CHAPTER 25 – RISK GOVERNANCE
THE RISK MANAGEMENT PROCESS
Risk Management is the process of ensuring risks exposed to are the ones thought to
be exposed to and those willing to be exposed to.
KEY STEPS :
Risk identification
Risk classification
Risk measurement
Risk control
Risk financing
Risk monitoring
The risk management process steps are consistent with actuarial control cycle :
Specifying the problem
o Identifying and analysing the risks
Developing the solution
o Selecting the most appropriate response to each risk and where relevant,
implementing the chosen mitigation action
Monitoring and feeding back into the process
RISK IDENTIFICATION
- Recognition of the risks that can threaten the income and assets of an
organisation.
IMPORTANT ASPECTS OF RISK IDENTIFICATION
- For each risk, need to have preliminary identification of possible risk control
processes that could reduce the likelihood or impact of risk
- Post identification, need to determine if risk is systematic or diversifiable.
- Need to identify opportunities to exploit risks and gain a competitive advantage
over other providers
o Taking on risk is the core business model for insurers and reinsurers
- Need to determine the risk appetite or risk tolerance level
o Forms key part of risk governance
RISK CLASSIFICATION
- After identifying risks, need to classify risks into categories
o This helps the insurer calculate the cost of risk and value of diversification
o Enable a risk ‘owner’ to be allocated from management team
o Risk owner is responsible for the control processes for the risk
o Categories include market, liquidity, business, credit, operations, risk from
external events
RISK MEASUREMENT
- Estimation of the probability and severity of the risk
, - Carried out before and after application of any risk controls and the cost of the
risk controls would be included in the assessment
- Risk measurement allows insurer to determine whether the risk should be :
o Declined
o Transferred
o Mitigated
o Retained with or without controls
RISK CONTROL
- Deciding whether to reject, fully accept or practically accept each identified risk
- Involves identifying different possible mitigation options for each risk that requires
mitigation
- Risks that give rise to serious exposure must be a priority for the application of
control techniques.
- Risk control measures are systems that aim to mitigate the consequences of risk
events by
o Reducing the probability of a risk occurring
Prevent fraudulent claims ( underwriting )
o Limiting the financial consequence of a risk
Losses if the risk occurs
Cost of mitigation techniques used
o Limiting the severity of the effect of a risk that does occur
Reducing significantly the probability of a catastrophic loss
o Reducing the consequences of a risk that does occur
- Risk mitigation techniques involve management actions to be taken when certain
trigger points are reached
o Bank acting when one or two loans repayments are missed.
- When multiple options exist for mitigating the risk, the options need to be
compared to identify the optimal approach.
- Risk Appetite will influence the extent to which the company rejects, accepts fully
or partially rejects each risk
RISK FINANCING
Risk financing involves:
- Determining the cost of each risk
o Includes:
Cost of any mitigations
Cost of putting internal risk control measures in place
Cost of transferring the risk to another party , i.e. insurance
premium
Expected losses due to risk events occurring
Cost of capital arising from retained risk
- Ensuring the organisation has sufficient financial resources available to continue
its objectives after a loss event occurs
- Risk management would be pointless if costs > benefit.
RISK MONITORING
- Regular review and re-assessment of all the risks previously identified, coupled
with an overall business review to identify new or previously omitted risks.
, - Important to establish clear management responsibility for each risk in order that
monitoring, and control procedures can be effective.
OBJECTIVES OF RISK MONITORING :
- Determine if the exposure to risk has changed
- Determine if risk appetite has changed
- Identify new risks or changes in the nature of existing risks
- Report on risks that have actually occurred and how they were managed
- Assess effectiveness of risk management process
BENEFITS OF A RISK MANAGEMENT PROCESS
Avoid surprises
React more quickly to emerging risks
Improve the stability ( reducing earnings volatility) and quality of their business
Improved their growth and returns through better management and allocation of
capital
Identify their aggregate risk exposure and assess interdependencies
o I.e. concentration of risk, diversification benefits, natural synergies.
Integrate risk into business processes ( e.g. Pricing ) and strategic decision
making (e.g. Product development, mergers and acquisitions)
Give stakeholders in their business confidence that the business is well managed.
In management of risk, providers need to find an optimal set of strategies that balance
the needs for return, growth and consistency.
The risk management process should :
Incorporate all risks, both financial and non-financial
Evaluate all relevant strategies for managing risk, both financial and non-financial
Consider all relevant constraints, including political, social, regulators and
competitive
Exploit the hedges and portfolio effects among the risks
Exploit the financial and operational efficiencies within the strategies.
RISK VS UNCERTAINTY
RELATIONSHIP BETWEEN RISK AND UNCERTAINTY
- Risk arises from the consequences of uncertain outcomes
- Uncertainty may relate to the probability of the outcome, severity of the loss, or
both.
- Key difference : Uncertainty cannot be modelled but it is often possible to model
risk.
- Main issue with quantifying risks accurately : lack of credible data
- Some risks are not quantifiable since the distribution of the potential losses
cannot be identified or the exact nature of the risk is difficult to assess.
UPSIDE RISK
, - Risk is often taken as being synonymous with uncertainty and volatility
- Risk can be positive if the outcome is better can expected
SYSTEMATIC VS DIVERSIFIABLE RISK
SYSTEMATIC RISK
Systematic risk is risk that affects an entire financial market or system and is not
avoidable through diversification.
- Risks related to individual securities can be diversified whilst risk relating to the
market cannot.
- E.g. Risk of a decline in the market as a whole
DIVERSIFIABLE RISK
Diversifiable risk is risk that arise from an individual component of a financial market or
system.
E.g. Value of an individual security falls
- Only non-diversifiable risks are awarded with extra returns.
- Required return on an asset to compensate for the risk taken must be linked to
the riskiness of the portfolio context – ie contribution to overall portfolio riskiness.
- Therefore, rational investors will diversify their portfolios
RISKS THAT ARE BOTH SYSTEMATIC AND DIVERSIFIABLE
- A worldwide equity fund that can invest in domestic and overseas equities will see
exposure to the domestic equity markets as a diversifiable risk.
- Limits the exposure to any particular national market
ENTERPRISE RISK MANAGEMENT
BUSINESS UNITS
Carry out different types of activity within the same company ( e.g. finance,
marketing, IT, etc)
Carry out activities in different industry sectors (e.g. financial, manufacturing) or
in different areas within the same sector(e.g banking, insurance )
Operate in different locations, countries, or markets
MANAGING RISK AT THE BUSINESS UNIT LEVEL
A decision must be made as to whether risk should be managed at L
The business unit level
The group/enterprise level
o This is known as enterprise risk management
BUSINESS UNIT LEVEL RISK MANAGEMENT :
THE RISK MANAGEMENT PROCESS
Risk Management is the process of ensuring risks exposed to are the ones thought to
be exposed to and those willing to be exposed to.
KEY STEPS :
Risk identification
Risk classification
Risk measurement
Risk control
Risk financing
Risk monitoring
The risk management process steps are consistent with actuarial control cycle :
Specifying the problem
o Identifying and analysing the risks
Developing the solution
o Selecting the most appropriate response to each risk and where relevant,
implementing the chosen mitigation action
Monitoring and feeding back into the process
RISK IDENTIFICATION
- Recognition of the risks that can threaten the income and assets of an
organisation.
IMPORTANT ASPECTS OF RISK IDENTIFICATION
- For each risk, need to have preliminary identification of possible risk control
processes that could reduce the likelihood or impact of risk
- Post identification, need to determine if risk is systematic or diversifiable.
- Need to identify opportunities to exploit risks and gain a competitive advantage
over other providers
o Taking on risk is the core business model for insurers and reinsurers
- Need to determine the risk appetite or risk tolerance level
o Forms key part of risk governance
RISK CLASSIFICATION
- After identifying risks, need to classify risks into categories
o This helps the insurer calculate the cost of risk and value of diversification
o Enable a risk ‘owner’ to be allocated from management team
o Risk owner is responsible for the control processes for the risk
o Categories include market, liquidity, business, credit, operations, risk from
external events
RISK MEASUREMENT
- Estimation of the probability and severity of the risk
, - Carried out before and after application of any risk controls and the cost of the
risk controls would be included in the assessment
- Risk measurement allows insurer to determine whether the risk should be :
o Declined
o Transferred
o Mitigated
o Retained with or without controls
RISK CONTROL
- Deciding whether to reject, fully accept or practically accept each identified risk
- Involves identifying different possible mitigation options for each risk that requires
mitigation
- Risks that give rise to serious exposure must be a priority for the application of
control techniques.
- Risk control measures are systems that aim to mitigate the consequences of risk
events by
o Reducing the probability of a risk occurring
Prevent fraudulent claims ( underwriting )
o Limiting the financial consequence of a risk
Losses if the risk occurs
Cost of mitigation techniques used
o Limiting the severity of the effect of a risk that does occur
Reducing significantly the probability of a catastrophic loss
o Reducing the consequences of a risk that does occur
- Risk mitigation techniques involve management actions to be taken when certain
trigger points are reached
o Bank acting when one or two loans repayments are missed.
- When multiple options exist for mitigating the risk, the options need to be
compared to identify the optimal approach.
- Risk Appetite will influence the extent to which the company rejects, accepts fully
or partially rejects each risk
RISK FINANCING
Risk financing involves:
- Determining the cost of each risk
o Includes:
Cost of any mitigations
Cost of putting internal risk control measures in place
Cost of transferring the risk to another party , i.e. insurance
premium
Expected losses due to risk events occurring
Cost of capital arising from retained risk
- Ensuring the organisation has sufficient financial resources available to continue
its objectives after a loss event occurs
- Risk management would be pointless if costs > benefit.
RISK MONITORING
- Regular review and re-assessment of all the risks previously identified, coupled
with an overall business review to identify new or previously omitted risks.
, - Important to establish clear management responsibility for each risk in order that
monitoring, and control procedures can be effective.
OBJECTIVES OF RISK MONITORING :
- Determine if the exposure to risk has changed
- Determine if risk appetite has changed
- Identify new risks or changes in the nature of existing risks
- Report on risks that have actually occurred and how they were managed
- Assess effectiveness of risk management process
BENEFITS OF A RISK MANAGEMENT PROCESS
Avoid surprises
React more quickly to emerging risks
Improve the stability ( reducing earnings volatility) and quality of their business
Improved their growth and returns through better management and allocation of
capital
Identify their aggregate risk exposure and assess interdependencies
o I.e. concentration of risk, diversification benefits, natural synergies.
Integrate risk into business processes ( e.g. Pricing ) and strategic decision
making (e.g. Product development, mergers and acquisitions)
Give stakeholders in their business confidence that the business is well managed.
In management of risk, providers need to find an optimal set of strategies that balance
the needs for return, growth and consistency.
The risk management process should :
Incorporate all risks, both financial and non-financial
Evaluate all relevant strategies for managing risk, both financial and non-financial
Consider all relevant constraints, including political, social, regulators and
competitive
Exploit the hedges and portfolio effects among the risks
Exploit the financial and operational efficiencies within the strategies.
RISK VS UNCERTAINTY
RELATIONSHIP BETWEEN RISK AND UNCERTAINTY
- Risk arises from the consequences of uncertain outcomes
- Uncertainty may relate to the probability of the outcome, severity of the loss, or
both.
- Key difference : Uncertainty cannot be modelled but it is often possible to model
risk.
- Main issue with quantifying risks accurately : lack of credible data
- Some risks are not quantifiable since the distribution of the potential losses
cannot be identified or the exact nature of the risk is difficult to assess.
UPSIDE RISK
, - Risk is often taken as being synonymous with uncertainty and volatility
- Risk can be positive if the outcome is better can expected
SYSTEMATIC VS DIVERSIFIABLE RISK
SYSTEMATIC RISK
Systematic risk is risk that affects an entire financial market or system and is not
avoidable through diversification.
- Risks related to individual securities can be diversified whilst risk relating to the
market cannot.
- E.g. Risk of a decline in the market as a whole
DIVERSIFIABLE RISK
Diversifiable risk is risk that arise from an individual component of a financial market or
system.
E.g. Value of an individual security falls
- Only non-diversifiable risks are awarded with extra returns.
- Required return on an asset to compensate for the risk taken must be linked to
the riskiness of the portfolio context – ie contribution to overall portfolio riskiness.
- Therefore, rational investors will diversify their portfolios
RISKS THAT ARE BOTH SYSTEMATIC AND DIVERSIFIABLE
- A worldwide equity fund that can invest in domestic and overseas equities will see
exposure to the domestic equity markets as a diversifiable risk.
- Limits the exposure to any particular national market
ENTERPRISE RISK MANAGEMENT
BUSINESS UNITS
Carry out different types of activity within the same company ( e.g. finance,
marketing, IT, etc)
Carry out activities in different industry sectors (e.g. financial, manufacturing) or
in different areas within the same sector(e.g banking, insurance )
Operate in different locations, countries, or markets
MANAGING RISK AT THE BUSINESS UNIT LEVEL
A decision must be made as to whether risk should be managed at L
The business unit level
The group/enterprise level
o This is known as enterprise risk management
BUSINESS UNIT LEVEL RISK MANAGEMENT :
