Mr. CFO or: How I Learned to Stop Worrying and Set an Operational Risk Management Budget

by CyberGRX

For fields as quantitative as finance and risk, CFOs and CROs often struggle to determine a holistic operational risk management budget (specifically, the risk management overhead), to calculate ROI, and to communicate value creation to the Board, fellow executives, employees, and other interested stakeholders.  While there is a plethora of effective tools that are second nature to sophisticated risk managers and financial analysts, they tend to be applied only to the underlying risks and potential losses and are not well understood outside of a minority of industries. 

At the same time, I have yet to see a risk management department devoid of staff, software, and other costs, and operational risk is a very real issue that every business needs to manage.

The real tragedy is that some fairly digestible and extremely useful concepts are hidden behind a wall of dense math full of weird symbols that are vaguely recognizable but long forgotten. 

Therefore, I humbly present a layman’s guide to the financial mathematics of operational risk management measurement and its application to corporate finance, assuming this hypothetical layman is a highly educated, trained and experienced finance professional. 

This is intended to be a mental framework, rather than an Excel template.

Establishing the Base: Inherent Risk

Inherent risk can be simply described as the amount of risk a company faces if they did nothing at all to manage risk.  The easiest way to think about inherent risk is as an aggregation of discrete loss events, which are measured in terms of impact and likelihood.  If you wrote out a list of possible adverse scenarios with the probability of them occurring in a 12-month period (likelihood) and what it would cost to resolve (impact), then plotted them on a histogram, you would get something that looks like this:

[Figure: operational risk management (inherent risk histogram)]

You can do fancy things with event correlation to change the shape of that curve, but that is beyond the scope of this article.  The simplest risk management budget would be to reserve the median amount in accounts such as allowance for doubtful accounts or shrinkage and not spend anything on risk management. 

Obviously, fewer resources can be ultimately deployed if the risk is managed strategically, but it is important to understand what your base is in order to measure ROI and the value that risk management activities are generating for stakeholders.  Everything should be framed as a reduction of inherent risk.

Budgeting Step 1: Tail Risk

The first risk to manage is the catastrophic risk that will shutter your business.  It’s exceedingly difficult for your other departments to generate value if they don’t exist.  Figure out the maximum amount of pain your company could take and still survive and draw a line there on your chart.

Every event to the right of that line needs to be managed to the left, which primarily means investments in reducing impact.  If the impact cannot be reduced at a reasonable cost, your next best option is to attempt to reduce the likelihood, but don’t forget about risk transfer (insurance).  Determine what you can spend here to maximize risk reduction with a borderline money-no-object mentality and consider this your fiduciary minimum risk management budget.  The combined likelihood of whatever residual risk remains to the right of your line is essentially the probability of declaring bankruptcy every year.

Budgeting Step 2: Residual Risk

With your tail sorted out, now you can attack the meaty part of the curve.  Residual risk can be simply described as the amount of risk a company still faces after all of their efforts to manage risk.  Figuring out where to invest your operational risk management budget is a classic project evaluation problem and can be treated the same way as any other strategic initiative.  You should expect to see some low hanging fruit that substantially reduces the risk for a minimal cost and some bad apples that cost a fortune to barely move the curve.  It will generally get more and more expensive to keep generating the same amount of value (in this case risk reduction), just like any other project portfolio.

A best practice here is to treat risk management initiatives like every other proposal and consider them together, not in a silo.  The only caveat is in your calculation of positive cash flows.  Instead of coming up with a complex model, the easy shortcut is to estimate current and pro forma residual risk (impact times likelihood) of only the risks relevant to the proposal (rather than enterprise-wide) and treat the delta as your positive annual cash flow from the project.  If it clears your hurdle rate, add it to your budget.  If not, invest in that marketing initiative and accept the risk (treat risk transfer as another project).

Budgeting Step 3: Loss Reserves

In step 1 you figured out what you have to spend and in step 2 you determined what you want to spend.  Based on those decisions, you should be able to estimate a pro forma residual risk curve in the same fashion as your inherent risk curve.  Hopefully, it looks something like this:

[Figure: operational risk management (pro forma residual risk curve)]

The last step is to book a loss reserve equivalent to the new median.  Your controller and auditors will likely prefer that you allocate the total into traditional allowances and reserves, but they are fundamentally fungible.  The total reserve (M1) can be characterized as the amount of risk that isn’t worth mitigating, and the delta between the inherent risk median (M0) and M1 is the amount of value created by your risk management activities every year.  It follows that ROI can be easily calculated given the budgeted spend calculated in steps 1 and 2, and the risk management ROI formula can simply be expressed as reserve reduction (return) over risk management budget (investment).
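The three budgeting steps above, worked through as an added Python example that is not part of the original article: it builds a constructed risk register, draws the survival line, takes the tail fix as the fiduciary minimum, screens discretionary proposals with the article's impact-times-likelihood shortcut against a hurdle rate, and reports M0, M1 and ROI. Two assumptions are labelled in the code: the reserve is approximated by expected annual loss (the mean) rather than the curve's median, and a proposal clears the hurdle rate when its annual risk reduction divided by its annual cost meets that rate (a perpetuity approximation).

```python
import math
from collections import namedtuple
# likelihood: probability of occurring in a 12-month period; impact: cost to resolve in dollars
LossEvent = namedtuple("LossEvent", "name likelihood impact")
# An initiative re-prices one named event to a new likelihood and impact for an annual cost
Initiative = namedtuple("Initiative", "name annual_cost event new_likelihood new_impact")

def expected_loss(events):
    # Reserve proxy: sum of likelihood x impact (assumption: the mean, not the curve's median)
    return sum(e.likelihood * e.impact for e in events)

def ruin_probability(events, survivable_loss):
    # Step 1: combined likelihood of at least one event to the right of the survival line
    return 1.0 - math.prod(1.0 - e.likelihood for e in events if e.impact > survivable_loss)

def apply_initiative(events, init):
    return [e._replace(likelihood=init.new_likelihood, impact=init.new_impact)
            if e.name == init.event else e for e in events]

def risk_reduction(events, init):
    # Step 2 shortcut: delta of impact x likelihood for the relevant event only
    before = next(e for e in events if e.name == init.event)
    return before.likelihood * before.impact - init.new_likelihood * init.new_impact

def clears_hurdle(events, init, hurdle_rate):
    # Assumption: the annual reduction is a perpetuity, so NPV > 0 iff reduction / cost >= rate
    return risk_reduction(events, init) / init.annual_cost >= hurdle_rate

def plan_budget(inherent, survivable_loss, tail_fixes, proposals, hurdle_rate):
    # Steps 1-3 end to end: returns budget, residual ruin probability, M0, M1 and ROI
    events, spend = list(inherent), 0.0
    for init in tail_fixes:            # fiduciary minimum, taken regardless of ROI
        events, spend = apply_initiative(events, init), spend + init.annual_cost
    for init in proposals:             # evaluated like any other project proposal
        if clears_hurdle(events, init, hurdle_rate):
            events, spend = apply_initiative(events, init), spend + init.annual_cost
    m0, m1 = expected_loss(inherent), expected_loss(events)
    return {"budget": spend, "ruin_probability": ruin_probability(events, survivable_loss),
            "M0": m0, "M1": m1, "roi": (m0 - m1) / spend}

# Constructed sample risk register (illustrative values, not real data)
INHERENT = [LossEvent("ransomware outage", 0.05, 8_000_000),
            LossEvent("vendor data breach", 0.10, 2_500_000),
            LossEvent("invoice fraud", 0.30, 150_000),
            LossEvent("shrinkage", 0.90, 60_000)]
TAIL_FIXES = [Initiative("backup and recovery", 400_000, "ransomware outage", 0.05, 3_000_000)]
PROPOSALS = [Initiative("vendor risk program", 120_000, "vendor data breach", 0.04, 2_500_000),
             Initiative("invoice dual control", 60_000, "invoice fraud", 0.10, 150_000),
             Initiative("shrinkage sensors", 500_000, "shrinkage", 0.90, 50_000)]
SURVIVABLE_LOSS, HURDLE_RATE = 5_000_000, 0.15
```

With the constructed register the tail fix alone moves the only event beyond the survival line back inside it, the two cheap proposals clear the hurdle while the sensor project is rejected, and the ROI comes out as the 430,000 reserve reduction over the 580,000 budget.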

Actually calculating the amounts described above in a mathematically rigorous way requires a fair amount of time and money.  However, making that investment only guarantees increased precision, not necessarily accuracy.

Most management teams can come up with a fairly complete list of risks with reasonable likelihood and impact estimates if they sit down and make the effort.  Even so, going through a comprehensive quantification exercise is not actually necessary in the first place for the purposes of my premise.  Understanding the entire process at a theoretical level provides a framework to evaluate individual decisions efficiently.

If approving a new risk management initiative, ask for an estimate of the directly attributable risk reduction to evaluate the costs.  If you have better investment opportunities available, you can cut through the sometimes breathless justifications that over-emphasize impact and ignore likelihood.  Perhaps you can insure the tail and eat the rest, as the expected profits from another initiative will more than cover the expected losses from accepting a risk.  If reviewing an existing control, ask yourself what value you are truly getting from the activity and whether those resources can be better deployed elsewhere.