Maya Wellig, head of global risk management at Sunstar, shares her process for quantifying risks and how it improves c-suite engagement

Any risk manager who interacts with a board knows that much of the board’s thinking revolves around financial considerations. Being able to ‘speak their language’ can be key to getting c-suite buy-in.

With that in mind, having a quantitative risk management system is a great way to put dollar prices against potential losses and get the attention of senior management, says Maya Wellig, head of global risk management at Sunstar.


Wellig told the Risk-!n audience that she had little risk management experience when first charged with the head of risk role. In fact, she comes from a financial background – which is what made the quantitative approach so appealing.

“We didn’t want to sit in our ivory tower making lists”

The journey started in 2016, when a risk consultant was brought in to evaluate the threats the organisation was facing. Over a period of two years, that consultant ran risk workshops to identify the business’ main strategic exposures. At that point, the risk function was created, and Wellig was put in charge.

She said: “In 2020, Covid struck. For me, it was a blessing in disguise. Everyone was so busy dealing with the pandemic that I was able to spend a lot of time updating the risk framework and thinking about what we wanted to achieve. From the beginning, our ultimate mission was to actively help the management team manage risks. We didn’t want to sit in our ivory tower making lists.”

Wellig used the time well, looking at the historic risk register and seeing how the company had managed its threats. She found that in January 2017, a risk workshop with all the management identified 43 risks and opportunities. They had ideas for mitigation, but few of these were followed through because no one was looking at risk in a systemic way.

By 2020, ten of these threats had materialised, costing the company millions.

“Losses were many millions in those three years. All of this from foreseeable risk events”

She said: “There were some risks the team had identified which were actually mitigated where losses were minimal… Then there were also some unrecognised risks which occurred and further reduced profits. For that region, losses were many millions in those three years. All of this from foreseeable risk events.”

To try and change the culture and embed risk throughout the organisation, Wellig began her project to assign costs to each of the threats the company faced. She did this by holding risk interviews with senior management teams. Interviewees were asked to rate the risks for potential impact and likelihood and also to identify any new threats to be considered.

Wellig’s team then aggregated the feedback based on all the interviewees’ inputs to arrive at an estimated potential lost profit figure.

The potential impact of the risk was given a score of 1-4, which represented the potential lost profit. The lowest score meant a profit loss of less than 5% while a score of 4 meant more than 20%. The likelihood was scored from 1-6, with 1 representing almost impossible and 6 representing almost certain.

These two scores were then combined with the average profit at each entity, to give an overall quantitative risk value for every risk in the register.

“When we did go to the board, and they asked where the numbers came from – we could say your own managers”

Wellig explained: “The key here for us was when we did these risk estimates we relied on the collective intelligence of that management. They’ve worked there for a long time and they know their business. And then eventually when we did go to the board, and they asked where the numbers came from – we could say ‘your own managers’.”

So far, Wellig has conducted dozens of risk interviews and identified and quantified over 200 threats facing the organisation.

Her next step was to hold risk mitigation workshops, to discuss mitigations for the top 36 risks, which were worth approximately a third of the total risk value.

Working with senior managers, these workshops have agreed on more than 120 actions, which Wellig tracks. One year after each workshop, there is a follow-up meeting with management to quantify the risk reduction. Wellig says she uses three achievement levels:

  • Risk noticeably reduced vs prior assessment (reduction of 25% or more)
  • Activities still in progress: risk partially reduced (12.5% reduction)
  • Risk not reduced (no reduction)

Across the company, the average reduction after one year has been 17% across all risks discussed.

Wellig says: “The one thing management teams tell us is that sitting in a room and proactively discussing the biggest risks we are facing is something we never do, and this is really a great opportunity.

“We have seen a shift in the board and senior management’s perception of us”

“My team is relatively small, so we plan to do this exercise every two to three years. But a lot of the mitigation actions relate to getting the right people in the room and having those discussions [so the dialogue continues].

“We have seen a shift in the board and senior management’s perception of us. All of a sudden, they come to us and say ‘can you help quantify this risk?’ because they’re starting to see the value proposition. But there are some things that they are more reluctant to engage on.

“They hate talking about HR issues, but they know they need to. It helps when you show them numbers and say: ‘This is how much you thought you were going to lose and you lost that and more.’”