AN IMPORTANT SHIFT IN perspective is that of looking at the risk in aggregate performance as opposed to individual risk exposures. In the previous chapters we have taken the view that it is desirable to understand the risk that critical thresholds of performance are breached. This perspective means that we have to think about how the various risk exposures combine to create variability in the firm's performance, and how far we currently are from these thresholds. What is called for is a framework capable of showing the firm's performance in relation to the critical thresholds under a multitude of different scenarios. Once in place, management can use such a framework for a proactive risk assessment of various corporate policies.

It is at this conjuncture that most enterprise risk management (ERM) programmes fall short. The risk register, the key output of such programmes, actually has not been designed to produce answers regarding the firm's aggregate risk. Questions like ‘What is the risk of the firm as a whole?’ cannot be answered by the register. As we shall see, mending the risk register for this purpose is not realistic either. Despite bringing so many risks under the corporate umbrella, it remains primarily a tool for focusing attention on the firm's main risks, a centrepiece of its risk governance.

To make progress on aggregate risk, we need to change tack altogether. We need an approach that is specifically designed to deal with risk aggregation. ...