Ch 25: Risk Governance Flashcards
The risk management process
- Process of ensuring that the risks which an organisation is exposed to are the risks
- To which it thinks it is exposed
- To which it is prepared to be exposed
- General framework
- Not linear - all stages can impact and feed into other stages of the cycle
- Process is consistent with the ACC
Risk identification
- Recognition of the risks that can threaten the income and assets of an organisation
- Identify risks that represent
- Material threats to business objectives
- Opportunities to exploit risk to gain competitive advantage
- Identify possible risk controls - reduce likelihood / impact
- Systematic / diversifiable
- Update risk register regularly - main operational aspect of ongoing risk identification
Why is risk identification the hardest part of risk management?
Because the risks to which an organisation is exposed are numerous and because risk identification needs to be comprehensive. Biggest risks are the risks not identified.
Risk classification
Risk classification helps with:
* Calculation of cost of risk
* Value of diversification
* Allocation of "risk owner" - control processes for relevant risk category
Risk measurement
- Estimation of probability and severity
- Carried out before and after application of risk controls
- Cost of risk controls included in assessment
- Basis for evaluating and selecting methods of risk control
- Declined
- Transferred
- Mitigated
- Retained with / without controls
Risk control
- Determining and implementing methods of risk mitigation
- Decide whether to reject, fully accept / partially accept risk
- Aim to reduce probability / severity / financial and other consequences of a loss
- Risk appetite is key consideration for approach - quantitative and qualitative components
- Management actions to be taken when certain trigger points are reached
- Compare options, identify optimal one and implement it
Risk financing
- Determining likely cost of each risk
- Cost of mitigations
- Expected losses
- Cost of capital from retained risk
- Ensuring adequate financial resources available to cover losses
Risk monitoring
- Regular review and re-assessment of risks together with an overall business review to identify new / previously omitted risks
- Establish clear management responsibility for each risk
- Assess accuracy of underlying assumptions
- Identifying "near misses"
- Leads back to risk identification
- Objectives
- Determine if exposure to risk / risk appetite has changed over time
- Identify new risks / changes in nature of existing risks
- Report on risks that occurred and how they were managed
- Assess whether existing risk management process is effective
Through an effective risk management process, a provider will be able to:
- Avoid surprises
- Improve stability and quality of their business
- Improve their growth and returns
- By exploiting risk opportunities
- Through better management and allocation of capital
- Identify opportunities arising from
- Natural synergies
- Risk arbitrage - situations where provider may have different view on price of risk relative to another party
- Give stakeholders in their business confidence that the business is well managed
- Price products to reflect the inherent level of risk
- Improve job security and reduce variability in employee costs
- Detect risks earlier meaning they are cheaper and easier to deal with
- Determine cost-effective means of risk transfer
Risk management process should:
- Incorporate all risks, both financial and non-financial
- Evaluate all relevant strategies for managing risk
- Consider all relevant constraints - political, social, regulatory, competitive
- Exploit hedges and portfolio effects among the risks
- Exploit financial and operational efficiencies within the strategies
Example of natural synergies in life insurance:
May sell term assurances with mortality risk and annuities with longevity risk. Risks naturally hedge each other.
RISK
- All possible outcomes and their probabilities are known / can be estimated
- Can usually be managed
- Typically choice as to whether to take it
UNCERTAINTY
- Possible outcomes and / or their probabilities are unknown
- Cannot be measured / controlled
- Typically no choice as to whether it is faced
UPSIDE RISK:
Risk should not be considered as only relating to adverse outcomes. Risk can be positive if the outcome is better than expected.
SYSTEMATIC RISK
- Risks affecting an entire market / system
- Cannot be diversified away
- Not to be confused with systemic risk - failure of a specific system - domino-effect: failure of one bank leads to failure of many more
- Eg COVID-19, war
DIVERSIFIABLE RISK
- Risk arises from an individual component of a financial market / system
- Rational investors typically hold a portfolio of assets as well diversified as possible
- Strategies depend on investor's view of the riskiness of the assets and risk appetite
- Investors may opt for less diversified portfolios, but will require higher returns to compensate for higher risk - depends on risk appetite
Some risks are both systematic and diversifiable
BUSINESS UNITS
A company's business units might:
* Carry out different types of activity within the same company (finance / marketing)
* Carry out activities in different industry sectors or in different areas within the same sector
* Carry out different activities at different locations
* Operate in different countries
* Operate in different markets
* Be separate companies in a group, which each have their own business units
MANAGING RISK AT THE BUSINESS UNIT LEVEL
Silo approach to risk management:
* Parent company determines overall risk appetite - allocated to BUs
* Risk capital allocated to BUs based on each BUs retained risk
* Each BU manages risk individually based on allocated risk appetite
* Diversification & pooling of risks not allowed for
* Crude allowance for diversification
MANAGING RISK AT THE ENTERPRISE LEVEL
- Risk assessment at entity (entire enterprise) level
- Allowance made for diversification / pooling / concentration of risk
- Better budgeting for risk
- Required risk capital minimised
- Risk capital allocated to BUs based on each BUs retained risk
- Facilitates insight into
- Undiversified risk exposures and hence
- Risk transfer needs and
- Risk capital requirements
- Risk reporting a cornerstone of ERM
- Need to know if BUs comply with risk allocations
- Non-compliance may nullify diversification benefits
Key features of ERM:
- Consistency between business units
- Holistic - considers the risks of an enterprise as a whole, rather than in isolation
- Seeking opportunities to enhance value
Stakeholders involved in risk governance of a company
- directors/ senior management
- risk managers & any Chief Risk Officer
- all other employees
- customers
- shareholders
- credit rating agencies
- regulators
Employees: in risk governance of a company
- In efficiently run organisation, all members of staff are part of risk governance
- Identify risks and suggest ways in which risks can be mitigated / controlled
Chief Risk Officer: in risk governance of a company
- All large companies and all providers of finance should have one
- Normally at enterprise level
- Allocate risk budgets to BUs after allowing for diversification
- Monitor group exposure to risks and document risks that materialised
- Should have authority and understand key stakeholders and drivers of performance
- Roles of Central Risk Function
- Giving advice to board
- Assessing overall risks being run by the business
- Making comparisons of overall risks with risk appetite
- Acting as a central focus point for staff to report new and enhanced risks
- Giving guidance to line managers about identification and management of risks, making suggestions for risk responses
- Monitoring progress on risk management
- Pulling the whole picture together