THESYS: assessing risk to govern it

The concept of ‘country risk’, which mostly results from the international debt crisis of the 1980s, has long had a mainly economic and financial implication. It is no coincidence that, despite the lack of an unambiguous definition of country risk, the one given by American economist Duncan Meldrum in 2000 is still one of the most widely used.

According to Meldrum, the expression country risk refers to the set of risks that you do not incur if transactions are made in a domestic market, but that arise when an investment is made in a foreign country. Such risks are mainly linked to the political, economic and social differences between the investor’s country of origin and the country in which the investment is made.

‘Country risk’ can be broken down into two main components: transfer risk or sovereign risk (depending on whether the counterparty is a private or a public entity) and local risk factors. In addition to natural disasters (likely to compromise a country’s productive capacity), risk factors include those arising from socio-political phenomena, such as: protests, political and institutional instability, independence movements, armed insurgency groups, terrorism and crime.

On closer inspection, we are dealing with phenomena that increasingly also affect areas that are traditionally considered to be stable and safe. Just think about the recent referendum on the independence of Catalonia or the more and more frequent terrorist attacks in Europe (if we include Turkey too, there were 76 attacks in 2016 alone, with a toll of 557 dead and 2,471 injured).

The assessment of the so-called local risk factors poses a number of problems, mostly due to the complexity and the alleged random nature of the phenomena under consideration, as well as the difficulty in finding reliable and updated information and data to be used for analysis and comparisons. These obstacles push several economic operators to renounce important business opportunities in areas which they perceive as unstable or, in other cases, to underestimate certain risks, thus endangering their investments and the safety of their personnel.

Besides being the fundamental component of a broader process aimed at determining the soundness of an investment, risk assessment is also a legal obligation that, coupled with the broader duty of care principle, exempts companies and their managements from the so-called ‘liability 231’. Italian legislation on the matter is actually incomplete to some extent, but substantiated by the now plentiful legal activity on risk governance. This idea was reiterated and doubts of interpretation were cleared up by Italy’s Commissione per gli Interpelli in October 2016. In light of Article 2087 of the Italian Civil Code and Article 28 of the Italian Testo Unico Sicurezza (Consolidated law on security), the Commissione unambiguously confirmed that Employers have an obligation to also assess the potential and specific environmental risks linked to the features of the country in which the work will be performed, including the so-called “aggravated generic risks”, related to the geopolitical situation of the country (e.g. civil wars, terrorist attacks, kidnapping, etc.).

In order to exempt Employers from liability, the assessment must be unbiased and objective, and therefore based on reliable and verifiable data. There is no room for any conditioning resulting from cognitive bias and emotional factors or, in other words, from a random, and therefore, stochastic perception of risk. In this regard, IFI Advisory has developed its own certified ‘Country risk’ assessment system, the THESYS® (Threat Evaluation System), based on a complex methodology created in collaboration with the Italian National Research Council (CNR).

IFI refers to ‘Country risk’ as those local factors likely to have a direct or indirect impact on security. IFI’s risk assessment mechanism indexes four main types of threats (terrorism, crime, politics and ethics), in turn divided into 29 indicators, each of which is measured through quantitative or qualitative structured analysis techniques. Thanks to specific calculation algorithms, the system can process a large amount of ‘raw data’ obtained from specialised databases or by means of open-source analysis.

The above-mentioned techniques are coupled – in a consequential and complementary way – with a mechanism weighting up the various indicators. Such mechanism may vary according to the company’s field of activity, and therefore to the company’s lower or greater exposure to certain types of threats. The analysis can refer to either a country or a specific sub-state area affected by distinct political and/or security dynamics.

In its operational phase, the entire methodology is implemented through specific IT tools designed to quickly and thoroughly apply the relevant mathematical functions. The system also uses rankings and specific charts and tables to provide summary and trend data on one or more indicators on a time and geographical basis, so as to allow users to make easy synchronic and diachronic comparisons by individual countries, by regional area or between different areas. Thanks to these tools, valuable support can be provided for a ‘static’ threat assessment, but also for any activities which are preparatory to forecasting and foresight (that is, developing trends and targeted projections), in order to make informed decisions on medium to long-term investments.

The ultimate goal of THESYS® is to provide companies with an operational decision support tool, that, in addition to ensuring compliance with current regulations, serves as an aid in taking timely and informed policies and decisions. Because a correct assessment is the first, fundamental step to govern risk.