Risk Evaluation of Strategic Indicators

Corporate management increasingly demands strategic decision support and the use of scientific tools and methods of modelling uncertainties, thus creating a connection between decisions and their expected outcomes. To put it differently, corporations want to bear the risk of their decisions consciously in order to maximise their profits. For this reason, risk analysis and risk management are highly topical issues in corporate practice. The literature of risk management introduces many different tools and methods to carry out risk analysis. However, as we studied the available sources we found that they were difficult to apply, as they were described in a language too difficult for practicing professionals to understand, and illustrative examples were rarely used. In other words, the methods recommended in specialised literature are generally not user-friendly. Rather than providing a scientific classification of the methods offered in professional literature or proposing their enhancement, the primary aim of this paper is to put forward a theoretically well-based risk analysis approach that is easy to use in corporate practice. This method will be discussed in the next section. Before explaining the detailed methodology, however, we feel it essential to define shortly the concept of risk management in order to facilitate a better understanding of the topic. One of the essential features during a decisionmaking process is the existence of uncertainties. Uncertainty means that the probability of occurrence of a given future event and its consequences are not known exactly. Risk usually means the particular negative or positive consequences while the occurrence itself is uncertain, but its probability can be calculated or estimated (Görög 2008). In order to assess the risk, different risk sources and events should be first identified. According to Hillson’s approach, risk usually refersto uncertain events that may have negative or positive outcomes (Hillson 2002). The inherent level of a particular risk is determined by the likelihood and magnitude of associated events (Hopkin 2012).


INTRODUCTION
Corporate management increasingly demands strategic decision support and the use of scientific tools and methods of modelling uncertainties, thus creating a connection between decisions and their expected outcomes.To put it differently, corporations want to bear the risk of their decisions consciously in order to maximise their profits.For this reason, risk analysis and risk management are highly topical issues in corporate practice.
The literature of risk management introduces many different tools and methods to carry out risk analysis.However, as we studied the available sources we found that they were difficult to apply, as they were described in a language too difficult for practicing professionals to understand, and illustrative examples were rarely used.In other words, the methods recommended in specialised literature are generally not user-friendly.Rather than providing a scientific classification of the methods offered in professional literature or proposing their enhancement, the primary aim of this paper is to put forward a theoretically well-based risk analysis approach that is easy to use in corporate practice.This method will be discussed in the next section.
Before explaining the detailed methodology, however, we feel it essential to define shortly the concept of risk management in order to facilitate a better understanding of the topic.
One of the essential features during a decisionmaking process is the existence of uncertainties.Uncertainty means that the probability of occurrence of a given future event and its consequences are not known exactly.Risk usually means the particular negative or positive consequences while the occurrence itself is uncertain, but its probability can be calculated or estimated (Görög 2008).In order to assess the risk, different risk sources and events should be first identified.
According to Hillson's approach, risk usually refersto uncertain events that may have negative or positive outcomes (Hillson 2002).The inherent level of a particular risk is determined by the likelihood and magnitude of associated events (Hopkin 2012).

DECISIONS
In this section the different approaches how to identify, analyse, evaluate and treat the risks will be highlighted.

Interpretation of risk management
It is interesting to investigate how risk analysis and response work in practice if there are insufficient historical data available.In the risk management literature a number of methods can be found that are suitable for risk assessment.Most of them can only be used if there are historical data available, as they rely on statistical analysis to assess risks (see e.g.Jorion 1997).If someonewould like to calculate exchange rate or interest rate risk exposure, for example, these statistical methods can be used if daily databases are available.But what is the situation if somebody would like to assess risks having an impact on the strategic goals of the company where he or she is working?An example could be to select the best strategic alternative by evaluating the yield/risk ratio for each alternative.In this case, there is rarely a daily database to use for assessing most risks.Of course, the probability of occurrence and impact of these risks should always be assessed (estimated) in a reliable manner.
There are also different approaches available to assess risks.These can be divided into two main categories: qualitative and quantitative methods.Qualitative methods are easy to use in practice, but reliability may not possible to ensure.Quantitative methods may ensure the reliability of analysis, but usage of them requires a large amount of historical data.
It seems an obvious suggestion to produce input data for quantitative methods (e.g.Monte-Carlo Simulation) by using the many years' experience of participants attending aworkshop to ensure reliable risk assessment.Of course, a special methodology is necessary for this, but it is worth to apply.The method presented below has been used in more than 50 different applications to date.The aim of this paper is to summarise the main steps of this method and to show how to use it in practice.
Risk management covers a systematic process of identifying, analysing, evaluating, responding to and controlling risk (Cooper & Chapman 1987;Chapman and Ward 2003), (PMI 2008).The risk management process for these steps is shown in Figure 1.The specialities of the process will be briefly summarised below even for a situation wherehistorical data are missing or inappropriate.

Identification of risk sources and events
The first task is to identify risk sources/ events in a structured form.Several techniques have been proposed for professionals to identify risk sources/events (Loosemore et al. 2006;Ohtaka & Fukuzawa 2010).
For the method in question, brainstorming is needed for executing the task.Workshops lasting a few hours or even days, depending on the nature of the task, can also be helpful.The composition of participants is important, since the results are influenced to a great extent by the presence or absence of experts having relevant knowledge.
In case of inappropriate historical data a pre-made database can be helpful to enhance the identification of risk factors (de Bakker et al. 2010;Bannerman 2008).This database can be customised according to the needs of particular organisations.There are different lists for this available in the risk management literature (see for example Summer 2000; Hartman & Ashari 2002;Chow & Cao 2008;Lind & Culler 2011).

Quantitative risk assessment
Identification of risk sources and events is followed by the step of quantifying the probability of their occurrence and impact.This paper focuses on how to use the developed methodfor defining input parameters of the Monte-Carlo simulation (Hertz 1964).
The first task is to delineate the scope of the analysis and to define the elements of the analysis target values.The next step is to identify and assign potential risk sources and events to each elementof analysis.The identification is done by experts at a workshop.
After the identification is completed, a maximum of four different scenarios (Watchorn 2007) will be assigned to each identified risk source and event.The next task is to estimate the subjective probability of occurrence and impact of each scenario.This is done by experts at theworkshop using their many years of experience.It is important to note that the sum of the subjective probability of occurrence of the maximum four scenarios cannot exceed 100%.
Following that, the existence of interrelation (if any) among the different risk sources and events must be assigned to one cash-flow element (Hunyadi et al. 1993).If found, its direction and intensity must also be investigated.(Thedirection is positive if an increase in one variable's value can cause another variable's value to increase and negative if a decrease in one variable's value can cause another variable's value to increase.The intensity can be measured by a correlation factor between -1 and 1 (Hunyadi at al. 1993)).To answer this question, experts' estimation should be used.Empirical experience shows that it can be assumed that the value of the correlation measuring the intensity between two probability variables can be maximum ±0.6 in the case of strongest intensity.So the experts attending the workshop only have to decide whether the intensity between two variables is strong, medium or weak using their experience.In this way they can estimate the value of correlations ranging from -0.6 to 0.6.Of course, it is not possible to calculate exact correlation values in this way.But it should be remembered that in this case there are insufficient historical data available to usestatistical methods for this task.
The next task is calculation of the expected value and standard deviation of eachelement using the results of the scenario analysis.These will be the input data for the Monte-Carlo Simulation.The expected value and standard deviation can be used for selecting critical risk sources and events as well.Inour understanding not every risk should be treated, anyway.This is because the cost of treatment can be higher than the cost incurred from the occurrence of the risk.To ensure the best efficiency of treatment activity it is vital to select the critical risks which should be treated in any way.To do this, a special rule can be used.According to this rule, a risk is critical if the value of relative deviation (ratio of standard deviation/expected value)is higher than a predefined threshold value.There has beenno exact equation to calculate the limit of any threshold value so far.It can only be defined by using the experience of a risk analyst.In thispaper we will show how to define the threshold values with regard to acase study.
If historical data are missing or inappropriate, the way suggested above can help to increase the chance of selecting the best suited probability distribution curve, mean value, and standard deviation belonging to it.This is the reason forperforming a scenario analysis first and running Monte-Carlo Simulation only after finishing the scenario analysis.
Selection of dependent probability variables is the next task.The change invalue of an independent probability variable can cause the change of value of a dependent variable.When all input data are at our disposal, Monte-Carlo Simulation is ready to run.Once the predefined number of iterations has been reached, the probability distribution of net present value with all characteristic statistical values (mean value, standard deviation, range, etc.) can be produced.The probability distribution can also contain the target value, so it is possible to compare the results of calculation before and after risk analysis.This is done with the support of any computer program for risk analysis found on the market (e.g.Oracle Crystal Ball, Palisade @Risk or Szigma Integrisk).

Steps of risk evaluation
Risk evaluation requirescreating a high-level network diagram, including: • the exact definition of activities, • definition of the duration of activities, • logical relationships between activities and • detailed resource and budget allocation (Grey 1995).These data are the target values (values before risk analysis).Each project activity will work as independent probability variables during the Monte Carlo Simulation.
The next step is to identify and assign potential risk sources and events that can have an impact on the duration and/or cost of every single activity (dependent probability variables) originally calculated.When identification is completed, the probability of occurrence and impact of each risk source/event will be estimated by scenario analysis as above (Cleden 2009).The interrelation among risk events and independent probability variables (duration and/or cost) should be analysed (Nakatsu & Iacovou 2009).
Thisis followed by selecting the probability distribution of the duration/cost of each activity with the use of the results of scenario analysis.In practice, the most frequently occurring distributions are the beta, gamma, triangle, lognormal, and normal distributions (Evans et al. 1993).After this, the parameters (expected value, standard deviation) characteristic of the given distribution should be calculated.The value of the probability of occurrence of activities after junctions in the network diagram should be estimated.It is important to keep in mind that the sum cannot exceed 100% (Grey 1995).
When all input data are available, the simulation process can be started.The length of the critical path and/or total cost of the project are calculated from a large amount of random data obtained from each probability distribution of the duration/cost of every single activity.This can be accomplished by any risk analysisprograms listed above.After reaching the predefined number of iterations, the probability distribution of the critical path and/or total project cost can be produced (Grey 1995).

Response to the risks
The risk management process has to formulate and execute risk response actions for critical risk sources and events selected previously.Risk response could have the aim of avoiding, sharing, transferring or accepting a risk by means of defining a risk response programme (Harris2009).It is important to consider the following aspects whenformulating a risk response programme: • The elements should have a quick-win characteristic, i.e. should be applicable quickly and at a reasonable cost.Reasonable costs mean lower cost than in case of occurrence of the risk event.
• Risk response actions should be measurable during actualisation.In case of an investment project it may be possible to increase the chance to finish the project on time and within the budget or to ensure the targeted project return.In other words, the execution of suggested risk response actions shouldmove the measured value closer to the target value (value before risk analysis).
It is important to assign a risk owner tothe proposed actions.A risk owner is a person or an organisation that is responsible for responding to a risk.Now we will present different risk response actions (Balaton et al. 2005): Risk avoidance -basically thiscovers those actions that are aimed atavoiding the occurrence.It is used when risk sources/events often occur and the likely impact is high (Pataki& Tatai 2008).An example of this could be the integration of check points, including internal regulation.Risk mitigation -this could be aimed at minimising the probability of risk occurrence by preventing the risk from occurring.A good example can be lobbying in order to influence lawmakers.Another approach is for the companyto prepare different actions in order to influence the impact, in many cases to increase the impact of positive risk events.A good exampleis business continuity planning.Transferring or sharing risks -thismeans finding a partner who consciously or unknowingly assumes at a certain pricelosses generated from potential dysfunctions.A typical case of risk transfer is insurance, but hiring an external contributor to implement a project could also be an example (Görög 2008).Risk acceptance -In this case, the risk cannot be avoided or transferred, or the likely impact is out of proportion with the costs of responding to it.This implies that management bears the magnitude of the risk consciously.

Risk controlling
The final step of the risk management process is performing risk control that covers updating the dataset, follow-up actions, and plan-fact analysis.
Risk management should be considered as a snapshot at a given moment.But it could happen that the kind of information that basically influences the results of analysis is found the next day.In this case, it is worth redoing the whole exercise.Of course, now the analysis can be done quickly, since it only consists of the transfer of the results from recording and assessing the new risk arising from new information.It could change the list of critical events that could modify the risk response actions.
The second element of control activity is following the risk execution program, which is based on risk response proposals.This could be considered as classical control activity and in the course of this the following tasks should be solved: overview of the situation, impact analysis, modifications based on impact analysis, ordering and publishing the modifications and the execution of modifications.
The third component of control is performing a planfact analysis after finishing the execution of the risk response actions.The aim of the analysis is to compare the post-program status with the pre-program status.The planfact analysis means an input for cost-benefit analysis (Rédey 2012), which can measure the effectiveness and efficiency of the risk management activity.

RISK EVALUATION IN THE CASE OF STRATEGIC INDICATORS
The University of Miskolc has prepared and approved an Institutional Development Plan that includes the strategic goals and the related performance indicators (in harmony with the Balanced Scorecard -BSC indicators) annually for a five-year period.Achieving the target values of the five-year period may be influenced by various strategic risks, positively or negatively.It is essential for the university to identify and understand the risks that may have any effect on these indicators.Based on the identified risks, strategic actions can be developed and performed in order to control the operation in accordance with the set objectives.It should be noted that the challenge is not a single intervention; continuous (regular) control is necessary.The process is summarised in Figure 2.

Figure2. Strategic control process Source: created by the authors
The details of risk evaluation are presented in Figure 3.

Figure 3. Process of risk analysis of strategic indicators Source: created by the authors
The content of the risk analysis process using the methodology in the previous sectionis as follows.A presumption is that the strategic indicators are available.
The initial step is to organise the indicators into homogeneous groups.The aim of grouping is to find the strategic issues that may be influenced by similar risk factors.Homogenous groups must be the results ofteamwork.The experts of the university perform a workshop that allows the proper teamwork.In the beginning external experts were involved in order to learn the methodology and keep focus on the content.Of course, the list of indicators in a group is not set in stone, the relevant strategic indicators may be changed.Review of the groups must be performed by the internal experts regularly, at least annually.
The next step is to designate the risk factors of the strategic indicators within each group.There are various sources that can be used for supporting the assignments.In addition to expert estimation, historical data and literature sources shouldbe taken into consideration.Establishing a comprehensive risk database will significantly increase the effectiveness of this step.Proper designation of risks factor is essential because the probability and the impact can only be assessedproperlyin this way.If a risk factor is assigned to more than one strategic indicator, it must be evaluated separately by each indicator because the impacts may be different.Table 1 shows an example of assignment.

Risk factor Description of the risk factor
Rate of students admitted to the University of Miskolc compared to all students gaining admission in the recruitment process of the given academic year Legal policy changes / Changes in government funding quota Changes in the government funding quota will influence the number of students admitted to the University of Miskolc compared to all students admitted in the country.Natural sciences and engineering studies have a higher quota, while the quota of law and economic studies is reduced.Minimum limits of admission scores may be changed.

University's reputation
Improving the university's reputation may attract potential students, so this can influence the number of applications (Rate of students admitted to the University of Miskolc compared to all students gaining admission in the recruitment process of the given academic year) The task of risk factor evaluation is supported by a scenario analysis performed in a workshop.The experts of the University of Miskolc reviewed the factors one by one.Possible impacts are summarised in the description of the risk factor based on the methodology described above.It must be noted that there is a simplification in the process: interaction between the risk factors is out of scope.It is hypothesised that the risk factors are independent from each other.We know that this is not always true, but the lack of historical data does not allow an estimation of interrelations with an acceptable level of reliability.The high failure ratio of the estimation does not help the proper evaluation but needs huge efforts.Table 2 shows an example of scenario analysis.2.

Increasing demand for bachelor courses 15 5
There is a competition for places in technical faculties, especially the Faculty of Mechanical Engineering and Informatics,alsoin the Faculty of Economics.Demand for courses of the Faculty of Law is influenced by the distracting effect of the University of Debrecen.Health care courses havea competition for places as well.Based on the data of felvi.huapprox.50−60% of these applications are firstplace applications, so this tendency may further increase.

3.
Reduced demand for bachelor courses

-5
Based on the forecasts there is a low probability of decreasing demand for the bachelor courses.There is a decline to be seen in the number of applicants in comparison between the years 2011 (8,003) and 2014 (4,937), especially in the number of applicants with government funding (from 2,149 to 1,899), so a general decline may be indicated if the number of fee-paying students will not compensate.
Calculating expected values and standard deviation based on the results of scenario analysis allows to find the risks being treated.Changes in the government funding quota will influence the number of students admitted to the University of Miskolc compared to all students admitted in the country.Natural sciences and engineering studies have a higher quota, while the quota of law and economic studies is reduced.Minimum limits of admission scores may be changed.
23.5 25.70 After making the scenario analysis the experts chose the risk factors which are critical to manage in order to achieve the university's strategic goals through meeting the target values of strategic indicators.The methodology requires defining tolerances for the expected values and dispersions calculated during the scenario analysis.Critical risk factors mustbe managed.A risk factor is considered to be critical if it exceeds any of these tolerances.The university experts use a tolerance limit 10% for the expected value and 200% for the relative deviation (standard deviation divided by the expected value of difference).Table 4 shows examples of critical risk factors.

Critical risk factor Description of the risk factor
Rate of students admitted to the University of Miskolc compared to all students gaining admission in the recruitment process of the given academic year Legal policy changes / Changes in government funding quota Changes in the government funding quota will influence the number of students admitted to the University of Miskolc compared to all students admitted in the country.
Natural sciences and engineering studies have a higher quota, while the quota of law and economic studies is reduced.Minimum limits of admission scores may be changed.

University's reputation
Improving the university's reputation may attractpotential students, so this can influence the number of applications.
(Rate of students admitted to the University of Miskolc compared to all students gaining admission in the recruitment process of the given academic year.) The next step of risk evaluation is elaboration of (strategic) risk management actions.Besides the description of the actions, this shouldinclude both the implementation deadline and the designation of the individual responsibilities.Planning of actions is also performed as a part of the risk management workshop.A proposed risk management action is shown in Table 5.In addition tothe numerical analysis and the content of the tables above, an evaluation summary is needed that explains the main results and the relationship between the particularparts and figures.An important goal of this task is the consolidation of the critical risks.In practice, consolidation means the determination of core risk factors, i.e. risk factors that are different from each other in content.A prerequisite for being a core risk factor is that it is assigned to at leastone strategic indicator by the university experts.Consolidation shouldalso: • summarise the risk factors byflagging the indicators theyare assigned to, • flag the critical risk factors by strategic indicators.
Eventually, the flagging designates the risks that must be managed.Table 6 shows an example of a consolidated list.It is necessary to consolidate the risk management action based on the consolidation of risk factors.The results shall consider the suggestions (strategic risk management action plans) of the university experts.The output of consolidation is a report for decision makers that includes in a comprehensive way the followings (an example is shown in Table 7):

Table 6 Consolidated list of critical risk factors
• consolidated risk management actions, • personal and/or department level responsibilities, • expected deadlines for performing the actions.
Results of consolidation should be uploaded to the databases of the university'sinformation management system.As a result of scenario analysis, annual information is available about the expected values and standard deviation of difference from target values of strategic indicators.This is followed by a comprehensive evaluation of each risk factor, including the calculation of a total deviation from the target values.These will allow us to calculate adjusted target values of the strategic indicators.Target values before the risk analysis process shouldbe adjusted by the calculated risk characteristics (expected values and standard deviation).Ultimately, the adjusted target values show the deviance from the institutional development plan.Higher differences in the values show the higher importance of risk management actions in order to enhance the possibility of achieving the original target value.Adjusted target values should also be uploaded to the databases of the university's management information system.

CONCLUSIONS
Systematic risk management supports institutional decision making.The systematic approach requires both a clear methodology of calculations and a proper workflow adapted to the organisational characteristics.The paper summarises the solution of the University of Miskolc.The main experiences and conclusions based on the pilot run of the system are the following: • Establishing risk identification and analysis as a supporting tool of strategic planning helps to understand the influencing factors of strategic objectives and to work out proper actions in order to increase the chance of fulfilling these objectives.• Realisation of the expected benefits is only achievable by performing the risk management actions, so attention must be given to assigning granting proper authorityand responsibilities.• It is important to upload the results to the databases of the management information system that require the necessary integration development actions (including changes in regulations and technicalprogramming development).• Deep and intensive risk analysis makes the updating processes within the planning periodeasier.Due to the continuous changes in internal and external environment of the university it is necessary the modelling of the influencing factors that is easier in case of the proper initial analysis.• Detailed justification and (if achievable) data support forthe results of risk analysis enhances itscreditability and acceptance.The pilot evaluation is being carried out as a part of the TÁMOP-4.1.1.C-12/1/KONV-2012-0001 project.Long-term utilisation requires the organisational integration of the process and the methodological elements, including harmonisation with the management information system and an up to date risk management regulation.Furthermore, decision makers must recognise the benefits and accept the results.
A further challenge insystem development is improving the accuracy of the expert estimation.We plan to carry out action research about further strategic influencing factors of the strategic position of the University of Miskolc.Including more factors in the risk analysis will allow us to draw up a more sophisticated map of risks and to evaluate the expected effects of the factors in a more detailed way.Our goal is to build up a structure of factors that is ready for running a Monte-Carlo simulation, which could give more accurate results.

Figure 1 .
Figure 1.The suggested risk management process Source: created by István Fekete studying inagiven course at the University of Miskolc compared to studentsinthe course nationwide Changes in the number of partners involved in practical education Utilisation of R&D&I infrastructure Level of R&D&I orders Number of PhD students Number of Hungarianand international publications and the ratio of them compared to the number of employees in education/research jobs Number of scientific publications and four-year target values of increment by institutional (faculty) level Number of Hungarianand international monographs and professional books and the ratio of them compared to the number of employees in education/research jobs

Table 2
Example of scenario analysis Table 3 summarises a sample result.

Table 3
Sample results of scenario analysis

Table 5 A
proposed (strategic) risk management action

Table 7 Consolidated risk management action Risk management action Indicator / risk factor Person in charge Deadline
Table 8 shows examples of adjusted target values.

Table 8
Strategic target values adjusted by the results of risk analysis