Chapter 25 - Risk Governance Flashcards
Risk Management Process consists of 5 steps:
- Risk Identification
- Risk Classification
- Risk Measurement
- Risk Control
- Risk Financing
- Risk Monitoring
Risk identification
- Is the recognition of the risks that can threaten the income and assets of an organisation.
- Necessary to determine whether a risk is systematic or diversifiable
- For each risk, it is necessary to have a preliminary identification of possible risk control processes that could be put in place which will reduce either the likelihood of the risk event occurring or the impact of the risk event should it occur.
- Identifying opportunities to exploit risks and gain a competitive advantage over other providers. Taking on risk is a potential source of profit and is the core business model for insurance and reinsurance
Risk Classification
Classifying risks into groups aids the calculation of the cost of risk and the value of diversification
It also enables a risk ‘owner’ to be allocated from the management team. The risk owner would normally be responsible for the control processes for the risk
Risk Measurement
Risk measurement is the estimation of the
- probability of a risk event occurring
- and its likely severity.
This would normally be carried out before and after application of any risk controls, and the cost of the risk controls would be included in the assessment.
Risk measurement gives the basis for evaluating and selecting methods of risk control and whether the risk should be:
- declined
- transferred
- mitigated
- retained with or without controls
Risk Control
Risk control involves deciding whether to reject, fully accept or partially accept each identified risk. This stage also involves identifying different possible mitigation options for each risk that requires mitigation.
Risk control measures are systems that aim to mitigate the risks or the consequences of risk events by:
- Reducing the probability of a risk occurring
- Limiting the financial consequences of a risk
The financial consequences comprise the losses if the risk event occurs, together with the costs of mitigation techniques used, such as insurance premiums.
- Limiting the severity of the effects of a risk that does occur. In particular, reducing significantly the probability of catastrophic loss. Insurance would be a common way of achieving this
- Reducing the consequences of a risk that does occur
A risk that gives rise to serious exposures to the organisation must be a priority candidate for the application of control techniques
Frequently risk mitigation techniques involve management actions to be taken when certain trigger points are reached (for example, to protect a portfolio value, or to reduce the amount of risk being accepted)
Risk Financing
Risk financing involves:
- determining the likely cost of each risk (including the cost of any mitigations and the expected losses and cost of capital arising from retained risk)
- ensuring the organisation has sufficient financial resources available to continue its objectives after a loss event occurs
Risk Monitoring
Having decided that all or part of a risk should be retained, with or without controls, the risks should be monitored.
Risk monitoring is the regular review and re-assessment of all the risks previously identified, coupled with an overall business review to identify new or previously omitted risks.
It is important to establish a clear management responsibility for each risk in order that monitoring and control procedures can be effective.
Benefits of a Risk Management Process
Through an effective risk management process, a provider of financial benefits will be able to:
- avoid surprises
- react more quickly to emerging risks
- improve stability (i.e. reduce earnings volatility) and quality of their business
- improve growth and returns by exploiting risk opportunities
- improve growth and returns through better management and allocation of capital
- identify aggregate risk exposure and assess interdependencies (i.e. concentration of risk, diversification benefits, natural synergies)
- integrate risk into business processes (e.g. pricing) and strategic decision making (e.g. product development, mergers and acquisitions, etc)
- give stakeholders business confidence that the business is well managed
Ideally, in the management of risk, providers need to look to find the optimal set of strategies that balance the needs for return, growth and consistency. The risk management process should:
- incorporate all risks, both financial and non-financial
- evaluate all relevant strategies for managing risk, both financial and non-financial
- consider all relevant constraints, including political, social, regulatory and competitive
- exploit the hedges and portfolio effects among the risks
- exploit the financial and operational efficiencies within the strategies
Systematic vs Diversifiable Risk
Systematic risk is risk that affects an entire financial market or system, and not just specific participants. It is not possible to avoid systematic risk through diversification.
In the context of investment markets, the risk of a decline in the market as a whole, with all stocks being affected, is a systematic risk. Assuming that the investor is required to participate in the market, the risk cannot be avoided.
Diversifiable risk arises from an individual component of a financial market or system.
In the context of investment markets, diversifiable risk occurs when the value of an individual security falls. A rational investor should not take on any diversifiable risk, as only non-diversifiable risks are rewarded within the scope of most financial systems
Therefore, the required return on an asset, that is, the return that compensates for risk taken, must be linked to its riskiness in a portfolio context – i.e. its contribution to overall portfolio riskiness – as opposed to its ‘stand-alone riskiness’.
Enterprise Risk Management
All but the simplest businesses comprise a number of business units. These units might:
- carry out different types of activity within the same company (e.g. finance, marketing, IT, customer administration)
- carry out activities in different industry sectors (e.g. financial, manufacturing) or in different areas within the same sector (e.g. banking, insurance)
- operate in different locations, countries or markets.
The largest multinational companies may comprise business units that carry out completely unrelated activities.
A decision must be made as to whether risk should be managed at:
- the business unit level
- the group (or enterprise) level, with this approach called enterprise risk management.
One approach to risk management would be for the parent company to determine its overall risk appetite and to divide this up among the business units. Just as each business unit has its own management team to run its business, the business unit management team manages the risks of the business within the risk appetite they have been allocated.
As risk analysis involves allocation of capital to support the risks retained by each business unit, this approach is likely to mean that the group is not making best use of its available capital.
It is clear that this approach makes no allowance for the benefits of diversification or pooling of risks. A crude approach to allow for diversification would be simply to allow the risk appetites allocated to the business units to add up to perhaps 130% or 150% of the group’s overall risk appetite.
Managing Enterprise Risk
A preferable approach is to establish the group risk management function as a major activity at the enterprise level.
The group can then impose similar risk assessment procedures on the various business units, which will enable the results from the various models to be combined into a risk assessment model at the entity level.
By examining risk at group level, allowance can be made for pooling of risk, diversification achievable and economies of scale. This should prove to be the most capital efficient way of managing risk.
Enterprise risk management involves considering the risks of the enterprise as a whole, rather than considering individual risks in isolation. This allows the concentration of risk arising from a variety of sources within an enterprise to be appreciated, and for the diversifying effects of risks to be allowed for.
This will also give the group management insight into the areas with resulting undiversified risk exposures where the risks need to be transferred or capital set against them. This will be an important feed into the business planning and capital allocation cycles.
Such an approach to risk management will enable the company to take advantage of opportunities to enhance value, i.e. if they understand their risks better, they can use them to their advantage by taking greater (educated) risks in order to increase returns. Enterprise risk management is not just about reducing risk – it is also about a company putting itself into a better position to be able to take advantage of strategic risk-based opportunities.
Stakeholders in Risk Governance
- Internal Stakeholders including staff, managers and mainly the Chief Risk Officer
- Central Risk Function (CRF). This might be a team of specialist risk managers, or could be just one person in small organisations. The CRF does not normally manage risks itself – this is the responsibility of line managers in most businesses.
However, its role should include:
- giving advice to the board on risk
- assessing the overall risks being run by the business (taking account of hidden risks and correlations, as well as general uncertainty)
- making comparisons of the overall risks being run by the business with its risk appetite
- acting as a central focus point for staff to report new and enhanced risks
- giving guidance to line managers about the identification and management of risks, making suggestions for risk responses
- monitoring progress on risk management, and
- pulling the whole picture together
- External Stakeholders
Organisations can also encourage their customers to note and report risks that they come across in using the company’s products or visiting the company’s premises.
Other stakeholders may have a strong interest in risk governance within an organisation. This could include any shareholders of the organisation, any regulators of the organisation and credit rating agencies