Year: 2020

Risk Assessment Tools

A critical but often overlooked aspect of a competent derivatives trading operation are the computer systems and risk assessment tools used to manage risk, account for the positions on a mark-to-market basis, track derivatives-related events (such as expiries and rollovers) and measure Value-at-Risk. Options produce their own problems because of the convexity of these products.

One must have an appreciation of how these risks change with the progress of time and the evolution of prices. It helps to establish a framework for evaluating a financial risk management system and use this framework to assess some of the more common off-the-shelf products on the market.

Using Derivatives Risk Assessment Tools

Integration

At the beginning of the global derivatives market’s development, almost every bank pursued derivatives in a stand-alone asset-class-by-asset-class fashion. That is to say, one group managed interest rate derivatives, another group managed equity derivatives and a third group managed foreign exchange derivatives.

However, an increasing number of financial institutions are turning to a more integrated approach, stripping the derivatives desks from each asset class’ cash group and combining them into a more efficient cross-marketing machine. Once you understand interest rate derivatives, it is fairly straightforward to understand equity derivatives or foreign exchange derivatives. Conversely, it is not necessarily the case that a manager who has spent his entire career overseeing spot foreign exchange salespeople will be able to understand the way in which a derivatives book works.

To Buy or to Build

The next question the bank’s senior management must ask itself is whether or not the bank should buy off-the-shelf risk assessment tools or build one using its own internal IT resources.

Buying a system is convenient, particularly if it is one that is in widespread use. Popular systems have been tested and have had all of the kinks worked out. The more popular the system, the less likely that it is vulnerable to internal control irregularities. The more popular the system, the less likely it is possible for individuals to manipulate the bank’s official records for fraudulent purposes. Systems are typically very expensive, with charges for both a site license and individual annual log-ins. Many of the companies that sell these systems make it easy for the user to customize reports, batch files, and pricing modules, among other things.

However, many financial institutions are reticent to relinquish the responsibility for risk management computer systems to a third party. The managers of these institutions would prefer to have their own internal risk management personnel design the system that is then implemented by the bank’s IT staff. Not only is this more expensive than buying an off-the-shelf system in terms of up-front dollar cost and delays in implementation, but the system is vulnerable to the expertise of a handful of individuals, who may not always be available or may choose to leave the company.

Interface

One of the key aspects of a well-designed system is its flexibility. Good risk assessment tools will have a user interface that is customizable. A vast majority use the Internet as their interface platform, as it allows for quick and efficient information exchange across multiple markets. The interface is also the mechanism in which reports are designed.

Asset Class Coverage

Good risk assessment tools will provide the senior management with the ability to immediately access information on all of the derivatives activities in which the financial institution is engaged, across all asset classes.

Covering all of the asset classes also allows for greater overall risk-taking because it allows for the portfolio effects of diversification of risk across the different asset classes.

Pricing Model Flexibility

Model risk refers to the problems associated with discrepancies between the theoretical pricing of a financial instrument and the way in which it actually trades in the market. The difference in price, for a given set of input parameters, is a result of the assumptions that are necessary for solution of the mathematical model of the price of the financial product in question.

For some financial products, particularly the more exotic or novel ones, the choice of pricing model is controversial. A good risk management system will allow management to pick and choose the pricing model it prefers for a particular instrument and compare the model risk in different market environments associated with individual pricing models.

Ability to Link to Other Systems

Derivatives risk assessment tools are only one of a handful of systems with which the dealer at a financial institution must be familiar. Other systems include ticketing systems for cash instruments, accounting systems, credit risk management systems and, possibly, spreadsheets tracking customer portfolios.

A dealer’s life is made much easier when the primary system he uses on a daily basis, the risk management system, can communicate its information to the other relevant systems automatically. Otherwise, the dealer (or more likely his assistant) will have to input multiple tickets for a single transaction. This is not just a question of personal effort. It is also an operational risk issue. Every time the dealer inputs a ticket, there is room for an error. Too many errors and the bank begins to lose customers as well as money.

The following are some of the best risk management tools and techniques that professional project managers use to manage their projects against the inevitable risks, issues and changes.

Brainstorming

To begin the brainstorming process, you must assess the risks that could impact your project. This starts with reviewing the project documentation, looking over historic data and lessons learned from similar projects, reading over articles and organizational process assets. Anything that can provide insight into issues that might occur during the execution of the project. Once you’ve done your research, start brainstorming with anyone who might have insight.

A variant of this is the Delphi technique, which is when a request is sent to experts and they reply anonymously. Or the project manager can interview experts, team members, stakeholders and others with experience in similar projects.

Root Cause Analysis

The root cause is another way to say the essence of something. Therefore, root cause analysis is a systematic process used to identify the fundamental risks that are embedded in the project. This is a tool that says good management is not only responsive but preventative.

Often root cause analysis is used after a problem has already come up. It seeks to address causes rather than symptoms. But it can be applied to assessing risk by going through the goals of any root cause analysis, which ask: What happened? How did it happen? Why did it happen? Once those questions are addressed, develop a plan of action to prevent it from happening again.

SWOT

Begin with strengths and determine what those are as related to the project (though this can work on an organization-level, too). Next, list the weaknesses or things that could be improved or are missing from the project. This is where the likelihood of negative risk will raise its head, while positive risk come from the identification of strengths. Opportunities are another way of referring to positive risks and threats are negative risks.

When collecting SWOT, illustrate your findings in a four-square grid. The top of the square has strengths to the left and weaknesses to the right. Below that is opportunities to the left and threats to the right. The left-hand side is helpful to achieving the objective of the project and those on the right-hand side are harmful to achieving the objective of the project. This allows for analysis and cross-reference.

Risk Assessment Template for IT

While this tool was developed for IT projects, it can be expanded to speak to any project. What a IT risk assessment template offers is a numbered listing of the risks, to keep them in order, and then an out that risk is and the control environment. It basically provides a space in which to collect the risks of a project, which is also helpful when executing the project and tracking any risks that become reality.

One of the aspects of the risk assessment template for IT is that the spreadsheet has a built-in calculator that figures out the likelihood of a risk in fact occurring and then multiples that against the impact it would have on the project or the organization. This way, a project manager knows the potential harm of the risk and so can prioritize their response to it if or when the risk happens.

Risk Register

Similar to the risk assessment template for IT is a risk register. It also is a list to track risk, a tool that can be as simple as a spreadsheet or as dynamic as a project management software like ProjectManager.com. Basically, what a risk register does is identify and describe the list. It then will provide space to explain the potential impact on the project and what the planned response is for dealing with the risk, if it occurs. Furthermore, the risk register allows a project manager to prioritize the risk, assign an owner responsible for resolving it and gives a place to add notes as needed.

The risk register is a strategic tool to control risk in a project. It works to gather the data on what risks the team expects and then a way to respond proactively if they do show up in the project. It has already mapped out a path forward to keep the project from falling behind schedule or going over budget. Pick up a free risk register template here.

Probability and Impact Matrix

Another tool for project managers is the probability and impact matrix. It helps prioritize risk, which is important, as you don’t want to waste time chasing a small risk and exhaust your resources. This technique combines the probability and impact scores of individual risks and then ranks them in terms of their severity. This way each risk is understood in context to the larger project, so if one does occur, there’s a plan in place to respond or not.

The matrix is a box, broken up in probability on the left, ranging from rare on top to very likely on the bottom. The top is the impact, going from trivial on the left to extreme on the right. The individual boxes then are colored, so that the top left corner is green for low risk. The middle, rising from the bottom left corner to the top right corner is yellow for medium risk. The bottom right corner is red for high risk. This provides a road toward reaching a priority list that gives project managers the head’s up as to when to act and when they can keep a risk on the backburner of a project.

Risk Data Quality Assessment

With a risk data quality assessment technique, project managers use data that has been collated for the risks they’ve identified. This is used to then find the level to which information about the risk is relevant to the project manager. It helps the project manager understand the accuracy, reliability, quality and integrity of the risk as related to the collected data about it.

For each risk listed, the risk data quality assessment requires that the project manager determine the extent of the understanding of the risk, collect what data is available, what the quality and reliability is for that data and its integrity. It is only by examining these parameters of the risk can an accurate assessment be reached.

Asset liability management (ALM) can be defined as the comprehensive and dynamic framework for measuring, monitoring and managing the financial risks associated with changing interest rates, foreign exchange rates and other factors that can affect the organization’s liquidity.

Asset and liability management (often abbreviated ALM) is the practice of managing financial risks that arise due to mismatches between the assets and liabilities as part of an investment strategy in financial accounting.

ALM sits between risk management and strategic planning. It is focused on a long-term perspective rather than mitigating immediate risks and is a process of maximising assets to meet complex liabilities that may increase profitability.

ALM includes the allocation and management of assets, equity, interest rate and credit risk management including risk overlays, and the calibration of company-wide tools within these risk frameworks for optimisation and management in the local regulatory and capital environment.

Often an ALM approach passively matches assets against liabilities (fully hedged) and leaves surplus to be actively managed.

The concept of asset/liability management focuses on the timing of cash flows because company managers must plan for the payment of liabilities. The process must ensure that assets are available to pay debts as they come due and that assets or earnings can be converted into cash. The asset/liability management process applies to different categories of assets on the balance sheet.

Evolution of ALM in Indian Banking System

 In view of the regulated environment in India in 1970s to early 1990s, there was no interest rate risk as the interest rate were regulated and prescribed by RBI. Spreads between deposits and lending rates were very wide.  At that time banks Balance Sheets were not being managed by banks themselves as they were being managed through prescriptions of the regulatory authority and the government.  With the deregulation of interest rates,  banks were given a large amount of  freedom to manage their Balance sheets.   Thus, it became necessary to introduce ALM guidelines so that banks can be prevented from big losses on account of wide ALM mismatches.

Reserve Bank of India issued its first ALM Guidelines in February 1999, which was made effective from 1 st April 1999.  These guidelines covered, inter alia, interest rate risk and liquidity risk measurement/ reporting framework and prudential limits. Gap statements were required to be  prepared by scheduling all assets and liabilities according to the stated or anticipated re-pricing date or maturity date.  The Assets and Liabilities at this stage were required to be divided into 8 maturity buckets (1-14 days; 15-28 days; 29-90 days; 91-180 days; 181-365 days, 1-3 years and 3-5 years and above 5 years), based on the remaining period to their maturity (also called residual maturity)..    All the liability figures were to be considered as outflows while the asset figures were considered as inflows.

As a measure of liquidity management, banks were required to monitor their cumulative mismatches across all time buckets in their statement of structural liquidity by establishing internal prudential limits with the approval of their boards/ management committees. As per the guidelines, in the normal course, the mismatches (negative gap) in the time buckets of 1-14 days and 15-28 days were not to exceed 20 per cent of the cash outflows in the respective time bucket.

 Later on RBI made it mandatory for banks to form ALCO (Asset Liability Committee) as a Committee of the Board of Directors to track, monitor and report ALM.    

It was in September, 2007, in response to the international practices and to meet the need for a sharper assessment of the efficacy of liquidity management and with a view to providing a stimulus for development of the term-money market, RBI fine tuned  these guidelines and it was provided that  the banks may adopt a more granular approach to measurement of liquidity risk by splitting the first time bucket (1-14 days at present) in the Statement of Structural Liquidity into three time buckets viz., 1 day (called next day) , 2-7 days and 8-14 days.   Thus, banks were asked to put their maturing asset and liabilities in 10 time buckets.

Thus as per  October 2007 RBI guidelines, banks were advised that the net cumulative negative mismatches during the next day, 2-7 days, 8-14 days and 15-28 days should not exceed 5%, 10%, 15% and 20% of the cumulative outflows, respectively, in order to recognize the cumulative impact on liquidity. Banks were also advised to undertake dynamic liquidity management and prepare the statement of structural liquidity on a daily basis. In the absence of a fully networked environment, banks were allowed to compile the statement on best available data coverage initially but were advised to make conscious efforts to attain 100 per cent data coverage in a timely manner.     Similarly, the statement of structural liquidity was to be reported to the Reserve Bank, once a month, as on the third Wednesday of every month. The frequency of supervisory reporting of the structural liquidity position was increased to fortnightly, with effect from April 1, 2008. Banks are now required to submit the statement of structural liquidity as on the first and third Wednesday of every month to the Reserve Bank.

Board’s of the Banks were entrusted with the overall responsibility for the management of risks and required to decide the risk management policy and set limits for liquidity, interest rate, foreign exchange and equity price risks.

Asset-Liability Committee (ALCO), the top most committee to oversee the implementation of ALM system is  to be headed by CMD /ED. ALCO considers product pricing for both deposits and advances, the desired maturity profile of the incremental assets and liabilities in addition to monitoring the risk levels of the bank. It will have to articulate current interest rates view of the bank and base its decisions for future business strategy on this view

Progress in Adoption of Techniques of ALM by Indian Banks

ALM process involve in identification, measurement and management of risk Parameter. In its original guidelines RBI asked the banks to use traditional techniques like Gap analysis for monitoring interest rates and liquidity risk. At that RBI desired  that Indian Banks slowly move towards sophisticated techniques like duration , simulation and Value at risk in future.  Now with the passage of time, more and more banks are moving towards these advanced techniques.

Asset- Liability Management Techniques

ALM is bank specific control mechanism, but it is possible that several banks may employ similar ALM techniques or each bank may use unique system.

Gap Analysis

Gap Analysis is a technique of Asset – Liability management . It is used to assess interest rate risk or liquidity risk. It measures at a given point of time the gaps between Rate  Sensitive Liabilities (RSL) and Rate Sensitive Assets (RSA) (including off balance sheet position) by grouping them into time buckets according to residual maturity or next re-pricing period , whichever is earlier. An asset or liability is treated as rate sensitive if;

(i) Within time bucket under consideration is a cash flow.

(ii) The interest rate resets/reprices contractually during time buckets

(iii) Administered rates are changed and

(iv) It is contractually pre-payable or withdrawal allowed before contracted maturities.

 Thus;

 GAP = RSA-RSL

GAP Ratio = RSAs/RSL

• Mismatches can be positive or negative
• Positive Mismatch: M.A.>M.L. and vice-versa for Negative Mismatch
• In case of +ve mismatch, excess liquidity can be deployed in money market instruments, creating new assets & investment swaps etc.
• For –ve mismatch,it can be financed from market borrowings(call/Term),Bills rediscounting, repos & deployment of foreign currency converted into rupee.

Currency Risk

Currency risk, commonly referred to as exchange-rate risk, arises from the change in price of one currency in relation to another. Investors or companies that have assets or business operations across national borders are exposed to currency risk that may create unpredictable profits and losses. Many institutional investors, such as hedge funds and mutual funds, and multinational corporations use forex, futures, options contracts, or other derivatives to hedge the risk.

Currency Risk, sometimes referred to as exchange rate risk, is the possibility that currency depreciation will negatively affect the value of one’s assets, investments, and their related interest and dividend payment streams, especially those securities denominated in foreign currency. Corporations with operations in overseas markets are also exposed to currency risk since their foreign financial results must be consolidated into the company’s home currency. Corporate treasurers and investment managers, particularly with larger multi-national firms where the risk is material, attempt to manage this risk with various hedging techniques where appropriate. Typically, a Treasury Policy exists that states that currency risk must be mitigated where economically justified by using a specified list of financial instruments that may be employed for the purpose. Generally, a combination of forex forwards and options allow the company to fix country risk within acceptable levels as along as premiums are reasonable. These hedging techniques are not consistently effective, but diversification into many major currencies can help limit this risk.

Examples of Currency Risk

To reduce currency risk, investors can consider investing in countries that have strong rising currencies and interest rates. Investors need to review a country’s inflation, however, as high debt typically precedes inflation. This may result in a loss of economic confidence, which can cause a country’s currency to fall. Rising currencies are associated with a low debt-to-gross domestic product (GDP) ratio.

The Swiss franc is an example of a currency that is likely to remain well-supported due to the country’s stable political system and low debt-to-GDP ratio. The New Zealand dollar is likely to remain robust due to stable exports from its agriculture and dairy industry that may contribute to the possibility of interest rate rises. Foreign stocks sometimes outperform during periods of U.S. dollar weakness, which typically occurs when interest rates in the United States are lower than other countries.

Investing in bonds may expose investors to currency risk as they have smaller profits to offset losses caused by currency fluctuations. Currency fluctuations in a foreign bond index are often double a bond’s return. Investing in U.S. dollar-denominated bonds produces more consistent returns as currency risk is avoided. Meanwhile, investing globally is a prudent strategy for mitigating currency risk, as having a portfolio that is diversified by geographic regions provides a hedge for fluctuating currencies. Investors may consider investing in countries that have their currency pegged to the U.S. dollar, such as China. This is not without risk, however, as central banks may adjust the pegging relationship, which would be likely to affect investment returns.

Interest Rate Risk

Interest rate risk is the risk that arises for bond owners from fluctuating interest rates. How much interest rate risk a bond has depends on how sensitive its price is to interest rate changes in the market. The sensitivity depends on two things, the bond’s time to maturity, and the coupon rate of the bond.

Interest-rate risk is the risk, taken by bond investors, that interest rates will rise after they buy. Stated another way, it is the risk that a bond’s yield will rise (as its price falls) after it has been purchased.

All bonds involve interest-rate risk, but some involve more than others. The more interest-rate risk a bond involves, the more its price will fall as its yield rises. Duration quantifies the amount of interest-rate risk a bond involves.

Interest rate risk in a bond or a bond portfolio arises on account of the vulnerability of the value of the bond or the portfolio to the changes in interest rates.

When interest rates change, it has an impact on new and existing bonds. New bonds will now pay a coupon rate that reflects the prevailing interest rates, while existing fixed-rate bonds will not see a change in their coupon rates. However, the price of the bond will adjust so that the yield will reflect the new levels of interest rates.

If interest rates go up, existing bonds that pay a lower coupon will see a decline in the prices so that the yield from them will adjust upwards to the current market rates.

How to Mitigate Interest Rate Risk?

Similar to other types of risks, the interest rate risk can be mitigated. The most common tools for interest rate mitigation include:

1. Diversification

If a bondholder is afraid of interest rate risk that can negatively affect the value of his portfolio, he can diversify his existing portfolio by adding securities whose value is less prone to the interest rate fluctuations (e.g., equity). If the investor has a “bonds only” portfolio, he can diversify the portfolio by including a mix of short-term and long-term bonds.

2. Hedging

The interest rate risk can also be mitigated through various hedging strategies. These strategies generally include the purchase of different types of derivatives. The most common examples include interest rate swaps, options, futures, and forward rate agreements (FRAs).

Business Risk management is a subset of risk management used to evaluate the business risks involved if any changes occur in the business operations, systems and process. It identifies, prioritizes and addresses the risk to minimize penalties from unexpected incidents, by keeping them on track. It also enables an integrated response to multiple risks, and facilitates a more informed risk-based decision making capability.

Businesses today are unpredictable, volatile and seem to become more complex every day. By its very nature, it is filled with risk. Businesses have viewed risk as an evil that should be minimized or mitigated, whenever possible. However, risk assessment provides a mechanism for identifying which risks represent opportunities and which represent potential pitfalls. Risks can have negative impact, positive impact, or both. Risks with a negative impact can prevent value creation or erode existing value. Risks with positive impact may offset negative impacts or represent opportunities.

The risk management process involves:

• Identifying risks: Spotting the evolving risks by studying internal and external factors that impact the business objectives
• Analyzing risks: It includes the calibration and, if possible, creation of probability distributions of outcomes for each material risk.
• Responding to risk: After identifying and analyzing the potential risk, appropriate strategy needs to be incorporated. Either by establishing new processes or eliminating, depending on kind and severity of the risk.
• Monitoring risk and opportunities: Continually measuring the risks and opportunities of the business environment. Also keep a check on performance of management strategies.

Types of risks

• Hazard risk: A hazard is anything in the workplace that has the potential to harm people. Hazard risk includes factors which are not under the control of business environment, such as fallout of machinery or dangerous chemical, natural calamities.
• Financial risk: A large number of businesses take risk with their financial assets, quite regularly. Sometimes choosing a wrong supplier or distributor can backfire. Financial risk also includes risk in pricing, currency exchange and during liquidation of any asset. Business risk management should say how much risk is too much in financial relationship.
• Operational risk: Evaluation of risk loss resulting from internal process, system, people or due to any external factor through which a company operates.
• Strategic risks: Might arise from making poor or wrong business plans and losing the competition in the market. Failure to respond to changes in the business environment or inadequate capital allocation also represents strategic risk.

Running a business comes with many different types of risk. Some of these potential hazards can destroy a business while others can cause serious damage that can be costly and time-consuming to repair. Despite the risks implicit in doing business, CEOs and risk management officers can anticipate and prepare for potential risks regardless of the size of the business.

Identifying Risks

If and when a risk becomes a reality, a well-prepared business can minimize the impact on earnings, the lost time and productivity, and the negative impact on customers. For startup businesses and established organizations, the ability to identify which risks pose a threat to successful operations is a key component of strategic business planning. Business risks are identified using various methods, but each identifying strategy relies on a comprehensive analysis of specific business activities that could present challenges to the company. Under most business models, organizations face preventable, strategic, and external threats that can be managed through either acceptance, transfer, reduction, or elimination.

 Hiring a risk management consultant is a good investment for most companies. A consultant can analyze a business and determine which risks should be covered by insurance.

Below are the main types of risk that firms face:

Physical Risks

Building risks are the most common type of physical risk. Fire or explosions are the most common risk to a building. To manage building risk, and the risk to employees, it is important that organizations do the following:

• Make sure all employees know the exact street address of the building to give to the 911 operator in case of emergency.
• Make sure all employees know the location of all exits.
• Install fire alarms and smoke detectors.
• Install a sprinkler system to provide additional protection to the physical plant, equipment, documents, and, of course, personnel.
• Inform all employees that in the event of emergency their personal safety takes priority over everything else. Employees should be instructed to leave the building and abandon all work-associated documents, equipment, and/or products.

Location Risks

Among the location hazards facing a business are nearby fires, storm damage, floods, hurricanes or tornados, earthquakes, and other natural disasters. Employees should be familiar with the streets leading in and out of the neighborhood on all sides of the place of business. Individuals should keep sufficient fuel in their vehicles to drive out of and away from the area. Liability or property and casualty insurance are often used to transfer the financial burden of location risks to a third-party or a business insurance company.

Human Risks

Alcohol and drug abuse are major risks to personnel in the workforce. Employees suffering from alcohol or drug abuse should be urged to seek treatment, counseling, and rehabilitation, if necessary. Some insurance policies may provide partial coverage for the cost of treatment.

Protecting against embezzlement, theft, and fraud may be difficult, but these are common crimes in the workplace. A system of double-signature requirements for checks, invoices, and payables verification can help prevent embezzlement and fraud. Stringent accounting procedures may discover embezzlement or fraud. A thorough background check before hiring personnel can uncover previous offenses in an applicant’s past. While this may not be grounds for refusing to hire an applicant, it would help HR to avoid placing the new hire in a critical position where the employee is open to temptation.

Illness or injury among the workforce is inevitable and a persistent problem. To prevent loss of productivity, assign and train backup personnel to handle the work of critical employees when they are absent due to a health-related concern.

Technology Risks

A power outage is perhaps the most common technology risk. Auxiliary gas-driven power generators are a reliable back-up system to provide electrical energy for lighting and other functions. Manufacturing plants use several large auxiliary generators to keep a factory operational until utility power is restored.

Computers may be kept up and running with high-performance back-up batteries. Power surges may occur during a lightning storm (or randomly), so organizations should furnish critical business systems with surge-protection devices to avoid loss of documents and destruction of equipment. Establish offline and online data back-up systems to protect critical documents.

Although telephone and communications failure are relatively uncommon, risk managers may consider providing emergency-use-only company cell phones to personnel whose use of the phone or internet is critical to their business.

Strategic Risks

Strategy risks are not altogether undesirable. Financial institutions such as banks or credit unions take on strategy risk when lending to consumers while pharmaceutical companies are exposed to strategy risk through research and development for a new drug. Each of these strategy-related risks is inherent in an organization’s business objectives. When structured efficiently, the acceptance of strategy risks can create highly profitable operations.

Companies exposed to substantial strategy risk can mitigate the potential for negative consequences by creating and maintaining infrastructures that support high-risk projects. A system established to control the financial hardship that occurs when a risky venture fails often includes diversification of current projects, healthy cash flow, or the ability to finance new projects in an affordable way, and a comprehensive process to review and analyze potential ventures based on future return on investment.

Making a Risk Assessment

After the risks have been identified, they must be prioritized in accordance with an assessment of their probability.

Establish a probability scale for purposes of risk assessment.

For example, risks may be:

• Very likely to occur
• Have some chance of occurring
• Have a small chance of occurring
• Have very little chance of occurring

Other risks must be prioritized and managed in accordance with their likelihood of occurring. Actuarial tables—statistical analysis of the probability of any risk occurring and the potential financial damage ensuing from the occurrence of those risks—may be accessed online and can provide guidance in prioritizing risk.

Insuring Against Risks

Insurance is a principle safeguard in managing risk, and many risks are insurable. Fire insurance is a necessity for any business that occupies a physical space, whether owned outright or rented, and should be a top priority. Product liability insurance, as an obvious example, is not necessary for a service business.

Some risks are an inarguably high priority, for example, the risk of fraud or embezzlement where employees handle money or perform accounting duties in accounts payable and receivable. Specialized insurance companies will underwrite a cash bond to provide financial coverage in the event of embezzlement, theft, or fraud.

When insuring against potential risks, never assume a best-case scenario. Even if employees have worked for years with no problems and their service has been exemplary, insurance against employee error may be a necessity. The extent of insurance coverage against injury will depend on the nature of your business. A heavy manufacturing plant will, of course, require more extensive coverage for employees. Product liability insurance is also a necessity in this context.]

If a business relies heavily on computerized data—customer lists and accounting data, for example—exterior backup and insurance coverage are mandatory. Finally, hiring a risk management consultant may be a prudent step in the prevention and management of risks.

Risk Prevention

The best risk insurance is prevention. Preventing the many risks from occurring in your business is best achieved through employee training, background checks, safety checks, equipment maintenance, and maintenance of the physical premises. A single, accountable staff member with managerial authority should be appointed to handle risk management responsibilities. A risk management committee may also be formed with members assigned specific tasks with a requirement to report to the risk manager.

The risk manager, in conjunction with a committee, should formulate plans for emergency situations such as:

• Fire
• Explosion
• Hazardous materials accidents or the occurrence of other emergencies

Employees must know what to do and where to exit the building or office space in an emergency. A plan for the safety inspection of the physical premises and equipment should be developed and implemented regularly including the training and education of personnel when necessary. A periodic, stringent review of all potential risks should be conducted. Any problems should be immediately addressed. Insurance coverage should also be periodically reviewed and upgraded or downgraded as needed.

The coordination of the risk management process should be centralized: the risk office analyses and draws up information related to each process phase, and proceeds with strategic planning, in coordination with the organization’s board.

The risk committee, with the risk manager playing the role of coordinator, sets up the criteria to select the most relevant information coming from the risk management information system (selective approach). Significant risks in terms of impact or strategic level are reported by the office supporting the risk manager on a regular, specific and exceptional basis. The risk manager gives directions on translating strategies into risk management objectives, and monitors their achievement by divisions/offices and managers within their own competence. The risk manager therefore finalizes the information received, by adapting it to the organizational context (down to the any single office level), in order to correct possible deviations from strategic priorities.

Risk register development involves detailing organizational risks (corporate as well as project and operational ones), and setting up specific risk registers on particular topics (work health and safety, fraud, IT security, environment, etc.).

Three kinds of approach can be followed for involving management and stakeholders in identifying risks:

• Top down-approach: The decision-making process is centralized at governance level. This approach can show two modes: a) Full top-down mode, where the business units’ risks are listed at department level, meaning that heads of unit cannot add risks themselves at unit level. There is no need of risk escalation, except at departmental level. b) Prevailing top-down mode, where a corporate risk register is directly created from a detailed operational risk register.
• Bottom-up approach: The decision-making process is done at management level. Operational risks are identified by any staff member while performing his or her daily work (e.g., in order to encourage the staff to be more active in defining non-conformities, an opportunity to register them online has been provided).
• Mixed approach: The board entity states the criteria (top-down) by which the heads of unit identify and manage risks (bottom-up). Risks may be viewed and assessed throughout the organization at any level (e.g., group, program, office, project, etc.). In order to set the framework, the hierarchy of risks on which attention is focused corresponds to the enterprise, operational and project levels.

Such approaches are not mutually exclusive, and a combination of approaches to the management of processes is desirable to achieve effective integration of risk management at any level within the organization.

These risk management approaches are also a way of cutting across the organization hierarchy and overcome organizational barriers.

The figure below outlines the risk management process according to the top-down perspective; it also highlights the information flows related to decision-making processes, according to the different roles involved.

Processes of Corporate Risk Management

The risk management process is a framework for the actions that need to be taken. There are five basic steps that are taken to manage risk; these steps are referred to as the risk management process. It begins with identifying risks, goes on to analyze risks, then the risk is prioritized, a solution is implemented, and finally, the risk is monitored. In manual systems, each step involves a lot of documentation and administration.

Step 1: Identify the Risk

The first step is to identify the risks that the business is exposed to in its operating environment. There are many different types of risks – legal risks, environmental risks, market risks, regulatory risks, and much more. It is important to identify as many of these risk factors as possible. In a manual environment, these risks are noted down manually. If the organization has a risk management solution employed all this information is inserted directly into the system. The advantage of this approach is that these risks are now visible to every stakeholder in the organization with access to the system. Instead of this vital information being locked away in a report which has to be requested via email, anyone who wants to see which risks have been identified can access the information in the risk management system.

Step 2: Analyze the risk

Once a risk has been identified it needs to be analyzed. The scope of the risk must be determined. It is also important to understand the link between the risk and different factors within the organization. To determine the severity and seriousness of the risk it is necessary to see how many business functions the risk affects. There are risks that can bring the whole business to a standstill if actualized, while there are risks that will only be minor inconveniences in analyzed. In a manual risk management environment, this analysis must be done manually. When a risk management solution is implemented one of the most important basic steps is to map risks to different documents, policies, procedures, and business processes.

Step 3: Evaluate or Rank the Risk

Risks need to be ranked and prioritized. Most risk management solutions have different categories of risks, depending on the severity of the risk. A risk that may cause some inconvenience is rated lowly, risks that can result in catastrophic loss are rated the highest. It is important to rank risks because it allows the organization to gain a holistic view of the risk exposure of the whole organization. The business may be vulnerable to several low-level risks, but it may not require upper management intervention. On the other hand, just one of the highest-rated risks is enough to require immediate intervention.

Step 4: Treat the Risk

Every risk needs to be eliminated or contained as much as possible. This is done by connecting with the experts of the field to which the risk belongs to. In a manual environment, this entails contacting each and every stakeholder and then setting up meetings so everyone can talk and discuss the issues. The problem is that the discussion is broken into many different email threads, across different documents and spreadsheets, and many different phone calls. In a risk management solution, all the relevant stakeholders can be sent notifications from within the system. The discussion regarding the risk and its possible solution can take place from within the system. Upper management can also keep a close eye on the solutions being suggested and the progress being made from within the system. Instead of everyone contacting each other to get updates, everyone can get updates directly from within the risk management solution.

Step 5: Monitor and Review the risk

Not all risks can be eliminated – some risks are always present. Market risks and environmental risks are just two examples of risks that always need to be monitored. Under manual systems monitoring happens through diligent employees. These professionals must make sure that they keep a close watch on all risk factors. Under a digital environment, the risk management system monitors the entire risk framework of the organization. If any factor or risk changes, it is immediately visible to everyone. Computers are also much better at continuously monitoring risks than people. Monitoring risks also allows your business to ensure continuity.

The basics of the risk management process stay the same

Even under a digital environment, the basics of the risk management process stay the same. What changes is how efficiently these steps can be taken, and as it should be clear by now, there is simply no competition between a manual risk management system and a digital one.

Risk management

Risk management is an important business practice that helps businesses identify, evaluate, track, and mitigate the risks present in the business environment. Risk management is practiced by the business of all sizes; small businesses do it informally, while enterprises codify it.

Businesses want to ensure stability as they grow. Managing the risks that are affecting the business is a critical part of this stability. Not knowing about the risks that can affect the business can result in losses for the organization. Being unaware of a competitive risk can result in loss of market share, being unaware of a financial risk can result in financial losses, being aware of a safety risk can result in an accident, and so on.

Businesses have dedicated risk management resources; small businesses may have just one risk manager or a small team while enterprises have a risk management department. People who work in the risk management domain monitor the organization and its environment. They look at the business processes being followed within the organization and they look at the external factors which can affect the organization one way or the other.

A business that can predict a risk will always be at an advantage. A business which can predict a financial risk will limit its investments and focus on strengthening its finances. A business which can assess the impact of a safety risk can devise a safe way to work which can be a major competitive advantage.

If we think of the business world as a racecourse then the risks are the potholes which every business on the course must avoid if they want to win the race. Risk management is the process of identifying all the potholes, assessing their depth to understand how damaging they can be, and then preparing a strategy to avoid damages. A small pothole may simply require the business to slow down while a major pothole will require the business to avoid it completely.

Knowing the severity of a risk and the probability of a risk helps businesses allocate their resources effectively. If businesses understand the risks that affect them then they will know which risks need the most attention and resources and which ones the business can disregard. Risk management allows businesses to act proactively in mitigating vulnerabilities before any major damage is incurred. There are different types of risk management strategies and solutions for different types of risks.

After investing money in a project a firm wants to get some outcomes from the project. The outcomes or the benefits that the investment generates are called returns. Wealth maximization approach is based on the concept of future value of expected cash flows from a prospective project.

So cash flows are nothing but the earnings generated by the project that we refer to as returns. Since fixture is uncertain, so returns are associated with some degree of uncertainty. In other words there will be some variability in generating cash flows, which we call as risk. In this article we discuss the concepts of risk and returns as well as the relationship between them.

Concept of Risk

A person making an investment expects to get some returns from the investment in the future. However, as future is uncertain, the future expected returns too are uncertain. It is the uncertainty associated with the returns from an investment that introduces a risk into a project. The expected return is the uncertain future return that a firm expects to get from its project. The realized return, on the contrary, is the certain return that a firm has actually earned.

The realized return from the project may not correspond to the expected return. This possibility of variation of the actual return from the expected return is termed as risk. Risk is the variability in the expected return from a project. In other words, it is the degree of deviation from expected return. Risk is associated with the possibility that realized returns will be less than the returns that were expected. So, when realizations correspond to expectations exactly, there would be no risk.

Elements of Risk

Various components cause the variability in expected returns, which are known as elements of risk. There are broadly two groups of elements classified as systematic risk and unsystematic risk.

(i) Systematic Risk

Business organizations are part of society that is dynamic. Various changes occur in a society like economic, political and social systems that have influence on the performance of companies and thereby on their expected returns. These changes affect all organizations to varying degrees. Hence the impact of these changes is system-wide and the portion of total variability in returns caused by such across the board factors is referred to as systematic risk. These risks are further subdivided into interest rate risk, market risk, and purchasing power risk.

(ii) Unsystematic Risk

The returns of a company may vary due to certain factors that affect only that company. Examples of such factors are raw material scarcity, labour strike, management ineffi­ciency, etc. When the variability in returns occurs due to such firm-specific factors it is known as unsystematic risk. This risk is unique or peculiar to a specific organization and affects it in addition to the systematic risk. These risks are subdivided into business risk and financial risk.

Measurement of Risk

Quantification of risk is known as measurement of risk.

Two approaches are followed in measurement of risk:

• Mean-variance approach
• Correlation or regression approach

Mean-variance approach is used to measure the total risk, i.e. sum of systematic and unsystematic risks. Under this approach the variance and standard deviation measure the extent of variability of possible returns from the expected return and is calculated as:

Where, X_i = Possible return,

P = Probability of return, and

n = Number of possible returns.

Correlation or regression method is used to measure the systematic risk. Systematic risk is expressed by β and is calculated by the following formula:

Where, r_im = Correlation coefficient between the returns of stock i and the return of the market index,

σ_m = Standard deviation of returns of the market index, and

σ_i = Standard deviation of returns of stock i.

Using regression method we may measure the systematic risk.

The form of the regression equation is as follows:

Where, n = Number of items,

Y = Mean value of the company’s return,

X = Mean value of return of the market index,

α = Estimated return of the security when the market is stationary, and

β = Change in the return of the individual security in response to unit change in the return of the market index.

Concept of Return

Return can be defined as the actual income from a project as well as appreciation in the value of capital. Thus there are two components in return—the basic component or the periodic cash flows from the investment, either in the form of interest or dividends; and the change in the price of the asset, com­monly called as the capital gain or loss.

The term yield is often used in connection to return, which refers to the income component in relation to some price for the asset. The total return of an asset for the holding period relates to all the cash flows received by an investor during any designated time period to the amount of money invested in the asset.

It is measured as:

Total Return = Cash payments received + Price change in assets over the period /Purchase price of the asset.

In connection with return we use two terms realized return and expected or predicted return. Realized return is the return that was earned by the firm, so it is historic. Expected or predicted return is the return the firm anticipates to earn from an asset over some future period.

Corporate risk management refers to all of the methods that a company uses to minimize financial losses. Risk managers, executives, line managers and middle managers, as well as all employees, perform practices to prevent loss exposure through internal controls of people and technologies. Risk management also relates to external threats to a corporation, such as the fluctuations in the financial market that affect its financial assets.

Protecting Shareholders

A corporation has at least one shareholder. A large corporation, such as a publicly-traded or employee-owned firm, has thousands, or even millions, of shareholders. Corporate risk management protects the investment of shareholders through specific measures to control risk. For example, a company needs to ensure that its funds for capital projects, such as construction or technology development, are protected until they are ready to use.

Types of Risk

Consider the types of risk that a corporation must address every day. A corporation may become insolvent if it hasn’t bought insurance, implemented loss control measures and used other practices to prevent financial loss. Insurance is no substitute for successfully identifying measures to prevent losses, such as safety training to prevent worker injuries and deaths. Risks can include hazard risks, financial risks, personal injury and death, business interruption/loss of services, damage to a corporation’s reputation, errors and omissions and lawsuits.

Probability and Consequences for corporate risk management

To prevent financial losses, a corporation engages in a certain amount of speculation. A risk manager calculates the probability of each type of event that would damage the firm’s financial position and the consequences. Calculating the likelihood that something will happen and its associated costs enables a risk manager to recommend ways to address the most probable risks to senior management, the board of directors and owners of the corporation.

Solutions for corporate risk management

A corporate risk manager is a multi-disciplinary professional with an understanding of internal business processes and many financial instruments. This professional might have a background in business management, finance, insurance or actuarial science. She might suggest solutions to a corporation to protect its assets. For instance, she might recommend buying millions of dollars in commercial liability insurance coverage. Some risks that she calculates, as potentially damaging to the corporation, are ignored while others are covered by this liability policy. She might recommend buying other types of insurance, such as fire or fraud, after first weighing the costs versus the benefits of each type of coverage.

Building strategies for Corporate Risk Management

Strategies for corporate risk management usually consist of two processes: setting the framework for the company’s risk management and setting the communication channels in the organization. Risk management is, though, useless unless you measure and know your risks first. You must also have a robust procedure for ongoing monitoring and a cycle of continual assessment.

Risk management planning encompasses three elements:

• Operational risk management, such as damage to property or other risks that can’t be planned for.
• Financial risk management, which emerges from the effects of markets on an entity’s assets; this includes risks to credit, price and liquidity.
• Strategic risk management, or thinking about the bigger picture and the future of the company.

Consider what happened to Kodak once digital cameras came along, and ask if that was a failure of operational risk management or strategic risk management.

One of the best available metrics of risk measurement is economic capital, which is the amount of equity required to cover any unexpected losses. The economic capital required to support an individual risk can be calculated and results aggregated across all risks. Dividing the anticipated after-tax return on each strategic initiative by the economic capital gives you a RAROC, or risk adjusted return on capital, figure – if the RAROC is less than the cost of capital, it will destroy value and is, therefore, a huge risk to the company.

Outside of economics, there are five steps to take when first assessing the risk and deciding on the best solutions for mitigation:

• Identify the risk: Risks can be internal or external, so include any events that could cause problems or benefits for the company.
• Analyze the risk: Thoroughly analyze the potential effects each risk will have on consumer behavior, the company or any endeavors underway.
• Evaluate the risk: Rank risks according to the likelihood of each outcome to see how severely a set risk could impact the company or its strategy.
• Treat the risk: Look at ways to reduce the probability of a negative risk and increase the probability of positive risks, preparing preventative and contingency plans as needed.
• Monitor the risk: Track variables and proposed possible threats, and calmly treat any problems that arise as your tracking system identifies changes.

Once the risk assessment is complete, assign a strategy to treat the identified risks. Generally, there are four ways to handle a risk:

• Avoid the risk, or forfeit all activity that carries the risk – though this also means forfeiting all associated potential returns and opportunities.
• Reduce the risk, or make small changes to reduce the weight of both risk and reward.
• Transfer or share the risk, or redistribute the burden of loss or gain by entering partnerships or bringing on new entities.
• Accept the risk, or assume any loss or gain entirely; this is usually put into play for small risks where any loss can be easily absorbed by the entity.

Cost of Risk is a quantifiable, controllable number that can be identified and reduced. Simply put, TCoR is the total cost of your insurance premiums, retained losses (deductibles/uninsured losses) and internal/external risk control costs. By recognizing these costs we can plan and implement management strategies to reduce them.

Most people assume it’s their insurance premiums alone. They’re only partially correct: premiums are only a piece of the puzzle. While insurance premiums are the most visible cost associated with risk, they are hardly the only cost. There are many other costs associated with risk that are either not tracked or are viewed as fixed costs. That is the paradigm. What most business owners don’t realize is that these additional costs are controllable. All of the costs related to risk can be tracked and monitored. In addition, there are operational strategies that can be implemented which will manage and ultimately reduce these costs.

Elements of Total Cost of Risk

Insurance premiums

The first and most easily tracked component of Total Cost of Risk is insurance premiums. This includes the amount a firm spends on insurance coverage and brokers’ commissions.

Retained losses

The next element is retained losses. The retained loss value is the amount of money that a firm spends “out of pocket” for losses incurred. These are costs that are below a company’s deductible. An example is a small mishap such as dry-cleaning a client’s suit due to spillage from an employee.

Costs to protect employees/customers from injury

The next applicable costs may not be as easy to track but are still important components captured in the TCoR calculation. These are the costs needed to protect your employees or customers from injuries. Examples are safety equipment, mats, warning signs, training, etc. These costs should be tracked as part of the TCoR for your business internally.

Costs to engage firms for help with risk & insurance issues

The next component is money spent with professional firms to help you handle insurance or other risk associated issues. These would include costs for an attorney to respond to a complaint or to review a contract’s indemnification agreement. These are also part of the TCoR calculation and are considered external risk control costs.

Productivity loss

Other relevant cost is productivity loss due to injuries or losses. Having your employees spend their time either driving other employees to the doctor, investigating incidents, cleaning up spills, etc. are also costs that are risk related and are taking away from your bottom line.

Administration Costs

Financial impacts incurred in providing the services required to effectively administer a Total Cost of Risk Program. They include claims management, risk control and all other project costs such as data analytics. In the case where a firm pays additional fees or expense for these services, they are an addition to the TCOR formula. However, when they are provided by a third party (Insurance Brokerage or Risk Management Services Provider) as part of the relationship, they are a reduction to the extent that the measurable ROI exceeds the cost of the services.

Loss Costs

Loss Costs are generally broken up into 2 parts. The direct cost of the losses and the indirect cost of losses. Both of these items impact the organization’s Total Cost of Risk.

• Direct Cost of Losses: Deductibles and claims that are anticipated and funded inside the organizations risk financing program. (i.e. Captive, Deductible or Self Insurance Programs) In addition the cost of administering claims by third party administrators (TPA’s) are considered a direct cost of the loss as the TPA expense is usually a direct correlation of the claims experience. Any uninsured loss is also a direct cost of loss.
• Indirect Loss Costs: Every loss creates a corresponding expense that is unfunded and in some cases unanticipated. While the risk financing (insurance) may pay the known claim, there is a high correlation of additional unfunded business expenses that arise from virtually any claim. These loss costs are commonly known as The Iceberg. These are quantified and measured in an accurate Total Cost of Risk calculation. (For more on the subject of Indirect Loss Costs see the Wikipedia Indirect Loss cost topic)

A static risk refers to damage or loss to a property or entity that is not caused by a stable economy but by destructive human behavior or an unexpected natural event. This risk can be covered by insurance.

Static risks are often associated with a commodity the value of which will not be affected by an economic change. It even further presumes that the financial state is, more or less, stable.

Static risks include damage caused by human behavior, such as theft, vandalism, robbery, arson, and burglary. It also includes damage caused by natural conditions like rain, thunder, or lightning.

Insurance covers these kinds of risk. A policy might require a policyholder to specify which risks they want to have covered or they might simply opt for a more comprehensive insurance coverage.

Static Risk

Static risks are risks that involve losses brought about by irregular action of nature or by dishonest misdeeds and mistakes of man.  Static losses are present in an economy that is not changing (static economy) and as such, static risks are associated with losses that would occur in an unchanging economy.  For example, if all economic variables remain constant, some people with fraudulent tendencies would still go out steal, embezzle funds and abuse their positions.  So, some people would still suffer financial losses.  These losses are brought about by causes other than changes in the economy.  Such as perils of nature, and the dishonesty of other people.

Static losses involve destruction of assets or change in their possession because of dishonesty.  Static losses seem to appear periodically and because of these they are generally predictable.  Because of their relative predictability, static risks are more easily taken care of, by insurance cover then are dynamic risks.  Example of static risk include theft, arson assassination and bad weather.  Static risks are pure risks.

Dynamic Risk

Dynamic risk is risks brought about by changes in the economy.  Changes in price level, income, tastes of consumers, technology etc (which is examples of dynamic risk) can bring about financial losses to members of the economy.  Generally dynamic risks are the result of adjustments to misallocation of resources.  In the long run, dynamic risks are beneficial to the society.  For example, technological change, which brings about a more efficient way of mass producing a higher quality of article at a cheaper price to consumers than was previously the case, has obviously benefited the society.

Dynamic risk normally affects many individuals, but because they do not occur regularly, they are more difficult to predict than static risk.

Difference between dynamic risk and static risk