Chapter 24-Risk governance Flashcards

1
Q
  1. What approach do the steps of the risk management process follow?
A

It will be seen that these steps follow the approach of the actuarial control cycle.

2
Q
  1. Describe the risk identification stage of the process.
A

Risk identification is the recognition of the risks that can threaten the income and assets of an organisation and therefore make it unable to meet objectives. This is the hardest aspect of risk management.
Having identified each risk, it is necessary to determine whether it is systematic or diversifiable.
For each risk it is necessary to have a preliminary identification of possible risk control processes that could be put in place which will reduce either the likelihood of the risk event occurring or the impact of the risk event should it occur.
It is also important to identify opportunities to exploit risks and gain a competitive advantage over other providers. Taking on risk is a potential source of profit and is the reason for insurance and reinsurance companies.

3
Q
  1. Explain the purpose of the risk classification stage of the process.
A

The company should then classify the identified risks into groups in order to ensure full coverage and aid analysis, including assessing diversification opportunities.
The organisation should ensure that it has considered all sources of risk, both financial and non-financial, eg market risk, credit risk, liquidity risk, business risk, operational risk, external risk.
A risk ‘owner’ should be allocated to each risk, having responsibility for the control processes for that risk.

4
Q
  1. Describe the risk measurement stage of the process.
A

Risk measurement is the estimation of the probability of a risk event occurring and its likely severity. This would normally be carried out before and after application of any risk controls, and the cost of the risk controls would be included in the assessment.
A common approach to risk assessment is a simple scoring scale, under which the scores for each of probability and severity are multiplied in order to rank risk events.
Risks could then be quantified more accurately by using appropriate risk measures, for example tracking errors, Value at Risk (VaR), conditional expected shortfall, an analysis of actual vs expected experience etc.
Existing control measures should be allowed for in the measurement.
An overall risk assessment should be performed at a whole company level.
When modelling risks in aggregate, allowance needs to be made for diversification or inter-relationships between risks, eg by using correlation matrices, stochastic modelling, copulas.

5
Q
  1. Explain what risk control involves.
A

Risk control involves deciding whether to reject, fully accept or partially accept each identified risk. This stage also involves identifying different possible mitigation options for each risk that requires mitigation.
The extent to which an organisation controls its risk will depend on:
* its risk tolerance level / risk appetite
* the cost / benefit ratio of any control measures.
Types of risk controls include:
* insurance and/or reinsurance
* alternative risk transfer tools
* underwriting
* claims controls
* management control systems, eg contingency planning
* diversification.
Particular care should be taken to control those risks with a significant financial impact but which have a low probability of occurrence.

6
Q
  1. Outline the three ways in which risk control measures can mitigate risks or their consequences, including an example of each.
A

Risk control measures are systems that aim to mitigate the risks or the consequences of risk events by:
* reducing the probability of a risk event occurring - for example, by introducing good safety procedures within a company to reduce the risk of a fire starting
* limiting the severity of the effects of a risk that does occur - for example, by having sprinkler systems and adequate fire extinguishers, so that a fire that does occur can quickly be put out
* reducing the consequences of a risk that does occur - for example, by having adequate insurance in place to meet the costs of a fire that does occur.

7
Q
  1. What type of risk must be a priority candidate for the application of risk control?
A

A risk that gives rise to serious exposures to the organisation must be a priority candidate for the application of control techniques.

8
Q
  1. Explain the relevance of ‘trigger points’ to risk mitigation.
A

Not all risks occur at a single point event. For example, in a stock market ‘crash’, prices do not normally fall in a single day, but the full effect of the crash is observed over a number of weeks or months.
Frequently risk mitigation techniques involve management actions to be taken when certain trigger points are reached (for example to protect a portfolio value, or to reduce the amount of risk being accepted). It is vital that the actions really are taken when the trigger is reached and not delayed ‘because it might get better tomorrow’, however unpalatable the actions might be.

9
Q
  1. What is it necessary to do if more than one option exists for mitigating a particular risk?
A

Where more than one option exists for mitigating a particular risk, it will be necessary to compare each option, identify which option is optimal and then implement the appropriate options.

10
Q
  1. What is a key component in the decision on the approach to take to control a risk?
A

The organisation’s risk appetite is another key feature in the decision on the approach to take to control individual risks. Risk appetite is likely to have both quantitative and qualitative components. The qualitative aspect of risk appetite includes risk preferences of the organisation.

11
Q
  1. Explain what risk financing involves.
A

Risk financing involves determining the likely cost of each risk (including the cost of any mitigations and the expected losses and cost of capital arising from retained risk) and ensuring the organisation has sufficient financial resources available to continue its objectives after a loss event occurs.
The organisation should hold enough capital to cover the residual risks which remain after implementing its risk controls.
Tools that may be used to manage the organisation’s capital include banking products, subordinated debt, retaining earnings.

12
Q
  1. Describe the monitoring stage of the risk management process.
A

Having decided that all or part of a risk should be retained, with or without controls, the risks should be monitored. Risk monitoring is the regular review and re-assessment of all the risks previously identified, coupled with an overall business review to identify new or previously omitted risks. It is important to establish a clear management responsibility for each risk in order that monitoring and control procedures can be effective.

13
Q
  1. List seven things that a provider aims to achieve through an effective risk management process.
A

Through an effective risk management process a provider of financial benefits will be able to:
* avoid surprises
* improve the stability and quality of their business
* improve their growth and returns by exploiting risk opportunities
* improve their growth and returns through better management and allocation of capital
* identify opportunities arising from natural synergies
* identify opportunities arising from risk arbitrage
* give stakeholders in their business confidence that the business is well managed

14
Q
  1. List five things that the risk management process should involve in order to achieve these aims.
A

Ideally, in the management of risk, providers need to look to find the optimal set of strategies that balance the needs for return, growth and consistency. The risk management process should:
* incorporate all risks, both financial and non-financial
* evaluate all relevant strategies for managing risk, both financial and non-financial
* consider all relevant constraints, including political, social, regulatory and competitive
* exploit the hedges and portfolio effects among the risks
* exploit the financial and operational efficiencies within the strategies

15
Q
  1. Give examples to illustrate the difference between risk and uncertainty.
A

A risk can be associated with an event that is certain in time - will it rain on my wedding day? Alternatively, the event can be certain and the issue is when it will occur - how long will I live to draw my pension? Thirdly, both the occurrence and the timing can be uncertain - will my house suffer from storm damage?
A risk event having occurred, there can then be uncertainty about the consequences of the event - is the loss amount fixed or variable, and what is the shape of the loss distribution?
Finally, even certain strategies to avoid loss may not be risk-free on detailed investigation.

16
Q
  1. Define systematic risk and describe how it arises in investment markets.
A

Systematic risk is risk that affects an entire financial market or system, and not just specific participants. It is not possible to avoid systematic risk through diversification.
In the context of investment markets, the risk of a decline in the market as a whole, with all stocks being affected, is a systematic risk.
Assuming that the investor is required to participate in the market, the risk cannot be avoided. Conversely the risk of a decline in the value of a single security can be mitigated by an investor spreading the risk and investing in a large number of small holdings. However, a portfolio of 30 to 40 securities in developed markets such as the UK or US (more in case of developing markets because of higher asset volatilities) will render the portfolio sufficiently diversified to limit exposure to that of systematic risk only.

17
Q
  1. Distinguish between the terms ‘systemic risk’ and ‘systematic risk’.
A

The term systematic risk is sometimes used interchangeably with systemic risk. Systemic risk is a specific technical term used in finance. Systematic risk has an additional more general meaning that is ‘of or pertaining to a system’.

18
Q
  1. Define diversifiable risk and describe its role in investment markets.
A

Diversifiable risk arises from an individual component of a financial market or system.
In the context of investment markets, diversifiable risk occurs when the value of an individual security falls. A rational investor should not take on any diversifiable risk, as only non-diversifiable risks are rewarded within the scope of most financial systems.
Therefore, the required return on an asset, that is, the return that compensates for risk taken, must be linked to its riskiness in a portfolio context - ie its contribution to overall portfolio riskiness - as opposed to its ‘stand-alone riskiness’.
According to the above theory all rational investors would hold a portfolio of assets that was as well-diversified as possible. If all investors had the same estimates of the relative risks and returns then they would all hold the same market portfolio. It would be impossible to outperform the market except by chance, so only index-tracking funds would exist.
However, in practice different investors have different estimates of the risks and returns. As a result, they will hold a less well-diversified portfolio if they believe that it offers a sufficiently higher expected return than the market to compensate them for the diversifiable risks they take. The risk appetite of the investor will affect the extent that they are prepared to move away from the market portfolio in search of higher returns.

19
Q
  1. Using an equity investment fund as an example, describe how whether a risk is systematic or diversifiable depends on the context.
A

Whether a risk is systematic or diversifiable depends on the context.
For example, an investment fund that is constrained to invest in domestic equities, because of the prospectus and other information issued to clients, will see the domestic equity market as a systematic risk.
A worldwide equity fund that can invest in domestic and overseas equities will see exposure to the domestic equity market as a diversifiable risk. Such a fund can hold investments from a wide range of international markets and thus limit the exposure to any particular national market.

20
Q
  1. Explain, giving examples, how a company might comprise a number of business units.
A

All but the simplest businesses comprise a number of business units.
These units might:
* carry out the same activity but in different locations
* carry out different activities at the same location
* carry out different activities at different locations
* operate in different countries
* operate in different markets
* be separate companies in a group, which each have their own business units.
The largest multinational companies may comprise business units that carry out completely unrelated activities.

21
Q
  1. Discuss the management of risk at the business unit level.
A

If risk is managed at the business unit level then the parent company determines its overall risk appetite and divides this up among the business units. The business unit management team manages the risks of the business within the risk appetite they have been allocated.
Therefore each business unit feels a sense of responsibility / direct involvement in risk management. The management teams are most closely involved in understanding the risks and how to deal with them.
As risk analysis involves allocation of capital to support the risks retained by each business unit, this approach is likely to mean that the group is not making best use of its available capital.
It is clear that this approach makes no allowance for the benefits of diversification or pooling of risks. A crude approach to allow for diversification would be simply to allow the risk appetites allocated to the business units to add up to perhaps 130% or 150% of the group’s overall risk appetite.

22
Q
  1. Discuss the management of risk at the enterprise level.
A

Enterprise risk management involves considering the risks of the enterprise as a whole, rather than considering individual risks in isolation.
If risk is managed at the enterprise level then a group risk management function is established. The risks of the various business units are identified and then the results combined into a risk assessment model at the entity level.
This allows the concentration of risk arising from a variety of sources within an enterprise to be appreciated, and for the diversifying effects of risks to be allowed for.
This will also give the group management insight into the areas with resulting undiversified risk exposures where the risks need to be transferred or capital set against them. This will be an important feed into the business planning and capital allocation cycles.
Each business unit would receive capital in proportion to the risks taken, and where the greater returns are available. Enterprise risk management can then combine the individual capital requirements for each business unit into the overall capital requirements at the entity level.
The overall diversified capital requirements for the group could reduce significantly if there is significant diversification of risks across the enterprise.
The overall enterprise may have a particular risk appetite for each business unit. For example it could require each business unit to hold a particular buffer in excess of the business unit's calculated capital requirement.
Such an approach to risk management will enable the company to take advantage of opportunities to enhance value, ie if they understand their risks better they can use them to their advantage by taking greater (educated) risks in order to increase returns. Enterprise risk management is not just about reducing risk - it is also about a company putting itself into a better position to be able to take advantage of strategic risk-based opportunities.

23
Q
  1. Describe how the employees of an organisation should be involved in risk governance.
A

In an efficiently run organisation, all members of staff are stakeholders in risk governance.
In a company with a well-embedded risk culture, all employees should be looking out for risks to which the business is exposed and should be suggesting ways in which risks can be mitigated or controlled.
Reports from staff on risk should be noted and rewarded through the normal appraisal system.

24
Q
  1. Describe the Chief Risk Officer role.
A

All large companies and all providers of financial products should have a designated Chief Risk Officer. This role will normally be at the enterprise level. It will be responsible for allocating the risk budget to business units after allowing for diversification, and for monitoring the group exposure to risks and documenting the risks that have materialised and affected the group.

25
Q
  1. Describe the role of a risk manager.
A

Business units will often have a risk manager, although this function may be combined with another role, depending on size. At business unit level the responsibility is to make full use of the allocated risk budget, as well as data collection, monitoring and reporting.

26
Q
  1. Outline how customers can be involved in risk governance.
A

Organisations can also encourage their customers to note and report risks that they come across in using the company’s products or visiting the company’s premises.

27
Q
  1. List three other stakeholders that may have a strong interest in the risk governance within an organisation.
A

Other stakeholders may have a strong interest in risk governance within an organisation. This could include any shareholders of the organisation, any regulators of the organisation and credit rating agencies.