Chapter 25 - Risk governance

Question 1

Define Enterprise Risk Management (ERM).

Answer 1

Identify potential risk events and opportunities

Involves managing risk to be within company’s risk appetite

It is applied in strategy setting across the enterprise.

Try provide reasonable assurance regarding the achievement of entity objectives..

A process effected by an entity’s board of directors, management and other personnel.

Question 2

List the main aims of ERM?

Answer 2

(See also list on first page of section 2)

Align risk appetite and strategy

Enhance risk response decisions

Reduce adverse operational surprises and losses

Identify and manage multiple cross-enterprise risks

Seize risk opportunities

Improve deployment of capital

Question 3

Discuss the key steps involved in the risk management process/cycle (notes)?

Answer 3

Risk identification

• Recognise risks that can threaten assets of an organisation, or possibly increase liabilities
• Needs to be comprehensive
• Also identify as systematic or diversifiable
• Identify possible control processes
• Identify opportunities to exploit risks and gain a competitive advantage over other providers
• Risk appetite is set by board and management

Risk classification

• Group identified risks into categories
• Aids diversification and calculation of cost of risk
• Allows allocation of different risks to areas or management teams in the business

Risk measurement

• Estimation of the probability of the risk event occurring multiplied by its estimated severity
• Also include cost of possible risk controls

Risk control

• Determining and implementing methods of risk mitigation
• Risk controls can be selected based on possible size of risk, such as rejecting, transferring, mitigating (reducing), or retaining risk
• Mitigate risk by reducing probability of event or limiting financial or other consequences of risk
• Can involve taking action when certain trigger points are reached which indicate risk has occurred
• Numerous control options should be compared with the aim of identifying the optimal solution

Risk financing

• Determine likely cost of each risk, including the cost of any mitigation systems
• Ensure solvency after risk event occurs with high probability

Risk monitoring

• Regular review and re-assessment of risks and risk mitigation systems
• Identify and mitigate previously unidentified or new risks
• Establish clear management responsibilities
• Identify why experience is different to what was expected (if this is the case)

Question 4

List the benefits of the risk management process (notes).

Answer 4

Avoid unwanted surprises

Improve the stability and quality of business

Improve returns and company growth by

• exploiting risk opportunities
• better management and allocation of capital

Identify opportunities arising from natural synergies
- This is when risks offset or compliment each other and reduce the overall risk

Identify opportunities from risk arbitrage
- This is when a company’s “view” on the cost of a risk or risk management system is lower than another’s and leading to possible mispricings

Give stakeholders confidence that the business is well managed and can handle adverse consequences efficiently.

Avoid interference from regulator/state

Question 5

What considerations should be made when utilising the risk management process/cycle?

Answer 5

All risks should be incorporated
- Both financial and non-financial

All relevant strategies should be evaluated
- For both financial and non-financial risks

All relevant constraints should be considered

• Political constraints
• Social constraints
• Regulatory constraints
• Competitive constraints

When setting strategies

• Hedges and risk synergies should be exploited where possible
• Financial and operational efficiencies should be exploited where possible

Question 6

Compare managing risk at the business and enterprise level.

Answer 6

Business unit level

• Managing risk at the business unit level of the company requires that the company divides its overall risk appetite up among the business units.
• Just as each business unit then has its own management team to run the business, the team also manages the risk within the appetite they have been allocated.

Business unit level - Positives

• Relatively easy and cheap to implement
• Should be easy to understand

Business unit level - Negatives

• Makes no allowance for diversification of risks across units
• Unlikely to lead to most efficient use of capital

Enterprise level

• The group risk management function is established as a major activity at the enterprise level.
• Models/analysis/results from the risk exposures at the business unit level are then combined into an assessment model at the enterprise level.

Enterprise level - Positives

• Explicit allowance for diversification across business units
• Better overall understanding of enterprise’s risk position

Enterprise level - Negatives

• Expensive / complex to establish
• Sometimes difficult to communicate

Question 7

Read through pp. 15-21

Answer 7

Topics are:

Internal stakeholders

• Should be all members of staff
• 3 lines of defence
  1) Line management staff in business units
  2) CRO, risk management team and compliance team
  3) Board and audit function

ERM and the board

Line management

CRO and central risk function

Relationship between first two lines of defence

Incorporating risk management into business management processes

External stakeholders

Question 8

Define risk management

Answer 8

Identifying/understanding risks an organisation is exposed to and ensuring it is prepared to deal with them.