FERM - Ch.15.5: Unquantifiable Risks



Reading Source: Textbook - Financial Enterprise Risk Management

Topics Covered in this Reading:

  • Risk Map
  • Quantifiable New Risks


This reading uses an example of a risk map to help gauge the magnitude and materiality of risks that are harder to quantify.

Let’s have some fun here; for the following risks, let’s pretend they are both quantifiable and unquantifiable. Answer the following:

  1. Quantifiable - How would you go about quantifying this risk?
  2. Unquantifiable - Where on the risk map do you think the risk would belong?
  3. Pretend you were the CRO; have a go at how you would mitigate this risk. 🙂


  • Risk Event 1 - Fraud Risk - Visa credit cards experience a 150% increase in fraudulent credit card losses (2.5 * Expected Losses) due to an increase in internet fraud activity.
  • Risk Event 2 - Regulatory Risk - The national regulator (e.g. OSFI in Canada, PRA in the UK, etc.) gets hacked and private and confidential company information is leaked to the media and public - some of this data, when leaked to the public, could be crippling to a company.
  • Risk Event 3 - Outsourcing Risk - McDonald’s outsources all of its coffee bean production to a third-party company called Green Free Trade (GFT) Coffee Producers. 90% of McDonald’s Cafe products rely on products from GFT, and these are shipped globally. GFT is located in Tanzania, Africa, and is suddenly shut down by the African government due to tax evasion, and must pay the government the equivalent of $100 Million USD before being allowed to resume operations.


Thanks @Aaron_Yanofsky, I’ll start with number one

Fraud Risk:

  1. I would say you could probably model this using a distribution and then using Monte Carlo simulation. I would say that normal levels of fraud would be fairly stable, and could probably be modeled using a normal distribution. Perhaps this could be modified to allow for certain catastrophic fraud events that could occur from time to time when a large individual fraud event would occur. Once this distribution is modeled, outcomes could be simulated using Monte Carlo simulation.

  2. I would place this risk around a 4 on likelihood, and about a 2 on impact. I think it could be reasonably likely to have certain periods where fraud risk increases to 150% of expected value for a short time (when there were a few larger fraud incidents). I think that this is unlikely to have a serious impact on Visa’s financial situation, which is why I placed it at a 2. If it were to continue at this level for an extended period of time, I could see the impact being placed higher, but if it were 150% of the expected for a short time period then I think it would be a short-term loss and not something that could risk serious losses.

  3. I wonder if insurance exists for this risk! If so, perhaps credit card companies purchase this together as a way of pooling fraudulent losses, and even further diluting the risk. Another strategy could be to study past fraudulent losses and determine some common causes of loss. Perhaps some policies could be implemented to make it more difficult for these activities to occur. For example, if common fraudulent activities were made on internet purchases, perhaps forcing an additional login to take place with a second password would reduce the number of internet fraudulent activities.
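Added example (not from the FERM textbook and not the poster’s own code): a Monte Carlo sketch of the frequency/severity model described in the post above. It treats routine fraud as a stable baseline (Poisson count of incidents, lognormal loss per incident) and adds a rare catastrophic component that fires in a small fraction of years, then simulates many years to read off the expected loss, the 99th-percentile loss, the capital that implies, and how often a year actually hits the thread’s stress scenario of 2.5× expected loss. Every parameter is a constructed assumption in $ millions, chosen for illustration rather than calibrated to any issuer; the event rate, severity medians and catastrophe probability are all hypothetical.

```python
"""Monte Carlo model of annual card-fraud losses (added illustration).

Not code from the textbook or the thread. Baseline fraud is a compound
Poisson/lognormal process; a rare catastrophic event is mixed in on top.
All parameters are constructed assumptions in $ millions.
"""
import math
import random
import statistics
from statistics import NormalDist

# --- Constructed assumptions (hypothetical, $M) ------------------------------
BASELINE_EVENTS_PER_YEAR = 50                          # routine fraud incidents per year
SEVERITY_MU, SEVERITY_SIGMA = math.log(0.05), 1.0      # loss per incident, median $50k
CATASTROPHE_PROB = 0.05                                # one major fraud wave every ~20 years
CATASTROPHE_MU, CATASTROPHE_SIGMA = math.log(10.0), 0.5  # extra loss in such a year, median $10M


def poisson(lam, rng):
    """Poisson count: number of exponential inter-arrival gaps that fit in one unit of time."""
    count, t = 0, rng.expovariate(lam)
    while t < 1.0:
        count += 1
        t += rng.expovariate(lam)
    return count


def simulate_year(rng):
    """One year's total fraud loss: compound baseline plus a rare large event."""
    n_events = poisson(BASELINE_EVENTS_PER_YEAR, rng)
    loss = sum(rng.lognormvariate(SEVERITY_MU, SEVERITY_SIGMA) for _ in range(n_events))
    if rng.random() < CATASTROPHE_PROB:
        loss += rng.lognormvariate(CATASTROPHE_MU, CATASTROPHE_SIGMA)
    return loss


def simulate(n_years=10_000, seed=1):
    """Independent simulated years; the fixed seed makes the run reproducible."""
    rng = random.Random(seed)
    return [simulate_year(rng) for _ in range(n_years)]


def percentile(samples, q):
    """Empirical q-quantile (0 < q <= 1) from the sorted sample, no interpolation."""
    ordered = sorted(samples)
    idx = max(0, math.ceil(q * len(ordered)) - 1)
    return ordered[idx]


def summarize(losses, stress_multiple=2.5):
    """Expected loss, 99th-percentile loss, capital above expected, and the share of
    years that reach the thread's stress scenario (loss >= stress_multiple x expected).
    Also reports what a plain normal fit to the same losses would claim for the
    99th percentile, to show how much a thin-tailed assumption understates it."""
    expected = statistics.fmean(losses)
    var99 = percentile(losses, 0.99)
    stress = stress_multiple * expected
    p_stress = sum(1 for x in losses if x >= stress) / len(losses)
    normal_var99 = NormalDist(expected, statistics.stdev(losses)).inv_cdf(0.99)
    return {
        "expected": expected,
        "var99": var99,
        "capital_at_99": var99 - expected,
        "p_stress_year": p_stress,
        "normal_fit_var99": normal_var99,
    }


if __name__ == "__main__":
    for key, value in summarize(simulate()).items():
        print(f"{key:>17}: {value:8.3f}")
```

With these constructed parameters, the baseline alone almost never reaches 2.5× expected loss; the stress scenario is driven by the catastrophic component, and a normal distribution fitted to the simulated years puts the 99th percentile well below the empirical one. That is the caveat to keep in mind when a stable-looking series is modelled as normal: the capital number is decided by the tail you assume, not by the average year.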


I’ll take a shot at the second example.

  1. I would quantify this operational risk event by trying to conduct some research on past data breaches. For example, maybe there is publicly available information on breaches like the Equifax data breach. Perhaps there are professional research committees (e.g. SOA committees) that have already been studying this risk and could provide some direction? If I could get a few data points, I could establish a range of possible losses, calculate a mean and standard deviation, and determine a level of capital to hold at, say, the 99th percentile.

  2. I think this risk would be a 2 on likelihood, and a 2 on impact. I think that the chance of the government being hacked is quite low due to likely heightened security measures. And even if it was hacked, I think the impact is low since it would likely impact the entire industry, presuming the data breach wasn’t targeting any particular market/company segment of personal data.

  3. I think that it would be tough to mitigate the likelihood of impact as the CRO, since my company wouldn’t have control of the regulator’s systems. But, as CRO, I would ensure that my company had representation in any insurer association/lobbying bodies to ensure/pressure government to have the most up-to-date system security. I would also have my Risk team perform scenario exercises of data breach situations, and determine a plan (in advance of the breach) to address these types of situations, including things like speed of response, how we would address the media, our customers, having the corporate legal team think about implications, etc.
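Added example (not from the FERM textbook and not the poster’s own code): the mean/standard-deviation approach in point 1 of the post above, carried through on a small constructed sample. It fits both a normal and a lognormal distribution to the same handful of loss figures, reads off the 99th percentile under each, and bootstraps the estimate to show how wide the range is when only a few data points are available. The sample losses are hypothetical placeholders in $ millions, not real breach figures, and the 90% bootstrap level and resample count are arbitrary choices.

```python
"""Capital at the 99th percentile from a handful of loss data points (added illustration).

Not code from the textbook or the thread. The sample below is constructed:
eight hypothetical loss amounts in $ millions standing in for researched
breach losses. The point is that with so few points the capital figure is
driven by the distribution assumed and by sampling noise.
"""
import math
import random
import statistics
from statistics import NormalDist

# Constructed, hypothetical past-loss sample ($M). Not real breach data.
SAMPLE_LOSSES = [3.2, 0.8, 12.5, 1.9, 45.0, 6.1, 2.4, 9.7]


def normal_quantile(data, q=0.99):
    """q-quantile assuming losses are normal: mean + z * sd."""
    mu, sd = statistics.fmean(data), statistics.stdev(data)
    return mu if sd == 0 else NormalDist(mu, sd).inv_cdf(q)


def lognormal_quantile(data, q=0.99):
    """q-quantile assuming log-losses are normal (right-skewed, heavier tail)."""
    logs = [math.log(x) for x in data]
    mu, sd = statistics.fmean(logs), statistics.stdev(logs)
    return math.exp(mu if sd == 0 else NormalDist(mu, sd).inv_cdf(q))


def bootstrap_interval(data, estimator, q=0.99, reps=2000, level=0.90, seed=7):
    """Resample the data with replacement, re-estimate each time, and return the
    central `level` interval of the estimates: a measure of how much the
    tail figure moves purely because the sample is small."""
    rng = random.Random(seed)
    n = len(data)
    estimates = sorted(
        estimator([rng.choice(data) for _ in range(n)], q) for _ in range(reps)
    )
    lo_idx = int((1 - level) / 2 * reps)
    hi_idx = int((1 + level) / 2 * reps) - 1
    return estimates[lo_idx], estimates[hi_idx]


def capital_report(data=SAMPLE_LOSSES, q=0.99):
    """Point estimate and bootstrap range of the q-quantile under each distribution."""
    report = {}
    for name, estimator in (("normal", normal_quantile), ("lognormal", lognormal_quantile)):
        point = estimator(data, q)
        low, high = bootstrap_interval(data, estimator, q)
        report[name] = {"point": point, "low": low, "high": high}
    return report


if __name__ == "__main__":
    for name, r in capital_report().items():
        print(f"{name:>9}: 99th pct {r['point']:7.1f} $M "
              f"(bootstrap 90% range {r['low']:.1f} to {r['high']:.1f})")
```

On this constructed sample the normal fit gives a 99th percentile of roughly $44M while the lognormal fit gives roughly $95M, and the bootstrap ranges around both are wide; the single large observation decides most of the answer. In practice that is the argument for treating a few-point estimate as a placeholder on the risk map rather than as a firm capital number.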