ERM - DONE Flashcards

ERM terms, concept, framework, and process (98 cards)

1
Q

Define risk capacity

A

The max amount of risk that the firm can support before jeopardizing its ability to meet obligations and regulatory requirements.

2
Q

Factors to decide on a risk aggregation approach

A
  • Computing power
  • End-user education
  • Complexity vs accuracy tradeoff
3
Q

How to perform risk aggregation

A

Use Copulas. Use Correlation measures, if appropriate.
- Financial risks are highly correlated, and the nature of the dependency is not well captured with simple measures of correlation.

4
Q

Define risk appetite

A

The levels and types of risks that an organization desires to take to achieve its objectives (balancing threats and opportunities)

5
Q

What qualities should a risk appetite statement have?

A

1) Comprehensive
2) Measurable
3) Practical and achievable
4) Consistent and coherent

6
Q

What are the components of a risk appetite statement

A

1) Risk capacity, expressed in terms of capital adequacy, earnings volatility, and credit rating
2) Risk targets for each risk category
3) Risk limits for each risk category

7
Q

Why is risk appetite important?

A

1) Protects and creates value for the business by allowing management to make informed decisions to maximize risk-adjusted returns.
2) Ensures consistency between risk appetite and risk limits.
3) Integration into the corporate culture guides risk-taking operations

8
Q

How can a company determine its risk appetite?

A

1) Bottom-up analysis of the company’s risk profile
2) Meetings with the board to set risk capacity and link risk appetite with the company’s goals (objectives, strategies, KPIs)
3) Establish risk policies, risk limits, and risk monitoring processes consistent with appetite (using risk taxonomy language)
4) Define roles and responsibilities
5) Set review intervals
6) Ensure consistency with other risk management guidance
7) Communicate with senior management for their buy-in

9
Q

Risk assessment

A

A comparison of the measured risks taken against the risk appetite and tolerance statements

10
Q

Components of a risk assessment

A

1) Detailed description of risk
2) Consequences of risk
3) Categorization of risk
4) Likelihood and impact of risk
5) Assessment of the effectiveness of controls and mitigation strategies
6) Assessment of residual risk
7) Actions required

11
Q

Types of risk assessment tools

A
  1. risk assessment reports
  2. loss event database
  3. KRI
  4. risk analytical models
  5. economic capital models
12
Q

Risk culture

A

The traditions, attitudes, and practices accepted and applied by the employees of the organization that determine the way in which they identify, understand, discuss, and act on risks

13
Q

What are the properties of a poor risk culture?

A
  • Employees are unaware of the risks to the firm
  • Risk management is viewed as an annoying constraint on profitability
  • Risk management procedures are treated as a mere compliance exercise
14
Q

What are the properties of a strong risk culture?

A

Everyone in the business is…
- Proactively identifying key risks for the company
- Seriously thinking about the consequences of the risks for which they are responsible
- Communicating up and down the organization those risks that warrant others’ attention

15
Q

How to obtain a strong risk culture

A
  1. Set the tone from the top (through actions and words)
  2. Ask the right questions
  3. Establish a risk taxonomy
  4. Provide training and education to employees
  5. Link compensation to risk for employees at all levels
16
Q

How can we “ask the right questions?”

A

Use the RISK acronym.
- Return: what are the expected returns on the risks?
- Immunization: what risk limits are in place?
- Systems: do we have appropriate systems to track and measure risk?
- Knowledge: do we have the right people and skills for effective risk management?

17
Q

Tips to maintain a strong risk culture

A
  • Measure risk culture through employee surveys testing awareness and views on risk issues
  • To protect against risks that have reputational impacts, organizations can open a channel for employees to report issues anonymously
18
Q

Risk limit

A

A threshold (typically quantitative) to monitor so that actual risk exposure doesn’t deviate too much from the risk target and stays within the organization’s risk tolerance and risk appetite.

19
Q

What risk limits can be set?

A
  • Use stop-loss limits to control the actual amount of loss taken
  • Use sensitivity limits to control the potential losses the firm may take
  • Use exposure limits
20
Q

Market risk limits

A
  • Asset allocation limits
  • Foreign exchange limits
  • Fixed income securities duration limits
  • Asset liability mismatch limits
21
Q

Insurance risk limits

A

A/E Ratio. To set the limit, calculate the expected payment under a stress event and divide by the expected payment under best estimate assumptions
To monitor, compare A/E ratios from regular experience studies to the A/E ratio limit

22
Q

Catastrophe risk limits

A

NAR and limit on the concentration of policyholders’ locations

23
Q

Challenges of translating risk appetite into specific risk limits

A

1) Technical challenges like projecting future scenarios
2) Availability of data
3) Conflicts between risks and measures (like capital and earnings volatility)
4) Maintaining consistency between BUs and group objectives
5) Interaction of risks and capital

24
Q

Risk Profile

A

A description of the unique, actual risk exposure of an organization at a point in time which is the result of a collective build-up of individual business decisions and risks taken

25
Why is risk profile important
Determines the company's earnings and earnings volatility
26
Risk responses
1. Accept 2. Avoid 3. Pursue 4. Mitigate 5. Transfer
27
What to look out for when choosing a risk response
Remember that mitigating and sharing risks often creates or increases other forms of risk
28
Risk strategy
The practices for implementing risks in the institution's strategy in the short, medium, and long term
29
Components of a risk strategy
For each risk, list the: 1) objectives 2) principles 3) risk appetite 4) responsibilities
30
Risk target
The optimal level of risk that an organization wants to take regarding a specific risk in pursuit of a specific business goal
31
Risk taxonomy
A common structure for describing the categories and sub-categories of risks, as well as the tools, metrics, and strategies for risk management
32
Why is a risk taxonomy important
1) With a risk taxonomy, discussions about risk can be done with an organization-wide understanding.
2) Classification can help to develop an understanding of the various risk types and how they're connected.
33
How to create a risk taxonomy
Avoid excessive use of jargon. Identify quantifiable and unquantifiable risks. To categorize risks, identify:
- the cause
- the event
- the adverse impact of a risk
34
Risk transfer
A risk management strategy to reduce exposure to a risk by transferring it to another party for a cost
35
Types of risk transfer
1) Insurance or reinsurance: A 3rd party takes on the loss between the deductible and the cap
2) Financing: alternative risk transfer or derivatives. A 3rd party provides funding, but is reimbursed over time
36
What is the standard practice when it comes to risk transfer?
1) Only consider transferring residual undesirable risk, after accounting for offsetting risks.
2) It's typically best to use a combination of internal controls and risk transfer strategies because the cost of the former reduces the cost of the latter. Ex: implement workplace safety procedures and purchase worker's compensation insurance.
37
How to choose between risk transfer options
- When transferring risk, the benefit is reduced expected loss and loss volatility.
- The cost is the insurance premium and higher credit risk.
- Therefore, the company is ceding risk and return, so a ceded RAROC can be calculated for each risk transfer option. Choosing a risk transfer strategy with a ceded RAROC below the firm's cost of equity would add to shareholder value.
38
Risk tolerance
A quantitative description of the max amount of risk that the organization is willing to take regarding a specific risk.
39
Components of a risk report
1) Losses: just the main ideas like significant losses and important trends
2) Incidents: financial or not. Include the impact, causes, and responses.
3) Risk assessments: advance warning of key risks like absence of key staff, new product launches, etc.
4) KRIs
40
What properties should a risk report have?
Risk reports should have a self-correcting feature
- Losses and incidents are captured easily.
- Management may notice that losses and incidents are coming from risks that aren't discussed in the assessments or KRIs.
- Action can be taken to improve the risk report going forward.
41
Why are risk reports important?
The board and senior management should receive regular reports on risk and capital to:
1) Evaluate the level and trend of material risks
2) Evaluate the sensitivity and reasonableness of assumptions
3) Check that the insurer holds sufficient capital
4) Evaluate the adequacy of capital using stresses and scenarios
5) Assess future capital needs and make adjustments to the insurer's strategic, capital, and other plans, as necessary
42
How to mitigate risks that haven't yet been taken on
1. Support business growth through capital allocation
2. Support profitability through risk-adjusted pricing
3. Control downside risks by setting limits
43
How to mitigate risks that have been taken on
1. Understand the risks through risk analysis
2. Understand which risks offset and exacerbate each other
3. Transfer risk when time, resources, or flexibility are scarce
44
Tips for mitigating types of risks
1) High frequency, low-med severity risks: implement control procedures
2) Low frequency, high severity: establish contingency plans and insurance
3) SPOFs: develop back up processes
4) For critical operations and core systems: have excess capacity
45
Risk governance
The practices used by the Board and senior management to assign responsibilities for managing the firm's risks
46
Properties of good risk governance
- Board committees have been established to oversee the management of risks
- Senior management is actively engaged
- Roles and responsibilities are clearly assigned
- Executive bonuses are linked to the organization's performance and include ESG factors
- The risk governance process is reviewed regularly to ensure that risks are properly captured
47
Important roles in the risk governance process
1. Board 2. Risk committee 3. CEO, CFO, CRO 4. Chief actuary or appointed actuary 5. Compliance 6. Internal audit
48
Important responsibilities in the risk governance process
- Risk management to ensure frameworks are established
- Strategic planning to ensure risks are addressed in plans and reviews
- Finance and accounting to ensure accuracy of records and profitability models
- Legal to ensure activities are in compliance
- IT to ensure information security
49
How to perform risk identification
1. Select key personnel from all levels of the firm (ensuring all BUs and functions are represented)
2. Train the participants so they are engaged in and understand the process
3. Ask each participant to list some key risks and assess the frequency and most likely severity of each.
4. Consolidate the input from the participants (in a risk map)
5. Assess the relationships between risks (correlations)
6. Prioritize risks for further analysis and evaluation.
50
Why is it important that personnel from all levels of the firm are represented for risk identification?
Some risks are better identified at the bottom (like poor customer retention) and some are better identified at the top (like cyber risk). Also, employees will know well the risks they encounter in their work.
51
What's wrong with the typical risk identification process?
It's inherently subjective. People tend to discount the impact of low probability but high severity events
52
What might help someone identify risks?
1) Check loss-incident databases
2) Check KRIs
3) Think about the relationships between the firm and other parties (Principal, agency, etc)
53
Risk policy
A firm's action plan and guide for the employees handling a specific risk
54
Components of a risk policy
1) the firm's objective with the risk
2) the link to the risk strategy
3) tasks to be performed and how to measure the risk
4) roles and responsibilities
5) reporting procedures
6) escalation process
7) frequency of review of the policy
55
ERM
A holistic framework for managing key risks in order to achieve business objectives, minimize unexpected earnings volatility, and maximize firm value
56
Properties of ERM
ERM...
- is a continuous process
- is applied top-down
- assesses risk from many perspectives (holistic and standalone, positive and negative, short and long term, quantifiable and unquantifiable)
- aims to achieve an appropriate risk-reward balance
- is flexible to meet the individual circumstances of the firm
57
Benefits of ERM
ERM can...
1. Optimize the risk/return profile
2. Reduce earnings volatility
3. Maximize shareholder value
4. Increase organizational effectiveness
5. Improve the firm's credit rating
6. Reduce risk of regulatory interference
7. Reduce risk capital required (to increase returns to shareholders or lower prices)
8. Promote job and financial security
9. Allow a firm to react more timely and effectively to emerging risks
10. Allow a firm to include adequate margins for risk in pricing
58
Why is silo-based risk management inferior?
1. It doesn't account for interdependencies between risks
2. Diversification and concentration of risks are missed
3. Different risk tolerances may exist in different silos
4. It's difficult to aggregate risk exposure if business units use different methodologies and systems
59
What might inspire a firm to implement an ERM framework?
- a previous risk management failure in the firm
- a risk management failure in a competitor
- a requirement from an industry regulator or the firm's auditors or investors
60
ERM process, in general
1. Identify risks
2. Set a risk appetite
3. Measure risks and compare against the risk appetite
4. Decide on a risk response
5. Report on and review actions taken
61
What is required for an ERM framework?
1. Establish top-down risk management (use a risk committee and CRO)
2. Develop analytical tools to quantify and manage risk
3. Integrate risk in processes and strategic decisions throughout the firm (capital allocation, performance measurement, pricing)
4. Ensure transparency for key stakeholders like the Board, regulators, and rating agencies
62
Importance of risk management
- reduces the cost of capital
- reduces the uncertainty of commercial activities
- Studies show that, in general, firms that hedge more tend to have larger asset values.
63
Pros and cons of making risk management part of every employee's job
- Pro: employees know the risks of their work activities best
- Pro: risk gets managed throughout the company
- Con: substantial training and education required
64
Properties of strong risk management
- Quantitative and qualitative tools are used to assess and measure risks
- Capital is allocated based on risk-adjusted performance measurements
- A full set of early warning indicators is developed
- Senior management should be able to answer questions like: What are the company's top 10 risks? What were the company's losses and incidents and did we identify these risks in previous reports?
65
Requirements for strong risk management information
Risk management info needs to have the following qualities:
- Timely
- Comprehensive
- Consistent
- Accurate
- Auditable
- Forward-looking
66
What knowledge do risk management employees need?
Knowledge of:
- Historical data (risk/return results, volatility, correlations)
- Current risk exposures
- Future business plans
67
How to perform risk management
1. Promote risk awareness to foster a strong risk culture
2. Give employees the tools and skills required to manage risks
3. Use a portfolio approach to set targets and limits
4. Establish control systems
5. Align performance metrics with risk objectives
6. Measure risk
7. Control risk
8. Allocate capital to attractive projects based on risk-adjusted returns
9. Incorporate risk when making key decisions such as mergers
68
Risk management models
1. 3 lines of defense 2. Offense and defense 3. Policy and Policing 4. Partnership
69
3 lines of defense model
1. First line: day-to-day management, risk owners. Responsible for the risks arising from daily business activities.
2. Second line: risk management committees. Responsible for identifying, assessing, measuring, monitoring, and reporting risks across the organization
3. Third line: audit. Responsible for providing an independent review of the effectiveness of the first 2 lines.
70
What's wrong with the 3 lines of defense model?
- Contradicts the fundamental top-down principle of ERM
- The Board should have a primary role, but is barely mentioned
- Focused on record keeping and compliance (not strategic decision making)
- Puts onus on the first line, but these employees are not hired to be risk managers
71
The offense and defense model
- The first line wants to take as much risk as it can get away with to maximize returns
- The second line reduces risk as much as possible to minimize losses
- Cons: First line has no reason to consider risk and Second line has incentive to essentially reduce returns
72
The policy and policing model
- Second line sets policies and monitors compliance.
- Con: This approach can be too "hands-off."
73
The Partnership Model
- Embed risk professionals in the first line, ensure frequent dialogue between the 2 lines, and incentivize both to maximize returns within an acceptable level of risk.
- Con: If the second line is too involved, they cannot independently review the first line.
74
Common risk management failures
1. failure to use appropriate risk metrics
2. mismeasurement of known risks
3. failure to take known risks into account
4. failure in communicating risks to top management
5. failure in monitoring and managing risks
75
Risk measure
A function of a random loss variable that quantifies the potential losses arising from the associated risk
76
Purpose of risk measures
- determine capital requirements
- assess the adequacy of the firm's capital
- measure potential adverse outcomes
77
Common risk measures
VaR, TVaR, semi-variance, threshold semi-variance, downside semi-variance
78
Semi-variance
A variability risk measure that only focuses on the worst side of the data (losses above the mean)
79
Threshold semi-variance
Same as semi-variance, but with a chosen threshold instead of the mean
80
Downside semi-variance
- Same as threshold semi-variance, but the variable is a profit and loss random variable where a positive value indicates profit and negative indicates loss
- T = 0 is a common threshold. Measure the variance of losses with no contribution from profits
81
How to choose a risk measure
1. Consider the objective of the analysis because different measures are better suited for different objectives. Ex: Use TVaR instead of VaR if the loss distribution is heavily skewed.
2. Consider the interests and knowledge level of the stakeholders. Ex: shareholders may only care about losses up to bankruptcy, regulators care about losses beyond
3. Consider data and modelling limitations and the complexity vs accuracy tradeoff. Is the effort worth the benefit?
82
Risk models are best used for risks that are:
- Well-defined
- Quantifiable
- Material
- Supported by sufficient and relevant historical data
83
How to create a model
1. Model proposal 2. Model development 3. Model validation 4. Model approval 5. Model implementation
84
Model proposal stage
- Identify the purpose, the model users, and the developers
- Determine which factors will be modelled stochastically vs deterministically considering materiality and resources
85
Model development stage
- Ensure all essential features are incorporated
- Consider:
  - Time step and time horizon
  - Data quality
  - Model assumptions (like no-arbitrage)
  - The model users' knowledge when designing the output
- Document the limitations
86
Model validation stage
- Get an independent and comprehensive review
- Include model specification, data, programming, user interface, output, and documentation
- Industry standard models and previous models may be used as a benchmark
- Use goodness of fit tests
- Investigate the materiality of the model for model risk
87
Model approval stage
The approver should be independent. Not one of the developers and not a direct stakeholder in the model's approval and implementation
88
Model implementation stage
Add the model to the firm's model inventory. Integrate the model with risk management decision-making.
- When models are used for compliance rather than strategic risk management, results are overlooked, especially when the news is bad
89
How to maintain a model
1. Monitoring 2. Change management
90
Monitoring the model stage
Use performance metrics to quantify how well the model is meeting its goal. Check that the model and the input data are still the best available for their purpose.
- Are the model assumptions still valid in the current business environment?
- Are the model parameters reviewed and updated as new data comes in?
- Is the model being used as intended and for no unintended purpose?
- Is the model output consistent with emerging experience?
91
Change management model stage
Always document changes and reconcile the output from the revised model with the original. Update the firm's model inventory
92
What could make a model outdated?
- changes in the underlying risks
- improvements in the theory or practice being modelled
- availability of more/better data indicating that the model doesn't adequately meet its purpose
93
Methods to fit data to a statistical distribution
- Method of moments - Max likelihood estimation
94
Methods to fit data to a linear model
- Max likelihood estimation - Least squares regression
95
Model choices to fit a model with a categorical or binary dependent variable
- Probit and logit regression (GLMs)
- Discriminant analysis
- k-nearest neighbors
96
Model choices to fit a model with no dependent variables
- Principal component analysis - Singular value decomposition
97
How NOT to select a model
If the standard error of the output statistic (like TVaR) is small:
- This does NOT mean that model risk or parameter risk is small or that the model provides a good fit!
- It DOES mean that IF the model is accurate, then the standard error is X.
98
Risk monitoring
The process of repeatedly measuring and assessing risks faced by the firm. (risk measurement and assessment)