ICFC Risk Management PDF

Summary

This document provides a comprehensive overview of risk management, covering concepts such as risk tolerance, risk identification, risk drivers, and risk governance. It also discusses different types of risks, including financial and non-financial risks.

Full Transcript

**INTRODUCTION TO RISK MANAGEMENT**

Risk management is a process that defines risk tolerance and measures, monitors, and modifies risks to be in line with that tolerance. The risk management process seeks to 1) identify the risk tolerance of the organization, 2) identify and measure the risks that the organization faces, and 3) modify and monitor these risks.

A risk management framework flows logically from the definition of risk management that was previously given: It is the infrastructure, process, and analytics needed to support effective risk management in an organization. Despite customization, every risk management system or framework should address the following key factors:

- Risk governance
- Risk identification and measurement
- Risk infrastructure
- Defined policies and processes
- Risk monitoring, mitigation, and management
- Communications
- Strategic analysis or integration

**Enterprise risk management is an overarching governance approach applied throughout the entity and consistent with its strategy, guiding the risk management framework to focus risk activities on the objectives, health, and value of the entire organization.**

[Figure: diagram of a risk management framework]

**KEY TERMS**

- **Risk exposure** is the extent to which an entity's value may be affected through sensitivity to underlying risks.
- **Risk governance** is the top-level foundation for risk management, including risk oversight and setting risk tolerance for the organization.
- **Risk infrastructure** comprises the resources and systems required to track and assess the organization's risk profile.
- **Risk policies and processes** are management's complement to risk governance at the operating level.
- **Risk identification and measurement** is the quantitative and qualitative assessment of all potential sources of risk and the organization's risk exposures.
- **Risk mitigation and management** is the active monitoring and adjusting of risk exposures, integrating all the other factors of the risk management framework.
- **Communication** includes risk reporting and active feedback loops so that the risk process improves decision making.
- **Strategic risk analysis and integration** involves using these risk tools to rigorously sort out the factors that are and are not adding value as well as incorporating this analysis into the management decision process, with the intent of improving outcomes.
- **Risk drivers** are the fundamental global and domestic macroeconomic and industry factors that create risk.

**Risk governance, risk tolerance and risk budgeting**

**Risk Governance**

Risk governance refers to senior management's determination of the risk tolerance of the organization, the elements of its optimal risk exposure strategy, and the framework for oversight of the risk management function. Enterprise risk management (focusing risk activities on the objectives, health, and value of the whole organization) requires that the entire economic balance sheet of the business be considered, not just the assets or one part of the business in isolation.

In the same vein, another element of good risk governance is the formal appointment of a responsible executive as chief risk officer (CRO). This officer should be responsible for building and implementing the risk framework for the enterprise and managing the many activities therein.

**Risk Tolerance**

Determining an organization's risk tolerance involves setting the overall risk exposure the organization will take by identifying the risks the firm can effectively take and the risks that the organization should reduce or avoid. Some of the factors that determine an organization's risk tolerance are its expertise in its lines of business, its skill at responding to negative outside events, its regulatory environment, and its financial strength and ability to withstand losses.
**Risk Budgeting**

Risk budgeting is the process of allocating firm resources to assets (or investments) by considering their various risk characteristics and how they combine to meet the organization's risk tolerance. The goal is to allocate the overall amount of acceptable risk to the mix of assets or investments that have the greatest expected returns over time.

**IDENTIFICATION OF RISK**

**Financial risks** are those that arise from exposure to financial markets. Examples are:

1. **Credit risk.** This is the uncertainty about whether the counterparty to a transaction will fulfill its contractual obligations.
2. **Liquidity risk.** This is the risk of loss when selling an asset at a time when market conditions make the sales price less than the underlying fair value of the asset.
3. **Market risk.** This is the uncertainty about market prices of assets (stocks, commodities, and currencies) and interest rates.

**Non-financial risks** arise from the operations of the organization and from sources external to the organization. Examples are:

1. **Operational risk.** This is the risk that human error or faulty organizational processes will result in losses.
2. **Solvency risk.** This is the risk that the organization will be unable to continue to operate because it has run out of cash.
3. **Regulatory risk.** This is the risk that the regulatory environment will change, imposing costs on the firm or restricting its activities.
4. **Governmental or political risk (including tax risk).** This is the risk that political actions outside a specific regulatory framework, such as increases in tax rates, will impose significant costs on an organization.
5. **Legal risk.** This is the uncertainty about the organization's exposure to future legal action.
6. **Model risk.** This is the risk that asset valuations based on the organization's analytical models are incorrect.
7. **Tail risk.** This is the risk that extreme events (those in the tails of the distribution of outcomes) are more likely than the organization's analysis indicates, especially from incorrectly concluding that the distribution of outcomes is normal.
8. **Accounting risk.** This is the risk that the organization's accounting policies and estimates are judged to be incorrect.

**MEASUREMENTS OF RISK**

Measures of risk for specific asset types include standard deviation, beta, and duration.

1. **Standard deviation** is a measure of the volatility of asset prices and interest rates. Standard deviation may not be the appropriate measure of risk for non-normal probability distributions, especially those with negative skew or positive excess kurtosis (fat tails).
2. **Beta** measures the market risk of equity securities and portfolios of equity securities. This measure considers the risk reduction benefits of diversification and is appropriate for securities held in a well-diversified portfolio, whereas standard deviation is a measure of risk on a stand-alone basis.
3. **Duration** is a measure of the price sensitivity of debt securities to changes in interest rates.

Derivatives risks (sometimes referred to as "the Greeks") include:

1. **Delta.** This is the sensitivity of derivatives values to the price of the underlying asset.
2. **Gamma.** This is the sensitivity of delta to changes in the price of the underlying asset.
3. **Vega.** This is the sensitivity of derivatives values to the volatility of the price of the underlying asset.
4. **Rho.** This is the sensitivity of derivatives values to changes in the risk-free rate.

**Tail risk** is the uncertainty about the probability of extreme (negative) outcomes. Commonly used measures of tail risk (sometimes referred to as downside risk) include Value at Risk and Conditional VaR.

1. **Value at risk (VaR)** is the minimum loss over a period that will occur with a specific probability. Consider a bank that has a one-month VaR of \$1 million with a probability of 5%. That means that a one-week loss of at least \$1 million is expected to occur 5% of the time.
2. **Conditional VaR (CVaR)** is the expected value of a loss, given that the loss exceeds a minimum amount. Relating this to the VaR measure presented above, the CVaR would be the expected loss, given that the loss was at least \$1 million.

1. **Stress testing** examines the effects of a specific (usually extreme) change in a key variable such as an interest rate or exchange rate.
2. **Scenario analysis** refers to a similar what-if analysis of expected loss but incorporates changes in multiple inputs. A given scenario might combine an interest rate change with a significant change in oil prices or exchange rates.

**Risks are not necessarily independent because many risks arise as a result of other risks; risk interactions can be extremely non-linear and harmful.**

**MODIFYING RISK EXPOSURES**

**Internal**

1. **Diversification** may offer a way to more efficiently bear a specific risk.
2. Sometimes the term **self-insurance** is used to describe a situation where an organization has decided to bear a risk. Note, however, that this simply means that it will bear any associated losses from this risk factor. It is possible that this represents inaction rather than the result of analysis and strategic decision making. In some cases, the firm will establish a reserve account to cover losses as a way of mitigating the impact of losses on the organization.

**External**

3. With a **risk transfer**, another party takes on the risk. Insurance is a type of risk transfer. The risk of fire destroying a warehouse complex is shifted to an insurance company by buying an insurance policy and paying the policy premiums. Insurance companies diversify across many risks so the premiums of some insured parties pay the losses of others.
4. With a **surety bond**, an insurance company has agreed to make a payment if a third party fails to perform under the terms of a contract or agreement with the organization.
5. Insurers also issue **fidelity bonds**, which will pay for losses that result from employee theft or misconduct. Managements that purchase insurance, surety bonds, or fidelity bonds have determined that the benefits of risk reduction are greater than the cost of the insurance.
6. **Risk shifting** is a way to change the distribution of possible outcomes and is accomplished primarily with derivative contracts. For example, financial firms that do not want to bear currency risk on some foreign currency denominated debt securities can use forward currency contracts, futures contracts, or swaps to reduce or eliminate that risk.
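
The VaR and CVaR definitions under MEASUREMENTS OF RISK, and the warning that assuming a normal distribution understates tail risk, worked through on a small sample. This is an added example, not part of the original notes; the P&L figures are constructed and the function names are assumptions.

```python
import math
from statistics import NormalDist, mean, stdev

# Constructed sample: 40 monthly P&L figures in $ thousands (negative = loss).
# 38 ordinary months symmetric around zero, plus two extreme losses (fat left tail).
PNL = [sign * 20 * i for i in range(1, 20) for sign in (1, -1)] + [-1000, -1800]

def historical_var(pnl, prob):
    """Smallest loss among the worst `prob` share of periods (VaR as defined above)."""
    losses = sorted((-x for x in pnl), reverse=True)   # largest loss first
    k = max(1, math.floor(prob * len(losses)))         # number of periods in the tail
    return losses[k - 1]

def conditional_var(pnl, prob):
    """Average loss, given that the loss is at least VaR (CVaR as defined above)."""
    var = historical_var(pnl, prob)
    return mean(-x for x in pnl if -x >= var)

def normal_var(pnl, prob):
    """VaR if outcomes are assumed normal with the sample mean and standard deviation."""
    return -NormalDist(mean(pnl), stdev(pnl)).inv_cdf(prob)

def normal_tail_probability(pnl, loss):
    """Probability the normal assumption assigns to a loss of at least `loss`."""
    return NormalDist(mean(pnl), stdev(pnl)).cdf(-loss)

if __name__ == "__main__":
    var = historical_var(PNL, 0.05)
    print("historical 5% VaR ($k):", var)
    print("historical 5% CVaR ($k):", conditional_var(PNL, 0.05))
    print("normal-assumption 5% VaR ($k):", round(normal_var(PNL, 0.05), 1))
    print("observed frequency of loss >= VaR:", sum(-x >= var for x in PNL) / len(PNL))
    print("normal-assumption probability:", round(normal_tail_probability(PNL, var), 4))
```

On this sample the observed 5% VaR is \$1 million, while the normal assumption puts the 5% VaR well below that and gives a loss of at least \$1 million a probability under 1%.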
