Key risk-management concepts Flashcards
Before establishing a risk-management framework, what do organisations need to do?
The risk categorisation approach chosen by an organisation will depend on what?
What is the problem with too many or too few risk categories?
Need to understand what kind of risks it currently faces or is willing to face and group these into categories based on the cause of the risk to focus on the key risks = more effective decision-making
The nature of its activities = small/less complex may use the Kaplan and Mikes 3 risk categorisation approach. Large = detailed typologies
Too many categories can make it difficult to categorise risks
Too few could mean important differences between risk types may be missed
DEFINING RISK - RISK VERSUS UNCERTAINTY
What is the distinction between risk and uncertainty?
When does uncertainty arise?
When is risk used?
In an organisational setting, most decisions or actions will contain some element of uncertainty, but what will the degree of uncertainty often depend on? (4)
Name 3 examples of uncertainty in an organisation.
What is often the common factor?
What can be used to measure the level of uncertainty of a particular risk?
Knightian uncertainty concept:
* Uncertainty = something that is unquantifiable due to the unpredictability of future event constraints = impossible to calculate (global warming is uncertain)
= arises where there is no data to allow the estimation of probability and impact
- Risk = something that can be quantified/estimated with a certain degree of confidence using statistical methods (playing roulette is risky; power failure/fire)
= used where it is possible to assign probability and impact values to the outcomes
- The chosen risk model and underlying assumptions
- Availability and quality of data
- The chosen model parameters (time horizon or frequency of data inputs)
- The chosen confidence level
A. R&D of a new product
B. Emerging risk (cyber-attacks)
C. Effects of negative media
Common factor = human element = human behaviour can be very unpredictable
Confidence intervals expressed as a % from 0 to 100
* Higher confidence level = greater confidence in the degree of accuracy that can be assigned to any statistical estimates of the risk in question
DEFINING RISK - RISK EVENTS
What is risk?
What is a risk event?
What is a loss event?
How are risk events categorised?
Risk = the effect of uncertainty on objectives, whether positive or negative
Risk event = any outcome that arises from a single decision or an action that could result in more than 1 potential outcome (Every outcome in an organisation is a risk event)
Loss event = a risk event that results in some form of loss for an organisation (financial or goodwill/reputation, death or injury)
Often categorised into a specific type of event (business or operation) to aid management and reporting
DEFINING RISK - PROBABILITY, IMPACT, AND EXPOSURE
The outcomes that result from a single decision or an action can be expressed in terms of what 2 things? What does this help an organisation understand?
What is probability? How can it be expressed for tangible and intangible risk?
What is impact? How is it estimated? How is it expressed?
What is exposure? How is it calculated?
What else should be considered when analysing risks?
Probability and severity = allows organisations to understand the likelihood and potential impact of an outcome
Probability = estimating the likelihood of a single outcome or a range of outcomes
* Can be expressed as % or decimal for tangible risk or qualitative measure (highly unlikely) for intangible risk (culture or reputation)
Impact = the scale of a particular positive or negative outcome
* Estimated in relation to how the specific objectives are affected = in financial terms (impact of losing largest client = £100,000), criticality terms (impact of losing reputation = catastrophic), or both
Exposure = the measure of probable future outcome resulting from a single decision or an action
* Probability x impact = exposure
(the greater the exposure, the greater the risk)
The time horizon over which probabilities are estimated = usually linked to the speed at which a specific risk changes:
* Financial risk = shorter time horizons
* Environmental risk = usually estimated over a 1-year (or longer) time horizon
DEFINING RISK - PURE AND SPECULATIVE RISKS
What are pure risks?
Provide 3 examples of pure risk in organisations.
What are speculative risks?
Provide 3 examples of speculative risk in organisations.
Gains may be what? (2)
Why should risks always be approached neutrally?
Pure = risks that may only have neutral or negative outcomes = no possibility of gains, only potential for loss
E.g., fire and floods, risk of injury or illness, pollution
Speculative = risks that may have three outcomes: positive, neutral or negative
E.g., R&D, M&A, fluctuations in consumer demand
* gains are usually (1) financial but can also be (2) welfare or social gains (improved health, happiness, environmental benefits)
Because ‘good’ or ‘bad’ risk categorisation is very much dependent on a specific objective
DEFINING RISK - INHERENT, RESIDUAL, AND TARGET RISKS
What is inherent risk (gross risk)?
What is residual risk (net risk)?
What happens in practice?
When is the distinction between the 2 most common?
What is target risk?
What is required where residual risk exceeds target risk?
Inherent risk (gross risk) = the level of risk exposure present with no controls/ mitigation applied
Residual risk (net risk) = the level of risk exposure present with controls/mitigation in place
Inherent risk assumes the existence of controls at current level (not no controls) and residual risk accounts for the remaining risk exposure
Most common for risks that are pure risks e.g., operational like H&S risks
Target risk = the desired level of risk exposure, usually the level required to keep the risk within appetite
*Where residual risk exceeds target risk, action taken to reduce exposure e.g., implement new controls or improve effectiveness of existing controls
DEFINING RISK - PRINCIPAL AND EMERGING RISKS
What is a principal risk?
Name 2 examples.
Where are principal risks reported?
What is the board’s role in relation to principal risks? (4)
What is emerging risk (AKA disruptive risk)?
Name 2 examples.
What is a risk profile?
Principal risk (significant or key risk) = large-scale risks to achievement of strategic objectives that may threaten business model, future performance, solvency, and liquidity = a risk that is considered material and can affect the viability of the business
E.g., talent, data security
Reported as part of the strategic annual report
UK CG Code = board must understand (1) what the principal risks are, (2) why they are considered material, (3) how they may affect the organisation and its future performance, and (4) how they are managed/mitigated
Emerging risk = the risk that does not yet affect an organisation but may develop to become a principal risk in the future
E.g., changes in consumer preferences, use of data automation techniques
Risk profile = represents a combination of all principal and emerging risks that an organisation faces
DEFINING RISK - OTHER USEFUL CONCEPTS AND DEFINITIONS
What is model risk? What can cause model risk?
What is a Tail risk (Black swan events)? Name an example.
What is cliff risk? Name an example.
What is wrong-way risk?
What is risk taxonomy?
What is fragmented taxonomy?
What is the problem with this?
The risk that the model fails or performs inadequately = choosing an incorrect model or making incorrect assumptions
Tail risk (Black swan events) = the risk arising from a highly improbable and difficult-to-predict event, or an event that has a very small probability of occurring but has widespread ramifications (high impact)
* E.g., financial crisis 2007-8 = an unexpected low-probability, high-impact risk
Cliff risk (cliff-edge risk or cliff effect) = the risk arising from an event that is probable and has widespread ramifications (high impact)
* The UK leaving the EU
Wrong-way risk = occurs when the risk exposure to a counterparty is adversely correlated to the credit quality of that counterparty
Risk taxonomy = a set of all risk categories used within an organisation
Fragmented taxonomy = different departments categorise the same risks differently
Can cause a lot of confusion = ineffective decisions
COMMON APPROACH TO RISK CATEGORISATION
What are the 4 benefits of grouping risks into categories?
Grouping risks helps:
(1) Organisations to understand the range of risks to which they may be exposed
(2) Decision-makers to narrow down key risk categories that are relevant to their organisations
(3) Organisations to establish a common risk taxonomy = improves the quality of communication and increases the effectiveness of decision-making processes
(4) Support the management of risk because different types of risk may require different management approaches
COMMON APPROACH TO RISK CATEGORISATION
What are the 6 categories used in the standard approach to risk categorisation?
How is the first one managed?
How is the last one managed?
Name 3 examples of how the other 4 risks are managed?
- Business risk
- Credit risk
- Market risk
- Liquidity risk
- Operational Risk
- Reputation risk
Business risk is managed by conducting an assessment to identify key business risks, assessing them by severity and likelihood, and then trying to reduce the high-impact/high-probability risks to an acceptable level
Reputation risk is managed through examining strategies, principal, and emerging risks to identify key drivers of reputational risk = a designated RM framework can then be created to flag reputation threats
A. statistical models
B. stress testing and scenario analysis
C. risk appetite and limits
COMMON APPROACH TO RISK CATEGORISATION - BUSINESS RISK
What is business risk?
Name 2 examples.
Why is business risk willingly assumed by organisations?
What are the 2 groups of business risk?
Name the case highlighting the consequences of poor business risk management.
= a type of non-financial risk that relates to the positive and negative outcomes that are inherent in an organisation’s operating environment
*generally intangible risks and hard to quantify
- Changes in consumer demand or supply chains
- Changes in government or regulatory policy
In order to gain a competitive advantage
Can be grouped as internal or external:
*Internal = failure of key production equipment due to maintenance
*External = natural disaster
Blockbuster = too slow to address emerging threats (streaming technology) to its business model
COMMON APPROACH TO RISK CATEGORISATION - CREDIT RISK
What is credit risk?
What are the 3 significant factors used to estimate credit risk exposure?
How is exposure measured and how is loss expressed?
What is concentration risk?
Name 2 examples.
= the risk that a borrower/counterparty will suffer a real or perceived deterioration in its credit rating, or an outright default that will make that borrower/counterparty unable to meet its outstanding obligations
*is a financial risk
- A borrower or counterparty’s cash-generation capacity
- Their level of indebtedness
- The availability of easy-to-sell assets
Exposure is measured as the amount of loss that would be realised if a borrower or counterparty actually defaults
*Expected and Unexpected loss
Concentration risk = the risk of any single exposure or a group of (possibly connected) single exposures that has a potential to result in losses that can threaten the ability of an organisation to maintain its core business activities
- E.g., if an organisation relies on one client to generate 80% of its revenues, it has a concentration risk to this client
- E.g., if an organisation relies on a group of three suppliers, all based in a country associated with an unstable political environment, to deliver a new product, it has a concentration risk to this group
COMMON APPROACH TO RISK CATEGORISATION - CREDIT RISK
What is counterparty Credit Risk (CCR)?
What is settlement risk?
Name an example and the relevant case study.
What is sovereign risk?
CCR = Credit risk which is specifically attributable to trading activities
Settlement risk = the risk of a trading transaction not settling as per pre-agreed terms and conditions in the first place
- E.g., when a counterparty fails to deliver securities against the payment
Herstatt bank
Sovereign risk = sovereigns cannot declare bankruptcy but they can default on their debt obligations
COMMON APPROACH TO RISK CATEGORISATION - MARKET RISK
What is market risk?
What is market risk also known as?
Why is market risk taken by organisations?
What are the 4 major sub-categories of market risk?
= measures the extent of change in the value of an investment due to changes in factors that affect the overall performance of the financial markets
*a financial risk
AKA systematic risk = the risk inherent to the entire market or market segment, not just a particular investment
Market risk is taken by individuals or organisations looking to make a return from an investment
- Equity risk
- Interest-rate risk
- Foreign-exchange risk
- Commodity price risk
COMMON APPROACH TO RISK CATEGORISATION - MARKET RISK
What is trading market risk?
What is non-trading market risk? (Arises from?)
What is the key driver of market risk?
How is market risk predominately measured?
Market risk can be relevant to trading and non-trading exposures:
* Trading market risk = risk of loss from a trading position
* Non-trading market risk = arises from off-balance-sheet exposures
Key driver = volatility = represents the degree of dispersion of returns for a given investment: the higher the volatility, the higher the potential for an extreme loss or a gain
*Volatility is estimated using standard deviation
Predominantly measured by using the value at risk (VaR) method