Risk Aggregation – Purpose, Challenges & Approaches

Introduction

The nature of risk management is perpetually evolving, which is of course natural, as practitioners seek to drive improvements either by rethinking existing practices or through innovation. One such area on which there is often no overall agreement is that of risk aggregation. There are few studies on this issue, and neither ISO nor other industry bodies have provided a comprehensive solution.

The purpose of this paper is to provide an overview of risk aggregation, what it entails, its purpose, challenges faced, and potential methods to perform aggregation. Moreover, this document outlines potential methods for performing and consolidating risk assessments within a group structure, encompassing a parent entity and its multiple subsidiaries. The goal is ultimately to establish a clear, standardized approach to risk management that allows for effective consolidation and analysis of risks at both the subsidiary and group levels.

It is important to note that the considerations and methodologies below are to be considered by the Client and are only meant to provide options. None of the content herein is a prescribed solution but rather a consideration that should be applied and tailored to the relevant organisation in consideration of its unique characteristics, activities and data availability.

What is Risk Aggregation

Risk aggregation is a process used by organisations of all sizes to get a complete view of the total risk exposure across various processes, business lines, and risk types using multiple risk data aggregation methods. Risk aggregation is vital for informed decision-making.

The process of identifying the impact of various risks on a business requires the ability to aggregate risks both vertically and horizontally. A robust aggregation mechanism enables risk officers not only to understand the total risk exposure, but to also make risk-aware decisions and define risk treatment plans that are in line with their organisation’s risk appetite definitions.

The Basel Committee defines risk data aggregation as “defining, gathering, and processing risk data according to a bank’s risk reporting requirements to enable the bank to measure its performance against its risk tolerance/appetite.”

Some of the activities carried out during risk data aggregation include sorting, merging, and breaking down sets of data.

Why Should You Aggregate Risks?

Managing risks across a large enterprise can be a challenge. The process of identifying the impact of multiple risks on an organisation requires the ability to aggregate risks at multiple levels. The basic goal of risk aggregation is to collect several risks in order to arrive at a total risk exposure for all or a part of an organisation. Risk aggregation allows grouping of similar risks from different perspectives to provide a complete picture of risk across the enterprise.

Basel Committee on Banking Supervision (BCBS) points out the need for risk aggregation in banking and financial services sectors as below:

“Naturally, the organisation of risk management functions varies across firms. In some firms, risk management is a highly centralized function where the dedicated risk management function exercises substantial authority. In other firms, particularly in the insurance sector, local business units with a limited risk profile retain substantially greater autonomy over significant risk management decisions. Moreover, even in some firms with a bias toward centralized risk-management decision-making, the key decisions are made by a senior management committee, rather than by the risk management function itself. The organisational infrastructure of risk management decision-making varies considerably across firms, and it is difficult to conclude that any single approach is becoming dominant.”

Additionally, companies follow different organisational structures to support the nature of their business. Some organisations might group risks as per the organisational structure, while others might group them by legal entity, geographical structure, process, product or risk category. Risks can be present at multiple levels within an organisation. Risk owners at each level would want to easily identify their exposure against the total exposure at enterprise level. There could be common risks between two functions or locations. Stakeholders at each level would want to view the aggregated level of risk exposure for specific risks or risk types, for example External Fraud, Attrition etc. This can be useful for monitoring changes in the risk profile over time. Risk owners at various levels would want to look at the top risks at their level and take the necessary actions to mitigate them. They would also want to easily identify whether any risk or group of risks is approaching risk appetite limits or has already breached those limits. To facilitate all of this, organisations have to adopt risk aggregation methodologies that suit their risk management approach and business strategy.

Risk aggregation at multiple levels and also at enterprise level helps risk leaders understand the root cause of risks and take meaningful, remedial actions. Slicing and dicing of risk data by aggregating at different levels enables risk owners and organisations to make risk-based decisions and take advantage of market movements and conditions.

Ultimately, the purpose of risk aggregation is to answer two questions: 1) Which risks need attention or escalation? 2) Are any risks or portfolios of risks approaching risk appetite limits, or have they already breached those limits?

We see data (and/or risk) aggregation in many forms, the most common of which are credit ratings (Moody’s, S&P etc.), credit scores, stock market indices, and GDP.

However, how exactly does effective risk data aggregation and reporting benefit a bank? The benefits include:

    • An increased ability to anticipate problems. Aggregated data gives managers a holistic view of risk exposure and enables them to foresee problems.
    • An increased ability to find routes back to financial health in times of financial stress. For example, a bank may negotiate better credit deals or identify a suitable merger partner.
    • Improved resolvability. For all banks, and for global systemically important banks (G-SIBs) in particular, resolution authorities must have access to aggregate risk data that is compliant with the Financial Stability Board’s Key Attributes of Effective Resolution Regimes for Financial Institutions.
    • Improved capability of the risk function to make judgments that can bring about increased efficiency and profitability.

Key Challenges While Aggregating Risks

While the benefits of risk aggregation are clear and intuitive, the process of aggregating risks is anything but. There are several important and significant challenges that need to be considered. Below are those of most significance.

Data Collection

Collection, quality, and applicability of data are a major challenge while rating and scoring risks. In the absence of a tool, data may be residing in multiple scattered locations. Collating this data is not only time consuming, but also affects the outcome if not collated properly.

Mismatched Data

There is naturally a combination of qualitative and quantitative data. Unlike financial risks, operational risk reporting faces the additional challenge of primarily aggregating qualitative data. Risk scores, red-amber-green ratings and other indicators are discrete, qualitative and completely unfit for any arithmetical manipulation. A risk rated 5 (very high) alongside a risk rated 1 (low) is not at all equivalent to two risks rated 3 (moderate). Even where non-financial risks are quantified, there is a significant amount of subjectivity and estimation.

Different criticality threshold limits

Risks are at different threshold limits based on their criticality. For example, a risk rated very high by a business unit may not have the same threshold limit assigned by another business unit or at a parent/enterprise level. Considering this, there may be multiple thresholds e.g. financial, reputational, regulatory, customer etc. across an intersection of different hierarchies making the challenge further complicated.

Strategic Considerations

There are a few important steps that can be taken to enable a smoother aggregation process. These include the following:

Top-Down Alignment

  • The parent entity sets broad risk assessment guidelines and parameters, and subsidiaries align their assessments accordingly.
  • Process:
    • Develop a group-wide risk assessment framework with standardized scales and definitions.
    • Subsidiaries perform risk assessments using the standardized framework e.g. 4×4, 5×5 matrix throughout, same risk categorisations and definitions of risk throughout etc.
    • Consolidate risk data, ensuring alignment with the parent entity’s risk management objectives.
  • Rationale: This ensures consistency in risk ratings and comparability across subsidiaries.

Likelihood Scale

  • The likelihood scale should remain the same across the group, regardless of whether a risk assessment is being performed for the parent entity or a subsidiary.
  • Unlike the impact scale, which is dependent upon the business/organisational unit/product etc., the likelihood scale is dependent upon the probability or likelihood of occurrence. It is business agnostic and therefore should be applied consistently across the group.
  • Rationale: This further supports the aggregation process to enable a like-for-like comparison. Furthermore, given aggregation is a subjective process with several variables it helps to reduce the number of variables/parameters.

Bottom-Up Aggregation

  • While the Group/Parent Entity sets Top-Down alignment, each subsidiary performs its risk assessment independently within the broad framework set by the Parent. The results are then aggregated upwards i.e. bottom-up to group level.
  • Process:
    • Standardize risk assessment templates and methodologies across all subsidiaries.
    • Collect and consolidate risk data from subsidiaries.
    • Aggregate the rating assessments using one of the approaches suggested as options further below.
  • Rationale: This approach provides detailed insights into subsidiary-specific risks and ensures local context is considered. It also places the imperative on the subsidiaries to be cognisant of their own risks.
  • While this approach will naturally lead to challenges in aggregation and comparison across subsidiaries, it means that meaningful risk assessments can be performed at the right level. This is particularly important for large organisations where there is no one-size-fits-all Risk Register/RCSA. Good industry practice has evolved towards using different impact scales. Generally there are two: one at group level and one for business units. There are also firms that use Risk Registers/RCSAs at process level; however, this is not generally recommended, as it brings significant challenges in aggregating hundreds or thousands of granular risks.

Aggregation Approaches

Categorisation

Assuming adoption of the strategic considerations above, the first decision to be made is to determine what you will aggregate by. Organisations typically aggregate by one of three options:

  • Aggregate by Risk Category

e.g. Operational Risk → External Fraud [Risk rating for External Fraud within bank]

  • Aggregate by Organisation Hierarchy/Business Unit Category (or Legal Entity)

e.g. Retail Bank → Personal Banking or Credit Cards etc. [Risk rating for Personal Banking]

  • Aggregate by a combination of Risk Category and Business Unit Category

e.g. External Fraud within Personal Banking

Industry polls show that preference is given to the third option. Though perhaps more challenging to perform, as more dimensions add more complexity, it does provide more comprehensive information and the ability to identify where the prominent risks lie.

Method of Aggregation

The next step is to determine your method of aggregation. There are a few options and considerations here that depend on the maturity of the organisation, robustness of the risk management process, quality of data, and requirements of the Board.

  • Worst-case/Maximum

The worst score of a data set, such as a group of residual risk ratings, is reported as the aggregated value – so, all of them will be red if one item is red. It is the most conservative form of reporting. This is appropriate when tolerance to risk is minimal, when data produced is quite reliable and when the indicators are strong predictors of risk. This approach has the advantage of being prudent, but the drawbacks of being potentially too alarmist and unsafe, if generating too many alerts means management disregards them, or is unable to distinguish signal from noise.

  • Average

Take an average of all the ratings in the data set to determine the overall rating. Many firms continue to use this approach; however, it is not recommended, as it applies arithmetic to qualitative ratings and does not yield meaningful information. Furthermore, the higher up the hierarchy you aggregate, the more it dilutes the overall risk rating.

  • Manual/Maximum

This approach considers the worst-case/maximum as the baseline for each assessment. Then each rating is reviewed individually to determine appropriateness. This method can be useful if risk systems are in place to enable quick initial aggregation with fixed field settings followed by a review of the consolidated output at an individual level to determine whether the ratings are sound or reasonable.

  • Sum

This approach is a summation of risk scores across business units or organisational hierarchies. This only works if the risk registers/RCSAs are the same across all businesses, which is unlikely to be the case. Furthermore, as mentioned above, applying arithmetic to qualitative ratings is highly misleading. Therefore, this approach is not recommended. It has only been included here to illustrate the approaches that are or have been used.

  • Conversion and addition

Qualitative metrics are converted into a common monetary unit, which can then be quantitatively manipulated. Some large banks convert the non-financial impact results of their RCSA (reputational or regulatory, for instance) into financial data in order to sum and group risks. It requires a number of assumptions and approximations that some may find uncomfortable, but the approach has its merits. This approach necessitates the use of quality data, robust methodologies and a consistent approach.

  • Monte Carlo Simulations

This involves the use of statistical techniques to model and analyse the probability distributions of risks. Like the above, it can perhaps be considered a version of conversion and addition. It relies on input variables, simulation and analysis in a consistent format across the entire group, and on the provision of risk software to produce the results. The output is expressed as a probability range at a given confidence level. The challenges are as mentioned above, in addition to the reliance on software, and the output is not necessarily accurate or useful for qualitative operational risk considerations.

  • Candle Reporting

Rather than averaging, summing or maximising risk scores, an alternative approach is to report risk scores as a percentage per category: the percentage of red, amber and green, or the percentage of low, medium and high risks. It avoids a misleading collapse of heterogeneous information into a single figure and presents a balanced view of the situation, while still being synthetic in display.

If red is used at the top and green is used for the base, these charts resemble candles, with the length of the flame indicating the level of risk. The longer the flame, the higher the risk.


In line with our examples above, rating set 1 could be external fraud across the group, with each colour representing the number of high, medium and low ratings across the group. Alternatively, rating set 1 could be Personal Banking, with the number of high, medium and low risks within that organisational unit represented.

Overall, it is not advisable to report solely on red flags without the balance of a comprehensive yet synthetic report. Exception reports may only give a biased, over-pessimistic view to management of the level of risk facing the firm. If 80% of the indicators are green, this should be reported, alongside the more problematic issues, to give a fair view of the situation. Candles are visual and helpful in this instance.

Source: Chapelle, Operational Risk Management

  • Weight-based Aggregation

This approach is not stand-alone: weights can be, and have been, applied once ratings have been determined through the methods outlined above. They are applied to business units or organisational hierarchies, for example 70% applied to the Personal Banking risk ratings and 30% applied to the Credit Card risk ratings in our example further above. It is important to note that the risk ratings, e.g. high, medium, low, would need to be converted to numerical expressions such as 5, 3, 1 respectively prior to applying the percentages.

Some organisations apply these weighting percentages based on perceived importance or impact of the business unit’s risk to the wider group. A standard weighting determination is based on revenue or capital contribution.

Industry polls suggest that most firms do not apply weightings because these add another layer of subjectivity and therefore bring in further complexity i.e. who decides the weighting, what is the rationale, does the method make sense etc.
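As an added illustration (not from the paper, and not any firm's tooling), the Python below applies the worst-case, average, sum, candle and weight-based methods to a small constructed risk register, grouped by risk category, by business unit, or by both. The register, the 1–5 scale, the red/amber/green band thresholds and the 70/30 weights are all assumed for the demonstration; it also shows the dilution the paper warns about when averaging.

```python
from collections import Counter, defaultdict
from statistics import mean

# Constructed sample register: (risk category, business unit, residual rating 1-5),
# 5 = very high ... 1 = low, as if a single 5x5 matrix were applied group-wide.
REGISTER = [
    ("External Fraud", "Personal Banking", 5),
    ("External Fraud", "Personal Banking", 2),
    ("External Fraud", "Credit Cards", 3),
    ("External Fraud", "Credit Cards", 1),
    ("Attrition", "Personal Banking", 1),
    ("Attrition", "Credit Cards", 2),
    ("Attrition", "Credit Cards", 1),
]

def band(rating):
    """Assumed mapping of a 1-5 rating onto the red/amber/green bands used for candles."""
    return "red" if rating >= 4 else "amber" if rating == 3 else "green"

def group_by(register, by):
    """Group ratings by 'category', 'unit' or 'both' (the three categorisation options)."""
    keyfn = {"category": lambda r: r[0],
             "unit": lambda r: r[1],
             "both": lambda r: (r[0], r[1])}[by]
    groups = defaultdict(list)
    for rec in register:
        groups[keyfn(rec)].append(rec[2])
    return dict(groups)

def worst_case(ratings):
    return max(ratings)           # one red item makes the whole group red

def average(ratings):
    return round(mean(ratings), 2)  # arithmetic on qualitative ratings: dilutes

def total(ratings):
    return sum(ratings)           # only comparable if every register is identical

def candle(ratings):
    """Percentage of red/amber/green in the set; nothing is collapsed into one number."""
    counts = Counter(band(r) for r in ratings)
    n = len(ratings)
    return {b: round(100 * counts[b] / n, 1) for b in ("red", "amber", "green")}

def weighted(unit_scores, weights):
    """Weight-based aggregation over numeric per-unit scores; weights must sum to 100%."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 100%")
    return round(sum(unit_scores[u] * w for u, w in weights.items()), 2)

def aggregate(register, by, method):
    """Apply one aggregation method to every group under the chosen categorisation."""
    return {key: method(ratings) for key, ratings in group_by(register, by).items()}
```

Comparing `aggregate(REGISTER, "unit", worst_case)` with `aggregate(REGISTER, "unit", average)` for Personal Banking shows the very-high item surviving under worst-case but being averaged down to below moderate.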

  • Risk Index Approach

A final and alternative approach is the use of a risk index (similar to the concept of stock market index or credit rating score). It is comprehensive, data intensive and relies on multiple input factors. Therefore, there is significant work involved as it ultimately includes a combination of Risk Assessments (Risk Register/RCSA) and Risk Monitoring (KRIs, Incidents, Issues).

Furthermore, the approach is predominantly only relevant to a Business Unit/Organisational Hierarchy aggregation. Please see the appendix for further detail on this approach which is not common yet can provide a meaningful way to aggregate and monitor risks over time. It has been included for your consideration outside of the more common approaches.

Source: Risk Spotlight

Final Thoughts

Risk Aggregation is reliant upon many factors prior to determining the actual method of aggregation. These have been outlined in the paper and include the maturity of the organisation, quality of data, establishment of a consistent framework, robust application etc.

The method of aggregation selected should consider all these factors, and the most appropriate one should be applied. Furthermore, aggregation methods are not static and can be augmented over time. If there are data or quality issues, it is generally recommended to begin with fewer metrics to reduce complexity; over time these can be added to or enhanced as risk maturity evolves in the organisation.

Reach out to us if you need help with Risk Aggregation or any other aspects of Risk Management.

Ghassan Zeidan, Founder & CEO of Paragon Consulting Partners

linkedin.com/in/ghassan-zeidan

Risk Management, Internal Audit and ESG Consulting Firm