# Risk Assessment

Loss measurement

The measurement of the loss consists of the assessment of the direct and indirect losses resulting from the realization of each critical risk scenario.

One of the main problems when carrying out a risk and scenario analysis is the inaccuracy in the assessment of losses and the consequences of certain risks. The incorrect definition of losses implies wrong insurance contracts, both in terms of the risks to be named and transferred to an insurance program, as well as in relation to coverages. The same applies in contracting hedges.

Most of the time, the cost of the indirect loss of a given risk is much greater than its direct loss. However, companies often purchase insurance coverage only for their direct losses.

A corporate insurance program is based on restoring the loss and preserving the company’s cash flow. An inadequate analysis of indirect losses leads to an insurance program that does not preserve this flow, which affects the sustainability of the business.

Definition of the Rational Model

The “Rational Model Definition” step consists of identifying which variables are inherent to each risk being analyzed and thus calculating their effects in terms of impact or probability.

The methodology Parametrized Risk Analysis 2.0 aims to contribute to a better evaluation of two fundamental points of risk management:

– Impact quantification (degree of impact / severity)

– Estimation of Probability (estimated probability / expected frequency) of a given risk occurring.

For the determination of the Impact Quantification, we understand that the variables add up to each other. The Probability Estimate is the result of the multiplicative effect among the variables.

Although the methodology for risk measurement is the same, the rational model and its equations may vary according to each risk to be measured. The factors that directly influence the occurrence of risk “A” may be totally different from those that influence risk “B”. Therefore, the rational model and the equation defined to measure risk “A” will be different from those used to measure risk “B”.

Take, for example, the risk of theft of cargo in road transport. Here, “attractiveness” can be considered a relevant variable and must be taken into account when quantifying this risk.

In this case, we could say that a load of mobile phones has more “attractiveness” than a load of mineral water.

Similarly, a hacker who wants to intrude or “phish” into a site will probably be more interested in well-known brand sites (such as IBM, Microsoft, Coca-Cola, etc.) than in trying to break into the XYZ Bank website, which no one knows about.

In this case, we would have a variable called “propensity” that defines how prone or susceptible a particular operation is to attract the action of a given agent or threat.

In another scenario, to measure the risk of flooding, the attractiveness factor is not a variable considered critical and would not be present in the equation used to measure this risk. It would be necessary to study natural disaster maps that point out how such phenomena can affect the facility being analyzed. For this case, the “geographic” variable would make sense.

This approach, which is part of the Parametrized Risk Analysis Methodology 2.0, defines a specific mathematical model for each risk. This allows for a much more assertive measurement of risk in terms of impact quantification and probability estimation.

It is in this context that the definition of the risk variables is of particular importance. We need to list the risks and verify the risk variables that actually influence their occurrence.

The structuring of the model to be used is one of the main points to be considered in a Parameterized Risk Analysis.

Once the variables that will be considered for the measurement of each risk are defined, it will be necessary to obtain qualitative or quantitative data related to these variables. Such references will be used for structuring the equations that will be used to assemble the Risk Matrix.

After defining the Critical Risks, the process follows the logic below:

– Definition of the variables that are relevant to the occurrence of a given risk

– Definition of the variables that will serve as a basis for defining the Impact Quantification formula

– Definition of the variables that will serve as a basis for defining the probability estimation formula

– Definition of the measurement model of each variable (quantitative, qualitative or hybrid)

– Definition of the relation between the variables in each formula

– Application of Delphi panels for the definition of the weights in the formulas

– Validation of formulas

Definition of variables relevant to each risk

At this stage, after defining the Critical Risk List, one must analyze which variables affect the occurrence of each risk, that is, which ones are really relevant. The following subitems list the relevant variables that interfere with the definition of Impact Quantification and Estimation of Probability for the risks of flooding, theft of cargo in transport and theft in storage.

Definition of the variables for Impact Quantification

The risks should be linked to the variables that are affected, in terms of impact, when they occur. Once the variables have been defined, we move to the definition of the Impact Quantification formula, as shown in the table below:

In the case of Impact Quantification (QI), there is rarely a change in the variables and consequently in the formula for its calculation.

Definition of variables for probability estimation

Once the risks and their variables have been defined, the next step is to link them to the definition of the probability estimation (EP) formula, as shown in the table below:

Another good suggestion to organize the reasoning is to use the Table of Variables in order to have a clearer presentation of how each formula will be constructed to measure each risk in question.

Define the measurement model for each relevant variable

Basically, there are 3 measurement processes of the variables: quantitative, qualitative and hybrid. Roughly speaking, the quantitative process is applied when we have a reliable database and can use statistical tools for the definition of probability.

In the qualitative process, because there is no database or event history, the opinion of specialists is used to place risks in classification tables. To reduce the risk of distortions, the opinions of several experts are usually taken into account. Another measure that can facilitate the classification of risks is the use of a theoretical framework to support this classification process, as shown in the table below:

The hybrid model is usually used when numerical data is available but the absolute figures make less sense than the relative ones. For example, we have the accident history of a particular operation per product. However, if we do not contrast this data with a benchmark or market average, we cannot know whether this number is large or small, good or bad. The same reasoning can be applied to the assessment of a financial loss. The value itself may be high, but it can have a very low impact for a company that has great financial resilience. Therefore, we have to contrast the value of the financial loss with another parameter and relativize it, according to the example below:

Briefly, we could describe the main characteristics of each model, as shown in the table below:

Whenever we transform the quantitative model into a hybrid model, we are able to relativize it and combine it with qualitative models. Obviously, this relativization costs some of the precision of the quantitative method (absolute value). However, much is gained in flexibility and in the possibility of equalizing different models.

Define the relation between the variables

For the definition of the formulas it is important to verify the relation that exists between the variables, that is, if they are added or if they multiply each other. In this way, we can begin to sketch the formulas that will define the axes of the Risk Matrix, as below (the conceptual description of each variable will be carried out throughout this chapter):

Impact Quantification Formula

Impact Quantification: QI

Financial Loss: PF

Recovery: R

Image: I

Legal: L

$$QI = \frac{2 \times PF + 3 \times R + 3 \times I + 2 \times L}{10}$$

Probability Estimation Formula

Probability Estimate: EP

Event History: HE

Exposure: Ep

Social Environment: AS

Attractiveness: At

Propensity: Pp

Geography: Ge

Vulnerability Index: IV

$$EP = \frac{HE \times Ep \times AS \times At\ (\text{or } Pp \text{ or } Ge) \times IV}{5^{N}} \times 100$$
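
The two formulas above, carried through in code as an added example (it is not part of the original page or of the Parametrized Risk Analysis 2.0 material). It assumes every variable is scored from 1 to 5 and that N in the divisor is the number of multiplied variables; the risk keys and the sample scores are constructed for illustration.

```python
from math import prod

# Weights taken from the page's QI formula; they sum to the divisor 10.
QI_WEIGHTS = {"PF": 2, "R": 3, "I": 3, "L": 2}

# Factors multiplied per risk. Only the fourth one changes (At, Pp or Ge),
# as the page describes. The risk keys are labels invented for this example.
EP_FACTORS = {
    "cargo_theft": ("HE", "Ep", "AS", "At", "IV"),
    "site_intrusion": ("HE", "Ep", "AS", "Pp", "IV"),
    "flooding": ("HE", "Ep", "AS", "Ge", "IV"),
}

SCALE_MAX = 5  # assumption: every variable is scored from 1 to 5


def _validated(scores, names):
    """Return the scores for `names`, rejecting missing or off-scale values."""
    missing = [n for n in names if n not in scores]
    if missing:
        raise KeyError(f"missing variables: {missing}")
    values = [scores[n] for n in names]
    if any(not 1 <= v <= SCALE_MAX for v in values):
        raise ValueError(f"scores must lie in 1..{SCALE_MAX}")
    return values


def impact_quantification(scores):
    """Additive model: weighted mean of PF, R, I and L."""
    values = _validated(scores, QI_WEIGHTS)
    weighted = sum(w * v for w, v in zip(QI_WEIGHTS.values(), values))
    return weighted / sum(QI_WEIGHTS.values())


def probability_estimate(risk, scores):
    """Multiplicative model, as a percentage of the maximum product 5**N."""
    values = _validated(scores, EP_FACTORS[risk])
    return 100 * prod(values) / SCALE_MAX ** len(values)


# Constructed scores: two cargo loads that differ only in attractiveness.
base = {"HE": 3, "Ep": 4, "AS": 4, "IV": 3}
phones = probability_estimate("cargo_theft", {**base, "At": 5})
water = probability_estimate("cargo_theft", {**base, "At": 1})
impact = impact_quantification({"PF": 4, "R": 3, "I": 2, "L": 1})

if __name__ == "__main__":
    print(f"EP phones {phones:.2f}%  EP water {water:.2f}%  QI {impact:.1f}")
```

Because the probability factors multiply, changing attractiveness alone from 5 to 1 divides EP by five, whereas a change in one impact variable only shifts QI by its weight.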