeholders
- 3.3.7.1 Prefer Interviews Over Templates and Surveys
- 3.3.7.2 Select and Inform Interviewees Carefully
- 3.3.7.3 Elicit Feedback on Major Risks
- 3.3.7.4 Focus on Plausible Stories, not on Numbers
- 3.3.8 Complement with Traditional Risk Identification
- 3.3.8.1 Conduct Risk Workshops Carefully
- 3.3.8.2 Consider Process-Based Risk Identification
- 3.3.8.3 Use Risk Checklists with Caution
- 3.3.8.4 Try Fault Tree Analysis (FTA) for Critical Processes and Systems
- 3.3.8.5 Prevent Costly Errors with Failure Mode and Effects Analysis (FMEA)
- 3.4 Assess Key Risk Scenarios
- 3.4.1 Identify Key Risk Scenarios
- 3.4.1.1 Exclude Unrealistic, Devastating Risks
- 3.4.1.2 Separate Pure Management Action Items
- 3.4.1.3 Avoid Risk Maps as Selection Criterion
- 3.4.1.4 Avoid Expected Values as Selection Criterion
- 3.4.1.5 Prefer Impact Over Probability
- 3.4.1.6 Distinguish Between Key and Non Key Risks
- 3.4.2 Quantify Key Risk Scenarios
- 3.4.2.1 Why Risk Quantification Matters
- 3.4.2.2 Develop Quantitative Key Risk Scenarios
- 3.4.2.3 Store Key Risk Scenarios in a Database
- 3.4.3 Support Decision-Making
- 3.4.4 Differentiate between Decisions and Outcomes
- 3.4.5 Overcome the Regulatory Risk Management Approach
- 3.4.6 Overcome the Separation of Risk Analysis and Decision-Making
- 3.4.7 Assess Impact on Relevant Objectives
- 3.4.8 Avoid Pseudo-Risk Aggregation
- 3.4.9 Develop Useful Risk Appetite Statements
- 3.4.10 Make Uncertainties Transparent and Comprehensible
- 3.4.11 Exploit the Full Decision-Making Potential of ERM
- 3.4.12 Align ERM with Business Planning
- 3.4.13 Replace Standard Risk Reporting
- 3.4.14 Disclose Risks Appropriately
- 3.5 Assess and Improve ERM Quality
- 3.5.1 Test ERM Effectiveness Appropriately
- 3.5.2 Increase ERM Maturity Level
- References
- 4 Setting up Enterprise Risk Governance
- 4.1 Comply with Laws and Check Relevant Governance Codes
- 4.2 Consider ERM-Frameworks Thoughtfully
- 4.2.1 Motivation for Risk Management Standards
- 4.2.2 ISO 31000
- 4.2.3 COSO ERM
- 4.2.4 Similarities and Differences
- 4.2.5 Limitations of ERM Frameworks
- 4.3 Develop a Sound Risk Policy
- 4.3.1 Risk Policy and Corporate Strategy
- 4.3.2 Risk Policy as the Basis for Dealing with Risks
- 4.3.3 Limitations of Risk Policies
- 4.4 Enhance Risk Culture
- 4.4.1 Relate Risk Culture to Corporate Culture
- 4.4.2 Understand How Risk Culture Evolves
- 4.4.3 Increase Risk Culture Maturity Level
- 4.5 Organise ERM Properly
- 4.5.1 Does a Best-Practice ERM Organisation Exist?
- 4.5.2 ERM Organisation Options
- 4.5.3 Some Thoughts on Roles and Responsibilities
- References
- 5 Looking at Trends in ERM
- 5.1 Emerging Digital Risks
- 5.1.1 Impact of Disruptive Technologies
- 5.1.2 Digital Risk Framework
- 5.2 Digitization of ERM
- 5.3 Using Multiple Sources of Data
- 5.4 Increasing Demand for Analytic Skill Sets
- 5.5 Increasingly Sophisticated Software Tools
- 5.6 Networked Economy and Collective ERM
- 5.7 Improving ERM Skills
- References
Springer Texts in Business and Economics
David L. Olson
Desheng Wu
Enterprise Risk
Management
Models
Third Edition
Springer Texts in Business and Economics
Springer Texts in Business and Economics (STBE) delivers high-quality instruc-
tional content for undergraduates and graduates in all areas of Business/Management
Science and Economics. The series is comprised of self-contained books with a
broad and comprehensive coverage that are suitable for class as well as for individual
self-study. All texts are authored by established experts in their fields and offer a
solid methodological background, often accompanied by problems and exercises.
More information about this series at http://www.springer.com/series/10099
David L. Olson • Desheng Wu
Enterprise Risk
Management Models
Third Edition
David L. Olson
Department of Management
University of Nebraska
Lincoln, NE, USA
Desheng Wu
Economics and Management School
University of Chinese Academy of Sciences
Beijing, China
Stockholm Business School
Stockholm University
Stockholm, Sweden
ISSN 2192-4333 ISSN 2192-4341 (electronic)
Springer Texts in Business and Economics
ISBN 978-3-662-60607-0 ISBN 978-3-662-60608-7 (eBook)
https://doi.org/10.1007/978-3-662-60608-7
© Springer-Verlag GmbH Germany, part of Springer Nature 2020
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology
now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this
book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or
the editors give a warranty, expressed or implied, with respect to the material contained herein or for any
errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional
claims in published maps and institutional affiliations.
This Springer imprint is published by the registered company Springer-Verlag GmbH, DE, part of
Springer Nature.
The registered company address is: Heidelberger Platz 3, 14197 Berlin, Germany
Preface
Enterprise risk management has always been important. However, the events of the
twenty-first century have made it even more critical. Nature has caused massive
disruption, such as the tsunami that hit Fukushima in March 2011. Terrorism seems
to be on the rise, with attacks occurring in the USA, Europe, and Russia with greater
regularity, not to mention the even more common occurrences in the Middle East.
Human activities meant to provide benefits such as food modification and medicine
have led to unintended consequences. The generation of energy involves highly
politicized trade-offs between efficient electricity and carbon emissions, with the
macro-level risk of planetary survival at stake. Oil transport has experienced trau-
matic events. Risks can arise in many facets of business. Businesses in fact exist to
cope with risk in their area of specialization. But chief executive officers are
responsible to deal with any risk fate throws at their organization.
The first edition of this book was published in 2010, reviewing models used in
management of risk in nonfinancial disciplines. It focused more on application areas,
to include management of supply chains, information systems, and projects. It
included review of three basic types of models: multiple criteria analysis, probabi-
listic analysis, and business scorecards to monitor risk performance. The second
edition in 2017 focused more on models, with the underlying assumption that they
can be applied to some degree to risk management in any context. The third edition
adds material on risk-adjusted loss in Chap. 2, updates value analysis cases in
Chap. 4, and corrects an error in a chance constrained programming example in
Chap. 7.
The bulk of this book is devoted to presenting a number of operations research
models that have been (or could be) applied to supply chain risk management. We
begin with risk matrices, a simple way to sort out initial risk analysis. Then we
discuss decision analysis models, focusing on Simple Multi-attribute Rating Theory
(SMART) models to better enable supply chain risk managers to trade off conflicting
criteria of importance in their decisions. Monte Carlo simulation models are the
obvious operations research tool appropriate for risk management. We demonstrate
simulation models in supply chain contexts, to include calculation of value at risk.
We then move to mathematical programming models, to include chance constrained
programming, which incorporates probability into otherwise linear programming
models, and data envelopment analysis. We also discuss data mining with respect to
enterprise risk management. We close the modeling portion of the book with the use
of business scorecard analysis in the context of supply chain enterprise risk
management.
Chapters 11 through 15 discuss risk management contexts. Financial risk man-
agement has focused on banking, accounting, and finance.1 There are many good
organizations that have done excellent work to aid organizations dealing with those
specific forms of risk. This book focuses on other aspects of risk, to include
information systems and project management to supplement prior focus on supply
chain perspectives.2 We present more in-depth views of the perspective of supply
chain risk management, to include frameworks and controls in the ERM process
with respect to supply chains, information systems, and project management. We
also discuss aspects of natural disaster management, as well as sustainability, and
environmental damage aspects of risk management.
Operations research models have proven effective for over half a century. They
have been and are being applied in risk management contexts worldwide. We hope
that this book provides some view of how they can be applied by more readers faced
with enterprise risk.
Lincoln, NE David L. Olson
Beijing, China
Stockholm, Sweden
Desheng Wu
September 2019
Notes
1. Wu, D. D., & Olson, D. L. (2015). Enterprise Risk Management in Finance. New York:
Palgrave Macmillan.
2. Olson, D. L., & Wu, D. (2015). Enterprise Risk Management, 2nd ed. Singapore: World
Scientific.
Acknowledgment
This work was supported in part by the Ministry of Science and Technology of
China under Grant 2016YFC0503606, the National Natural Science Foundation of
China under Grant 71825007, the Chinese Academy of Sciences Frontier Scientific
Research Key Project under Grant QYZDB-SSW-SYS021, the CAS Strategic
Research and Decision Support System Development under Grant GHJ-ZLZX-
2019-33-3, the Marianne and Marcus Wallenberg Foundation under Grant MMW
2015.0007, and the Strategic Priority Research Program of CAS under Grant
XDA23020203 and supported by the International Partnership Program of Chinese
Academy of Sciences, Grant No.211211KYSB20180042.
Contents
1 Enterprise Risk Management in Supply Chains . . . . . . . . . . . . . 1
2 Risk Matrices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
3 Value-Focused Supply Chain Risk Analysis . . . . . . . . . . . . . . . . 33
4 Examples of Supply Chain Decisions Trading Off Criteria . . . . . 45
5 Simulation of Supply Chain Risk . . . . . . . . . . . . . . . . . . . . . . . . 59
6 Value at Risk Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
7 Chance-Constrained Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
8 Data Envelopment Analysis in Enterprise Risk Management . . . 109
9 Data Mining Models and Enterprise Risk Management . . . . . . . 123
10 Balanced Scorecards to Measure Enterprise Risk Performance . . . 137
11 Information Systems Security Risk . . . . . . . . . . . . . . . . . . . . . . . 149
12 Enterprise Risk Management in Projects . . . . . . . . . . . . . . . . . . 165
13 Natural Disaster Risk Management . . . . . . . . . . . . . . . . . . . . . . 179
14 Sustainability and Enterprise Risk Management . . . . . . . . . . . . . 199
15 Environmental Damage and Risk Assessment . . . . . . . . . . . . . . . 213
1 Enterprise Risk Management in Supply Chains
All human endeavors involve uncertainty and risk. Mitroff and Alpaslan (2003)
categorized emergencies and crises into three categories: natural disasters, malicious
activities, and systemic failures of human systems.1 Nature does many things to us,
disrupting our best-laid plans and undoing much of what humans have constructed.
Natural disasters by definition are surprises, causing a great deal of damage and
inconvenience. Nature inflicts disasters such as volcanic eruptions, tsunamis,
hurricanes and tornados. Guertler and Spinler2 noted a number of supply chain
disruptions in recent years due to natural causes. In 2007 an earthquake damaged
Toyota’s major supplier for key parts, leading to shutdown of Toyota’s Japanese
factories as well as impacting Mitsubishi, Suzuki, and Honda. In 2010 the Icelandic
volcanic activity shut down European air space for about a week, massively
disrupting global supply chains. In 2011 the tsunami leading to the Fukushima
disaster disrupted automakers and electronic supply chains, as well as many others.
While natural disasters come as surprises, we can be prepared. Events such as
earthquakes, floods, fires and hurricanes are manifestations of the majesty of nature.
In some cases, such as Mount Saint Helens or Hurricane Katrina,3 we have
premonitions to warn us, but we never completely know the extent of what is
going to happen. Emergency management is a dynamic process conducted under
stressful conditions, requiring flexible and rigorous planning, cooperation, and
vigilance.
Some things we do to ourselves, to include revolutions, terrorist attacks and
wars. Malicious acts are intentional on the part of fellow humans who are either
excessively competitive or who suffer from character flaws. Wars fall within this
category, although our perceptions of what is sanctioned or malicious are colored
by our biases. Criminal activities such as product tampering or kidnapping and
murder are clearly not condoned. Acts of terrorism are less easily classified, as
what is terrorism to some of us is expression of political behavior to others. Similar
gray categories exist in the business world. Marketing is highly competitive, and
positive spinning of your product often tips over to malicious slander of competitor
products. Malicious activity has even arisen within the area of information technol-
ogy, in the form of identity theft or tampering with company records.
The third category is probably the most common source of crises: unexpected
consequences arising from overly complex systems.4 Some disasters combine
human and natural causes—we dam up rivers to control floods, to irrigate, to
generate power, and for recreation, as at Johnstown, PA at the turn of the twentieth
Century. We have developed low-pollution, low-cost electricity through nuclear
energy, as at Three-Mile Island in Pennsylvania and Chernobyl. The financial
world is not immune to systemic failure. Financial risk importance was evidenced
traumatically by events of 2007 and 2008, when the global financial community
experienced a real estate bubble collapse from which most of the world’s economies
are still recovering. Human investment activity seems determined to create bubbles,
despite our long history of suffering.5 Financial investment seems to be a never-
ending game of greedy players seeking to take advantage of each other, which Adam
Smith assured us would lead to an optimal economic system. It is interesting that we
pass through periods of trying one system, usually persisting until we encounter
failure, and then move on to another system.6
Unexpected Consequences
Charles Perrow contended that humans are creating technologies that are high risk
because they are too complex, involving interactive complexity in tightly coupled
systems. Examples include dam systems, which have provided a great deal of value
to the American Northwest and Midwest, but which also create potential for disaster
when dams might break; mines, which give access to precious metals and other
needed materials but which have been known to collapse; and space activities, which
demonstrate some of mankind’s greatest achievements, as well as some of its most
heartbreaking failures. Nuclear systems (power or weapon) and airline systems are
designed to be highly reliable, with many processes imposed to provide checks and
balances. Essentially, humans respond to high risk by creating redundant and more
complex systems, which by their nature lead to a system prone to greater likelihood
of systems failure.
Technological innovation is a manifestation of human progress, but efforts in this direction have yielded many issues. In the energy field, nuclear power was considered the solution to electrical supply 50 years ago. While it has proven to be a viable source of energy in France and other European countries, it has had problems in the US (Three Mile Island) and in the former Soviet Union (Chernobyl). There is a reticence on the part of citizens to nuclear power, and the issue of waste disposal defies solution. Even in Europe the trend is away from nuclear. The Federal Government in the US did not license new plants for decades, despite technological advances developed by national laboratories. Coal remains a major source of electrical energy fuel, although there are very strong questions concerning the need to replace it for carbon footprint reasons. Natural gas is one alternative. Wind power is another. Solar energy has been proposed. All of these alternatives
2 1 Enterprise Risk Management in Supply Chains
can be seen to work physically, if not economically. The question of energy was further complicated with the recent large-scale adoption of fracking. This technique introduces risk and uncertainty not only to itself, but its inclusion changes decision-making regarding all sectors of energy.
All organizations need to prepare themselves to cope with crises from whatever
source. In an ideal world, managers would identify everything bad that could happen
to them, and develop a contingency plan for each of these sources of crisis. It is a
good idea to be prepared. However, crises by definition are almost always the result
of nature, malicious humans, or systems catching us unprepared (otherwise there
may not have been a crisis). We need to consider what could go wrong, and think
about what we might do to avoid problems. We cannot expect to cope with every
contingency, however, and need to be able to respond to new challenges.
Enterprise risk management, especially in finance and accounting,7 is well-covered by many sources. This book will review the types of risks faced within supply chains as identified by recent sources. We will also look at project management, information systems, emergency management, and sustainability aspects of supply chain risk. We will then look at processes proposed to enable organizations to identify, react to, and cope with challenges that have been encountered. This will include looking at risk mitigation options. One option explored in depth will be the application of value-focused analysis to supply chain risk. We will then seek to demonstrate points with cases from the literature. We will conclude this chapter with an overview.
Supply Chain Risk Frameworks
There is a rapidly growing body of literature concerning risk management, to include special issues in Technovation,8 Omega,9 and Annals of Operations Research.10 Special issues also have been devoted to sustainability and risk management.11 This literature involves a number of approaches, including some frameworks, categorization of risks, processes, and mitigation strategies. Frameworks have been provided by many, to include Lavastre et al.12 and Desai et al.13 We begin with a general framework. Ritchie and Brindley14 viewed five major components to a framework in managing supply chain risk.
Risk Context and Drivers
Supply chains can be viewed as consisting of primary and secondary levels. The primary level chain involves those that have major involvement in delivery of goods and services (Wal-Mart itself and its suppliers). At the secondary level participants have a more indirect involvement (those who supply vendors who have contracts with Wal-Mart, or Wal-Mart’s customers). The primary level participants are governed by contractual relationships, obviously tending to be more clearly stated. Risk drivers can arise from the external environment, from within an industry, from within a specific supply chain, from specific partner relationships, or from specific activities within the organization.
Risk drivers arising from the external environment will affect all organizations,
and can include elements such as the potential collapse of the global financial
system, or wars. Industry specific supply chains may have different degrees of
exposure to risks. A regional grocery will be less impacted by recalls of Chinese
products involving lead paint than will those supply chains carrying such items.
Supply chain configuration can be the source of risks. Specific organizations can
reduce industry risk by the way they make decisions with respect to vendor selection.
Partner specific risks include consideration of financial solvency, product quality
capabilities, and compatibility and capabilities of vendor information systems. The
last level of risk drivers relates to internal organizational processes in risk assessment
and response, and can be improved by better equipping and training of staff and
improved managerial control through better information systems.
Risk Management Influencers
This level involves actions taken by the organization to improve their risk position.
The organization’s attitude toward risk will affect its reward system, and mold how
individuals within the organization will react to events. This attitude can be dynamic
over time, responding to organizational success or decline.
Decision Makers
Individuals within the organization have risk profiles. Some humans are more risk
averse, others more risk seeking. Different organizations have different degrees of
group decision making. More hierarchical organizations may isolate specific
decisions to particular individuals or offices, while flatter organizations may stress
greater levels of participation. Individual or group attitudes toward risk can be
shaped by their recent experiences, as well as by the reward and penalty structure
used by the organization.
Risk Management Responses
Each organization must respond to risks, but there are many alternative ways in
which the process used can be applied. Risk must first be identified. Monitoring and
review requires measurement of organizational performance. Once risks are
identified, responses must be selected. Risks can be mitigated by an implicit
tradeoff between insurance and cost reduction. Most actions available to
organizations involve knowing what risks the organization can cope with because
of their expertise and capabilities, and which risks they should outsource to others at
some cost. Some risks can be dealt with, others avoided.
Performance Outcomes
Organizational performance measures can vary widely. Private for-profit
organizations are generally measured in terms of profitability, short-run and long-
run. Public organizations are held accountable in terms of effectiveness in delivering
services as well as the cost of providing these services. Kleindorfer and Saad gave
8 key drivers of disruption/risk management in supply chains15:
• Corporate image
• Liability
• Employee health and safety
• Cost reduction
• Regulatory compliance
• Community relations
• Customer relations
• Product improvement
In normal times, there is more of a focus on high returns for private
organizations, and lower taxes for public institutions. Risk events can make their
preparation in dealing with risk exposure much more important, focusing on
survival.
Cases
The research literature is very heavily populated by studies of supply chain risk in recent years. Diabat et al.16 presented a model of a food supply chain with five categories (macro concerning nature and political, demand, supply, product, and information management) of risk using interpretive structural modeling. Hachicha and Elmasalmi17 proposed structural modeling and MICMAC (cross-impact) analysis for risk prioritization. Aqlan and Lam18 applied optimization modeling to mitigate supply chain risks in a manufacturing environment. Davarzani et al.19 considered economic/political risk in three companies in the automotive field, while Ceryno et al.20 developed risk profiles in terms of drivers, sources, and events for automotive cases in Brazil. Trkman et al.21 surveyed 89 supply chain companies, finding a predominant focus on risk avoidance rather than using risk management for value generation. These cases cited are only the tip of the iceberg, meant to give some flavor of the variety of supply chain domains that have been analyzed for risk.
Models Applied
Many different types of models have been proposed in the literature. Because of the uncertainty involved, statistical analysis and simulation are very appropriate to consider supply chain risk. Bayesian analysis has been proposed to model supply chain risk.22 Simulation was proposed in a number of studies, to include discrete-event simulation.23 Colicchia et al.24 applied simulation modeling to support risk management in supply chains. Simulation modeling of personnel system supply chains has been addressed.25 System dynamics models have been widely used26 and with respect to the bullwhip-effect.27 Other modeling approaches have been applied to supply chain risk as well.28 Optimization is widely used,29 and even data mining.30
Risk Categories Within Supply Chains
Supply chains involve many risks. Cucchiella and Gastaldi31 divided supply chain
risks into two categories: internal (involving such issues as capacity variations,
regulations, information delays, and organizational factors) and external (market
prices, actions of competitors, manufacturing yield and costs, supplier quality, and
political issues). Specific supply chain risks considered by various studies are given
in Table 1.1:
Supply chain organizations thus need to worry about risks from every direction.
In any business, opportunities arise from the ability of that organization to deal with
risks. Most natural risks are dealt with either through diversification and redundancy,
or through insurance, both of which have inherent costs. As with any business
decision, the organization needs to make a decision considering tradeoffs.
Traditionally, this has involved the factors of costs and benefits. Society is more
and more moving toward even more complex decision-making domains requiring
consideration of ecological factors as well as factors of social equity.
Dealing with other external risks involves more opportunities to control risk sources. Some supply chains in the past have had influence on political systems. Arms firms like that of Alfred Nobel come to mind, as well as petroleum businesses, both of which have been accused of controlling political decisions. While most supply chain entities are not expected to be able to control political risks like wars and regulations, they do have the ability to create environments leading to labor unrest. Supply chain organizations have even greater expected influence over economic factors. While they are not expected to be able to control exchange rates, the benefit of monopolies or cartels is their ability to influence price. Business organizations also are responsible to develop technologies providing competitive advantage, and to develop product portfolios in dynamic markets with product life cycles. The risks arise from never-ending competition.
Internal risk management is more directly the responsibility of the supply chain organization and its participants. Any business organization is responsible to manage financial, production, and structural capacities. They are responsible for programs to provide adequate workplace safety, which has proven to be cost-beneficial to organizations as well as fulfilling social responsibilities. Within supply chains, there is need to coordinate activities with vendors, and to some degree with customers (supported by data obtained through bar-code cash register information providing instantaneous indication of demand). Information systems technology provides effective tools to keep on top of supply chain information exchange. Another factor of great importance is the responsibility of supply chain core organizations to manage risks inherent in the tradeoff between wider participation made possible through Internet connections (providing a larger set of potential suppliers leading to lower costs) with the reliability provided by long-term relationships with a smaller set of suppliers that have proven to be reliable.
Table 1.1 Supply chain risk categories
Category | Risk | A B C D E F G
External
Nature | Natural disaster: flood, earthquake | X X X X X
Nature | Plant fire | X
Nature | Diseases, epidemics | X X
Political system | War, terrorism | X X X
Political system | Labor disputes | X X X X X
Political system | Customs and regulations | X X X X X X
Competitor and market | Price fluctuation | X
Competitor and market | Economic downturn | X
Competitor and market | Exchange rate risk | X X
Competitor and market | Consumer demand volatility | X X X
Competitor and market | Customer payment | X
Competitor and market | New technology | X X
Competitor and market | Obsolescence | X X
Competitor and market | Substitution alternatives | X
Internal
Available capacity | Cost | X X X
Available capacity | Financial capacity/insurance | X X
Available capacity | Structural capacity | X X X X X
Available capacity | Supplier bankruptcy | X X
Internal operation | Forecast inaccuracy | X X X X
Internal operation | Safety (worker accidents) | X X
Internal operation | Agility/flexibility | X X X
Internal operation | On-time delivery | X X X
Internal operation | Quality | X X X
Information system | IS breakdown | X
Information system | Integration | X X X
A—Chopra and Sodhi (2004)32
B—Wu et al. (2006)33
C—Cucchiella and Gastaldi (2006)34
D—Blackhurst et al. (2008)35
E—Manuj and Mentzer (2008)36
F—Wagner and Bode (2008)37
G—Lavastre et al. (2014)38
Process
A process is a means to implement a risk management plan. Cucchiella and Gastaldi
outlined a supply chain risk management process39:
• Analysis: examine supply chain structure, appropriate performance measures,
and responsibilities
• Identify sources of uncertainty: focus on most important
• Examine risks: select risks in controllable sources of uncertainty
• Manage risk: develop strategies
• Individualize most adequate real option: select strategies for each risk
• Implement
This can be combined with a generic risk management process compatible with
those provided by Hallikas et al., Khan and Burnes, Autry and Bobbitt, and by
Manuj and Mentzer40:
• Risk identification
– Perceiving hazards, identifying failures, recognizing adverse consequences
– Security preparation and planning
• Risk assessment (estimation) and evaluation
– Describing and quantifying risk, estimating probabilities
– Estimating risk significance, acceptability of risk acceptance, cost/benefit
analysis
• Selection of appropriate risk management strategy
• Implementation
– Security-related partnerships
– Organizational adaptation
• Risk monitoring/mitigation
– Communication and information technology security
Both of these views match the Kleindorfer and Saad risk management
framework41:
1. The initial requirement is to specify the nature of underlying hazards leading to
risks;
2. Risk needs to be quantified through disciplined risk assessment, to include
establishing the linkages that trigger risks;
3. To manage risk effectively, approaches must fit the needs of the decision
environment;
4. Appropriate management policies and actions must be integrated with on-going
risk assessment and coordination.
In order to specify, assess and mitigate risks, Kleindorfer and Saad proposed ten
principles derived from industrial and supply chain literatures:
1. Before expecting other supply chain members to control risk, the core activity
must do so internally;
2. Diversification reduces risk—in supply chain contexts, this can include facility
locations, sourcing options, logistics, and operational modes;
3. Robustness to disruption risks is determined by the weakest link;
4. Prevention is better than cure—loss avoidance and preemption are preferable to
fixing problems after the fact;
5. Leanness and efficiency can lead to increased vulnerability
6. Backup systems, contingency plans, and maintaining slack can increase the
ability to manage risk;
7. Collaborative information sharing and best practices are needed to identify
vulnerabilities in the supply chain;
8. Linking risk assessment and quantification with risk management options is
crucial to understand potential for harm and to evaluate prudent mitigation;
9. Modularity of process and product designs as well as other aspects of agility and
flexibility can provide leverage to reduce risks, especially those involving raw
material availability and component supply;
10. TQM principles such as Six-Sigma give leverage in achieving greater supply
chain security and reduction of disruptive risks as well as reducing operating
costs.
Mitigation Strategies
There are many means available to control risks within supply chains. A fundamental strategy would be to try to do a great job in the fundamental supply chain performance measures of consistent fulfillment of orders, delivery dependability, and customer satisfaction. That basically amounts to doing a good job at what you do. Of course, many effective organizations have failed when faced with changing markets or catastrophic risks outlined in the last section as external risks. Some strategies proposed for supply chains are reviewed in Table 1.2:
Chopra and Sodhi developed a matrix to compare relative advantages or disadvantages of each strategy with respect to types of risks.47 Adding capacity would be expected to reduce risk of needing more capacity of course, and also decrease risk of procurement and inventory problems, but increases the risk of delay. Adding inventory is very beneficial in reducing risk of delays, and reduces risk of disruption, procurement, and capacity, but incurs much greater risk of inventory-related risks such as out-dating, spoilage, carrying costs, etc. Having redundant suppliers is expected to be very effective at dealing with disruptions, and also can reduce procurement and inventory risk, but can increase the risk of excess capacity. Other strategies had no negative expected risk impacts (increasing responsiveness, increasing flexibility, aggregating demand, increasing capability, or increasing customer accounts), but could have negative cost implications. Talluri et al.48 assessed such strategies via simulation.
Tang emphasized robustness.49 He gave nine robust supply chain strategies, some of which were included in Table 1.2. He elaborated on the expected benefits of each strategy, both for normal operations as well as in dealing with major disruptions, outlined in Table 1.3, organized by purpose:
Cucchiella and Gastaldi gave similar strategies, with sources of supply chain research that investigated each.50 Cucchiella and Gastaldi expanded Tang’s list to include capacity expansion. Ritchie and Brindley included risk insurance, information sharing, and relationship development.51
Table 1.2 Supply chain mitigation strategies (strategies proposed by sources A–E, one row per related group)
Add capacity | Expand where you have competitive advantage
Add inventory | Buffers | Safety stock
Redundant suppliers | Multiple sources | Monitor suppliers | Drop troublesome suppliers
Increase responsiveness | Information sharing | Contingency planning | End-to-end visibility
Increase flexibility | Product differentiation | Late product differentiation | Delay resource commitment | Supply flexibility
Pool demand | Multiple sourcing
Increase capability | Outsource low probability demand
More customers | Early supplier involvement | Information sharing
Sharing/transfer | Awareness
Risk taking | Insurance | Hedge (insure, disperse globally)
Supplier development
Drop troublesome customers
A—Chopra and Sodhi (2004)42
B—Khan and Burnes (2007)43
C—Wagner and Bode (2008)44
D—Manuj and Mentzer (2008)45
E—Oke and Gopalakrishnan (2009)46
Conclusions
Enterprise risk management began focusing on financial factors. After the corporate
scandals in the U.S. in the early 2000s, accounting aspects grew in importance. This
chapter discusses the importance of risk management in the context of supply chain
management.
A representative risk framework based on the work of Ritchie and Brindley was
presented. It rationally begins by identifying causes (drivers) of risk, and influencers
within the organization. Those responsible for decision making are identified, and a
process outlined where risks, responses, and measures of outcomes are included.
There have been many cases involving supply chain risk management reported recently. Some were briefly reviewed, along with quantitative modeling. Typical risks faced by supply chains were extracted from sources, and categorized. A process of risk identification, assessment, strategy development and selection, implementation and monitoring is reviewed. Representative mitigation strategies were extracted from published sources.
Chapter 2 addresses the enterprise risk management process, describing use of risk matrices. Chapter 3 describes value-focused supply chain risk analysis, with examples demonstrated in Chap. 4. Chapter 5 provides simulation modeling of supply chain inventory. Chapter 6 deals with value at risk, Chap. 7 with chance constrained modeling, Chap. 8 with data envelopment analysis, and Chap. 9 with data mining from the perspective of enterprise risk management. Chapter 10 concludes the methods section of the book with balanced scorecards as tools to monitor implementation of risk management efforts. Domain specific issues for information systems are discussed in Chap. 11, for project management in Chap. 12, natural disaster response in Chap. 13, sustainability risk management in Chap. 14, and environmental damage and risk assessment in Chap. 15.
Table 1.3 Tang’s Robust supply chain strategies
Strategy | Purpose | Normal benefits | Disruption benefits
Strategic stock | Product availability | Better supply management | Quick response
Economic supply incentives | Product availability | Better supply management | Can quickly adjust order quantities
Postponement | Product flexibility | Better supply management | Can change product configurations quickly in response to actual demand
Flexible supply base | Supply flexibility | Better supply management | Can shift production among suppliers quickly
Make-and-buy | Supply flexibility | Better supply management | Can shift production in-house or outsource
Flexible transportation | Transportation flexibility | Better supply management | Can switch among modes as needed
Revenue management | Control product demand | Better demand management | Influence customer selection as needed
Dynamic assortment planning | Control product demand | Better demand management | Can influence product demand quickly
Silent product rollover | Control product exposure | Better manage both supply and demand | Quickly affect demand
Notes
1. Mitroff, I.I. and Alpaslan, M.C. (2003). Preparing for evil, Harvard Business
Review 81:4, 109–115.
2. Guertler, B. and Spinler, S. (2015). Supply risk interrelationships and the
derivation of key supply risk indicators, Technological Forecasting & Social
Change 92, 224–236.
3. Kapucu, N. and Van Wart, M. (2008). Making matters worse: An anatomy of
leadership failures in managing catastrophic events, Administration & Society
40(7): 711–740.
4. Perrow, C. (1984). Normal Accidents: Living with High-Risk Technologies.
Princeton, NJ: Princeton University Press, 1999 reprint.
5. Laeven, L. and F. Valencia (2008) ‘Systemic banking crises: A new database’,
International Monetary Fund Working Paper WP/08/224.
6. Wu, D.D. and Olson, D.L. (2015), Enterprise Risk Management in Finance.
New York: Palgrave Macmillan.
7. Olson, D.L. and Wu, D.D. (2015). Enterprise Risk Management 2nd ed.
Singapore: World Scientific.
8. Olson, D.L., Birge, J. and Linton, J. (2014). Special issue: Risk management in
cleaner production. Technovation 34:8, 395–398.
9. Wu, D.D., Olson, D.L. and Dolgui, A. (2015). Decision making in enterprise
risk management. Omega 57 Part A, 1–4.
10. Wu, D. (2016). Risk management and operations research: A review and
introduction to the special issue. Annals of Operations Research 237(1–2), 1–3.
11. Wu, D.D., Olson, D.L. and Birge, J.R. (2013). Risk management in cleaner
production. Journal of Cleaner Production 53, 1–6.
12. Lavastre, O., Gunasekaran, A. and Spalanzani, A. (2014). Effect of firm characteristic, supplier relationships and techniques used on supply chain risk management (SCRM): An empirical investigation on French industrial firms. International Journal of Production Research 52(110), 3381–3403.
13. Desai, K.J., Desai, M.S. and Ojode, L. (2015). Supply chain risk management
framework: A fishbone analysis approach. SAM Advanced Management Journal
80(3), 34–56.
14. Ritchie, B. and Brindley, C. (2007a). An emergent framework for supply chain risk management and performance measurement, Journal of the Operational Research Society 58, 1398–1411; Ritchie, B. and Brindley, C. (2007b). Supply chain risk management and performance: A guiding framework for future development, International Journal of Operations & Production Management 27:3, 303–322.
15. Kleindorfer, P.R. and Saad, G.H. (2005). Managing disruption risks in supply
chains, Production and Operations Management 14:1, 53–68.
16. Diabat, A., Govindan, K. and Panicker, V.V. (2012). Supply chain risk management and its mitigation in a food industry. International Journal of Production Research 50(11), 3039–3050.
17. Hachicha, W. and Elmsalmi, M. (2014). An integrated approach based-structural modeling for risk prioritization in supply network management. Journal of Risk Research 17(10), 1301–1324.
18. Aqlan, F. and Lam, S.S. (2015). Supply chain risk modelling and mitigation.
International Journal of Production Research 53(18), 5640–5656.
19. Davarzani, H., Zanjirani Farahani, R., and Rahmandad, H. (2015). Understanding econo-political risks: Impact of sanctions on an automotive supply chain. International Journal of Operations & Production Management 35(11), 1567–1591.
20. Ceryno, P.S., Scavarda, L.F., and Klingebiel, K. (2015). Supply chain risk:
Empirical research in the automotive industry. Journal of Risk Research 18(9),
1145–1164.
21. Trkman, P., de Oliveira, M.P.V. and McCormack, K. (2016). Value-oriented supply chain risk management: You get what you expect. Industrial Management & Data Systems 116(5), 1061–1083.
22. Badurdeen, F., Shuaib, M., Wijekoon, K., Brown, A., Faulkner, W., Amundson, J., Jawahir, I.S., Goldsby, T.J., Iyengar, D. and Boden, B. (2014). Quantitative modeling and analysis of supply chain risks using Bayesian theory. Journal of Manufacturing Technology Management 631–654.
23. Elleuch, H., Hachicha, W., and Chabchoub, H. (2014). A combined approach
for supply chain risk management: Description and application to a real hospital
pharmaceutical case study. Journal of Risk Research 17(5), 641–663.
24. Colicchia, C., Dallari, F., and Melacini, M. (2011). A simulation-based framework to evaluate strategies for managing global inbound supply risk. International Journal of Logistics: Research & Applications 14(6), 371–384.
25. Swenseth, S.R. and Olson, D.L. (2014). Simulation model of professional
service personnel inventory. International Journal of Services and Operations
Management 19(4), 451–467.
26. Ghadge, A., Dani, S., Chester, M. and Kalawsky, R. (2013). A systems
approach for modelling supply chain risk. Supply Chain Management 18(5),
523–538.
27. Wangphanich, P., Kara, S. and Kayis, B. (2010). Analysis of the bullwhip effect
in multi-product, multi-stage supply chain systems – a simulation approach.
International Journal of Production Research 48(15), 4501–4517.
28. Wu, D. and Olson, D.L. (2011). Forward. Annals of Operations Research 185(1), 1–3; Wu, D.D., Olson, D.L. and Birge, J. (2011) Guest editorial. Computers and Operations Research 39(4), 751–752; Wu, D., Olson, D.L. and Birge, J. Introduction to special issue on enterprise risk management in operations. International Journal of Production Economics 134(1); Wu, D., Fang, S.-C., Olson, D.L. and Birge, J.R. (2012) Introduction to the special issue on optimizing risk management in services. Optimization 61(10–12), 1175–1177; Wu, D.D. and Olson, D.L. (2013) Computational simulation and risk analysis: An introduction of state of the art research. Mathematical & Computer Modelling 58, 1581–1587; Wu, D.D., Chen, S.-H. and Olson, D.L. (2014) Business intelligence in risk management: Some recent progresses. Information Sciences 256(20), 1–7.
29. Aqlan, F. and Lam, S.S. (2015). Supply chain risk modelling and mitigation.
International Journal of Production Research 53(18), 5640–5656.
30. Ting, S.L., Tse, Y.K., Ho, G.T.S., Chung, S.H. and Pang, G. (2014). Mining
logistics data to assure the quality in a sustainable food supply chain: A case in
the red wine industry. International Journal of Production Economics
152, 200–209.
31. Cucchiella, F. and Gastaldi, M. (2006). Risk management in supply chain: A
real option approach, Journal of Manufacturing Technology Management 17:6,
700–720.
32. Chopra, S. and Sodhi, M.S. (2004). Managing risk to avoid supply-chain
breakdown, MIT Sloan Management Review 46:1, 53–61.
33. Wu, T., Blackhurst, J. and Chidambaram, V. (2006). A model for inbound supply risk analysis. Computers in Industry 57, 350–365.
34. Cucchiella and Gastaldi (2006), op cit.
35. Blackhurst, J.V., Scheibe, K.P. and Johnson, D.J. (2008). Supplier risk assessment and monitoring for the automotive industry. International Journal of Physical Distribution & Logistics Management 38:2, 143–165.
36. Manuj, I. and Mentzer, J.T. (2008). Global supply chain risk management,
Journal of Business Logistics 29:1, 133–155.
37. Wagner, S.M. and Bode, C. (2008). An empirical examination of supply chain
performance along several dimensions of risk, Journal of Business Logistics
29:1, 307–325.
38. Lavastre, O., Gunasekaran, A. and Spalanzani, A. (2014). Effect of firm
characteristics, supplier relationships and techniques used on supply chain risk
management (SCRM): An empirical investigation on French industrial firms.
International Journal of Production Research 52(11), 3381–3403.
39. Cucchiella and Gastaldi (2006), op cit.
40. Hallikas, J., Karvonen, I., Pulkkinen, U., Virolainen, V.-M. and Tuominen,
M. (2004). Risk management processes in supplier networks, International
Journal of Production Economics 90:1, 47–58; Khan and Burnes (2007), op
cit.; Autry, C.W. and Bobbitt, L.M. (2008). Supply chain security orientation:
Conceptual development and a proposed framework, International Journal of
Logistics Management 19:1, 42–64; Manuj and Mentzer (2008), op cit.
41. Kleindorfer and Saad (2005), op cit.
42. Chopra and Sodhi (2004), op cit.
43. Khan, O. and Burnes, B. (2007). Risk and supply chain management: Creating a research agenda. International Journal of Logistics Management 18(2): 197–216.
44. Wagner and Bode (2008), op cit.
45. Manuj and Mentzer (2008), op cit.
46. Oke, A., Gopalakrishnan, M. 2009. Managing Disruptions in Supply Chains: A
Case Study of a Retail Supply Chain. International Journal of Production
Economics 118(1); 168–174.
47. Chopra and Sodhi (2004), op cit.
48. Talluri, S., Kull, T.J., Yildiz, H. and Yoon, J. (2013) Assessing the efficiency of
risk mitigation strategies in supply chains. Journal of Business Logistics 34(4),
253–269.
49. Tang, C.S. (2006). Robust strategies for mitigating supply chain disruptions,
International Journal of Logistics: Research and Applications 9:1, 33–45.
50. Cucchiella and Gastaldi (2006), op cit.
51. Ritchie and Brindley (2007a), op cit.
2 Risk Matrices
There is no doubt that risk management is an important and growing area in this uncertain world. Chapter 1 discussed a number of recent events that made doing business highly challenging. Globalization offers many opportunities, but it also means less control, operating in a wider world where the actions of others intersect with our own. This chapter looks at the enterprise risk management process, focusing on means to assess risks.
The Committee of Sponsoring Organizations of the Treadway Commission
(COSO) is an accounting organization concerned with enterprise risk management
(ERM). They define ERM as a process designed to identify potential events that may
affect the organization, and manage risk to be within that organization’s risk appetite
in order to provide reasonable assurance of accomplishing the organization’s
objectives.1 Risk identification and mitigation are a key component of an
organization’s ERM program. Table 2.1 outlines this risk framework.
Table 2.1 is compatible with the overall risk management framework we gave in
Chap. 1:
• Risk identification
• Risk assessment and evaluation
• Selection of risk management strategy
• Implementation
• Risk monitoring/mitigation
Risk Management Process
An important step is to set the risk appetite for the organization. No organization can avoid risk nor should they insure against every risk. Organizations exist to take on risks in areas where they have developed the capability to cope with risk. However, they cannot cope with every risk, so top management needs to identify the risks they expect to face, and to identify those risks that they are willing to assume (and profit from successfully coping).
# Springer-Verlag GmbH Germany, part of Springer Nature 2020
D. L. Olson, D. Wu, Enterprise Risk Management Models, Springer Texts in Business and Economics, https://doi.org/10.1007/978-3-662-60608-7_2
The risk identification process needs to consider risks of all kinds. Typically,
organizations can expect to encounter risks of the following types:
• Strategic risk
• Operations risk
• Legal risk
• Credit risk
• Market risk
Examples of these risks are outlined in Table 2.2.
Each manager should be responsible for ongoing risk identification and control within their area of responsibility. Once risks are identified, a risk matrix can be developed. Risk matrices will be explained in the next section. The risk management process is the control aspect of those risks that are identified. The adequacy of this process depends on assigning appropriate responsibilities by role for implementation. Effectiveness can be monitored by a risk-screening committee at a high level within the organization that monitors new significant markets and products. The risk review process includes a systematic internal audit, often outsourced to third-party providers responsible for ensuring that the enterprise risk management structure functions as designed. One tool to aid in risk assessment and evaluation is a risk matrix.
Risk Matrices
A risk matrix provides a two-dimensional (or higher) picture of risk, either for firm departments, products, projects, or other items of interest. It is intended to provide a means to better estimate the probability of success or failure, and identify those activities that would call for greater control. One example might be for product lines, as shown in Table 2.3.

Table 2.1 COSO risk management framework
Concept | Elaboration
Mission, strategy, and objectives | What are the organization’s mission, strategy, and objectives?
Risks | What are the significant risks?
Risk appetite | What is the organization willing to tolerate?
Likelihood | What is the likelihood of the risk occurring? (How can you measure?)
Impacts | What is the potential impact of the risk?
Risk mitigation | What are available defense strategies?
Residual risk | What is the risk remaining (beyond control)?
Risk response and effectiveness | How effectively does the organization manage its individual risks?
Risk maturity | How robust is the current ERM program?
The risk matrix is meant to be a tool revealing the distribution of risk across a firm’s portfolio of products, projects, or activities, and assigning responsibilities or mitigation activities. In Table 2.3, hedging activities might include paying for insurance, or in the case of investments, using short-sale activities. Internal controls would call for extra managerial effort to quickly identify adverse events, and take action (at some cost) to provide greater assurance of acceptable outcomes. Risk matrices can represent continuous scales. For instance, a risk matrix focusing on product innovation was presented by Day.2 Many organizations need to have an ongoing portfolio of products. The more experience the firm has in a particular product type, the greater the probability of product success. Similarly, the more experience the firm has in the product’s intended market, the greater the probability of product success. By obtaining measures based on expert product manager evaluation of both scales, historical data can be used to calibrate prediction of product success. Scaled measures for product/technology risk could be based on expert product manager evaluations as demonstrated in Table 2.4 for a proposed product, with higher scores associated with less attractive risk positions. Table 2.5 demonstrates the development of risk assessment of the intended market.

Table 2.2 Enterprise risk management framework
Strategic risks
• Is there a formal process to identify potential changes in markets, economic conditions, regulations, and demographic change impacts on the business?
• Is new product innovation considered for both short- and long-run impact?
• Does the firm’s product line cover the customer’s entire financial services experience?
• Is research and development investment adequate to keep up with competitor product development?
• Are sufficient controls in place to satisfy regulatory audits and their impact on stock price?
Operations risks
• Does the firm train and encourage use of rational decision-making models?
• Is there a master list of vendor relationships, with assurance each provides value?
• Is there adequate segregation of duties?
• Are there adequate cash and marketable securities controls?
• Are financial models documented and tested?
• Is there a documented strategic plan for technology expenditures?
Legal risks
• Are patent requirements audited to avoid competitor abuse as well as litigation?
• Is there an inventory of legal agreements and auditing of compliance?
• Do legal agreements include protection of customer privacy?
• Are there disturbing litigation patterns?
• Is action taken to assure product quality sufficient to avoid class action suits and loss of reputation?
Credit risks
• Are key statistics monitoring credit trends sufficient?
• How are settlement risks managed?
• Is there sufficient collateral to avoid deterioration of value?
• Is the incentive compensation program adequately rewarding loan portfolio profitability rather than volume?
• Is exposure to foreign entities monitored, as well as domestic entity exposure to foreign entities?
Market risks
• Is there a documented funding plan for outstanding lines?
• Are asset/liability management model assumptions analyzed?
• Is there a contingency funding plan for extreme events?
• Are core deposits analyzed for price and cash flow?
Table 2.4 Product/technology risk assessment (X marks the expert rating)
Factor | 1—Fully experienced | 2 | 3—Significant change | 4 | 5—No experience | Score
Current development capability | | | X | | | 3
Technological competency | | X | | | | 2
Intellectual property protection | | | | X | | 4
Manufacturing and service delivery system | X | | | | | 1
Required knowledge | | | X | | | 3
Necessary service | | X | | | | 2
Expected quality | | | X | | | 3
Total | | | | | | 18

Table 2.5 Product/technology failure risk assessment (X marks the expert rating)
Factor | 1—Same as present | 2 | 3—Significant change | 4 | 5—Completely different | Score
Customer behavior | | | | X | | 4
Distribution and sales | | | X | | | 3
Competition | | | | | X | 5
Brand promise | | | | | X | 5
Current customer relationships | | | | | X | 5
Knowledge of competitor behavior | | | | X | | 4
Total | | | | | | 26

Table 2.3 Product risk matrix
Level of risk | Likelihood of risk low | Likelihood of risk medium | Likelihood of risk high
High | Hedge | Avoid | Avoid
Medium | Control internally | Hedge | Hedge
Low | Accept | Control internally | Control internally
Table 2.6 combines these scales, with risk assessment probabilities that should be developed by expert product managers based on historical data to the degree possible.
In Table 2.6, the combination of a technology risk score of 18 (row 15–20) with a product failure risk score of 26 (column 25–30) is the cell set in bold in the original, indicating a risk probability assessment of 0.30.
Color Matrices
Risk matrices have been applied in many contexts. McIlwain3 cited the application of clinical risk management in the UK arising from the National Health Service Litigation Authority creation in April 1995. This triggered systematic analysis of incident reporting on a frequency/severity grid comparing likelihood and consequence. Traffic light colors are often used to categorize risks into three (or more) categories, quickly identifying combinations of frequency and consequence calling for the greatest attention. Table 2.7 demonstrates the use of a risk matrix that could be based on historical data, with green assigned to a proportion of cases with serious incident rates below some threshold (say 0.01), red for high proportions (say 0.10 or greater), and amber in between.
While risk matrices have proven useful, they can be misused as can any tool. Cox4
provided a critique of some of the many risk matrices in use. Positive examples were
shown from the Federal Highway Administration for civil engineering administration
(Table 2.8), and the Federal Aviation Administration applied to airport operation safety.
The Federal Aviation Administration risk matrix was quite similar, but used
qualitative terms for the likelihood categories (frequent, probable, remote, extremely
remote, and extremely improbable) and severity categories (no safety effect, minor,
major, hazardous, and catastrophic).
There have been many criticisms of color risk matrices, focusing on the following issues:
• Inconsistency often found between risk matrices and quantitative measures (the column and row cutoffs are essentially arbitrary).
• Subjective classification in color matrices.
• Scaling of categories—Levine suggested that scales in risk matrices are often more appropriately logarithmically scaled rather than linear.5
• Limited resolution often resulting in risk ties.
• Use of a matrix across an organization, often in different contexts.

Table 2.6 Innovation product risk matrix—expert success probability assessments
Technology score | Failure <10 | Failure 10–15 | Failure 15–20 | Failure 20–25 | Failure 25–30
30–35 | 0.50 | 0.40 | 0.30 | 0.15 | 0.01
25–30 | 0.65 | 0.50 | 0.45 | 0.30 | 0.05
20–25 | 0.75 | 0.60 | 0.55 | 0.45 | 0.20
15–20 | 0.80 | 0.70 | 0.65 | 0.55 | 0.30
10–15 | 0.90 | 0.85 | 0.80 | 0.65 | 0.45
<10 | 0.95 | 0.90 | 0.85 | 0.70 | 0.60
Some problems arise because inevitably different risk assessors will assign
different ratings to the same hazard. It has been found that even after lengthy
reflection, a great degree of scatter remains, due to fundamentally different beliefs
and world views.6
Cox identified some characteristics that should be present in risk matrices:
1. Under weak consistency conditions, no red cell should share an edge with a
green cell.
2. No red cell can occur in the left column or in the bottom row.
3. A line from a green cell to a red cell must pass through a yellow cell.
4. There must be at least three colors.
5. Too many colors give spurious resolution.
Table 2.7 Risk matrix of medical events
Likelihood | Consequence insignificant | Consequence minor | Consequence moderate | Consequence major | Consequence catastrophic
Almost certain | Amber | Red | Red | Red | Red
Likely | Green | Amber | Red | Red | Red
Possible | Green | Amber | Amber | Amber | Red
Unlikely | Green | Green | Amber | Amber | Red
Rare | Green | Green | Green | Amber | Amber

Table 2.8 Risk matrix for Federal Highway Administration (2006)
Probability | Very low impact | Low impact | Medium impact | High impact | Very high impact
Very high | Green | Yellow | Red | Red | Red
High | Green | Yellow | Red | Red | Red
Medium | Green | Green | Yellow | Red | Red
Low | Green | Green | Yellow | Red | Red
Very low | Green | Green | Green | Yellow | Red
Extracted from Cox (2008)4

Note that Table 2.8 violated characteristics 2 and 3.
Cox argued that risk ratings do not necessarily support good resource allocation
decisions. This is due to the inherently subjective categorization of uncertain
consequences. Thus Cox argues that theoretical results he presented demonstrate
that quantitative and semi-quantitative risk matrices (using numbers instead of
categories) cannot correctly reproduce risk ratings, especially if frequency and
severity are negatively correlated.
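As an added example (not code from the book), the following Python checks a color matrix against Cox's characteristics 1 to 4; characteristic 3 is approximated by forbidding a green cell from touching a red cell even at a corner (a straight line between two corner-adjacent cells crosses no intermediate cell), and characteristic 5 is a judgement that is not checked. Function and constant names are this example's own; run against Table 2.8 it reports characteristics 2 and 3, as stated above.

```python
"""Check a color risk matrix against the consistency characteristics Cox listed.

Added example, not code from the book. Rows run from the highest
probability (top) to the lowest (bottom); columns from the lowest impact
(left) to the highest (right). Characteristic 3 is approximated: a green
cell must not touch a red cell even at a corner. Characteristic 5 is a
judgement call and is not checked.
"""

# Table 2.8 (Federal Highway Administration, as reproduced by Cox).
FHWA_MATRIX = [
    ["green", "yellow", "red", "red", "red"],       # very high probability
    ["green", "yellow", "red", "red", "red"],       # high
    ["green", "green", "yellow", "red", "red"],     # medium
    ["green", "green", "yellow", "red", "red"],     # low
    ["green", "green", "green", "yellow", "red"],   # very low
]

# Table 2.7 (medical events); amber plays the role of yellow.
MEDICAL_MATRIX = [
    ["amber", "red", "red", "red", "red"],          # almost certain
    ["green", "amber", "red", "red", "red"],        # likely
    ["green", "amber", "amber", "amber", "red"],    # possible
    ["green", "green", "amber", "amber", "red"],    # unlikely
    ["green", "green", "green", "amber", "amber"],  # rare
]

EDGE_STEPS = [(-1, 0), (1, 0), (0, -1), (0, 1)]
CORNER_STEPS = [(-1, -1), (-1, 1), (1, -1), (1, 1)]


def neighbour_colors(matrix, row, col, steps):
    """Colors of the cells reached from (row, col) by the given steps."""
    colors = []
    for d_row, d_col in steps:
        r, c = row + d_row, col + d_col
        if 0 <= r < len(matrix) and 0 <= c < len(matrix[r]):
            colors.append(matrix[r][c])
    return colors


def check_matrix(matrix):
    """Return the set of Cox characteristics (1-4) that the matrix violates."""
    violated = set()
    bottom = len(matrix) - 1
    for row, cells in enumerate(matrix):
        for col, color in enumerate(cells):
            if color != "red":
                continue
            # 2: no red cell in the left column or the bottom row.
            if col == 0 or row == bottom:
                violated.add(2)
            # 1: a red cell never shares an edge with a green cell.
            if "green" in neighbour_colors(matrix, row, col, EDGE_STEPS):
                violated.add(1)
            # 3 (corner approximation): a green cell diagonally adjacent to a
            # red cell lets a line run green -> red without crossing yellow.
            if "green" in neighbour_colors(matrix, row, col, CORNER_STEPS):
                violated.add(3)
    # 4: at least three colors must be present.
    if len({color for cells in matrix for color in cells}) < 3:
        violated.add(4)
    return violated


if __name__ == "__main__":
    print("Table 2.8 violates:", sorted(check_matrix(FHWA_MATRIX)) or "none")
    print("Table 2.7 violates:", sorted(check_matrix(MEDICAL_MATRIX)) or "none")
```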
Quantitative Risk Assessment
It would be ideal to go deeper than risk matrices allow, to be able to identify costs
and benefits of risk actions. Risk matrices are simple and useful tools because most
of the time, detailed cost and probability data is not available. However, if such data
is available, more accurate risk assessment is possible.7
Risk can be characterized by the attributes of threat, vulnerability, and conse-
quence, each of which can be expressed in terms of probability. Each of these is
uncertain, and in fact these three aspects of risk may be correlated. A normative
argument is that if these measures are important but are not known, the organization
should invest in obtaining them. Levine demonstrated risk management of computer
network security with an example comparing different types of attack in terms of
frequency, consequence, and risk. Table 2.9 provides hypothetical data.
In Table 2.9, risk is defined as the product of frequency and consequence, a
common approach. The risk matrix in this case can overlay treatments with cells, as
in Table 2.10.
In this case, the most attention would be given to identity theft. The others either are relatively low consequence (web vandalism) or relatively low frequency (cyber espionage, denial of service). Looking at the quantitative scale of risk, a somewhat different outcome is obtained, with cyber espionage and identity theft both being very high, closely followed by denial of service. Web vandalism is lower on this scale. Generally, moving to a more quantitative metric is preferable, with the tradeoff that more data is required, and its accuracy becomes an important factor.

Table 2.9 Hypothetical computer network security data
Attack type | Label | Frequency | Consequence | Risk
Cyber espionage | CE | 10^2 per year | $10^7 per event | $10^9 per year
Denial of service | DS | 10^2 per year | $10^6 per event | $10^8 per year
Identity theft | IT | 10^4 per year | $10^5 per event | $10^9 per year
Web vandalism | WV | 10^3 per year | $10^2 per event | $10^5 per year

Table 2.10 Risk matrix for computer network security
Frequency | Consequence <$10^3/event | Consequence $10^3 to ≤$10^5/event | Consequence ≥$10^6/event
>10^3 per year | Green | Amber (IT) | Red
>10^2 to 10^3 per year | Green (WV) | Amber | Amber
≤10^2 per year | Green | Green | Green (CE, DS)
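The Table 2.9 computation and its placement into the Table 2.10 cells, as an added Python example rather than code from the book; it reads the bin edges as printed in Table 2.10, assigns a consequence falling in the unlabelled $10^5 to $10^6 gap to the middle column (an assumption), and reports where the matrix's color order contradicts the quantitative ranking.

```python
"""Quantitative network security risk (Table 2.9) against the Table 2.10 matrix.

Added example, not code from the book. Risk is frequency x consequence, as
the chapter defines it. Bin edges are read from Table 2.10: frequency rows
">10^3", ">10^2 to 10^3" and "<=10^2" per year (top to bottom); consequence
columns "<$10^3", "$10^3 to $10^5" and ">=$10^6" per event (left to right).
The table leaves $10^5 to $10^6 unlabelled; such values go to the middle
column here (an assumption).
"""

# Hypothetical data from Table 2.9: label -> (name, attacks per year, $ per event)
ATTACKS = {
    "CE": ("Cyber espionage", 1e2, 1e7),
    "DS": ("Denial of service", 1e2, 1e6),
    "IT": ("Identity theft", 1e4, 1e5),
    "WV": ("Web vandalism", 1e3, 1e2),
}

# Table 2.10 colors, rows top to bottom, columns left to right.
MATRIX = [
    ["green", "amber", "red"],
    ["green", "amber", "amber"],
    ["green", "green", "green"],
]
COLOR_ORDER = {"green": 0, "amber": 1, "red": 2}


def annual_risk(frequency, consequence):
    """Expected loss per year: frequency x consequence."""
    return frequency * consequence


def matrix_cell(frequency, consequence):
    """(row, col) of Table 2.10 for a frequency/consequence pair."""
    if frequency > 1e3:
        row = 0
    elif frequency > 1e2:
        row = 1
    else:
        row = 2
    if consequence < 1e3:
        col = 0
    elif consequence < 1e6:
        col = 1
    else:
        col = 2
    return row, col


def rank_attacks(attacks=ATTACKS):
    """Attack types sorted by annual risk (highest first) with their matrix color."""
    ranked = []
    for label, (name, freq, cons) in attacks.items():
        row, col = matrix_cell(freq, cons)
        ranked.append({
            "label": label,
            "name": name,
            "risk": annual_risk(freq, cons),
            "cell": (row, col),
            "color": MATRIX[row][col],
        })
    ranked.sort(key=lambda entry: entry["risk"], reverse=True)
    return ranked


def color_disagreements(ranked):
    """Pairs (earlier label, later label) from the ranked list where an item of
    equal or higher quantitative risk received a lower matrix color."""
    pairs = []
    for i, high in enumerate(ranked):
        for low in ranked[i + 1:]:
            if COLOR_ORDER[high["color"]] < COLOR_ORDER[low["color"]]:
                pairs.append((high["label"], low["label"]))
    return pairs


if __name__ == "__main__":
    ranked = rank_attacks()
    for entry in ranked:
        print(f"{entry['label']}: risk ${entry['risk']:.0e}/year, cell {entry['cell']} {entry['color']}")
    print("matrix contradicts quantitative order for:", color_disagreements(ranked))
```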
To demonstrate, assume the context of a construction firm with a portfolio of ten
jobs, involving some risk to worker safety. The firm has a safety program that can be
applied to reduce some of these risks to varying degrees on each job. Cox addressed
four different levels of risk evaluation, depending upon the level of data available. The
risk matrices that we have been looking at require little quantitative data, although as
we have demonstrated in Table 2.6, they are more convincing if they are based on
quantitative input. Table 2.11 provides full raw data for the ten construction jobs.
In Table 2.11, column 2 is the potential liability due to injury in thousands of
dollars. Column 3 is the probability of an injury if no special safety improvement is
undertaken. Column 4 is the product of column 2 and column 3, the expected loss
without action. Column 5 is the proportion of the injury probability that can be
reduced by proposed action, which leads to savings in column 6 (the product of
column 4 and column 5). Column 7 is the amount of budget that would be needed to
reduce risk. Column 8 (RRPUC) is the risk reduction per unit cost.
Table 2.12 gives the risk matrix in categorical terms, using the dimensions of probability of injury (below 0.19; 0.20–0.25; 0.26 and above) and liability risk (below 399; 400–599; 600 and above).
Each combination of injury probability and liability risk has a mitigation strategy assigned. Insurance is obtained in all cases (even for subcontracting). Assigning extra safety personnel costs additional expense. Subcontracting sacrifices quite a bit of expected profit, and thus is to be avoided except in extreme cases. Table 2.12 demonstrates what Cox expressed as a limitation in that while the risk matrix is quick and easy, it is a simplification that can be improved upon. Cox suggested three indices, each requiring additional accurate inputs.

Table 2.11 Hypothetical construction data
Job | Liability risk (k$) | Prob{injury} (frequency) | Expected loss (risk) | Reducible | Savings (k$) | Cost of reducing | RRPUC
1 | 250 | 0.30 | 75.0 | 0.7 | 52.50 | 25 | 2.100
2 | 300 | 0.20 | 60.0 | 0.5 | 30.00 | 20 | 1.500
3 | 320 | 0.15 | 48.0 | 0.6 | 28.80 | 25 | 1.152
4 | 340 | 0.20 | 68.0 | 0.3 | 20.40 | 15 | 1.360
5 | 370 | 0.11 | 40.7 | 0.5 | 20.35 | 20 | 1.018
6 | 410 | 0.18 | 73.8 | 0.6 | 44.28 | 25 | 1.771
7 | 440 | 0.33 | 145.2 | 0.4 | 58.08 | 20 | 2.904
8 | 460 | 0.25 | 115.0 | 0.7 | 80.50 | 30 | 2.683
9 | 480 | 0.20 | 96.0 | 0.5 | 48.00 | 20 | 2.400
10 | 530 | 0.08 | 42.4 | 0.4 | 16.96 | 18 | 0.942

Table 2.12 Hypothetical risk matrix
Prob{injury} | Liability risk low | Liability risk medium | Liability risk high
High | Assign safety | Assign safety | Subcontract
Medium | Insurance only | Assign safety | Assign safety
Low | Insurance only | Insurance only | Assign safety
The first index is to use risk (the expected loss column in Table 2.11), the second
risk reduction (savings column in Table 2.11), the third the risk reduction per unit
cost (RRPUC column in Table 2.11). These would yield different rankings of which
jobs should receive the greatest attention. In all three cases, the contention is that
there is a risk reduction budget available to be applied, starting with the top-ranked
job and adding jobs until the budget is exhausted. Table 2.13 shows rankings and
budget required by job.
If there were a budget of $100k, using the risk ranking jobs 7, 8, 9, and 1 would be
given extra safety effort, as well as a 20% effort on job 6. With the risk reduction
index as well as the RRPUC index, a different order of selection would be applied,
here yielding the same set of jobs. For a budget of $150k, the risk index would
provide full treatment to job 6, add job 4, and 75% of job 2. The risk reduction index
would also provide full treatment to job 6, add job 2, and provide 40% coverage to
job 3. The RRPUC index also would again provide full treatment to job 6, add job
2, and 2/3rds coverage to job 4. The idea of all three indices is much the same, but
with more information provided. Table 2.14 shows the expected gains from these
two budget levels for each index.
Given a budget of $100k, the risk index would reduce expected losses by $58.08k on job 7, $80.50k on job 8, $48k on job 9, $52.50k on job 1, and $8.856k on job 6, for a total risk reduction of $247.936k. As we saw, this was the same for all three indices. But there is a difference given a budget of $150k. Here the risk index actually comes out a bit higher than the risk reduction index, but Cox has run simulations showing that risk reduction should provide a bit better performance. The RRPUC has to be at least as good as the other two, as its basis is the sorting key. The primary point is that there are ways to incorporate more complete information into risk management. The tradeoff is between the availability of information and accuracy of output.

Table 2.13 Ranking by index
Risk index ranking | Budget (k$) | Risk reduction index ranking | Budget (k$) | RRPUC ranking | Budget (k$)
Job 7 | 20 | Job 8 | 30 | Job 7 | 20
Job 8 | 30 | Job 7 | 20 | Job 8 | 30
Job 9 | 20 | Job 1 | 25 | Job 9 | 20
Job 1 | 25 | Job 9 | 20 | Job 1 | 25
Job 6 | 25 | Job 6 | 25 | Job 6 | 25
Job 4 | 15 | Job 2 | 20 | Job 2 | 20
Job 2 | 20 | Job 3 | 25 | Job 4 | 15
Job 3 | 25 | Job 4 | 15 | Job 3 | 25
Job 10 | 18 | Job 5 | 20 | Job 5 | 20
Job 5 | 20 | Job 10 | 18 | Job 10 | 18

Table 2.14 Risk reductions achieved by index (k$)
Budget | Risk index | Risk reduction index | RRPUC
$100k | 247.936 | 247.936 | 247.936
$150k | 326.260 | 324.880 | 326.961
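Greedy allocation by the three indices, as an added Python example (not the authors' code) that reproduces Tables 2.13 and 2.14 from the Table 2.11 inputs; the last job that does not fit the budget is funded pro rata, as the text does with the 20% of job 6.

```python
"""Greedy risk-reduction budgeting by the three indices Cox suggested.

Added example, not the authors' code. Inputs are the Table 2.11 columns;
expected loss, savings and RRPUC are derived as the text describes. Jobs
are funded in index order and the last job that does not fit receives the
fraction of the budget left, as the chapter does for Tables 2.13 and 2.14.
"""

# Table 2.11: job -> (liability risk k$, P(injury), reducible share, cost to reduce k$)
JOBS = {
    1: (250, 0.30, 0.7, 25),
    2: (300, 0.20, 0.5, 20),
    3: (320, 0.15, 0.6, 25),
    4: (340, 0.20, 0.3, 15),
    5: (370, 0.11, 0.5, 20),
    6: (410, 0.18, 0.6, 25),
    7: (440, 0.33, 0.4, 20),
    8: (460, 0.25, 0.7, 30),
    9: (480, 0.20, 0.5, 20),
    10: (530, 0.08, 0.4, 18),
}


def derived(job):
    """Expected loss, savings from mitigation, cost and RRPUC for one job (k$)."""
    liability, p_injury, reducible, cost = JOBS[job]
    risk = liability * p_injury        # expected loss if nothing is done
    savings = risk * reducible         # risk reduction bought by the action
    return {"risk": risk, "savings": savings, "cost": cost,
            "rrpuc": savings / cost}   # risk reduction per unit cost


INDICES = {
    "risk": lambda d: d["risk"],
    "risk_reduction": lambda d: d["savings"],
    "rrpuc": lambda d: d["rrpuc"],
}


def ranking(index):
    """Job numbers in descending order of the chosen index (Table 2.13)."""
    return sorted(JOBS, key=lambda job: INDICES[index](derived(job)), reverse=True)


def allocate(index, budget):
    """Fund jobs in index order until the budget is spent.

    Returns (total expected-loss reduction in k$, {job: funded fraction}).
    """
    remaining = float(budget)
    funded = {}
    total = 0.0
    for job in ranking(index):
        if remaining <= 1e-9:
            break
        d = derived(job)
        fraction = min(1.0, remaining / d["cost"])   # pro rata for the last job
        funded[job] = fraction
        total += fraction * d["savings"]
        remaining -= fraction * d["cost"]
    return total, funded


def reductions_table(budgets=(100, 150)):
    """Table 2.14 as {budget: {index name: total reduction k$}}."""
    return {b: {name: allocate(name, b)[0] for name in INDICES} for b in budgets}


if __name__ == "__main__":
    for name in INDICES:
        print(name, "ranking:", ranking(name))
    for budget, row in reductions_table().items():
        print(f"budget ${budget}k:", {k: round(v, 3) for k, v in row.items()})
```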
Strategy/Risk Matrix
Risk matrices can be applied to capture the essence of tradeoffs in risk and other
measures of value. In this case, we apply a risk matrix to a construction industry
study where the original authors applied an analytic hierarchy model.8 The model is
relatively straightforward. The construction context included a number of types of
work, each with a relative rating of supply risk along with a similar weighting of
strategic impact. Data is given in Table 2.15.
Figure 2.1 displays a scatter diagram of this data.
Table 2.15 Construction work risk and impact
Type | Supply risk | Strategic impact
Cement 0.05 0.34
Workforce 0.09 0.40
Aggregate 0.11 0.58
Transport 0.12 0.18
Demolition 0.12 0.38
Painting 0.15 0.25
Misc. 0.15 0.28
Steel 0.15 0.65
Insulation 0.16 0.18
Travel 0.17 0.29
Cast iron 0.18 0.23
Excavation 0.20 0.26
Locksmith 0.21 0.36
Floor cover 0.22 0.23
Infrastructure 0.23 0.58
Sanitary 0.23 0.70
Ceilings 0.25 0.24
Geotechnical 0.25 0.29
Electrical 0.25 0.57
Climate 0.26 0.34
Aluminum 0.31 0.24
Formwork 0.31 0.31
Concrete 0.46 0.92
Mosaic 0.51 0.26
Carpentry 0.54 0.24
Special forming 0.56 0.31
Stone 0.59 0.24
Scaffolding 0.62 0.29
Construction contexts could differ widely, but we will assume an operation where
the greatest profit is expected from conducting operations normally. Risk can be
reduced by spending extra money in the form of added inspection and safety
supervisors, but this would eat into profit. The least profit would be expected from
an option to outsource construction, placing the risk on subcontractors. The criteria
can be sorted in a risk matrix considering both dimensions, as in Table 2.16.
In this case, this policy would result in outsourcing (subcontracting) concrete
work, which has a supply risk rating of 0.46 and a very high strategic impact of 0.92.
Added risk control would be adopted for ten other types of work: aggregate, steel, infrastructure, sanitary, electrical, mosaic, carpentry, special forming, scaffolding, and stone.
Fig. 2.1 Strategic impact plotted against supply risk (scatter plot of the Table 2.15 data; x-axis: supply risk, 0 to 0.7; y-axis: strategic impact, 0 to 1)
Table 2.16 Risk matrix of risk/strategic impact trade-off
Strategic impact | Supply risk ≤0.2 | Supply risk >0.2 to ≤0.5 | Supply risk >0.5 to ≤0.8 | Supply risk >0.8
>0.8 | Add risk control | Outsource | Outsource | Outsource
>0.5 to ≤0.8 | Add risk control | Add risk control | Outsource | Outsource
>0.2 to ≤0.5 | Normal operation | Normal operation | Add risk control | Outsource
≤0.2 | Normal operation | Normal operation | Normal operation | Add risk control
Risk Adjusted Loss
It is better to be quantitative than qualitative, but the problem is that data is not always available. Monat and Doremus9 have presented a risk-adjusted index approach with the following steps:
• Identify risks
• Assign quantitative values for probability and dollar impact to each risk
(subjective)
• Estimate the organization’s or individual’s risk tolerance using rule-of-thumb
• Calculate Risk-Adjusted Loss (RAL formula below)
• Prioritize risks from highest RAL to lowest
$$\mathrm{RAL} = \text{Probability} \times \text{Impact} \times \left[ 1 + \frac{(1 - \text{Probability}) \times \text{Impact}}{2 \times \text{Risk Tolerance}} \right]$$
Monat and Doremus include variance in the above formulation. RAL essentially adds a risk factor to expected value based on their formulation of variance and risk aversion. Risk tolerance tries to reflect the organization’s ability to absorb risk. The larger the organization, the greater their ability to absorb risk. A rule of thumb for risk-averse companies would be to multiply net income by 1.24 (there are other rules of thumb). To demonstrate, consider Table 2.7 redone in terms of assessment of impact and probability in Table 2.17, showing expected losses as P × I.

Table 2.17 Table of expected losses
Probability | Impact insignificant 10,000 | Impact minor 100,000 | Impact moderate 500,000 | Impact major 1,000,000 | Impact catastrophic 10,000,000
0.95 | 9500 | 95,000 | 475,000 | 950,000 | 9,500,000
0.7 | 7000 | 70,000 | 350,000 | 700,000 | 7,000,000
0.4 | 4000 | 40,000 | 200,000 | 400,000 | 4,000,000
0.2 | 2000 | 20,000 | 100,000 | 200,000 | 2,000,000
0.01 | 100 | 1000 | 5000 | 10,000 | 100,000

This approach could make it easier to set the color limits. For instance, expected loss above $450,000 might call for red, below $60,000 green, and in between amber. This would vary a bit from the verbal limits given in Table 2.7, where the P = 0.95, Impact = Insignificant cell was assigned an amber classification, but in Table 2.17 you can see that very little expected loss was expected. The same holds for P = 0.01, Impact = Major. The red categories were similar except that P = 0.95, Impact = Minor was here classified as amber, as was P = 0.7, Impact = Moderate, while they were red in Table 2.7. With expected losses, it is less likely to get inversions of categories (although just because you quantify an estimate does not mean that you have removed all subjectivity). To apply the formula, assume an organization with net income of 1,000,000 per year, making RT = 1,240,000. Table 2.18 gives the risk-adjusted losses for the expected losses in Table 2.17.
The formula seems to have an anomaly for high P and high I, with an inversion.
This occurs because the high impact value of 10,000,000 overwhelms the RT of
1,240,000, making the latter component of the formula negative. Thus there is an
interesting phenomenon in the formula for high P and high I, but in reality, such
cases would easily be considered high risk, and firms should be wary of taking on
risks greater than twice their annual income. Further, the formula yields drastic
increases over expected loss when Impact is 10,000,000. Not only is the inversion
there for high probability, the extreme low probability outcome turns red (which
might be appropriate for catastrophic loss).
Monat and Doremus also suggest using their formula to rank order new risks. For
a new case with an estimated probability of 0.65 and estimated impact of
$4,000,000, the RAI would be 2,884,375, definitely in the red zone. If a portfolio
of five new projects were being considered with the estimates given in Table 2.19
(along with the RT of 1,240,000 used above), the RAI could provide a basis for
ranking relative risks.
Table 2.18 Table of RAI
Probability | Impact insignificant 10,000 | Impact minor 100,000 | Impact moderate 500,000 | Impact major 1,000,000 | Impact catastrophic 10,000,000
0.95 | 9502 | 95,192 | 479,788 | 969,153 | 11,415,323?
0.7 | 7008 | 70,847 | 371,169 | 784,677 | 15,467,742
0.4 | 4010 | 40,968 | 224,194 | 496,774 | 13,677,419
0.2 | 2006 | 20,645 | 116,129 | 264,516 | 8,451,613
0.01 | 100 | 1040 | 5998 | 13,992 | 499,194

Table 2.19 New cases
Case | Probability | Impact | Expected loss | RAI | Rank
1 | 0.65 | 4,000,000 | 2,600,000 | 4,067,742 | 3
2 | 0.15 | 6,000,000 | 900,000 | 2,750,806 | 4
3 | 0.25 | 8,000,000 | 2,000,000 | 6,838,710 | 1
4 | 0.40 | 5,000,000 | 2,000,000 | 4,419,355 | 2
5 | 0.90 | 1,000,000 | 900,000 | 936,290 | 5
Note that the expected loss for cases 4 and 5 was the same, but the RAI is much greater for case 3, which ranked highest in risk of the five cases. Based on expected loss, case 1 was the riskiest. Based on RAI, cases 3 and 4 are both rated riskier than case 1. Consideration of risk aversion is a valid approach, but it does require some assumptions, just as any quantitative model does.
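The RAL formula applied to Tables 2.17 to 2.19, as an added Python example rather than code from Monat and Doremus; RT is the 1.24 × net income rule of thumb with the $1,000,000 net income used in the text, and the inversion check flags the high-probability, high-impact anomaly discussed above.

```python
"""Risk-Adjusted Loss (RAL) of Monat and Doremus for Tables 2.17 to 2.19.

Added example, not the authors' code. RAL = P x I x [1 + (1 - P) x I / (2 x RT)].
RT follows the 1.24 x net income rule of thumb with the $1,000,000 net income
assumed in the text, giving RT = 1,240,000.
"""

NET_INCOME = 1_000_000
RISK_TOLERANCE = 1.24 * NET_INCOME            # RT = 1,240,000

PROBABILITIES = [0.95, 0.7, 0.4, 0.2, 0.01]   # rows of Tables 2.17 and 2.18
IMPACTS = [10_000, 100_000, 500_000, 1_000_000, 10_000_000]  # columns

# Table 2.19 new cases: (probability, impact)
NEW_CASES = [(0.65, 4_000_000), (0.15, 6_000_000), (0.25, 8_000_000),
             (0.40, 5_000_000), (0.90, 1_000_000)]


def expected_loss(probability, impact):
    """Table 2.17 entry: P x I."""
    return probability * impact


def risk_adjusted_loss(probability, impact, risk_tolerance=RISK_TOLERANCE):
    """Expected loss scaled up by the variance-based risk aversion term."""
    adjustment = (1 - probability) * impact / (2 * risk_tolerance)
    return expected_loss(probability, impact) * (1 + adjustment)


def ral_table(probabilities=PROBABILITIES, impacts=IMPACTS,
              risk_tolerance=RISK_TOLERANCE):
    """Table 2.18: rows by probability, columns by impact, rounded to dollars."""
    return [[round(risk_adjusted_loss(p, i, risk_tolerance)) for i in impacts]
            for p in probabilities]


def has_inversion(impact, probabilities=PROBABILITIES,
                  risk_tolerance=RISK_TOLERANCE):
    """True when a higher probability gives a lower RAL at the same impact."""
    values = [risk_adjusted_loss(p, impact, risk_tolerance)
              for p in sorted(probabilities)]
    return any(later < earlier for earlier, later in zip(values, values[1:]))


def rank_cases(cases=NEW_CASES, risk_tolerance=RISK_TOLERANCE):
    """Table 2.19 rows: (case number, expected loss, RAL, rank by RAL)."""
    scored = [(n, expected_loss(p, i), risk_adjusted_loss(p, i, risk_tolerance))
              for n, (p, i) in enumerate(cases, start=1)]
    by_ral = sorted(scored, key=lambda row: row[2], reverse=True)
    rank = {n: position for position, (n, _, _) in enumerate(by_ral, start=1)}
    return [(n, round(e), round(r), rank[n]) for n, e, r in scored]


if __name__ == "__main__":
    for p, row in zip(PROBABILITIES, ral_table()):
        print(p, row)
    print("inversion at impact 10,000,000:", has_inversion(10_000_000))
    for case in rank_cases():
        print("case %d: expected %d, RAL %d, rank %d" % case)
```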
Conclusions
The study of risk management has grown in the last decade in response to serious incidents threatening trust in business operations. The field is evolving, but the first step is generally considered to be application of a systematic process, beginning with consideration of the organization’s risk appetite. Then risks facing the organization need to be identified, controls generated, and the risk management process reviewed, along with historical documentation and records, for improvement of the process.
Risk matrices are a means to consider the risk components of threat severity and probability. They have been used in a number of contexts, basic applications of which were reviewed. Cox and Levine provide useful critiques of the use of risk matrices. That same author also suggested more accurate quantitative analytic tools. An ideal approach would be to expend such measurement funds only if they enable reducing overall cost. The interesting aspect is that we do not really know. Thus we would argue that if you have accurate data (and it is usually worth measuring whatever you can), you should get as close to this ideal as you can. Risk matrices provide valuable initial tools when high levels of uncertainty are present. Quantitative risk assessment in the form of indices as demonstrated would be preferred if data to support it is available.
Notes
1. Prasad, S.B. (2011). A matrixed assessment. Internal Auditor 68(6), 63–64.
2. Day, G.S. (2007). Is it real? Can we win? Is it worth doing? Managing risk and
reward in an innovation portfolio, Harvard Business Review 85:12, 110–120.
3. McIlwain, J.C. (2006). A review: A decade of clinical risk management and risk
tools, Clinician in Management 14:4, 189–199.
4. Cox, L.A. Jr. (2008). What’s wrong with risk matrices? Risk Analysis 28:2,
497–512.
5. Levine, E.S. (2012). Improving risk matrices: The advantages of logarithmically
scaled axes. Journal of Risk Research 15(2), 209–222.
6. Ball, D.J. and Watt, J. (2013). Further thoughts on the utility of risk matrices.
Risk Analysis 33(11), 2068–2078.
7. Cox, L.A., Jr. (2012). Evaluating and improving risk formulas for allocating
limited budgets to expensive risk-reduction opportunities. Risk Analysis 32(7),
1244–1252.
8. Ferreira, L.M.D.F., Arantes, A. and Kharlamov, A.A. (2015). Development of a
purchasing portfolio model for the construction industry: An empirical study.
Production Planning & Control 26(5), 377–392.
9. Monat, J.P. and Doremus, S. (2018). An alternative to Heat Map Risk Matrices
for project risk prioritization. Journal of Modern Project Management May–Aug,
104–113.
3 Value-Focused Supply Chain Risk Analysis
A fundamental premise of Keeney’s book1 is that decision makers should not settle
for those alternatives that are thrust upon them. The conventional solution process
is to generate alternative solutions to a problem, and then focus on objectives. This
framework tends to suppose an environment where decision makers are powerless
to do anything but choose among given alternatives. It is suggested that a more
fruitful approach would be for decision makers to take more control over this
process, and use objectives to create alternatives, based on what the decision
makers would like to achieve, and why objectives are important.
Hierarchy Structuring
Structuring translates an initially ill-defined problem into a set of well-defined
elements, relations, and operations. This chapter is based on concepts presented in
Keeney, and in Olson.2
Before we discuss hierarchies and their structure, we should give some basic
definitions. Keeney and Raiffa3 gave the following definitions:
Objective—the preferred direction of movement on some measure of value
Attribute—a dimension of measurement
Keeney and Raiffa distinguish between utility models, based upon tradeoffs of
return and risk found in von Neumann-Morgenstern utility theory and the more
general value models allowing tradeoffs among any set of objectives and
sub-objectives. Preferential independence concerns whether the decision maker’s
preference among attainment levels on two criteria do not depend on changes in
other attribute levels. Attribute independence is a statistical concept measured by
correlation. Preferential independence is a property of the desires of the decision
maker, not the alternatives available.
© Springer-Verlag GmbH Germany, part of Springer Nature 2020
D. L. Olson, D. Wu, Enterprise Risk Management Models, Springer Texts in
Business and Economics, https://doi.org/10.1007/978-3-662-60608-7_3
The simplest hierarchy would involve VALUE as an objective with available
alternatives branching from this VALUE node. Hierarchies generally involve additional
layers of objectives when the number of branches from any one node exceeds
some certain value. Cognitive psychology has found that people are poor at
assimilating large quantities of information about problems. Saaty used this concept
as a principle in analytic hierarchy development, calling for a maximum of seven
branches from any one node in the analytic hierarchy process (AHP) [4].
Desirable characteristics of hierarchies given by chapter 2 of Keeney and Raiffa
(1976) include:
Completeness—objectives should span all issues of concern to the decision maker,
and attributes should indicate the degree to which each objective is met.
Operability—available alternatives should be characterized in an effective way.
Decomposability—preferential and certainty independence assumptions should be
met.
Lack of Redundancy—there should not be overlapping measures.
Size—the hierarchy should include the minimum number of elements necessary.
Keeney and Saaty both suggest starting with identification of the overall funda-
mental objective. In the past, business leaders would focus on profit. Keeney stated
that the overall objective can be the combination of more specific fundamental
objectives, such as minimizing costs, minimizing detrimental health impacts, and
minimizing negative environmental impacts. For each fundamental objective,
Keeney suggested the question, “Is it important?”
Subordinate to fundamental objectives are means objectives—ways to accomplish
the fundamental objectives. Means objectives should be mutually exclusive
and collectively exhaustive with respect to fundamental objectives. When asked
“Why is it important?”, means objectives would be those objectives for which a clear
reason relative to fundamental objectives appears. If no clear reason other than “It
just is” appears, the objective probably should be a fundamental objective. Available
alternatives are the bottom level of the hierarchy, measured on all objectives
immediately superior. If alternative performance on an objective is not measurable,
Keeney suggests dropping that objective. Value judgments are required for fundamental
objectives, and judgments about facts are required for means-ends objectives
(Fig. 3.1).
Hierarchy Development Process
Hierarchies can be developed in two basic manners: top-down or bottom-up. The
most natural approach is to start at the top, identifying the decision maker’s
fundamental objective, and developing subelements of value, proceeding downward
until all measures of value are included (weeding out redundancies and
measures that do not discriminate among available alternatives). At the bottom of
the hierarchy, available alternatives can be added. It is at this stage that new and
better alternatives are appropriate to consider. The top-down approach includes the
following phases [5]:
1. Ask for overall values
2. Explain the meanings of initial value categories and interrelationships
WHAT IS MEANT by this value?
WHY IS THIS VALUE IMPORTANT?
HOW DO AVAILABLE OPTIONS AFFECT attaining this value?
3. Get a list of concerns—as yet unstructured
The aim of this approach is to gain as wide a spectrum of values as possible. Once
they are attained, then the process of weeding and combining can begin.
The value-focused approach has been applied to supply chain risk identification [6].
Here we apply our view of value-focused analysis to a representative supply
chain risk situation. We hypothesize a supply chain participant considering location
of a plant to produce products for a multinational retailer. We can start looking for
overall values, using the input from published sources given in Table 3.1. The first
focus is on the purpose of the business—the product. Product characteristics of
importance include its quality, meeting specifications, cost, and delivery. In today’s
business environment, we argue that service is part of the product. We represent that
in our hierarchy with the concept of manufacturability and deliverability to
consumer (which reflects life cycle value to the customer). The operation of the
supply chain is considered next, under the phrase “management,” which reflects the
ability of the supply chain to communicate, and to be agile in response to changes.
There are also external risks, which we cluster into the three areas of political
(regulation, as well as war and terrorism), economic (overall economic climate as
well as the behavior of the specific market being served), and natural disaster. Each
of these hierarchical elements can then be used to identify specific risks for a given
supply chain situation. We use those identified in Table 3.1 to develop a value
hierarchy.
Fig. 3.1 Value hierarchy framework
Table 3.1 Value hierarchy for supply chain risk
Top Level | Second Level | Third Level
Product | Quality |
Product | Cost | Price
Product | Cost | Investment required
Product | Cost | Holding cost/service level tradeoff
Product | On-time delivery |
Service | Manufacturability | Outsourcing opportunity cost/risk tradeoff
Service | Manufacturability | Ability to expand production
Service | Manufacturability | New technology breakthroughs
Service | Manufacturability | Product obsolescence
Service | Deliverability | Transportation system
Service | Deliverability | Insurance cost
Management | Communication | IS breakdown
Management | Communication | Distorted information leading to bullwhip effect
Management | Communication | Forecast accuracy
Management | Communication | Integration
Management | Communication | Viruses/bugs/hackers
Management | Flexibility | Agility of sources
Management | Flexibility | Ability to replace sources as needed
Management | Safety | Plant disaster
Management | Labor | Risk of strikes, disputes
Political | Government | Customs and regulations
Political | Government | War and Terrorism
Economic | Overall economy | Economic downturn
Economic | Overall economy | Exchange rate risk
Economic | Specific regional economy | Labor cost influence
Economic | Specific regional economy | Changes in competitive advantage
Economic | Specific market | Price fluctuation
Economic | Specific market | Customer demand volatility
Economic | Specific market | Customer payment
Natural disaster | Uncontrollable disaster |
Natural disaster | Diseases, epidemics |
The next step in multiple attribute analysis is to generate the alternatives. There
are a number of decisions that might be made, to include vendor selection, plant
siting, information system selection, or the decision to enter specific markets by
region or country. For some of these, there may be binary decisions (enter a
country’s market or not), or there might be a number of variants (including different
degrees of entering a specific market). In vendor selection and in plant siting, there
may be very many alternatives. Usually, multiple attribute analysis focuses on two to
seven alternatives that are selected as most appropriate through some screening
process. Part of the benefit of value analysis is that better alternatives may be
designed as part of the hierarchical development, seeking better solutions
performing well on all features.
Suggestions for Cases Where Preferential Independence Is Absent
If an independence assumption is found to be inappropriate, either a fundamental
objective has been overlooked or means objectives are being used as fundamental
objectives. Therefore, identification of the absence of independence should lead to
greater understanding of the decision maker’s fundamental objectives.
Multiattribute Analysis
The next step of the process is to conduct multiattribute analysis. There are a
number of techniques that can be applied [7]. Multiattribute utility theory (MAUT)
can be supported by software products such as Logical Decision, which are usually
applied in more thorough and precise analyses. The simple multiattribute rating
theory (SMART) [8] can be used with spreadsheet support, and is usually the easiest
method to use. Analytic hierarchy process can also be applied, as was the case in all
of the cases applying multiple objective analysis. Expert Choice software is available,
but allows only seven branches, so is a bit more restrictive than MAUT, and
much more restrictive than SMART. Furthermore, the number of pairwise
comparisons required in AHP grows enormously with the number of branches.
Still, users often are willing to apply AHP and feel confident in its results [9]. Here
we will demonstrate using SMART for a decision involving site selection of a plant
within a supply chain.
The SMART Technique
Edwards proposed a ten-step technique. Some of these steps include the process of
identifying objectives and organization of these objectives into a hierarchy.
Guidelines concerning the pruning of these objectives to a reasonable number
were provided.
Step 1: Identify the person or organization whose utilities are to be maximized.
Edwards argued that MAUT could be applied to public decisions in the same
manner as was proposed for individual decision making.
Step 2: Identify the issue or issues. Utility depends on the context and purpose of
the decision.
Step 3: Identify the alternatives to be evaluated. This step would identify the
outcomes of possible actions, a data gathering process.
Step 4: Identify the relevant dimensions of value for evaluation of the alternatives.
It is important to limit the dimensions of value to those that are important for
this particular decision. This can be accomplished by restating and combining
goals, or by omitting less important goals. Edwards argued that it was not
necessary to have a complete list of goals. If the weight for a particular goal is quite
low, that goal need not be included. There is no precise range of goals for all
decisions. However, eight goals was considered sufficiently large for most cases,
and fifteen too many.
Step 5: Rank the dimensions in order of importance. For decisions made by one
person, this step is fairly straightforward. Ranking is a decision task that is easier
than developing weights, for instance. This task is usually more difficult in group
environments. However, groups including diverse opinions can lead to a more
thorough analysis of relative importance, as all sides of the issue are more likely to
be voiced. An initial discussion could provide all group members with a common
information base. This could be followed by identification of individual judgments
of relative ranking.
Step 6: Rate dimensions in importance, preserving ratios. The least important
dimension would be assigned an importance of 10. The next-least-important dimension
is assigned a number reflecting the ratio of relative importance to the
least important dimension. This process is continued, checking implied ratios as
each new judgment is made. Since this requires a growing number of comparisons,
there is a very practical need to limit the number of dimensions (objectives).
Edwards expected that different individuals in the group would have different
relative ratings.
Step 7: Sum the importance weights, and divide each by the sum. This step
allows normalization of the relative importances into weights summing to 1.0.
Step 8: Measure the location of each alternative being evaluated on each
dimension. Dimensions were classified into the groups: subjective, partly subjective,
and purely objective. For subjective dimensions, an expert in this field would
estimate the value of an alternative on a 0–100 scale, with 0 as the minimum
plausible value and 100 the maximum plausible value. For partly subjective
dimensions, objective measures exist, but attainment values for specific alternatives
must be estimated. Purely objective dimensions can be measured. Raiffa advocated
identification of utility curves by dimension [10]. Edwards proposed the simpler
expedient of connecting the maximum plausible and minimum plausible values with a
straight line [11]. It was argued that the straight line approach would provide an
acceptably accurate approximation.
Step 9: Calculate utilities for alternatives. $U_j = \sum_k w_k u_{jk}$, where $U_j$ is the utility
value for alternative $j$, $w_k$ is the normalized weight for objective $k$, and $u_{jk}$ is the
scaled value for alternative $j$ on dimension $k$, with $\sum_k w_k = 1$. The $w_k$ values were
obtained from Step 7 and the $u_{jk}$ values were generated in Step 8.
Step 10: Decide. If a single alternative is to be selected, select the alternative with
maximum $U_j$. If a budget constraint existed, rank order alternatives in the order of
$U_j/C_j$ where $C_j$ is the cost of alternative $j$. Then alternatives are selected in order of
highest ratio first until the budget is exhausted.
Plant Siting Decision
Assume that a supply chain vendor is considering sites for a new production facility.
Management has considered the factors that they feel are important in this decision
(the criteria):
• Acquisition and building cost
• Expected cost per unit
• Work force ability to produce quality product
• Work force propensity for labor dispute
• Transportation system reliability
• Expandability
• Agility to changes in demand
• Information system linkage
• Insurance structure
• Tax structure
• Governmental stability
• Risk of disaster
Each of these factors needs to be measured in some way. If possible, objective
data would be preferred, but often subjective expert estimates are all that is
available. The alternatives need to be identified as well. There are an infinite
number of sites, but the number considered is always filtered down to a smaller
number. Here we will start with ten options. Each of them has estimated
performances on each of the twelve criteria listed (Table 3.2):
Table 3.2 Plant siting data
Location | A&B | UnitC | Quality | Labor | Trans | Expand | Agility | IS link | Insurance | Tax | Govt | Disaster
Alabama | $20 m | $5.50 | High | Moderate | 0.30 | Good | 2 mos | Very good | $400 | $1000 | Very good | Hurricane
Utah | $23 m | $5.60 | High | Good | 0.28 | Poor | 3 mos | Very good | $350 | $1200 | Very good | Drought
Oregon | $24 m | $5.40 | High | Low | 0.31 | Moderate | 1 mo | Very good | $450 | $1500 | Good | Flood
Mexico | $18 m | $3.40 | Moderate | Moderate | 0.25 | Good | 4 mos | Good | $300 | $1800 | Fair | Quake
Crete | $21 m | $6.20 | High | Low | 0.85 | Poor | 5 mos | Good | $600 | $3500 | Good | Quake
Indonesia | $15 m | $2.80 | Moderate | Moderate | 0.70 | Fair | 3 mos | Poor | $700 | $800 | Fair | Monsoon
Vietnam | $12 m | $2.50 | Good | Good | 0.75 | Good | 2 mos | Good | $600 | $700 | Good | Monsoon
India | $13 m | $3.00 | Good | Good | 0.80 | Good | 3 mos | Very good | $700 | $900 | Very good | Monsoon
China #1 | $17 m | $3.10 | Good | Good | 0.60 | Fair | 2 mos | Very good | $800 | $1200 | Very good | Quake
China #2 | $15 m | $3.20 | Good | Good | 0.55 | Good | 3 mos | Very good | $500 | $1300 | Very good | Quake
Each of the choices involves some tradeoff. With twelve criteria, it will be rare
that one alternative (of the final set of filtered choices) will dominate another,
meaning that it is at least as good or better on all criteria measures, and strictly
better on at least one criterion.
Each measure can now be assigned a value score on a 0–1 scale, with 0 being the
worst performance imaginable, and 1 being the best performance imaginable. This
reflects the decision maker’s perception, a subjective value. For our data, a possible
set of values is given in Table 3.3.
The SMART method now needs to identify relative weights for the importance of
each criterion in the opinion of the decision maker or decision making group. This
process begins by sorting the criteria by importance. One possible ranking:
• Work force ability to produce quality product
• Expected cost per unit
• Risk of disaster
• Agility to changes in demand
• Transportation system reliability
• Expandability
• Governmental stability
• Tax structure
• Insurance structure
• Acquisition and building cost
• Information system linkage
• Work force propensity for labor dispute
The SMART method proceeds by assigning the most important criterion a value
of 1.0, and then assessing relative importance by considering the proportional worth
of moving from the worst to the best on the most important criterion (quality) and
moving from the worst to the best on the criterion compared to it. For instance, the
decision maker might judge moving from the worst possible unit cost to the best
possible unit cost to be 0.8 as important as moving from the worst possible quality
to the best possible quality. We assume the following ratings based on this
procedure:
Criterion | Code | Rating | Proportion
Work force ability to produce quality product | Quality | 1.00 | 0.167
Expected cost per unit | UnitC | 0.80 | 0.133
Risk of disaster | Disaster | 0.70 | 0.117
Agility to changes in demand | Agility | 0.65 | 0.108
Transportation system reliability | Trans | 0.60 | 0.100
Expandability | Expand | 0.58 | 0.097
Government stability | Govt | 0.40 | 0.067
Tax structure | Tax | 0.35 | 0.058
Insurance structure | Insurance | 0.32 | 0.053
Acquisition and building cost | A&B | 0.30 | 0.050
Information system linkage | IS link | 0.20 | 0.033
Work force propensity for labor dispute | Labor | 0.10 | 0.017
Proportion is obtained by dividing each rating by the sum of ratings (6.00).
Table 3.3 Standardized scores for plant siting data
Location | A&B | UnitC | Quality | Labor | Trans | Expand | Agility | IS link | Insurance | Tax | Govt | Disaster
Alabama | 0.60 | 0.40 | 0.90 | 0.30 | 0.90 | 1.0 | 0.8 | 1.0 | 0.70 | 0.80 | 1.0 | 0.5
Utah | 0.30 | 0.35 | 0.90 | 0.80 | 0.95 | 0 | 0.6 | 1.0 | 0.80 | 0.70 | 1.0 | 0.9
Oregon | 0.10 | 0.45 | 0.90 | 0.10 | 0.86 | 0.5 | 1.0 | 1.0 | 0.60 | 0.60 | 0.8 | 0.8
Mexico | 0.70 | 0.80 | 0.40 | 0.30 | 1.00 | 1.0 | 0.4 | 0.7 | 1.00 | 0.40 | 0.4 | 0.4
Crete | 0.50 | 0.20 | 0.90 | 0.10 | 0.30 | 0 | 0.2 | 0.7 | 0.50 | 0.00 | 0.8 | 0.3
Indonesia | 0.80 | 0.90 | 0.40 | 0.30 | 0.55 | 0.3 | 0.6 | 0 | 0.30 | 0.90 | 0.4 | 0.7
Vietnam | 0.90 | 0.95 | 0.60 | 0.80 | 0.50 | 1.0 | 0.8 | 0.7 | 0.50 | 1.00 | 0.8 | 0.7
India | 0.85 | 0.87 | 0.60 | 0.80 | 0.40 | 1.0 | 0.6 | 1.0 | 0.30 | 0.85 | 1.0 | 0.7
China #1 | 0.75 | 0.85 | 0.60 | 0.80 | 0.60 | 0.3 | 0.8 | 1.0 | 0.10 | 0.70 | 1.0 | 0.8
China #2 | 0.80 | 0.83 | 0.60 | 0.80 | 0.70 | 1.0 | 0.6 | 1.0 | 0.55 | 0.65 | 1.0 | 0.4
Note that for the Disaster criterion, specifics for each locale can lead to different ratings for the same
major risk category.
Overall value for each alternative site can then be ranked by the sumproduct of
criterion relative importances times the matrix of scores on criteria.
Location | A&B | UnitC | Quality | Labor | Trans | Expand | Agility | IS link | Insurance | Tax | Govt | Disaster
weight | 0.05 | 0.133 | 0.167 | 0.017 | 0.1 | 0.097 | 0.108 | 0.033 | 0.053 | 0.058 | 0.067 | 0.117
Alabama | 0.6 | 0.4 | 0.9 | 0.3 | 0.9 | 1 | 0.8 | 1 | 0.7 | 0.8 | 1 | 0.5
Utah | 0.3 | 0.35 | 0.9 | 0.8 | 0.95 | 0 | 0.6 | 1 | 0.8 | 0.7 | 1 | 0.9
Oregon | 0.1 | 0.45 | 0.9 | 0.1 | 0.86 | 0.5 | 1 | 1 | 0.6 | 0.6 | 0.8 | 0.8
Mexico | 0.7 | 0.8 | 0.4 | 0.3 | 1 | 1 | 0.4 | 0.7 | 1 | 0.4 | 0.4 | 0.4
Crete | 0.5 | 0.2 | 0.9 | 0.1 | 0.3 | 0 | 0.2 | 0.7 | 0.5 | 0 | 0.8 | 0.3
Indonesia | 0.8 | 0.9 | 0.4 | 0.3 | 0.55 | 0.3 | 0.6 | 0 | 0.3 | 0.9 | 0.4 | 0.7
Vietnam | 0.9 | 0.95 | 0.6 | 0.8 | 0.5 | 1 | 0.8 | 0.7 | 0.5 | 1 | 0.8 | 0.7
India | 0.85 | 0.87 | 0.6 | 0.8 | 0.4 | 1 | 0.6 | 1 | 0.3 | 0.85 | 1 | 0.7
China #1 | 0.75 | 0.85 | 0.6 | 0.8 | 0.6 | 0.3 | 0.8 | 1 | 0.1 | 0.7 | 1 | 0.8
China #2 | 0.8 | 0.83 | 0.6 | 0.8 | 0.7 | 1 | 0.6 | 1 | 0.55 | 0.65 | 1 | 0.4
This analysis ranks the alternatives as follows:
Rank Site Score
1 Vietnam 0.762
2 Alabama 0.754
3 India 0.721
4 China #2 0.710
5 Oregon 0.706
6 China #1 0.679
7 Utah 0.674
8 Mexico 0.626
9 Indonesia 0.557
10 Crete 0.394
This indicates a close result for Vietnam and Alabama, with the first seven sites all
reasonably close as well. There are a couple of approaches. More detailed
comparisons might be made between Vietnam and Alabama. Another approach is
to look at characteristics that these alternatives were rated low on, with the idea that
maybe the site’s characteristics could be improved.
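Steps 6 through 10 of the SMART procedure for this plant siting problem, as an added Python example (this is not code from the book). The twelve ratings are normalized into weights, rounded to three decimals as the book's weight row is; the sumproduct with the Table 3.3 scores gives each site's utility; the sites are then ranked. The block also runs the dominance test stated earlier in this section over the same score matrix, which the text says is rarely satisfied; on this data it finds exactly one dominated pair.

```python
"""SMART (Edwards) scoring for the plant siting example.

Added example: the data are the standardized scores of Table 3.3 and the
criterion ratings of the rating table above; the code is not the book's.
"""
from typing import Dict, List, Tuple

CRITERIA = ["A&B", "UnitC", "Quality", "Labor", "Trans", "Expand",
            "Agility", "IS link", "Insurance", "Tax", "Govt", "Disaster"]

# Step 6 ratings: the most important criterion (Quality) is fixed at 1.00
# and the others are rated relative to it.
RATINGS = {"Quality": 1.00, "UnitC": 0.80, "Disaster": 0.70, "Agility": 0.65,
           "Trans": 0.60, "Expand": 0.58, "Govt": 0.40, "Tax": 0.35,
           "Insurance": 0.32, "A&B": 0.30, "IS link": 0.20, "Labor": 0.10}

# Step 8 scores on a 0-1 scale (0 = worst imaginable, 1 = best), Table 3.3,
# one row per site in the CRITERIA column order.
SCORES = {
    "Alabama":   [0.60, 0.40, 0.90, 0.30, 0.90, 1.0, 0.8, 1.0, 0.70, 0.80, 1.0, 0.5],
    "Utah":      [0.30, 0.35, 0.90, 0.80, 0.95, 0.0, 0.6, 1.0, 0.80, 0.70, 1.0, 0.9],
    "Oregon":    [0.10, 0.45, 0.90, 0.10, 0.86, 0.5, 1.0, 1.0, 0.60, 0.60, 0.8, 0.8],
    "Mexico":    [0.70, 0.80, 0.40, 0.30, 1.00, 1.0, 0.4, 0.7, 1.00, 0.40, 0.4, 0.4],
    "Crete":     [0.50, 0.20, 0.90, 0.10, 0.30, 0.0, 0.2, 0.7, 0.50, 0.00, 0.8, 0.3],
    "Indonesia": [0.80, 0.90, 0.40, 0.30, 0.55, 0.3, 0.6, 0.0, 0.30, 0.90, 0.4, 0.7],
    "Vietnam":   [0.90, 0.95, 0.60, 0.80, 0.50, 1.0, 0.8, 0.7, 0.50, 1.00, 0.8, 0.7],
    "India":     [0.85, 0.87, 0.60, 0.80, 0.40, 1.0, 0.6, 1.0, 0.30, 0.85, 1.0, 0.7],
    "China #1":  [0.75, 0.85, 0.60, 0.80, 0.60, 0.3, 0.8, 1.0, 0.10, 0.70, 1.0, 0.8],
    "China #2":  [0.80, 0.83, 0.60, 0.80, 0.70, 1.0, 0.6, 1.0, 0.55, 0.65, 1.0, 0.4],
}


def normalize_weights(ratings: Dict[str, float], decimals: int = 3) -> Dict[str, float]:
    """Step 7: divide each rating by the sum of ratings so the weights add to 1.0.
    Rounding to three decimals reproduces the book's weight row exactly."""
    total = sum(ratings.values())
    return {name: round(r / total, decimals) for name, r in ratings.items()}


def smart_scores(weights: Dict[str, float], scores: Dict[str, List[float]],
                 criteria: List[str]) -> Dict[str, float]:
    """Step 9: U_j = sum_k w_k * u_jk for every alternative j."""
    return {site: sum(weights[c] * u for c, u in zip(criteria, row))
            for site, row in scores.items()}


def rank(utilities: Dict[str, float]) -> List[Tuple[str, float]]:
    """Step 10 (no budget constraint): highest utility first."""
    return sorted(utilities.items(), key=lambda kv: kv[1], reverse=True)


def dominated_pairs(scores: Dict[str, List[float]]) -> List[Tuple[str, str]]:
    """Pairs (a, b) where a is at least as good as b on every criterion and
    strictly better on at least one; b can be dropped before weighting."""
    pairs = []
    for a, row_a in scores.items():
        for b, row_b in scores.items():
            if a == b:
                continue
            if all(x >= y for x, y in zip(row_a, row_b)) and \
               any(x > y for x, y in zip(row_a, row_b)):
                pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    weights = normalize_weights(RATINGS)
    for position, (site, utility) in enumerate(rank(smart_scores(weights, SCORES, CRITERIA)), 1):
        print(f"{position:2d} {site:10s} {utility:.3f}")
    print("dominated pairs:", dominated_pairs(SCORES))
```

Normalizing the raw ratings without rounding gives utilities that differ from the book's in the fourth decimal only; the ranking is unchanged either way. The dominance check is worth running before weighting because a dominated alternative can never be preferred under any set of positive weights.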
Conclusions
Structuring of a value hierarchy is a relatively subjective activity, with a great deal of
possible latitude. It is good to have a complete hierarchy, including everything that
could be of importance to the decision maker. However, this yields unworkable
analyses. Hierarchies should focus on those criteria that are important in discrimi-
nating among available alternatives. The key to hierarchy structuring is to identify
those criteria that are most important to the decision maker, and that will help the
decision maker make the required choice.
This chapter presented the value-focused approach, and the SMART method.
These were demonstrated in the context of the supply chain risk management
decision of selecting a plant location for production of a component. The methods
apply for any decision involving multiple criteria.
Notes
1. Keeney, R.L. (1992). Value-Focused Thinking: A Path to Creative
Decisionmaking. Cambridge, MA: Harvard University Press.
2. Olson, D.L. (1996). Decision Aids for Selection Problems. New York: Springer.
3. Keeney, R.L. & Raiffa, H. (1976). Decisions with Multiple Objectives:
Preferences and Value Tradeoffs. New York: John Wiley & Sons.
4. Saaty, T.L. (1988). Decision Making for Leaders: The Analytic Hierarchy
Process for Decisions in a Complex World. Pittsburgh: RWS Publications.
5. Keeney, R.L., Renn, O. and von Winterfeldt, D. (1987). Structuring Germany’s
energy objectives, Energy Policy 15, 352–362.
6. Neiger, D., Rotaru, K and Churilov, L. (2009). Supply chain risk identification
with value-focused process engineering, Journal of Operations Management
27, 154–168.
7. Olson (1996), op cit.
8. Edwards, W. (1977). How to use multiattribute utility measurement for social
decisionmaking, IEEE Transactions on Systems, Man, and Cybernetics,
SMC-7:5, 326–340.
9. Olson, D.L., Moshkovich, H.M., Schellenberger, R. and Mechitov, A.I. (1995).
Consistency and Accuracy in Decision Aids: Experiments with Four
Multiattribute Systems, Decision Sciences 26:6, 723–749; Olson, D.L.,
Mechitov, A.I. and Moshkovich, H. (1998). Cognitive Effort and Learning
Features of Decision Aids: Review of Experiments, Journal of Decision Systems
7:2, 129–146.
10. Raiffa, H. (1968). Decision Analysis. Reading, MA: Addison-Wesley.
11. Edwards, W. (1977), op cit.
4 Examples of Supply Chain Decisions Trading Off Criteria
In prior editions, we reviewed five cases of models trading off criteria, seeking to
demonstrate how multiple criteria models can be applied, along with value analysis
to seek improvement. Sometimes risk is dealt with directly. Other times it is implicit,
especially in cases involving environmental issues. In this third edition, we present
five more cases.
In the five cases to follow, we will try to demonstrate the kinds of trade-off
decisions often applied in practice. A number of different multiple criteria
methodologies were applied in the original papers. We demonstrate with the less
complex SMART methodology, which is not often published recently because
journal publication requires new approaches, and the SMART methodology is
well-known (and quite useful). You can refer to the original articles if you are
interested in the methodologies they specifically used. We try to use their data as
closely as possible.
Case 1: Zhu, Shah and Sarkis (2018) [1]
This paper dealt with identifying product lines in the beverage industry to delete
when faced with a downsizing situation, seeking lean and sustainable supply chain
organization. Companies often have extensive product portfolios, making it difficult
to be lean. The authors consider strategic impact, resource management, financial
performance, and stakeholder interest. They apply analytic hierarchy process and its
variant analytic network process, as well as benefit cost and risk analysis. The
alternatives were three product families. Product family A was a signature brand
with many loyal customers, making it difficult to make changes. Product family B
was a secondary line, a healthier version of product family A, and a substitute.
Product family C was an innovative product line facing less direct competition than
the other two product families.
The company had a mature supply chain and a reputation for high quality. They
considered nine product candidates to delete with the intent of focusing to a leaner
supply chain system. These alternatives consisted of plastic (product family A), glass
(product family B), or metal (product family C) containers for each of the three
product families.
© Springer-Verlag GmbH Germany, part of Springer Nature 2020
D. L. Olson, D. Wu, Enterprise Risk Management Models, Springer Texts in
Business and Economics, https://doi.org/10.1007/978-3-662-60608-7_4
The analysis applied analytic hierarchy process (AHP) to obtain relative weights
for the higher level criteria of product characteristics as well as impact on internal
and external operational factors. They then went on to holistically evaluate plastic,
glass, and metal variants of each of the three products (nine alternatives) using
analytic network processing, followed by benefit-cost ratio adjusted for opportunity
(adjusting benefits) and risk (adjusting costs). The three analyses looked at different
aspects of the decision. We will use their AHP study to compare with a value
analysis.
Product-specific decision characteristics included the three criteria of impact on
resources (IOR), impact on strategy (IOS), and impact on financial performance
(IOFP). Criteria relating to internal operations were competencies (CO), supply
chain operations activities (SCOA), and lean dimensions (LD). External environ-
mental characteristics involved environmental sustainability (ES) and external
shareholders (SH). Thus eight criteria were involved. These criteria can be rank
ordered as follows:
CO > ES > SCOA > SH > LD > IOS = IOFP > IOR
Swing weighting for these criteria could be accomplished as in Table 4.1.
To make the sum equal 1.0, the last weight (IOR) was raised to 0.02 from the
calculated 0.01. The three options of product families A, B, and C
would then need to be scored on all eight criteria. These scores are given in Table 4.2.
Here product family C won out, with product family A second. Thus the analysis
would recommend going with metal containers in place of plastic. These rankings
match what the source authors obtained from AHP.
Table 4.1 Product deletion case swing weighting
Criteria | Code | From max | Weight | From min | Weight | Compromise
Internal operations competencies | CO | 100 | 0.303 | 300 | 0.303 | 0.30
Environmental sustainability | ES | 70 | 0.212 | 220 | 0.222 | 0.22
Supply chain operations activities | SCOA | 55 | 0.167 | 170 | 0.172 | 0.17
External stakeholders | SH | 35 | 0.106 | 110 | 0.111 | 0.11
Lean dimensions | LD | 35 | 0.106 | 100 | 0.101 | 0.10
Impact on strategy | IOS | 15 | 0.045 | 40 | 0.040 | 0.04
Impact on financial performance | IOFP | 15 | 0.045 | 40 | 0.040 | 0.04
Impact on resources | IOR | 5 | 0.015 | 10 | 0.010 | 0.01
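The swing weighting of Table 4.1, as an added Python example (not code from the book or from Zhu, Shah and Sarkis). Each criterion is rated twice, once relative to the most important criterion (the "From max" column, anchored at 100) and once relative to the least important one (the "From min" column, anchored at 10); each column is normalized on its own, and the two are reconciled into a compromise weight. The text does not say how the compromise column was formed; taking the rounded midpoint of the two normalized columns is an assumption made here, and it reproduces the table. The block also closes the rounding gap on the last criterion, as the text does for IOR, and reports the criterion on which the two elicitations disagree most, which is the check a facilitator would want before accepting the weights.

```python
"""Two-anchor swing weighting (Table 4.1 data).

Added example, not the book's code. The compromise rule (rounded midpoint of
the two normalized columns) is an assumption; the book only shows the result.
"""
from typing import Dict, List, Tuple

CODES = ["CO", "ES", "SCOA", "SH", "LD", "IOS", "IOFP", "IOR"]
FROM_MAX = [100, 70, 55, 35, 35, 15, 15, 5]       # Table 4.1, "From max" column
FROM_MIN = [300, 220, 170, 110, 100, 40, 40, 10]  # Table 4.1, "From min" column


def normalize(values: List[float], decimals: int = 3) -> List[float]:
    """Divide each swing rating by the column total so the weights sum to 1."""
    total = sum(values)
    return [round(v / total, decimals) for v in values]


def compromise_weights(codes: List[str], from_max: List[float],
                       from_min: List[float], decimals: int = 2) -> Dict[str, float]:
    """Midpoint of the two normalized columns, rounded to two decimals.

    Rounding usually leaves the weights summing to slightly less (or more)
    than 1.0; the residual is pushed onto the last, least important criterion,
    which is what the text reports doing for IOR (0.01 -> 0.02).
    """
    total_max, total_min = sum(from_max), sum(from_min)
    mid = [round((a / total_max + b / total_min) / 2, decimals)
           for a, b in zip(from_max, from_min)]
    residual = round(1.0 - sum(mid), decimals)
    mid[-1] = round(mid[-1] + residual, decimals)
    return dict(zip(codes, mid))


def largest_disagreement(codes: List[str], from_max: List[float],
                         from_min: List[float]) -> Tuple[str, float]:
    """Criterion whose two normalized weights differ most: the first place to
    revisit with the decision maker if the gap is uncomfortably large."""
    gaps = [abs(a - b) for a, b in zip(normalize(from_max), normalize(from_min))]
    worst = max(range(len(codes)), key=gaps.__getitem__)
    return codes[worst], round(gaps[worst], 3)


if __name__ == "__main__":
    print("from max:", dict(zip(CODES, normalize(FROM_MAX))))
    print("from min:", dict(zip(CODES, normalize(FROM_MIN))))
    print("compromise:", compromise_weights(CODES, FROM_MAX, FROM_MIN))
    print("largest disagreement:", largest_disagreement(CODES, FROM_MAX, FROM_MIN))
```

The two anchors give nearly the same weights here (the largest gap is one percentage point, on ES), which is the point of eliciting both: a large gap on some criterion would indicate that the decision maker's implied ratios are inconsistent and that criterion should be re-examined before scoring the alternatives.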
Value Analysis
Value analysis looks at relative strengths and weaknesses of each option. The score
matrix given in Table 4.2 provides a means to assess these. Product family C’s
relative strengths are in external stakeholders, internal operational competencies,
supply chain operations activities, and impact on strategy, while it is relatively weak
on environmental sustainability and impact on financial performance. Product family A is
strong on environmental sustainability, lean dimensions, financial performance, and
impact on resources, while weak on internal operations, supply chain operations,
and strategy impact. Product family B was not best on anything, while weakest with
respect to external stakeholder and resource impact.
Case 2: Liu, Eckert, Yannou-Le Bris, and Petit (2019) [2]
This case involves a larger dataset. Supplier selection is a widely popular supply
chain decision supported by multiple criteria models. Liu et al. (2019) modeled
sustainability balanced against economic value and social responsibility, in line with
the triple bottom line approach emphasized in Europe. They combined fuzzy input
with the Technique for Order of Preference by Similarity to Ideal Solution (TOPSIS)
and the analytic network process (ANP) for the task of ranking 12 types of farmers
and intermediate suppliers in a pork value chain in France. In that study, two
decision makers were involved, applying pairwise comparisons to the three triple
bottom line factors, as well as the three groups of subcriteria.
The 12 sources varied in feeding practices, dominant feed composition, size, and
horizontal or vertical storage. Twenty measures of environmental, economic, and
social (the triple bottom line) aspects were considered as displayed in Table 4.3.
Table 4.2 Product family scores on criteria
Criteria | Code | Weight | Prod. family A | Prod. family B | Prod. family C
Internal operations competencies | CO | 0.30 | 0.2 | 0.6 | 0.8
Environmental sustainability | ES | 0.22 | 1 | 0.2 | 0.1
Supply chain operations activities | SCOA | 0.17 | 0.2 | 0.6 | 0.8
External stakeholders | SH | 0.11 | 0.6 | 0.2 | 1
Lean dimensions | LD | 0.10 | 1 | 0.5 | 0.5
Impact on strategy | IOS | 0.04 | 0.2 | 0.6 | 0.8
Impact on financial performance | IOFP | 0.04 | 1 | 0.7 | 0.3
Impact on resources | IOR | 0.02 | 1 | 0.2 | 0.4
Value score | | | 0.556 | 0.450 | 0.634
The 12 source alternatives were categories of suppliers in the value chain, as
shown in Table 4.4.
Measures were given for each criterion on each type of farmer.
The SMART methodology would begin by identifying swing weights. The first
step in that process would be to rank order the 20 criteria. The rank order complying
with the analytic network process values obtained in the original article was:
C2.4 > C3.1 > C2.1 = C2.7 > C2.5 = C2.6 > C1.7 > C3.2 = C3.3 = C3.4
> C2.2 = C2.3 > C1.6 > C1.1 = C1.8 = C1.9 > C1.3 > C1.4 = C1.5
> C1.2
The greatest weight was given to feed manufacturing cost (C2.4), more than
double that of the second-ranked measure of work hours (C3.1). The lowest weights
were given to the environmental factors, with the exception of land occupation
(C1.7).
Swing weighting could be applied as shown in Table 4.5.
The next step is to obtain relative scores for each alternative on each criterion.
Table 4.6 gives normalized scores where 1.0 is the best score, and 0 the worst.
Table 4.3 Pork supply chain criteria
TBL component Criteria Code Measure
Environmental Freshwater eutrophication C1.1 Kg SO2 eq
Terrestrial acidification C1.2 Kg SO2 eq
Human toxicity C1.3 Kg 1,4-DB eq
Fossil depletion C1.4 Kg oil eq
Water depletion C1.5 M3
Climate change C1.6 Kg CO2 eq
Land occupation C1.7 M2a
Freshwater ecotoxicity C1.8 Kg 1,4-DB eq
Marine ecotoxicity C1.9 Kg 1,4-DB eq
Economic Investment <5 years C2.1 Euro/ton
Investment 5–9 years C2.2 Euro/ton
Investment 10–14 years C2.3 Euro/ton
Feed manufacturing cost C2.4 Euro/ton
Total feed system cost C2.5 Euro/ton
Waste C2.6 Percentage
Labor cost C2.7 Euro/ton
Social Work hours C3.1 Hours/day
Biodiversity varieties C3.2 Number by formula
Biodiversity species C3.3 Number by formula
Localness C3.4 Percent by formula
Liu et al. found ranks by preference as follows:
Excellent: S1 > S2
Acceptable: S10 > S3 > S4
Poor: S12 > S7 > S8 > S11 > S5 > S6
Table 4.6 has the same ranking for the Excellent category, and S10 also came
third. There was some difference for the intermediate-ranked categories, but quite a
bit of similarity for the lower ranks.
Value Analysis
Value analysis is possible by identifying where each alternative has relative
strengths and weaknesses. S1, the colza farmer, was strongest on six measures,
including low land occupation, short-term investment, low waste, low labor cost,
and work hours. It was weakest on long-term investment. The twelfth-ranked
alternative, S6, was strongest on localness, but weak on human toxicity, long-term
investment, waste, and labor cost. The context of this problem was to rank given
alternatives. The value analysis can show why ranking was as it ended up.
Table 4.4 Types of farmers
Code  Type name                  Orientation  Dominant feed  Size of feed   Type of storage
S1    Bought colza               Purchasing   Colza
S2    Bought soy                 Purchasing   Soy
S3    Made < 2500 T              Producing    Dry cereals    Silo < 2500 T
S4    Made > 2500 T              Producing    Dry cereals    Silo < 2500 T
S5    Made maize Hori < 2500 T   Producing    Corn           Silo < 2500 T  Horizontal
S6    Made maize Hori > 2500 T   Producing    Corn           Silo < 2500 T  Horizontal
S7    Made maize Vert < 2500 T   Producing    Corn           Silo < 2500 T  Vertical
S8    Made maize Vert > 2500 T   Producing    Corn           Silo < 2500 T  Vertical
S9    Mix Horizontal             Mix          Dry cereals                   Horizontal
S10   Mix Vertical               Mix          Dry cereals                   Vertical
S11   Mix maize Horizontal       Mix          Corn                          Horizontal
S12   Mix maize Vertical         Mix          Corn                          Vertical
Table 4.5 Swing weighting
Criteria                   Code  From max.  Weight  From min.  Weight  Compromise
Feed manufacturing cost    C2.4  100        0.181   120        0.152   0.167
Work hours                 C3.1  50         0.091   60         0.076   0.080
Investment <5 years        C2.1  45         0.082   55         0.070   0.075
Labor cost                 C2.7  45         0.082   55         0.070   0.075
Total feed system cost     C2.5  40         0.073   50         0.063   0.068
Waste                      C2.6  40         0.073   50         0.063   0.068
Land occupation            C1.7  35         0.064   45         0.057   0.060
Biodiversity varieties     C3.2  30         0.054   40         0.051   0.053
Biodiversity species       C3.3  30         0.054   40         0.051   0.053
Localness                  C3.4  30         0.054   40         0.051   0.053
Investment 5–9 years       C2.2  20         0.036   35         0.044   0.040
Investment 10–14 years     C2.3  20         0.036   35         0.044   0.040
Climate change             C1.6  15         0.027   30         0.038   0.033
Freshwater eutrophication  C1.1  10         0.018   25         0.032   0.025
Freshwater ecotoxicity     C1.8  10         0.018   25         0.032   0.025
Marine ecotoxicity         C1.9  10         0.018   25         0.032   0.025
Human toxicity             C1.3  8          0.015   20         0.025   0.020
Fossil depletion           C1.4  5          0.009   15         0.019   0.015
Water depletion            C1.5  5          0.009   15         0.019   0.015
Terrestrial acidification  C1.2  3          0.005   10         0.013   0.010
Table 4.6 Scores for alternatives
Code   Wgt    S1     S2     S3     S4     S5     S6     S7     S8     S9     S10    S11    S12
C2.4   0.167  0      0      0.6    0.6    0.3    0.3    0.3    0.3    0.5    0.5    0.4    0.4
C3.1   0.080  1      1      0.8    0.8    0.5    0.5    0.8    0.8    0.3    0.8    0.3    0.8
C2.1   0.075  1      1      0.3    0.2    0.3    0.2    0.3    0.2    0.5    0.3    0.5    0.3
C2.7   0.075  1      1      0.5    0.5    0.2    0.2    0.5    0.5    0.1    0.5    0.1    0.5
C2.5   0.068  0.8    0.7    0.4    0.4    0.6    0.6    0.6    0.6    0.55   0.55   0.65   0.65
C2.6   0.068  1      1      0.8    0.8    0.2    0.2    0.2    0.2    0.8    0.8    0.2    0.2
C1.7   0.060  1      0.5    0.2    0.2    0.4    0.4    0.4    0.4    0.6    0.6    0.7    0.7
C3.2   0.053  0.8    0.9    0.3    0.3    0.6    0.6    0.6    0.6    0.2    0.2    0.5    0.5
C3.3   0.053  0.8    0.9    0.3    0.3    0.7    0.7    0.7    0.7    0.1    0.1    0.6    0.6
C3.4   0.053  0.1    0.4    0.9    0.9    0.8    0.8    0.8    0.8    0.7    0.7    0.3    0.3
C2.2   0.040  1      1      0.7    0.4    0.7    0.4    0.7    0.4    0.9    0.7    0.9    0.7
C2.3   0.040  0      0      0.5    0.2    0.5    0.2    0.5    0.2    0.8    0.5    0.8    0.5
C1.6   0.033  0.6    0.2    0.3    0.3    0.4    0.4    0.4    0.4    0.35   0.35   0.33   0.33
C1.1   0.025  0.9    0.6    0.4    0.4    0.5    0.5    0.5    0.5    0.6    0.6    0.2    0.2
C1.8   0.025  0.6    0.8    0.4    0.4    0.3    0.3    0.3    0.3    0.5    0.5    0.2    0.2
C1.9   0.025  0.7    0.8    0.2    0.2    0.3    0.3    0.3    0.3    1      1      0.9    0.9
C1.3   0.020  0.8    0.6    0.1    0.1    0.2    0.2    0.2    0.2    1      1      0.9    0.9
C1.4   0.015  0.5    0.2    0.6    0.6    0.7    0.7    0.7    0.7    0.9    0.9    0.1    0.1
C1.5   0.015  0.6    0.9    0.3    0.3    0.35   0.35   0.35   0.35   0.7    0.7    0.4    0.4
C1.2   0.010  0.5    0.5    0.7    0.7    0.8    0.8    0.8    0.8    0.4    0.4    0.2    0.2
Score         0.655  0.627  0.503  0.471  0.434  0.402  0.480  0.449  0.513  0.548  0.449  0.484
Rank          1      2      5      8      11     12     7      9      4      3      10     6
Case 3: Khatri and Srivastava (2016)3
This case involves technology selection under environmental considerations. The context is an Indian aluminum recycling company that operated five plants. The company wanted to align its business practices with sustainable development, and identified three furnace and burner technologies, seeking the one most likely to reach its goals.
The AHP model these authors used involved three alternatives (RER, a reverberatory furnace with a regenerative burner; OROO, a rotary furnace with oxy-fuel burner technology; and REO, a reverberatory furnace with oxy-fuel burner technology). They considered the following six criteria:
1. Environmental sustainability (EnvS) considered landfill area saved, hazardous chemical reduction, reutilization of wastes, environmental emission reduction, and recycled material usage.
2. Social sustainability (SS) considered employee health and safety, employee skill
development, manual operation reduction, and employment in the local
community.
3. Customer orientation (CO) considered customer satisfaction, supply chain risk
mitigation, product quality improvement, and lead time reduction.
4. Technical criteria (TC) considered use of proven technology, output/input
improvement, technology licensing required, and the technology life cycle.
5. Manufacturing flexibility (MF) considered capacity growth, improved efficiency,
reduced changeover time, and inventory reduction.
6. Economic sustainability (ES) considered return on investment, profitability ratio,
operational cost, additional physical facilities required, and project cost.
Swing weighting calculations started with the ranking shown here:
ES > CO > EnvS > SS = MF > TC
Swing weighting is shown in Table 4.7.
The next step is to score alternative performance on each of the six criteria, as
given in Table 4.8.
In this case, the model overwhelmingly pointed to selecting the regenerative burner technology (RER). Value analysis is obvious here: there is a slight disadvantage relative to the oxy-fuel burner technology with respect to manufacturing flexibility, but RER had very strong relative advantages on environmental sustainability, customer orientation, and technical criteria. Some decisions are not too difficult. Note that Table 4.8 applies a weight of 0.25 to ES rather than the 0.28 compromise of Table 4.7; the tabled scores (0.930, 0.543, 0.212) are the ones obtained with the Table 4.8 weights.
Table 4.7 Aluminum swing weighting
Criteria  From max.  Weight  From min.  Weight  Compromise
ES        100        0.290   40         0.276   0.28
CO        90         0.261   35         0.241   0.25
EnvS      70         0.203   30         0.207   0.2
SS        30         0.087   15         0.103   0.1
MF        30         0.087   15         0.103   0.1
TC        25         0.072   10         0.069   0.07
Sum       345                145                1
Table 4.8 Aluminum value scores
Code  Criterion                     RER    OROO   REO    Weight
ES    Economic sustainability       1      0.75   0.3    0.25
CO    Customer orientation          1      0.35   0.2    0.25
EnvS  Environmental sustainability  1      0.25   0.1    0.2
SS    Social sustainability         1      0.9    0.2    0.1
MF    Manufacturing flexibility     0.6    1      0.4    0.1
TC    Technical criteria            1      0.4    0.1    0.07
      SCORE                         0.930  0.543  0.212
Value Analysis
In this case, there were clear distinguishing performance scores. The first two
alternatives have some compensating advantage (the third does not, among the
criteria included). There were few criteria. While it is often best to focus on fewer
criteria, if there are a number of measurable items falling into clear categories, it can
work. In this case, RER is inferior to OROO only on manufacturing flexibility. Thus
value analysis might seek ways to improve manufacturing flexibility for RER.
Case 4: Enyinda, Briggs, Obuah, and Mbah (2011)4
The fourth case involves the interesting decision domain of strategy selection. A
petroleum supply chain in Nigeria faced significant risks, which were modeled in six
areas (the criteria). The purpose of the model was to support selection of one of four
risk mitigation strategies:
• Reduce risk
• Share risk
• Avoid risk
• Retain risk
The six criteria are:
1. Geological and production risk (GPR)
2. Environmental and regulatory risk (ERR)
3. Transportation risk (TR)
4. Oil availability risk (OAR)
5. Geopolitical risk (GR)
6. Reputation risk (RR)
Weight generation began with rank ordering these risks:
GPR > TR > GR > RR > OAR > ERR
Swing weighting is shown in Table 4.9.
Note here that on the backwards pass TR and GR were rated as similar; the point of swing weighting is to get different perspectives. Ties are possible; rank reversal would be more concerning. The next step is to obtain scores for the four alternative risk treatments (Table 4.10).
In application, the model could use the weight set for multiple cases, each with
new scores to reflect the new situation.
Value Analysis
Here the choice for this situation would be a strong recommendation to reduce risk through proactive action. The reason is much higher scores on all criteria except reputation risk, where avoiding the risk (simply getting out of that business opportunity) was rated higher.
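The swing-weighting and additive-scoring steps used in Cases 2, 3 and 4 can be run as code. The Python below is an added example, not code from Olson and Wu or from Enyinda et al. It takes the Case 4 swing points (Table 4.9) and scores (Table 4.10), computes the forward-pass and backward-pass weights, checks that the ordering of the four strategies is the same under both passes and under the tabled compromise weights (the rank-reversal concern raised above), and performs the value analysis: for each strategy, the criteria on which it is best or worst and the weighted gap to the per-criterion ideal. The `COMPROMISE` vector is the hand-rounded one from Table 4.9 rather than the recomputed average, because the tabled scores were produced with it; `rank_stable` and `non_discriminating` are names chosen here.

```python
"""Swing weighting, additive scoring and value analysis for the oil-risk case.

Added example; data transcribed from Tables 4.9 and 4.10 (Enyinda et al. case).
"""
from typing import Dict, List, Sequence

Weights = Dict[str, float]
Scores = Dict[str, Dict[str, float]]   # alternative -> criterion -> score in [0, 1]

CRITERIA = ["GPR", "TR", "GR", "RR", "OAR", "ERR"]
FROM_MAX = dict(zip(CRITERIA, [100, 90, 70, 30, 25, 20]))    # forward pass, Table 4.9
FROM_MIN = dict(zip(CRITERIA, [50, 30, 30, 25, 20, 10]))     # backward pass, Table 4.9
COMPROMISE = dict(zip(CRITERIA, [0.30, 0.22, 0.19, 0.13, 0.10, 0.06]))  # as tabled (hand-rounded)
SCORES: Scores = {                                             # Table 4.10
    "Reduce risk": dict(zip(CRITERIA, [0.9, 1.0, 1.0, 0.8, 0.9, 0.9])),
    "Share risk":  dict(zip(CRITERIA, [0.6, 0.25, 0.3, 0.1, 0.45, 0.4])),
    "Avoid risk":  dict(zip(CRITERIA, [0.7, 0.5, 0.8, 1.0, 0.25, 0.8])),
    "Retain risk": dict(zip(CRITERIA, [0.33, 0.15, 0.3, 0.25, 0.35, 0.7])),
}


def normalize(points: Dict[str, float]) -> Weights:
    """Turn one pass of swing points into weights that sum to 1."""
    total = sum(points.values())
    if total <= 0:
        raise ValueError("swing points must be positive")
    return {c: p / total for c, p in points.items()}


def swing_weights(from_max: Dict[str, float], from_min: Dict[str, float]) -> Dict[str, Weights]:
    """Forward pass, backward pass, and their average renormalised to sum to 1."""
    w_max, w_min = normalize(from_max), normalize(from_min)
    avg = {c: (w_max[c] + w_min[c]) / 2 for c in from_max}
    return {"from_max": w_max, "from_min": w_min, "compromise": normalize(avg)}


def weighted_scores(scores: Scores, weights: Weights) -> Dict[str, float]:
    """Additive value: sum over criteria of weight * score. Scores must lie in [0, 1]."""
    for alt, row in scores.items():
        for c in weights:
            if not 0.0 <= row[c] <= 1.0:
                raise ValueError(f"{alt}/{c}: score {row[c]} outside [0, 1]")
    return {alt: sum(weights[c] * row[c] for c in weights) for alt, row in scores.items()}


def ranking(values: Dict[str, float]) -> List[str]:
    """Alternatives from best to worst; ties keep input order."""
    return sorted(values, key=values.get, reverse=True)


def rank_stable(scores: Scores, weight_sets: Sequence[Weights]) -> bool:
    """True when every weight set yields the same ordering (no rank reversal between passes)."""
    orders = {tuple(ranking(weighted_scores(scores, w))) for w in weight_sets}
    return len(orders) == 1


def non_discriminating(scores: Scores) -> List[str]:
    """Criteria on which all alternatives tie; they cannot change the choice for this set."""
    crit = next(iter(scores.values())).keys()
    return [c for c in crit if len({row[c] for row in scores.values()}) == 1]


def value_analysis(scores: Scores, weights: Weights) -> Dict[str, Dict[str, object]]:
    """Where each alternative is strongest / weakest, and the weighted gap to the ideal."""
    best = {c: max(row[c] for row in scores.values()) for c in weights}
    worst = {c: min(row[c] for row in scores.values()) for c in weights}
    return {
        alt: {
            "strongest": [c for c in weights if row[c] == best[c]],
            "weakest": [c for c in weights if row[c] == worst[c]],
            "gap_to_ideal": {c: round(weights[c] * (best[c] - row[c]), 4) for c in weights},
        }
        for alt, row in scores.items()
    }


if __name__ == "__main__":
    w = swing_weights(FROM_MAX, FROM_MIN)
    totals = weighted_scores(SCORES, COMPROMISE)
    va = value_analysis(SCORES, COMPROMISE)
    for alt in ranking(totals):
        print(f"{alt:12s} {totals[alt]:.3f}  strongest on {va[alt]['strongest']}")
    print("rank stable across passes:", rank_stable(SCORES, [w["from_max"], w["from_min"], COMPROMISE]))
```

Running it reproduces the Table 4.10 scores (0.928, 0.374, 0.675, 0.299) and shows that "Reduce risk" is best on every criterion except RR, where "Avoid risk" is best, which is exactly the value-analysis statement above. To reuse it for Case 2 or Case 3, replace the three data dictionaries; the `gap_to_ideal` entries then point at the criteria where improving an alternative would buy the most weighted value.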
Case 5: Akyuz, Karahalios, and Celik (2015)5
The last case involves application of multiple criteria analysis to balanced scorecard
assessment. Balanced scorecards involve measuring performance on four
perspectives (financial, operational, business process, and organizational learning
and growth). These can be applied in many different contexts. The case in point
involved maritime labor compliance in a British environment. Each of the four
perspectives considered four or five factors. The authors applied AHP to rank
order the relative importance of these 19 factors with the intent of identifying
where relative emphasis might be placed in operations. In general, their model
could be used to compare performance at multiple sites. Here we simply want to
demonstrate multiple criteria modeling in a balanced scorecard setting.
Table 4.9 Oil risk swing weighting
Criteria  From max.  Weight  From min.  Weight  Compromise
GPR       100        0.299   50         0.303   0.30
TR        90         0.269   30         0.182   0.22
GR        70         0.209   30         0.182   0.19
RR        30         0.090   25         0.152   0.13
OAR       25         0.075   20         0.121   0.10
ERR       20         0.060   10         0.061   0.06
Sum       335                165                1
Table 4.10 Oil risk scoring
Criteria  Reduce risk  Share risk  Avoid risk  Retain risk  Weights
GPR       0.9          0.6         0.7         0.33         0.30
TR        1            0.25        0.5         0.15         0.22
GR        1            0.3         0.8         0.3          0.19
RR        0.8          0.1         1           0.25         0.13
OAR       0.9          0.45        0.25        0.35         0.10
ERR       0.9          0.4         0.8         0.7          0.06
Scores    0.928        0.374       0.675       0.299
Each of the four balanced scorecard perspectives consisted of critical success
factors in the context of maritime labor environment assessment (Table 4.11).
Table 4.12 gives the subcriteria and swing weighting implied in the source article.
This involves rank ordering the 19 subfactors, and giving assessments of relative
importance.
Here the source authors' intent was to rank-order the subcriteria, identifying where emphasis would be placed. Wages clearly were the most preferred factor, reflecting a strong emphasis on the financial perspective. Summing weights by balanced scorecard perspective, Financial received 0.512 of the relative weight, Internal business processes 0.238, Labor 0.164, and Learning and growth 0.086. Value analysis is implicit here: the compromise weights identify relative importance using the ratings given.
Value Analysis
This application differs, because its intent is to provide a balanced scorecard type of model. This can be very useful and interesting. But value analysis applies only to the hierarchy itself, because Akyuz et al. applied AHP to performance measurement rather than to a choice among alternatives.
Table 4.11 Balanced scorecard components in Maritime Labor context
Perspective Critical success factor Code
Financial Seafarer’s employment agreements FP1
Wages FP2
Seafarer compensation for ship loss or foundering FP3
Food and catering FP4
Labor Recruitment and placement LP1
Entitlement to leave LP2
Repatriation LP3
Medical care on-board and ashore LP4
Social security LP5
Internal business Medical certificate IBP1
Manning levels IBP2
Accommodation and recreational facilities IBP3
Shipowner’s liability IBP4
Health and safety and accident prevention IBP5
Learning and growth Minimum age LGP1
Training and qualifications LGP2
Hours of work and rest LGP3
Career and skill development LGP4
Access to shore-based welfare facilities LGP5
Table 4.12 Implied swing weighting
Code  Criteria                                           From max.  Weight  From min.  Weight  Compromise
FP2   Wages                                              100        0.249   980        0.293   0.270
FP3   Seafarer compensation for ship loss or foundering  50         0.125   470        0.140   0.130
IBP5  Health and safety and accident prevention          40         0.100   340        0.102   0.110
LP5   Social security                                    30         0.075   250        0.075   0.075
FP4   Food and catering                                  28         0.070   225        0.067   0.068
IBP4  Shipowner's liability                              26         0.065   190        0.057   0.060
LP4   Medical care on-board and ashore                   20         0.050   142        0.042   0.045
FP1   Seafarer's employment agreements                   19         0.047   140        0.042   0.044
LGP4  Career and skill development                       16         0.040   101        0.030   0.035
IBP3  Accommodation and recreational facilities          13         0.032   99         0.030   0.031
LGP2  Training and qualifications                        11         0.027   80         0.024   0.025
IBP2  Manning levels                                     10         0.025   75         0.022   0.023
LP2   Entitlement to leave                               9          0.022   70         0.021   0.021
LGP3  Hours of work and rest                             7          0.017   50         0.015   0.016
IBP1  Medical certificate                                6          0.015   40         0.012   0.014
LP1   Recruitment and placement                          6          0.015   38         0.011   0.013
LP3   Repatriation                                       5          0.012   30         0.009   0.010
LGP1  Minimum age                                        3          0.007   18         0.005   0.006
LGP5  Access to shore-based welfare facilities           2          0.005   10         0.003   0.004
      Sum                                                401        1       3348       1       1
Conclusions
The cases presented involved multiple criteria selection decisions (with the exception of the fifth, demonstrating how balanced scorecard modeling could be supported). Multiple criteria analysis is a very good framework to describe specific aspects of risk and to assess where they impact a given decision context. The value scores might be useful as a means to select a preferred alternative, or as a performance metric that directs attention to features calling for improvement.
Value analysis can provide useful support to decision-making by first focusing on hierarchical development. In all five cases presented here, this was done in the original articles. Nonetheless, it is important to consider overarching objective accomplishment.
Two aspects of value analysis should be considered. First, if scores on available alternatives are equivalent on a specific criterion, this criterion will not matter for this set of alternatives. However, it may matter if new alternatives are added, or existing alternatives improved. Second, a benefit of value analysis is improvement of existing alternatives. The score matrix provides useful comparisons of relative alternative performance. If decision makers are not satisfied with existing alternatives, they might seek additional choices by expanding their search or designing better alternatives. The criteria with the greatest weights might provide an area of focus in this search, and the ideal scores might give a standard for design.
Notes
1. Zhu, Q., Shah, P. and Sarkis, J. (2018). Addition by subtraction: Integrating product deletion with lean and sustainable supply chain management. International Journal of Production Economics 205, 201–214.
2. Liu, Y., Eckert, C., Yannou-Le Bris, G. and Petit, G. (2019). A fuzzy decision tool to evaluate the sustainable performance of suppliers in an agrifood value chain. Computers & Industrial Engineering 127, 196–212.
3. Khatri, J. and Srivastava, M. (2016). Technology selection for sustainable supply chains. International Journal of Technology Management & Sustainable Development 15(3), 275–289.
4. Enyinda, C.I., Briggs, C., Obuah, E. and Mbah, C. (2011). Petroleum supply chain risk analysis in a multinational oil firm in Nigeria. Journal of Marketing Development and Competitiveness 5(7), 37–44.
5. Akyuz, E., Karahalios, H. and Celik, M. (2015). Assessment of the maritime labour convention compliance using balanced scorecard and analytic hierarchy process approach. Maritime Policy & Management 42(2), 145–162.
5 Simulation of Supply Chain Risk
Supply chains involve many risks, as we have seen. Modeling that risk focuses on
probability, a well-developed analytic technique. This chapter addresses basic simu-
lation models involving supply chains, to include inventory modeling (often accom-
plished through system dynamics) and Monte Carlo simulation of vendor
outsourcing decisions.
Inventory Systems
Inventory is any resource that is set aside for future use. Inventory is necessary
because the demand and supply of goods usually are not perfectly matched at any
given time or place. Many different types of inventories exist. Examples include raw
materials (such as coal, crude oil, and cotton), semifinished products (aluminum
ingots, plastic sheets, lumber), and finished products (cans of food, computer
terminals, shirts). Inventories can also be human resources (standby crews and
trainees), financial resources (cash on hand, accounts receivable), and other
resources such as airplane seats.
The basic risks associated with inventories are the risks of stocking out (and thus
losing sales), and the counter risk of going broke because excessive cash flow is tied
up in inventory. The problem is made interesting because demand is almost always
uncertain, driven by the behavior of the market, usually many people making
spontaneous purchasing decisions.
Inventories represent a considerable investment for many organizations; thus, it is
important that they be managed well. Although many analytic models for managing
inventories exist, the complexity of many practical situations often requires
simulation.
The two basic inventory decisions that managers face are how much to order or produce additional inventory, and when to order or produce it. Although it is possible to consider these two decisions separately, they are so closely related that a simultaneous solution is usually necessary. Typically, the objective is to minimize total inventory costs.
© Springer-Verlag GmbH Germany, part of Springer Nature 2020
D. L. Olson, D. Wu, Enterprise Risk Management Models, Springer Texts in Business and Economics, https://doi.org/10.1007/978-3-662-60608-7_5
Total inventory cost can include four components: holding costs, ordering costs,
shortage costs, and purchasing costs. Holding costs, or carrying costs, represent
costs associated with maintaining inventory. These costs include interest incurred or
the opportunity cost of having capital tied up in inventories; storage costs such as
insurance, taxes, rental fees, utilities, and other maintenance costs of storage space;
warehousing or storage operation costs, including handling, record keeping, infor-
mation processing, and actual physical inventory expenses; and costs associated with
deterioration, shrinkage, obsolescence, and damage. Total holding costs are depen-
dent on how many items are stored and for how long they are stored. Therefore,
holding costs are expressed in terms of dollars associated with carrying one unit of
inventory per unit of time.
Ordering costs represent costs associated with replenishing inventories. These
costs are not dependent on how many items are ordered at a time, but on the number
of orders that are prepared. Ordering costs include overhead, clerical work, data
processing, and other expenses that are incurred in searching for supply sources, as
well as costs associated with purchasing, expediting, transporting, receiving, and
inspecting. In manufacturing operations, setup cost is the equivalent to ordering
cost. Setup costs are incurred when a factory production line has to be shut down in
order to reorganize machinery and tools for a new production run. Setup costs
include the cost of labor and other time-related costs required to prepare for the
new product run. We usually assume that the ordering or setup cost is constant and is
expressed in terms of dollars per order.
Shortage costs, or stock-out costs, are those costs that occur when demand
exceeds available inventory in stock. A shortage may be handled as a backorder,
in which a customer waits until the item is available, or as a lost sale. In either case, a
shortage represents lost profit and possible loss of future sales. Shortage costs
depend on how much shortage has occurred and sometimes for how long. Shortage
costs are expressed in terms of dollar cost per unit of short item.
Purchasing costs are what firms pay for the material or goods. In most inventory
models, the price of materials is the same regardless of the quantity purchased; in this
case, purchasing costs can be ignored. However, when price varies by quantity
purchased, called the quantity discount case, inventory analysis must be adjusted
to account for this difference.
Basic Inventory Simulation Model
Many models contain variables that change continuously over time. One example would be a model of a retail store's inventory. The number of items changes gradually (though discretely) over an extended time period; however, for all intents and purposes, it may be treated as continuous. As customer demand is fulfilled, inventory is depleted, leading to factory orders to replenish the stock. As orders are received from suppliers, the inventory increases. Over time, particularly if orders are relatively small and frequent as we see in just-in-time environments, the inventory level can be represented by a smooth, continuous function.
We can build a simple inventory simulation model beginning with a spreadsheet
model as shown in Table 5.1. Model parameters include a holding rate of 0.8 per
item per day, an order rate of 300 for each order placed, a purchase price of 90, and a
sales price of 130. The decision variables are when to order (when the end of day
quantity drops below the reorder point (ROP)), and the quantity ordered (Q). The
model itself has a row for each day (here 30 days are modeled). Each day has a
starting inventory (column B) and a probabilistic demand (column C) generated
from a normal distribution with a mean of 100 and a standard deviation of 10.
Demand is made integer. Sales (column D) are equal to the minimum of the starting
quantity and demand. End of day inventory (column E) is the maximum of 0 or
starting inventory minus demand. The quantity ordered at the end of each day in
column F (here assumed to be on hand at the beginning of the next day) is 0 if ending
inventory exceeds ROP, or Q if ending inventory drops at or below ROP.
Profit and shortage are calculated to the right of the basic inventory model. Column G calculates holding cost by multiplying the holding rate in cell B1 by the ending inventory quantity for each day, summing over the 30 days in cell G5. Order costs are calculated by day as $300 if an order is placed that day, and 0 otherwise, with the monthly total ordering cost accumulated in cell H5. Cell I5 calculates total purchasing cost, cell J5 total revenue, and cell H3 calculates net profit, adjusting for the value of beginning and ending inventory. (Note that the net figure shown in Table 5.1, 101,809.2, equals revenue less purchasing, ordering and holding cost, with no such adjustment: 388,050 − 277,200 − 6,600 − 2,440.8.) Column K identifies sales lost (SHORT), with cell K5 accumulating these for the month.
Crystal Ball simulation software allows introduction of three types of special
variables. Probabilistic variables (assumption cells in Crystal Ball terminology) are
modeled in column C using a normal distribution [CB.Normal (mean, std)]. Decision
variables are modeled for ROP (cell E1) and Q (cell E2). Crystal Ball allows setting
minimum and maximum levels for decision variables, as well as step size. Here we
used ROP values of 80, 100, 120, and 140, and Q values of 100, 110, 120, 130, and
140. The third type of variable is a forecast cell. We have forecast cells for net profit
(H3) and for sales lost (cell K3).
The Crystal Ball simulation can be set to run for up to 10,000 repetitions for each combination of decision variables. We selected 1000 repetitions. Output is given for forecast cells. Figure 5.1 shows net profit for the combination of an ROP of 140 and a Q of 140.
Tabular output is also provided as in Table 5.2.
Similar output is given for the other forecast variable, SHORT (Fig. 5.2;
Table 5.3).
Crystal Ball also provides a comparison over all decision variable values, as given
in Table 5.4.
The implication here is that the best decision for the basic model parameters would be an ROP of 120 and a Q of 130, yielding an expected net profit of $101,446 for the month. Note that Table 5.4 also reports a mean of $101,972 for an ROP of 100 and a Q of 130; the top cells of that grid differ from one another by only a few standard errors of the mean (198 in Table 5.2), so 1000 trials do not separate them sharply. The shortage for the ROP 120, Q 130 combination had a mean of 3.43 lost sales for the month, with a distribution shown in Fig. 5.3. The probability of shortage was 0.4385.
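The spreadsheet logic just described, together with the Monte Carlo search over ROP and Q, written in Python as an added example (it is not the authors' Crystal Ball workbook). `simulate_month` replays one 30-day run with the Table 5.1 rules; `monte_carlo` draws integer normal demand and summarises net profit, lost sales, the probability of any shortage and a downside percentile; `best_policy` sweeps an (ROP, Q) grid. Two checks a practitioner would want are built in: replaying the 30 demand values transcribed from column C of Table 5.1 with ROP 140, Q 140 must reproduce the tabled totals exactly (holding 2,440.8, ordering 6,600, purchasing 277,200, revenue 388,050, net 101,809.2, no shortage, 195 on hand at the end), and negative demand draws are truncated at zero rather than booked as returns. `net` is computed as revenue minus purchasing, ordering and holding cost, which is what the tabled figure equals. The seed, trial count and grid are parameters; function and field names are chosen here.

```python
"""Reorder-point (ROP, Q) inventory simulation with Monte Carlo policy search.

Added example; parameters follow Table 5.1, and the demand replay values are
transcribed from its column C.
"""
import random
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class Params:
    hold_rate: float = 0.8      # $ per item per day on end-of-day stock (cell B1)
    order_cost: float = 300.0   # $ per order placed (cell B2)
    purchase: float = 90.0      # $ per item bought (cell B3)
    sell: float = 130.0         # $ per item sold (cell B4)
    start_inventory: int = 100
    demand_mean: float = 100.0
    demand_sd: float = 10.0


# Column C of Table 5.1, days 1..30 (transcribed), used to replay the tabled run.
TABLE_5_1_DEMAND = [85, 84, 104, 105, 104, 116, 105, 94, 83, 94, 115, 128, 107, 110, 102,
                    96, 91, 102, 104, 96, 103, 98, 97, 103, 86, 105, 89, 106, 89, 84]


def draw_demand(rng: random.Random, p: Params) -> int:
    """Integer normal demand; a negative draw is truncated to 0 (it is not a return)."""
    return max(0, round(rng.gauss(p.demand_mean, p.demand_sd)))


def simulate_month(rop: int, q: int, demands: Sequence[int], p: Params = Params()) -> Dict[str, float]:
    """One replication of the Table 5.1 rules: sell min(start, demand); if end-of-day
    stock <= ROP order Q, on hand the next morning; unmet demand is lost, not backordered."""
    start = p.start_inventory
    hold = order = purchase = revenue = 0.0
    short = end = 0
    for d in demands:
        sales = min(start, d)                # column D
        end = start - sales                  # column E, same as MAX(0, start - demand)
        short += d - sales                   # column K, SHORT
        placed = q if end <= rop else 0      # column F
        hold += p.hold_rate * end            # column G
        if placed:
            order += p.order_cost            # column H
            purchase += p.purchase * placed  # column I
        revenue += p.sell * sales            # column J
        start = end + placed
    return {
        "hold_cost": hold, "order_cost": order, "purchase": purchase, "revenue": revenue,
        "net": revenue - purchase - order - hold,   # the figure tabled in H3
        "short": short, "end_inventory": end,
    }


def monte_carlo(rop: int, q: int, trials: int = 1000, seed: int = 1,
                days: int = 30, p: Params = Params()) -> Dict[str, float]:
    """Repeat simulate_month with fresh random demand and summarise the forecast cells."""
    rng = random.Random(seed)
    nets: List[float] = []
    shorts: List[int] = []
    for _ in range(trials):
        r = simulate_month(rop, q, [draw_demand(rng, p) for _ in range(days)], p)
        nets.append(r["net"])
        shorts.append(int(r["short"]))
    nets.sort()
    return {
        "mean_net": sum(nets) / trials,
        "net_p05": nets[int(0.05 * trials)],            # downside: 5th percentile of net profit
        "mean_short": sum(shorts) / trials,
        "p_short": sum(1 for s in shorts if s > 0) / trials,
    }


def best_policy(rops: Iterable[int], qs: Iterable[int], trials: int = 1000,
                seed: int = 1) -> Tuple[Tuple[int, int], Dict[Tuple[int, int], float]]:
    """Sweep the (ROP, Q) grid on expected net profit; returns the argmax and the whole grid."""
    grid = {(r, q): monte_carlo(r, q, trials, seed)["mean_net"] for r in rops for q in qs}
    return max(grid, key=grid.get), grid


if __name__ == "__main__":
    replay = simulate_month(140, 140, TABLE_5_1_DEMAND)
    print("Table 5.1 replay net:", round(replay["net"], 1))
    best, grid = best_policy([80, 100, 120, 140], [100, 110, 120, 130, 140], trials=1000)
    print("best (ROP, Q):", best, "mean net:", round(grid[best]))
    print("risk at best:", monte_carlo(*best))
```

Because the same seed is used for every grid cell, each policy is evaluated on the same demand streams (common random numbers), which makes the differences between cells less noisy than the independent runs a point-and-click tool produces; the 5th-percentile figure is the one to look at when the question is downside exposure rather than expected profit.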
Table 5.1 Basic inventory model
Parameters (rows 1–4): Hold rate 0.8 (B1), Order rate 300 (B2), Purchase 90 (B3), Sell 130 (B4); ROP 140 (E1), Q 140 (E2); Net 101,809.2 (H3); Short 0 (K3).
Monthly totals (row 5): Hold cost 2440.8 (G5), Order cost 6600 (H5), Purchase 277,200 (I5), Revenue 388,050 (J5).
Day  Start  Demand  Sales  End  Order  Hold cost  Order cost  Purchase  Revenue  SHORT
1    100    85      85     15   140    12         300         12,600    11,050   0
2    155    84      84     71   140    56.8       300         12,600    10,920   0
3    211    104     104    107  140    85.6       300         12,600    13,520   0
4    247    105     105    142  0      113.6      0           0         13,650   0
5    142    104     104    38   140    30.4       300         12,600    13,520   0
6    178    116     116    62   140    49.6       300         12,600    15,080   0
7    202    105     105    97   140    77.6       300         12,600    13,650   0
8    237    94      94     143  0      114.4      0           0         12,220   0
9    143    83      83     60   140    48         300         12,600    10,790   0
10   200    94      94     106  140    84.8       300         12,600    12,220   0
11   246    115     115    131  140    104.8      300         12,600    14,950   0
12   271    128     128    143  0      114.4      0           0         16,640   0
13   143    107     107    36   140    28.8       300         12,600    13,910   0
14   176    110     110    66   140    52.8       300         12,600    14,300   0
15   206    102     102    104  140    83.2       300         12,600    13,260   0
16   244    96      96     148  0      118.4      0           0         12,480   0
17   148    91      91     57   140    45.6       300         12,600    11,830   0
18   197    102     102    95   140    76         300         12,600    13,260   0
19   235    104     104    131  140    104.8      300         12,600    13,520   0
20   271    96      96     175  0      140        0           0         12,480   0
21   175    103     103    72   140    57.6       300         12,600    13,390   0
22   212    98      98     114  140    91.2       300         12,600    12,740   0
23   254    97      97     157  0      125.6      0           0         12,610   0
24   157    103     103    54   140    43.2       300         12,600    13,390   0
25   194    86      86     108  140    86.4       300         12,600    11,180   0
26   248    105     105    143  0      114.4      0           0         13,650   0
27   143    89      89     54   140    43.2       300         12,600    11,570   0
28   194    106     106    88   140    70.4       300         12,600    13,780   0
29   228    89      89     139  140    111.2      300         12,600    11,570   0
30   279    84      84     195  0      156        0           0         10,920   0
Fig. 5.1 Crystal Ball output for net profit, ROP 140, Q 140. © Oracle. Used with permission
Table 5.2 Statistical output for net profit, ROP 140, Q 140
Forecast: net
Statistic               Forecast values
Trials                  1000
Mean                    100,805.56
Median                  97,732.8
Mode                    97,042.4
Standard deviation      6264.80
Variance                39,247,672.03
Skewness                0.8978
Kurtosis                2.21
Coeff. of variability   0.0621
Minimum                 89,596.80
Maximum                 112,657.60
Mean std. error         198.11
© Oracle. Used with permission
Fig. 5.2 SHORT for ROP 140, Q 140. © Oracle. Used with permission
Table 5.3 Statistical output for SHORT, ROP 140, Q 140
Forecast: SHORT
Statistic               Forecast values
Trials                  1000
Mean                    3.72
Median                  0.00
Mode                    0.00
Standard deviation      5.61
Variance                31.47
Skewness                1.75
Kurtosis                5.94
Coeff. of variability   1.51
Minimum                 0.00
Maximum                 31.00
Mean std. error         0.18
Table 5.4 Comparative net profit for all values of ROP, Q
             Q(100.00)  Q(110.00)  Q(120.00)  Q(130.00)  Q(140.00)
ROP(80.00)   99,530     99,948     99,918     100,159    101,331
ROP(100.00)  99,627     100,701    101,051    101,972    101,512
ROP(120.00)  99,519     100,429    100,919    101,446    101,252
ROP(140.00)  99,525     99,894     100,586    100,712    100,805
© Oracle. Used with permission
System Dynamics Modeling of Supply Chains
Many models contain variables that change continuously over time. One example would be a model of an oil refinery. The amount of oil moving between various stages of production is clearly a continuous variable. In other models, changes in variables occur gradually (though discretely) over an extended time period; however, for all intents and purposes, they may be treated as continuous. An example would be the amount of inventory at a warehouse in a production–distribution system over several years. As customer demand is fulfilled, inventory is depleted, leading to factory orders to replenish the stock. As orders are received from suppliers, the inventory increases. Over time, particularly if orders are relatively small and frequent as we see in just-in-time environments, the inventory level can be represented by a smooth, continuous function.
Continuous variables are often called state variables. A continuous simulation
model defines equations for relationships among state variables so that the dynamic
behavior of the system over time can be studied. To simulate continuous systems, we
use an activity-scanning approach whereby time is decomposed into small
increments. The defining equations are used to determine how the state variables
change during an increment of time. A specific type of continuous simulation is
called system dynamics, which dates back to the early 1960s and a classic work by
Jay Forrester of M.I.T.1 System dynamics focuses on the structure and behavior of
systems that are composed of interactions among variables and feedback loops. A
system dynamics model usually takes the form of an influence diagram that shows
the relationships and interactions among a set of variables.
System dynamics models have been widely used to model supply chains, especially with respect to the bullwhip phenomenon,2 which has to do with the dramatic increase in inventories across supply chains when uncertainty in demand appears. Many papers have dealt with the bullwhip effect through system dynamics models.3 These models have been used to evaluate lean systems,4 Kanban systems,5 and JIT systems.6 They also have been used to model vendor-managed inventory in supply chains.7
We present a four-echelon supply chain model, consisting of a vendor providing
raw materials, an assembly operation to create the product, a warehouse, and a set of
five retailers. We will model two systems—one a push system, the other pull in the
sense that upstream activity depends on downstream demand. We will present the
pull system first.
Fig. 5.3 SHORT for ROP = 120, Q = 130. © Oracle. Used with permission
Pull System
The basic model uses a forecasting system based on exponential smoothing to drive decisions to send material down the supply chain. We use Excel modeling, along with Crystal Ball software to run simulation repetitions, following Evans and Olson (2004).8 The formulas for the factory (vendor) portion of the model are given in Fig. 5.4.
Figure 5.4 models a month of daily activity. Sales of products at retail generate
$100 in revenue for the core organization, at a cost of $70 per item. Holding costs are
$1 at the retail level ($0.50 at wholesale, $0.40 at assembly, and $0.25 at vendors).
Daily orders are shipped from each element, at a daily cost of $1000 from factory to
assembler, $700 from assembler to warehouse, and $300 from warehouse to
retailers. Vendors produce 50 items of material per day if inventory drops to
20 items or less. If not, they do not produce. They send material to the assembly
operation if called by that element, which is modeled in Fig. 5.5 (only the first 5 days
are shown). Vendor ending inventory is shown in column E, with cell E37 adding
total monthly inventory.
The assembly operation calls for a replenishment of 30 units from the vendor
whenever its inventory of finished goods drops to 20 or less. Each daily delivery
     A        B        C                       D                       E
1    RevP     100      ROPven                  20
2    Cost     70       Qven                    50
3    Hold     1
4                      Vendor                  Vendor
5             Start    Prod                    Send                    End
6    Time
7    1        40       =IF(E7<=$D$1,$D$2,0)    =IF(J7<=$I$1,$D$2,0)    =MAX(0,B7-D7)
8    =A7+1    =E7      =IF(E8<=$D$1,$D$2,0)    =IF(J8<=$I$1,$D$2,0)    =MAX(0,B8-D8)
9    =A8+1    =E8+C7   =IF(E9<=$D$1,$D$2,0)    =IF(J9<=$I$1,$D$2,0)    =MAX(0,B9-D9)
10   =A9+1    =E9+C8   =IF(E10<=$D$1,$D$2,0)   =IF(J10<=$I$1,$D$2,0)   =MAX(0,B10-D10)
11   =A10+1   =E10+C9  =IF(E11<=$D$1,$D$2,0)   =IF(J11<=$I$1,$D$2,0)   =MAX(0,B11-D11)
12   =A11+1   =E11+C10 =IF(E12<=$D$1,$D$2,0)   =IF(J12<=$I$1,$D$2,0)   =MAX(0,B12-D12)
13   =A12+1   =E12+C11 =IF(E13<=$D$1,$D$2,0)   =IF(J13<=$I$1,$D$2,0)   =MAX(0,B13-D13)
14   =A13+1   =E13+C12 =IF(E14<=$D$1,$D$2,0)   =IF(J14<=$I$1,$D$2,0)   =MAX(0,B14-D14)
15   =A14+1   =E14+C13 =IF(E15<=$D$1,$D$2,0)   =IF(J15<=$I$1,$D$2,0)   =MAX(0,B15-D15)
16   =A15+1   =E15+C14 =IF(E16<=$D$1,$D$2,0)   =IF(J16<=$I$1,$D$2,0)   =MAX(0,B16-D16)
17   =A16+1   =E16+C15 =IF(E17<=$D$1,$D$2,0)   =IF(J17<=$I$1,$D$2,0)   =MAX(0,B17-D17)
18   =A17+1   =E17+C16 =IF(E18<=$D$1,$D$2,0)   =IF(J18<=$I$1,$D$2,0)   =MAX(0,B18-D18)
19   =A18+1   =E18+C17 =IF(E19<=$D$1,$D$2,0)   =IF(J19<=$I$1,$D$2,0)   =MAX(0,B19-D19)
20   =A19+1   =E19+C18 =IF(E20<=$D$1,$D$2,0)   =IF(J20<=$I$1,$D$2,0)   =MAX(0,B20-D20)
21   =A20+1   =E20+C19 =IF(E21<=$D$1,$D$2,0)   =IF(J21<=$I$1,$D$2,0)   =MAX(0,B21-D21)
22   =A21+1   =E21+C20 =IF(E22<=$D$1,$D$2,0)   =IF(J22<=$I$1,$D$2,0)   =MAX(0,B22-D22)
23   =A22+1   =E22+C21 =IF(E23<=$D$1,$D$2,0)   =IF(J23<=$I$1,$D$2,0)   =MAX(0,B23-D23)
24   =A23+1   =E23+C22 =IF(E24<=$D$1,$D$2,0)   =IF(J24<=$I$1,$D$2,0)   =MAX(0,B24-D24)
25   =A24+1   =E24+C23 =IF(E25<=$D$1,$D$2,0)   =IF(J25<=$I$1,$D$2,0)   =MAX(0,B25-D25)
26   =A25+1   =E25+C24 =IF(E26<=$D$1,$D$2,0)   =IF(J26<=$I$1,$D$2,0)   =MAX(0,B26-D26)
27   =A26+1   =E26+C25 =IF(E27<=$D$1,$D$2,0)   =IF(J27<=$I$1,$D$2,0)   =MAX(0,B27-D27)
28   =A27+1   =E27+C26 =IF(E28<=$D$1,$D$2,0)   =IF(J28<=$I$1,$D$2,0)   =MAX(0,B28-D28)
29   =A28+1   =E28+C27 =IF(E29<=$D$1,$D$2,0)   =IF(J29<=$I$1,$D$2,0)   =MAX(0,B29-D29)
30   =A29+1   =E29+C28 =IF(E30<=$D$1,$D$2,0)   =IF(J30<=$I$1,$D$2,0)   =MAX(0,B30-D30)
31   =A30+1   =E30+C29 =IF(E31<=$D$1,$D$2,0)   =IF(J31<=$I$1,$D$2,0)   =MAX(0,B31-D31)
32   =A31+1   =E31+C30 =IF(E32<=$D$1,$D$2,0)   =IF(J32<=$I$1,$D$2,0)   =MAX(0,B32-D32)
33   =A32+1   =E32+C31 =IF(E33<=$D$1,$D$2,0)   =IF(J33<=$I$1,$D$2,0)   =MAX(0,B33-D33)
34   =A33+1   =E33+C32 =IF(E34<=$D$1,$D$2,0)   =IF(J34<=$I$1,$D$2,0)   =MAX(0,B34-D34)
35   =A34+1   =E34+C33 =IF(E35<=$D$1,$D$2,0)   =IF(J35<=$I$1,$D$2,0)   =MAX(0,B35-D35)
36   =A35+1   =E35+C34 =IF(E36<=$D$1,$D$2,0)   =IF(J36<=$I$1,$D$2,0)   =MAX(0,B36-D36)
37                                                                     =SUM(E7:E36)
Fig. 5.4 Factory model
68 5 Simulation of Supply Chain Risk
is 30 units, and is received at the beginning of the next day's operations. Assembly
takes one day, and the finished goods are available to send that evening. Column J
shows ending inventory, which equals starting inventory plus what was processed that
day minus what was sent to the wholesaler. Figure 5.6 shows the model of the
wholesale operation.
The wholesale operation feeds retail demand, which is shown in column L. It ships
to the retailers up to the amount it has in stock, and it orders from the assembler
whenever it holds fewer than 25 items. If it stocks out, it orders 20 items plus 70%
of what it was unable to fill (essentially an exponential smoothing forecast); if it
still has stock on hand, it orders enough to bring inventory back up to 25 items.
Figure 5.7 shows one of the five retailer operations (the other four are identical).
Retailers face highly variable demand with a mean of 4 units per day. They fill the
orders they have stock for, and the shortfall is recorded in column U. They reorder
when end-of-day inventory falls to 4 or less, ordering 4 units plus 70% of the
shortfall, up to a maximum of 8 units.
This model is run in Crystal Ball to generate a measure of overall system profit.
Here the profit formula is $175 times sales minus holding costs minus transportation
costs. Holding costs are $0.25 times the sum of ending inventory at the factory,
$0.40 times the sum of ending inventory at the assembler, $0.50 times ending
inventory at the warehouse, and $1 times the sum of ending inventories at the
retailers. Shipping costs are $1000 per day from factory to assembler, $700 per day
from assembler to warehouse, and $300 per day from warehouse to retailers. The
results of 1000 repetitions are shown in Fig. 5.8.
Here the average profit for a month is $5942, with a minimum of a loss of $8699 and
a maximum gain of $18,922. The probability of a negative profit was 0.0861. The
amount of shortage across the system is shown in Fig. 5.9: the average was 138.76,
with a range of 33 to 279 over the 1000 simulation repetitions.
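The pull system described above, as an added example in Python; this is not the chapter's Excel and Crystal Ball workbook. It keeps the reorder rules and costs stated in the text: the vendor's reorder point of 20 and batch of 50, the assembler's call for 30 units at 20 or fewer finished goods, the wholesaler's 20 plus 70% of shortfall or fill-to-25 rule, the retailers' 4 plus 70% of shortfall capped at 8, the holding costs of $0.25, $0.40, $0.50 and $1 per unit of ending inventory, and the $1000, $700 and $300 shipping charges. Everything else is an assumption of this example rather than of the chapter: Poisson demand with mean 4 (the text says only "highly variable with a mean of 4"), a $30 unit margin taken from the $100 revenue and $70 cost quoted earlier (the chapter's profit formula uses $175 per unit, so set UNIT_MARGIN = 175 to follow it instead), orders filled the day after they are placed and received the next morning, a shipping charge only on days a link actually ships, a wholesaler that fills retailer orders in sequence when it is short, and the opening stock levels. Its numbers therefore will not reproduce Fig. 5.8 or Fig. 5.9, but it exposes the same statistics: mean, minimum and maximum monthly profit, the probability of a loss, and the mean and range of shortage.

```python
# Added example (not the chapter's workbook): pull system for the four-echelon chain.
import math
import random

ROP_VENDOR, Q_VENDOR = 20, 50            # vendor produces 50 when its stock is <= 20
ROP_ASSEMBLER, Q_ASSEMBLER = 20, 30      # assembler calls for 30 when finished goods <= 20
WHOL_MIN, WHOL_MAX = 20, 25              # wholesaler: 20 + 70% of shortfall, else fill to 25
RETAIL_ROP, RETAIL_BASE, RETAIL_MAX = 4, 4, 8
SMOOTH = 0.7                             # share of the shortfall carried into the next order
HOLD = {"vendor": 0.25, "assembler": 0.40, "wholesale": 0.50, "retail": 1.00}
SHIP = {"vendor": 1000, "assembler": 700, "wholesale": 300}   # ASSUMPTION: per day a link ships
UNIT_MARGIN = 100 - 70                   # ASSUMPTION: $100 revenue less $70 cost per item
N_RETAILERS, MEAN_DEMAND = 5, 4

def vendor_production(end_inventory):
    """Vendor makes a batch of Q_VENDOR only when stock is at or below ROP_VENDOR."""
    return Q_VENDOR if end_inventory <= ROP_VENDOR else 0

def wholesale_order(short, end_inventory):
    """Stock-out: base plus 70% of the unfilled amount; otherwise top up to WHOL_MAX."""
    if short > 0:
        return WHOL_MIN + int(SMOOTH * short)
    return 0 if end_inventory > WHOL_MAX else WHOL_MAX - end_inventory

def retail_order(end_inventory, short):
    """Order only when stock falls to RETAIL_ROP or below, capped at RETAIL_MAX."""
    if end_inventory > RETAIL_ROP:
        return 0
    return min(RETAIL_MAX, RETAIL_BASE + int(SMOOTH * short))

def poisson(rng, lam):
    """Knuth's sampler. ASSUMPTION: the text only says 'highly variable, mean 4'."""
    threshold, k, p = math.exp(-lam), 0, rng.random()
    while p > threshold:
        k, p = k + 1, p * rng.random()
    return k

def simulate_month(seed=0, days=30, demand=None):
    """One month of daily operation; demand(rng) gives one retailer's demand for a day."""
    rng = random.Random(seed)
    demand = demand or (lambda r: poisson(r, MEAN_DEMAND))
    vendor, assembler, wholesale = 40, 20, 20    # ASSUMPTION: opening stock (40 is Fig. 5.4 B7)
    retail = [RETAIL_MAX] * N_RETAILERS
    production_queue = [0, 0]     # vendor output arrives two days later (Fig. 5.4: B9 = E8 + C7)
    vendor_shipment = in_assembly = assembler_shipment = wholesale_order_qty = 0
    retail_orders = [0] * N_RETAILERS      # placed at day end, filled by the wholesaler next day
    retail_shipments = [0] * N_RETAILERS   # sent by the wholesaler, received next morning
    assembler_called = False
    sales = shortage = holding = shipping = 0
    for _ in range(days):
        # Vendor: production scheduled two days ago arrives; ship if the assembler called.
        vendor += production_queue.pop(0)
        vendor_send = min(vendor, Q_ASSEMBLER) if assembler_called else 0
        vendor -= vendor_send
        production_queue.append(vendor_production(vendor))
        shipping += SHIP["vendor"] if vendor_send else 0
        holding += HOLD["vendor"] * vendor
        # Assembler: yesterday's receipt is finished today; fill the wholesaler's last order.
        assembler += in_assembly
        in_assembly, vendor_shipment = vendor_shipment, vendor_send
        asm_send = min(assembler, wholesale_order_qty)
        assembler -= asm_send
        assembler_called = assembler <= ROP_ASSEMBLER
        shipping += SHIP["assembler"] if asm_send else 0
        holding += HOLD["assembler"] * assembler
        # Wholesaler: receive yesterday's shipment, fill retailer orders in sequence (ASSUMPTION).
        wholesale += assembler_shipment
        assembler_shipment = asm_send
        short = max(sum(retail_orders) - wholesale, 0)
        sent = []
        for qty in retail_orders:
            sent.append(min(wholesale, qty))
            wholesale -= sent[-1]
        wholesale_order_qty = wholesale_order(short, wholesale)
        shipping += SHIP["wholesale"] if sum(sent) else 0
        holding += HOLD["wholesale"] * wholesale
        # Retailers: receive yesterday's shipment, meet today's demand, reorder if low.
        for i in range(N_RETAILERS):
            retail[i] += retail_shipments[i]
            d = demand(rng)
            sold = min(retail[i], d)
            retail[i] -= sold
            sales, shortage = sales + sold, shortage + d - sold
            retail_orders[i] = retail_order(retail[i], d - sold)
            holding += HOLD["retail"] * retail[i]
        retail_shipments = sent
    return {"sales": sales, "shortage": shortage, "holding": holding,
            "shipping": shipping, "profit": UNIT_MARGIN * sales - holding - shipping}

def monte_carlo(runs=1000, seed=0):
    """Repeat the month with independent seeds, as Crystal Ball repeats the workbook."""
    results = [simulate_month(seed * runs + i) for i in range(runs)]
    profits = [r["profit"] for r in results]
    shortages = [r["shortage"] for r in results]
    return {"runs": runs, "mean_profit": sum(profits) / runs,
            "min_profit": min(profits), "max_profit": max(profits),
            "p_negative": sum(p < 0 for p in profits) / runs,
            "mean_shortage": sum(shortages) / runs,
            "shortage_range": (min(shortages), max(shortages))}
```

Calling monte_carlo(1000) gives the same kind of summary the chapter reads off Fig. 5.8 and Fig. 5.9. The shortage figure counts unmet retail demand only, so it is not directly comparable with the "shortage across the system" of Fig. 5.9. Changing one rule at a time, for instance the 70% smoothing share or the retail cap of 8, shows which rule drives the loss probability; passing demand=lambda r: 0 gives a deterministic month that exposes the pure holding and shipping cost of the reorder policy.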
Row  Day  F (start)  G (received)  H (processed)  I (sent)       J (end)
10   4    =J9        =D9           =G9            =MIN(F10,M9)   =F10+H10-I10
11   5    =J10       =D10          =G10           =MIN(F11,M10)  =F11+H11-I11
Fig. 5.5 Core assembly model (rows 10 and 11 only; column labels follow the description in the text)
     A     K        L                    M                                                   N        O                    P
1                                        WholMin                                             20
2                                        WholMax                                             25
3
4          Whol
5    Day   Start    Demand               Order                                               End      Short                Sent
6    0
7    1     =20      =20                  =IF(O7>0,$N$1+INT(0.7*O7),IF(N7>$N$2,0,$N$2-N7))    =K7-P7   =IF(L7>K7,L7-K7,0)   =MIN(K7,L7)
8    2     =N7+I7   =T7+Y7+AD7+AI7+AM7   =IF(O8>0,$N$1+INT(0.7*O8),IF(N8>$N$2,0,$N$2-N8))    =K8-P8   =IF(L8>K8,L8-K8,0)   =MIN(K8,L8)
9    3     =N8+I8   =T8+Y8+AD8+AI8+AM8   =IF(O9>0,$N$1+INT(0.7*O9),IF(N9>$N$2,0,$N$2-N9))    =K9-P9   =IF(L9>K9,L9-K9,0)   =MIN(K9,L9)
10   4     =N9+I9   =T9+Y9+AD9+AI9+AM9   =IF(O10>0,$N$1+INT(0.7*O10),IF(N10>$N$2,0,$N$2-N10)) =K10-P10 =IF(L10>K10,L10-K10,0) =MIN(K10,L10)