Risk Management: Cubes To Doughnuts

Let’s imagine that your private equity fund is considering a long-term investment in an American energy company that ships millions of barrels of crude oil through Philippine waters each year. When Filipino President Duterte unexpectedly calls American President Obama a “son of a whore” while promising to “continually engage China in a diplomatic dialogue rather than anger officials there,” do you change your mind about the investment opportunity?

Under normal circumstances, in order to make an informed decision, you would prepare a valuation analysis that compares the investment’s immediate cost against the present value of its future benefits. But how can you possibly assess its future benefits when massive uncertainty over President Duterte’s evolving foreign policy makes it impossible to render any predictions about the future?

For guidance in managing such risks, we generally turn to the Enterprise Risk Management (ERM) framework that is promulgated by the Committee of Sponsoring Organizations (COSO) of the accounting profession. The current cube-shaped framework prescribes eight component activities for managing such risks, with Event Identification representing the first of its four central activities.

Indeed, one of the reasons for this framework’s enduring popularity is its reliance on the identification of clearly definable risk events. Thus, when a risk factor can be defined in terms of future discrete events, the COSO cube is a natural choice for risk managers.

Worried about the impact of potential hurricane damage on a waterside property, for instance? A hurricane is a future discrete event. It will either occur or not occur, and the consequences of its occurrence or non-occurrence are relatively easy to estimate. If a hurricane occurs, there will be massive losses. And if not, the status quo will continue unabated.

But what if a risk factor cannot be defined as a discrete event? What if the long-term impact of a risk factor depends on slowly evolving circumstances that are extremely difficult to even define, let alone assess? Does COSO have a different framework for such factors?

Yes, it does. A new version of the framework is only available in a draft exposure format at the moment, but it is expected to be finalized shortly. It uses a doughnut symbol, instead of a cube. And although Risk Identification continues to represent an important underlying function of ERM, it no longer appears prominently on the face of its new framework.

Whereas the older cubic framework prescribes a list of eight rigidly defined and sequenced component activities, the newer circular doughnut framework relies on 23 broad principles like “Commitment to Integrity and Ethics” and “Develops Portfolio View.” So, with these two frameworks in mind, let’s think about the political risk that is challenging our private equity investor.

On the one hand, President Duterte’s colorful comments will undoubtedly impact the short-term relationship between his nation and the United States. But on the other hand, this relationship will continue to evolve over time, and will be impacted by numerous unpredictable future circumstances. So even though President Duterte’s eventful actions can influence the future Filipino-American relationship, he cannot unilaterally determine it.

That’s why we need a doughnut-shaped framework, with its 23 principles, to assess such complicated circumstances. Although the event-centric cubic framework is sufficient for more easily defined risks, the circular framework is required to analyze the complex risks that challenge us in our multi-dimensional environment.