Fundamentals of risk management M67 Study Text 2023-24 PDF

Fundamentals of risk management M67 2023-24 STUDY TEXT Fundamentals of risk management M67: 2023–24 Study text RevisionMate This unit is assessed by both an online multiple-choice examination and a coursework assignment, which is submitted via RevisionMate.You can access RevisionMate via your MyCII page, using your login details: ciigroup.org/login Both these components need to be completed within 18 months of purchase. Please refer to your RevisionMate coursework course for your assignment deadline. Your RevisionMate course contains everything you need to complete your studies, including: Printable PDF and ebook of the study text. Examination guide and specimen coursework assignment and answers. Coursework assignment questions and the submission area. Please note: If you have received this study text as part of your update service, access to RevisionMate will only be available for the remainder of your 18-month enrolment. Coursework questions can be answered from any edition of the study text. Updates and amendments As part of your enrolment, any changes to the exam or syllabus, and any updates to the content of this course, will be posted online so that you have access to the latest information. You will be notified via email when an update has been published. To view updates: 1. Visit www.cii.co.uk/qualifications 2. Select the appropriate qualification 3. Select your unit from the list provided Under ‘Unit updates’, examination changes and the testing position are shown under ‘Qualifications update’; study text updates are shown under ‘Learning solutions update’. Please ensure your email address is current to receive notifications. 2 M67/April 2023 Fundamentals of risk management © The Chartered Insurance Institute 2023 All rights reserved. Material included in this publication is copyright and may not be reproduced in whole or in part including photocopying or recording, for any purpose without the written permission of the copyright holder. Such written permission must also be obtained before any part of this publication is stored in a retrieval system of any nature. This publication is supplied for study by the original purchaser only and must not be sold, lent, hired or given to anyone else. Every attempt has been made to ensure the accuracy of this publication. However, no liability can be accepted for any loss incurred in any way whatsoever by any person relying solely on the information contained within it. The publication has been produced solely for the purpose of examination and should not be taken as definitive of the legal position. Specific advice should always be obtained before undertaking any investments. Print edition ISBN: 978 1 80002 677 3 Electronic edition ISBN: 978 1 80002 678 0 This edition published in 2023 Author/updater Stephen W. Lowe MSc, CFIRM, FCII, Certified Risk Professional, Chartered Insurance Practitioner. Stephen has over 25 years’ experience with international insurers, international brokers and risk management consultants in a variety of technical and managerial roles. Now an established independent consultant, he helps organisations set up and manage risk management and insurance solutions, supplemented, where appropriate, with comprehensive training and procedural manuals. He has helped to shape the new British Standard for Damage Management and publications relating to National Occupational Standards for the financial sector in a risk management context. Previous research work focused on business continuity and the management of fraud and reputation risks. Stephen is a keen supporter of CII efforts to promote ongoing professional development, training and education across the profession. Acknowledgements We would also like to thank Dr Simon Ashby BA (Hons), PhD, FIOR for his assistance with previous editions of this study text. The CII would like to thank the authors and reviewers of other CII study texts in respect of any material drawn upon in the production of this study text. While every effort has been made to trace the owners of copyright material, we regret that this may not have been possible in every instance and welcome any information that would enable us to do so. Typesetting, page make-up and editorial services CII Learning Solutions. Printed and collated in Great Britain. This paper has been manufactured using raw materials harvested from certified sources or controlled wood sources. 3 Using this study text Welcome to the M67: Fundamentals of risk management study text which is designed to support the M67 syllabus, a copy of which is included in the next section. Please note that in order to create a logical and effective study path, the contents of this study text do not necessarily mirror the order of the syllabus, which forms the basis of the assessment. To assist you in your learning we have followed the syllabus with a table that indicates where each syllabus learning outcome is covered in the study text. These are also listed on the first page of each chapter. Each chapter also has stated learning objectives to help you further assess your progress in understanding the topics covered. Contained within the study text are a number of features which we hope will enhance your study: Activities: reinforce learning through Key points: act as a memory jogger at practical exercises. the end of each chapter. Be aware: draws attention to important Key terms: introduce the key concepts points or areas that may need further and specialist terms covered in each clarification or consideration. chapter. Case studies: short scenarios that will Refer to: Refer to: extracts from other CII study test your understanding of what you texts, which provide valuable information have read in a real life context. on or background to the topic. The sections referred to are available for you to view and download on RevisionMate. Consider this: stimulating thought Reinforce: encourages you to revisit a around points made in the text for which point previously learned in the course to there is no absolute right or wrong embed understanding. answer. Examples: provide practical illustrations Sources/quotations: cast further light of points made in the text. on the subject from industry sources. In-text questions: to test your recall of On the Web: introduce you to other topics. information sources that help to supplement the text. At the end of every chapter there is also a set of self-test questions that you should use to check your knowledge and understanding of what you have just studied. Compare your answers with those given at the back of the book. By referring back to the learning outcomes after you have completed your study of each chapter and attempting the end of chapter self-test questions, you will be able to assess your progress and identify any areas that you may need to revisit. Not all features appear in every study text. Note Website references correct at the time of publication. 5 Examination syllabus Fundamentals of risk management Purpose To explore the principles of risk management and the role of insurance within these principles. Assumed knowledge It is assumed that the candidate already has knowledge of the fundamental principles of insurance as covered in IF1 Insurance, legal and regulatory or equivalent examinations. Summary of learning outcomes Number of questions in the examination * 1. Understand the meaning of risk. 9 2. Understand the role and purpose of risk management. 8 3. Understand the core elements of the risk management process. 12 4. Understand the different categories of risk. 5 5. Understand current trends in risk management. 6 6. Understand the position of insurance within risk management. 5 7. Understand the key risk management lessons learnt from major loss events. 5 * The test specification has an in-built element of flexibility. It is designed to be used as a guide for study and is not a statement of actual number of questions that will appear in every exam. However, the number of questions testing each learning outcome will generally be within the range plus or minus 2 of the number indicated. Important notes Method of assessment: Mixed assessment consisting of two components, both of which must be passed. One component is a coursework assignment and one is a multiple choice question (MCQ) examination. The details are: 1. an online coursework assignment using RevisionMate consisting of 10 questions which sequentially follow the learning outcomes. This must be successfully completed within 6 months of enrolment; and 2. an MCQ exam consisting of 50 MCQs. 1 hour is allowed for this exam. This exam must be successfully passed within 18 months of enrolment. This syllabus will be examined from 1 May 2023 until 30 April 2024. Candidates will be examined on the basis of English law and practice unless otherwise stated. This PDF document is accessible through screen reader attachments to your web browser and has been designed to be read via the speechify extension available on Chrome. Speechify is an extension that is available from https://speechify.com/. If for accessibility reasons you require this document in an alternative format, please contact us on [email protected] to discuss your needs. Published February 2023 ©2023 The Chartered Insurance Institute. All rights reserved. M67 6 M67/April 2023 Fundamentals of risk management Candidates should refer to the CII website for the latest information on changes to law and practice and when they will be examined: 1. Visit www.cii.co.uk/qualifications 2. Select the appropriate qualification 3. Select your unit from the list provided 4. Select qualification update on the right hand side of the page Published February 2023 2 of 4 ©2023 The Chartered Insurance Institute. All rights reserved. 7 1. Understand the meaning of risk. Reading list 1.1 Explain the difference between risk and uncertainty. 1.2 Explain the basics of probability theory. The following list provides details of further 1.3 Discuss risk perception. reading which may assist you with your studies. 1.4 Explain the difference between pure and speculative risk. Note: The examination will test the syllabus alone. 2. Understand the role and purpose of risk The reading list is provided for guidance management. only and is not in itself the subject of the 2.1 Explain the evolution of the discipline of risk examination. management. The resources listed here will help you 2.2 Outline the benefits of risk management. keep up-to-date with developments and 2.3 Explain the senior roles within risk management, provide a wider coverage of syllabus topics. their purpose and responsibilities. 2.4 Explain the relationship between risk management, CII study texts compliance and the audit function. Fundamentals of risk management. London: CII. Study text M67. 3. Understand the core elements of the risk management process. Insurance, legal and regulatory. London: CII. 3.1 Outline the risk management process. Study text IF1. 3.2 Explain the purpose and contents of a risk register. Books (and ebooks) 3.3 Discuss the key risk management standards. Approaches to enterprise risk management. 3.4 Explain the various risk management tools and London: Bloomsbury, 2010. * techniques. Handbook of insurance. Georges Dionne. 3.5 Explain the regulatory and corporate governance environment affecting risk management. New York: Springer, 2013.* Handbook of the economics of risk and 4. Understand the different categories of uncertainty. Mark Machina, W. Kip Viscusi. risk. North Hollans, 2014.* 4.1 Define and categorise the different forms of risks. Introduction to insurance mathematics: 5. Understand current trends in risk technical and financial features of risk management. transfers. Annamaria Olivieri, Ermanno 5.1 Discuss the principles of Enterprise Risk Pitacco. Berlin: Springer, 2011. Management (ERM) and Governance Risk and Principles of risk management and Compliance (GRC) and how this affects risk insurance. 12th ed. George E. Rejda, management. Michael J. McNamara. Pearson Education, 5.2 Explain the concepts of risk aggregation and 2014. correlation. Rethinking risk measurement and reports. 6. Understand the position of insurance 2v. Klaus Bocker (ed). London: Incisive, within risk management. 2010. 6.1 Explain the role of insurance as a risk transfer Risk: an introduction. Bernardus Ale. mechanism. Routledge, 2010. * 6.2 Explain the role of an insurance intermediary in supporting risk management. Risk analysis. 2nd ed. Terje Aven. Hoboken: 6.3 Discuss alternative risk financing options. Wiley, 2015.* Risk analysis in finance and insurance. 2nd 7. Understand the key risk management ed. Alexander Melnikov. Chapman and Hall/ lessons learnt from major loss events. CRC, 2010. * 7.1 Explain why risk management systems can fail and the consequences of their failure. Risk culture and effective risk governance. Patricia Jackson, ed. London: Risk Books, 2014. Risk management for insurers: risk control, economic capital, and Solvency II. Rene Doff. 3rd/2nd ed. London: Risk Books, 2015/2011.* * Also available as an eBook through eLibrary via www.cii.co.uk/elibrary (CII/PFS members only). Published February 2023 3 of 4 ©2023 The Chartered Insurance Institute. All rights reserved. 8 M67/April 2023 Fundamentals of risk management The risk management handbook. David Further articles and technical bulletins are Hillson. London: Kogan Page, 2016. * available at www.cii.co.uk/learning/elibrary/ (CII/PFS members only). Ebooks The following eBooks are available via Journals and magazines www.cii.co.uk/elibrary(CII/PFS members The Journal. London: CII. Six issues a year. only): Post magazine. London: Incisive Financial Enterprise risk management: a common Publishing. Monthly. Contents searchable framework for the entire organisation. Philip online at www.postonline.co.uk. E.J. Green. Oxford: Butterworth-Heinemann, Strategic risk. London: Newsquest Specialist 2016. Media. Eight issues a year. Enterprise risk management: from incentives Access to further periodical publications is to controls. James Lam. 2nd ed. Hoboken: available from the Knowledge website at Wiley, 2013. www.cii.co.uk/journalsmagazines Fundamentals of enterprise risk (CII/PFS members only). management: how top companies assess Reference materials risk, manage exposure and seize Concise encyclopedia of insurance terms. opportunity. John J. Hampton. New York: Laurence S. Silver, et al. New York: American Management Association, 2015. Routledge, 2010.* Fundamentals of risk management: Dictionary of insurance. C Bennett. 2nd ed. understanding, evaluating and implementing London: Pearson Education, 2004. effective risk management. Paul Hopkin, Kogan Page, 2014. Risk analysis in finance and insurance. 2nd Exemplars ed. A V Melnikov. Boca Raton, Florida: CRC Exemplar papers are available for all mixed Press, 2011. assessment units. Exemplars are available Risk management and financial institutions. for both the coursework component and the John Hull. Wiley, 2015. MCQ exam component. Risk management: concepts and guidance. These are available on the CII website under Carl L. Pritchard. 5th ed. Boca Raton: CRC the unit number before purchasing the unit. Press, 2015. They are available under the following link www.cii.co.uk/qualifications/diploma-in- Online resources insurance-qualification. The Insurance Institute of London (IIL) podcast lecture series features leading These exemplar papers are also available on industry figures and subject experts the RevisionMate website (ciigroup.org/login) speaking on current issues and trends after you have purchased the unit. impacting insurance and financial services. Available online at www.cii.co.uk/learning/ Exam technique/study skills insurance-institute-of-london (CII/PFS There are many modestly priced guides members only). available in bookshops. You should choose Alternative risk transfer (ART). Alan one which suits your requirements. Punter. Insurance-linked securities (ILS). Alan Punter. Risk control. Ian Searle. Risk identification. Ian Searle. Risk transfer. Ian Searle. Recent developments to Solvency II. Brad Baker. AIRMIC. www.airmic.com. Institute of Risk Management www.theirm.org. Published February 2023 4 of 4 ©2023 The Chartered Insurance Institute. All rights reserved. 9 M67 syllabus quick-reference guide Syllabus learning outcome Study text chapter and section 1. Understand the meaning of risk. 1.1 Explain the difference between risk and uncertainty. 1C, 1D 1.2 Explain the basics of probability theory. 5D 1.3 Discuss risk perception. 1B 1.4 Explain the difference between pure and speculative risk. 1E 2. Understand the role and purpose of risk management. 2.1 Explain the evolution of the discipline of risk management. 1A 2.2 Outline the benefits of risk management. 2A, 2B, 2C 2.3 Explain the senior roles within risk management, their purpose 3B, 3D, 3G, 3I and responsibilities. 2.4 Explain the relationship between risk management, compliance 3E, 3F and the audit function. 3. Understand the core elements of the risk management process. 3.1 Outline the risk management process. 2D, 7E 3.2 Explain the purpose and contents of a risk register. 5H 3.3 Discuss the key risk management standards. 7A 3.4 Explain the various risk management tools and techniques. 4A, 4B, 4C, 4D, 4E, 4F, 4G, 5A, 5C, 5E, 5F, 5G, 6A, 6B, 6C, 6D, 6E, 6F, 7D 3.5 Explain the regulatory and corporate governance environment 3A, 3H, 6C affecting risk management. 4. Understand the different categories of risk. 4.1 Define and categorise the different forms of risks. 1E, 5B 5. Understand current trends in risk management. 5.1 Discuss the principles of Enterprise Risk Management (ERM) 3B, 3C, 3D, 3J and Governance Risk and Compliance (GRC) and how this affects risk management. 5.2 Explain the concepts of risk aggregation and correlation. 5C, 5D 6. Understand the position of insurance within risk management. 6.1 Explain the role of insurance as a risk transfer mechanism. 6C 6.2 Explain the role of an insurance intermediary in supporting risk 6C management. 6.3 Discuss alternative risk financing options. 6D, 6E, 6F 7. Understand the key risk management lessons learnt from major loss events. 7.1 Explain why risk management systems can fail and the 7B, 7C consequences of their failure. 10 M67/April 2023 Fundamentals of risk management 11 Study skills and exam guidance Before you begin the study text, we would encourage you to read the next couple of pages to learn more about study skills and tips on how to approach the MCQ exam. Study skills While the text will give you a foundation of facts and viewpoints, your understanding of the issues raised will be richer through adopting a range of study skills. They will also make studying more interesting! We will focus here on the need for active learning in order for you to get the most out of this core text. Active learning is experiential, mindful and engaging Underline or highlight key words and phrases as you read – many of the key words have been highlighted in the text for you, so you can easily spot the sections where key terms arise; boxed text indicates extra or important information that you might want to be aware of. Make notes in the text, attach notes to the pages that you want to go back to – chapter numbers are clearly marked on the margins. Make connections to other CII units – throughout the text you may find ‘refer to’ boxes that tell you the chapters in other books that provide background to, or further information on, the area dealt with in that section of the study text. Take notice of headings and subheadings. Use the clues in the text to engage in some further reading (refer to the syllabus reading list) to increase your knowledge of a particular area and add to your notes – be proactive! Relate what you’re learning to your own work and organisation. Be critical – question what you’re reading and your understanding of it. Five steps to better reading Scan: look at the text quickly – notice the headings (they correlate with the syllabus learning outcomes), pictures, images and key words to get an overall impression. Question: read any questions related to the section you are reading to get a feel for the subjects tackled. Read: in a relaxed way – don’t worry about taking notes first time round, just get a feel for the topics and the style the book is written in. Remember: test your memory by jotting down some notes without looking at the text. Review: read the text again, this time in more depth by taking brief notes and paraphrasing. On the Web Visit here for more detail on study skills: www.open.ac.uk/skillsforstudy. Note: website reference correct at the time of publication. 12 M67/April 2023 Fundamentals of risk management Exam guidance Answering multiple-choice questions When preparing for the examination, candidates should ensure that they are aware of what typically constitutes each type of product listed in the syllabus and ascertain whether the products with which they come into contact during the normal course of their work deviate from the norm, since questions in the examination test generic product knowledge. Some questions are simply questions of fact, whereas others may be more progressive in nature, requiring reasoning to determine the correct option or, perhaps, being answerable by a process of elimination. Whatever the question, read it carefully to identify what it is really asking. Do not assume that you 'know' what it is asking, even if the question is on a topic about which you feel very confident; answer the question exactly as it is asked. Also, look out for the occasional negative question (Which of the following is not …?). Try to answer all of the questions. While there is no substitute for a good grasp of the subject matter, and you cannot expect to pass the examination purely on guesswork, you do not lose marks for giving a wrong answer! You can find more information on the specific unit in the exam guide (available on the unit page on the CII website and on RevisionMate). On the Web You can find more on preparing for your exam by visiting: https://www.cii.co.uk/learning/ qualifications/assessment-information/before-the-exam/. Note: website reference correct at the time of publication. Accessibility The CII has produced a policy and guidance document on accessibility and reasonable/ special adjustments. The purpose of this is to ensure that you have fair access to CII qualifications and assessments. On the Web The ‘Qualifications accessibility and special circumstances policy and guidance’ document can be found here: https://www.cii.co.uk/media/10129005/cii-qualifications-accessibility- and-special-circumstances-policy-and-guidance.pdf. Note: website reference correct at the time of publication. 13 Introduction In this study text we explore how people and organisations can anticipate and deal with risk and uncertainty. We see how a formal structure can help to identify risks, establish how often they are taken, and measure potential consequences if risks materialise. Then we look at risk management, how risk taking can be avoided or reduced, and what can be done to soften the effects when a risk goes wrong. Finally, we study some examples of well- publicised major losses to see what lessons can be learnt. We start by looking at how the concept of risk management evolved and explore how different people perceive different risks. By anticipating how people are likely to behave, an organisation can set guidelines as to how risk taking should be approached. We look at the type of risks faced by business organisations, what might cause them, and how they might be classified to facilitate further study. We study risk management as an integral part of achieving business objectives, reducing potential future costs and sometimes preventing total disaster. A formal risk management programme will consider the interests of all stakeholders in the business, evaluate external influences and investigate new and emerging risks. Risk management studies the link between cause, event and effect with a view to preventing causes, mitigating effects, or breaking links in the chain. We see that an organisation’s attitude to risk is determined by the board of directors and should be published as a formal risk philosophy. The board of directors has legal responsibility to supervise the management of operations and not to take unnecessary risks. Public companies must publish structures for corporate governance and risk management control that show the board is fully, accurately and reliably informed of important decisions and events. We see that risk management, audit and compliance functions are integral parts of strong governance and should use the same strategies, processes and technologies so that coherent information is presented to the board. The system used to control risk management across an organisation is known as enterprise risk management (ERM). Specific tools and techniques are available to help the various stages of risk management and control. We review internal and external sources of risk information, how to collect this data, assess its reliability, and determine whether it is susceptible to imminent change. We need to compare different risks in order to prioritise them. If we evaluate potential impact on the business, then impact multiplied by frequency is a measure of possible loss to which an organisation is exposed. It can be used as a basis for ranking. Some risks can be quantified in monetary terms but others will have qualitative descriptions based on their damage to business objectives. Large numbers of risks will be more easily managed if they are first divided into meaningful categories. Options are available to mitigate the effects of unavoidable risks and will be selected in line with risk philosophy. A reserved fund could ensure money was available to restore normal working as soon as possible, or we could transfer risk to a third party with an insurance policy or specific clauses in contracts. Options available to larger organisations may be to set up their own insurance company, negotiate global insurance cover, or directly access capital markets. We discuss the pros and cons of all these solutions, and see that, usually, a mix of financing options will be preferred, balancing costs against perceived benefits. An insurance portfolio needs to make best use of insurance limits and sums insured in commercial package offerings, and evaluate any external risk management services on offer. Not all risks can be insured, and most organisations must accept a disaster scenario is possible, and that continuity plans will be required. International risk management standards have been published with codes of best practice to assist organisations setting up and managing risk management systems. We review the most important of these. All these standards have to be kept up-to-date. Large disasters can alter our perception of risk, alert us to new risks and change risk management attitudes. We look at three high-profile examples in depth to see how multiple risk management failings allowed these events to happen. Organisations’ attitude towards risk management is an important factor in these examples. Organisations must actively work to achieve and maintain an appropriate risk management culture that is firmly embedded in their organisations. This will involve continuous management, audit, benchmarking and review. 15 Contents 1: The meaning of risk A Evolution of risk management 1/3 B Risk perception 1/8 C Risk and uncertainty 1/12 D Risk and reward 1/13 E Types of risk 1/14 2: The purpose and process of risk management A Introduction to risk management 2/2 B Benefits of risk management 2/3 C Risk and organisational objectives 2/4 D The risk management process 2/18 3: Roles and responsibilities A Corporate governance and internal control 3/2 B Enterprise risk management (ERM) 3/11 C Governance, risk and compliance (GRC) 3/12 D ERM system design 3/14 E Relationship between audit and risk management 3/16 F Relationship between compliance and risk management 3/18 G Individual responsibilities 3/18 H Risk appetite and risk tolerance 3/24 I Risk aware culture 3/26 J Risk maturity 3/27 4: Tools and techniques 1: risk identification A Why do we need risk information? 4/2 B What sort of information do we need? 4/3 C Sources of internal information 4/5 D Sources of external information 4/9 E Collecting data 4/11 F Reliability and change 4/14 G Methods of risk identification 4/15 16 M67/April 2023 Fundamentals of risk management 5: Tools and techniques 2: assessment and measurement of risk A Risk assessment 5/2 B Risk categorisation 5/4 C Measuring impact 5/8 D Measuring probability 5/10 E Risk ranking 5/17 F Risk appetite and tolerance 5/21 G Risk control 5/22 H Risk registers 5/24 6: Risk financing, retention and transfer A Cost of risk incidents 6/2 B Risk financing options 6/7 C Insurance as a risk transfer mechanism 6/9 D Other risk financing options 6/26 E Alternative risk transfer 6/33 F Risk financing plan 6/35 7: Risk management lessons A Risk management standards 7/3 B Risk management system failure 7/9 C Example studies of major losses 7/11 D Reinforcing risk culture 7/37 E Benchmarking 7/38 Self-test answers i Legislation ix Index xi Chapter 1 The meaning of risk 1 Contents Syllabus learning outcomes Introduction A Evolution of risk management 2.1 B Risk perception 1.3 C Risk and uncertainty 1.1 D Risk and reward 1.1 E Types of risk 1.4, 4.1 Key points Question answers Self-test questions Learning objectives After studying this chapter, you should be able to: explain the evolution of the discipline of risk management; discuss risk perception; explain the difference between risk and uncertainty; explain the connection between risk and reward; explain the difference between pure and speculative risk; define a selection of fundamental risks; and examine the link between cause, events and effects. Chapter 1 1/2 M67/April 2023 Fundamentals of risk management Introduction Risk management as we understand it today is a process that evolved during the twentieth century as a formal approach to anticipating and dealing with risk and uncertainty. If we can identify and understand the risks involved in an activity, then we might be able to control or avoid them and thus improve our chances of a successful outcome. More importantly, we might reduce our chances of total disaster. Alternatively, we might have a logical basis for deciding if we accept a particular level of risk in order to gain some reward. Risk management depends on: identifying risks involved in an organisation; estimating how often those risks are likely to materialise; measuring potential consequences; and exploring options available to exercise some degree of risk control. The theory is simple but practical difficulties abound. In large, changing organisations, it would be impossible to identify all the risks, analyse interdependencies and estimate impacts. Priority decisions need to be made, measurement techniques decided, and detailed records maintained. We also have to keep up with change. Therefore, for practical reasons, organisations need to develop a coherent management and procedural framework for effective risk management. The framework must be: organisation-wide; an integral part of the organisation and its culture; and organised to allow for both audit and continuous change. Information within the framework presents a further challenge. Is it accurate and who needs access to it? Managed communication channels are essential. We will start with a short history to help understand the meaning of risk and how perception of risk changed over time. We will see how eminent scientists and mathematicians set about quantifying different types of risk in terms of numbers, and how probability theory developed. From the timeline it is clear that modern approaches to management of a variety of risks are relatively new. This helps explain why there is as yet no universal agreement on fundamental definitions of key terms and why several similar yet different standards are in common use today. Next, we will look closely at how risk is perceived, how risk can be concerned with rewards and opportunities and how risk is related to uncertainty. We will examine a selection of fundamental risks likely to be faced by a variety of financial institutions. Finally, we will explore the link between cause, events and effects. Key terms This chapter features explanations of the following terms and concepts: Business risk Credit risk Dread and Insurance risk unknown risks Liquidity risk Market risk Operational risk Pure risk Regulatory and Reputation risk Risk and reward Risk and uncertainty legal risks Risk perception Speculative risk Chapter 1 The meaning of risk 1/3 Chapter 1 A Evolution of risk management People have always been interested in foretelling the future. Our decisions about what to do today are influenced by what we think will happen in the future. Examples of short-term decisions might be placing a bet on a horse or overtaking another car on a blind corner. Decisions with long-term consequences might be agreeing to marry or choosing a particular religion. When we make such decisions we recognise, consciously or subconsciously, that there are both risks and benefits involved. Some people may ignore risks, but wiser people take a chance only if they believe expected benefits outweigh the risk. Today we are used to measuring some risks. Bookmakers quote odds on horses so we can weigh up potential returns against our chances of winning. Statisticians work out life expectancies and can tell us the possible age when people will die. When we have comparative information to help us make choices we can make informed decisions, take reasonable chances and avoid unnecessary risks. We have the basis for managing risk. It was not always like this. The concept of measuring risk dates from the middle of the seventeenth century when two mathematicians, Fermat and Pascal, first proposed theories of probability. Gamblers knew long before this that the chance of throwing a particular number with a true dice was the same for each number on the dice, but they had no mathematical means of expressing this, or for working out differences between long and short runs of dice throwing or for throwing combinations of dice. Most believed a particular number came up because of fate or some decision of the gods. The early history of risk management theory is also the early history of mathematics. We express the severity of a risk in numerical terms and manipulate probabilities with mathematical expressions. This has only been possible since the thirteenth century when the numbers 0 to 9 we now use were gaining acceptance in the Western world. Also, people were only readily able to share ideas after the invention of printing in the middle of the fifteenth century. It took the early mathematicians and scientists over three hundred years to work out how to use numbers for things like multiplication, division, proportions, conversions, and the simple algebra that we now take for granted in school. It was not until 1565 that an eminent physician called Cardano, who was also a mathematician and inveterate gambler, produced a mathematical analysis of games of chance. It was another forty years before Galileo published a paper on similar topics. A1 Evolution of risk management in the seventeenth century Fermat and Pascal set out to decide how to divide the stakes fairly in an unfinished game of chance when one player is ahead when the game stops. They needed to work out what the probable outcome would have been. Fermat worked algebraically while Pascal developed a triangular arrangement of numbers from which probabilities could be deduced. For the first time there was a mathematical way to measure the probability that any specified combination of events might happen in the future. However, this was based on the assumption that all risks had an equal chance of happening or not happening. Pascal also considered the idea that one of two evenly possible risks might be more preferable than the other. As well as measuring the probability that a risk might materialise in the future, the consequences of that event had to be taken into account when deciding what risks to take. However, Fermat and Pascal were mainly dealing with simple risks whose probabilities could be mathematically calculated. How do we measure and assess everyday risks that have no obvious relationship? Can we assess future probabilities of events that are influenced by lifestyle factors or human decisions? Emphasis shifted from predicting the outcome of games of chance to the study of naturally occurring phenomena. A significant development came in 1662 with the publication of an analysis of records of births and deaths in London. This was compiled by a businessman called John Graunt with help from William Petty, a professor of anatomy and music and author of a pioneering book on political arithmetic, a precursor to modern economics. Graunt summarised available data and drew from it a variety of conclusions, including a forecast of life expectancy. He established the value of analysing past data as a reasonable guide to what might happen in the future. Chapter 1 1/4 M67/April 2023 Fundamentals of risk management In 1693, Edmond Halley (best known for calculating the orbit of the eponymous Halley’s Comet) published a similar analysis based on the town of Breslau in Germany, which kept particularly good births and deaths records. Halley developed the idea of statistical distributions and produced life expectancy tables giving the probability that a person of a given age would live for a further number of years. It was this analysis of the numerical measurement of risk of death which led to the development of life insurance and the birth of the annuity business. A2 Evolution of risk management in the eighteenth century Other useful data was being collected around this time for use in forecasting. Edward Lloyd ran a coffee house in London that attracted merchants and shipping proprietors, who exchanged information on the value and risks involved in various shipping options and trade routes. To keep his customers coming, Lloyd started to keep records of shipping movements and conditions abroad and at sea. He had a network of reporters across the trade routes and in 1696 published the information as a document called the Lloyd’s List. People used information in the List to calculate the probability of ships arriving safely at their destinations, and the coffee house became an effective centre of marine insurance, developing in 1771 as the Lloyd’s underwriting business that still exists today. On the Web www.lloydslist.com A major step forward in risk measurement and assessment came with the publication in 1738 of a paper by Daniel Bernoulli in St Petersburg, Russia. Bernoulli recognised that the value placed on a particular risk would be different for different individuals. People react to risk in different ways. Daniel Bernoulli’s uncle Jacob (who was also interested in probability) was attempting to extend early mathematical theories to forecast useful probabilities of risk in the real world. These mathematical theories were developed around games of chance. What general inferences could be drawn from samples of data such as that collected by Halley? Bernoulli worked on the basis that under similar conditions the chance of an event occurring would follow the same pattern as was observed in the past. He deduced that for a large number of events the average value will be more likely than the average value of a small number of similar events to differ from the true average by less than some stated amount. His work allowed estimates of probable average values to be calculated from collections of observed data. Abraham de Moivre is known to have corresponded with the Bernoulli family. In 1733 he published a paper acknowledging their early work and showing how the values of a set of similar random events would distribute themselves about the mean value. His distribution is known today as the normal curve, and has been shown to apply to many varied types of measurements. By observation of the standard deviation of results about the mean, it became possible to judge whether a data sample is sufficiently representative of the whole. A3 Evolution of risk management in the nineteenth century Following these developments in the eighteenth century, mathematicians became obsessed with collecting measurements so they had reliable past data to analyse. Quetelet, for example, was involved in planning the French census of 1829. With this data and other social measurements he analysed the characteristics of a variety of groups of people. He found that his measurements often fitted the normal distribution, which led him to come up with the idea of the ‘average man’ (or woman) in a particular sociological group. This is a concept which we still use today. Later in the nineteenth century, Francis Galton measured everything he came across from court sentences to the weight of an ox. He kept detailed records of the range and characteristics of every part of human anatomy. Developing a keen interest in heredity, he plotted changes in characteristics from one generation to the next. Studying the distribution of heights, for example, he found that parents with heights at the edges of the normal distribution for their generation did not invariably go on to produce even taller (or shorter) children. However, after one or two generations their children’s heights would be shorter, Chapter 1 The meaning of risk 1/5 Chapter 1 which would be more aligned towards the average heights for the group. His observations of ‘regression to the mean’ are fundamental to many risk management strategies today. Galton built on the earlier work by Gauss and Laplace. Large numbers of independent measurements are needed to decide whether a normal distribution can reliably be applied to any particular situation. Also, care must be taken to investigate cause and effect to distinguish one off events from the outlying measurements of random distributions. Henri Poincaré developed these ideas, recognising from the outset that real risk decisions often have to be taken when there is not enough reliable data available to be used for mathematical purposes. A4 Evolution of risk management in the twentieth century By the twentieth century attention had moved on from essentially mathematical developments and the study of distributions of naturally occurring phenomena. People were interested in the human element of decision making and risk taking. How do real people decide which risks to take? Why do people with the same facts make different decisions? What circumstances encourage people to take larger risks? Why do we gamble when we know the mathematical odds say we should lose? People like Arrow, Knight and Keynes focused on risks that could not be measured. New developments and inventions were happening rapidly that bore no resemblance to anything that was relevant in the past. World War I had introduced discontinuity where previously people were looking for order. Limitations of earlier work were exposed as emphasis shifted from the study of probability to theories of uncertainty. Knight and Keynes were economists trying to make sense of the relationships between unemployment, interest rates, money supply, borrowings and growth. Knight distinguished between risk and uncertainty, arguing that uncertainty could not be measured and that if risk could be measured then it could not be termed uncertainty at all. Attitude to uncertainty should be different to attitude to risk. Keynes worked with degrees of belief about the probability of future events, with past data often misleading or irrelevant. If outcomes were not inevitably following laws of chance or nature, then outcomes could be influenced by judicious interference in cause and effect. Risk management was possible. Economists, however, faced a major practical difficulty. Changes could be made to influence a particular outcome, but immediately people would react to those changes. Different decisions would be made and the resulting model might be quite unlike the model on which the original judgments were based. Decisions could not be guaranteed to produce the required effect. They had to be assessed on the basis of their likelihood of producing that effect. Considerations of this nature gave rise to the study of strategic game theory. This is where one person seeks to gain advantage over the other, without knowing in advance how their opponent is going to respond to any particular move. Von Neumann published a theory of games of strategy in 1926 analysing a very simple game in mathematical terms. Later, Von Neumann and Morgenstern produced a theory of games and economic behaviour, suggesting how risk appetites (how much risk an individual or organisation is willing to accept) might be measured in numerical terms and mathematical calculations applied to rational decision making. In 1900 Bachelier attempted to develop a mathematical model to simulate fluctuations in the value of financial products. However, up until World War II, managing risk was mainly seen as a combination of risk avoidance and insurance. A4A Post-World War II onwards It was not until the 1950s that risk management theory began to develop into the form we recognise today. Insurance products were becoming costly and incomplete and some risks were uninsurable. During the 1960s, attention turned to continuity planning, self-protection and self-insurance schemes and protection against work-related illness and accidents. Loss prevention and safety management became fashionable. The 1970s saw large fluctuations in interest rates, stock market returns, exchange rates and the prices of many raw materials and commodities. This led to derivatives being used as a risk management tool. Originally derivatives were seen as a simple option to buy or sell Chapter 1 1/6 M67/April 2023 Fundamentals of risk management stock or commodities at a fixed price at a future date. However, they were seen as a form of insurance and available options soon became more complex and secondary markets evolved, leading to new risks which needed to be managed. The development of self-insurance and other risk retention programmes continued, especially in relation to large organisations. In parallel to these, captive insurance companies emerged as alternative risk financing options. By the 1980s, large companies were introducing financial risk management and financial institutions were increasing market and credit risk management activities. Consider this… What do you think are the benefits of a captive insurance company? Operational risk and liquidity risk management became popular in the 1990s as organisations realised the importance of having enough cash available to meet commitments when required. Computers also became affordable in the 1990s and financial institutions developed risk management models and capital calculation formulae to protect themselves from unanticipated risks and reduce capital. International regulation of risk started, governance and control of risk became essential and risk management standards evolved. The large risks involved in new and rapidly growing financial markets and products became apparent in the late 1990s when a number of high profile bankruptcies were attributed to speculation in derivatives. Governments were forced to intervene and financial regulation tightened. The group of ten most industrialised nations had agreed in 1988 a system for regulating banks by controlling their capital reserves (Basel I accord). This was upgraded in 1994 (Basel II), introducing a more risk-based calculation of capital value for credit risk control and extending capital calculation rules for operational risk. In 2010 Basel III added more capital controls to address liquidity risk and emphasised the importance of financial risk management, transparency and corporate governance. Most Basel III requirements were adopted in UK legislation when leaving the EU, but some remain for discussion, particularly the calculation of risk weighted assets used to determine statutory capital ratios (the ratio of capital held by firms to the value of risk weighted assets). Consultation on these opened in 2022 with a view to full UK implementation from January 2025. Similar controls for insurance organisations were the subject of EU directives known as Solvency I in 1973 and Solvency II, which was implemented in January 2016. Brexit The UK left the European Union (EU) on 31 January 2020, following the referendum on 23 June 2016. A transition period applied until 31 December 2020, during which the UK continued to follow all the EU's rules. From 11pm on 31 December 2020, UK insurers and intermediaries lost their passporting rights to conduct business in the European Economic Area (EEA). To continue servicing their EEA clients, many UK insurers and intermediaries decided to operate through new or existing subsidiaries in the EEA, while the UK agreed to EEA firms continuing their activities for a limited period of time, if they entered the UK's Temporary Permissions Regime (TPR) at the beginning of 2020. The EU has expressed its opposition to 'post box' European operations. And, it has challenged arrangements where a new European operation was set up by the UK insurer purely to deal with EU business post Brexit, with no or few employees physically present in the relevant Member State. Chapter 1 The meaning of risk 1/7 Chapter 1 Regarding the run-off period for existing insurance contracts, the UK has allowed EEA insurers a 15-year period to continue servicing such contracts with UK insureds. The matter is more complex for UK insurers’ contracts with EEA insureds, as every EU State has implemented different rules which apply to UK insurers in its jurisdiction. Negotiations about an equivalence regime between UK and EU regulation started in March 2021 but have since broken down. It is unlikely the EU will grant equivalence to the UK's regulatory regime, due to the expected divergence by the UK from EU rules in the future, particularly in respect of Solvency II. Equivalence under EU law occurs where a third party's regulatory framework is sufficiently similar to EU standards that firms from that country are given access to the EU market. Equivalence is granted at the discretion of the EU Commission and can be withdrawn or changed at any time. It is not, therefore, the same as the passporting status enjoyed by UK firms before Brexit. From the UK's perspective, the EU Solvency II regime has been criticised because of its imposition of high-risk margin requirements. In fact, during the Queen's Speech on 10 May 2022, it was announced that the Financial Services and Markets Bill will revoke retained EU law on financial services, replacing it with an approach to regulation that is designed for the UK. Please note: This is the position at the time of publication. Any relevant changes that may affect CII syllabuses or assessments will be announced as they arise on the qualification update page for the unit. On the Web To learn more about Solvency II visit the EIOPA website: eiopa.europa.eu In the USA stringent governance and financial reporting regulations were imposed by Sarbanes–Oxley Act 2002 covering all companies listed on the New York Stock Exchange. Corporate governance requirements specifically emphasised risk management controls and recommended risk management standards to be followed. These developments were echoed in the UK with particular attention paid to the role, responsibilities and actions of directors, chief executives and senior management of organisations, who were to be held accountable for their long-term decisions. Insurance is no longer seen to be the main answer to risk-related problems. We look at the management of risk across and around an organisation as a whole. With emphasis on prevention of risk-related problems and sharper focus on managing consequences when a risk materialises (in the form of business continuity management) organisations are viewing risks in a more holistic way. Accidents are no longer accepted as fate. People look for the cause and try to allocate responsibility. Someone did something they should not have done or did not do something they should have done. Financial implications are argued by lawyers and health and safety regulations abound. While events such as lightning strikes are still attributed to acts of God, authorities are expected to recognise the probability of other natural disasters occurring in their region and legislate to mitigate their effects. Risk management professionals still have to address the same issues faced by the early pioneers. Insurers, intermediaries and organisations alike continue to try and predict future events and what their impact will be if they materialise. Debates around validity of data and its relevance abound and inferences or reasonable judgments still have to be made. Time continues to be devoted to identifying underlying causes of events and to management of their outcomes when they materialise. Before any decisions can be made, risks must be identified and measured so their threats and cost implications can be compared. As we have seen, it was the early work of mathematical pioneers over a long time period that made this first element of risk management possible. However, any organisation has to start by deciding what sort of risks they are prepared to take. In order to understand the process leading to decisions whether or not to accept certain risks it is important to appreciate in general terms how risks may be perceived. Are we happy to tolerate certain risks but not others and, if so, why? What shapes our thinking in this area? In the next section we will look at the different ways risks can be perceived. Chapter 1 1/8 M67/April 2023 Fundamentals of risk management B Risk perception People view risk in different ways and will therefore react differently to identical risks. What would happen if a group of people are asked to estimate the risk of fatality from various hazards and the answers compared with actual statistical observations? Slovic, Fischhoff and Lichtenstein found that individuals consistently underestimate or overestimate certain types of risk although the group average may be near the actual figure. What influences are at work? In this section we will look at the following issues which are associated with risk perception: Voluntariness Other influences Controllability on risk perception Dread and Delay unknown risks Man-made and Media natural risks Expected benefits Familiarity B1 Voluntariness Renn, Jungermann and Slovic confirmed our perception of risk is reduced if we choose a risk voluntarily, and our risk perception is increased if the risk is imposed on us. Earlier work by Starr found people were willing to accept risks they chose themselves (for example, skiing) that were up to one thousand times greater; compared to risks they had to accept which were imposed on them (for example, food preservatives). They chose risks because they wanted the rewards involved, and at the same time were confident of their personal ability to control the risk. They had freedom of choice and were prepared to accept responsibility for their decision. B2 Controllability People are more willing to accept risks they think they can control. Risks that are out of our control are more frightening because we cannot influence their outcome. Sjoberg notes that most people overestimate their ability to control risk, thinking they are better than average, which of course everyone cannot be. A variation of controllability is when we do not have the skills needed to accept a risk (say flying an aeroplane) then our perception is influenced by the degree of trust we have in the responsible person we accept on our behalf. B3 Delay If the effect of a risk is far into the future we may be more willing to accept that risk now. Perhaps we think something in the meantime will happen to reduce or avoid the consequences of the risk. A typical example is a smoker willing to accept known risks spelt out on the packet for transient rewards of immediate pleasure. Chapter 1 The meaning of risk 1/9 Chapter 1 B4 Man-made and natural risks Man-made and natural risks are perceived differently, the latter being more accepted than the former. This refers back to control. We assume something could be done to reduce the effect of man-made situations. We look to cause and effect and someone responsible to blame when things go wrong. Natural processes can be accepted as acts of god or fate, against which there is no redress. However, distinctions in this area are becoming blurred as some natural phenomena like global warming and climate change are being linked to man- made activity, and common natural disasters like floods and earthquakes can be defended against with suitable man-made precautions. B5 Familiarity Familiarity with risks also affects our perception. Slovic, Fischhoff and Lichtenstein confirmed we get used to living with certain risks, for example with driving, and our perception of the real risk can diminish with time. Uncertainty causes us problems and new risks whose outcomes are unknown can cause particular concern. Examples here would be the BSE/CJD beef scare, the consequences of genetic engineering and the side effects of shale gas fracking. B6 Expected benefits Expected benefits also influence our view of risk. We have already seen that driving, for example, a known high risk is accepted because of the overriding benefit of getting quickly from place to place. In this case, a personal risk gives a personal benefit, but will we accept a risk if the benefit goes to someone else? Studies show that we are more prepared to accept risk where we perceive benefits to be justly shared than if we think benefits are unfairly distributed. We may accept living with nuclear power stations because we all benefit from the resultant energy distribution, but we may protest about coal mining where risks may be seen as out of proportion to the distribution of rewards. In addition, people’s perception of justice differs between communities according to whether rewards are distributed universally, principally to benefit the poor or disadvantaged, or principally to benefit risk takers or contributors. B7 Media Finally, perceptions of risk are influenced by the media. Risks not in the media are not seen as important as those that are. Rightly or wrongly, we think risks must be important if the media has chosen to cover them. Today the media and social networking sites are among the main influences on our knowledge of risk, though there is debate as to how much media reports alter risk perception. The above broad classifications are attributed to the work of Slovic and others in 1985. In his paper, Perception of Risk, his US-led research also came up with a further way to illustrate how risks come to be viewed by comparing and plotting on a simple graph two extreme risk descriptions he called dread and unknown risks. B8 Dread and unknown risks A psychometric paradigm can be used to illustrate and compare the way ordinary people judge risks. Based on observation that many of the influences described below correlate with each other, a simplified chart is produced based on two composite risk descriptors – dread risk and unknown risk. Be aware Dread risks are characterised by perceived lack of control, catastrophic potential, inequitable distribution of risks and benefits and dreadful consequences. The opposite of dread risk is risk with characteristics such as controllable, individual or relatively contained consequences, equitable and voluntary. Unknown risks are those less generally known, with limited knowledge of the risk, perhaps with delayed effect and where the risk type is new. The opposite is known risks with known consequences, observable, and with immediate effect. Chapter 1 1/10 M67/April 2023 Fundamentals of risk management As you can see from figure 1.1, using dread and unknown risks as the x and y axes of a chart, with their opposites in the negative direction, people’s perception of particular risks can be plotted in relation to each other. This gives a visual representation of the weight people tend to place on various categories of risk. Risks in the high dread/high unknown sector tend to be widely discussed and generally overestimated. Risks in the low dread/low unknown area attract little attention and are generally underestimated. Following this observation, if a new risk can be positioned on the chart, predictions can be made about the amount of public concern likely to be generated. Figure 1.1: Dread and unknown risks Unknown risk Microwave ovens Electric fields Diagnostic x-rays Radioactive waste Nuclear reactor Pesticides accidents Antibiotics Asbestos insulation Satellite crashes Caffeine Lead paint Coal burning pollution Vaccines Skateboards Auto exhaust (CO2) Dread risk Smoking (disease) Large dams Skyscraper fires Chainsaws Underwater construction Bicycles Fireworks Auto racing Auto accidents Handguns Source: Slovic, P (1987) ‘Perception of risk’, Science, 236(17 April), pp.280–5, DOI: 10.1126/science.3563507. Reprinted with permission from the American Association for the Advancement of Science (AAAS) and Dr Paul Slovic. Modified with permission from Dr Paul Slovic. B9 Other influences on risk perception Risk perception influences are not limited to the factors outlined above. Further studies are exploring wider social issues and the effect of cultural differences between communities across the globe. Religious beliefs, lifestyle and economic concerns all have to be taken into account as well as different notions of justice and fairness. Local concerns can override otherwise general conclusions. In 2000 Renn and Rohrmann suggested a structured framework to take these additional factors into account. They adapted an earlier model developed by Breakwell in 1994 to highlight four context levels of risk perception. Each level has two sections reflecting individual and collective influences, and each level is embedded in the higher level to highlight mutual interdependence. A simplified diagram of Renn and Rohrmann’s structured framework is illustrated in figure 1.2. Chapter 1 The meaning of risk 1/11 Chapter 1 Figure 1.2: Renn and Rohrmann’s structured framework Personal identity and views Cultural influences Social, political and economic culture Media influence Knowledge of risk Emotional factors Collective reasoning strategies Common sense First level The first level covers collective and individual reasoning strategies that have evolved over the years, popularly referred to as common sense. These strategies are independent of the nature of a risk and are primary mechanisms of selecting, memorising and processing signals to form an opinion about the seriousness of the risk. Second level The second level covers knowledge of the risk, or at least what we believe from available information to be true. It also recognises that emotional factors are important. Whether the consequence of a risk is seen as good or bad will colour a person’s attitude to the risk and influence their process of balancing risk with rewards. Third level Level three concerns the influence of social and political institutions that people associate with a risk or its cause. People’s views are shaped by the views of their reference group, the group a person would like to or believes they belong to. Level three recognises economic as well as social status and values and acknowledges important input from the media. Fourth level The last level explores cultural factors that affect risk perception and govern many of the lower levels of influence. Perception of risk is shaped by the society in which we live. Politics, climate, economic development, culture and religion all play a part. We develop a view of the world from within this framework, together with our personal identity and beliefs. Studies focus on the importance of powerful interest groups, with either open or perceived hidden agendas, in altering individual attitudes and emotions. All four levels of influence need to be taken into account to study how people evaluate risk. The old model of probability and consequence does not match how people actually think. We know that psychological, social and cultural contexts need to be taken into account together with their mutual interactions. However, as of yet no one has developed a practical model that can be relied on to predict real decisions. Consider this… Despite the availability of a suitable vaccination programme, people in South Wales did not get children immunised and later suffered from a local outbreak of measles in 2013. What factors might have influenced their decision? Further problems arise when we consider the consequences of major new and emerging risks, as their indirect effects need to be taken into account. Will their outcome change the political or economic climate? Will the risk trigger widespread change in attitudes or new social movements? Can general conclusions ever be reached? Chapter 1 1/12 M67/April 2023 Fundamentals of risk management Consider this… COVID-19 was a major new risk emerging during late 2019, changing political and economic climates round the world, disturbing business and social activities and stimulating sometimes impassioned argument and rhetoric throughout 2020. Think how the various elements of Renn and Rohrmann's model have influenced the reactions of media reports and people you know. B10 Importance of risk perception in risk management Anyone trying to manage risk must recognise the multitude of factors determining how risks are going to be perceived and take them into account when making practical decisions. Risks cannot be ignored simply because one person or group does not see them as important. Conversely, people may demand controls for risks they see as threatening, even when mathematical logic says their probability is low. Communication can be vital. Open discussions may change opinions or at least gain acceptance of proposed mitigation measures. How individuals, or groups of individuals, at senior management or executive level perceive a given risk can be fundamental to the future direction of an organisation. This is because it could shape their risk appetite and their attitude to acceptance of a given risk. Similarly, maybe at a lower level in an organisation, an individual’s perception of a risk, or set of interrelated risks, could severely hamper their judgment or dictate their pattern of future behaviour. Recognising that different people see risks and opportunities in different ways, it is important to avoid significant decisions being taken by dominant individuals or by groups of like- minded people. In certain circumstances, an individual allowed to take large risks in a reckless or irrational manner could jeopardise the whole future of an organisation. We will see in chapter 7 that organisations are encouraged to promote diversity in management and decision-making committees. As well as the skills and experience necessary for the position, ethnic background, gender, age and religion should all be taken into consideration as appropriate, so more balanced conclusions can be reached. The way individuals in an organisation approach risk assessment and risk acceptability is influenced by the attitude and behaviour of senior management over a period of time. Organisations develop a particular way of approaching risk that is known as the organisation’s risk culture. We will discuss the importance of risk culture in chapter 3. As we will see it is a vital element of effective risk management. C Risk and uncertainty We have seen that risk is associated with uncertainty. We may be able to identify a risk but be uncertain about how often and when it will materialise in the future, if at all. Study of past measurements and application of probability theory can crystallise the degree of uncertainty associated with known risks, but we will always be faced with uncertainty when considering new and emerging risks. As well as frequency and timing, precise consequences and impact may also be unknown. Uncertainty has to be taken into account when attempting to manage and control risk in a practical environment. Control mechanisms and management alternatives for dealing with retained risks need some built in tolerance in case attributes of a risk turn out to be smaller or larger than expected. This can be particularly important where the risks affect objectives that have strict time deadlines for completion. When undertaking new projects or changing processes or structure, an organisation has to accept a degree of uncertainty and build in continuity plans. It must decide what variations from the original anticipated outcomes can be tolerated. Using concepts of classic control theory developed by mathematicians and engineers to keep machinery performances within specified tolerances, information gathered from measuring the effect of a variation on the outcome of a project can be fed back to control the variation and bring it back within acceptable limits. This sort of control risk management is the basis of a risk management approach often adopted by auditors and accountants. Frequently referred to as internal control, it Chapter 1 The meaning of risk 1/13 Chapter 1 concentrates on reducing uncertainty of outcomes by controlling risks and risk assessment is of secondary importance. Useful as this may be in particular project endeavours, organisations should not concentrate solely on internal control management techniques as they may find the process stifles entrepreneurial flair. We will explore the role of the audit functions and internal control issues in chapter 3. Consider this… What steps can an organisation take to protect against late delivery of a new project: when it is uncertain exactly how long it will take to complete key activities; and when it is uncertain when or how often work will be disrupted by unplanned events controlled by others? Question 1.1 Why is understanding risk perception important in managing risks? D Risk and reward Risk management is also about opportunity. We can illustrate this with an example. Example 1.1 A dental surgery plans to move from paper records to a fully computerised system. There are risks at the implementation stage, such as delays in software supply or surgery staff being unfamiliar with the software. However, there is a big opportunity to save time and money through ease of access to records. Also, there will be ongoing risks such as data security and back-up, but if those risks are properly managed the opportunity will be fully maximised. Now consider the following statements: A risk is the threat that an event or action will adversely affect an organisation’s ability to maximise stakeholder value and to achieve business objectives. Risk arises as much from the possibility that opportunities will not be realised as it does from the possibility that threat will materialise or that mistakes will be made. Risk is integral to all opportunity and is as much about opportunity as it is about threat. A person or organisation pursuing an opportunity balances risks involved against perceived rewards. There is always an element of risk. As a child you would have experienced conflict between risk and reward, for instance when learning to ride a bicycle. Pleasure of success would have been tempered by the pain of inevitable early falls. In theory then, we can measure the magnitude of a risk by evaluating and measuring its consequences, and balance that risk against any possible reward gained from allowing the risk to continue. We will see that sometimes risks are taken deliberately to achieve potential reward. Other times the reward is merely in reducing or removing risk, saving time or money that would be spent if that risk materialised. The difficulty, as we saw earlier, is that each person or organisation has their own perception of the value of a particular reward and make their own assessment of the effect of misfortune. The decision whether to tolerate a risk or try to avoid it is not always a simple one to make. This study text is concerned with risk management in business rather than personal and household risks. However, business organisations are simply groups of people organised to achieve common aims: Those who enjoy and use risk. Those who are risk-averse. Those who fit into the gap between the two extremes and bring their own personalities with them. Chapter 1 1/14 M67/April 2023 Fundamentals of risk management The overall attitude to risk an organisation adopts will depend on its directors and managers as well as its strengths, sensitivities, culture, marketplace, competitor strength and stakeholder expectations. E Types of risk In this section we will look at individual or specific risks which an organisation is likely to face. We will start to appreciate the scope of individual risks and how they are sometimes difficult to clearly describe or define. Any organisation must agree on the description or definition of specific risks, especially those whose management is considered fundamental to its future success. This is a practical necessity because these risks will be referred to in many risk-related communications, including risk registers, and need to be universally understood. Later on, as we move through the key stages of a risk management process, we will consider tools and techniques to identify a whole range of differing risks. Then we will look at some suggestions of the best way to go about grouping or placing risks into appropriate categories and sub-categories. For many reasons we will see that this is no easy task. For our examples we have selected risk names that appear frequently in risk literature, particularly in the context of financial service institutions. Their management is usually considered to have a fundamental part to play in the success of organisations within that sector of the economy. While the descriptions do not provide a definitive form of words to describe these specific risks they should give you a feeling for their nature and likely scope. We will revisit some of these risks when we consider options available for risk control or mitigation. Various definitions or descriptions of specific risks can be found in academic reference material, business and general dictionaries, financial media and books. Definitions vary from one organisation to another, different economic sectors, relevant professional organisations and with different people. Definitions can be brief or elaborate and can apply to groups of similar or different risks, related or independent. Be aware There is no universally accepted risk management terminology and therefore no universally accepted definition of individual risks. Remember that specific risks can dovetail and overlap with others. It is not always clear where demarcation lines should be drawn, or what risks should fall under broad heading descriptions. To a non-specialist person, terms such as corporate risks and business risks may appear to be interchangeable. Similarly, strategic risks are conventionally associated with long-term decisions or objectives of an organisation, but would all senior management teams agree on what long-term risk is? Long term in one organisation may be considered short term in another. Similarly, what risks would you consider under the heading of reputation risk? Would you include corporate social responsibility considerations? Would you include reference to media and, if so, which sections? Would you make specific reference to issues arising from social media? Questions like these are obviously relevant when we try to put risks into categories, but they also affect the description or definition of individual risks. Organisations therefore need to decide what definitions they will use and make sure names are consistently applied across the organisation. All functions need to understand how a given risk is defined and the context in which it should be used. This understanding must permeate all levels of the organisation if confusion and inconsistent risk related decisions are to be avoided. We start by looking at two very broad categories: speculat

Fundamentals of risk management M67 Study Text 2023-24 PDF

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue