Date: 2020-07-29

For many people, the world looks a lot riskier today than it did on New Year's Day.

Introduction

Over the last six months, events have rocked the financial markets and everyday life. For many people, the world today looks a lot riskier than it did on New Year’s Day.

What do we mean by risk? How should we think about risk? What can we do today to better manage risk?

In financial terms, risk is usually defined as the variation between the actual return on an investment and the expected return. I don’t find this very useful.

Instead, the perspective I want to adopt here is a pragmatic and practical one, appropriate to an individual investor, e.g. a typical Seeking Alpha reader. Since financial and personal risk overlap and interact, we will consider both.

Thinking About Risk

What I mean by a risk is a possible future event whose actual occurrence would have a material adverse effect on your personal or financial life. Risk management is the process of understanding these risks, and deciding how to respond.

In general, risk management has four steps: identification, assessment, response planning, and response implementation. It is an iterative and ongoing process.

Risk Identification

Risks can be identified through a thoughtful review of your financial and personal situation, and the external environment. The output of this process is called a risk list; we will look at an example below.

Public companies list significant risks in their annual SEC filings, providing useful examples of the corporate view of risk. For example, the 2019 10-Ks of Bank of America (NYSE:BAC), Intel (NASDAQ:INTC), and Realty Income (NYSE:O), respectively, list 30, 28, and 34 risks. It’s a sobering and instructive read.

Most individuals can practically deal with only a limited number of risks, perhaps a dozen. Discrete risks with different root causes often have common or similar responses and may be usefully aggregated, e.g. cyber risks.

Risk Assessment

Next determine, for each identified risk, the likelihood that the risk event will actually occur, and the impact if it does occur. Ultimately, this assessment reflects your judgement, but you can often find relevant data to anchor that judgement.

Initially likelihood and impact can each be rated subjectively as High, Medium, or Low. However, our real goal is improved risk management. That is going to require enough precision in risk assessment to determine, at least roughly, the actual and relative significance of each risk. That in turn provides a basis for allocating always limited resources (time, attention, dollars) to counter the risks.

A good way to handle this is to define an explicit scale for High, Medium, and Low. The values that you use will reflect your personal and financial situation and risk tolerance; e.g. some people might rate a $25,000 cost as High impact, others might say $300,000.

We will use a likelihood scale where Low is < 10% probability of occurrence, Medium 10-30%, and High > 30%. We also need to specify a time frame to assess probability of occurrence; we will use 10 years.

Similarly, for impact we will use a scale where Low is a cost of < $20K, Medium $20-100K, and High > $100K.

Impact may be a direct cost in dollars or in quality of life. With some thought, a quality of life impact can usually be expressed in dollars, i.e. what you would willingly pay to avoid the adverse quality of life impact.

The risks on your risk list, now graded for likelihood and impact, can now be compared and ranked by severity, where severity = likelihood x impact.

For example, if Risk Event A is the loss of your internet connection for 1 week, and the likelihood is 10%, and the impact is a loss of $5,000 (because your business depends on it), you can say the severity of the risk is $500.

Risk Response

Risk responses are actions intended to reduce the likelihood that the event actually occurs, or to mitigate the impact if it does occur. There is usually a cost (time, attention, dollars) associated with a risk response. Some risk response actions with a significant cost specify a trigger condition, which defines the conditions to actually implement the response.

Let’s look at an everyday example. Many people would identify a serious driving accident as a significant risk event, both financially and personally. In fact, there are about 6 million auto accidents in the US each year, with about 2 million serious injuries and 35 thousand deaths. By our criteria, a driving risk event over a 10-year period would probably be assessed as Low likelihood with Medium or High impact.

Actions to reduce the likelihood of an accident might include driver training, defensive driving behavior, minimizing driving under adverse conditions, not driving while distracted or impaired, and replacing worn tires. The impact, or cost, if an accident does occur, might be mitigated by buying a vehicle with better safety features, routine seat belt use, and buying insurance. Note that some of these risk response actions involve an explicit out-of-pocket cost; for others the cost is in time or attention.

Practical Risk Management

We now have defined enough terminology and concepts to move on to practical risk management.

An initial list of potential risk events, with some potential responses, is shown below (risk; response). We use a 10-year time horizon for both risk identification and assessment. Note that even at this initial stage, it is very useful to state the risk event quantitatively, e.g. “SP 500 declines 40%” is more useful than “stock market down,” because it encourages one to think in more concrete terms.

Premature death with loss of income; life insurance.

Disability with loss of income; disability insurance.

Change in job with > 10% loss of income; backup income source, increase savings.

Restrictions on business operations; relocate, alternate business.

Pension fails or reduces payout; cash out, increase savings.

Assisted living required, 72 person months at $9K/month; increase savings.

SP 500 down > 40%, recovery longer than 3 years; change asset mix, increase savings.

Inflation, 40% drop in value of dollar over 10 years; change asset mix.

State and local taxes increase > 20%; move to lower tax location, downsize property.

Federal taxes increase > 20%; move assets to Roth, increase current gifts to heirs.

My bank or brokerage fails; diversify institutions.

Cyber services unavailable > 7 days – household, ISP, vendor, general internet.

Supply chain disruption for product or services; second source, higher inventory.

Basic services unavailable for > 3 days; preparation.

Natural disaster – hurricane, flood, wildfire, earthquake; preparation, relocate.

We will show what an assessment would look like for a few of these risks. The likelihood scale for L, M, H is < 10%, 10-30%, > 30%. The impact scale for L, M, H is < $20K, $20-100K, > $100K.

ID | Type | Risk Event | Likelihood | Impact
1 | Financial | SP 500 down > 40%, recovery > 3 years | H | H
2 | Financial | Inflation - 40% drop in value of $ over 10 years | M | H
3 | Financial | Financial institution you use fails | L | H
4 | Health | Assisted living required, 72 person months @ $9K/month | M | H
5 | Cyber | Capability unavailable > 7 days: | |
5a | | computer / phone | L | M
5b | | ISP | L | M
5c | | employer, financial institution, critical vendor | M | M
5d | | general Internet | L | H
6 | Supply Chain | Important product or service unavailable, delayed, or significantly increased in price (e.g. medicine, food, spare parts) | H | M
7 | Basic Services | Critical utilities or public services (water, power, transport, public safety) unavailable or disrupted > 3 days | L | H
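The letter grades above can be turned into dollar ranges with severity = likelihood x impact. The following is an added example, not the author's code: it uses the article's scales and the grades from rows 5a-5d, 6 and 7 of the table, treats High impact as open-ended because the article gives it no ceiling, and the function names are illustrative.

```python
# Added example, not the author's code. Bands are the article's scales (10-year horizon).
LIKELIHOOD_PCT = {"L": (0, 10), "M": (10, 30), "H": (30, 100)}
# Dollars. The article sets no ceiling on High impact, so its upper bound is open (None).
IMPACT_USD = {"L": (0, 20_000), "M": (20_000, 100_000), "H": (100_000, None)}

# (id, risk event, likelihood, impact) as graded in the article's assessment table.
RISKS = [
    ("5a", "Computer / phone unavailable > 7 days", "L", "M"),
    ("5b", "ISP unavailable > 7 days", "L", "M"),
    ("5c", "Employer, bank or critical vendor unavailable > 7 days", "M", "M"),
    ("5d", "General Internet unavailable > 7 days", "L", "H"),
    ("6", "Important product or service unavailable", "H", "M"),
    ("7", "Basic services disrupted > 3 days", "L", "H"),
]

def severity(likelihood_pct, impact_usd):
    """Point estimate: severity = likelihood x impact, in dollars."""
    return likelihood_pct * impact_usd / 100

def severity_range(likelihood, impact):
    """(low, high) severity in dollars implied by two letter grades."""
    p_lo, p_hi = LIKELIHOOD_PCT[likelihood]
    i_lo, i_hi = IMPACT_USD[impact]
    high = float("inf") if i_hi is None else severity(p_hi, i_hi)
    return severity(p_lo, i_lo), high

def rank(risks):
    """Highest guaranteed (low-end) severity first; ties broken by the high end."""
    return sorted(risks, key=lambda r: severity_range(r[2], r[3]), reverse=True)

def grades_overlap(a, b):
    """True if two (likelihood, impact) grade pairs cannot be ordered by grade alone."""
    (a_lo, a_hi), (b_lo, b_hi) = severity_range(*a), severity_range(*b)
    return a_lo < b_hi and b_lo < a_hi

if __name__ == "__main__":
    for rid, event, lik, imp in rank(RISKS):
        lo, hi = severity_range(lik, imp)
        print(f"{rid:>2} {lik}/{imp} ${lo:>8,.0f} to ${hi:>10,.0f}  {event}")
```

The L/M and M/M ranges overlap ($0 to $10,000 versus $2,000 to $30,000), which is why letter grades alone cannot settle the relative ranking and a point estimate within each band is needed.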

It may be difficult to assign a dollar value to some risk events, for example loss of internet access for 2 weeks after a hurricane, where much of the impact might be on quality of life.

Inability to stream TV shows for two weeks is one thing, losing the convenience of ordering groceries online is another, and being unable to operate your work-from-home business is yet another. One way to think about that is to ask what you would pay to have avoided those impacts.

Note that some response actions may reduce the likelihood or impact for multiple risks. Look for those "two birds with one stone" opportunities.

For the purposes of this article, we are going to discuss in more detail the risk and response for cyber risk.

Cyber Risk

The risk scenario here is the loss of routine financial and quality of life functionality for a period of time. As both business and personal activities become increasingly dependent on always-on Internet access, the impact of an interruption to this access increases.

We identify four tiers of risk events: those affecting your household, your Internet Service Provider (ISP), an important vendor or financial institution, and the general Internet. Household here includes both personal and work-from-home activities.

Bank of America’s 2019 10-K identifies its cyber risk. Part of its assessment is excerpted below:

We, our employees and customers, regulators and other third parties are regularly the target of cyber attacks and are likely to continue to be the target of cyber attacks. These cyber attacks are pervasive and evolving and include computer viruses, malicious or destructive code (such as ransomware), phishing attacks, denial of service or information or other security breach tactics that could result in the unauthorized release, gathering, monitoring, misuse, loss or destruction or theft of confidential, proprietary and other information, including intellectual property, of ours, our employees, our customers or of third parties, damages to systems, or otherwise material disruption to our or our customers’ or other third parties’ network access or business operations, both domestically and internationally.

Risk response actions at the household level may both reduce likelihood and mitigate impact:

Use a surge protector, ~ $50

Use an Uninterruptible Power Supply (UPS), ~ $100

Promptly install operating system and application software updates (security patches)

Automate routine backups to the cloud or external media

Periodically back up important information to removable media, ~ $50

Store removable media backups of critical information offsite, ~ $50

Consider paper copies of critical information

Use unique passwords for all financial accounts, and change them at least annually

Use two-factor authentication where available

Lock credit reports (Equifax, Experian, TransUnion)

Consider maintaining a backup computer or other device

There is probably little you can do to reduce the likelihood of a risk event with your ISP, a critical company, or the general Internet. But there are actions you can take to mitigate the impact:

Identify and implement a backup ISP, or hotspot.

Keep enough emergency cash at home to pay for at least 2 weeks of critical needs (groceries, gas, etc.).

Maintain two or perhaps three separate credit cards, split between Visa (NYSE:V) and Mastercard (NYSE:MA).

Maintain an emergency funds account at a bank or credit union different from the primary bank you use for everyday financial activities.

Split financial assets between two or three fiduciaries (e.g. Fidelity, Vanguard, Schwab).

Maintain a hardcopy list of critical contacts and phone numbers.

Conclusion

Thoughtful and systematic risk management will enable you to identify important risks and take proactive steps to reduce the likelihood of occurrence and/or mitigate the impact. Many risk response actions are relatively low-cost.

One of the most valuable results of doing this analysis is that it will increase your situational awareness, and make it easier to routinely notice items that impact your risk profile.

Successful risk management can reduce both financial and quality of life loss.

Finally, there may be investment opportunities - for example, in cyber security - that are worth investigating.

Disclosure: I/we have no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours. I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.