It may not take a rocket scientist to solve most problems, but that isn't necessarily the case when it comes to risk quantification. Just ask Beaumont Vance, senior risk manager at Sun Microsystems Inc. Vance has been trying to put a dollar value on operational risks, and he has found a pretty novel solution–courtesy of the National Aeronautics and Space Administration (NASA)–called expert elicitation. At NASA, the process is used to measure Space Shuttle risks; at Sun, Vance is focusing on operational risk, "trying to quantify what in the past has been unquantifiable."

A couple of PhD statisticians from Sun's engineering side introduced NASA's probabilistic calculation to the risk manager. He presents a simple analogy of how expert elicitation works: "If you ask 100 people at a county fair to guesstimate the number of jelly beans in a jar, then take their answers and average them out, the answer converges on reality," says Vance, who is based in the Denver office of the $11.5 billion IT service, software and hardware company. "It's pretty amazing."

Vance has applied expert elicitation to Sun's operational risks in the past year–measuring, for example, the risks of expanding into a foreign location or the possibility of a massive California earthquake. "We bring in a group of people who are experts in the area of the risk we're assessing, and then sit them down with our risk management department," he says. "The experts flesh out the drivers [of the risk] and calculate them numerically in terms of probability and severity. We then multiply the monetary numbers for probability and severity, and subtract out planned mitigation strategies. The metric we end up with at the end is compared to similarly produced metrics on other risks, giving us a way to rank operational risks for capital allocation purposes."

Although an exercise like expert elicitation seems more art than science, accounting firms give it credence. "Experts can turn subjectivity into objectivity," says Bob Yanak, a principal in accounting firm Grant Thornton's business advisory services unit in Seattle. "You put a dozen senior executives in a room that have been around for a while, and I can spend a month with a mathematical model and come up with the same results as the guys in the room."

While companies have routinely measured and placed a value on financial exposures in such areas as foreign exchange, commodity prices and investment portfolios, they have tended to do best-guess scenarios for broad, but mathematically squishy, operational exposures that can run the gamut from breakdowns in internal controls and corporate governance to failures of information technology systems, product recalls and more nightmarish events like major terrorist acts, global warming and an avian flu pandemic. Thanks to the Sarbanes-Oxley Act and a swarm of rules and criteria linking a company's risk assessment to its internal controls, that's just not going to be good enough in the very near future.

THE NOOSE TIGHTENS

Companies are now being strongly urged–and, in some industries, ordered–to put a number on operational risks and then rank them in terms of the potential impact on the enterprise. In financial services, for instance, the recent Basel II international banking accord compels companies to quantify operational risks when determining the adequacy of their capital reserves. Although other industries are not yet under a similarly rigorous mandate, some experts suggest that Basel II sets an example of good risk management for all companies. "The Basel II reforms call for banks to evaluate key risk indicators for likelihood and [potential] impact, using assumptions that are part of intuitive risk management," explains Tim Leech, chief methodology officer at Sarbanes-Oxley consulting firm Paisley Consulting. "Simple pieces of data turn subjective decisions on the likelihood of something happening into fact-based conclusions, but only if you take the extra step and quantify your analyses."

Credit ratings agencies–still defensive over their failures to identify ticking time bombs in companies like Enron Corp. and WorldCom Inc.–are also beginning to include in their credit evaluations a company's ability to enumerate its risks. "We're looking at how an enterprise measures risk–how it goes about it using a combination of quantification tools, technology, historical observations, regression analyses, consultants and in-house skills to quantify their exposures," says Neri Bukspan, managing director and chief accountant at Standard & Poor's Corp. in New York. This means that S&P and other ratings agencies are no longer going to be satisfied with numbers on risk; they want to see how a company arrived at them.

GETTING IT JUST RIGHT

So, while Vance may be in the minority at this juncture using a sophisticated tool like expert elicitation, he will not be alone for long in his struggle to find more exacting methods to put a number on corporate operational risks. And experts readily admit the effort poses a significant challenge for companies of all sizes. "Operational risks are extremely broad; virtually anything a company manages, such as product quality and customer service, creates operational risk," asserts enterprise risk management guru James Lam, president of James Lam & Associates and the author of several books on the subject. "You underestimate this risk and you jeopardize assets. You overestimate it and you jeopardize equity. You need to understand how operational risk can impact the balance sheet structure, and the organization's leverage, income statement, cash flow and earnings at risk, and how external variables drive revenue volatility, expense volatility and loss volatility. And you can't do any of this without quantification."

So how does one begin the uphill slog to quantification? The goal in operational risk quantification is to establish a process for collecting risk-based information, both data and expert opinion, and then formulate a methodology to quantify the risk in dollar terms. Although data may be scarce on a particular risk–predicting the time and location of a terrorist incident is an example–just going through the exercise helps companies better prepare for the event, no matter how remote. "We may not end up with absolute, objective quantification through expert elicitation, but at least we'll have relative quantification, helping us understand how we can most efficiently allocate our resources to ward off the risks that [are most likely] and [that could] have the greatest financial impact and likelihood," Vance notes.

The initial step almost always involves bringing in outside or internal experts to begin the process of risk identification and quantification. Getting one's hands on risk-based data–if it exists–is an important part of the exercise, but even without concrete information the collection of informed perspectives builds the foundation for objective analysis. These opinions can then be turned into mathematical formulae that are plugged into risk quantification software tools sold by tech firms like CXO Systems, OpenPages and Risk Metrics.

Not surprisingly, the major insurance brokers are also coming to the aid of clients in their efforts to quantify and rank risk–with each offering a proprietary solution. "The tool we use is called RiskFocus," explains Harry Powell, a vice president at Marsh Risk Consulting in New York. "Once we've worked with the client to identify potential operational exposures, [the data] is boiled down into an algorithm in which the impact is multiplied by the likelihood, minus the mitigation strategy. The clients work with us to define for themselves what they categorize as catastrophic or an unlikely event–once in every five years versus every 50. The tool then compares the risks and ranks them. We see this as a necessary step in true enterprise risk management."

Indeed, risk quantification is the third of four key elements in enterprise risk management. The first is to set up a governance structure for ERM; the second is to identify and assess all risks; the third is to quantify and report risks; and the fourth is to inform the board and management of the quantified risks to give them direction in acting upon them. "It is very difficult to skip the third step of quantification and have enterprise risk management," says ERM expert Lam, who urges risk managers to take pains to measure operational risks, in spite of the difficulty.

At SAP America, the U.S. arm of the German global technology provider, risk managers are evaluating a wide range of operational risks, including the threat of avian flu on its marketplace, competition and the overall economy. "We're looking at operational risks in terms of their impact on our business objectives, revenue, profit margin and customer projects," explains Bob Tizio, vice president of SAP's North American risk management group.

The risk quantification system is based on SAP's NetWeaver technology, which assesses risk probability and impact based on qualitative factors. "For example, say a group of experts we bring in wants to gauge the risk of possibly overrunning the timetable on a particular project," Tizio says. "The technology can determine a dollar number by identifying how many man-days this adds up to, times the hourly rate per man. When we can't come up with an actual dollar amount, we quantify the risk on a scale of one to five, with one being 'insignificant' and five being a 'catastrophic' risk."

Tizio's team of six risk managers comes from diverse backgrounds–he's a CPA, for instance. The team has quantified diverse operational risks, including the implications of potential tax changes and alterations in the company's product strategy on SAP America's revenue stream. The information is accessible by SAP's board for reporting purposes, and rolls up with other SAP country-specific risk data into the company's annual report, 20F and other regulatory filings.

FORMULA SOLUTION

Few companies have their own technology so readily available, so some choose to buy it. The $4.4 billion tax services and financial advice firm H&R Block Inc. has bought a dashboard from CXO Systems that provides a management-by-exception approach to the key risks in the tax organization, which also helps quantify them. "We're fairly early in our implementation," says Beth Middleton, director of risk management at the company's Kansas City, Mo.-based headquarters. "The tool uses a traffic light system, highlighting where our risks are in our field organization, and then drilling down into specific metrics, helping our field managers manage their exceptions."

At present, the tool monitors how extensively H&R Block's tax professionals are using discounts with clients. The tax pros, as the company calls them, are given wide leverage to use discounts in their sales and marketing. Middleton wanted to assess and quantify the risk of over-discounting, which would have an impact on Block's cash flow and earnings. "Our district managers have to manage the P&L and discounts are key to meeting their earnings objectives for the tax season," Middleton explains. "The tool helps them quantify average discounts to compare against our national average." With the information in hand, the district managers can take action to rein in excessive discount practices.

But sometimes a risk quantification exercise can be as simple as compelling business units to use the same scoring system to assess various risks. At The PMI Group, a Walnut Creek, Calif.-based provider of mortgage insurance with 2005 revenues in excess of $1 billion, subsidiaries are asked to score risks based on likelihood and impact. "We offer five to six factors to be scored, each with a defined weight, running from 'minor' impact to 'fundamental,'" explains Joanne Berkowitz, PMI executive vice president and chief enterprise risk officer. "We then translate this into dollar terms. For example, if we are evaluating the likelihood of the IT system in a subsidiary shutting down for a period of 24 hours, it is a very easily quantifiable number, based on one day of lost business and flow-through potential future loss of business."

Don Lofe, executive vice president and CFO, then takes the results of the scoring and evaluates it in terms of the "impact on current capital and our longer strategy horizon," he says. "Management is then able to take action where warranted."

Huntsman Corp. also has created processes for identifying, assessing and measuring operational risks. "We conduct pretty specific surveys of experts to manage operational risks and then follow up with facilitated interviews or group discussions," says Brian Merkley, risk financing manager at the Salt Lake City-based global diversified chemical company with $13 billion in 2005 revenues. "We then walk through the risks and risk drivers identified by the experts and tease out more detail. Over time, we build a risk map in quantifiable terms."

Merkley is especially interested in quantifying risks to corporate reputation, since a change in the perception of a company among customers or investors can be financially devastating, depending on the severity. "In surveying this risk, we brought in the internal managers and developed a laundry list of risk drivers. [We] then teased out of them expected frequency and severity," he explains. "We do this on a pre-mitigated basis to examine the risk in its pure form and then work toward creating a capital-at-risk metric, in dollar terms."

He recently combined discussions with internal operations experts and written reports from independent loss control engineers to identify credible loss scenarios, and the probability of these losses, across a portfolio of approximately 50 major industrial plants. "For each facility, we identified one-in-10-, one-in-100-, and one-in-1,000-year loss scenarios, including the financial impact of each event," he says. "A one-in-10-year event might be a mechanical breakdown, whereas a one-in-100-year event might be a major fire, and a one-in-1,000-year event could be a vapor cloud explosion. After accumulating the data from all the facilities in the portfolio, comprising the financial impact of the given scenarios and their respective probabilities, we used Monte Carlo analyses to model the range of potential outcomes over a 10-year period. Then, we overlaid various insurance risk transfer structures like retentions and limits onto this analysis to come up with the best risk management approach to these properties."
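The Monte Carlo exercise Merkley describes, sketched as an added example (not Huntsman's model or code). The annual probabilities follow the one-in-10, one-in-100 and one-in-1,000-year framing above; the dollar severities, the retention and the limit are constructed values, and the scenarios are assumed independent in each plant-year.

```python
import random

# Constructed inputs: annual probability per facility follows the article's
# one-in-10/100/1,000-year framing; severities ($ millions) are made up.
SCENARIOS = [(1 / 10, 2.0), (1 / 100, 50.0), (1 / 1000, 400.0)]
N_PLANTS, HORIZON_YEARS = 50, 10

def simulate_events(rng):
    """One trial: every loss event across the portfolio over the horizon."""
    events = []
    for _ in range(N_PLANTS * HORIZON_YEARS):      # each plant-year
        for prob, severity in SCENARIOS:           # assumed independent
            if rng.random() < prob:
                events.append(severity)
    return events

def retained(loss, retention, limit):
    """Company's share of one loss; insurer pays the layer above the retention, capped at limit."""
    insured = min(max(loss - retention, 0.0), limit)
    return loss - insured

def summarize(totals):
    s = sorted(totals)
    return {"mean": sum(s) / len(s), "p50": s[len(s) // 2], "p99": s[int(0.99 * len(s))]}

def run(retention, limit, trials=2000, seed=1):
    """Return (gross, net) summaries of 10-year portfolio loss."""
    rng = random.Random(seed)
    gross, net = [], []
    for _ in range(trials):
        events = simulate_events(rng)
        gross.append(sum(events))
        net.append(sum(retained(x, retention, limit) for x in events))
    return summarize(gross), summarize(net)

if __name__ == "__main__":
    # Compare constructed risk-transfer structures (retention, limit) in $ millions.
    for retention, limit in [(5.0, 100.0), (25.0, 100.0), (5.0, 400.0)]:
        gross, net = run(retention, limit)
        print(f"retention={retention} limit={limit} gross={gross} net={net}")
```

Comparing the net mean against the net 99th percentile across structures shows how much tail exposure each retention and limit leaves on the balance sheet.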

In many cases, the key to the exercises is not so much arriving at a precise value. It is more about prioritizing risks to determine how much investment in mitigation strategies is warranted. That certainly is the endgame at Diebold Inc., a Canton, Ohio-based manufacturer of self-service ATMs, electronic voting systems and security systems, with $2.6 billion in 2005 revenues. "Our goal is to focus on the top risks and then form a team to address them," says Robert Warren, Diebold's vice president and treasurer. "For example, we identified hurricanes as a significant risk, but after modeling the probability and impact using a tool provided by our insurance broker, it didn't make the priority list."

VERY SOFT NUMBERS

One risk that may make the list on the next go-round is avian flu, Warren notes. "We've started talking about it and there are a lot of unknowns out there," he says. "Still, we have plants all over the world and in China and India, so it is not something we can kick under the carpet. We also have discussed the possibility of a pandemic in the U.S. affecting our service organization–we have close to 5,000 people servicing our equipment nationwide. At this point, we're still trying to model the risk in terms of probability and impact. It's a squishy marshmallow right now."

Unfortunately, that's the case for so many operational risks. Regardless, thanks to the increased interest and demands of regulators and the investment community, risk management executives are going to have to be able to put a price tag on that marshmallow.
