I have a love/hate relationship with iTunes. I love the abilityto download a wide variety of single songs, but it annoys me that Icannot play my iTunes music library on a player other than an iPod,or transfer album purchases easily between computers. Still, whileI have peeked into Pandora Radio's box, and flirted with othersites, I keep coming back to iTunes because I love the way itorganizes and analyzes digital music.

iTunes Essentials contains groupings of music byperformer. Dozens of songs in each artist's catalog are all listedin order of their importance, prioritized in three sections,starting with the artist's most well-known songs: The Basics (thebiggest, best and most important songs), Next Steps (usuallycomposed of popular songs just beyond the hits) and in some cases,Deep Cuts (under-appreciated songs.)

Such categorization is also helpful to organize and illustratethe complex measurements involved in risk assessment, the processof gathering and analyzing risk information, and ranking risks bytheir importance or impact. This is the "second step" of enterpriserisk management (ERM), as described in my May 25 blog, Enterprise Risk Management – The Five Course Meal. Byaggregating standard risk metric data consistently through thecompanies, participants are able to analyze and illustrate riskcontrol and assessments across whole organizations.

ReadMore Risk Management Insights From Denise Tessier

Risk can be measured or evaluated in many ways, from multipleperspectives, and with varying degrees of detail. Often companiesstart to look at risks at a very basic level, with simplemeasurement standards. Over time, as their ERM program evolves,companies may become more sophisticated in how and why they reviewrisk. While there are no universal metrics, the following ERM"essentials" describe some of the major metrics or standards usedto sort and organize a risk library.

"The Basics": Frequency and Severity

Risk assessment has two platinum hits: frequency and severity.Frequency is the likelihood of a risk occurring, and risks arefirst usually classified on a scale from very unlikely to veryprobable. Severity, or magnitude, measures the impact of the riskshould it occur, or the consequence. Severity is also measured on acontinuum of potential loss, from insignificant or immaterial, toextreme—something that is "company busting." The degree ofpotential loss can be further broken down into "subset" views ofaverage loss, maximum possible versus probable loss, plus minimumpossible and probable loss. These breakdowns are the basic feedsfor many models used to analyze and rank the importance ofrisks.

The exact categorizations or labels of such metrics can begrouped either on a numerical scale, such as "1 through 5" or"$100M to $10B." Or it can be phrased as on a qualitative basis,with a descriptive phrase range, such as "highly unlikely,extremely likely," or "low impact, maximum impact." The exactwording of metric range will vary by company preference, and maydepend on the risk being measured. For example, credit or liquidityrisk may lend itself more easily to a numerical or dollar impactscale.

Together, frequency and severity are used to sort identifiedrisks. Various methods have been developed to help classify risksaccording to their seriousness, but the most common method is todevelop a two-dimensioned graph or matrix that classifies risksinto categories based on the combined effects of their frequencyand severity. Minor risks that do not require further managementattention are set aside or "back-burnered." Significant risks arepushed up in the queue for in-depth management attention or moreanalysis. In many companies, the process of classifying risks inmatrix form will ultimately yield a new combination of risks, shownby importance. Commonly, a prioritization is depicted in a list orreport form, often color-coded, such as "high" (red), "moderate"(yellow), or "low" (green). 

"Next Steps"

The "B-side" metrics, beyond the popular frequency and severitycuts, are several other common measurements or scales that can beapplied to a variety of risks, whether operational, claims,underwriting, marketing, credit, etc. These include:

Velocity – How fast will something take tohappen? Will it take minutes, days, weeks, hours or years for arisk to develop and become a problem or issue? Sometimes velocityof development can be controlled for a potential loss, and actionstaken to divert or delay full progress of a course of action,affecting its priority and urgency in a ranking process.

Duration – How long will losses last, when theyhave occurred? Considerations of duration may also impactimportance. For example, a long period of business interruption mayhave significant lasting reputational effects greater than thesudden, large cost of the destruction of a building. Mitigation orresponse efforts to the risk of a building fire may weigh moreheavily to reopening the business in an alternate location than togetting the actual building fixed immediately.

Causation – Is this a risk that will havelosses with a common cause, or something that will occur because ofa one-off, unpredictable and uncontrollable cause? For example,auto accidents may occur frequently, and insurers may be able topredict auto loss ratios fairly accurately. However, since theaccidents don't have a common cause, companies may not have thecontrol to mitigate losses very much. Other risks, like workplaceinjuries or employee theft, may occur more infrequently but mayhave a common cause such as lack of safety or security equipment oradequate training, which can be better addressed. Drilling downfrequency measurements further by commonality of cause can behelpful in prioritizing where to assign resources.

"Deep Cuts"

Some metrics qualify as "deep cuts," more appreciated byactuaries or ERM experts, useful in modeling, but not necessarilywidely known by the general public.

Volatility or Confidence – A "measurement ofthe measurements" looks at how confident the company is in itsestimate of a metric like frequency or severity. Is the metricitself based on a large quantity of solid historical data, whichwould increase its reliability? Or is it a rare occurrence whereactual consequences could vary widely from ERM estimates?

Correlation or "Inter-Connectivity" – Thismetric is used to determine how much a risk in one operational areaor department affects other risk areas. For example, underwritingloss or risk may go hand-in-hand with credit or liquidity risk.Marketing errors can affect both short-term sales and long-termreputation. Risks with a high correlation to other risks—those witha back-up band—may receive more attention in the ERM process thansolo risks. 

"Genius" & "Ping": AdvancedTechnologies

The advanced technology of iTunes' "Genius" program turns asimple library into a jukebox. It enables me to combine artists andalbums into new playlists, and generates recommendations forsimilar music. It even predicts what my appetite will be for newbands, based on a complex database of metrics and analytics codedfor each of my saved songs. Further, iTunes "Ping" is a socialnetwork service where users share in what their favorite artistsare listening to, and follow news and trends in real time. Geniusand Ping expand listening options exponentially.

ERM IT systems now play a similar role. ERM systems not onlysynch, copy, and archive data about specific risks, but they alsoplay risk metrics in a new way, combining two or more metrics toimprove the ranking process. Additionally, they provide managementreports and dashboards, artfully covering the complete set of acompany's risk. As a company grows and develops its ERM program,management and staff need to share risk assessment information andconstantly update their metrics, "real time," beyond just a staticspreadsheet file. ERM technology expands analysis optionsexponentially.

In sum, Steve Jobs knew that iTunes would change the way people"heard the world," quoted in Fortune in 2003 as saying,"It will go down in history as a turning point for the musicindustry. This is landmark stuff. I can't overestimate it!"Similarly, ERM has changed the way companies view the world, andimplementing ERM as an everyday business discipline has been aturning point for the financial services industry. Managing ERMmetrics through a dynamic library system can help companies assessand control future losses.