Risk can be measured or evaluated in many ways, from multiple perspectives, and with varying degrees of detail. Often companies start to look at risks at a very basic level, with simple measurement standards. Over time, as their ERM program evolves, companies may become more sophisticated in how and why they review risk. While there are no universal metrics, the following ERM "essentials" describe some of the major metrics or standards used to sort and organize a risk library.

"The Basics": Frequency and Severity

Risk assessment has two platinum hits: frequency and severity. Frequency is the likelihood of a risk occurring, and risks are first usually classified on a scale from very unlikely to very probable. Severity, or magnitude, measures the impact of the risk should it occur, or the consequence. Severity is also measured on a continuum of potential loss, from insignificant or immaterial, to extreme—something that is "company busting." The degree of potential loss can be further broken down into "subset" views of average loss, maximum possible versus probable loss, plus minimum possible and probable loss. These breakdowns are the basic feeds for many models used to analyze and rank the importance of risks.

The exact categorizations or labels of such metrics can be grouped either on a numerical scale, such as "1 through 5" or "$100M to $10B." Or it can be phrased as on a qualitative basis, with a descriptive phrase range, such as "highly unlikely, extremely likely," or "low impact, maximum impact." The exact wording of metric range will vary by company preference, and may depend on the risk being measured. For example, credit or liquidity risk may lend itself more easily to a numerical or dollar impact scale.

Together, frequency and severity are used to sort identified risks. Various methods have been developed to help classify risks according to their seriousness, but the most common method is to develop a two-dimensioned graph or matrix that classifies risks into categories based on the combined effects of their frequency and severity. Minor risks that do not require further management attention are set aside or "back-burnered." Significant risks are pushed up in the queue for in-depth management attention or more analysis. In many companies, the process of classifying risks in matrix form will ultimately yield a new combination of risks, shown by importance. Commonly, a prioritization is depicted in a list or report form, often color-coded, such as "high" (red), "moderate" (yellow), or "low" (green). 

"Next Steps"

The "B-side" metrics, beyond the popular frequency and severity cuts, are several other common measurements or scales that can be applied to a variety of risks, whether operational, claims, underwriting, marketing, credit, etc. These include:

Velocity – How fast will something take to happen? Will it take minutes, days, weeks, hours or years for a risk to develop and become a problem or issue? Sometimes velocity of development can be controlled for a potential loss, and actions taken to divert or delay full progress of a course of action, affecting its priority and urgency in a ranking process.

Duration – How long will losses last, when they have occurred? Considerations of duration may also impact importance. For example, a long period of business interruption may have significant lasting reputational effects greater than the sudden, large cost of the destruction of a building. Mitigation or response efforts to the risk of a building fire may weigh more heavily to reopening the business in an alternate location than to getting the actual building fixed immediately.

Causation – Is this a risk that will have losses with a common cause, or something that will occur because of a one-off, unpredictable and uncontrollable cause? For example, auto accidents may occur frequently, and insurers may be able to predict auto loss ratios fairly accurately. However, since the accidents don't have a common cause, companies may not have the control to mitigate losses very much. Other risks, like workplace injuries or employee theft, may occur more infrequently but may have a common cause such as lack of safety or security equipment or adequate training, which can be better addressed. Drilling down frequency measurements further by commonality of cause can be helpful in prioritizing where to assign resources.

"Deep Cuts"

Some metrics qualify as "deep cuts," more appreciated by actuaries or ERM experts, useful in modeling, but not necessarily widely known by the general public.

Volatility or Confidence – A "measurement of the measurements" looks at how confident the company is in its estimate of a metric like frequency or severity. Is the metric itself based on a large quantity of solid historical data, which would increase its reliability? Or is it a rare occurrence where actual consequences could vary widely from ERM estimates?

Correlation or "Inter-Connectivity" – This metric is used to determine how much a risk in one operational area or department affects other risk areas. For example, underwriting loss or risk may go hand-in-hand with credit or liquidity risk. Marketing errors can affect both short-term sales and long-term reputation. Risks with a high correlation to other risks—those with a back-up band—may receive more attention in the ERM process than solo risks. 

"Genius" & "Ping": Advanced Technologies

The advanced technology of iTunes' "Genius" program turns a simple library into a jukebox. It enables me to combine artists and albums into new playlists, and generates recommendations for similar music. It even predicts what my appetite will be for new bands, based on a complex database of metrics and analytics coded for each of my saved songs. Further, iTunes "Ping" is a social network service where users share in what their favorite artists are listening to, and follow news and trends in real time. Genius and Ping expand listening options exponentially.

ERM IT systems now play a similar role. ERM systems not only synch, copy, and archive data about specific risks, but they also play risk metrics in a new way, combining two or more metrics to improve the ranking process. Additionally, they provide management reports and dashboards, artfully covering the complete set of a company's risk. As a company grows and develops its ERM program, management and staff need to share risk assessment information and constantly update their metrics, "real time," beyond just a static spreadsheet file. ERM technology expands analysis options exponentially.

In sum, Steve Jobs knew that iTunes would change the way people "heard the world," quoted in Fortune in 2003 as saying, "It will go down in history as a turning point for the music industry. This is landmark stuff. I can't overestimate it!" Similarly, ERM has changed the way companies view the world, and implementing ERM as an everyday business discipline has been a turning point for the financial services industry. Managing ERM metrics through a dynamic library system can help companies assess and control future losses.