Tail risk, that is risk with low probability and high impact, is often neglected by traditional enterprise risk management. Indeed, the rarity of tail risks makes them easy to overlook, especially when so many everyday risks need attention.
It turns out, however, that tail risks actually inflict the most damage to organizations and operational resilience efforts. Data collected by a consortium of the world’s largest banks, revealed that the most frequent incidents – 61% – caused just 5.7% of losses. A mere 0.3% of total risk events, however, caused a staggering 63% of losses.
Given the presence and size of tail risk, how do you look for the causes? How can you spot early signs of trouble? And is tail risk always a surprise?
Why Businesses Tend to Underestimate Tail Risks
Despite the significance, tail risks are often underestimated by ERM programs simply because it’s human nature to focus on the most frequent and recent events instead of the less visible. Tail risks are doubly difficult to prepare for because they don’t typically occur from a single severe event. Tail risks are usually the result of a perfect storm of conditions that align to cause devastating damage.
Think of a diamond, the hardest naturally occurring substance on Earth. You can hammer a diamond over and over and cause no damage. But when you hit it at exactly the right point, it will smash apart.
Likewise, a risk event combined with a systemic weakness can turn into a point of destruction. Organizations with interconnected operations that lack the cushion of strategic redundancies are particularly vulnerable to a destructive chain of events. These kinds of systemic weaknesses are often downplayed by traditional risk models because of their low probability.
Prepare for Tail Risks
“Large events are rare when you control them well,” said Dr. Ariane Chapelle in a recent Risk@Work webinar. If you don’t look when you cross the street, it’s just a matter of time before you’re hit by a bus. The likelihood of the event (getting hit) depends on how well you control your losses (looking both ways first) and how well you monitor them.
So how do you find these fatal flaws? Here are three techniques:
- Factor analysis breaks down complex situations by deconstructing scenarios. It looks at independent risk sources to identify weak points and potential points of failure. For instance, factor analysis for third-party risk might assess your supply chain for supplier reliability, transportation risks, inventory management, and other exposures. This method helps untangle a complex web of factors contributing to tail risks to form the basis of risk mitigation efforts.
- Monte Carlo analysis combines an array of possible scenarios, each weighted for likelihood and impact, and simulates their potential outcomes. This type of analysis provides information about the probability that risks will play out in combination.
- Comprehensive tail-risk assessments go beyond simple risk identification to address emerging risks through ongoing monitoring and adaptation. This technique emphasizes a deep understanding of the interdependence between controls in risk management. For example, a comprehensive tail-risk assessment in the healthcare sector might involve continuous monitoring of patient care protocols and assessing the interdependence of critical healthcare processes. It might also include measures for monitoring evolving medical technology.
Scenario Analysis and the Swiss Cheese Model
Scenario analysis drills down into the components of tail-risk assessments to assess the probability and likelihood of different drivers of impacts so you can see your points of action. Tail risk depends on how your controls are layered and how dependent or interdependent they are to each other.
Dr. Chapelle uses James Reason’s “Swiss Cheese” model to illustrate the point. Applied to a practical example involving four controls, each with a 10% failure rate, the model illustrates the impact of the collective reliability of the controls. Stacked controls are only effective when independent. The weaknesses in multiple controls can be exploited by certain risk events – like lining up the holes in slices of Swiss cheese.
Once you have done the modeling, you can see where your controls are, your main causes of impact, and your weaknesses to see if you need to do more.
“People think they have many controls. But when you layer your controls, you have to make sure that the holes are not aligned,” says Dr. Chapelle. “The level of independence between your controls is much more important than the individual reliability. If your controls are all dependent, they’ll fall like dominos.”
Operational resilience is about having the capacity to absorb operational shocks – and the aftershocks. And when the dominos fall, there goes your operational resilience. A financial hit, for instance, can have all sorts of aftershocks like reputational damage, customer defection, and talent depletion that can have an exponential effect on the business.
Ditch the outdated mindset focused on chipping away at frequent, but insignificant risks. Says Dr. Chapelle: “It’s actually healthy for risk management to ignore the little things because it allows you to save your cognitive capacity, your time, your effort, and your attention span for something that matters.”
How much would your operational resilience improve if you could manage to avoid – or even reduce – tail-risk danger?
For more on tail risks, download our ebook, The Hunt for Hidden Risks, and check out Riskonnect’s Enterprise Risk Management software solution.