Not all of the risk concepts described in this section can be readily (or meaningfully) quantified, particularly if operational risks are involved. As we’ll see, however, they are nonetheless important in understanding the nature of risk in any organization and should form the basis of the questions that a risk manager asks when assessing risk. Let’s consider them in turn. Exposure What do I stand to lose? Generally speaking, the exposure is the maximum amount of damage that will be suffered if some event occurs.
All other things being equal, the risk associated with that event will increase as the exposure increases. For example, a lender is exposed to the risk that a borrower will default. The more it lends to that borrower, the more exposed it is and the riskier its position with respect to that borrower. Exposure measurement is a hard science for some kinds of exposures-typically those that result in direct financial loss such as credit and market risk-but may be much more qualitative for others, such as reputational risk. VolatilityHow uncertain is the future? Volatility, loosely meaning the variability of potential outcomes, is a good proxy for risk in many applications. This is particularly true for those that are predominantly dependent on market factors, such as options pricing.
Volatility also has broader applications for different types of risk. Generally, the greater the volatility, the higher the risk. For example, the number of loans that turn bad is proportionately higher, on average, in the credit card business than in commercial real estate.Nonetheless, it is real estate lending that is widely considered to be riskier, because the loss rate is much more volatile. Companies can be much more certain about potential losses in the credit card business-and prepare for them better-than they can in the commercial real estate business. Like exposure, volatility has a specific, quantifiable meaning in sorne areas of risk.
In market risk, for example, it is synonymous with the standard deviation of returns and can be estimated in a number of ways.However, the general concept of uncertain outcomes also is useful in considering other types of risk: a spike in energy prices might increase a company’s input prices, for example, or an increase in the turnover rate of computer programmers might negatively affect a company’s technology initiatives. Probability How likely is it that some risky event will actually occur? The more likely the event is to occur-in other words, the higher the probability-the greater the risk.
Certain events, such as interest rate movements or credit card defaults, are so likely that managers need to plan for them as a matter of course, and mitigation strategies should be an integral part of the business’s regular operations. Others, such as a fire at a computer center, are highly improbable, but can have a devastating impact. A fitting preparation for these is the development of backup facilities and contingency plans that will likely be used infrequently, if ever, but must work effectively if they are.Severity How bad might it get? Whereas exposure is typically defined in terms of the worst that could possibly happen, severity is the amount of damage that is actually likely to be suffered. The greater the severity, the higher the risk. Severity is the partner to probability: if we know how likely an event is to happen, and how much we are likely to suffer as a consequence, we have a pretty good idea of the risk we are running.
Severity wiil often be a function of other risk factors, such as volatility.For example, consider a $100 equity position. The exposure is $100, since the stock price could theoretically drop all the way to zero and all the money tied up in the stock could be lost. In reality, however, it is not likely to fall that far, so the severity is less than $100. The more volatile the stock, the more likely it is to fall a long way.
The severity associated with this position is therefore greater, and the position more risky.As with our other risk factors, this way of thinking also can be applied to risks that are less easy to quantify. Consider, for example, the succession process after a key employee leaves or retires. Given that a change in management must occur at some point in time, and that the succession of new management will generally have a significant and potentially disruptive impact on the organization, it is alarming that companies don’t plan more carefully for this risk.