CERM Unit1 1621 Introduction to risk management PDF

Title CERM Unit1 1621 Introduction to risk management
Author THE REAL AFRICA
Course Entrepreneurial Management
Institution Frankfurt School of Finance & Management
Pages 26

Summary

Certified expert in risk management courses. Unit out 6...


Description

Certified Expert in Risk Management Unit 1: General Introduction into Risk Management

Certified Expert in Risk Management

Unit 1: Introduction to Risk Management


6th Edition 9/2016 © 2016 Frankfurt School of Finance & Management, Sonnemannstr. 9 – 11, 60314 Frankfurt am Main, Germany. All rights reserved. The user acknowledges that the copyright and all other intellectual property rights in the material contained in this publication belong to Frankfurt School of Finance & Management gGmbH. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of the publisher. Violations can lead to civil and criminal prosecution. Printed in Germany

Content

1 What is Risk?
2 Risk Management Principles and Process
2.1 High-Level Risk Management Strategy
2.2 Principles of Risk Management
2.3 Risk Management Process
3 Other Risk Management Credentials
4 Exercises


Abbreviations

ABC: Activity Based Costing
ALCO: Asset and Liability Management Committee
ALM: Asset-Liability Management
ATM: Automated Teller Machine
ATTF: Agence de Transfert de Technologie Financière
BCBS: Basel Committee on Banking Supervision
BSC: Balanced Scorecard
CAR: Capital Adequacy Ratio
CGAP: Consultative Group to Assist the Poor, Microfinance Secretariat at the World Bank
COSO: Committee of Sponsoring Organizations of the Treadway Commission
EAD: Exposure at Default
EL: Expected Loss
ERM: Enterprise Risk Management
EUR: Euro currency
FRM: Financial Risk Manager, professional designation
HR: Human Resources
ISO: International Standards Organization
KPI: Key Performance Indicator
KRI: Key Risk Indicator
LGD: Loss given Default
MFI: Microfinance Institution
MIS: Management Information System
MIV: Microfinance Investment Vehicle
MSME: Micro-, Small and Medium Enterprise
NBFI: Non-Bank Financial Institution
NGO: Non-Governmental Organization
NPL: Non-Performing Loan
OHSAS: Occupational Health & Safety Advisory Services
PAR: Portfolio-at-risk
PD: Probability of Default
PMI: Project Management Institute
PMI-RMP: PMI Risk Management Professional designation
PRM: Professional Risk Manager, professional designation
ROA: Return On Assets
ROE: Return On Equity
SME: Small and Medium Enterprise
TA: Technical Assistance
USD: US Dollar


Learning Outcomes

This Unit will get us started thinking about risk in more systematic terms, that is, from the perspective of managing an organization in a dynamic and competitive external environment. After studying this Unit you should be able to:

- define the notion of risk in a generic, non-industry-specific context,

- communicate effectively about the fundamentals of enterprise risk management, risk processes, high-level risk mitigation and transformation strategies,

- position your objective of applying risk management in financial institutions within the global risk management movement: what are the main sources of best practices, what are typical applications of risk management across industries, what kind of professional associations and certifications are out there?


1 What is Risk?

Here we are. I have a stack of expensive books on Risk in Banking on my desk, have been consulting in risk management for more than ten years, and I am still having a hard time defining "risk". Risk truly is one of the most overused and least understood buzzwords of our time. It is right up there with "process", "design", "system" and "value". Try it: The guy who gets passed over for the promotion says: "The Schlenovo laptop weighs 15 kilos and has a 5 inch screen, I do not think anyone will buy this." The upwardly mobile consultant says: "Let's hold a workshop on strategic design risk. We need to build a customer-centric value system right into our core processes."

So, I asked a few regular people what they think risk is: Mostly the response is about the possibility of something bad or negative happening, a loss or an injury, for example. For sure, risk has an element of uncertainty about future outcomes. And these future events must be relevant to us, in the sense that the individual or the organization cares, or should have cared, about the outcome of the uncertain situation. We may call this relevance "exposure" to the uncertain outcome.

The proverbial bag of rice that may or may not tip over in China is uncertain, but it is only a risk if we are interested or invested in the outcome. If I bet a thousand dollars on whether the bag stands or falls, or if it falls I don't eat for a week, then I am exposed. Now, the uncertainty about the bag tipping or not has become a risk.

Possibility of Loss

Sometimes in statistics or game theory, risk is simply equated to uncertainty pure and simple. Rolling a six-faced die, for example. The outcome is uncertain, is risky. One might even say that the outcome is objectively uncertain and that obtaining a six has an objective probability of 1/6. Yet, are these outcomes really objectively uncertain? Or are we simply ignorant of the detailed mechanics of die throwing: trajectory angles, wrist flick velocity, tablecloth friction coefficients, etc.?

This is not just a philosophical question: Our risk model might assume that next week's EUR/USD exchange rate is the result of a "random walk", while in fact it is the certain, knowable result of a deterministic process, and a nuclear physicist at a hedge fund has already figured out the formula. Often, random events in finance indeed feel more like rolling a die with a metal plate under the six and a strong magnet under the table than like an honest game of chance.

If you are philosophically inclined, I recommend the discussion of subjectivist versus objectivist probabilities in the brilliant article by Glyn A. Holton, "Defining Risk", which you will find in the essential reading collection. For now, let's go with the mainstream definition of risk:

Risk is a form of uncertainty about outcomes that may have a potentially adverse effect on an individual or an entity. Risk is subjective as perceived by the entity that would sustain the loss or injury.


Objective Uncertainty?

Example: If the future loss is certain, it is not a risk. Jumping out of an airplane without a parachute to certain death is not risky. However, if I jump with a parachute, the uncertain survival is a risk to myself and my family who are invested in my earnings capacity. To the reader, the outcome of a sky-diving adventure by a risk management consultant is revenue neutral, thus not a risk.

Risk = Volatility of Outcomes

Many other alternative definitions of risk exist for different industries or special analytical applications. In portfolio investment theory, for example, we view risk in the context of the classic risk/return trade-off. Here, risk is defined as the uncertain variation of a financial return around an average expected outcome. Thus the volatility, i.e. the standard deviation of continuously compounded annual returns, becomes the "risk". We will get to the math behind this assertion later, when we discuss credit and market risks. The interesting point to note now is that this volatility definition of risk includes both positive and negative deviations of outcome. Gains and losses relative to the average return expectation are both manifestations of risk.

Risk = Expected Loss?

In the medical field, a definition used by the Occupational Health & Safety Advisory Services (OHSAS) defines risk as the product of the probability of a hazard resulting in an adverse event, times the severity of the event.[1] This is similar to the concept of an "expected loss" which we will use in the discussion of credit risk. There, we also multiply the probability of a default with the net amount at stake in the event that a client defaults on a loan. But we would not call this expected loss "the risk". Rather the opposite, we will look at the expected loss more like a certainty that must be priced to the client. The risk is instead in the variation of the actual future loss around this expected value, most importantly to the upside, of course, towards big stress losses.

In Standard 31000 (2009) and ISO Guide 73:2002, the International Standards Organization defines risk as follows:

Risk is the potential that an event, action or inaction will adversely impact the ability of an entity to achieve its organizational objectives.

In this definition, uncertainties include events which may or may not happen as well as uncertainties caused by ambiguity or a lack of information. The ISO Standard 31000 (2009) is widely recognized as the current best practice consensus in risk management. It was developed in a broad consultative process and incorporates inter alia the experience and prior guidance from a diversity of thought leaders on risk management, including:

- the Committee of Sponsoring Organizations of the Treadway Commission (COSO), www.coso.org

- the 1999 (revised 2005) Turnbull Report on corporate internal control and risk management disclosure in the UK. Nigel Turnbull, "Internal Control: Guidance for Directors on the Combined Code", www.icaew.com/en/library/subject-gateways/corporategovernance/codes-and-reports/turnbull-report

- the Project Management Institute (PMI), www.pmi.org

- the Australia and New Zealand Risk Management Standard AS/NZS4360:2004, www.mwds.com/AS4me_files/AS-NZS%204360-2004%20Risk%20Management.pdf

- the Group of Thirty Report, following the derivatives trading disasters of the early 90s in the US, www.group30.org

- the Criteria of Control (CoCo) model developed by the Canadian Institute of Chartered Accountants, www.cica.ca

- the Sarbanes-Oxley Act (2002) in the US, which places greater responsibility on the board of directors to understand and monitor an organization's risk, www.soxlaw.com

- the New York Stock Exchange Corporate Governance Rules (2004 update), www.nyse.nyx.com

[1] "Risk is a combination of the likelihood of an occurrence of a hazardous event or exposure(s) and the severity of injury or ill health that can be caused by the event or exposure(s)" (OHSAS 18001:2007).

ISO 31000 (2009) / ISO Guide 73 "Risk Management Vocabulary" states:

A risk management framework is a set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization.

The above notion of a risk management framework is essentially equivalent to the widely discussed concept of Enterprise Risk Management (ERM). In 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) defined ERM in its "Enterprise Risk Management Integrated Framework" as follows:

Enterprise risk management is a process, carried out by the entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

What is new in the ERM perspective on risk is that ERM is directly related to "strategy setting". ERM creates value by being embedded in the strategic planning and execution process. This clearly elevates risk management from a mere compliance function (checking off legal requirements) towards a strategic enabler that supports the attainment of the organization's objectives.

Risk & Strategy

The ERM definition also alludes to the idea of "risk appetite". This is another key term in the high-level management approach to risk. It implies that an organization should have a consensus on how much risk it is willing to take on in the pursuit of its objectives.

More Terminology

So, in addition to just defining "risk", it is clear that we must expand our vocabulary by a few more pieces of high-level risk terminology: What exactly then is risk appetite, risk tolerance, risk exposure, risk severity and a risk limit? We are sorry to bring up so many new terms, but if Eskimos have 19 different words for snow, a good risk manager will need a few extra words for risk as well. Also, let's remember that we have not even begun to speak about the more specific guidance and best practices for risk management in financial institutions. So far, everything we say about risk is universal and applies to a chemical manufacturing company or to a software development firm just the same.

Why is a concise grasp of generic high-level risk terminology relevant, when we are all eager to finally get down to the specifics and crunch some numbers? We will get to look through the risk microscope soon enough, but the preliminaries are important. This is because risk managers sometimes end up measuring the wrong thing with great precision, while the house is on fire somewhere else. Also, as a risk manager you have to "sell" the very specific and sometimes tedious practices you are imposing on the organization. So, it is essential to be conversant in the rapidly evolving risk management language in order to show how what we do fits in with ERM, ISO, COSO, etc. So, here we go:

Risk appetite is the amount and type of risk an organization is prepared to pursue or take, in order to attain the objectives of the organization and those of its shareholders and stakeholders. (ISO Guide 73).

"Risk tolerance" sounds rather similar, but is generally used with a more specific meaning that is subordinate to risk appetite. It already begins to operationalize risk appetite by means of tolerance thresholds or limits.


Risk tolerance(s) is/are quantified risk criteria or measures of risk exposure that serve to clarify and communicate risk appetite. Risk tolerances are used in risk evaluation in order to determine the treatment needed for acceptable risk.

Risk appetite and its risk tolerance measures always have two dimensions: one that focuses on the average expected situation and one that considers extreme outcomes or "worst-case" situations:

1) The average, "normal" risk appetite dimension refers to typical outcomes in the absence of major macroeconomic crisis or a disruptive technology breakthrough by competitors and generally evolves in a business-as-usual context.

2) The unexpected or worst-case dimension of risk appetite emphasizes the organizational survival and explores the resilience and robustness of its business model when faced with extreme loss events.

The term risk exposure then describes the extent to which an entity is vulnerable to a certain risk or portfolio of risks. Mylera/Lattimore propose that risk exposure be defined as a function of the potential impact of a risk event and its likelihood of occurrence.[2] This is similar to a definition of risk in industry and the medical field (see the OHSAS risk definition above) but not really mainstream, certainly not in financial services. Exposure is more frequently used like this:

Risk exposure designates a gross measure of risk, before taking account of risk mitigation and before applying any particular knowledge about the probability of loss events that would activate the exposure.

Example: When we speak about the risk arising from transacting in foreign currencies, the exposure could be measured by an open position as the gross amount that is exposed to exchange rate risk. However, it is impossible that the entire amount of the open position would ever be lost. The possible losses resulting from an open position would be determined by confronting the gross exposure with an analysis of how much exchange rates may actually vary over a certain period of time with what level of probability.

We further distinguish risk severity as a separate notion in the description of risk:

Risk severity is determined by the size of the possible loss or the gravity of the impact, in the event that a certain risk should materialize. It does not imply any particular knowledge about how likely or frequent such an event might be. (See "Hazard Analysis", Wikipedia.org).

[2] Ken Mylera & Joshua Lattimore, How to Create and Use Corporate Risk Tolerance, p.144. In Fraser & Simkins eds., Enterprise Risk Management. 2010.


Others also define risk severity along the lines of the health and industrial understanding of risk, i.e. as the product of the probability of occurrence times the size of the potential loss.[3] However, we think it is beneficial to look at risk severity as a distinct dimension, before combining it with a perspective on the frequency or probability of loss. This two-dimensional tension field provides a very useful platform for strategic thinking about risk in organizations, see Figure 1 below.

A risk limit is a measure of risk, either expressed in terms of (gross) exposure or possible loss or in another metric that tends to correlate with exposure or possible loss. Being a limit, this measure of risk is articulated as an indication of risk tolerance with the intention to c...

