CH25 - Risk identification & classification Flashcards
Identifying all the risks in an organisation is a difficult task and requires good knowledge of (3)
- The circumstances of the organisation concerned
- The features of the business environment in which it operates
- The general business and regulatory environment
This is equivalent to needing to consider the external environment when following the actuarial control cycle.
Who should be involved in identifying the risks that could arise within an organisation
It is important that everyone involved in an organisation is involved in risk identification, not just management and not just those employees who work in a dedicated risk management team.
This is because those who work directly within the business and who use the processes on a regular basis are often most likely to be able to spot potential risk areas.
It is also useful to involve individuals who are external to the organisation. In particular, experts may be used to assist with those risks that are more difficult to identify.
Techniques available to ensure that all relevant risks have been identified (4)
- Use risk classification to ensure that all types of risk have been considered
- Use techniques from project management
- Use risk checklists, for example as used for regulatory purposes
- Use the experience of staff who have joined from similar organisation, and of consultants with broad experience of the industry concerned.
Risk checklists
Where there is a risk-based capital requirement regime, such as Solvency II in Europe, there may be lists of risks that regulators believe are relevant to the business.
For example, the standard formula for calculating capital requirements covers many risks relevant to financial product providers.
Identification and analysis of risks in project management
The steps necessary to achieve an effective identification and analysis of the risks facing a project can be summarised as follows:
- Make a high-level preliminary risk analysis to confirm that the project does not have such a high-risk profile that it is not worth analysing further - in which case, the project should not proceed.
- Hold a brainstorming session of project experts and senior internal and external people who are used to thinking strategically about the long term.
- Carry out a desktop analysis to supplement the results from the brainstorming session, by identifying further risks and mitigation options, e.g. by researching similar projects undertaken by the sponsor or others in the past.
- Obtain the considered options of experts who are familiar with the details of the project and the outline plans for financing it.
- Carefully set out all the identified risks in a risk register or a risk matrix, with cross-references to other risks where there is inter dependency.
The aim of brainstorming sessions (5)
- Identify project risks, both likely and unlikely, and their upsides and downsides
- Discuss these risks and their inter dependency
- Attempt to place a broad initial evaluation on each risk, considering both frequency of occurrence and probable consequences if it does occur
- Generate initial mitigation options
- Discuss these options briefly
Risk matrix
A risk matrix is very useful tool for the risk analyst because it is a reminder to consider particular types or risk, which may not have been sufficiently considered.
It may be linked to the use of risk checklists, and also provides a convenient categorisation for risks.
The rows in a risk matrix represent the stage of the project at which the risk arises. The columns represent the causes (or types) of risk.
Both the columns and the rows would be further subdivided.
Risk mitigation in project management
For each major risk, consideration would be given to identifying the main options for mitigating the risk. There options are the same as those that apply to businesses in general.
Risk classification
The phrase ‘risk classification’ can mean different things in different contexts.
In the wider risk management context, risk classification refers to allocating identified risks into higher level categories, in order to aid the other stages of the risk management control cycle.
Risk categories (6)
Broad classification of the risks that impact the providers of products and schemes that provide benefits on future contingent events.
It can be used as a structure when considering any other type of organisation. The risk categories are: 1. market risk 2. credit risk 3. liquidity risk 4. business risk 5. operational risk 6. external risk
This is a useful starting point for identifying risks for any organisation, not just for financial product providers.
A clear understanding of the business undertaken by a provider and the organisational structure is a prerequisite to assessing the significance of each risk and how the outcome of the risk translates into a financial impact on the balance sheet and cashflow requirements.
Market risk
Essentially market risks are the risks related to changes in investment market values of other features correlated with investment markets, such as interest and inflation rates.
Market risk can be divided into (3)
- The consequences of changes on asset values (this is the most obvious implication)
- The consequence of investment market value changes on liabilities
- The consequences of a provider not matching asset and liability cashflows
Asset value changes can result from (2)
- Changes in the market values of equities and property. These risks can be systematic if they occur across the whole market under consideration, or may be specific to particular markets and can therefore be diversified by holding a range of assets and asset classes.
- Changes in interest and inflation rates. These primarily affect the value of fixed-interest and index-linked securities, although there is usually some effect on equities and property too,
Liability value changes
Liability value changes might arise because promises to stakeholders, policyholders or benefit scheme members are directly related to investment market values or interest rates.
Alternatively, a change in interest or inflation rates might affect the level of provisions a provider needs to establish for future liabilities. For example, a reduction in interest rates may reduce the discount rate used to assess the liabilities and therefore increase the provisions that a benefit scheme is required to hold to meet its liabilities.
Two causes of liability value changes are changes to (2)
- The liability amount, e.g. inflation-linked annuities or unit-linked benefits.
- The liability value as the interest rate used in the valuation changes.
Asset / liability matching (5)
The fundamental principle of investment is that assets should be selected to match the liabilities in nature, term and currency. If it were possible to find such a perfect match, then market risk could be completely diversified away by choosing a matched portfolio.
In practice a perfect match may be impossible because:
1. there may not be a wide enough range of assets available, in particular it is unusual to find assets of long enough duration
2. liabilities may be uncertain in amount and timing
3. liabilities may include options and hence have uncertain cashflows after the option date
4. liabilities may include discretionary benefits
5. the cost of maintaining a fully-matched portfolio is likely to be prohibitive.
Hence even a well-matched portfolio is likely to retain some element of risk.
The existence of additional capital gives freedom to intentionally take an unmatched position in the hope of achieving an additional return. The capital will be used to cover the cost of the risk taken.
Credit risk
Credit risk is the risk of failure of third parties to meet their obligations.
Particular examples are:
- The issuer of a corporate bond defaulting on the interest or capital payments
- The term ‘credit risk’ is sometimes also used to describe the risk associated with any kind of credit-linked event. This could include changes to credit quality (up or down) or variations in credit spreads in the market as well as the default events described above.
Credit spread
Credit spread is the difference in yield between a particular corporate bond and an otherwise equivalent government bond.
Give some examples of credit linked events (5)
- Bankruptcy (insolvency, winding-up, appointment of a receiver)
- A rating downgrade or upgrade
- Failure to pay
- Counterparty risk, where one party to a transaction fails to meet their side of the bargain. An example of counterparty risk is settlement risk, which arises when a party pays away cash or delivers assets before the counterparty is known to have performed their part of the deal.
- General debtors - the purchaser of goods and services fails to pay for them
Outline possible credit risk exposures of an insurance company (5)
- Issuers of government and corporate bonds in which the insurance company has invested may default on payments or their bonds may be downgraded
- The company’s reinsurer(s) will represent exposure to counterparty risk
- The company is exposed to the risk of the failure of banks with which its deposits are held.
- If the company uses outsourcing companies or external investment fund managers, it is exposed to the risk that they will not fulfil their obligations (this may alternatively be classified as an operational risk)
- General debtors will include policyholders who may default on their premiums (this may be alternatively be classified as a business risk) and/or brokers who may fail to pass on premiums.
Security
If a borrower can provide security, providing finance to that borrower will be more attractive to a lender. However, the existence of security is not an excuse for otherwise bad lending.
The decision as to what security is taken is dependent on:
- The nature of the transaction underlying the borrowing
- The covenant of the borrower
- Market circumstances and the comparative negotiating strength of lender and borrower
- What security is available
The most common asset to take as security is property.
It is within the ability of the lender to realise the security if necessary in a cost-effective manner.
Credit rating
A credit rating is given to a company’s debt by a credit-rating agency as an indication of creditworthiness, i.e the likelihood of default / credit loss.
A company may act to improve its credit rating and these actions may affect the market for that company’s and other companies’ shares.
Liquidity risk
The normal definition of liquidity risk relates to individuals or companies.
Liquidity risk is the risk that the individual or company, although solvent, does not have available sufficient financial resources to enable it to meet its obligations as they fall due.
‘or that they can secure such resources only at excessive cost’
Liquidity risk for non financial institutions
Liquidity pressures are the most common reason why a trading company goes into liquidation. The phrase ‘into liquidation’ immediately gives the reason for the action.
A trading company may well have sufficient assets, probably largely stock and work in progress, to cover its liabilities, but if those assets cannot be realised the company may not be able to satisfy its creditors.
Liquidity risk for insurance companies and benefit schemes
Insurance companies and benefit schemes normally have little exposure to liquidity risk, because a large proportion of their assets are in cash deposits or bond and stock market assets. In general, these can readily be sold in the market to raise cash when required.
Liquidity risk for banks
Banks are generally exposed to significant liquidity risk. They lend depositors’ funds and funds raised from money markets to other organisations, and generally do so for longer periods than they offer to the providers of the funds.
A retail bank that offers customers instant access to their deposits needs to maintain sufficient liquid resources to withstand a large number of customers asking for their money back.
For this reason banks frequently offer good investment returns on fixed term deposits, where the depositors are not able to access their funds until the maturity date.
Liquidity risk for collective investment schemes and insurance funds
Similarly, collective investment schemes and insurance funds that invest in real property need to protect themselves if clients request access to their funds when the underlying properties cannot be sold. Such funds frequently have the power to defer withdrawals by up to six months if necessary to allow time for property sales. Hedge funds that invest in iliquid assets also often have lock-in periods to mitigate liquidity risk.
Managing liquidity risk
Financial companies will maintain a degree of liquidity to deal with anticipated liability withdrawal. In the event of these withdrawals being greater than expected, the company may have to convert some of its less liquid assets to cash or else try to borrow additional funds (which may be unavailable or expensive)
Market liquidity risk
In the context of financial markets, liquidity risk can arise where a market does not have the capacity to handle (at least, without a potential adverse impact on the price) the volume of an asset to be bought or sold at the time when the deal is required.
Business risk
Business risks are risks that are specific to the business undertaken.
Business risk differs from operational risk in the the latter are non-financial events that have financial consequences.
Sub-categories of the business risks of financial product providers (4)
- Underwriting risk - arising in relation to the underwriting approach taken
- Insurance risk - arising from the uncertainties relating to claim rates and amounts
- Financing risk - arising in relation to the financing of projects or other activities
- Exposure risk - arising in relation to the amount of business sold or retained, or to its concentration or lack of diversification
Examples of business risk (7)
- A life or general insurer not having adequate underwriting standards, and thus taking on risks at an inadequate price. (underwriting risk)
- An insurer suffering more claims that anticipated. (insurance risk)
- A provider of finance, such as a bank, investing in a business or project that fails to be successful. (finance risk)
- A reinsurer having greater exposure than planned to a particular risk event - for example through writing whole account protection covers as well as primary reinsurance of the risk (exposure risk)
- A music production company promoting a CD that fails to sell
- A competitor launching a new product in the week before your similar product launch
- An umbrella manufacturer whose sales suffer in a drought.
It might be argued that a drought, as an external event, is an external risk. However, the profits of the company will be so closely correlated with the amount of rainfall that the risk is key to the company’s business.
Operational risk
Operational risk refers to the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.
Operational risks can be controlled or mitigated by an organisation. For individuals, operational risks arise in carrying out their normal lifestyle. For an individual, crossing the road is an operational risk, which can be mitigated by looking and listening carefully before crossing.
External risk
External risk is a form of non-financial risk but is separate to operational risk.
External risk arises from external events, such as storm, fire, flood or terrorist attack.
However, the failure to arrange mitigation against such risks is an operational risk.
In general, these are systematic risks. Only for the largest entities is it economically efficient to diversify these by carrying out the same operation on different sites.
Operational risk can arise from (4)
- Inadequate or failed internal processes, people or systems
- The dominance of a single individual over the running of a business, sometimes called dominance risk
- Reliance on third parties to carry out various functions for which the organisation is responsible, e.g. if administration or investment work is outsourced
- The failure of plans to recover from an external event
While it is possible to develop computer models to analyse and price operational risk, such models are only as good as the parameters input. Whether or not a model is used, identification of operational risks requires considerable input from owners, senior management and other individuals who have detailed working knowledge of the operations of the business.
Examples of inadequate or failed internal processes, people or systems that may be a source of operational risk to an insurance company (4)
- Mismanagement, for example due to:
- inappropriate actions of the board of directors / staff
- failure (or lack) of management systems and controls
- administrative complexity - Data errors, for example inadequate, inaccurate or incomplete data
- Inadequate risk control measures
- Fraud
