Businesses face a myriad of risks that can impact their operations, reputation and bottom line. From financial uncertainties to IT vulnerabilities, the landscape of potential threats is vast and ever-evolving. This is where the concept of risk aggregation can be of value. By identifying and consolidating common risks across different parts of a company or group, businesses can gain a clearer picture of their overall risk exposure and develop more effective strategies to mitigate these risks. The idea for this blog came out of a client request that we received at Imergo for help in this area. We’ll explore the value of implementing risk aggregation approaches and provide practical steps to introduce this powerful tool into your business.
Why risk aggregation matters
Imagine you’re the captain of a ship navigating through treacherous waters. You have multiple crew members stationed at different parts of the ship, each reporting potential hazards they encounter. If you only focus on individual reports without seeing the bigger picture, you might miss the fact that several crew members are reporting the same hazard from different angles. Risk aggregation is like having a bird’s-eye view of the entire ship, allowing you to see the problem in its entirety and take coordinated action to avoid it.
The Value of Risk Aggregation
Enhanced visibility: By aggregating risks, businesses can identify commonalities and larger challenges that might not be apparent when looking at individual risks in isolation. This enhanced visibility allows for a more comprehensive understanding of the risk landscape.
Coordinated responses: When risks are aggregated, it becomes easier to coordinate group-wide responses. Instead of each department or subsidiary tackling similar risks independently, the organisation can develop unified strategies that leverage shared resources and expertise. This may involve risk escalation, a subject we explore in another post.
Efficient resource allocation: Aggregating risks helps in prioritising which risks need immediate attention and which can be managed over time. This ensures that resources are allocated efficiently, focusing on the most critical threats.
Improved risk management culture: Implementing risk aggregation fosters a culture of risk awareness and proactive management. It encourages collaboration and communication across different parts of the organisation, leading to a more resilient and prepared business.
Practical Steps to Implement Risk Aggregation
Now that we understand the value of risk aggregation, let’s dive into the practical steps to introduce this approach into a business.
Identify common risk events: The first step in risk aggregation is to identify the common operational risk events that could occur across the teams, departments or group of companies. This can be done by reviewing historical data from each team/entity or by conducting interviews with key stakeholders. Look for patterns and similarities in the types of risks that different parts of the organisation face.
Develop a taxonomy: Once you’ve identified common risk events, the next step is to develop a risk taxonomy. This involves categorising the operational risk events into specific types of risks, such as financial, IT, property, etc. A well-defined taxonomy helps in grouping similar risks together and identifying patterns across the organisation.
Establish a uniform approach to measurement and assessment: To ensure consistency, it’s important to establish a uniform approach to risk measurement. This includes agreed scales and descriptors for areas such as impact and likelihood. Instead of using absolute values, base the measurement on relative values like percentages and proportions. This equalises assessments across different parts of the organisation, making it easier to compare and aggregate risks.
Collect and normalise risk data: Collecting risk data from each company or department is a crucial step in the aggregation process. This may involve reviewing risk registers, conducting interviews with key personnel and analysing relevant documentation. Once the data is collected, normalise it to ensure comparability. Adjust for differences in team or department size, geographic location, and the nature of services provided. For example, calculate the frequency or severity of operational risk events as a percentage of the company’s revenue or number of employees.
Identify and analyse common risks: With normalised data in hand, identify the risks that are common to multiple teams, departments or other entities in the business. These risks may be identical in nature or related to a common external factor, such as regulatory changes. Analyse the aggregated data to identify patterns and trends across the organisation. This analysis will help in understanding areas of operational risk that are common across the business and developing strategies to mitigate these risks.
Aggregate and communicate the data: Aggregate the data by consolidating the risk events into a single, reportable risk that references the multiple component risks. Use data visualisation tools, such as charts or graphs, to present the aggregated data in a clear and concise way. For example, create a heat map that shows the frequency and severity of operational risk events by risk category and company. Communicate the results of the data analysis to key stakeholders within the group. This will help build awareness of operational risk and promote a culture of risk management.
Assign risk owners: Finally, assign risk owners to each risk item on the list. These individuals or teams will be responsible for managing each risk. Clear ownership ensures accountability and facilitates the implementation of risk mitigation strategies.
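The steps above can be run over real registers with very little tooling. The sketch below is an added example, not Imergo's own code: it maps local risk entries onto a shared taxonomy, scores them on relative values, and rolls risks shared by two or more entities into one reportable risk that references its components. The entity names, figures, keyword taxonomy, band thresholds and the "worst component sets the score" rule are all constructed assumptions.

```python
from bisect import bisect_right
from collections import defaultdict

# Constructed sample data: entity sizes and local risk-register rows.
ENTITIES = {
    "UK Ltd":   {"employees": 200,  "revenue": 20_000_000},
    "DE GmbH":  {"employees": 50,   "revenue": 4_000_000},
    "Group IT": {"employees": 1000, "revenue": 100_000_000},
}
REGISTER = [  # (risk id, entity, local description, events/year, annual loss)
    ("UK-07", "UK Ltd",   "Phishing email compromise", 6,  120_000),
    ("DE-02", "DE GmbH",  "Credential phishing",       4,  60_000),
    ("IT-11", "Group IT", "Phishing campaign",         10, 150_000),
    ("DE-05", "DE GmbH",  "Office flood",              1,  20_000),
]
TAXONOMY = {"phishing": "IT", "flood": "Property"}  # assumed keyword -> category
# Assumed group-wide 1-5 scales, defined on relative values (band upper edges).
LIKELIHOOD_BANDS = [0.5, 2, 5, 10]   # events per 100 employees
IMPACT_BANDS = [0.1, 0.5, 1.0, 2.0]  # annual loss as % of revenue

def categorise(description):
    """Map a local risk description onto the shared taxonomy."""
    for keyword, category in TAXONOMY.items():
        if keyword in description.lower():
            return category
    return "Uncategorised"

def normalise(row):
    """Convert absolute counts and losses to size-relative 1-5 scores."""
    risk_id, entity, description, events, loss = row
    rate = events * 100 / ENTITIES[entity]["employees"]
    loss_pct = loss * 100 / ENTITIES[entity]["revenue"]
    return {"id": risk_id, "entity": entity, "category": categorise(description),
            "likelihood": bisect_right(LIKELIHOOD_BANDS, rate) + 1,
            "impact": bisect_right(IMPACT_BANDS, loss_pct) + 1}

def aggregate(register, min_entities=2):
    """Roll risks shared by several entities into one reportable risk each."""
    groups = defaultdict(list)
    for item in map(normalise, register):
        groups[item["category"]].append(item)
    reportable = []
    for category, items in groups.items():
        if len({i["entity"] for i in items}) >= min_entities:
            worst = max(items, key=lambda i: i["likelihood"] * i["impact"])
            reportable.append({"category": category, "driven_by": worst["entity"],
                               "score": worst["likelihood"] * worst["impact"],
                               "components": [i["id"] for i in items]})
    return reportable
```

In this sample, Group IT reports the most phishing events and the largest loss in absolute terms, yet after normalisation the smallest entity drives the aggregated score, which is the effect relative measurement is meant to expose.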
The concept of connectedness
As you implement risk aggregation, you may also identify connected risks that could affect multiple parts of the business. Connected risks are those that are related to or dependent on other risks and have the potential to amplify the overall risk exposure of the organisation. Managing connected risks requires a comprehensive understanding of the various factors that contribute to them.
Criteria for identifying connected risks
Dependency: An interconnected risk is dependent on other risks or events and may be triggered or exacerbated by them. For example, a company’s supply chain heavily dependent on a single supplier could face significant disruptions if that supplier’s operations are affected.
Interconnectedness: An interconnected risk is linked to other risks or events within the organisation or the broader ecosystem. For example, a cyber-attack on one part of a business could have a ripple effect on other parts sharing the same network or systems.
Amplification: An interconnected risk has the potential to amplify the overall risk exposure of the organisation. For example, a damaged reputation due to a product failure could result in financial losses and affect the reputation of other departments or teams within the business.
Complexity: Interconnected risks are often complex and require a comprehensive understanding of the various factors that contribute to them. For example, exposure to climate change risks may be influenced by geographical location, nature of operations, and service locations.
Conclusion
Implementing risk aggregation approaches can significantly enhance an organisation’s ability to manage and mitigate risks. Incorporating the concept of connectedness further strengthens the organisation’s resilience by addressing interconnected risks that could amplify overall risk exposure. By following these practical steps, businesses can harness the power of risk aggregation to navigate the complex and ever-evolving landscape of operational risks, ensuring a safer and more secure future.