Every authoritative guideline on risk management advocates the quantitative (that is, probabilistic) evaluation of risk using Monte Carlo simulation, from ISO [1], COSO [2], NASA [3], RAND Corporation [4], AACE International [5] and APM [6] to Solvency II [7] and Basel II/III [8]. Terminology varies somewhat, but there is general agreement on the basic process of risk management, shown in the following diagram. The key weak spots in the process are typically that risks are evaluated poorly (whether qualitatively or quantitatively), and that the data collection which supports identifying and evaluating risks and their mitigation is of low quality. In addition, the key failures in applying this process are: establishing the context; actually implementing the risk mitigation strategies that have been agreed; and checking that the mitigations stay in place (highlighted in the diagram).
Quantitative risk analysis (QRA) forms only a part of the whole risk management process (in the ‘Evaluate the Risks’ section), but it is agreed by all the authorities listed above to be an extremely valuable part. QRA is recommended because it allows one to move beyond describing risks in vague terms like “possible” and “likely” that offer no significant decision-making information, to talking in terms of numbers like “a 10% chance of losing more than $50 million”.
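The kind of statement QRA produces, worked through as an added example rather than code from the original paper: a constructed three-risk register is simulated by Monte Carlo to estimate the chance that total annual loss exceeds $50 million. The risk names, probabilities and loss ranges are illustrative assumptions, not measured figures.

```python
import random
from dataclasses import dataclass

# Constructed sample register ($M); figures are illustrative, not measured.
@dataclass(frozen=True)
class Risk:
    name: str
    p: float      # annual probability the risk materialises
    low: float    # minimum loss if it does
    mode: float   # most likely loss
    high: float   # maximum loss

REGISTER = [
    Risk("Ransomware outage", 0.15, 2.0, 8.0, 40.0),
    Risk("Customer data breach", 0.08, 5.0, 20.0, 90.0),
    Risk("Cloud provider failure", 0.30, 0.5, 1.5, 6.0),
]

def simulate_annual_losses(register, iterations=20_000, seed=1):
    """One sampled total loss per simulated year.
    Each risk occurs with probability p; its loss, when it occurs, is drawn
    from a triangular(low, mode, high) distribution. Summing over the
    register gives the aggregate annual loss for that simulated year.
    """
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    totals = []
    for _ in range(iterations):
        total = 0.0
        for r in register:
            if rng.random() < r.p:
                total += rng.triangular(r.low, r.high, r.mode)
        totals.append(total)
    return totals

def exceedance_probability(losses, threshold):
    """P(total annual loss > threshold), estimated from the samples."""
    return sum(1 for x in losses if x > threshold) / len(losses)

def percentile(losses, q):
    """Nearest-rank q-th percentile (0-100) of the sampled losses."""
    ordered = sorted(losses)
    return ordered[round(q / 100 * (len(ordered) - 1))]

if __name__ == "__main__":
    losses = simulate_annual_losses(REGISTER)
    print(f"Expected annual loss: ${sum(losses) / len(losses):.1f}M")
    print(f"P(loss > $50M):       {exceedance_probability(losses, 50.0):.1%}")
    print(f"90th percentile loss: ${percentile(losses, 90):.1f}M")
```

Swapping a qualitative "likely" for a calibrated p and a loss range in the register is all that is needed to turn the label into an exceedance probability a decision-maker can act on.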
Despite this, only about one quarter of corporate strategic planning departments truly use simulation analysis (the most useful means of evaluating risks), and only a third quantify their risks at all [9]. In our experience, the primary reasons for this gap in take-up are:
- The perception that probabilistic modeling is too difficult to implement;
- The models are ‘black boxes’ that few people understand and can explain;
- Management are unclear about how much they can trust the analyses, what they can learn from them, or how to use the results; and
- The perception that risk analysis is a lot of guesswork somehow turned into hard numbers that can be wildly inaccurate.