Risk Indicator Roundup

Recall that Value at Risk (VaR) measures the worst-case scenario in an uncertain return by telling us the endpoint beyond which our losses will likely not go, up to a certain degree of confidence, in a definite period of time. Thus a daily 1% VaR of $10 million means the probability that you will lose more than $10 million is 1%, which is the same as saying that you are 99% confident that the losses will not exceed $10 million.

While the VaR gives a worst-case scenario with a certain confidence, what if that confidence is broken, i.e., the VaR is breached? What can we expect? That’s precisely the tail value at risk tries to answer. By using the expected value of a conditional probability, it gives us, in a single number, what would be expected if a worst-case scenario occurs.

There is no better way than this plot by Nematrian to summarize both VaR and tVaR.

This is a relatively new one. Remember we discussed Return on Control (ROC) to decide whether investing in a given defense is worth the hassle?

The change in loss was obtained from two simulated scenarios: one with the control and another without it. Both were obtained by "averaging out", i.e. finding the expected value of a simulated distribution for the loss.

The Annualized Loss Expectancy (ALE) is related to such a computation in that it is also obtained from a couple of expected, estimated values. These estimated values are the expected number of occurrences of an event in a year (the Annualized Rate of Occurrence, ARO), and the expected loss for a single occurrence (Single Loss Expectancy, SLE). Thus, total = reps x single. Too many acronyms for too little content:

Experts can estimate the ARO. Suppose it is known that a data breach will most likely occur at least once in 10 years. The ARO for such an event is 1/10 = 0.1 events per year. The SLE is to be estimated by your own experts. How much would such a breach cost you? Say, $100 million. Then the loss expected in every one of those years is 0.1x100 = $10 million. However, this rate will be fixed for each of the next ten years. It is static and unlikely to be true since risks and threats change daily.

The loss exceedance curve is a decidedly different one, and one of our favorites at that. We have already discussed it at length in our introduction to quantitative risk, our general Monte Carlo simulation article, and gave an example of implementing in Quantitative Python. In a nutshell, it’s a graph that tells you the probability of losing a given amount or more of money, for any amount in a range. It’s like having all possible values-at-risk for all confidence levels. We believe the graph speaks for itself.

Overall, single number risk indicators (ALE, VaR and tVaR) are good for making quick comparisons and monitoring them over time. In contrast, the LEC might allow you to make a more fine-grained decision regarding how much risk you are willing to take vs. how much you would have to lose in many different scenarios, all in a single chart.

For ease of use, we’d say ALE is the winner. However, we wouldn’t expect its predictions to be the most accurate of the lot. Also, its time period (one year) might be too much for the fast-paced market we currently live in. If you have to choose one single-number indicator, we would recommend using VaR, which international banking regulations (Basel II) use, since the tVaR might be a tad too extreme.