FINANCIAL RISK MANAGEMENT FIRST LECTURE RISK

Risk is defined as the effect of uncertainty on objectives (whether positive or negative). Financial risk in an organization is the possibility that the outcome of an action or event could bring up adverse impacts. Such outcomes could either result in a direct loss of earnings / capital or may result in imposition of constraints on an organizations ability to meet its business objectives. Risks are usually defined by the adverse impact on profitability of several distinct sources of uncertainty. The types and degree of risks an organization may be exposed to depends upon a number of factors such as its size, complexity business activities and volume.

RISK MANAGEMENT
Risk management can therefore be considered the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. It should address methodically all the risks surrounding the organizations activities past, present and in particular, future.

It must be integrated into the culture of the organization with an effective policy and a programme led by the most senior management. It must translate the strategy into tactical and operational objectives, assigning responsibility throughout the organization with each manager and employee responsible for the management of risk as part of their job description. It supports accountability, performance measurement and reward, thus promoting operational efficiency at all levels. Risk Management is a discipline at the core of every financial institution and encompasses all the activities that affect its risk profile. It involves identification, measurement, monitoring and controlling risks to ensure that a) The individuals who take or manage risks clearly understand it. b) The organizations Risk exposure is within the limits established by Board of Directors. c) Risk taking Decisions are in line with the business strategy and objectives set by BOD. d) The expected payoffs compensate for the risks taken e) Risk taking decisions are explicit and clear. f) Sufficient capital as a buffer is available to take risk Risk management as commonly perceived does not mean minimizing risk; rather the goal of risk management is to optimize risk-reward trade -off. Notwithstanding the fact that financial

institutions are in the business of taking risk, it should be recognized that an institution need not engage in business in a manner that unnecessarily imposes risk upon it: nor it should absorb risk that can be transferred to other participants. Rather it should accept those risks that are uniquely part of the array of banks services. Risk management protects and adds value to the organisation and its stakeholders through supporting the organisations objectives by: providing a framework for an organisation that enables future activity to take place in a consistent and controlled manner improving decision making, planning and prioritisation by comprehensive and structured understanding of business activity, volatility and project opportunity/threat contributing to more efficient use/allocation of capital and resources within the organisation reducing volatility in the non essential areas of the business protecting and enhancing assets and company image

developing and supporting people and the organisations knowledge base optimising operational efficiency

Risk Management Process

Organizations Strategic Objective

 Risk Assessment Risk Analysis o Identification o Description o Estimation Risk Evaluation Risk Reporting o Threats o Opportunities Decision Risk Treatment Residual Risk Reporting Monitoring Risk Assessment Risk Assessment is defined by the ISO/IEC Guide 73 as the overall process of risk analysis and risk evaluation Risk Analysis Includes Identification, Description and Estimation Identification

Risk identification sets out to identify an organisations exposure to uncertainty. This requires an intimate knowledge of the organisation, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as the development of a sound understanding of its strategic and operational objectives, including factors critical to its success and the threats and opportunities related to the achievement of these objectives. Risk identification should be approached in a methodical way to ensure that all significant activities within the organization have been identified and all the risks flowing from these activities defined. All associated volatility related to these activities should be identified and categorized. Risk Identification Techniques examples Brainstorming Questionnaires

Business studies which look at each business process and describe both the internal processes and external factors which can influence those processes

Industry benchmarking Scenario analysis Risk assessment workshops

 Incident investigation Auditing and inspection

HAZOP (Hazard & Operability Studies)

Risk Description The objective of risk description is to display the identified risks in a structured format, for example, by using a table. The risk description table overleaf can be used to facilitate the description and assessment By considering the consequence and probability of each of the risks set out in the table, it should be possible to prioritise the key risks that need to be analysed in more detail. Identification of the risks associated with business activities and decision making may be categorised as strategic, project/tactical, operational. It is important to incorporate risk management at the conceptual stage of projects as well as throughout the life of a specific project. Strategic level: It encompasses risk management functions performed by senior management and BOD. For instance definition of risks, ascertaining institutions risk appetite, formulating strategy and policies for managing risks and establish adequate systems and controls to ensure that overall risk remain within acceptable level and the reward compensate for the risk taken.

Macro Level: It encompasses risk management within a business area or across business lines. Generally the risk management activities performed by middle management or units devoted to risk reviews fall into this category. Micro Level: It involves On-the-line risk management where risks are actually created. This is the risk management activities performed by individuals who take risk on organizations behalf such as front office and loan origination functions. The risk management in those areas is confined to following operational procedures and guidelines set by management. Risk Estimation Risk estimation can be quantitative, semiquantitative or qualitative in terms of the probability of occurrence and the possible consequence. For example, consequences both in terms of threats (downside risks) and opportunities (upside risks) may be high, medium or low (see table 4.3.1). Probability may be high, medium or low but requires different definitions in respect of threats and opportunities. Different organisations will find that different measures of consequence and probability will suit their needs best. Risk Analysis methods and techniques A range of techniques can be used to analyse risks. These can be specific to upside or downside risk or be capable of dealing with both. Risk Analysis Methods and Techniques examples

Upside risk Market survey Prospecting Test marketing Research and Development Business impact analysis Both Dependency modelling SWOT analysis (Strengths,Weaknesses, Opportunities,Threats) Event tree analysis Business continuity planning BPEST (Business, Political, Economic, Social,Technological) analysis Real Option Modelling Decision taking under conditions of risk and uncertainty Statistical inference Measures of central tendency and dispersion PESTLE (Political Economic Social Technical Legal Environmental) Downside risk Threat analysis Fault tree analysis FMEA (Failure Mode & Effect Analysis)

Risk Profile The result of the risk analysis process can be used to produce a risk profile which gives a significance rating to each risk and provides a tool for prioritising risk treatment efforts. This ranks each identified risk so as to give a view of the relative importance. This process allows the risk to be mapped to the business area affected, describes the primary control procedures in place and indicates areas where the level of risk control investment might be increased, decreased or reapportioned. Accountability helps to ensure that ownership of the risk is recognised and the appropriate management resource allocated. Risk Evaluation When the risk analysis process has been completed, it is necessary to compare the estimated risks against risk criteria which the organisation has established.The risk criteria may include associated costs and benefits, legal requirements, socioeconomic and environmental factors, concerns of stakeholders, etc. Risk evaluation therefore, is used to make decisions about the significance of risks to the organisation and whether each specific risk should be accepted or treated. Risk Reporting and Communication Internal Reporting

Different levels within an organisation need different information from the risk management process. The Board of Directors should: know about the most significant risks facing the organisation know the possible effects on shareholder value of deviations to expected performance ranges ensure appropriate levels of awareness throughout the organisation know how the organisation will manage a crisis know the importance of stakeholder confidence in the organisation know how to manage communications with the investment community where applicable be assured that the risk management process is working effectively publish a clear risk management policy covering risk management philosophy and responsibilities

Business Units should: be aware of risks which fall into their area of responsibility, the possible impacts these may have on other areas and the consequences other areas may have on them have performance indicators which allow them to monitor the key business and financial activities, progress towards objectives

and identify developments which require intervention (e.g. forecasts and budgets) have systems which communicate variances in budgets and forecasts at appropriate frequency to allow action to be taken report systematically and promptly to senior management any perceived new risks or failures of existing control measures Individuals should: understand their accountability for individual risks understand how they can enable continuous improvement of risk management response understand that risk management and risk awareness are a key part of the organisations culture report systematically and promptly to senior management any perceived new risks or failures of existing control measures External Reporting A company needs to report to its stakeholders on a regular basis setting out its risk management policies and the effectiveness in achieving its objectives. Increasingly stakeholders look to organisations to provide evidence of effective management of the organisations non-financial performance in such areas as community affairs, human rights, employment practices, health and safety and the environment. Risk Treatment

Risk treatment is the process of selecting and implementing measures to modify the risk. Risk treatment includes as its major element, risk control/mitigation, but extends further to, for example, risk avoidance, risk transfer, risk financing, etc. Any system of risk treatment should provide as a minimum: effective and efficient operation of the organisation effective internal controls compliance with laws and regulations. The risk analysis process assists the effective and efficient operation of the organization by identifying those risks which require attention by management. They will need to prioritise risk control actions in terms of their potential to benefit the organisation. Effectiveness of internal control is the degree to which the risk will either be eliminated or reduced by the proposed control measures. Cost effectiveness of internal control relates to the cost of implementing the control compared to the risk reduction benefits expected. Compliance with laws and regulations is not an option. An organisation must understand the applicable laws and must implement a system of controls to achieve compliance.There is only occasionally some flexibility where the cost of reducing a risk may be totally disproportionate to that risk. (Example is SOX and BASEL)

Residual Risk Reporting The level of risk faced by an organisation after internal controls have been applied is known as the net or residual risk. Controls will not eliminate the risk but help to manage it; therefore this is also known as the organisation's "exposure to risk". Monitoring and Review of the Risk Management Process Effective risk management requires a reporting and review structure to ensure that risks are effectively identified and assessed and that appropriate controls and responses are in place. Regular audits of policy and standards compliance should be carried out and standards performance reviewed to identify opportunities for improvement. It should be remembered that organisations are dynamic and operate in dynamic environments. Changes in the organisation and the environment in which it operates must be identified and appropriate modifications made to systems. The monitoring process should provide assurance that there are appropriate controls in place for the organisations activities and that the procedures are understood and followed. Changes in the organisation and the environment in which it operates must be identified and appropriate changes made to systems. Any monitoring and review process should also determine whether:

 the measures adopted resulted in what was intended the procedures adopted and information gathered for undertaking the assessment were appropriate improved knowledge would have helped to reach better decisions and identify what lessons could be learned for future assessments and management of risks

Financial risk management

is a process of evaluating and managing current and possible financial risk at a firm as a method of decreasing the firm's exposure to the risk. Financial risk managers must identify the risk, evaluate all possible remedies, and then implement the steps necessary to alleviate the risk. These risks are typically remedied by using certain financial instruments as a method of counteracting possible ramifications. Financial risk management cannot prevent a firm from all possible risks because some are unexpected and cannot be addressed quickly enough. Similar to general risk management, financial risk management requires identifying its sources, measuring it, and plans to address them. How does financial risk arises Pressure from shareholders Management working for bonuses Good ratings from moodys etc Better share prices

Credit Risk The risk of loss of principal or loss of a financial reward stemming from a borrower's failure to repay a loan or otherwise meet a contractual obligation. Credit risk arises whenever a borrower is expecting to use future cash flows to pay a current debt. Investors are compensated for assuming credit risk by way of interest payments from the borrower or issuer of a debt obligation. Credit risk is closely tied to the potential return of an investment, the most notable being that the yields on bonds correlate strongly to their perceived credit risk. The higher the perceived credit risk, the higher the rate of interest that investors will demand for lending their capital. Credit risks are calculated based on the borrowers' overall ability to repay. This calculation includes the borrowers' collateral assets, revenue-generating ability and taxing authority (such as for government and municipal bonds). Credit risks are a vital component of fixed-income investing, which is why ratings agencies such as S&P, Moody's and Fitch evaluate the credit risks of thousands of corporate issuers and municipalities on an ongoing basis. Market Risk The day-to-day potential for an investor to experience losses from fluctuations in securities prices. This risk cannot be diversified away. Also referred to as "systematic risk". The beta of a stock is a measure of how much market risk a stock faces Risk which is common to an entire class of assets or liabilities. The value of investments may decline over a given time period simply

because of economic changes or other events that impact large portions of the market. Asset allocation and diversification can protect against market risk because different portions of the market tend to underperform at different times. also called systematic risk. Market risk is exposure to the uncertain market value of a portfolio. A trader holds a portfolio of commodity forwards. She knows what its market value is today, but she is uncertain as to its market value a week from today. She faces market risk.A forward contractor forwardis an OTC derivative. In its simplest form, it is a trade that is agreed to at one point in time but will take place at some later time. For example, two parties might agree today to exchange 500,000 barrels of crude oil for USD 42.08 a barrel three months from today. Some financial or commodities instruments are traded on established exchanges. Examples include most highly-capitalized stocks, which trade on exchanges such as the New York Stock Exchange, and futures, which trade on futures exchanges such as the Chicago Board of Trade. These instruments are called exchange traded. An instrument is traded over-the-counter (OTC) if it trades in some context other than a formal exchange. Most debt instruments are traded OTC with investment banks making markets in specific issues. If someone wants to buy or sell a bond, they call the bank that makes a market in that bond and ask for quotes. Many derivative instruments, including forwards, swaps and most exotic derivatives are also traded OTC. In these markets, large financial institutions serve as derivatives dealers, customizing derivatives for the needs of clients. Liquidity Risk

The risk that arises from the difficulty of selling an asset. An investment may sometimes need to be sold quickly. Unfortunately, an insufficient secondary market may prevent the liquidation or limit the funds that can be generated from the asset. Some assets are highly liquid and have low liquidity risk (such as stock of a publicly traded company), while other assets are highly illiquid and have high liquidity risk (such as a house). Operational Risk the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events. A form of risk that summarizes the risks a company or firm undertakes when it attempts to operate within a given field or industry. Operational risk is the risk that is not inherent in financial, systematic or market-wide risk. It is the risk remaining after determining financing and systematic risk, and includes risks resulting from breakdowns in internal procedures, people and systems. Operational risk can be summarized as human risk; it is the risk of business operations failing due to human error. Operational risk will change from industry to industry, and is an important consideration to make when looking at potential investment decisions. Industries with lower human interaction are likely to have lower operational risk.

Compliance Risk Compliance risk is the current and prospective risk to earnings or capital arising from violations of, or nonconformance with, laws, rules, regulations, prescribed practices, internal policies, and procedures, or ethical standards. Compliance risk also arises in situations where the laws or rules governing certain bank products or activities of the Banks clients may be ambiguous or untested. This risk exposes the institution to fines, civil money penalties, payment of damages, and the voiding of contracts. Compliance risk can lead to diminished reputation, reduced franchise value, limited business opportunities, reduced expansion potential, and an inability to enforce contracts. Regulatory Risk The risk associated with the potential for laws related to a given industry, country, or type of security to change and impact relevant investments. The risk that a change in laws and regulations will materially impact a security, business, sector or market. A change in laws or regulations made by the government or a regulatory body can increase the costs of operating a business, reduce the attractiveness of investment and/or change the competitive landscape. For example, utilities face a significant amount of regulation in the way they operate, including the quality of infrastructure and the amount that can be charged to customers. For this reason,

these companies face regulatory risk that can arise from events - such as a change in the fees they can charge - that may make operating the business more difficult. Another type of regulatory risk would be a change by the government in the amount of margin that investment accounts are able to have. While this is an unlikely change, if it were to be changed, the impact on the stock market would be material as this would force investors to either meet the new margin requirements or sell off their margined positions. Legal Risk A description of the potential for loss arising from the uncertainty of legal proceedings, such as bankruptcy, and potential legal proceedings. Reputational Risk What Is Reputation? The reputation of any individual or organization of any size is complex. It exists in the minds of both those with whom we interact directly, and in the minds of those who become aware of us as word of our actions circulates. It changes all the time, reflecting both the things we say and do an the trends and events that change the way our words and actions are interpreted It takes twenty years to build a reputation and five minutes to destroy it. (W. Buffet)

If you lose dollars for the firm, I will be understanding. If you lose reputation, I will be ruthless. (W. Buffet) Our assets are our people, capital and reputation. If any of these are ever diminished, the last is the most difficult to restore. (Goldman Sachs Business Principles) What Does Risk-Return Tradeoff Mean? The principle that potential return rises with an increase in risk. Low levels of uncertainty (low risk) are associated with low potential returns, whereas high levels of uncertainty (high risk) are associated with high potential returns. According to the riskreturn tradeoff, invested money can render higher profits only if it is subject to the possibility of being lost. Because of the risk-return tradeoff, you must be aware of your personal risk tolerance when choosing investments for your portfolio. Taking on some risk is the price of achieving returns; therefore, if you want to make money, you can't cut out all risk. The goal instead is to find an appropriate balance - one that generates some profit, but still allows you to sleep at night. Systematic Risk - Systematic risk influences a large number of assets. A significant political event, for example, could affect several of the assets in your portfolio. It is virtually impossible to protect yourself against this type of risk. Unsystematic Risk - Unsystematic risk is sometimes referred to as "specific risk". This kind of risk affects a very small number of assets. An example is news that affects a specific stock such as a

sudden strike by employees. Diversification is the only way to protect yourself from unsystematic risk. (We will discuss diversification later in this tutorial).