Optimization model of financial resources for business risk management
Wanderlei Lima Paulo1, Francisco Carlos Fernandes2, Marcia Zanievicz Silva2
1 Professional Master Program in Business Administration, Campo Limpo Paulista College
2 Paulista School of Politics, Economics, and Business, São Paulo Federal University
ABSTRACT
This article aims to propose a model to determine the best allocation of financial resources for business risk management, permitting the risk manager to define a control policy with reduced costs that reaches a desired control target. The problem of study is presented as an issue of optimization of costs, formulated as a model of integer linear programming, which basic restrictions are associated to the demanded levels of control. The proposed model is applied to a problem of resource allocation for the control of operational costs. The results show that the model is an adequate instrument to better allocate financial resources, which its use proportionates better conditions for the decision process of business risks.
Keywords: Business risks; best resource allocation; integer linear programming.
INTRODUCTION
Corporation are being exposed to different types of risks, which are classified by literature in many distinctive formats, such as: operational, financial, environmental, technological, of reputation, or even, controllable and non-controllable risks (Jorion, 2006; Subramaniam et al., 2011; Zonatto et Beuren, 2010). Risk is typically defined as possibility to danger, waste, loss, or volatility of unexpected results. Concepts, definitions, and classifications of business risks can be seen in Merna et Al-Thani (2008) and Chapman (2006).
In regards to the management of business risks, the managers have a series of methodologies to measure and control risks, which are based on qualitative, quantitative, or mixed approaches. Among those approaches, it is important to mention Rainer et al. (1991), Miller et Waller (2003), Cornalba et Giudici (2004), and Paulo et al. (2007). In general lines, all methodologies aim to contribute to mitigate risks and to guarantee the effectiveness of internal controls. In this article, the qualitative approach is used, focusing to establish the level of risk by the composition of frequency and severity, generating a matrix of risks, a tool normally used to evaluate risks in general.
According to Lawrence et Sommer (2007), the limit of exposition to risk depends on the appetite and on the tolerance to risk under a personal and corporate context; on the other hand, it is also conditioned to the economical limitations of the agents, once there are budget limitations, the optimal solution to minimize risks is not necessarily the one to be implemented. According to Lei (2011), the risk managers, in order to minimize the costs of mitigation, need to determine the best level of spending or investments in risk management, however, this issue is rarely discussed in literature.
Yet related to the costs of risk mitigation, Lei (2011) reports that risk managers must have in mind that their role is to maximize the value of the enterprise for the interested parts, and that the value of the company under risk must be equal to its value without risks plus the cost of the risk. The goal of a risk manager must also include to minimize the total cost of the risk. Harrington et Niehaus (2002) subdivided the cost of risk in five components: expected loss; cost to control losses; cost to finance losses; cost to reduce risks; and cost of residual uncertainty.
Paulo et al. (2007) signal that there is an obsession with the relation between cost versus benefits in adopting control measures to reduce risks. To enable the allocation of available resources to implement action plans for risk controlling, the authors propose the use of a performance matrix generated from the measurement of the control level and of the importance level of the risks to be managed. Although, the selection of a control strategy is subjective and it does not consider the limitation of financial resources.
Within this context, this article aims to propose a model do determine a strategy of resource allocation to implement action plans to control business risks, permitting the risk manager to define a control strategy with a minimal cost and that reaches a desired control target. The problem of study is formulated as a model of integer linear programming, which basic restrictions are associated to set of demandes control levels (control target).
This article is organized in four sections, including this introduction. In section 2, the concepts of risk matrix and performance and control matrix are presented. The model of optimization that permits the risk manager to define a control strategy with minimum costs, and which achieves a desired control level is proposed on section 3. It is also presented a numerical example in order to illustrate the application of the model in a problem of financial resources allocation to manage operational risks. In the end, in section 4, some final considerations are presented.
THEORETICAL FOUNDATION
This section deals with the theoretical foundations that support the development of the proposed model in this article. In special, the concepts and the process of construction of a risk matrix are here presented, together with the ones of the performance and control matrix.
Risk Matrix
Under a qualitative approach, the level of risk can be determined by the composition of the variables frequency and severity (financial impact), being the risk matrix a tool normally used to evaluate business risks. Examples of applicability, construction, and observations with the adoption of the risk matrix as a tool for risk analysis can be seen in Hewett et al. (2004), Oliveira et Cunha (2015), Macedo et Salgado (2015), Baybutt (2015), and Duijm (2015).
The risk matrix is constructed from a criterion of qualitative classification for the frequency and impact levels, which can vary according to the function of the evaluative process, sixe of the enterprise, market segment of the enterprise, among other factors. Chart 1 presents an example of classification and parameterization of frequency and severity levels.
Chart 1. Example of classification and parameterization of frequency and severity
Source: Adapted from Paulo et al. (2007).
From the levels of frequency and severity, the risk matrix is partitioned in regions that characterize the levels of risk to be evaluated. The definition of these regions can vary according to the risk profile of the manager, the process evaluated, and of the operated products and services. Image 1 illustrates an example of a risk matrix with risk levels classified as Low, Medium, High, and Extreme. In this case, the regions of risk can be determined based on the values of risk intensities (values from 1 to 49), calculated by the product of the weights of the variable frequency (from 1 to 7), and the variable severity (from 1 to 7). As a whole, it can be considered that the risks placed in the region of high risks indicate the necessity of more rigid controls, while the ones located in the low risk region demonstrate an adequate control of the risks.
Image 1. Example of risk matrix with classification criterion based on the intensity of risk: Low Risk, Medium Risk, High Risk, and Extreme Risk.
Source: Designed by the authors.
Performance and Control Matrix
With a goal to enable the allocation of available resources to implement action plans to control risks, Paulo et al. (2007) propose the use of a performance and control matrix generated from the measurement of the control level and the importance of risk level associated to each type of risk being evaluated.
The level of risk control associated to a certain type of risk k, therefore called NCRk , is defined under the following formula:
in which e
are weights attributed to the i-th control used and to the j-th standard control (in accordance to the good control practices), respectively, representing a level of capacity of a control designed to mitigate a type of evaluated risk.
The parameter is defined by
,
in which are weights attributed to the l-th control attribution used and to the m-th standard attribution, respectively, representing a level of significance of an attribution to the effectiveness of a control to mitigate a certain type of risk.
Control attributes consist in requisites that characterize a certain control, being implemented from action plans. The level of risk control can assume the following values: , when the level of control is equal to the acceptable standard;
, when the level of control is below the acceptable standard; and
, when the level of control is above the acceptable standard.
Considering a risk matrix with a scale of weights for the variables frequency and severity, varying from (lower weight) to
(higher weight), the level of importance of risk
, associated to a certain type of risk k that can be described as:
in which and
are, respectively, the given weights to frequency and severity of the k-ish risk evaluated.
From the components and
, it is possible to build the performance and control matrix. Image 2 present an example of a performance and control matrix for five types of risks, from which it is possible for the manager to identify which risks require to have some improvement in control (region for improvement), which have adequate control (ideal region), and which controls are exceeding (region in excess). The ideal region is separated by its lower margin by the border of acceptability, being it the minimal level of control tolerated by the company. For example, the risks 2, 4, and 5 are in the region for improvement of control, demonstrating the necessity to review the policy for control in place. It is seen that the risk 3 presents a higher level of control when compared to risk 1, despite the fact that the risk 1 has a higher level of importance in risk. In this case, a possible action could be applying part of the resources used in risk 3 to improve the level of control of risk 1.
In general, an acceptable control policy would place all risks in the most adequate region. In the end, it is important to mention that the regions for improvement, of excess, of urgency, and the adequate ones are defined by the manager, based on the profile of risk and of the level of demand for control.
Image 2. Example of a performance and control matrix for five types of risks.
Source: Adapted from Paulo et al. (2007).
The method proposed by Paulo et al. (2007) permits to identify which risks present inadequate levels of control, assisting the risk manager in the decision-making process related to the allocation of financial resources. For example, the manager could reduce the resources applied to risk controls placed in the region in excess of the performance and control matrix to apply them to the controls located in the region of improvement, thus contributing to the optimization of available resources to implement risk mitigation plans. However, it will be a decision of the manager, based on subjective criteria, which actions (specification of controls and attributes) must be implemented with the objective to achieve a target of desired level of control.
A relevant question in the moment of the decision-making process is: which control strategy with minimal cost would support the goal of the risk manager? In the next section, there is a suggestion for a mathematical model that aims to respond to such question, giving the risk manager lesser subjectivity in the decision making process to control business risks.
METHODOLOGICAL PROCEEDINGS
This section presents a proposed model to determine an optimal strategy of allocation of resources to the implementation of action plans to control business risks. The model is applied in a problem of allocation of financial resources to manage operational risk.
Proposed Model
For the purpose of this article, it was defined that strategy of control is as set of controls and their respective attribution to be performed; and as control target a set of established control levels. The problem of allocation is placed as a problem of integer linear programming, which aims to determine a control strategy with minimal costs and that satisfies a setting of restrictions, such as: control target, dependable decisions, minimal quantity of controls, etc.
Considering the concepts and measures presented in section 2, it is defined that:
Based on the indicator (1), the level of risk control associated to the k-ish risk, , is therefore defined as:
in which the variable and the parameters
are as defined previously in this article.
The problem of optimization, in its basic format, is to find a set of attributes that minimize the total cost (CT), and at the same time, it responds to a control target, thus described as:
minimize
subject to:
in which:
are minimal and maximum desired control levels associated to the k-ish risk. It is seen that the solution found is given by a vector of dimension
, whose elements are given by x*kil with,
and
, in a way that the set of controls to be placed in order is directly established from
, thus defining the best control strategy (set of controls and their respective attributes to be performed).
It is seen that, by the two restrictions defined in (4), there is a control target a set of intervals of control levels, in other words, , in which n is the quantity of evaluated risks. Such restrictions are considered as basic restrictions of the proposed model. However, besides these, other restrictions can be considered in a way that they treat inherent aspects to the operational process of the company or the regulations of supervision and regulation of risk control. For example: the application of a control element conditioned to the implementation of a certain operational system (a dependent choice); control requisites that will be incorporated to the plans of action independently of the power of mitigation or cost of implementation they may require.
The previous model proposed enables the manager to define a control strategy with minimal costs that achieves a desired level of control (or a certain interval) for each type of risk. On the other hand, such minimal cost can be found above the budget defined to implement the control of risk, which would make the application of measurements unfeasible to achieve an optimal solution based on the model (3)-(4). In this case, an alternative is to rewrite the initially proposed model with a problem of optimization by targets under budget restriction, in means to find a control strategy that the resulting level of control is near to the maximum level expected (control target). Therefore, the problem consists in finding a set of attributes in which to minimize the distance between the levels of control of the evaluated risks and their respective expected levels of control, thus described as:
minimize
subject to:
in which is the expected level of control (target);
, is the level of control associated to the k-ish risk defined in (2); and L the maximum level of resource available (budget restriction).
It is suggested the usage of this problem when the budget limitation L is lower than the minimal cost found by the application of the model (3)-(4).
Numerical Example
This subsection presents an application of the model previously proposed in a problem of allocation of financial resources to the management of operational risk. It can be considered that the operational risk is associated to the events of losses inherent to the operational process of a corporation, such as system failure, obsolescence of equipment, professional qualification, typing errors, frauds, among others. Studies related to the analysis and to the measurement of operational risks can be seen in Gonçalves et al. (2014), Urbina et Guillén (2014), and Yang et al. (2015).
Based on the case study presented by Paulo et al. (2007), it is considered there are the following types of risks inherent to the operational process of contract management: Contract Risk (R1), Process Design Risk (R2), Conformity Risk (R3), Tributary Risk (R4), and Outsourcing Risk (R5). For each type of risk, it is defined a set of standard controls; and for each control, a set of standard attributes.
To apply the proposed model in this article, it was established costs of implementation to each attribution. The five first columns of Chart 1 show, respectively, the list of risks, of controls, of attributes, and their corresponding weights. The column “Cost” refers to the costs of implementation for each attribution. The attributes highlighted in bold were defined as standard attributes. The column “Attributes in Place” describes the attributes placed after a cycle of evaluation.
Chart 1. Classification of the types of risks, of controls, of attributes, and of their respective weights and costs, inherent to the process of contract management
Source: Adapted from Paulo et al. (2007).
Considering the data found on Chart 1, the Image 3 presents a performance and control matrix as a result from the applicability of the proceedings described in the section 2 to calculate the level of control (NCR) and the level of importance of risks (NIR). It is seen that the risks from Process Design (R2), Tributary (R4), and Outsourcing (R5) present inadequate levels of control, as they are found in the region for improvement. From this moment, the manager can define a control strategy (set of controls and their respective attributes) in order to improve the level of control of such risks. Therefore, the proposed model (3)-(4) permits to determine a control strategy with minimal implementation costs that attend to the control target established (desired levels of control).
Image 3. Performance and control matrix generated after a cycle of evaluation of risks, referring to the process of contract management.
Source: Designed by the authors.
As an example of application of the model (3)-(4), it is considered as a control target defined by the following minimal control levels:
, which is described as:
minimize
subject to
in which is the quantity of controls (column “Controls” from Chart 1) given to the k-ish risk (column “Risks” from Chart 1); is the quantity of attributes (column “Attributes” from Chart 1) associated to the i-ish control; and
refers to the unit cost (column “Cost” from Chart 1) of the l-ish associated attribute to the i-ish control of the k-ish risk. The levels of control
are specified according to the definitions in (2).
The solution to the problem (5)-(6) was acquired from the function BINTPROG in the Matlab software. The column “Attributes to place” in Chart 2 refers to the respective control strategy with minimal costs. In this case, the minimal cost to implement such strategy, calculated by the application of the function (5) is . This cost is below the one from the present control strategy (set of attributes defined in the column “Attributes in place” from Chart 2),
.
Chart 2. Types of control, attributes in place and to place (optimal control strategy), referring to the process of contract management.
Source: Designed by the authors.
Image 4 presents the performance and control matrix considering the optimal control strategy described on Chart 2 (column “Attributes to place”), in which the levels of risk control (identified by “∆”) were calculated by the expression (1), being .
It is perceived that the restrictions defined in (6) were fulfilled. Therefore, it is possible to conclude that the model of optimization proposed permitted the best selection of controls to be used, minimizing the costs of implementation, and placing all risks evaluated (R1, R2, R3, R4, and R5) in the adequate region of the performance and control matrix, in such a manner that the levels of control of all risks had an improvement.
Image 4. Performance and control matrix generated from the optimal control strategy, referred to the process of hiring management.
Source: Designed by the authors.
Aiming to evaluate the behavior of the solution of the proposed model as a function of the degree of demand for control, it was established a simulation of the minimal cost, calculated from the problem (5)-(6), considering the variations of the target control (set of control levels). It was defined as the initial control target the set of minimal control levels related to the present control strategy (column “Attributes in place” from Chart 2), or .
In Chart 3, the authors present nine control targets, generated from the initial target, for which it was determined their respective minimal costs (column “Minimal Cost”). As expected, it was seen that the minimal cost increases with the development of the demanded minimal control level.
Chart 3. Simulation of the minimal cost as function of the average of the minimal control levels.
Source: Designed by the authors.
It is important to mention that a control strategy for minimal costs does not necessarily will be the most appropriate strategy from the view of risk management. For example, considering the problem (5)-(6), with minimal control levels established by the values specified in the ninth control target, as presented in the Chart 3, , the Image 5 shows the position of each type of risk (R1, R2, R3, R4, and R5) as a result from the optimal solution found (identified by “o”).
It is seen that all risks are above the border of acceptability of the performance and control matrix, yet it is possible to consider it was not the most appropriate strategy for control. This fact occurs once the conformity risk (R3) is placed in the region of excess, thus part of the resources used to control it could be allocated to improve the level of control of another type of risk with higher importance (as for example, in the process design risk, R2).
A possible control target would be to define the intervals of the control levels associated to the levels of importance of risks, once the most relevant risks are signed with higher levels of minimal control. For example, the positions identified with “∆” in Image 5 represent the levels of controls generated, considering the following restrictions:
.
It is possible to see that, in average, the level of control is proportional to the level of importance (or relevance) of the risks.
Image 5. Performance and control matrix
Source: Designed by the authors.
*“o” represents the position of each type resulting from the optimal solution found, considering as minimal control levels (target) those specified in the ninth control target presented in Chart 3, while “∆” represents the position originated from the optimal control strategy, considering as targets the following intervals of control: .
It is important to mention that the model here proposed considers as constant the level of importance of risk (NIR), being only a component of the level of control of risk (NCR) affected by the control strategy generated by the model (3)-(4), as it is identified by the images 3 and 4 (occurrence only seen by the vertical movement of the control levels). Another aspect to be highlighted is the fact that the model considers that controls and attributes are exclude one another in such manner that each attribution is associated to one single control, and each control is associated to one single type of risk.
FINAL CONSIDERATIONS
This article presented a model that enables to determine an optimal strategy to allocate resources to manage business risks. The problem of allocation is formulated as a model of integer linear programming, in which the function-objective represents the total cost of implementation of control attributes, and that the basic restrictions are characterized by a specific control target (set of control levels attributed to the risks evaluated). The model proposed assists the risk manager to define a control strategy with minimal costs that fulfills the desired control level.
The results found showed that the model proposed is presented as an adequate tool to the best allocation of financial resources. Its usage permits better conditions to support the decision making process in risk management, facilitating the positioning of managers in situations that the best exposition also depends on the set of available financial resources, and in the case presented, on the costs. Such restrictions are inherent to the business reality and they could include legal restrictions (mandatory controls, for example), budget restrictions (availability of resources, for example), among others.
It is important to mention that the proposed model considers as constant the level of importance of the evaluated risks (NIR), being only a component of the level of risk control (NCR) affected by the control strategy set by the model (3)-(4). A suggestion is to incorporate the optimization of the model to the component NIR, in order to permit the occurrence of horizontal or oblique movements from the position of a risk under the performance and control matrix. Another suggestion would be to adjust the model in order an attribution (or control) could be applied in more than one type of control (or type of risk).
REFERENCES
Baybutt, P. (2015), “Calibration of risk matrices for process safety”, Journal of Loss Prevention in the Process Industries, Vol. 38, pp. 163-168.
Chapman, R. J. (2006), Simple Tools and Techniques for Enterprise Risk management, John Wiley & Sons, Chichester, England.
Cornalba, A. C. et Giudici, B. P. (2004), “Statistical models for operational risk management”, Physica A, Vol. 338, pp. 166-172.
Duijm, N. J. (2015), “Recommendations on the use and design of risk matrices”, Safety Science, Vol. 76, pp. 21-31.
Gonçalves, M. A., Ferreira, B. P. e Alemão, M. M. (2014), “Risco Operacional no Setor Saúde: Financiamento pelo SUS Paralelo aos Gastos na Fundação Hospitalar do Estado de Minas Gerais”, Revista Gestão & Tecnologia, Vol. 14 No. 1, pp. 126-150, disponível em: https://revistagt.fpl.edu.br/get/article/view/532/505 (Acesso em 20 de junho de 2014).
Harrington, S. E. et Niehaus, G. (2002), “Enterprise Risk Management: the case of united grain growers”, Journal of Applied Corporate Finance, Vol. 14 No. 4, pp. 71-82.
Hewett, C.J.M., Quinn, P.F., Whitehead, P.G., Heathwaite, A.L. e Flynn, N.J. (2004), “Towards a nutrient export risk matrix approach to managing agricultural pollution at source”, Hydrology and Earth System Sciences, Vol. 8 No. 4, pp. 834-845.
Jorion, P. (2006), Value at Risk: the new benchmark for managing financial risk, McGraw-Hill, New York, NY.
Lawrence, R. E. H. et Sommer, P. (2007), “Computing value at risk: a simulation assignment to illustrate the value of enterprise risk management”, Risk Management and Insurance Review, Vol. 10 No. 2, pp. 299-307.
Lei, Y. (2011), “Minimizing the cost of risk with simulation optimization technique”, Risk Management and Insurance Review, Vol. 14 No. 1, pp. 121-144.
Macedo, M. H. B. et Salgado, E. G. (2015), “Gerenciamento de risco aplicado ao desenvolvimento de software”, Sistemas & Gestão, Vol. 04 No. 1, pp. 158-170, disponível em: http://www.revistasg.uff.br/index.php/sg/article/view/V10N1A13/SGV10N1A13 (Acesso em 11 de maio de 2016).
Merna, T. et Al-Thani, F. F. (2008), Corporate Risk Management, John Wiley & Sons, Chichester, England.
Miller, K. D. et Waller, H. G. (2003), “Scenarios, Real Options and Integrated risk management”, Long Range Planning, Vol. 36 No. 1, pp. 93-107.
Oliveira, A. M. et Cunha, A. C. (2015), “Análise de risco como medida preventiva de inundações na Amazônia: estudo de caso de enchente de 2000 em Laranjal do Jari-AP, Brasil”, Ciência e Natura, Vol. 37, pp. 110-118.
Paulo, W. L., Fernandes, F. C., Rodrigues, L. G. B. e Eidt, J. (2007), “Riscos e controles internos: uma metodologia de mensuração dos níveis de controle de riscos empresariais”, Contabilidade & Finanças, Vol. 18 No. 43, pp. 49- 60.
Rainer Jr., R. K., Snyder, C.A. e Carr, H. H. (1991), “Risk analysis for information technology”, Journal of Management Information Systems, Vol. 8 No. 1, pp. 129-147.
Subramaniam, N., Collier, D., Phang, M. e Burke, G. (2011), “The effects of perceived business uncertainty, external consultants and risk management on organizational outcomes”, Journal of Accounting & Organizational Change, Vol. 7 No. 2, pp. 132-157.
Urbina, J. et Guillén, M. (2014), “An application of capital allocation principles to operational risk and the cost of fraud”, Expert Systems with Applications, Vol. 41, pp. 7023-7031.
Yang, M., Khan, F. e Amyotte, P. (2015), “Operational risk assessment: A case of the Bhopal disaster”, Process Safety and Environmental Protection, Vol. 97, pp. 70-79.
Zonatto, V. C. S. et Beuren, I. M. (2010), “Categorias de Riscos Evidenciadas nos Relatórios da Administração de Empresas Brasileiras com ADRS”, Revista Brasileira de Gestão de Negócios, Vol. 12 No. 35, pp. 141-155.