Chapter 29: Risk measurement and reporting Flashcards
Describe how the risk identification “brainstorming” approach can be extended to obtain a subjective assessment of risk exposure.
The probability and severity of each risk event are both estimated (separately) using a simple scale.
The product of the probability and severity assessments gives a score on a scale. This provides an assessment of each risk event and allows them to be ranked and prioritized.
The assessment would be carried out with and without possible risk controls.
The assessment may be recorded in a risk register.
Outline how a model could be used to assess a risk event.
Distributions need to be assigned to both the probability and severity of the risk event (unless the latter is a fixed amount rather than a RV, such as for a without profit term assurance policy).
To quantify the risk simply, the company could define an event and then use historical data to determine a probability distribution for that event. Alternatively, the frequency of the event could be defined and this could be used to determine the loss parameter.
A decision needs to be made as to whether a STOCHASTIC or DETERMINISTIC model is appropriate.
The availability of data to parameterize the model may influence the decision as to which model (if any) is used. This is particularly important when considering RARE EVENTS.
State how operational risks can be evaluated.
Operational risk in particular can be difficult to quantify. Typical approaches are:
- a broad-brush addition to other risks (for
capital requirements)
- scenario analysis
State 5 ways of evaluating risks.
- Scenario analysis
- Stress testing
- Combined stress and scenario testing
- Reverse stress testing
- Stochastic modelling
Scenario analysis
Scenario analysis looks at the financial impact of a plausible and possibly adverse set or sequence of events. It is useful where it is difficult to fit full probability distributions to risk events. It provides information of the severity but not the likelihood of the risk.
Outline the steps involved in a scenario analysis to evaluate operational risk.
- Group risks into broad categories. This
should involve input from a wider range
of senior individuals in the organization. - Develop a plausible adverse scenario of
risk events for each group of risks, which
is REPRESENTATIVE of ALL the risks in the
group. - Calculate the consequences/costs of the
risk event occurring for each scenario,
again involving senior staff. - Calculate the total costs of all risks
represented by the scenario.
Suggest categories into which operational risks might be divided for the purpose of scenario analysis.
- Fraud
- Loss of key personnel
- Mis-selling of financial products
- Calculation error in the computer system
- Loss of business premises
- Loss of company e-mail access
Stress testing
Stress testing involves assessing the impact of a specific extreme adverse event over a period of time. It is a deterministic method, commonly used to model extreme market movements, e.g. shock fall in equity values.
Outline two types of stress test.
Two types of tests are designed to:
1. Identify ‘weak areas’ in the portfolio and
investigate the effects of localized stress
situations by looking at the effect of
different combinations of correlations
and volatilities.
- Gauge the impact of major market
turmoil affecting all model parameters
while ensuring consistency between
correlations while they are stressed.
Stress scenario
Stress and scenario testing can be combined to determine a stress scenario. In this case, the stress test is performed by considering the impact of a set of related adverse conditions that reflect the chosen scenario.
Reverse stress testing
This is the construction of a severe stress scenario that only just allows the company to be able to fulfill its strategic business plan, e.g. having insufficient capital to meet solvency requirements or to cover its minimum risk appetite.
Equivalently, it is the scenario which would just be enough to stop them doing so.
The scenario might be financial or non-financial.
Although it might be an extreme scenario, it must be plausible.
Describe how a stochastic model could be used to evaluate a particular risk.
The variables that gives rise to the risk are treated as random variables with probability distributions.
The model must be dynamic, with full interactions/correlations between variables.
The model can be run to determine the amount of capital that is needs to (just) void ruin with a given probability.
Outline different approaches to limiting the scope of a stochastic model in order to make the model more practical.
- Restrict the time horizon that the model
projects. - Limit the number of variables that are
modelled stochastically and model the
other variables deterministically with
scenario testing. - Carry out a number of runs each with a
different single stochastic variable,
followed by a single deterministic run
using all the worst case scenarios
together.
List 4 ways of aggregating individual risks, in order to allow for correlations and inter-actions and to determine capital requirements.
- stochastic modelling (may be impractical)
- simple formulae
- correlation matrices
- copulas
Copulas
Functions that take as inputs marginal cumulative distribution functions and output a joint cumulative distribution function.
Different copulas are used to describe different degrees of dependence between random variables, including in the tails of distributions.
What simple formulae can be used to determine the overall capital requirements for a combination of risks, if the risk events are fully dependent?
The overall capital requirement is the sum of the individual capital requirement.
What simple formulae can be used to determine the overall capital requirements for a combination of risks, if the risk events are fully independent?
The overall capital requirement is LESS than the sum of the individual capital requirements (the difference is the diversification benefit). Under certain assumptions, the overall capital requirement can be determined as the square root of the sum of the squares of the individual risk capital requirements.
What simple formulae can be used to determine the overall capital requirements for a combination of risks, if the risk events are partially dependent?
The overall capital requirement is less than the sum of the individual risk capital requirements. The diversification benefit depends on the degree of correlation (possibly negative) between the risks.
How can liability risks be measured?
Liability risks can be measured by an analysis of experience, e.g. actual deaths divided by expected deaths.
It is important to ensure consistent classification and measurement of the risk event and the exposure to risk.
List deterministic approaches to measuring risk.
- notional approach
- factor sensitivity approach
- scenario sensitivity approach
List probabilistic approaches to measuring risk.
- deviation (including standard deviation
and tracking error) - Value at Risk (VaR)
- probability of ruin
- Tail Value at Risk (TVaR)
VaR and TVaR can be calculated using an empirical, parametric or stochastic approach or scenario analysis.
Outline 3 drawbacks of using VaR as a measure of risk.
- It is often calculated assuming a normal
distribution of returns, whereas this is
not necessarily true in practice as
distributions may be ‘fat-tailed’ or
skewed. - VaR can be calculated using a different
distribution but data is often sparse,
particularly within the tails, and it is
difficult to fit an accurate distribution. - VaR does not quantify the size of the tail,
i.e. what the loss might be beyond the
VaR confidence level.
Describe what is meant by a “risk portfolio” and what it might contain.
A risk portfolio is a means of categorizing the various risks to the company or individual. Against each risk the likely impact and probability of occurrence are recorded. The product of these measures gives an idea of the relative importance of the various risks.
The risk portfolio can be extended to indicate how each risk has been dealt with: - accepted (and how much capital is needed
to support it)
- rejected
- diversified (and a revised assessment of
the remaining combination of risks)
- transferred or managed internally (and a
revised assessment of the remaining risk)
For retained risks, the risk portfolio could also include details of control measures, reassessment after controls, risk owners, committee/senior management with oversight of the risk, identification of concentrations of risk and the need for management in these areas.
Give 10 reasons why regular risk reporting is important within a business.
FRAUD CRIME
- Financing (appropriate price, reserves,
capital requirements) - Rating agencies (to help determine
appropriate rating) - Attractiveness to investors
- Understand better (risks and their
financial impact) - Determine appropriate control systems
- Changes to risk faced over time
- Regulator
- Interactions between risks
- Monitor effectiveness of existing controls
- Emerging risk identification
