Chapter 25 Flashcards
Risk Governance (25 cards)
What are the steps in a risk management cycle?
- Risk Identification
- Risk Classification
- Risk Measurement
- Risk Control
- Risk Financing
- Risk Monitoring
What is involved in risk identification? (4)
- identify the risks that threaten the income or assets of an organization and of possible controls
-identify whether it's systematic or diversifiable
-identify opportunities to exploit risks and gain a competitive advantage over other providers (Chapter 28)
-identify the extent the organization is prepared to be exposed to each risk (risk appetite)
Two main components of risk classification?
-group them into categories,
-helps identify the risk owner and the cost of each risk as well as the value of diversification
What is the purpose of risk measurement? (2)
-Estimating probability of occurrence and severity of risk
-gives basis for method of transferring risk
How do risk controls mitigate the consequences of risks? (4)
-reduce probability of occurrence
-limit the financial consequences of a risk (reinsurance)
-limit the severity of the effects of a risk that does occur (reduce probability of catastrophic loss)
-reduce the consequences of a risk that does occur (these are consequences that are not financial)
If more than one mitigation option exists, what do you do? (3)
-risk appetite usually determines the appropriate risk mitigation strategy (also cost and risk measurement)
-compare (with the use of a model - to model the outcomes of each option)
-identify which option is optimal - cost and ease of adoption
-implement the appropriate option
What does risk financing involve? (2)
-determine cost of each risk including the cost of the mitigation approach
-ensure that organisation has sufficient financial resources available (capital - opportunity cost as you lose out on using the capital for other uses such as expansion)
What are the objectives of risk monitoring? (4)
o has risk appetite changed
o identify new risks or changes in the nature of existing risks
o which risks have actually occurred and how were they managed
o has the existing risk management process been effective
What are the benefits of the risk management process? (10)
- Avoid surprises
- React more quickly to emerging risks
- Improve stability (reduce earnings volatility) and quality of their business
- Improve their growth and returns by exploiting risk opportunities
- Better capital allocation to areas with higher risk-adjusted return
- Identify opportunities
- Price products to reflect risk
- Improve job security and staffing stability
- Detect risks earlier (when cheaper)
- Determine most cost-effective risk controls e.g. matching, transfers
- Give stakeholders confidence business is well-run
The risk management process should: (5)
- Incorporate all risks (both financial and non-financial)
- Evaluate all relevant strategies for managing risks
- Consider all relevant constraints (e.g. political, social, regulatory)
- Exploit hedges and portfolio effects
- Exploit financial and operational efficiencies
Key differences between risk and uncertainty: (3)
-risk arises as a consequence of uncertain outcomes
-risk can be modelled while uncertainty cannot
-there may not be any choice as to whether uncertainty is faced and it may not be possible to reduce it while risk can be managed and there is typically a choice as to whether to take it
Difference between systemic, systematic and diversifiable risk
systemic - risk that an event impacting one entity could trigger a wider collapse particularly to a financial system
systematic - risk that affects an entire financial market or system. Cannot be diversified away.
diversifiable - risk arising from an individual component of a financial market or system (usually not rewarded)
A company’s business unit can be differentiated as they might: (6)
- Carry out the same activity but in different locations
- Carry out different activities at the same location
- Carry out different activities at different locations
- Operate in different countries
- Operate in different markets
- Be separate companies in a group, which each have their own business units
What can be said about managing risk at the business unit level? (3)
- The parent company determines its overall risk appetite and divides it between the units – risk budgeting
- Risk analysis involves allocation of capital to support the risks retained by each business unit (means that the group is not making best use of its available capital)
- No allowance for the benefits of diversification or pooling of risks
Advantages of managing risk at enterprise level (ERM): (5)
- Similar risk management procedures on various business units are imposed, the results from the various models are combined into a risk assessment model at the entity level - consistency across business units
- Allowances can be made for diversification and pooling of risks (capital efficient way of managing risks) - considers risk in a holistic manner
- Allows the concentration of risk arising from a variety of sources within an enterprise to be appreciated
- Insight into the areas with resulting undiversified risk exposures where the risks need to be transferred or capital set against them
- Seeking opportunities to enhance value (if they understand their risks better, they can use them to their advantage by taking greater risks in order to increase returns)
- Considers risks in a structured consistent way
- Considers upside as well as downside risks
- Top-down but stresses risk management is everyone’s concern
- Stresses value creation
- Aligns with corporate strategy
- Recognises that risks are dynamic and considers interactions (diversification)
Name the 7 stakeholders involved in risk governance:
-Board of directors - set risk appetite
-CRO and risk managers - set risk budget
-all other employees - report risks to which the business is exposed
-customers
-shareholders
-credit rating agencies
-regulators
The board’s role in ERM (3)
-ensure risks are managed effectively
-set company’s risk appetite
-consider the risks faced by the company as a whole rather than the narrow view likely to be taken by a manager
What is the role of a Central Risk Function - team of specialist risk managers? (7)
-giving advice to the board on risk
-assessing the overall risks being run by the business
-making comparisons of the overall risks being run by the business with its risk appetite
-acting as a central focus point for staff to report new and enhanced risks
-giving guidance to line managers about the identification and management of risks, making suggestions for risk responses
-monitoring progress on risk management
-pulling the whole picture together
Key responsibilities of the CRO: (8)
-managing the various risk functions
-providing leadership and direction
-designing and implementing an ERM framework across the company
-ongoing risk policy development
-risk reporting (internally and externally)
-allocation of capital across the firm
-communicating with stakeholders about the organisation’s risk profile
-developing systems to analyse, monitor and manage risks
What is included in risk monitoring? (4)
- Documentation – risk reports
o Risk management decisions
o Systems
o Financial models incl assumptions and data
o Risk management failures
- Communication
o Clear and consistent risk reporting is essential to feed accurate information back into the cycle.
- Information
o Be timely, reliable and balanced between too much and too little
- Data and resources – essential for risk measurement
o High quality internal and external data
o Appropriate systems and tech with appropriate resources
Summary on internal stakeholders: (5)
-Line management – standard risk taxonomy, processes
-BU risk manager – make use of risk budget, collect data, monitor and report
-CRF & CRO – advise board, risk budgets to BUs, monitoring exposure and risk appetite, gathering reports, guiding LM, monitoring and documenting
-Board: Broad view, culture, accountability (May have an audit and risk subcom)
-Three lines of defence: line management, CRO, Board and Audit
What are the 3 relationship types between the first two lines of defence?
-Offense versus defence (the lines are set up to oppose each other with BU focusing on maximising income and risk management focusing on minimising losses, usually destructive as they would have opposing objectives)
-Policy and policing (BU operate within rules set by risk management and are policed by risk management, audit and compliance.)
-partnership (Risk staff incorporated into BU and share some performance measures)
What are the potential problems with a policy and policing relationship between the first two lines of defense? (4)
-policies may become out of date as risk management is not involved with day to day operations
-audit and compliance reviews do not occur continuously so may fail to identify problems
-may be friction between the two lines as each fails to understand the other’s viewpoint
-line management may have little incentive to report problems, policy violations and issues.
How would we incorporate risk management into business management processes? (5)
-Setting strategies – risk appetite
-New product e.g. trigger points or new risk committee
-Pricing – should account for expected losses, cost of capital, cost of risk transfer
-Measuring performance – should be risk adjusted (ch37)
-Remuneration (should not encourage excessive or inappropriate risk-taking)