Risk Management - Section D
5 components of ERM
1) Governance and Culture 2) Strategy and Objective-setting 3) Performance 4) Review and Revision 5) Information, Communication, and Reporting
5 components of Performance
1) Identifies risk 2) Assesses severity of risk 3) Prioritizes Risk 4) Implements Risk Responses 5) Develops Portfolio View
3 components of information, communication, and reporting
1) Leverages information systems 2) communicates risk information 3) reports on risk, culture, and performance
What are the four common categories of risk?
1) Strategic risks include risks that are on a more global, or macro, level for the business. 2) Operational risks are risks that result from inadequate or failed internal processes, people or systems. 3) Financial risks are risks connected to the financial health of the company. 4) Hazard risk is the type of risk that is can be insured against.
4 components of strategy and objective-setting
1) analyzes business context 2) defines risk appetite 3) Evaluates alternative strategies 4) Formulates business objectives
3 Components of review and revision
1) assesses substantial change 2) reviews risk and performance 3) pursues improvement in enterprise risk management
5 Components of Governance and Culture
1) exercise board risk oversight 2) Establishes operating structures 3) Defines desired culture 4) demonstrates commitment to core values 5) attracts, develops, and retains capable individuals
What are the main components of an ERM system?
1) the internal environment 2) Objective setting 3) Event Identification 4) Risk Assessment 5) Risk Response 6) Control activities 7) Information and communication 8) monitoring
What is one of the primary ways of managing operational risk?
Having properly developed, implemented and maintained internal controls is one of the primary ways of managing operational risk. Also, a continuous review of both the business processes and the personnel in the company is an important part of the process of managing operational risk.
What is risk
In the Statement on Management Accounting: Enterprise Risk Management: Frameworks, Elements and Integration, risk is defined as "Any event or action that can keep an organization from achieving it's objectives"
What are loss frequency and loss severity
Loss Frequency (probability) is the measure of how often the loss occurs, on average Loss severity measures how serious a loss is in terms of cost when it occurs
What is the maximum possible (catastrophic) loss?
The maximum possible or catastrophic loss is the worst-case scenario. It is the greatest possible loss from a specific risk or event. For example, if the risk is loss of property, the maximum possible loss is the total destruction of the property. If the property is a structure, the maximum possible loss is the entire structure and all of its contents.
What is the maximum probable loss?
The maximum probable loss (also called the probable maximum loss, or PML) is the largest loss that can occur under foreseeable circumstances. The maximum probable loss is the largest amount of damage that could likely occur in a very bad year. Damage greater than the maximum probable loss could occur, but in the judgment of management, it is very unlikely to occur.
Tier 1 Capital
Tier 1 capital is the bank's core capital, considered its most reliable form of capital. It is the measure of a bank's financial strength used by regulators. It is generally the common stock accounts, including retained earnings. It also includes perpetual preferred stock that is non-redeemable and non-cumulative.
Tier 2 Capital
Tier 2 capital is secondary capital. Tier 2 capital includes undisclosed reserves, revaluation reserves (increase in the value of an asset that has been reappraised), general provisions (money the bank has lost but has not been able to calculate), hybrid instruments, and subordinated term debt (debt that would be paid off in the event of default only after some other debt has been paid off).
Earnings Distribution
is a graphical representation of the probability of a level of return and the level of return itself
Earnings per share distribution
is a graphical representation of the probability of the amount of earnings per share and the likelihood of each level occuring
Sufficient Capital (in terms of capital adequacy
is whether or not the bank has sufficient capital to properly protect its depositors from default
Event inventories
lists of potential events common to companies in a particular industry
Earnings at Risk
measures the confidence interval for a fall in earnings during a specific period
Cash flow at risk
measures the likelihood that cash flows will drop more than a certain amount
Value at Risk (VaR)
measures the potential loss in value of a risky asset or event over a defined period for a given confidence interval
Residual Risk
the level of risk that remains after management has taken action to mitigate
Inherent Risk
the level of risk that resides with an event or process prior to management action
Loss event data methodologies
used to associate losses with adverse events in the past to make predictions. An example is matching workers' compensation claims with the frequency of accidents.
What is a risk map
x axis = 1-9 probability of an event happening y axis = 1-9 estimated impact of the loss if it occurs
What are some examples of external risks
- Competition - Regulations - Supply chain disruptions - Political Risk
What are the techniques for identifying risk events?
- Event Inventories - Internal Analysis - Escalation or threshold triggers - Facilitated workshops - Interviews, questionnaires and surveys - process flow analysis - leading event indicators - Loss event data methodologies - brainstorming sessions
What are some of the benefits of risk management
- Increasing shareholder value because of the process of minimizing losses and maximizing opportunities. - Fewer disruptions to the operations of the business. - Better utilization of the resources of the organization. - Fewer shocks and unwelcome surprises. -Providing more confidence to employees, stakeholders and governing and regulatory bodies. - More effective strategic planning. - Better cost control. - Enables quick assessment and grasp of new opportunities. - Provides better and more complete contingency planning. - Improves the ability of the organization to meet objectives and achieve opportunities. - Enables quicker response to opportunities.
What are some examples of internal risks
- Infrastructure events such as organizational changes or policy changes. Changes can cause customer complaints and a major decrease in customer satisfaction. Expansion of facilities carries a risk that the increased production will not be accepted in the marketplace. - Process-related events such as changes in the way something is done. Changes in processes can cause a wide range of risk events, for example processing errors and omissions. -Internal technological events such as new software that may or may not work properly for a variety of reasons, including improper setup and inadequate user training.
What are the basic steps in the risk management process
- Risk identification - Risk assessment - Risk Prioritization - Response planning
What are some of the quantitative risk assessment tools?
- Value of Risk - Cash Flow at Risk - Earnings at Risk - Earnings Distributions - Earnings per share distributions
Operational Risk examples
- supply chain risk - process execution risk - human resources risk (employee turnover and performance incentive risk) - technological risks (glitches, failures, or security breaches) - customer satisfaction - business continuity (breaks in continuity) - legal risk - compliance risk
What are the benefits of an ERM system?
An alignment of the entity's strategy and its appetite for risk. An improvement in risk response decisions. A reduction in the number and impact of operational surprises and losses. The identification and management of multiple and cross-enterprise risks. An improved ability to seize (act on) opportunities that arise. An improved utilization of capital and the resources of the company.
Facilitated Workshops
An elicitation technique using focus sessions that bring key cross-functional stakeholders together to define product requirements.
What is an expected loss?
An expected loss is the amount that management expects to be lost to a given risk per year on average over a period of several years. Because the loss is expected, the business should budget to cover it.
What is an unexpected loss?
An unexpected loss is the amount that a cautious manager might think could likely be lost to the risk in a very bad year, in excess of the amount budgeted for the expected loss, up to the maximum probable loss. The business should reserve the unexpected loss amount as capital.
What are the five responses to risk?
Avoiding - the risk is eliminating the risky event or item. Eliminating the risk might entail selling (or otherwise disposing of) a business unit or product line. Reducing (mitigating) the risk recognizes that the risk will continue to exist but looks for ways to reduce the risk. Transferring (sharing) - the risk is transferring the risk of loss either partially or wholly to another organization. The primary example of transferred risk is the purchase of insurance. Retained risk, or risk retention, - is the portion of a risk not covered by insurance, such as a deductible amount that must be paid before any losses are reimbursed. A retained risk may also be a risk the firm chooses to self-insure against by not purchasing insurance to cover the risk at all but instead budgeting and paying for it out of its own funds\ Exploiting (or accepting) a risk. - Exploiting a risk is the strategic process by which a firm deliberately exposes itself to risk because its management believes they can take advantage of a situation and generate value for shareholders. Examples of exploiting or accepting risk are investing in an emerging geographic market that carries substantial political and economic risk or introducing a new high-technology product when the product's success in the market is not certain.
What is capital adequancy
Capital adequacy is a measurement usually used by banks that assesses whether the bank has sufficient capital compared to its liabilities. If a bank does not have sufficient capital, there is the risk that it will not be able to pay its depositors when the depositors demand payment. Bank regulators in most countries monitor banks' capital, and banks must maintain adequate capital. The classification of banks' capital accounts is standardized by banking regulators.
COSO definition of risk management
ERM is the culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with the purpose of managing risk in creating, preserving, and realizing value.
What is enterprise risk management (ERM)
The Casualty Actuarial Society (CAS) defines ERM as "the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risk from all sources for the purpose of increasing the organization's short- and long-term value to its stakeholders."
capital adequacy ratio
The amount of capital a bank has is used to calculate each bank's Capital Adequacy Ratio, which is used by regulatory authorities to monitor banks in order to protect the banks' depositors. The Capital Adequacy Ratio (CAR) is: (Tier 1 Capital + Tier 2 Capital) ÷ Risk Weighted Assets (RWA)
Risk appetite
The degree of uncertainty an entity is willing to take on, in anticipation of a reward.
Risk Tolerance
The degree, amount, or volume of risk that an organization or individual will withstand.(acceptable level)
What is volatility
Volatility is something that impacts risk. By definition, volatility has to do with the consistency of results. If sales fluctuate greatly from day to day, there is great volatility in sales. Volatility increases risk because it increases uncertainty about the future, and there is a greater probability that the future results will be poor.
Reserves (in terms of capital adequacy)
are the amount of cash that the bank must keep on hand in order to be able to pay its depositors
Leading event indicators
by monitoring data correlated to events, entitites identify the existence of conditions that could give rise to an event.
Solvency (in terms of capital adequacy)
relates to the ability of a bank to pay its long-term obligations as they come due
liquidity (in terms of capital adequacy)
relates to the ability of the bank to pay its short-term obligations as they come due
Corporate Governance and ERM
setting the tone of how the company will conduct itself. Establishing risk management committees to oversee and monitor risk
