When companies look at risk, they may follow the conventional formula “Risk = Probability x Impact.” While this approach isn’t incorrect and is in common use across industries, it’s probably more accurate to view risk as:
Here’s why: any organization can have a risk that’s low probability, but high impact — often referred to as “tail risks.” If a tail risk occurs, what will matter most is the resilience of the organization — how quickly you can bounce back and continue normal operations. If you’ve already planned for resilience, the impact of a tail risk may be reduced.
Planning for tail risks has been a key area of interest for me in my previous roles including in the cyber-security industry, the Risk Division of Goldman Sachs, and in the Strategy Directorate of the British Army. In this article, we’ll highlight one way to identify tail risks and break down best practices to define controls and resilience strategies to help ensure your company’s survival in the face of such events.
What Are Tail Risks? The Tail End of the Bell Curve
When I was in financial services and in the British Army, we’d look at the center of the bell curve to identify the risks we thought would be coming our way in the near future: low-impact/high-probability risks. But we’d also look at the tail of that bell curve, the high-impact/low-probability risks — the ones that might only happen once in a thousand years — because there was still some chance that these risks would occur and, if they did, the impact of the event might be catastrophic. By identifying these tail risks and ensuring that resilience plans were in place, we could ensure the survivability of the organization.
Planning for these “tail risks” will help your business survive such events. Consider: an earthquake can impact an office even where earthquakes seldom happen. Conflict breaks out where your business operates, in a part of the world that’s generally regarded as stable. Companies need to understand what the impacts of tail risks could be — and be able to react if these risks occur. Several high-profile banking failures have been featured in recent news, highlighting potential consequences when risk management and resilience plans are not adequate.
Tail Risk Control and Resilience: Key Questions to Ask
Resilience planning starts with identifying high and critical inherent risks — risks to the business if there are no controls in place — through your assessment process. Explore which risks could have the greatest impacts to your organization, then examine what controls you have around each of these high or critical risks. Now you know how bad it could get if your controls fail.
For each tail risk identified, ask:
- How strong are our controls for this risk? Is there only a single control managing this risk right now — and if there is, how robust is it? How often is it tested? Can controls be enhanced to reduce the risk? One organization I worked with recognized loss of certain key information as a tail risk. Their controls included making multiple backups of the data. Our investigation showed that the data was indeed written to different drives, but they were all in the same server. It was improbable that all drives would crash, but it wasn’t zero probability, and if there was a fire or sprinklers discharged, then both sets of data could be impacted at the same time. We amended controls so that the data was written to multiple drives in separate data centers.
- Can the risk be transferred? Cybersecurity insurance, storm insurance, and business resilience insurance are all examples of risk transfer mechanisms. While this does not prevent the risk from occurring, it does provide a level of financial resilience to the organization.
- Do we have a viable resilience plan if the controls fail and the tail risk occurs? Consider costs related to any resilience plan. These costs alone could represent a threat to your organization’s financial viability, in which case the resilience plan itself is not viable.
- Which entities within the business have risks that could impact the organization overall? Regulatory fines for violations of the European Union’s General Data Protection Regulation (GDPR) within a single business entity, for example, can be as much as four percent of the parent firm’s global annual turnover, as in the notable Facebook example.
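As an added illustration (not code from the article or its author), a small Python risk-register helper that computes the conventional Probability x Impact figure, flags low-probability/high-impact entries that this figure understates, checks control depth, and tests whether backup copies share a failure domain, as with the same-server backups described above. The register entries, thresholds (`p_max`, `impact_min`), server and data-center names are all constructed assumptions.

```python
from dataclasses import dataclass, field
@dataclass
class BackupCopy:
    drive: str
    server: str
    data_center: str
@dataclass
class Risk:
    name: str
    probability: float  # estimated annual likelihood, 0..1
    impact: float       # estimated loss if the risk occurs (currency units)
    controls: list = field(default_factory=list)

def expected_loss(risk):
    """The conventional Risk = Probability x Impact figure."""
    return risk.probability * risk.impact

def is_tail_risk(risk, p_max=0.01, impact_min=1_000_000):
    """Low-probability/high-impact entry; thresholds are assumed, tune per organization."""
    return risk.probability <= p_max and risk.impact >= impact_min

def shared_failure_domains(copies):
    """Attributes every backup copy has in common, i.e. a shared point of failure."""
    shared = {}
    for attr in ("drive", "server", "data_center"):
        values = {getattr(c, attr) for c in copies}
        if len(values) == 1:
            shared[attr] = values.pop()
    return shared

def review_register(register):
    """Map each tail risk to the questions it raises (resilience plan, control depth)."""
    findings = {}
    for risk in register:
        notes = []
        if is_tail_risk(risk):
            notes.append("tail risk: plan resilience, not just expected loss")
            if len(risk.controls) < 2:
                notes.append("single control: add an independent control")
        if notes:
            findings[risk.name] = notes
    return findings

# Constructed register and backup layouts (before and after the fix); not from the article.
REGISTER = [
    Risk("phishing leads to account takeover", 0.30, 50_000, ["MFA", "awareness training"]),
    Risk("loss of key customer data", 0.001, 20_000_000, ["multiple backups"]),
]
BACKUPS_BEFORE = [BackupCopy("sda", "srv-01", "dc-london"), BackupCopy("sdb", "srv-01", "dc-london")]
BACKUPS_AFTER = [BackupCopy("sda", "srv-01", "dc-london"), BackupCopy("sdb", "srv-07", "dc-dublin")]
```

Both constructed risks have a similar expected loss (15,000 vs 20,000), yet only the second is a tail risk needing a resilience plan; the backup check returns the server and data center as shared domains before the fix and nothing after it.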
Ultimately, your board must sign off to demonstrate they accept risks, costs of controls, and the viability (and potential costs) of resilience plans.
When trying to plan for the most unlikely, unexpected, and unanticipated risks that could cause major disruptions to your business, implementing connected risk technology can provide valuable visibility into risk data and trends, enabling you to identify and plan for tail risks. A compliance management solution can help ensure alignment with key frameworks and regulations, and assist with mapping out related controls. An integrated platform can identify your mitigation actions for regulations like GDPR, reducing siloed risk management so that you can prepare more effectively for emerging or unexpected risks. Lastly, any resilience plan must stand up to scrutiny by risk committees, the board, auditors, and regulators. Your decisions at each stage must be auditable.
Low-Probability/High-Impact Risks Warrant Resilience Planning
It’s critical that businesses implement adequate controls and plan for resilience in the event of tail risks occurring. A great example of resilience done well is when Hurricane Sandy hit New York; the preparations of one major bank for such disasters meant that the office was one of the few buildings in Lower Manhattan with power — captured in an iconic photograph. Your efforts to identify and plan for tail risk resilience could make the difference in safeguarding your organization’s ability to survive.
Markis Duggan is a Manager of Product Solutions at AuditBoard UK&I. He is an experienced risk professional with extensive expertise in financial services, government organizations, and the technology and cybersecurity industries. Connect with Markis on LinkedIn.