Risk Management Project Report


Risk management is the process of measuring or assessing risk and developing strategies to manage it. It is the practice by which a firm optimizes the manner in which it takes business risks. The point of risk management is not to eliminate risk; that would eliminate reward. Hence risk needs to be managed.

Fundamentals of Good Risk Management Potential Benefits


BOOM TIME DOOM?

• Easy for managers to forget about risk

• There are external as well as internal risks associated with success and it should incite managers to identify the level of internal risk exposure.

• Many businesses focus on performance while failing to recognize the importance of risk and control activities.
RISK APPETITE

Risk appetite, at the organizational level, is the amount of risk exposure, or potential adverse impact from an event, that the organization is willing to accept/retain. Once the Risk Appetite threshold has been breached, risk management treatments and business controls are implemented to bring the exposure level back within the accepted range.

The design of a risk appetite framework does not have to start from scratch. It
should build on and unify existing risk and business management processes and
reports.
Approaches – TOP DOWN or BOTTOM UP APPROACH
The ‘top-down’ desired risk profile must be compared with the ‘bottom-up’ reality.
Organisations use different ways to measure their Risk Appetite, ranging from
simple qualitative measures such as defining risk categories and setting
target levels around these, to developing complex quantitative models of
economic capital and earnings volatility. Again, risk appetite is not a magic number, nor
always quantifiable. It is dependent upon the aims of the business and what risks have to
be taken to achieve those aims.

The final aspect of risk appetite is the target risk/reward balance of the organization. Organizations setting a lower risk/reward premium will be able to take on a wider range of opportunities, thus potentially building a larger organization, albeit one with a lower return on capital.
KEY RISK INDICATORS

Key Risk Indicators (KRIs) relate to a specific risk and demonstrate a change in the likelihood or impact of the risk event occurring.

The number of customer complaints is an example of a risk indicator. As customer complaints increase, the probability that there are some underlying and potentially systemic mistakes and errors of judgement being made is likely to rise.

KRI benefits include:

• Understand how the risk profile changes in different circumstances
• Appreciate how risk moves and is affected by the business environment
• Focus attention on risk drivers that are most volatile
• Ensure controls around the drivers are robust and effective
• Gain a forward looking perspective on the current risk profile
• Understand the early warning signals for emerging risks

Indicators can be leading, lagging or current in nature. Most managers want leading or preventative indicators that predict problems far enough in advance to prevent or eliminate them, or at least mitigate the damage.

All companies face the challenge of developing leading indicators that can effectively provide early warnings of potential future losses. Clearly, the challenge is to implement KRIs in such a way as to improve consistency, relevance, transparency and completeness. To achieve this, some standardisation is required across the firm and across the industry.

The challenges posed by KRIs include:

• Absence of a database of known loss events
• Tendency to focus on well-known risks
• Can be costly to implement and maintain
• People can only manage KRIs they understand
• Incorrect interpretation of data
• Use of lagging indicators
• Requires a good understanding of the risk cause (for likelihood drivers) and
consequence (for impact drivers)
• Usefulness varies from risk to risk
• Out of date indicators
• Organisational risk maturity and culture
RISK MANAGEMENT PROCESS

[Diagram: the risk management process, with the stages Set Objectives, Identify Risks, Assess Risks, Control, Monitor]

Roles and Responsibilities

Chief Executive Officer: The CEO ensures the implementation of the risk management framework and process and the ongoing assessment of risks. He also promotes risk culture and ensures the risk management process is sustained organisation wide.

Risk Manager: He is the risk management process owner. He is responsible for ensuring the implementation of, and compliance with, the risk management policy and process.

Risk Management Committee: The RMC defines the risk management policy framework and process. It also promotes and implements monitoring of risk management strategies and policies.

Chief Risk Officer: The CRO oversees, advises on, and communicates information regarding the risk appetite of the organisation. He is not a manager of risk; he only oversees the risk management process.

Audit committee: It ensures adequacy of the control framework to manage risks across the organisation (monitoring).
TYPES OF RISKS
OPERATIONAL RISK MANAGEMENT

Operational risks:

Control risks + Inherent risks for which controls are not in place.

Some of the events that could lead to operational risk include:

EVENTS

• Technology Error
• Fraud and Theft
• Legal and Regulatory
• Transaction Risk
• Security
HOW TO MANAGE OPERATIONAL RISK

Operational risk can be divided into three functions:

• Efficient and effective maintenance of business infrastructure that mostly consists of information systems, including security policy, internal controls and risk management.

• Effective internal audit function, which includes assurance about integrity of information systems, compliance, effective internal controls, assurance and effective internal audit.

• Pricing of operational risk management, which includes measurement of losses, pricing of operational risks for each line of business, RAROC (Risk-adjusted Return on Capital) and measuring capital requirement.

STEPS TO MANAGE OPERATIONAL RISK

1. Prepare a Risk Plan

a) Causal Model - identify the expected losses and establish relationships between losses and events

b) Predictive Model - account for the unexpected losses and predict them over extended periods.
2. Identification and Measurement of Operational Risks:

a) Top Down Approach – financial data from the balance sheet and profit and loss accounts are converted into a risk amount.

b) Bottom Up Approach - risks are analyzed for each line of business and their occurrence and losses incurred are identified and measured.

3. Implementation of Risk Mitigation Techniques:

a) Causality - Knowing "what causes what" gives an ability to intervene in the environment and implement the necessary controls.
b) Self assessment
c) Calculating reserves and capital requirements
d) Creating a culture supportive of risk mitigation
e) Strengthening internal controls, including internal and external audits of systems, processes and controls (this includes IS audit and assurance)
f) Setting up operational risk limits (so businesses will have to reduce one or more of frequency of loss, severity of loss or size of operations)
g) Setting up independent operational risk management departments
h) Establishing a disaster recovery plan and backup systems
i) Insurance
j) Outsourcing operations with strict service level agreements so operational risk is transferred
4. Forecasting and Prediction:

Every business has to identify the events most relevant to it.

The whole exercise of operational risk management is to identify events that are likely to cause losses.

“VaR” (Value at Risk) and Scenario Analysis are used as techniques for prediction by taking
historical data or simulation and qualitative factors.
RISK MANAGEMENT AND INTERNAL CONTROLS

In today’s business environment, the overall profile of risk management and internal controls has increased, resulting in greater responsibilities for those who manage enterprise risk.

Some of the key challenges include:

• Increasing expectations for effective risk coverage, driven especially by audit committees, executive management, and stakeholder demands for stronger corporate governance and transparency

• Providing risk coverage in areas requiring specialized knowledge, such as information technology, major capital programs, contracts, fraud, acquisitions, and international ventures

• Interpreting and reconciling the volume and disparity of risk and control information from across the enterprise

• Maintaining proper investment and alignment in risk management and internal control approach, technology, knowledge, and learning programs

• Addressing the “war for talent” through staff recruitment, development, career planning, and retention for experienced risk management and internal control professionals

• Adding benefit through process and control improvement recommendations, sharing of leading practices, and working to implement major change initiatives.
RISK MANAGEMENT AND INTERNAL CONTROL

In a recent survey, 42% of the companies that responded believe they have key risks that are not being formally managed.
FRAMEWORK FOR RISK AND CONTROL

The three primary components of a risk and control framework, “Governance,” “People,” and “Methods and Practices,” and their related sub-components, are reflected in the diagram below:
INFORMATION SYSTEM RISK MANAGEMENT

The cardinal rule of security is that –

“No one thing makes a computer secure”

Types of System Risk

I. Accidental Threats

• Natural calamities like fire, flood, earthquake, etc.
• Energy variations
• Hardware failures

II. Intentional Threats

• Unauthorized access
• Unauthorized alteration to data
• Leakage of sensitive information
ACCIDENTAL THREATS

Fire damage:

Fire is a major threat to the physical security of a computer installation.

Following are the major features of a well-designed fire protection system:
• Installation of both automatic and manual fire alarms at strategic locations.
• Installation of manual fire extinguishers at strategic locations.
• Fire extinguishers and fire exits should be clearly marked.
• Place master switches for power.
• Place smoke detectors.
• Use a sprinkler system/halogen gas to put out fire.
• When a fire alarm is activated, a signal may be sent automatically to a permanently manned fire station.
• All staff members should know how to use the system.
Water damage:

Water damage to a computer installation can be the outcome of a fire, when the sprinkler system sprays water that enters hardware. It may also result from other sources such as floods, cyclones, etc.

Some of the major ways of protecting the installation against water damage are
as follows:

• Have waterproof ceilings and walls.

• Ensure an adequate drainage system exists.

• In flood areas have the installation above the high water level.

• Have a master switch for all water mains.

• Use a dry pipe automatic sprinkler system.

• Cover hardware with a protective fabric when it is not in use.


ENERGY VARIATION

Energy Variations

• Increase in power
  - Temporary: Circuit breakers
  - Sustained: Stabilizer/Voltage Regulator
• Loss of power
  - Temporary: Battery Back-Up
  - Sustained: Generator

Hardware Failures:

There are cases when hardware failures cause the operating system to crash.

There could also be cases of system failures which cause the whole segment of
memory to be dumped to disks and printers resulting in unintentional disclosure of
confidential information.

Backing-up data:

Backing up data is the single most important step in preventing data loss. Regular backups are vital insurance against a data-loss catastrophe, yet many organizations learn this lesson the hard way.

By far the best method of taking a back-up is replication of data to an off-site location using local mirrors of systems.

Following are some rules of thumb to guide you in developing a solid backup strategy.

• Develop a written backup plan

• Your database and accounting files are your most critical data assets. They should be
backed up before and after any significant use. For most organizations, this means
backing up these files daily. Nonprofits that do a lot of data entry should consider
backing up their databases after each major data-entry session.

• Store a copy of your backups off-site to insure against a site-specific disaster such as
a fire, break-in, or flood. Ideally, you should store your backups in a safety-deposit
box.
DISASTER RECOVERY PLAN (DRP)

Disaster Recovery is the process, policies and procedures related to preparing for recovery of technology and infrastructure critical to an organization after a natural or human-induced disaster.

Example: 9/11 Terror attacks on World Trade Center

Objectives of DRP:

• Assures the management that normalcy would be restored in a set time
• Minimization of losses

General Components of DRP:

1. Emergency Plan
2. Recovery Plan
3. Back-up Plan

It is estimated that most large companies spend between 2% and 4% of their IT
budget on disaster recovery planning, with the aim of avoiding larger losses in the
event that the business cannot continue to function due to loss of IT infrastructure
and data.

Of companies that had a major loss of business data:


INTENTIONAL THREATS:

Unauthorized intrusion can take two forms.

By physically entering the room, the intruder may steal assets or carry out sabotage. Alternatively, the intruder may eavesdrop on the installation by wire tapping, installing an electronic bug or using a receiver that picks up electromagnetic signals.

Intentional attacks can come from intruders outside the organization or even from privileged personnel who abuse their authority (e.g., disgruntled employees).

Mitigation Techniques for Unauthorized Intrusion:

• There should be a separate visitor lounge.
• Entry should be granted only to IT personnel and using biometric devices, such as fingerprints, voice prints, retina prints, or signature characteristics.
• Use alarms to alert on entry made by an intruder.
• Remove old, unused accounts; they are just that many more passwords for someone to find out.
• Install security patches to the operating system.
• Use security checking software.
ADMINISTRATIVE CONTROLS:

1. Log on Procedures

2. Call Back Devices

3. Firewalls

4. Encryption

5. Anti-Virus Software

6. Hiring Tiger Teams


FINANCIAL RISK MANAGEMENT

Financial Exposure v/s Financial Risk

Financial risk refers to the probability of loss, while financial exposure is the possibility of loss.

Financial risk arises as a result of financial exposure.

HISTORY OF FINANCIAL RISK

• Early Market Scenario

• New Era of Finance


HOW DOES FINANCIAL RISK ARISE?

• Financial risks arising from an organization’s exposure to changes in market prices, such as interest rates, exchange rates, and commodity prices.

• Financial risks arising from the actions of, and transactions with, other organizations such as vendors, customers, and counterparties in derivatives transactions.

• Financial risks resulting from internal actions or failures of the organization, particularly people, processes, and systems.
TYPES OF FINANCIAL RISK

Pure Risk:

The situation in which a gain will not occur. The best possible outcome is that of no loss occurring.

Speculative Risk:

A risk in which either a gain or a loss may occur.

Diversifiable Risk & Non-diversifiable Risk:

Essentially diversifiable risk is that which can be mitigated through a process of pooling risks and vice-versa for non-diversifiable.
WHAT IS FINANCIAL RISK MANAGEMENT?

Financial risk management is a process to deal with the uncertainties resulting from financial markets.

It involves assessing the financial risks facing an organization and developing management strategies consistent with internal priorities and policies.

Addressing financial risks proactively may provide an organization with a competitive advantage.

It also ensures that management, operational staff, stakeholders, and the board of directors are in agreement on key issues of risk.
PROCESS OF FINANCIAL RISK MANAGEMENT

The process can be summarized as follows:

• Identify and prioritize key financial risks.

• Determine an appropriate level of risk tolerance.

• Implement risk management strategy in accordance with policy.

• Measure, report, monitor, and refine as needed.

There are three broad alternatives for managing risk:

1. Do nothing and actively, or passively by default, accept all risks.

2. Hedge a portion of exposures by determining which exposures can and should be hedged.

3. Hedge all exposures possible.


WAYS OF FINANCIAL RISK MANAGEMENT

Different ways of Financial Risk Management:

• Hedging Using Capital Asset Pricing Model (CAPM)
• Hedging Using Market Instruments
HEDGING USING CAPITAL ASSET PRICING MODEL (CAPM)

CAPM or the Capital Asset Pricing model is the most frequently used financial
model to enable portfolio diversification. If returns on risky assets have less
than perfect correlation, i.e., they do not naturally hedge against each other,
risk averse individuals diversify risk in their holding of assets. A well
diversified portfolio would have less fluctuation than returns on individually
held financial assets.

Given that non-systematic risk is virtually nullified by a large portfolio (CAPM assumes such a large portfolio), the only risk that remains is the systematic risk. Thus, the only type of risk for which an investor would earn a return would be the systematic risk. This systematic risk is measured as Beta. Beta (β) measures the volatility/exposure of a security’s return relative to the entire market (CAPM) portfolio.

According to the CAPM Model,

Cost of Capital (Ke) = Rf + β (Rm – Rf);

Where, Rf is the Risk Free Rate, β is the Beta of the portfolio and Rm is the
Market Rate.
WHAT IS HEDGING?
 
Hedge - In finance, a hedge is a position established in one market in an attempt to offset
exposure to the price risk of an equal but opposite obligation or position in another market —
usually, but not always, in the context of one's commercial activity.

SPOT CONTRACTS

FORWARD CONTRACTS

• Closed Forward - Closed forwards must be settled on a specified date.

• Open Forwards - Open forwards set a window of time during which any portion of the
contract can be settled, as long as the entire contract is settled by the end date.

Using FX forwards, one can:


• Protect costs on products and services purchased abroad
• Protect profit margins on products and services sold abroad
• Lock-in exchange rates as much as a year in advance
EXAMPLE FOR FX FORWARDS

A Swiss exporter agrees to receive USD 1,000,000 after 3 months. The exporter has collected the following information:

Spot (CHF/$): 1.8054/1.8065
3-m forward (CHF/$): 1.8075/1.8083
3-m LIBOR (assumed): CHF 5%, USD 6.76%

What options does the exporter have to hedge his position against the FX fluctuation risk?

Solution:

Money market cover:
The exporter has a receivable exposure. Hence, the exposure can be covered in the money market by borrowing in USD. The receivables can be used to pay off the loan with interest, while the dollars borrowed today can be converted into CHF and invested.
Amount which can be borrowed today = 1,000,000 / (1 + 0.0676 × 3/12) = USD 983,381.
The amount can be converted today into CHF: 983,381 × 1.8054 = CHF 1,775,396.
If this is invested for 3 months, the exporter can get 1,775,396 × (1 + 0.05 × 3/12) = CHF 1,797,588.

Forward cover:
Instead of using money market cover, if the exporter takes forward cover then he can get this at CHF/USD 1.8075, which will give him a cash flow in CHF of 1,000,000 × 1.8075 = CHF 1,807,500.00. Since this exceeds the CHF 1,797,588 from the money market cover, in this case the exporter should go for forward cover.
Interest Rate Options –

Interest Rate Options are options on the spot yield of U.S. Treasury securities. Available to meet the investor’s needs are options on short, medium and long-term rates. The following contracts are available for trading at the Chicago Board Options Exchange:

Options on the short-term rate (ticker symbol IRX) are based on the annualized discount rate on the most recently auctioned 13-week Treasury bill.

Options on the 5-year rate (ticker symbol FVX) are based on the yield-to-maturity of the
most recently auctioned 5-year Treasury note.

Options on the 10-year rate (ticker symbol TNX) are based on the yield-to-maturity of
the most recently auctioned 10-year Treasury note.

Options on the 30-year rate (ticker symbol TYX) are based on the yield-to-maturity of
the most recently auctioned 30-year Treasury bond.
How do interest rate options work?

A call buyer anticipates interest rates will go up, increasing the value of the call position. A put
buyer anticipates that rates will go down, increasing the value of the put position.

A yield-based call option holder will profit if, by expiration, the underlying interest rate rises
above the strike price plus the premium paid for the call.

Conversely, a yield-based put option holder will profit if, by expiration, the interest rate has
declined below the strike price less the premium.

Interest Rate Options features:

Cash settled: Interest Rate Options are settled in cash. There is no need to own or deliver any Treasury securities upon exercise.

Contract size: Interest Rate Options use the same $100 multiplier as options on equities and stock indexes.

European-style exercise: The holder of the option can exercise the right to buy or sell
only at expiration. This eliminates the risk of early exercise and simplifies investment
decisions.
Foreign Currency Swaps - A financial foreign currency contract whereby the buyer and
seller exchange equal initial principal amounts of two different currencies at the spot rate.

Example:
A company needs to borrow euros to fund an investment project. The cash flows will also
be in euros. It transpires that by issuing a loan in USD the company can obtain the
required funds more cheaply than by issuing a loan in EUR. However, in that case, the
company would be faced with the situation where the interest payments would be in USD
whereas the income would be in EUR. The company therefore decides to enter into a CC
Swap whereby it receives the USD interest rate and pays the EUR interest rate.
 
The following three examples show how, through a CC Swap, the standard interest rate for the term and currency of the debenture loan are swapped.

Swap of the principal amounts at the beginning of the CC Swap
[Diagram: debenture issue in USD, ABC and ING Bank, with flows labelled Principal in USD, Principal in USD and Principal in EUR]

Swap of interest flows during the CC Swap
[Diagram: debenture loan, ABC and ING Bank, with flows labelled USD interest rate on debenture loan, USD interest rate and EUR interest rate]

Swap of the principal amounts at maturity of the CC Swap
[Diagram: maturity of debenture loan in USD, ABC and ING Bank, with flows labelled Principal in USD, Principal in USD and Principal in EUR]
Interest Rate Swaps –

A financial interest rate contract whereby the buyer and seller swap interest rate exposure over the term of the contract. The most common swap contract is the fixed-to-float swap whereby the swap buyer receives a floating rate from the swap seller, and the swap seller receives a fixed rate from the swap buyer.

Time      6-Month   Fixed Rate   Floating Rate   Swap Net
(years)   Libor     Cash Flows   Cash Flows      Cash Flows
[1]       [2]       [3]          [4]             [3] – [4]

0.0       2.8 %     –100.0       –100.0            0.0
0.5       3.4 %        2.3          1.4            0.9
1.0       4.4 %        2.3          1.7            0.6
1.5       4.2 %        2.3          2.2            0.1
2.0       5.0 %        2.3          2.1            0.2
2.5       5.6 %        2.3          2.5           –0.2
3.0       5.2 %        2.3          2.8           –0.5
3.5       4.4 %        2.3          2.6           –0.3
4.0       3.8 %      102.3        102.2            0.1
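
The table above can be rebuilt from its LIBOR column alone, which makes visible that each floating payment is set by the LIBOR observed one period earlier and paid in arrears. This is an added example, not part of the original report; the notional of 100, the 4.6% annual fixed rate (inferred from the 2.3 half-yearly coupon) and the function name swap_cash_flows are assumptions.

```python
# Added example: rebuild the fixed-to-float swap table from its LIBOR column.
# Assumptions (not stated in the report): notional of 100, semi-annual
# periods, fixed rate of 4.6% p.a. (inferred from the 2.3 coupon), and a
# floating coupon fixed at the LIBOR observed at the START of each period.

NOTIONAL = 100.0
FIXED_RATE = 0.046   # assumed: 2.3 per half-year on a notional of 100
PERIOD = 0.5         # years between payments

# 6-month LIBOR column of the table, in percent, at t = 0.0, 0.5, ..., 4.0
LIBOR_PCT = [2.8, 3.4, 4.4, 4.2, 5.0, 5.6, 5.2, 4.4, 3.8]


def swap_cash_flows(libor_pct, notional=NOTIONAL,
                    fixed_rate=FIXED_RATE, period=PERIOD):
    """Return rows of (time, libor %, fixed CF, floating CF, net CF)."""
    rows = []
    last = len(libor_pct) - 1
    for i, libor in enumerate(libor_pct):
        if i == 0:
            # Initial exchange of notional on both legs nets to zero.
            fixed = floating = -notional
        else:
            fixed = notional * fixed_rate * period
            # Set in advance, paid in arrears: use the PREVIOUS fixing.
            floating = notional * (libor_pct[i - 1] / 100.0) * period
            if i == last:
                # Notional is returned on both legs at maturity.
                fixed += notional
                floating += notional
        rows.append((i * period, libor,
                     round(fixed, 1), round(floating, 1),
                     round(fixed - floating, 1)))
    return rows


if __name__ == "__main__":
    print(f"{'t':>4} {'LIBOR%':>7} {'fixed':>8} {'float':>8} {'net':>6}")
    for t, libor, fixed, floating, net in swap_cash_flows(LIBOR_PCT):
        print(f"{t:>4.1f} {libor:>7.1f} {fixed:>8.1f} {floating:>8.1f} {net:>6.1f}")
```

The last LIBOR fixing (3.8% at year 4.0) never produces a payment, because the swap matures on that date.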


OTHER FINANCIAL INSTRUMENTS FOR HEDGING

• Futures
1. Commodity
2. Interest Rate
3. Currency
4. Index
5. Stock

• Credit Derivatives
1. Credit Default
2. Total Return Swap
3. Credit Linked Note
RISK MANAGED ?

Risk management isn’t just about protecting your business — it’s also about making it better. Risk management shouldn’t be thought of as a stand-alone compliance or control activity, but as a competency that allows your organization to realize its potential — whether that means driving top line growth, eliminating costs, enhancing reputation and brand, or making better use of capital assets. Organizations need to understand all of their business risks — strategic, operational, financial, compliance — align their risk functions and activities to eliminate overlaps and gaps, and develop plans to manage, accept, or capitalize on those risks.

Although Return Maximization is an objective holding paramount importance for an organisation’s long term goals, the same cannot be achieved unless Risk Minimisation is paid heed to. Hence it is essential that an appropriate balance is struck between Risks and Return.
THANK YOU
