There is a lot of unstructured talk about risk, which often comes across as “We know it when we see it,” with no clear way to define it. Computer models cannot live with this.
We start by defining two dimensions of risk:
1) Risk events - These are specific events that have an undesirable effect on a company which is not properly captured by the usual operational performance metrics.
2) Risk metrics - These are measures that quantify the risk events in some way.
Risk events come in two broad categories:
a) Exogenous causal events - Exogenous causal events can come from any number of sources: weather events (hurricanes, major snow storms, extreme temperatures), earthquakes, tsunamis, disease outbreaks, labor problems, regulatory changes, adversarial attacks (e.g. cyberattacks), major currency shifts, major changes in the economy, shifts in consumer behavior, and changes in technology (to name a few).
b) Performance events - These are specific outcomes of performance metrics for the company that are highly undesirable, and which have impacts beyond traditional performance metrics (such as earnings per share). Some examples are:
Performance events are often, but not always, triggered by exogenous causal events. A performance event can be inventory turns that exceed target, or earnings-per-share falling below a target, where neither is a result of any particular external event.
Risk events have to be defined by management to reflect their judgment that the events are not properly captured by the standard performance metrics. For example, low demand produces lower sales and revenue, but this is captured by standard operating and financial statistics. However, a stockout may produce lost future demand, or may send a message to the market of a shortage or inability to meet demand. These events have ramifications beyond their immediate impact, and as a result we need to manage these “risks” separately.
Read Part 1: Thinking About Complex Problems and Part 2: Performance Metrics.