Chapter 25 - Risk Governance Flashcards

1
Q

List the 6 stages in the risk management control cycle.

A

ICM CFM

  1. Risk identification
  2. Risk classification
  3. Risk measurement
  4. Risk control
  5. Risk financing
  6. Risk monitoring
2
Q

The risk identification stage of the process is more than just recognizing the risks to which an organization is exposed.

Outline the other aspects that should be identified or determined at this stage.

A

The following should be determined / identified:

  1. Whether each risk is systematic or diversifiable
  2. Possible risk control processes that could be put in place for each risk
  3. Opportunities to exploit risks to gain a competitive advantage
  4. The organization’s risk appetite or risk tolerance
3
Q

Risk classification

A

Classifying risks into groups aids the calculation of the cost of the risk and the value of diversification.

4
Q

Risk measurement

A

Risk measurement is the estimation of the probability of a risk event occurring and its likely severity.

5
Q

Risk control

A

Risk control involves determining and implementing methods of risk mitigation.

Risk control measures are identified to mitigate the risks or consequences of risk events by:
1. Reducing the probability of a risk occurring
2. Limiting the severity of the effects of a risk that does occur
3. Reducing the consequences of a risk that does occur

6
Q

What is risk financing?

A

Risk financing is the determination of the likely cost of a risk and making sure that the organization has sufficient financial resources available to continue to meet its objectives after a loss event occurs.

The likely cost of a risk includes the expected losses, the cost of risk mitigation measures such as insurance premiums, and the cost of capital that has to be held against retained risk.

7
Q

What is risk monitoring?

A

I EAR

  • IDENTIFY new risks or changes in the nature of existing risks
  • determine if the EXPOSURE to risk or the organisation’s risk appetite has changed over time
  • ASSESS whether the existing risk management process is effective
  • REPORT on risks that have actually occurred and how they were managed
8
Q

Benefits of risk management process

A

SAMOSAS PJET

  • improve STABILITY and quality of business
  • AVOID surprises
  • improve their growth and returns through better MANAGEMENT and allocation of capital
  • improve their growth and returns by exploiting risk OPPORTUNITIES
  • identify opportunities arising from natural SYNERGIES
  • identify opportunities arising from risk ARBITRAGE
  • give STAKEHOLDERS the confidence that the business is well managed
  • PRICE products to reflect the inherent level of risk
  • improve JOB security and reduce variability in costs
  • detect risks EARLIER: cheaper and easier to deal with
  • determine cost-effective ways of risk TRANSFER
9
Q

Requirements of risk management process

A

CHAOS

  • consider all relevant CONSTRAINTS
  • exploit HEDGES and portfolio effects among risks
  • incorporate ALL risks (both financial and non-financial)
  • exploit OPERATIONAL and financial efficiencies within strategies
  • evaluate all relevant STRATEGIES for managing risk
10
Q

Explain the difference between “risk” and “uncertainty”

A

“Uncertainty” means that an outcome is unpredictable.

“Risk” is a consequence of an action that is taken which involves some element of uncertainty, but there may be some certainty about some components of the risk.

11
Q

Systematic risk

A

Risk that affects an entire financial market or system, and not just specified participants. It is not possible to avoid systematic risk through diversification.

12
Q

Diversifiable risk

A

Risk that arises from an individual component of a financial market or system. An investor is unlikely to be rewarded for taking on diversifiable risk since, by definition, it can be eliminated by diversification.

13
Q

What does it mean to manage risk at the business unit level and what are the key disadvantages to this approach?

A

The parent company would determine its overall risk appetite and then divide it among the business units.

Each business unit would then manage its risk within the allocated risk appetite.

The key disadvantages of the approach are that it makes no allowance for the benefits of diversification or pooling of risk, and the group is unlikely to be making best use of its available capital.

14
Q

What does it mean to manage risk at the enterprise level?

A

Enterprise risk management means that risks are managed at the enterprise or group level rather than by each business unit separately, with all risks being considered as a whole.

15
Q

What are the benefits of risk management at the enterprise level?

A

CUPPED

  • Capital efficiency as capital can be targeted
  • Understanding the risks better and so adding value by exploiting risk as an opportunity
  • Pooling of risks
  • Providing insight into risk in different parts of business, including identification of unacceptable concentrations
  • Economies of scale in terms of the risk management process
  • Diversification, including being able to identify undiversified areas of risk
16
Q

What are the 3 lines of defence in risk management?

A

The first line of defence - line management staff in the business units:
- accountable for measuring and managing risk in individual business units on a daily basis

The second line of defence - the CRO, risk management team:
- accountable for establishing risk and compliance programmes and policies, supporting and monitoring the line management and reporting to the board

The third line of defence - the board and audit function:
- accountable for effective governance of the risk management process, setting risk management strategy, approving policies and ensuring that enterprise risk management is effective

17
Q

What is the role of a central risk function?

A

The CRF does not manage risk itself (this is the responsibility of line managers), but its role includes:

GAMMA GP

  • giving GUIDANCE to line managers about the identification and management of risks
  • ACTING as a central focus point for staff to report new and enhanced risks
  • MAKING comparisons of the overall risks being run by the business with its risk appetite
  • MONITORING progress on risk management
  • ASSESSING the overall risks being run by the business
  • GIVING advice to the board on risk
  • PULLING the whole picture together
18
Q

Key responsibilities of CRO

A

MOLD CARD

  • MANAGING the various risk functions
  • ONGOING risk policy development
  • providing LEADERSHIP and direction
  • DESIGNING and implementing an ERM framework across the company
  • COMMUNICATING with stakeholders about the organisation’s risk profile
  • ALLOCATION of capital across the firm
  • RISK reporting
  • DEVELOPING systems to analyse, monitor and manage risk
19
Q

Factors to consider when setting risk governance structure

A

RICE SAN

  • scope of the RISKS faced by the business
  • INCORPORATING risk management into the business processes - designing, pricing
  • COSTS vs benefits
  • the structure of the EXISTING risk management framework
  • the SIZE of the business
  • the AUTONOMY and accountability of the elements in the current corporate structure
  • the NATURE of the business
20
Q

Describe 3 possible relationships between the first 2 lines of defence in a risk management model.

A

Offence vs defence
- CRO and managers are set up in opposition with each other
- Managers want to focus on maximising profitability, CRO on minimising risks/losses
- Potentially destructive relationship – opposite objectives

Policy and policing
- Managers need to operate within rules set by CRO
- CRO, with audit/compliance, monitors
- Policies can become out of date
- Infrequent reviews
- Friction between CRO/managers if rules feel overly restrictive
- Little incentive to report problems (fear of consequences)

Partnership
- CRO staff integrated into individual companies’ management
- Client-consultant-type relationships
- Benefits in the longer term – NB to recognise
- CRO staff need to be responsive to companies’ needs
- May suffer from lack of independence