What is Risk Management?
Risk: Why Manage It?
If you look up the synonyms for the word “risk” you will likely receive results such as: danger, hazard, threat, peril, and gamble. So, why do people, companies, governments, and countries expose themselves to risk? The answer is simple: without risk there is no reward. Being that risk is an inevitable part of life, it is of great importance to mitigate the exposure. Notice how I said mitigate vs. eliminate. The reason behind this is that if we eliminate all risk, we essentially eliminate all return. Proper risk management ensures that financial institutions create a roadmap to achieve strategic goals. It allows companies to seize opportunities and to mitigate adversity.
Types of Risks
In the financial industry, risk arises from many different activities such as investments, loans, sales, purchases, legal transactions, economic downturn, internal processes/systems failure, negative publicity, etc. The three key risks that will be discussed in this article are: Market, Credit, & Operational risk.
Market risk arises from exposure to fluctuations in market prices, including exchange rates, commodity prices, and interest rates. According to the Basel Committee on Banking Supervision (BCBS), market risk is “the risk that arises from fluctuations in the values of, or income from, assets”. In other words, it is the possibility of loss on investments or trading operations due to changes in the market.
Credit risk occurs when dealing with customers, vendors, and other counterparties. It is generally viewed as the risk of default on an obligation. The BCBS defines credit risk as a risk which “occurs whenever a firm is exposed to loss if another party fails to perform obligations”.
Operational risk is associated with human error, system failures, and insufficient procedures and controls. The BCBS defines it as “the risk of loss, resulting from inadequate or failed internal processes, people, or systems, or from external events”.
The Risk Management Process
The risk management process operates within a structured framework that is dynamic and ongoing. A sound framework will ensure that a proper trade-off is maintained between the risks taken and returns earned. Furthermore, proper risk management will support the attainment of strategic goals, protect business assets and reputation, ensure compliance with regulatory requirements, improve efficiency, and reassure management that the firm is aware of, and has controls in place to mitigate current and future risks.
The process is generally broken down into the following six phases:
Risk Identification & Assessment:
The first two steps of the process involves identifying and assessing risks inherent in all material activities, processes, systems, and products of the firm. Some common methods of identifying risks are described below:
Goal-based identification: Firms set goals and objectives; events that may jeopardize or obstruct the likelihood of achieving the goals is identified as risk.
Taxonomy-based identification: A taxonomy is a breakdown of potential risk sources. A survey is created based on the risks listed in the taxonomy. The survey is answered by knowledgeable and experienced employees, exposing risks relevant to the firm.
General-risk evaluation: In financial institutions, lists with well-known risks are available. Each risk in the list can be verified for relevance to the firm.
Once all the risks have been identified, it is time to review and evaluate each one of them. Risks should be assessed on a qualitative level as well as quantitative. All identified risks must be ranked in terms of probability of occurrence and severity levels. It is important to prioritize risks, because attention should be given to the risks which have the greatest potential negative impact on the firm’s achievement of its objectives.
Identifying and prioritizing risks is an integral step in the process because it sets the focus for all further steps in the risk management process.
Risk Measurement & Mitigation:
Risk measurement is the estimation of the likelihood and magnitude of a risk. As mentioned previously, risks can be ranked based on how severely the risk is likely to impact the firm’s objectives.
Risk mitigation is the attempt to reduce (a) the degree of the exposure to risk and/or (b) the probability of its occurrence. This step should include evaluating various controls in place to mitigate the risk. In addition, weak or ineffective controls should be identified and enhanced to improve risk mitigation.
Risk Monitoring & Reporting:
Firms can invest resources into identifying, assessing, measuring, and mitigating risks; however, if a strong monitoring procedure is not in place, the risk management process will be ineffective. Adequate monitoring of risks allows for timely detection and modification of deficiencies.
Risk reporting is an essential step in the process and should not be considered the “last step”. It is an ongoing activity which must take place during all stages of the process. This step facilitates communication between various departments, to management, and the board of directors.
Information must be reported to decision makers on a timely basis, in a way which will help in the monitoring and control of the firm. Reporting and feedback can be used to refine the risk management process by modifying or improving methodology.