Key risk-management concepts Flashcards

1
Q

Before establishing a risk-management framework, what do organisations need to do?

The risk categorisation approach chosen by an organisation will depend on what?

What is the problem with too many or too few risk categories?

A

Need to understand what kinds of risks it currently faces or is willing to face, and group these into categories based on the cause of the risk so that it can focus on the key risks = more effective decision-making

The nature of its activities = small/less complex organisations may use the Kaplan and Mikes 3-risk categorisation approach; large organisations = detailed typologies

Too many categories can make it difficult to categorise risks
Too few could mean important differences between risk types may be missed

2
Q

DEFINING RISK - RISK VERSUS UNCERTAINTY

What is the distinction between risk and uncertainty?

When does uncertainty arise?

When is risk used?

In an organisational setting, most decisions or actions will contain some element of uncertainty, but what will the degree of uncertainty often depend on? (4)

Name 3 examples of uncertainty in an organisation.

What is often the common factor?

What can be used to measure the level of uncertainty of a particular risk?

A

Knightian uncertainty concept:
* Uncertainty = something that is unquantifiable due to the unpredictability of future event constraints = impossible to calculate (global warming is uncertain)
  = arises where there is no data to allow the estimation of probability and impact
* Risk = something that can be quantified/estimated with a certain degree of confidence using statistical methods (playing roulette is risky; power failure/fire)
  = used where it is possible to assign probability and impact values to the outcomes
  1. The chosen risk model and underlying assumptions
  2. Availability and quality of data
  3. The chosen model parameters (time horizon or frequency of data inputs)
  4. The chosen confidence level

A. R&D of a new product
B. Emerging risk (cyber-attacks)
C. Effects of negative media

Common factor = human element = human behaviour can be very unpredictable

Confidence intervals expressed as a % from 0 to 100
* Higher confidence level = greater confidence in the degree of accuracy that can be assigned to any statistical estimates of the risk in question

3
Q

DEFINING RISK - RISK EVENTS

What is risk?

What is a risk event?

What is a loss event?

How are risk events categorised?

A

Risk = the effect of uncertainty on objectives, whether positive or negative

Risk event = any outcome that arises from a single decision or an action that could result in more than 1 potential outcome (Every outcome in an organisation is a risk event)

Loss event = a risk event that results in some form of loss for an organisation (financial or goodwill/reputation, death or injury)

Often categorised into a specific type of event (business or operation) to aid management and reporting

4
Q

DEFINING RISK - PROBABILITY, IMPACT, AND EXPOSURE

The outcomes that result from a single decision or an action can be expressed in terms of what 2 things? What does this help an organisation understand?

What is probability? How can it be expressed for tangible and intangible risk?

What is impact? How is it estimated? How is it expressed?

What is exposure? How is it calculated?

What else should be considered when analysing risks?

A

Probability and severity = allows organisations to understand the likelihood and potential impact of an outcome

Probability = estimating the likelihood of a single outcome or a range of outcomes
* Can be expressed as % or decimal for tangible risk or qualitative measure (highly unlikely) for intangible risk (culture or reputation)

Impact = the scale of a particular positive or negative outcome
* Estimated in relation to how the specific objectives are affected = in financial terms (impact of losing largest client = £100,000), criticality terms (impact of losing reputation = catastrophic), or both

Exposure = the measure of probable future outcome resulting from a single decision or an action
* Probability x impact = exposure
(the greater the exposure, the greater the risk)

The time horizon over which probabilities are estimated = usually linked to the speed at which a specific risk changes:
* Financial risk = shorter time horizons
* Environmental risk = usually estimated over a 1-year (or longer) time horizon

5
Q

DEFINING RISK - PURE AND SPECULATIVE RISKS

What are pure risks?

Provide 3 examples of pure risk in organisations.

What are speculative risks?

Provide 3 examples of speculative risk in organisations.

Gains may be what? (2)

Why should risks always be approached neutrally?

A

Pure = risks that may only have neutral or negative outcomes = no possibility of gains, only potential for loss
E.g., fire and floods, risk of injury or illness, pollution

Speculative = risks that may have three outcomes: positive, neutral or negative
E.g., R&D, M&A, fluctuations in consumer demand
* gains are usually (1) financial but can also be (2) welfare or social gains (improved health, happiness, environmental benefits)

Because ‘good’ or ‘bad’ risk categorisation is very much dependent on a specific objective

6
Q

DEFINING RISK - INHERENT, RESIDUAL, AND TARGET RISKS

What is inherent risk (gross risk)?

What is residual risk (net risk)?

What happens in practice?

When is the distinction between the 2 most common?

What is target risk?

What is required where residual risk exceeds target risk?

A

Inherent risk (gross risk) = the level of risk exposure present with no controls/ mitigation applied

Residual risk (net risk) = the level of risk exposure present with controls/mitigation in place

In practice, inherent risk assumes the existence of controls at their current level (not the absence of all controls), and residual risk accounts for the remaining risk exposure

Most common for risks that are pure risks e.g., operational risks such as H&S risks

Target risk = the desired level of risk exposure, usually the level required to keep the risk within appetite

* Where residual risk exceeds target risk, action is taken to reduce exposure e.g., implement new controls or improve the effectiveness of existing controls

7
Q

DEFINING RISK - PRINCIPAL AND EMERGING RISKS

What is a principal risk?

Name 2 examples.

Where are principal risks reported?

What is the board’s role in relation to principal risks? (4)

What is emerging risk (AKA disruptive risk)?

Name 2 examples.

What is a risk profile?

A

Principal risk (significant or key risk) = large-scale risks to achievement of strategic objectives that may threaten business model, future performance, solvency, and liquidity = a risk that is considered material and can affect the viability of the business

E.g., talent, data security

Reported as part of the strategic annual report:

UK CG Code = board must understand (1) what the principal risks are, (2) why they are considered material, (3) how they may affect the organisation and its future performance, and (4) how they are managed/mitigated

Emerging risk = the risk that does not yet affect an organisation but may develop to become a principal risk in the future

E.g., changes in consumer preferences, use of data automation techniques

Risk profile = represents a combination of all principal and emerging risks that an organisation faces

8
Q

DEFINING RISK - OTHER USEFUL CONCEPTS AND DEFINITIONS

What is model risk? What can cause model risk?

What is a Tail risk (Black swan events)? Name an example.

What is cliff risk? Name an example.

What is wrong-way risk?

What is risk taxonomy?

What is fragmented taxonomy?

What is the problem with this?

A

Model risk = the risk that the model fails or performs inadequately = caused by choosing an incorrect model or making incorrect assumptions

Tail risk (Black swan events) = the risk arising from a highly improbable and difficult-to-predict event, or an event that has a very small probability of occurring but has widespread ramifications (high impact)
* E.g., financial crisis 2007-8 = an unexpected low-probability, high-impact risk

Cliff risk (cliff-edge risk or cliff effect) = the risk arising from an event that is probable and has widespread ramifications (high impact)
* E.g., the UK leaving the EU

Wrong-way risk = occurs when the risk exposure to a counterparty is adversely correlated to the credit quality of that counterparty

Risk taxonomy = a set of all risk categories used within an organisation

Fragmented taxonomy = different departments categorise the same risks differently

Can cause a lot of confusion = ineffective decisions

9
Q

COMMON APPROACH TO RISK CATEGORISATION

What are the 4 benefits of grouping risks into categories?

A

Grouping risks helps:
(1) Organisations to understand the range of risks to which it may be exposed

(2) Decision-makers to narrow down key risk categories that are relevant to their organisations

(3) Organisations to establish a common risk taxonomy = improves the quality of communication and increases the effectiveness of decision-making processes

(4) Support the management of risk because different types of risk may require different management approaches

10
Q

COMMON APPROACH TO RISK CATEGORISATION

What are the 6 categories used in the standard approach to risk categorisation?

How is the first one managed?

How is the last one managed?

Name 3 examples of how the other 4 risks are managed?

A
  1. Business risk
  2. Credit risk
  3. Market risk
  4. Liquidity risk
  5. Operational Risk
  6. Reputation risk

Business risk is managed by conducting an assessment to identify key business risks, assessing them by severity and likelihood, and then trying to reduce the high-impact/high-probability risks to an acceptable level

Reputation risk is managed through examining strategies, principal risks and emerging risks to identify the key drivers of reputational risk = a designated RM framework can then be created to flag reputation threats

A. statistical models
B. stress testing and scenario analysis
C. risk appetite and limits

11
Q

COMMON APPROACH TO RISK CATEGORISATION - BUSINESS RISK

What is business risk?

Name 2 examples.

Why is business risk willingly assumed by organisations?

What are the 2 groups of business risk?

Name the case highlighting the consequences of poor business risk management.

A

= a type of non-financial risk that relates to the positive and negative outcomes that are inherent in an organisation’s operating environment
* Generally intangible risks and hard to quantify

  1. Changes in consumer demand or supply chains
  2. Changes in government or regulatory policy

In order to gain a competitive advantage

Can be grouped as internal or external:
* Internal = failure of key production equipment due to maintenance
* External = natural disaster

Blockbuster = too slow to address emerging threats (streaming technology) to its business model

12
Q

COMMON APPROACH TO RISK CATEGORISATION - CREDIT RISK

What is credit risk?

What are the 3 significant factors used to estimate credit risk exposure?

How is exposure measured and how is loss expressed?

What is concentration risk?

Name 2 examples.

A

= the risk that a borrower/counterparty will suffer a real or perceived deterioration in its credit rating, or an outright default that will make that borrower/counterparty unable to meet its outstanding obligations
* Is a financial risk

  1. A borrower or counterparty’s cash-generation capacity
  2. Their level of indebtedness
  3. The availability of easy-to-sell assets

Exposure is measured as the amount of loss that would be realised if a borrower or counterparty actually defaults
* Loss is expressed as expected and unexpected loss

Concentration risk = the risk of any single exposure or a group of (possibly connected) single exposures that has a potential to result in losses that can threaten the ability of an organisation to maintain its core business activities

  • E.g., if an organisation relies on one client to generate 80% of its revenues, it has a concentration risk to this client
  • E.g., if an organisation relies on a group of three suppliers, all based in a country associated with an unstable political environment, to deliver a new product, it has a concentration risk to this group
13
Q

COMMON APPROACH TO RISK CATEGORISATION - CREDIT RISK

What is counterparty Credit Risk (CCR)?

What is settlement risk?

Name an example and the relevant case study.

What is sovereign risk?

A

CCR = Credit risk which is specifically attributable to trading activities

Settlement risk = the risk of a trading transaction not settling as per pre-agreed terms and conditions in the first place

* E.g., when a counterparty fails to deliver securities against the payment
  Case study: Herstatt Bank

Sovereign risk = the risk that a sovereign defaults on its debt obligations (sovereigns cannot declare bankruptcy, but they can default on their debt obligations)

14
Q

COMMON APPROACH TO RISK CATEGORISATION - MARKET RISK

What is market risk?

What is market risk also known as?

Why is market risk taken by organisations?

What are the 4 major sub-categories of market risk?

A

= measures the extent of change in the value of an investment due to changes in factors that affect the overall performance of the financial markets
* A financial risk

AKA systematic risk = the risk inherent to the entire market or market segment, not just a particular investment

Market risk is taken by individuals or organisations looking to make a return from an investment

  1. Equity risk
  2. Interest-rate risk
  3. Foreign-exchange risk
  4. Commodity price risk
15
Q

COMMON APPROACH TO RISK CATEGORISATION - MARKET RISK

What is trading market risk?

What is non-trading market risk? (Arises from?)

What is the key driver of market risk?

How is market risk predominantly measured?

A

Market risk can be relevant to trading and non-trading exposures:
* Trading market risk = risk of loss from a trading position
* Non-trading market risk = arises from off-balance-sheet exposures

Key driver = volatility = represents the degree of dispersion of returns for a given investment: the higher the volatility, the higher the potential for an extreme loss or a gain
* Volatility is estimated using standard deviation

Predominantly measured by using the value at risk (VaR) method

16
Q

COMMON APPROACH TO RISK CATEGORISATION - LIQUIDITY RISK

What are the 2 types of liquidity risks?

Organisations must keep what?

Which case shows how an organisation that funds its long-term assets with short-term loans can easily suffer a liquidity squeeze during stock-market turbulence?

A
  1. Asset liquidity risk = an asset’s degree of illiquidity – the inability to easily sell this asset
  2. Funding liquidity risk = the risk that an organisation is unable to fulfil its payment obligations in a timely manner in normal or stressed market conditions

A minimum amount of cash/liquid assets to cover day-to-day liquidity needs, and fund long-term assets with long-term loans

Northern Rock bank

17
Q

COMMON APPROACH TO RISK CATEGORISATION - OPERATIONAL RISK

What is operational risk?

Where do operational risks arise and what are they closely linked to?

Name 3 examples of operational risks.

Operational risk typically includes what 3 sub-risks?

Which case shows how an operational risk event can be a cause of a material financial loss?

A

= the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events
* Generally pure risks that can only result in losses

Risks arise within the business as usual operations and are closely linked to factors such as organisational culture, the internal controls environment, contingency planning and crisis management

  1. Fraud by staff, customer or 3rd-parties (including fat-finger error = £100 million instead of £10 million)
  2. Damage to physical assets, such as due to fire or flood, or H&S incidents
  3. Security breaches e.g., cyber-attacks

(1) legal risk = the risk that an organisation will be unable to meet its obligations as required by law
(2) regulatory-compliance risk = arises when an organisation may be in violation of applicable laws and regulations
(3) data-quality risk = the risk that data used to calculate internal or regulatory risk exposures is incomplete or incorrect

Allied Irish Bank = In 2002 one of its employees was exposed for entering a large number of unauthorised trades causing $700 million losses = incident exposed weak operational controls and attracted a lot of negative publicity as well as regulatory attention

18
Q

COMMON APPROACH TO RISK CATEGORISATION - REPUTATIONAL RISK

What is reputational risk?

How does The Reputation Institute define reputation and reputation risk?

Reputational risk is often associated with what?

How else can reputational risk be caused?

What needs to happen in the background of an organisation with regards to reputational risk?

A

= a risk of loss resulting from damages to the reputation of an organisation, the value of its brand and perceived goodwill
* A strategic risk

Reputation = ‘the level of trust, admiration, good feeling, and overall esteem a stakeholder has for that organisation’

Reputation risk = an event that will negatively affect the relationship between an organisation and its stakeholders

Often associated with some kind of a risk event i.e. a large-scale operational incident

Can be caused by employees’ actions (employee risk), such as ethical lapses or criminal offence = good corporate culture and training is essential

A range of contingency and crisis planning, training and testing activities needs to happen in the background = ensure that contingency- and crisis-management teams are ready to respond to any reputational threat at any time

19
Q

COMMON APPROACH TO RISK CATEGORISATION - REPUTATIONAL RISK

What are 3 benefits of a good reputation?

Damage to a reputation often corresponds with what 6 things?

Which case shows how reputational loss can be entirely driven by statements made by the CEO?

A

Good reputation:
(1) Gives an organisation a competitive advantage
(2) Attracts more customers and high-quality employees
(3) Contributes to lower overall marketing and financing costs

Damage to a reputation often corresponds with:
1. Negative publicity
2. Increased regulatory scrutiny
3. Litigation costs
4. Loss of customers and key employees
5. Loss of CEO, chair of the board, or both
6. Fall in share price

The Ratner Group = CEO said jewellery was cheap and rubbish

20
Q

ALTERNATIVE APPROACHES TO RISK CATEGORISATION - 3 RISK CATEGORISATION

What is the 3 risk categorisation framework?

How are each of the risks best managed?

What 3 things does this approach highlight?

A

Kaplan and Mikes (2012) risk categorisation framework segregates all organisational risks into 3 categories:

(1) Preventable risks = internal risks faced by organisations that are controllable e.g., employee risk

Manage through active prevention = monitoring risky activities and guiding human behaviours

(2) Strategy risks = risks assumed by organisations willingly in order to gain a competitive advantage and to achieve their objectives e.g., credit risk

Manage through a framework

(3) External risks = risks external to an organisation and are beyond its influence or control e.g., natural disasters

Manage through identification and mitigation actions = business continuity and contingency planning

Highlights:
1. Organisations cannot achieve objectives without taking risks
2. Not all risks can be directly controlled
3. Weaknesses in risk governance and control are the central cause of human-made risk events

21
Q

ALTERNATIVE APPROACHES TO RISK CATEGORISATION - THE ORANGE BOOK CLASSIFICATION

How does The Orange Book categorise risks that could be useful to non-financial organisations? (5 and 13)

A

Categorises 5 risk types:
1. Business
2. Financial
3. Operational
4. Project
5. Reputation

into 13 categories:
(1) Business = commercial, strategy
(2) Financial
(3) Operational = governance, information, legal, operations, people, property, security, technology
(4) Project
(5) Reputation

22
Q

RISK AND INTERNAL CONTROL FAILURE

What are internal control risks?

Where may they arise from? (2)

Whose responsibility is it to ensure that internal control risks are mitigated appropriately?

Name the relevant case study.

A

= risks related to the governance and internal control activities of an organisation

May arise from processes, systems and controls that an organisation has in place to manage its employees and managers:
(1) Poorly designed processes, systems and controls may increase the potential for innocent mistakes or deliberate acts
(2) Weaknesses in policies, procedures and staff training

Board and senior management (SM)

The London Interbank Offer Rate (LIBOR) and Barclays:
* Barclays staff manipulated the interest rates reported to LIBOR during and after the financial crisis of 2007–08 to make Barclays appear financially stronger than it was
* Barclays’ management and recruitment policy focused on ‘winning’ = encouraged malpractice from employees
* Barclays’ SM and board were criticised for not making clear the codes of behaviour that all staff should adhere to while at work
* Received a large fine from UK and US regulators

23
Q

RISK INTERCONNECTIVITY

Why are risks becoming much more complex, impactful and interconnected?

How is interconnectedness expressed?

What is another way to appreciate the interconnectedness of risks?

There has been a growing recognition that traditional risk-management approaches do not adequately capture interconnected risks.

What can help organisations to identify and manage interconnected risks?

Interconnected risk-management is often focused on what?

A

Due to rise in globalisation, innovation, and technological advances.

In statistics = by correlation, which measures the extent to which different variables move together
* Positive correlation = variables will increase/decrease together

Look at how one risk can trigger the occurrence of another

The use of ‘what if’ scenarios helps to identify risk connections and organisation-specific vulnerabilities

Strengthening operational resilience and emergency response

24
Q

RISK PERCEPTION

There is debate on whether risk can/should only be expressed in objective terms i.e., probability x impact = exposure.

What are the 5 challenges that arise when viewing risk as a statistical concept that can be quantified using the above equation?

How can risk perceptions affect decision-makers?

A
  1. The choice of a specific statistical model, underlying assumptions, model parameters, and a confidence interval is a subjective action
  2. The output is only as good as the input = patchy data can skew the results
  3. Many risk models use historical data to predict future risk events and rely on supporting subjective judgements
  4. Not every risk can be quantified using conventional statistical methods
  5. Even where risks can be quantified, decision-makers may not interpret their findings in an objective manner = different people would make different estimates and conclusions about the same risk

Risk perceptions may affect how they view risk and may cause them to over- or under-estimate the level of risk

25
Q

RISK PERCEPTION - UNQUANTIFIABLE RISK

What is unquantifiable risk?

Name 3 examples.

How do organisations manage such risks?

Name an example.

A

= the risk that cannot be measured using conventional statistical methods
(usually due to lack of relevant or quantifiable data)

E.g., reputational risk, compliance risk, or corporate culture health

Organisations use a combination of quantitative and qualitative solutions

E.g., one way to measure an organisational culture is to build a framework that would combine quantitative inputs (a number of whistleblower complaints per year or employee retention rates) with qualitative inputs (employee satisfaction surveys and exit interviews)

26
Q

RISK PERCEPTION - SUBJECTIVITY OF RISK PERCEPTION

People react to risk using a complex array of perceptions that cause them to interpret the statistical data presented to them in different ways.

What are the 6 common risk perception issues?

A
  1. choice = a person’s perception of risk is reduced if they take risks they choose
  2. control = people are more willing to accept risks they believe they can control
  3. familiarity = people get used to living with certain risks so perception of the risk can diminish with time and experience
  4. distant risks = if the effect of a certain risk is far into the future, people may be more willing to accept that risk now e.g., smoking
  5. media = rightly or wrongly, people think a risk must be important if the media has chosen to cover it
  6. randomness = naturally occurring events are more accepted (believed to be random bad luck), whereas people assume that something can be done to control or reduce human-made risks

27
Q

RISK PERCEPTION - SUBJECTIVITY OF RISK PERCEPTION

In addition to common risk perceptions, behavioural economists have also identified a series of cognitive biases that may influence the decision-making process, especially when it comes to estimating the impact from emerging risks.

What is cognitive bias?

What are they directly connected to?

What are the 4 common cognitive biases?

When weighing up risk management or risk-taking decision options, an organisation should consider what?

A

Cognitive bias = an influencing factor that causes someone’s judgement to deviate from a norm or from rationality

Cognitive biases are directly connected to how people perceive and process information

(1) Group-think bias = individual decision-makers strive for group consensus over alternative viewpoints

(2) Authority bias = an SM’s viewpoint overrules the viewpoints of other contributors

(3) Status quo bias = favours preservation of the current state

(4) Myopia bias = leads to an increased focus on smaller and less impactful risks at an expense of more strategic and more impactful risks

Consider the availability of objective data as well as psychological biases that may influence the results.

28
Q

OTHER PRACTICAL CHALLENGES

What are 3 common practical challenges and trends surrounding risk models?

What are the 2 remedies available for organisations striving for an objective risk-management solution in the light of numerous judgemental and psychological barriers?

A
  1. Risk models have become increasingly complex due to the availability of advanced analytical tools and techniques
  2. Risks are interconnected, whereas many risk models are not and ignore the bigger picture
  3. The number of required regulatory risk models has been growing due to increased regulation since the financial crisis of 2007–08

(1) Taking charge of an organisational data infrastructure (= major remedy) = instituting an appropriate enterprise data-management strategy

(2) Fully utilising the potential of the board including the oversight of risk culture
= Strong boards will question key risk assumptions and challenge risk-mitigation strategies, while helping the management to keep an eye on principal and emerging risks