Is Quantitative the Only Future of Risk Management?

Quantitative methods for understanding how risk and uncertainty impacts the organization is a subject I’ve been focusing on more this year. Without a doubt, modeling, Monte Carlo simulation, and other advanced math-based methods can be a valuable tool for helping decision-makers in certain companies.

Many risk management thought leaders, including some I quote often like Hans Læssøe, strongly endorse a quantitative-based approach as the only way to provide risk insights to executives, managers, and the Board.

The recent Risk Awareness Week 2020 featured many speakers who advocate this approach, including conference organizer Alexei Sidorenko.

As he explains in a session entitled Risk Management 2.0, concepts like probability theory, neuroscience, and others have been around in one form or another for several centuries. Although not developed specifically for risk management, these techniques are also useful for managing risks and understanding how uncertainty will impact the achievement of objectives with the ultimate goal of improving decision-making.

Risk management standards like ISO 31000 and COSO have little to no mention of these methods, rendering them obsolete or, as Alexei puts it, “window dressing lacking of substance.”

While quantitative methods will certainly play a major role in the future of risk management, they must also be approached with caution.

Shortly after the New Year, I published a post on what companies must have first before embarking utilizing quantitative risk analysis. Instead of a single definitive impact, quantitative methods help you visualize a range of impacts that can help determine the best risk response strategy.

But as I explain in the post:

…organizations I work with typically have different trouble spots that need to be resolved before they are ready for ERM. Some of these organizations do not have established corporate governance policies, a strategic plan, or even decision-making fundamentals!

Let’s use the analogy of fitness.

Prior to my pregnancy a few years ago, my husband and I decided we wanted to invest more time in getting and staying fit. We began working with a personal trainer who tailored sessions to correspond to our current level of fitness and our goals.

Fast forward nearly 7 years and we’re both still working out, but at a more intense level. Instead of short 30-minute sessions 3 days a week, part of my routine now involves intense athletic training workouts that last for an hour or more.

If I would have started out at this level, I most certainly would have been overwhelmed and failed because I didn’t have the ability, knowledge, endurance, and mindset that I do today.

Many of the quantitative methods Alexei and others talk about can be characterized the same way. Going from nothing to advanced modeling and other math-based methods is a huge jump that many companies are simply not ready for.

Instead of a sudden giant leap forward, the future of risk management should be seen as a journey unique to each organization.

As Alexei explains, correctly in my view, many consultants tend to take a one-size-fits-all approach that tries to pigeon-hole clients into one particular model. Several companies I’ve spoken to in my time as a consultant have sadly been disappointed with results after spending significant sums of money trying to make a square peg fit into a round hole.

Companies who jump heavily into quantitative-based analysis without being ready are at high risk of overwhelm and wasted resources. Many companies simply are not ready for a “probability chart” that shows a range of outcomes they can expect from a given choice, even when I would love for them to use that kind of information for decision-making.

And for some industries, change happens so quickly that it can make re-running models cumbersome and frustrating, even for those who regularly use modeling (like property insurance companies and banks).

Instead of jumping right into modeling, one possibility to start this journey is for executives and the broader company to be more disciplined in their strategic and operational planning by asking challenging questions. Examples can include:

  • What are any internal and external dependencies to achieving this goal?
  • How confident are we that all of those dependencies will be in place when needed?
  • What if one assumption turns out not to be true? How does that impact achieving the goal?

These of course are general questions…there will certainly be relevant company or goal-specific questions that you should develop. For additional examples, check out this previous article on questions to ask during scenario planning.

Although I certainly agree that change must happen in how risks are analyzed and information is distilled to decision-makers, it can also be damaging to assume that there’s only one path to the future of risk management.

Thank you to Alexei and all of the presenters at RAW 2020 for their exhaustive insights into the current state and future of risk management. I look forward to watching more sessions and reporting back in the weeks ahead.

What has been your experience with quantitative risk analysis methods? Has any transition been smooth or has it been overwhelming?

I’m interested in learning more about your experiences, so please don’t hesitate to leave a comment below or join the conversation on LinkedIn.

If your company is trying to understand which tools are best for helping achieve your goals, feel free to contact me through my consulting firm today!

Featured image courtesy of Ali Pazani via Pexels.com

, , , ,

Related Posts

4 Comments. Leave new

  • Hans Læssøe
    October 28, 2020 6:50 am

    Carol, I was taken apart by your headline, but agree that if/when a company does not have decision and governance fundamentals in place – and for those quantitative analyses will be a bridge too far. The first risk management steps will be to identify what cam severely hamper you, and discuss decide what you intend to do about those. This will be highly biased and lead to some ineffective decisions, but also to addressing risks which were otherwise left un-addressed.

    Once, you have done that, you start looking at ensuring this process (of risk management) is effective, and start applying data/quantitative analyses to limit biases and ensure a more effective decision making.

    That said – professional consultant should NOT advocate qualitative assessments as more than an interim approach, and should replace risk matrices with scenarios. Anything else is “misconduct” in my view.

    Reply
    • Hello Hans – thank you for your comment and insights! The title was meant to be a little provocative, but I tried my best to not make it seem like I was dismissing quantitative approaches. My point was that many companies, at least ones I’ve spoken and worked with, would just spin their wheels if they jumped right into quantitative. Their culture and capacities are not conducive to using modeling and simulations effectively, at least in the early stages. Would it be wise of them to spend limited resources on outsourcing this if they wouldn’t know what to do with the information?

      However, I do agree that companies who can use quantitative approaches effectively will be in a much better position in the years ahead.

      I agree 200% that risk matrices/heat maps, etc. should be put aside in favor of scenarios. I wouldn’t say consultants who still cling to them are engaging in “misconduct,” but they are certainly behind the times. Thank you again – hope you’re doing well!

      Reply
  • Thanks for another insightful post Carol! Most risk events can’t be modelled quantitatively because there are simply too many unknowns – human behavior and biases – as two continually evolving examples! The alternative as you say is to ask challenging questions, understand key assumptions, and take the long term view. For financial risk decisions, like investment appraisal, quantitative analysis is absolutely valid. However, I do not understand why quantitative risk practitioners must be so dismissive of other management techniques and approaches? Perhaps they fear being replaced by machines!! And how do they manage the risk of inaccurate or incomplete data – would they perform more quantitative risk analysis??

    Reply
    • Hi Paul – thank you for your kind words and insights! You’re right about the issue of inaccurate or incomplete data; a model is only as good as the data that goes into it. Just look at the controversy around the notorious model re: COVID that projected 2+million deaths here in the U.S. I think the point that Alexei, Hans, and others are trying to make is quantitative models, et al can provide a range of possibilities that will drive better informed decisions…of course, just like other approaches, they only work as good as the numbers/info you put into it. You know, the whole garbage in, garbage out metaphor.

      But you are absolutely correct that there are certain areas that lend themselves to be qualitatively assessed rather than using numbers. The trick is identifying those and eventually moving what you can to be quantitatively assessed, even as baby steps.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.

Menu