It is widely accepted that risk is calculated by multiplying the impact of an event by its probability of occurrence. Here, Hernan Huwyler has a look at some alternatives for measuring risk and how they fit into the day-to-day risk management framework. This article is aimed at clarifying common definitions and specific benefits of additional dimensions for measuring risks. It allows customization of risk methodology and registry to accommodate wider stakeholders’ needs. Risk velocity refers to the time elapsed from the event occurrence until the performance is impacted by a gain or a loss. It assesses how fast the chain of events will actually affect the business, in other words, the speed of onset. For instance, a high-risk velocity is a situation in which the consequences are immediately reflected into the business objectives such as a fire, an earthquake and many other natural hazards. Risk vulnerability refers to the tendency of assets to be affected by risks. It assesses how well the assets of a company are prepared to react to risks, including the mitigation plans and the crisis management skills. This variable is highly popular in information security, health and disaster risk assessments. Risk control effectiveness refers to how effectively the underlying processes and assets are controlled by the company. For instance, a robust control and compliance environment helps in the effectiveness of risk management plans. High effectiveness reduces the probability Risk preparedness refers to how effectively the company reacts once an event occurs, for instance by having implemented contingency plans, cost and schedule reserves or incident management tools. This dimension assesses the capacity to respond to and recover from a risk event. It measures the ex-ante investments in implementing early warnings, emergency and contingency measures and business continuity plans. High preparedness reduces the impact of a risk, particularly for high-velocity risks. Risk volatility refers to the stability of a risk over time, which makes its measurement difficult. The nature of emerging risks and unfamiliarity with new and undefined risk factors increases volatility. For instance, ever-changing compliance regulations increase the risk of receiving sanctions and litigation. Risks cannot be properly modelled and measured when the volatility in their factors is high to extreme. Risk programs adapt expeditiously in a more uncertain and volatile world. In this context, enterprise risk management should improve the continuous process to predict how the reputational and financial performance will be impacted by different variables. Risk managers should be pragmatic when deciding what dimensions are cost-effective to support the decision-making process of their companies

1. It is widely accepted that risk is calculated by multiplying the impact of an event by its probability of
occurrence. Here, Hernan Huwyler has a look at some alternatives for measuring risk and how they fit
into the day-to-day risk management framework
THE AUTHOR
Hernan Huwyler is a risk
management and internal
control specialist. His
background includes
management positions
with Veolia, Tenaris,
Baker Hughes,
ExxonMobil and Deloitte
Enterprise Risk Services
where he has served in
financial, audit and
compliance leadership
roles. He teaches
postgraduate courses in
risk, audit and
compliance at Instituto de
Empresa, Universidad
Complutense de Madrid,
the Comillas Pontifical
University and the Centro
de Estudios Financieros.
n the early days of enterprise risk
management as a discipline, it was
widely accepted that risk was calculated
by multiplying the impact of an event
by its probability of occurrence. Over time,
risk professional circles developed several
concepts to provide ever greater insights
to the actuarial approach based on impact
and frequency. Heat maps and risk
dashboards gradually integrated additional
measurement variables by using colors,
symbols and dot sizes. These new
concepts had not yet developed to
standard definitions and uses; and terms
are often mixed up by risk practitioners.
This article is aimed at clarifying common
definitions and specific benefits of
additional dimensions for measuring risks.
It allows customization of risk methodology
and registry to accommodate wider
stakeholders’ needs.
Velocity
This refers to the time elapsed from the
event occurrence until the performance is
impacted by a gain or a loss. It assesses
how fast the chain of events will actually
affect the business, in other words, the
speed of onset. For instance, a high-risk
velocity is a situation in which the
consequences are immediately reflected
into the business objectives such as a fire,
an earthquake and many other natural
hazards. Diseases caused by decades of
exposure to asbestos and the many
resultant legal claims are good examples of
low velocity risks. Understanding the
velocity of events is a key step in measuring
the impact of risks.
The velocity of risk can be linked to the
need for effective crisis management with
early detection and urgency for developing
action plans. It helps to assess how much
time will be available to prepare a
response and the number of warnings the
company will receive before a risk strikes.
Even the time elapsed to reflect the impact
of risk is discounted by calculation
methodologies, such as value-at-risk.
Showing this variable in risk maps helps
managers to prioritize action plans.
A related dimension, ‘risk persistence’, may
also show how long the effects of the risk
event are expected to last. Some ERM
practitioners divide risk velocity into the time
to impact from the occurrence to when the
consequences are felt and the time
to react, from the occurrence to when
the contingency actions should start.
Vulnerability
This refers to the tendency of assets to be
affected by risks. It assesses how well the
assets of a company are prepared to react
to risks, including the mitigation plans and
the crisis management skills. This variable
is highly popular in information security,
health and disaster risk assessments.
A highly vulnerable asset increases both the
impact and the frequency of risks. For
instance, a high vulnerability risk is a
situation in which there are deficiencies or a
lack of capacity exposing assets to threats.
Examples include, coastal areas in a
tsunami risk, unvaccinated people in an
epidemic, or unsecured servers in a hacking
attack. Understanding the drivers of
vulnerability is
30 The Risk Universe May 2017

2. a key step in identifying mitigation plans.
The vulnerability of a risk can be linked
to business resilience. Risk managers
make better unbiased assessments when
identifying the underlying vulnerabilities of
the physical and intangible assets under
evaluation. This dimension also allows for
monitoring the evolution of residual risks
after implementing the mitigation factors,
strategies and controls which build
resilient companies.
Effectiveness
This refers to how effectively the
underlying processes and assets are
controlled by the company. For instance, a
robust control and compliance environment
helps in the effectiveness of risk
management plans. High effectiveness
reduces the probability
Measuring risk
volatility allows
identification of
needs
for horizon
scanning,
Monte Carlo
simulations,
stress testing
and other
scenario-based
analyses
Measuring risk
of a risk occurring. Measuring the
confidence in the effectiveness of controls
helps to integrate risk into comprehensive
GRC initiatives.
Preparedness
This refers to how effectively the
company reacts once an event occurs, for
instance by having implemented
contingency plans, cost and schedule
reserves or incident management tools.
This dimension assesses the capacity to
respond to and recover from a risk event. It
measures the ex-ante investments in
implementing early warnings, emergency
and contingency measures and business
continuity plans. High preparedness
reduces the impact of a risk, particularly for
high-velocity risks.
The preparedness dimension can be
linked to the risk communication, the
training program and the need for testing
and improving contingency plans for
disruptive risks. The analysis of this
dimension is relevant for operational and
compliance risks, but critical for strategic
risks.
Volatility
This refers to the stability of a risk over
time, which makes its measurement
difficult. The nature of emerging risks and
unfamiliarity with new and undefined risk
factors increases volatility. For instance,
ever-changing compliance regulations
increase the risk of receiving sanctions and
litigation. Risks cannot be properly
modelled and measured when the volatility
in their factors is high to extreme.
Measuring risk volatility allows
identification of needs for horizon scanning,
Monte Carlo simulations, stress testing and
other scenario-based analyses.
Risk programs adapt expeditiously in a
more uncertain and volatile world. In this
context, enterprise risk management
should improve the continuous process to
predict how the reputational and financial
performance will be impacted by different
variables. Risk managers should be
pragmatic when deciding what dimensions
are cost-effective to support the decision-
making process of their companies.
May 2017 The Risk Universe 31