Chapter 25: Risk governance

Question 1

Risk management

Answer 1

Risk management is the process of ensuring that the risks to which an organisation is exposed are the risks to which it thinks it is exposed and to which it is prepared to be exposed.

Question 2

List the 6 stages of the risk management process

Answer 2

1. Risk identification
2. Risk classification
3. Risk measurement
4. Risk control
5. Risk financing
6. Risk monitoring

Question 3

Which stage of the risk management process is considered to be the hardest?

Answer 3

Risk identification is seen as the hardest aspect because the risks to which an organisation is exposed are numerous and their identification needs to be comprehensive.

The biggest risks are unidentified ones, as they will not have been appropriately managed.

Question 4

Risk identification

Answer 4

Identification of risks that threaten the income or assets of an organisation.

The following should be determined/ identified:
- Whether each risk is systematic or
diversifiable.
- Possible risk control processes that could
be put in place for each risk.
- Opportunities to exploit risks to gain a
competitive advantage.
- The organization’s risk appetite or risk
tolerance.

Question 5

Risk classification

Answer 5

Grouping of identified risks into categories. This includes the allocation of risk ‘ownership’.

Classifying risks into groups aids the calculation of the cost of the risk and the value of diversification.

Question 6

Risk measurement

Answer 6

The probability of the risk event occurring and the likely severity is estimated.

Knowing whether a risk is high, medium or low probability and severity helps in the prioritization of risks and deciding what control measures should be adopted.

Question 7

Risk control

Answer 7

Risk control involves deciding whether to reject, fully accept or partially accept each identified risk.

Risk control measures are identified to mitigate the risks or consequences of risk events by:
- Reducing the probability of a risk
occurring
- Limiting the severity of the effects of a risk
that does occur
- Reducing the financial or other
consequences of a risk that does occur

Question 8

Risk financing

Answer 8

The determination of the likely cost of each risk. This includes:
- the expected loss
- the cost effectiveness of risk control
options
- the availability of capital to cover retained
risk

Question 9

Risk monitoring

Answer 9

Regular review and re-assessment of risks together with an overall business review to identify new / previously omitted risks.

Question 10

List the benefits of the risk management process to the provider.

Answer 10

• avoid surprises
• react more quickly to emerging risks
• improve the stability (i.e. reduce earnings
  volatility) and quality of their business
• improve their growth and returns by
  exploiting risk opportunities
• improve their growth and returns through
  better management and allocation of
  capital
• identify their aggregate risk exposure and
  assess interdependencies
• integrate risk into business processes and
  strategic decision making
• give stakeholders in their business
  confidence that the business is well
  managed

Question 11

Acronym: List the benefits of the risk management process to the provider.

Answer 11

SAMOSAS

• Stability and quality of business improved
• Avoid surprises
• Management and allocation of capital
  improved
• Opportunities exploited for profit
• Synergies identified (and related
  opportunities taken)
• Arbitrage opportunities identified
• Stakeholders in the business given
  confidence

Question 12

List the objectives of the risk management process.

Answer 12

The risk management process should:
- incorporate all risks (both financial and
non-financial)
- evaluate all relevant strategies for
managing risk
- consider all relevant constraints
- exploit hedges and portfolio effects
e.g. A life insurer may sell both whole life
assurance contracts and immediate
annuity contracts. The two risks have an
offsetting effect.
- exploit financial and operational
efficiencies

Question 13

Explain the difference between ‘risk’ and ‘uncertainty’.

Answer 13

“Uncertainty” means that an outcome is unpredictable.

“Risk” is a consequence of an action that is taken which involves some element of uncertainty, but there may be some certainty about some components of the risk. e.g. The provider of a whole life assurance policy is exposed to mortality risk. There is certainty that the policyholder will die - but the timing is uncertain.

Uncertainty cannot be modelled, but it is often possible to model risk.

Question 14

Systematic risk

Answer 14

Risk the affects an entire financial market or system, and not just specified participants. It is not possible to avoid systematic risk through diversification.

Question 15

Diversifiable risk

Answer 15

Risk that arises from an individual component of a financial market or system, and can be diversified away. An investor is unlikely to be rewarded for taking on diversifiable risk.

Question 16

Does a fall in the domestic equity market represent systematic risk or diversifiable risk?

Answer 16

Whether this risk is systematic or diversifiable depends on the context.

To an investor that is constrained only to invest in the domestic equity market, this risk cannot be diversified away and is systematic.

To a world-wide investment fund that can invest in many markets, the risk is diversifiable.

Question 17

Outline the roles of various stakeholders in risk governance.

Answer 17

• Employees: ALL members of staff are
  stakeholders in risk governance.
  Responsible for looking out for risks and
  suggesting controls.
• Chief Risk Officer: Enterprise level role.
  Responsible for allocating the risk budget
  to business units, monitoring group risk
  exposure and documenting risk events.
• Risk managers: Often within each
  business unit. Responsible for making full
  use of the allocated risk budget, risk data
  collection, monitoring and reporting.
• Customers: Could be encouraged to note
  and report risks they find when using the
  company’s products or premises.
• Shareholders: Can drive risk governance,
  e.g. through development of the risk
  appetite.
  Regulators and credit rating agencies - interested in the quality of risk governance; may impose minimum standards.

Question 18

What does it mean to manage risk at the business unit level and what are the key disadvantages to this approach?

Answer 18

The parent company would determine its overall risk appetite and then divide it among the business units.

Each business unit would then manage its risk within the allocated risk appetite.

The key disadvantages of the approach are that it makes no allowance for the benefits of diversification or pooling of risk, and the group is unlikely to be making best use of its available capital.

Question 19

What does it mean to manage risk at the enterprise level?

Answer 19

Enterprise risk management means that risks are managed at the enterprise or group level rather than by each business unit separately, with all risks being considers as a whole.

Question 20

What are the advantages to managing risk at an enterprise level?

Answer 20

• Diversification, including being able to
  identify undiversified areas of risk
• Pooling of risks
• Economies of scale in terms of the risk
  management process
• Capital efficiency as capital can be
  targeted
• Providing insight into risk in different
  parts of business, including identification
  of unacceptable concentrations
• Understanding the risks better and so
  adding value by exploiting risk as an
  opportunity
• Consistency across business units