Conventional ERM systems are generally assessment based and, consequently, they typically report results via an assessment metric often based on three colors: red, amber, and green. The managerial usefulness of such systems is limited for a number of reasons: first, “assessment” as opposed to “measurement” is inherently subjective and not easily audited; second, an assessment metric cannot be aggregated to support important management techniques such as trend analysis, benchmarking, and ranking, and the comparison of actual usage against operating limits. To state the obvious, you can’t aggregate and compare colors.

The evolving risk landscape in which firms operate has undergone dramatic change in little more than a generation due to advances in science and technology and an ever-growing dependency on globally interconnected electronic data and information networks; globalization and geopolitical uncertainties leading to supply chain vulnerabilities; and the use of increasingly complex and sophisticated financial products to manage financial risks.

That has caused boards of directors, CEOs and other C-suite executives to become increasingly concerned with risk and its potential to trigger material unexpected losses which, as recent events such as the financial crisis of 2007-2008 demonstrate, can severely impact or even wipe out a firm’s capital.

Whereas accounting standards such as IFRS and GAAP are aimed at ensuring that enterprises present a fair view of their financial condition, there are no equivalent standards that apply to risk. In other words, a firm’s stakeholders — investors, regulators, customers, and auditors — receive little or no information on the risks firms accept absolutely or in comparison to others in order to create shareholder value.

Peter Hughes

The misalignment between finance and risk reporting is what academics have set out to resolve through their codification of the new accounting technique referred to as “risk accounting.” Risk accounting begins with the assertion that effective ERM must operate within a standardized system of risk measurement using a common risk metric that expresses all forms of risk. Accordingly, a unit of risk measurement unique to risk accounting has been created, the “risk unit,” or “RU.”

Analogous to financial accounting where profits are created through the sale of products and services, risk accounting assumes that exposure to risk is similarly correlated with revenue generation. For management reporting, transactions associated with the sale of products and services are tagged with codes that uniquely identify products, customers, business lines, organizational components, legal entities, and locations. For risk reporting, these same transactions are tagged with additional codes that are used in a calculation of each transaction’s risk-weighted value, that is, its exposure to risk in RUs.

The first step in risk accounting is to identify the primary risk types to which each industry is exposed. For example, in banking these are deemed to be operational, credit, market, liquidity, interest rate, and conduct risks.

Three sets of standardized tables provide the risk-weighted factors used in the calculation:

  • Product Risk Table. Provides risk-weights according to the risk characteristics of each marketed product graded by criteria such as complexity, toxicity, rate of decomposition, method of distribution, and method of trading.
  • Value Table. Used to convert revenue amounts according to accounting records into scaled value band weightings (VBWs).
  • Best Practice Scoring Templates. Used to calculate the risk mitigation index (RMI) based on key risk indicators (KRIs) that reflect the operational status of each department and underlying process.

These risk-weighted factors are then used to calculate three core metrics for each risk type triggered by the product in question:

  • Inherent Risk. The risk-weighted transaction value, expressed in RUs, that represents its maximum possible loss.
  • Risk Mitigation Index (RMI). A dynamic measure on a scale of 1 to 100, where 100 is agreed-upon best practice, that represents, in percentage terms, the portion of Inherent Risk that is mitigated through the effective management and control of the firm’s operating environment.
  • Residual Risk. The portion of a transaction’s Inherent Risk, also expressed in RUs, not covered by effective risk mitigation. This RU number represents the transaction’s probability of loss.

The pairing of accounting and risk values in a single source of controlled and audited accounting data at the transaction level enables the production of combined finance and risk reports and the computation of enterprise-wide risk and return metrics. Feedback loops give managers real-time or near real-time information on risk mitigation initiatives together with calculations of the associated improvement in RMIs and reduced residual RUs.
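The transaction-level calculation and roll-up described above, as an added example that is not taken from the article or the referenced paper. All table values and the ledger are constructed, and multiplying the product risk weight by the VBW to obtain Inherent Risk is an assumption; the article states only that Residual Risk is the portion of Inherent Risk not covered by the RMI.

```python
from collections import defaultdict

# All table values below are constructed for illustration; the article names
# the three tables but does not publish their contents.
PRODUCT_RISK = {  # Product Risk Table: product -> {risk type: risk weight}
    "mortgage": {"credit": 6, "operational": 3},
    "fx_swap": {"market": 8, "operational": 5},
}
VALUE_BANDS = [(100_000, 1), (1_000_000, 2), (float("inf"), 3)]  # (revenue ceiling, VBW)
RMI = {  # Best Practice Scoring result: (business line, risk type) -> RMI
    ("retail", "credit"): 80, ("retail", "operational"): 60,
    ("markets", "market"): 50, ("markets", "operational"): 90,
}

def value_band_weight(revenue):
    """Value Table lookup: scale an accounting revenue amount to its VBW."""
    return next(vbw for ceiling, vbw in VALUE_BANDS if revenue <= ceiling)

def risk_weigh(txn):
    """Yield (risk type, inherent RUs, residual RUs) for one tagged transaction."""
    vbw = value_band_weight(txn["revenue"])
    for risk_type, weight in PRODUCT_RISK[txn["product"]].items():
        inherent = weight * vbw  # assumed combination rule, not stated in the article
        rmi = RMI[(txn["business_line"], risk_type)]
        yield risk_type, inherent, inherent * (100 - rmi) / 100

def aggregate(transactions, key):
    """Sum RUs by any tag and derive the RMI implied at that reporting level."""
    totals = defaultdict(lambda: {"inherent": 0.0, "residual": 0.0})
    for txn in transactions:
        for risk_type, inherent, residual in risk_weigh(txn):
            bucket = totals[risk_type if key == "risk_type" else txn[key]]
            bucket["inherent"] += inherent
            bucket["residual"] += residual
    for bucket in totals.values():
        bucket["rmi"] = 100 * (1 - bucket["residual"] / bucket["inherent"])
    return dict(totals)

LEDGER = [  # constructed transactions carrying the usual management-reporting tags
    {"product": "mortgage", "business_line": "retail", "revenue": 250_000},
    {"product": "mortgage", "business_line": "retail", "revenue": 50_000},
    {"product": "fx_swap", "business_line": "markets", "revenue": 2_000_000},
]

if __name__ == "__main__":
    for level in ("business_line", "risk_type"):
        for tag, m in aggregate(LEDGER, level).items():
            print(f"{level}={tag}: inherent={m['inherent']:.1f} RU, "
                  f"residual={m['residual']:.1f} RU, RMI={m['rmi']:.1f}")
```

Because every figure is in RUs, the same ledger rolls up by business line or by risk type, and the RMI at each level falls out of the aggregated inherent and residual totals, which a red/amber/green rating cannot do.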

Given that risk accounting is an extension of management accounting, risk appetite can also be calibrated in RMIs and residual RUs and become an integral part of firms’ budgeting and planning cycles, thereby constituting a true ERM system. The RMI is the de facto measure of risk culture as it blends risk attributes from across the enterprise.

A more detailed description of risk accounting is available in a research working paper which is being published in the Journal of Risk Management in Financial Institutions. Whereas the theoretical models and worked examples included in the paper relate to banking, the method can be adapted for non-banks.

Peter Hughes is a chartered accountant, a former banker with JPMorgan Chase, a member of the advisory board of Durham University Business School’s banking, risk, and intermediation research group and a visiting research fellow at the Leeds University Business School.

9 responses to “Welcome to ‘Risk Accounting’”

  1. In my article I explain the limited managerial usefulness of conventional ERM systems. We should be equally concerned with the limited usefulness of conventional accounting systems that report point-in-time financial position with no equivalent reporting of risk position. That may have been acceptable in a bygone era when risk concentrations within and between enterprises were innocuous but not today. Financial statements need to incorporate meaningful reporting of accepted risks in the aggregate so that management and stakeholders can conclude on whether an enterprise’s risk position is, or is not, endangering its financial position. This is the object of our research into risk accounting techniques that will test whether extant financial accounting and control systems can be adapted to encompass accepted risks. The application of empirical research disciplines including the active participation of businesses and practitioners will ensure that proposed solutions are suitably verified as to their viability, operability and effectiveness. We welcome inquiries.

  2. Interesting. I run the finance shop at a small healthcare company where risk is a big factor. I keep qualifying the hell out of financial projections because I don’t have a way to incorporate risk. I will keep my eye on this subject.

  3. Some interesting points in the article. It may help some types of organisation but like all modelling structures it must be recognised as imperfect and can never be totally relied upon. How can such a contrived model be validated to determine its limitations? The real world is non-linear and full of chaos – to what degree can this contrived structure reflect that?
    I am not persuaded that we can even effectively aggregate risk when managing the total picture of strategic, tactical and operational structures and processes – issues of interest to stakeholders are multi-dimensional.
    MSS 1000:2014 addresses the integrated management of prospect and risk in a different way.

  4. I’m one of the co-authors of the academic paper referenced in the article.

    Before the technique of Risk Accounting, aggregating or more appropriately ‘organizing’ an enterprise’s overall risk was accomplished through a multitude of techniques suited to each risk type. The overall enterprise’s understanding of risk was then ‘aggregated’ by narratives, color coding, positioning in quadrants of matrices, etc. These are the techniques focused on in MSS1000.2014. In contrast Risk Accounting aggregation is accomplished by defining a common metric that can be used to express all forms of risk, the RU (Risk Unit). Risk Units are used to decompose various types of risk valued through their own assessment silos into a common valuation system using a single metric. The decomposition of risk is done at the transaction level where risk weights and accounting values are applied and each reporting level aggregated to the next until the risk position of a whole enterprise can be viewed through the lens of a single metric, to be benchmarked against other strategic business units or other enterprises.

    The technique of aggregation in Risk Accounting through RUs is analogous to other ‘abstract’ metrics that distill complexity into singularity which then become intuitively accepted and understood over time. Examples include the multitude of human behavior distilled into a FICO score, the multitude of economic outcomes distilled into a commercial credit rating, or the degree of golfing skill distilled into a golf handicap.

    Finally, as to the comment of the improbability of a ‘contrived structure’ reflecting the ‘real world’ this is what building models is all about, is it not?

  5. “risk accounting assumes that exposure to risk is similarly correlated with revenue generation” Sorry, this assumption is not true, especially when comparing different types of risk. Unfortunately, this false assumption will lead users of this technique to make bad management decisions.

    • The thought process here is that unidentified, unquantified and unreported exposures to risk can, at any time, turn into unexpected losses which, as recent events have demonstrated, can be extreme. The events that trigger such unexpected losses typically relate to defective products and services already sold to consumers or failures of assets made available to consumers. This is explained in more detail in my second CFO.com article “Risk Accounting and Economic Profit” published on July 20. The point we are making is that bad management decisions are too frequently a consequence of excessive accumulations of exposure to risk that are not accounted for and, consequently, not reported in conventional accounting systems.

  6. Sounds like plain old contingency accounting in a new dress. If I understand it, the risk of a customer not paying is equal to the maximum possible loss (the amount of receivable due), or 100%, less the percentage of risk mitigated, yielding the residual risk. Isn’t that the same as the bad debt reserve as a percentage of outstanding receivables? How does this bring any clarity to the picture?
    I suspect this flavor-of-the-month will go the way of accounting for inflation in financial statements – intellectually of interest, but not of use in the business world.

  7. My reply to Tev’s comment above also applies here. The example given relates specifically to credit risk but exposure to unexpected losses associated with defective products and services sold to consumers persists even after the related trade receivables have been settled.
