Flashcards in Risk Management Deck (37)
What is the goal of ERM?
To create, protect and enhance shareholder value by managing uncertainties that could either negatively or positively influence achievement of the organization's objectives.
Explain why the fragmented approach to risk management is flawed.
Individual departments focus only on the risks within their own domains (e.g. the insurance group focuses on hazard risks). This is unsuitable for a complex and interconnected business environment. The approach should be from an enterprise-wide perspective.
List the five types of risks.
Hazard, financial, operational, strategic and business risks.
What are hazard risks?
Risks that are insurable (e.g. natural disasters, terrorism, death of senior officers, etc.)
What are financial risks?
Interest rate risk, exchange rate risk, commodity risk, credit risk, liquidity risk and market risk.
What are operational risks?
Risks related to ongoing and day-to-day operations. They are the risks of loss from inadequate or failed internal processes, people and systems. Legal and compliance risks are also included.
How to manage operational risks?
Have adequate internal control, business process reengineering and business continuity planning.
What are strategic risks?
Global economic risk, political risk, regulatory risk, risks related to global market conditions. Reputation risk, leadership risk, brand risk and changing customer needs are also included.
What are business risks?
Risk that a company will have lower-than-anticipated profits or will incur a loss.
How do volatility and time work in terms of risk?
When uncertainty increases, risk increases. Therefore, as volatility or duration of a project/investment increases, so does the associated risk.
What are the key steps in the risk management process?
1. Identify risks
2. Assess risks
3. Prioritize risks
4. Formulate risk responses
5. Monitor risk responses
How are risks identified?
Every risk that may affect the achievement of the organization's objectives (only those that could have an impact on the organization) must be considered. It must be performed for the entire organization down to its lowest operating unit because some occurrences may be inconsequential for the whole enterprise but disastrous for an individual unit.
How are risks assessed?
Risk must be assessed as to its probability and potential impact. There are quantitative and qualitative (high, medium, low) techniques.
Who is responsible for prioritizing risks?
Top management may appoint an ERM committee to review identified risks and create response plans. The committee must include persons who are competent to make judgments and in a position to allocate the resources for adequate risk responses.
What are the two most important sources of information for ongoing risk monitoring?
1. Those closest to the activities themselves (e.g. the manager of the operating unit; however, the operating managers may not always be objective, especially when they design a particular response strategy)
2. The audit function
How is the expected value of a loss due to risk exposure quantified?
Risk can be quantified as a combination of severity and likelihood of occurrence.
Expected Loss = Potential Monetary Loss × Likelihood
What is unexpected loss (maximum possible loss)?
It's the potential loss amount that exceeds the expected amount.
What is risk appetite?
It is the degree of willingness of top management to accept risk.
List the strategies of risk responses.
Avoidance, retention, reduction, sharing and exploitation.
What is risk avoidance?
To end the activity from which the risk arises.
What is risk retention?
To accept the risk of an activity.
What is risk reduction (mitigation)?
To lower the level of risk associated with an activity.
What is risk sharing?
To transfer some of the potential loss to another party.
List examples of risk sharing (transferring).
Purchasing insurance policies, engaging in hedging operations, outsourcing an activity, entering into joint ventures.
What is risk exploitation?
To pursue risk for higher return on investment.
When is a risk response ignored?
In the cost-benefit analysis of risk, management should ignore a risk response when the costs exceed the benefits. Costs include both direct (design, implementation and maintenance) and indirect (opportunity costs). Costs can be measured quantitatively or qualitatively.
What is inherent risk?
Risk of an activity that arises from the activity itself.
What is residual risk?
Risk of an activity remaining after the effects of any risk responses.
What are the benefits of risk management?
Efficient use of limited resources: resources will be directed toward those with the greatest exposure.
Fewer surprises: the odds of an incident that has never been considered are greatly reduced after a comprehensive assessment.
Reassuring investors: a strong risk management function probably means a lower cost of capital.