Risk velocity measures how fast an exposure can affect an organizationReprints
The emerging concept of “risk velocity” is likely to be unfamiliar to most risk managers, but experts say its underlying principle — measuring how fast a risk may affect an organization — may be more pervasive in companies' risk management strategies.
As a quantitative metric, risk velocity is applied predominantly to risk assessment and mapping models within large firms' enterprise risk management programs.
Though a standard industry standard definition of risk velocity has not yet emerged for the term that began appearing in risk management consulting literature and research reports around 2007, it generally is defined as the speed with which a risk manifests itself, first as an occurrence and then as an impact.
According to the Arlington, Virginia-based Corporate Executive Board's most recent “State of Enterprise Risk Management” survey, nearly half of 90 global companies have added velocity metrics to their risk assessment models.
“It's only been in the last two or three years that we've begun to see it actually being used by companies in their internal risk quantification practices,” said Rich Michel, Atlanta-based senior vice president and risk management national practice leader at Wells Fargo Insurance Services Inc.
Outside the multinational level, experts say the vast majority of companies still measure and prioritize risk according to a two-dimensional analysis of the likelihood of an occurrence and the probable effect on their business.
However, many companies' risk management strategies are more than likely informed by a conceptual — often intuitive — understanding of the degree to which the velocity of risk can affect their business.
“It's probably been a fundamental part of risk management for some time, but without being singled out as its own discrete area of risk management,” said John Dempsey, New York-based managing director of claims preparation, advocacy and valuation at Aon Global Risk Consulting.
Whether it is done quantitatively or conceptually, assessing the velocity of a risk typically provides a more comprehensive sense of its potential threat, experts say. Consequently, risk managers can better align their prevention, mitigation and response strategies with the true nature of a risk, as well as more appropriately prioritize their allocation time and resources to the most pressing risk management needs.
“Risks that present themselves over a very short time frame require a fundamentally different type of mitigation, and indeed risk management strategy, than those that manifest themselves over a much longer period of time,” said Matt Shinkman, an Arlington-based senior director at CEB.
For example, a regulatory enforcement action for violating the Foreign Corrupt Practices Act and a global economic downturn likely would generate similar risk scores if assessed only for their probability of occurrence and projected impact. Mapped according to the traditional two-dimensional model, the two risks would appear to pose essentially the same amount of danger to a company.
By adding their respective velocities into the risk mapping formula, experts say risk managers likely would find that the FCPA violation is a far more immediate threat than the prospect of an economic downturn, simply because the time a company would have to mitigate the consequences of the regulatory action is far shorter than the time it would take to respond to an economic downturn.
John Sibson, vice president of strategy at Milwaukee-based Johnson Controls Inc., said the auto parts manufacturing firm began factoring velocity into the assessment and mitigation planning components of its ERM program in 2011, primarily to support a renewed senior executive focus on improving business continuity planning following a string of natural catastrophes that wreaked havoc on supply chains worldwide.
“We decided that it was important for us to develop a metric that shows us how fast some of these risks can pop up and impact our business, and add that into our risk assessment equation,” Mr. Sibson said.
Implementing the speed of risk as an assessment metric in its ERM program — in which risks are determined to be low-, medium- or high-velocity based on how long it would take an occurrence to affect the company — has dramatically affected Johnson Controls' prioritization of mitigation and response strategies for geopolitical unrest and business continuity, as well as product liability, data breaches and other high-velocity risks, Mr. Sibson said.
“It's brought to the forefront a few of the risks that, back when we started the ERM program in 2008, weren't showing up among our company's top risks,” Mr. Sibson said.
Similarly, the prospect of incorporating risk velocity into a broader analysis and mitigation strategy recently attracted the attention of Eamonn Cunningham, chief risk officer at Sydney-based shopping mall development and management firm Westfield Group.
“Our approach to assessing and mitigating risk needed to pay some regard to how quickly risk moves,” Mr. Cunningham said.
Rather than develop a quantitative scale to measure every risk the company might encounter, Mr. Cunningham said he's applied the concept of risk velocity in a much more informal manner, and generally reserved its use for risks that he and his staff determine would ultimately benefit the company.
“You need to be as judicious and pragmatic as you can in your application of this concept,” Mr. Cunningham said. “Otherwise, you run the risk of adding a layer of complexity where it isn't really warranted and there isn't any benefit to be gained.”