Mod 10: Monitoring and communication of risk

Question 1

Outline four key processes and systems that should be properly documented

Answer 1

Documented processes and systems
1. risk management decisions made and the reasons for those decisions
2. systems (eg systems specification and user-acceptance testing of IT systems)
3. financial models, including the assumptions and data employed in the model
4. risk management failures, including nature of failure and losses incurred ©

Question 2

Give examples of internal vs external, informal vs formal communication

Answer 2

Examples of types of communication
Internal communication: management information about what is happening inside the business, eg cashflow position, sales, inventory levels
External communication (inwards): collecting relevant information about what is happening outside the company, eg competitors’ sales
External communication (outwards): distributing information about the company to interested parties, eg to the media, shareholders and regulators
Informal communication: word-of-mouth (or technological equivalents, such as social media)
Formal communication: through a corporate intranet, management information systems, reports and/or corporate newsletters
©

Question 3

Describe what is meant by a feedback loop

Answer 3

Feedback loops
Feedback loops help the ERM framework respond to changes in:
 the business
 its environment.
Such changes should be identified using information about:
 past events
 the present, or
 expectations about the future.

Processes for informing stakeholders (including management) of any significant issues should be included in each loop.
©

Question 4

List the key stakeholders of an ERM framework and of what they should be made aware
©

Answer 4

Key stakeholders of an ERM framework

1. Internal recipients should be made aware of risks and responses:
   a. Board
   b. Board subcommittees
2. External recipients should be made aware of the organisation’s RM strategies:
   a. supervisors / regulators
   b. investors
   c. analysts

Question 5

Define a risk metric

Answer 5

Risk metric
A risk metric is a quantitative or qualitative indicator of the level of risk in a specific part of an organisation.
©

Question 6

Explain what is meant by a KRI

Answer 6

KRIs

1. A key risk indicator (KRI) is a risk metric that forms a key part of an organisation’s RM framework.
2. A range of KRIs might be established for each risk appetite statement
   − eg a market risk tolerance level (expressed perhaps as a VaR) might be driven by % or equity or the duration of the portfolio so the KRIs might include these portfolio metrics.
    
3. Quantitative or qualitative thresholds for these metrics may act to trigger appropriate actions.
4. A suite of KRIs (or other risk metrics) can support implementation of a risk appetite / tolerance framework, because the latter (being typically probabilistic) are hard / costly to measure in ‘real time’.

Question 7

Describe the qualities of a good KRI

Answer 7

Qualities of a good KRI

1. quantifiable (ie %, £, numbers)
2. based on consistent methodologies and standards
3. incorporates key risk drivers (exposure, probability, severity and correlation)
4. tracked over time
5. tied to objectives
6. linked to an accountable individual
7. useful in decision making
8. able to be benchmarked externally
9. timely
10. cost effective to measure
11. simple (not simplistic)
    ©

Question 8

List common and desirable features of risk reporting within a RM framework

Answer 8

Common and desirable features of risk reporting

1. clarity / simplicity, whilst maintaining an appropriate range and level of detail
2. relevance – being closely linked to risk appetite and risk tolerances
3. includes KRIs and risk limits to allow clear and timely decision making
4. split according to risk types and operating units
5. includes summaries of key risk areas, measured by likelihood and severity of impact – ideally in graphical form, perhaps using traffic light indicators
6. includes risk accountabilities
7. evaluates effectiveness of RM actions
8. includes emerging risks, trends, important events and milestones

Question 9

Describe the qualities of a good risk reporting system

Answer 9

Qualities of a good risk reporting system

1. designed using a top-down approach, ie given a particular audience, consider what information do they need to make the decisions they are responsible for making.
2. a single point of access to critical risk information collated from various risk systems and data sources
3. a role-based summary of risks to key decision makers with drill-down capabilities to more detailed information
4. prioritised just-in-time information (eg from real-time alerts to quarterly summaries)
5. a mixture of qualitative / quantitative, internal / external data
6. an opportunity for users to provide commentary, explanation or analysis of the information

Question 10

Outline the key components of a risk report to a board ©

Answer 10

Key components of a risk report to a board

1. internal and external, qualitative and quantitative information
2. a summary of losses and incidents
3. a summary of business risks and the key discussions and decisions required from the Board
4. a narrative from management on important data and trends
5. key performance indicators (KPIs), and key risk indicators (KRIs), relative to risk limits, with important deviations and trends highlighted
6. important events / milestones (eg a regulatory visit)

Question 11

State the four main areas usually covered by a balanced scorecard (or dashboard reporting)

Answer 11

Areas usually covered by a balanced scorecard
1. finance
2. stakeholders (eg customers / clients)
3. growth and learning
4. internal business processes