
Risk Assessment Tools
April 1, 2015

Ali-Reza Khaleeli
ERM 603

Honor Code
• I will not lie or cheat in any way on any assignment for this course (including but
not limited to the following examples).
• My answers to homework, quizzes, and exams will be my own (except for
assignments that explicitly permit collaboration).
• I will not make solutions to homework, quizzes, or exams available to anyone else.
This includes both solutions written by me and official or unofficial solutions.
• I will not look up homework or exam answers on the internet.
• I will not engage in any other activities that will dishonestly improve my results
or dishonestly improve/hurt the results of others.

Likelihood Scale:

| Rating | Annual Frequency: Descriptor | Annual Frequency: Definition | Probability: Descriptor | Probability: Definition |
|---|---|---|---|---|
| 5 | Frequent | Up to once in 6 months or more | Almost Certain | 90% or greater chance of certain occurrence over life of asset or project |
| 4 | Likely | Once in 6 months up to once in 5 years | Likely | 70% up to 90% chance of occurrence over life of asset or project |
| 3 | Possible | Once in 5 years up to once in 10 years | Possible | 40% up to 70% chance of occurrence over life of asset or project |
| 2 | Unlikely | Once in 10 years up to once in 20 years | Unlikely | 15% up to 40% chance of occurrence over life of asset or project |
| 1 | Rare | Once in 20 years or less | Rare | <15% chance of occurrence over life of asset or project |

Impact Scale:

Rating 5: Extreme
• Financial loss of $55 billion or more
• Considerable damage to global environment
• Unable to conduct daily operations
• No security for all employees and third parties, including customers or vendors
• Persistent negative international media coverage; enormous loss of market share
• Substantial prosecution and fines, litigation including class actions, incarceration of leadership
• Significant injuries or fatalities to employees or third parties
• Mass exodus of senior leaders, culture forever altered

Rating 4: Major
• Financial loss of $15 billion up to $55 billion
• Considerable damage to local environment
• Extremely limited daily operations functioning
• Security of all employees and third parties threatened, including customers or vendors
• Persistent negative national media coverage; significant loss of market share
• Report to regulator requiring major project for corrective action
• Hospital care required for employees or third parties
• Some senior managers leave, high turnover of experienced staff, not perceived as employer of choice

Rating 3: Moderate
• Financial loss of $2 billion up to $15 billion
• Sufficient damage to local environment
• Partial daily operations functioning
• Security of all employees and third parties deteriorating, including customers or vendors
• Temporary negative national media coverage
• Report of breach to regulator with immediate correction to be implemented
• Out-patient medical treatment required for employees or third parties
• Widespread staff morale problems, high turnover, shift in culture

Rating 2: Minor
• Financial loss of $600 million up to $2 billion
• Slight damage to local environment
• Majority of daily operations functioning
• Security of all employees and third parties slightly weakened, including customers or vendors
• Local reputational damage
• Reportable incident to regulator, no follow up
• Minor injuries to employees or third parties
• General staff morale problems and increase in turnover, culture questioned

Rating 1: Incidental
• Financial loss up to $600 million
• Next to no damage to local environment
• All, but 1 or 2, daily operations functioning
• No breach of security of all employees and third parties, including customers or vendors
• Local media attention quickly alleviated
• Not reportable to regulator
• No injuries to employees or third parties
• Isolated staff dissatisfaction, culture intact

Vulnerability Scale:

Rating 5: Very High
• Extreme rate of change in industry
• No ability to anticipate events
• No ability to withstand event
• No scenario planning performed
• No internal control capabilities to address risks
• No responses implemented
• No contingency or crisis management plans in place

Rating 4: High
• High rate of change in industry
• Little ability to anticipate events
• Little ability to withstand event
• Limited scenario planning for key strategic risks performed
• Low internal control capabilities to address risks
• Partial responses implemented or not achieving control objectives
• Some contingency or crisis management plans in place

Rating 3: Medium
• Modest rate of change in industry
• Selected ability to anticipate events
• Selected ability to withstand event
• Stress testing and sensitivity analysis of scenarios performed
• Medium internal control capabilities to address risks
• Majority of responses implemented and achieving objectives most of the time
• Certain contingency and crisis management plans in place, limited rehearsals

Rating 2: Low
• Low rate of change in industry
• Strong ability to anticipate events
• Strong ability to withstand event
• Strategic options defined
• Medium to high internal control capabilities to address risks
• All responses implemented and achieving objectives except under extreme conditions
• All contingency and crisis management plans in place, some rehearsals

Rating 1: Very Low
• Almost no rate of change in industry
• Can anticipate events
• Can fully withstand event
• Real options deployed to maximize strategic flexibility
• High internal control capabilities to address risks
• Redundant response mechanisms in place and regularly tested for critical risks
• All contingency and crisis management plans in place and rehearsed regularly

Speed of Onset Scale:

| Rating | Descriptor | Definition |
|---|---|---|
| 5 | Very High | Very rapid onset, with little to no warning, instantaneous |
| 4 | High | Onset occurs within the first week to a month |
| 3 | Medium | Onset occurs between 1-6 months |
| 2 | Low | Onset occurs between 6-12 months |
| 1 | Very Low | Very slow onset, occurs over a year or more |

Risk Ratings
L = Likelihood I = Impact V = Vulnerability S = Speed of onset

| ID | Risk | L | I | V | S |
|---|---|---|---|---|---|
| 1 | Competition | 3.3 | 4.3 | 3.5 | 3 |
| 2 | Investment | 2.5 | 3.5 | 3.7 | 3 |
| 3 | Adoption | 4 | 4.5 | 4.3 | 5 |
| 4 | Advertisement | 3.5 | 4.8 | 4.5 | 5 |
| 5 | Operating Margin | 3.9 | 4.5 | 4.3 | 3 |
| 6 | Regulatory | 2.8 | 3.4 | 3.1 | 2 |
| 7 | Proceedings | 4.4 | 2 | 3.7 | 4 |
| 8 | Acquisitions and Investments | 4.5 | 4 | 3.5 | 2 |
| 9 | Brand | 1.2 | 4.8 | 4.5 | 5 |
| 10 | U.S. and Foreign Laws | 4.9 | 3.3 | 3.6 | 3 |
| 11 | Intellectual Property Claims | 4.3 | 3.2 | 4 | 3 |
| 12 | Intellectual Property Rights | 3.9 | 4.1 | 3.8 | 4 |
| 13 | Online Services and Content | 4.1 | 3.2 | 4.3 | 3 |
| 14 | Technology Privacy | 4 | 4.8 | 4.6 | 5 |
| 15 | Manufacturing and Supply Chain | 3.9 | 4 | 4.5 | 4 |
| 16 | Security | 4.8 | 4.8 | 4.6 | 5 |
| 17 | Search Quality | 3.4 | 3.4 | 2.2 | 3 |
| 18 | Interruption or Failure of Systems | 4.6 | 4.7 | 4.3 | 5 |
| 19 | International Operations | 4.1 | 4.1 | 4.1 | 4 |
| 20 | Operating Results | 4 | 3.8 | 4.7 | 2 |
| 21 | Business Strategy Execution | 2.5 | 4.5 | 2.9 | 2 |
| 22 | Personnel | 2.5 | 4.4 | 2.8 | 3 |
| 23 | Internet Access Block | 1.5 | 3.5 | 4.6 | 4 |
| 24 | Ad Block | 4.1 | 3.2 | 4.6 | 2 |
| 25 | Investment Portfolio Value | 4 | 4.8 | 3.3 | 4 |
| 26 | Tax Liabilities | 3.8 | 3.2 | 3.1 | 3 |
| 27 | Stock Trading Price | 4.2 | 3.8 | 4.1 | 4 |
| 28 | Stock Ownership Concentration | 2.8 | 3.3 | 4.3 | 4 |
| 29 | Documents and Law Provisions | 1.5 | 2.8 | 4.1 | 1 |

Risk Map

Ranking Risks by Impact and Speed of Onset, individually:

Risk Impact

| ID | Risk | Rating |
|---|---|---|
| 4 | Advertisement | 4.8 |
| 9 | Brand | 4.8 |
| 14 | Technology Privacy | 4.8 |
| 16 | Security | 4.8 |
| 25 | Investment Portfolio Value | 4.8 |
| 18 | Interruption or Failure of Systems | 4.7 |
| 3 | Adoption | 4.5 |
| 5 | Operating Margin | 4.5 |
| 21 | Business Strategy Execution | 4.5 |
| 22 | Personnel | 4.4 |
| 1 | Competition | 4.3 |
| 12 | Intellectual Property Rights | 4.1 |
| 19 | International Operations | 4.1 |
| 8 | Acquisitions and Investments | 4 |
| 15 | Manufacturing and Supply Chain | 4 |
| 20 | Operating Results | 3.8 |
| 27 | Stock Trading Price | 3.8 |
| 2 | Investment | 3.5 |
| 23 | Internet Access Block | 3.5 |
| 6 | Regulatory | 3.4 |
| 17 | Search Quality | 3.4 |
| 10 | U.S. and Foreign Laws | 3.3 |
| 28 | Stock Ownership Concentration | 3.3 |
| 11 | Intellectual Property Claims | 3.2 |
| 13 | Online Services and Content | 3.2 |
| 24 | Ad Block | 3.2 |
| 26 | Tax Liabilities | 3.2 |
| 29 | Documents and Law Provisions | 2.8 |
| 7 | Proceedings | 2 |

Risk Speed of Onset

| ID | Risk | Rating |
|---|---|---|
| 3 | Adoption | 5 |
| 4 | Advertisement | 5 |
| 9 | Brand | 5 |
| 14 | Technology Privacy | 5 |
| 16 | Security | 5 |
| 18 | Interruption or Failure of Systems | 5 |
| 7 | Proceedings | 4 |
| 12 | Intellectual Property Rights | 4 |
| 15 | Manufacturing and Supply Chain | 4 |
| 19 | International Operations | 4 |
| 23 | Internet Access Block | 4 |
| 25 | Investment Portfolio Value | 4 |
| 27 | Stock Trading Price | 4 |
| 28 | Stock Ownership Concentration | 4 |
| 1 | Competition | 3 |
| 2 | Investment | 3 |
| 5 | Operating Margin | 3 |
| 10 | U.S. and Foreign Laws | 3 |
| 11 | Intellectual Property Claims | 3 |
| 13 | Online Services and Content | 3 |
| 17 | Search Quality | 3 |
| 22 | Personnel | 3 |
| 26 | Tax Liabilities | 3 |
| 6 | Regulatory | 2 |
| 8 | Acquisitions and Investments | 2 |
| 20 | Operating Results | 2 |
| 21 | Business Strategy Execution | 2 |
| 24 | Ad Block | 2 |
| 29 | Documents and Law Provisions | 1 |

Risk Correlations

[Risk interaction matrix: the 29 risks listed under Risk Ratings form both the rows and the columns, and an x marks a correlated pair. The column headers and the column alignment of the marks are not recoverable here; each row below keeps only its marks.]

Competition x x x x x x x x x x
Investment x x x x x x x x x x x x x x x
Adoption x x x x x x x x x x x x x
Advertisement x x x x x x x x
Operating Margin x x x x x x x x x x x x
Regulatory x x x x x x
Proceedings x x x x x x x x
Acquisitions and Investments x x x x x x x x x x x x
Brand x x x x x x x x x x x x x x x x x x
U.S. and Foreign Laws x x x x x x x x
Intellectual Property Claims x x x x x x x x x x x x x
Intellectual Property Rights x x x x x x x x x x x x x x x x x
Online Services and Content x x x x x x x x x x x x x x x x
Technology Privacy x x x x x x x x x x x x x x
Manufacturing and Supply Chains x x x x x x x x
Security x x x x x x x x x x x x x x x x
Search Quality x x x x x x x x x x x
Interruption or Failure of Systems x x x x x x x x
International Operations x x x x x x x x x x x x x x x x x x x
Operating Results x x x x x x x x x x x x x x
Business Strategy Execution x x
Personnel x x x x x x x x x
Internet Access Block x x x x x x x x x x x x
Ad Block x x x x x x x
Investment Portfolio Value x x x x x x
Tax Liabilities
Stock Trading Price x x x x x x x x x x x
Stock Ownership Concentration x x
Documents and Law Provisions

By seeing these correlations, we are able to better understand the risks and risk portfolio. In addition,
performing this interaction map allows us to move away from silos and begin to see and practice
enterprise risk management as a collaboration of the company as a whole. This allows us to understand
how the different risks relate and how some can be managed together.

A next step that could be taken, but would need more information, is using historical data to determine
which other risks might correlate, as well as whether the risks that correlate have been properly
managed before or are new risks.

MARCI Chart

The MARCI chart allows us to prioritize risks based on risk response. In other words, the MARCI chart
allows us to prioritize the risks based on what needs to be done in order to manage each risk.

Velocity and “Clockspeed”


Although speed and velocity are synonyms in general usage, they mean different things in the context of
risk management. Velocity is “the time it takes for a risk event to manifest itself,
or in other words, the time that elapses between the occurrence of an event and the point at which the
company feels its effects” (Curtis and Carey, 7). A risk with high velocity is one that manifests itself
immediately, while a risk with low velocity is one that manifests itself very slowly. In contrast,
clockspeed is defined by Marks as the information needed in order to manage risks. In this case, a slow
clockspeed risk is one that “is managed over a lengthy period of maturation and is managed effectively
through traditional control mechanisms” (Horwath, 26), while a fast clockspeed risk is one where
unexpected events occur that require a fast response and may require a different approach than a slow
clockspeed risk would. Although similar, velocity is the speed of the event, while clockspeed
incorporates both velocity and the type of response needed in order to manage the event.

Quantitative Approaches
Google has proactively identified the potential risk that this particular trend is creating, and now faces the
challenge of taking a deeper dive into the most effective way to assess this risk. The document, Risk
Assessment in Practice, suggests a number of quantitative measures that companies should use in their
risk assessments, including benchmarking, scenario analysis, deterministic models, and probabilistic
models. Taking into consideration that Google is generally aware of the likelihood and impact of this risk,
it must focus on assessing the velocity of the risk, in order to develop a decision and action plan in
managing this trend. Using a risk interaction map to first link correlation, a bow tie diagram can then
further be developed using quantifiable data to illustrate the end events or losses stemming from the
consequences associated with the risk. Data used to assess the trend and velocity of this risk is an
extremely important factor, and should be derived from both the internal and external environment.
Competitor and industry trends data is crucial to assessing the real risk impact and the sensitivity of
timing. Analysis of both past and current relationships and partnerships with manufacturers and
distributors can provide good insight into the company’s current market share and future financial health.
All of the pertinent data used needs to then be modeled to look at the consequential impact on a range of
different factors, such as share price, research and development funding, marketing budgets, and others.

Risk Tolerance and Appetite Statements 1


Risk Tolerance Statement: The Company is willing to assume no more than a 10% loss to profit margin,
but will not accept more than a 5% loss to market share in conjunction with net sales.

In developing this statement, we considered the overall mission and strategic objectives of the company,
how it can be implemented throughout the whole organization, and the risk capacity concerning its
financial health. In this example, because the risk appetite is moderately high, the risk tolerance had to
reflect a compromise of boundaries concerning the company’s financial well-being. This is why the
company is willing to assume a higher tolerance on loss of profit, so long as the company continues to
deliver on its net sales and not significantly deviate from its current market share.

Risk Appetite Statement: The Company operates within a moderately high-risk appetite in relation to the
declining trend of personal computer usage amongst the general population. The company assumes this
appetite with the intent to excel within the highly competitive environment, and strives to continue to be
the “first in market” leader, holding majority market share of the industry’s technology, products, and
systems. Operating a moderately high appetite will increase our competitiveness in research and
development, and cultivation of business agreements with top manufacturers and distributors.

In developing this statement, we considered the overall mission and strategic objectives of the company,
the boundaries of acceptable risk tolerance, the effect on the company’s risk profile, its applicability to
decision making and action implementation, the company’s risk attitudes, and its relevance towards this
specific risk. The company has to assume a moderately high-risk attitude because of the fast-paced nature
of its industry, as well as the macro environment. For Google, high-risk endeavors, specifically in the
field of research and development, have the ability to turn into highly profitable opportunities.

Risk Appetite and Tolerance Statements 2
Risk Tolerance Statement: The Company is not willing to assume any risk to its reputation, and will
therefore enforce a zero tolerance policy to reputation risk.

Risk Appetite Statement: The Company operates with a low risk appetite concerning any decisions and
activities which may cause any and all damages to Google’s reputation. The company assumes this
appetite with the intent to protect the reputation of the brand, its technology, products, and services,
affiliates, employees, and value.

Reputation is a concerning element that affects all of Google’s individual risks, and is mentioned in most
of their listed risk factors under Item 1A. Unlike the previous statements, Google cannot afford to enforce
a high-risk appetite, nor allow an exposed risk tolerance. Additionally, because reputation risk correlates
to each function of the organization’s goals, it is a highly sensitive risk that can have high magnitude
adverse effects.

Google should balance risk taking and risk control in a holistic manner. This balance will set clear,
concise objectives and parameters, without limiting the company
from pursuing profitable opportunities. Both risk taking and risk controls should be set in accordance with
the company’s goals, overall culture, and legal and regulatory mandates.

References
Curtis, Patchin, and Mark Carey. “Risk Assessment in Practice.” Deloitte & Touche LLP. Oct 2012.
The Committee of Sponsoring Organizations of the Treadway Commission.

Rittenberg, Larry, and Frank Martens. “Understanding and Communicating Risk Appetite.” The
Committee of Sponsoring Organizations of the Treadway Commission. Jan 2012.

Crowe Horwath. “Risk Appetite and Tolerance Guidance Paper.” Institute of Risk Management.

United States Securities and Exchange Commission. Form 10-K. Google Inc.

Marks, Norman. "Do You Realize How Fast You Need to Respond to Risk? What Does This
Mean?" Sustainable Business Forum. N.p., 16 Mar. 2012.
