Risk modeling has been prevalent for years in certain industries in which taking calculated risk is integral to the business, such as financial services and energy.
More recently, organizations throughout the public and private sectors have begun to adopt a wide array of risk models and simulations to start addressing strategic, operational, compliance, geopolitical, and other types of risk. Wider availability of data and sophisticated analysis capabilities is making modeling more practical; at the same time, the need to cope with an increasingly risky environment is making it more valued.
Dr. Patchin Curtis, director, Deloitte & Touche LLP in the United States, and leader of Deloitte’s Center for Risk Modeling and Simulation, discusses the whys and hows of making risk modeling an integral part of enterprise risk management.
A. The rise of Big Data and the introduction of dynamic data visualization tools have spurred an increased appetite for using data analytics to address risk. However, data analytics has its limitations, and one of them is that the historical data used is inherently backward looking. So, you’re seeing how a system has behaved in the past, and you can look for correlations, which can give you some indication of causation. But if you want to be predictive, you can’t extrapolate those results into the future assuming that the system will behave in the future as it has in the past. Circumstances and variables are always changing, and the past may not be a good predictor of the future. That’s where modeling comes in—as an adjunct to data analytics and other statistical techniques and a powerful decision-making tool in its own right.
A risk model is a mathematical representation of a system, commonly incorporating probability distributions. Models use relevant historical data as well as “expert elicitation” from people versed in the topic at hand to understand the probability of a risk event occurring and its potential severity. Gathering the right data is one of the two greatest challenges of risk modeling; the second is getting decision makers comfortable enough with the models and their underlying assumption to use them when making meaningful decisions.
A. Risk models are applicable in assessing many types of risk. You might want to understand the risk to achieving broad strategic objectives or answer very specific questions. Perhaps you want to understand threats to your supply chain, or evaluate the geopolitical risks of entering an emerging market, or how an adaptive adversary (such as a hacker or terrorist) might attack you. Once risk models are developed, they can be used to evaluate not only how a system behaves under normal operating conditions but also under hypothetical “what if” scenarios. This helps organizations determine their level of risk tolerance and evaluate how to build resiliency into systems to be able to withstand various impacts.
It’s a common misconception that risk models are inherently very expensive and require many months or even years to develop. There are many new tools available and accelerators that help in creating even fairly complex models relatively quickly—in a time frame measured in weeks to a few months.
A. Risk models tend to be sprinkled throughout an organization, so companies with a mature ERM program will have identified risk owners for their key risks and a governance structure. Governance is important to monitor and oversee the quality of the assumptions used in the various models, and to intervene if competing models are presenting divergent outputs and causing confusion.
Any company employing risk models needs to understand how those models fit into the bigger picture of how it gathers and uses information about risks to make decisions. An emerging tactic is for organizations to move toward what we’re calling a Risk Analytics Sharing Center—a hub where risk information is stored. This hub is tied to primary data sets and other types of business intelligence to give a dynamic view of risks and how they're changing. Risk models are used to present this view, alongside other dynamic forms of risk sensing and data analytics. Really mature organizations are going one step farther and integrating risk intelligence with business intelligence.
Eelco Schnezler and Michiel Lodewijk, Deloitte Netherlands directors, focus on model simulation to power enhanced decision making.
A model can be used to represent a system such as business or production process, or even a balance sheet. Simulation is the exercise of looking at how that model behaves under certain conditions or assumptions. The results of such simulations can be used to help guide decision making or to gain insights into the underlying system or process so that it can be made more efficient, stable, resilient, secure—whatever quality is desired. In turn, the model itself can be adjusted and strengthened based on the outcomes of the simulation or as the underlying conditions or assumptions change.
In risk management, simulation can be used to measure risks, to guide decisions and sensible actions in light of those risks, to take steps to reduce risks, and to monitor risks over time. Together, modeling and simulation help reduce the complexity and alleviate the unease of making pivotal business decisions or investments in two ways. First, the act of creating a model inherently involves stripping away extraneous information so that only the essential elements remain, thus reducing a multidimensional problem to a more manageable form. Second, using simulation to see how the underlying system behaves under certain conditions or scenarios helps avoid surprises, lending a measure of comfort in making decisions. Simulation also lends a measure of control in guiding the outcomes of those decisions, in that you can make adjustments to the system or process to suit.
What models and simulations should not be used for, however, is to replace business acumen and common sense. Modeling and simulation by their nature look primarily at “known unknowns” and present results in terms of the probability of an outcome occurring—there is always some uncertainty. One of the fallouts we’ve seen from various crises, whether financial or geopolitical or natural disasters, is that certain long-held, widespread assumptions are simply not relevant anymore. A simulation can be a very powerful tool to test assumptions, realistic or far-fetched, to see the impact on the model and, in turn, understand how assumptions impact decisions about how you run your business. Think of models and simulations as a compass to guide decision making, rather than an autopilot that makes decisions for you.
Receive the latest thinking from Deloitte on a wide range of issues and ideas related to Governance, Risk and Compliance. Update your Deloitte profile and start receiving the latest insights on risk.