Ch 25: Risk Governance

Question 1

The risk management process

Answer 1

• Process of ensuring that the risks which an organisation is exposed to are the risks
• To which it thinks it is exposed
• To which it is prepared to be exposed
• General framework
• Not linear - all stages can impact and feed into other stages of the cycle
• Process is consistent with the ACC

Question 2

Risk identification

Answer 2

• Recognition of the risks that can threaten the income and
  assets of an organisation
• Identify risks that represent
• Material threats to business objectives
• Opportunities to exploit risk to gain competitive advantage
• Identify possible risk controls – reduce likelihood / impact
• Systematic / diversifiable
• Update risk register regularly - main operational aspect of
  ongoing risk identification

Question 3

Why is risk identification the hardest
part of risk management?

Answer 3

Because the risks to which an
organisation is exposed are numerous
and because risk identification needs to
be comprehensive. Biggest risks are the
risks not identified.

Question 4

Risk classification

Answer 4

Risk classification helps with:
* Calculation of cost of risk
* Value of diversification
* Allocation of “risk owner” - control processes for relevant risk category

Question 5

Risk measurement

Answer 5

• Estimation of probability and severity
• Carried out before and after application of risk controls
• Cost of risk controls included in assessment
• Basis for evaluating and selecting methods of risk control
• Declined
• transferred
• mitigated
  -retained with / without controls

Question 6

Risk control

Answer 6

• Determining and implementing methods of risk mitigation
• Decide whether to reject, fully accept / partially accept risk
• Aim to reduce probability / severity / financial and other consequences of a loss
• Risk appetite is key consideration for approach - quantitative and qualitative components
• Management actions to be taken when certain trigger points are reached
• Compare options, identify optimal one and implement it

Question 7

Risk financing

Answer 7

• Determining likely cost of each risk
• Cost of mitigations
• Expected losses
• Cost of capital from retained risk
• Ensuring adequate financial resources available to cover losses

Question 8

Risk monitoring

Answer 8

• Regular review and re-assessment of risks
  together with an overall business review to
  identify new / previously omitted risks
• Establish clear management responsibility for
  each risk
• Assess accuracy of underlying assumptions
• Identifying “near misses”
• Leads back to risk identification
• Objectives
• Determine if exposure to risk / risk appetite has
  changed over time
• Identify new risks / changes in nature of existing
  risks
• Report on risks that occurred and how they were
  managed
• Assess whether existing risk management
  process is effective

Question 9

Through an effective risk management process, a provider will
be able to:

Answer 9

• Avoid surprises
• Improve stability and quality of their business
• Improve their growth and returns
• By exploiting risk opportunities
• Through better management and allocation of capital
• Identify opportunities arising from
• Natural synergies
• Risk arbitrage - situations where provider may have
  different view on price of risk relative to another party
• Give stakeholders in their business confidence that the
  business is well managed
• Price products to reflect the inherent level of risk
• Improve job security and reduce variability in employee
  costs
• Detect risks earlier meaning they are cheaper and easier to
  deal with
• Determine cost-effective means of risk transfer

Question 10

Risk management process should:

Answer 10

• Incorporate all risks, both
  financial and non-financial
• Evaluate all relevant strategies
  for managing risk
• Consider all relevant constraints -
  political, social, regulatory,
  competitive
• Exploit hedges and portfolio
  effects among the risks
• Exploit financial and operational
  efficiencies within the strategies

Question 11

Example of natural synergies in life
insurance:

Answer 11

May sell term assurances with
mortality risk and annuities with
longevity risk. Risks naturally hedge
each other

Question 12

RISK

Answer 12

• All possible outcomes and their
  probabilities are known / can be
  estimated
• Can usually be managed
• Typically choice as to whether to take it

Question 13

UNCERTAINTY

Answer 13

• Possible outcomes and / or their
  probabilities are unknown
• Cannot be measured / controlled
• Typically no choice as to whether it is
  faced

Question 14

UPSIDE RISK:

Answer 14

risk should not be considered as only relating to adverse outcomes. Risk can be positive if the
outcome is better than expected

Question 15

SYSTEMATIC RISK

Answer 15

• Risks affecting an entire market / system
• Cannot be diversified away
• Not to be confused with systemic risk -
  failure of a specific system → domino-effect:
  failure of one bank leads to failure of many
  more
• Eg COVID-19, war

Question 16

DIVERSIFIABLE RISK

Answer 16

• Risk arises from an individual component of a
  financial market / system
• Rational investors typically hold a portfolio of
  assets as well diversified as possible
• Strategies depend on investor’s view of the
  riskiness of the assets and risk appetite
• Investors may opt for less diversified portfolios,
  but will require higher returns to compensate for higher risk – depends on risk appetite

Question 17

Some risks are both systematic and diversifiable

Question 18

BUSINESS UNITS

Answer 18

A company’s business units might:
* Carry out different types of activity within the
same company (finance/ marketing)
* Carry out activities in different industry sectors
or in different areas within the same sector
* Carry out different activities at different locations
* Operate in different countries
* Operate in different markets
* Be separate companies in a group, which each
have their own business units

Question 19

MANAGING RISK AT THE BUSINESS UNIT LEVEL

Answer 19

Silo approach to risk management:
* Parent company determines overall risk
appetite → allocated to BUs
* Risk capital allocated to BUs based on each BUs
retained risk
* Each BU manages risk individually based on
allocated risk appetite
* Diversification & pooling of risks not allowed for
* Crude allowance for diversification

Question 20

MANAGING RISK AT THE ENTERPRISE LEVEL

Answer 20

• Risk assessment at entity (entire enterprise) level
• Allowance made for diversification / pooling / concentration of risk
• Better budgeting for risk
• Required risk capital minimised
• Risk capital allocated to BUs based on each BUs retained risk
• Facilitates insight into
• Undiversified risk exposures and hence
• Risk transfer needs and
• Risk capital requirements
• Risk reporting a cornerstone of ERM
• Need to know if BUs comply with risk allocations
• Non-compliance may nullify diversification benefits

Question 21

Key features of ERM:

Answer 21

• Consistency between business
  units
• Holistic - considers the risks of
  an enterprise as a whole,
  rather than in isolation
• Seeking opportunities to
  enhance value

Question 22

Stakeholders involved in
risk governance of a cpy

Answer 22

• directors/ senior management
• risk managers & any Chief Risk Officer
• all other employees
• customers
• shareholders
• credit rating agencies
• regulators

Question 23

Employees:in risk governance of a cpy

Answer 23

• In efficiently run organisation, all members of staff are part of risk governance
• Identify risks and suggest ways in which risks can be mitigated / controlled

Question 24

Chief Risk Officer:in risk governance of a cpy

Answer 24

• All large companies and all providers of finance should have one
• Normally at enterprise level
• Allocate risk budgets to BUs after allowing for diversification
• Monitor group exposure to risks and document risks that materialised
• Should have authority and understand key stakeholders and drivers of performance
• Roles of Central Risk Function
• Giving advice to board
• Assessing overall risks being run by the business
• Making comparisons of overall risks with risk appetite
• Acting as a central focus point for staff to report new and enhanced risks
• Giving guidance to line managers about identification and management of risks, making
  suggestions for risk responses
• Monitoring progress on risk management
• Pulling the whole picture together

Question 25

3 lines of defence:

Answer 25

1. Line management staff in business units (BU’s) - accountable for measuring & managing risk in individual business units on a daily basis 2. Chief Risk Officer, risk management team & compliance team - accountable for establishing risk & compliance programmes & policies & reporting to the board 3. Board & audit function - accountable for effective governance of risk management process, setting risk management strategy, approving policies & ensuring ERM is effective Relationship between the first two lines of defence: * Offence vs defence - BU’s focuses on maximising income and risk management on minimising losses - could be destructive * Policy and policing - BU’s operate within rules which are set by risk management function and policed by risk management, audit, and compliance functions - Problems – out of date policies, failure to identify problems, friction, and little incentive to report problems / policy violations * Partnership model - BU’s & risk management staff (RMS) work together in client-consultant type relationship to manage risk. RMS recognise importance of their role as consultants. Independence may suffer in this structure.

Question 26

Appropriate governance structure will depend on factors such as:

Answer 26

* Structure of existing committees and decision- making bodies * Size and nature of business * Risks faced by business * Autonomy and accountability of the elements in the current corporate structure

Question 27

Line management

Answer 27

ERM supported by: * Process for engaging with BUs * Common risk taxonomy - system for classifying and defining risks * Standard risk management process * Appropriate incentives for employees, linked to agreed behaviours * Clear monitoring and risk reporting

Question 28

Incorporating risk management into business management processes:

Answer 28

* Business strategy * New product / business development - Set trigger points for each assumption - Specific risk committee * Pricing of products - Take account of all the costs of risk - expected losses, cost of capital, cost of risk transfer * Measuring business performance - Risk-adjusted performance measures * Risk and incentive compensation External stakeholders * Organisations can encourage their customers to note & report risk that they come across * Other stakeholders have strong interest in risk governance within an organisation including the shareholders, any regulators & credit rating agencies