UNIT III – INTRODUCTION TO RISK MANAGEMENT

CHAPTER 11: RISK MANAGEMENT

Expected Learning Outcomes

After studying the chapter, you should be able to …

1. Define risk management.

2. Explain briefly the basic principles of risk management.
3. Describe the elements of risk management.
4. Define the relevant risk terminologies.
5. Describe the potential treatments or approaches in managing risks.
6. Explain the areas of risk management.
7. Describe the steps in the risk management process.
8. Familiarize yourself with the SEC requirements in dealing with enterprise-wide risk
management.

INTRODUCTION

Effective corporate governance cannot be attained without the organization mastering the art of
risk management. And risk management is recognized as one of the most important competencies
needed by the board of directors of modern organization, large as well as small and medium sized
business firms. The levels of risk faced by business firms have increased because of the fast-growing
sophistication of organization, globalization, modern technology and impact of corporate scandals. In
addition, therefore to compliance with legal requirements, top management should consider adequate
knowledge of risk management.

RISK MANAGEMENT DEFINED

Risk management is the process of measuring or assessing risk and developing strategies to
manage it. Risk management is a systematic approach in identifying, analyzing and controlling areas or
events with a potential for causing unwanted change. Risk management is the act or practice of
controlling risk.

It includes risk planning, assessing risk areas, developing risk handling options, monitoring risks
to determine how risks have changed and documenting overall risk management program.

As defined in the International Organization of standardization (ISO 31000), RISK MANAGEMENT

is the identification, assessment, and prioritization of risks followed by coordinated and economical
application of resources to minimize, monitor and control the probability and/or impact of unfortunate
events and to maximize the realization of opportunities.
 Risks can come from uncertainty in financial market, project failures, legal liabilities, credit risks,
accidents, natural causes and disasters as well as deliberate attack from adversary or events of uncertain
or unpredictable root-cause.

BASIC PRINCIPLES OF RISK MANAGEMENT

The International Organization for Standardization (ISO) identifies the basic principles of risk
management.

Risk management should:

1. Create value – resources spent to mitigate risk should be less that the consequence of inaction,
i.e., the benefit should exceed the costs.
2. Address uncertainty and assumptions
3. Be an integral part of the organizational process and decision-making
4. Be dynamic, iterative, transparent, tailorable, and responsive to change
5. Create capability of continual improvement and enhancement considering the best available
information and human factors
6. Be systematic, structured and continually or periodically reassessed

PROCESS OF RISK MANAGEMENT

According to the Standard ISO 31000 “Risk management – Principles and Guidelines on Implementation,
“the process of risk management consists of several steps as follows:

1. Establishing the Context. This will involve

a. Identification of risk in a selected domain of interest
b. Planning the remainder of the process
c. Mapping out the following:
i. The social scope of risk management
ii. The identity and objectives of stakeholders
iii. The basis upon which risks will be evaluated, constraints.
d. Defining a framework for the activity and an agenda for identification.
e. Developing an analysis of risks involved in the process.
f. Mitigation or solution of risks using available technological, human and organizational
resources.
2. Identification of potential risks. Risk identification can start with the analysis of the source of
problem or with the analysis of the problem itself. Common risk identification methods are:
a. Objective-based risk
b. Scenario-based risk
c. Taxanomy-based risk
d. Common-risk checking
e. Risk charting
 3. Risk assessment. Once risks have been identified, their potential severity of impact and the
probability of occurrence must be assessed. The assessment process is critical to make the best
educated decisions in prioritizing the implementation of the risk management plan.

ELEMENTS OF RISK MANAGEMENT

In practice, the process of assessing overall risks can be difficult, and balancing resources to mitigate
between risks with a high probability of occurrence but lower loss versus a risk with high loss but lower
probability of occurrence can often be mishandled. Ideal risk management should minimize spending of
manpower or other resources and at the same time minimizing the negative effect of risks.

For the most part, the performance of assessment methods should consist of the following elements:

1. Identification, characterization, and assessment of threats

2. Assessment of the vulnerability of critical assets to specific threats
3. Determination of the risk (i.e. the expected likelihood and consequences of specific types of
attacks on specific assets)
4. Identification of ways to reduce those risks
5. Prioritization of risk reduction measures based on a strategy

RELEVANT RISK TERMINOLOGIES

I. Risks Associated with Investments

Although a single risk premium must compensate the investor for all the uncertainty
associated with the investment, numerous factors may contribute to investment
uncertainty. The factors usually considered with respect to investments are
 Business risk
 Financial risk
 Liquidity risk
 Default risk
 Interest rate risk
 Management risk
 Purchasing power risk

BUSINESS RISK

Business risk refers to the uncertainty about the rate of return caused by the nature of the
business. The most frequently discussed causes of business risk are uncertainty about the firm’s
sales and operating expenses. Clearly, the firm’s sales are not guaranteed and will fluctuate as
the economy fluctuates or the nature of the industry changes. A firm’s income is also related to
its operating expenses. If all operating expenses are variable, then sales volatility will be passed
directly to operating income. These fixed expenses cause the operating income to be more
volatile than sales. Business risk is related to sales volatility as well as to the operating leverage
of the firm caused by fixed operating expenses.
DAFAULT RISK

Default risk is related to the probability that some or all of the initial investment will not be
returned. The degree of default risk is closely related to the financial condition of the company
issuing the security and the security’s rank in claims on assets in the event of default or
bankruptcy. For example, if a bankruptcy occurs, creditors, including bondholders have a claim
on assets prior to the claim of ordinary equity shareholders.

FINANCIAL RISK

The firm’s capital structure or sources of financing determine financial risk. If the firm is all
equity financed, then any variability in operating income is passed directly to net income on an
equal percentage basis. If the firm is partially financed by debt that requires fixed preferred
dividend payments, then these fixed charges introduce financial leverage. This leverage causes
net income to vary more than operating income. The introduction of financial leverage causes
the firm’s lenders and its stockholders to view their income streams as having additional
uncertainty. As a result of financial leverage, both investment groups would increase the risk
premiums that they require for investing in the firm.

INTEREST RATE RISK

Because money has time value, fluctuations in interest rates will cause the value of an
investment to fluctuate also. Although interest rate risk is most commonly associated with bond
price movements, rising interest rates cause bonds to decline and declining interest rates cause
bond prices to rise. Movements in interest rates affect almost all investment alternatives. For
example, as a change in interest rates will impact the discount rate used to estimate present
value of future cash dividends from ordinary shares. This change in discount rate will materially
impact the analyst’s estimate of the value of a share of ordinary shares.

LIQUIDITY RISK

Liquidity risk is associated with the uncertainty created by the inability to sell the investment
quickly for cash. An investor assumes that the investment can be sold at the expected price
when future consumption is planned. As the investor considers the sale of investment, he or
she faces two uncertainties: (1) what price will be received? (2) How long will it take to sell the
asset?

MANAGEMENT RISK

Decisions made by a firm’s management and board of directors materially affect the risk faced
by investors. Areas affected by these decisions range from product innovation and production
methods (business risk) and financing (financial risk) to acquisitions. For example, acquisition or
acquisition-defense decisions made by the management of such firms materially affected the
risk of the holders of their companies’ securities.
 PURCHASING POWER RISK

Purchasing power risk is perhaps, more difficult to recognize than the other types of risk. It is
easy to observe the decline in the price of a stock or bond, but it is more often difficult to
recognize that the purchasing power of the return you have earned on an investment has
declined (risen) as a result of inflation (deflation). It is important to remember that an investor
expects to be compensated for forgoing consumption today. If an individual is invested peso-
denominated assets such as bonds, Treasury bills, or savings accounts during the period of
inflation, the real or inflation adjusted rate of return will be less than the nominal or stated rate
of return. Thus, inflation erodes the purchasing power of the peso and increases investor risk.

II. Risks Associated with Manufacturing, Trading and Service Concerns

A. Market Risk
 Product Risk
o Complexity
o Obsolescence
o Research and Development
o Packaging
o Delivery of Warranties
 Competitor Risk
o Pricing Strategy
o Market Share
o Market Strategy
B. Operations Risk
 Process Stoppage
 Health and Safety
 After sales Service Failure
 Environmental
 Technological Obsolescence
 Integrity
o Management Fraud
o Employee Fraud
o Illegal Acts
C. Financial Risk
 Interest Rates Volatility
 Foreign Currency
 Liquidity
 Derivative
 Viability
D. Business Risk
 Regulatory Change
  Reputation
 Political
 Regulatory and Legal
 Shareholder Relations
 Credit Rating
 Capital Availability
 Business Interruptions

III. Risks Associated with Financial Institutions

Financial Non-financial
 Liquidity Risk  Operational Risk
 Market Risk o Systems
o Currency  Information
Processing
o Equity  Technology
o Commodity o Customer satisfaction
 Credit Risk o Human Resources
o Counterparty o Fraud and Illegal acts
o Trading o Bankruptcy
o Commercial  Regulatory Risk
 Loans o Capital Adequacy
 Guarantees o Compliance
 Market Liquidity Risk o Taxation
o Currency Rates o Changing laws and policies
o Interest Rates  Environmental Risk
o Bond and Equity Prices o Politics
 Hedged Positions Risk o Natural Disasters
 Portfolio Exposure Risk o War
 Derivative Risk o Terrorism
 Accounting Information Risk  Integrity Risk
o Completeness o Reputation
o Accuracy  Leadership Risk
 Financial Reporting Risk o Turnover
o Adequacy o Succession
o Completeness

POTENTIAL RISK TREATMENTS

ISO 31000 also suggests that once risks have been identified and assessed, techniques to manage the
risks should be applied. These techniques can fall into one or more of these four categories:

 Avoidance
 Reduction
  Sharing
 Retention

Risk Avoidance

This includes performing an activity that could carry risk. An example would be not buying a property or
business in order not to take on the legal liability that comes with it. Avoiding risks, however, also
means losing out on the potential gain that accepting (retaining) the risk may have allowed. Not
entering a business to avoid the risk of loss also avoids the possibility of earning profits.

Risk Reduction

Risk reduction or optimization involves reducing the severity of the loss or the likelihood of the loss from
occurring. Optimizing risks means finding a balance between the negative risk and the benefit of the
operation or activity; and between risk reduction and effort applied. Outsourcing could be an example
of risk reduction if the outsourcer can demonstrate higher capability of managing or reducing risks.

Risk Sharing

Risk sharing means sharing with another party the burden of loss or the benefit of gain, from a risk, and
the measures to reduce a risk.

Risk Retention

Risk retention involves accepting the loss or benefit of gain from a risk when it occurs. Self-insurance
falls in this category. All risks that are not avoided are transferred or retained by default. Also, any
amounts of potential loss over the amount insured is retained risk. This is acceptable if the chance of a
very large loss is small or if the cost to insure for greater coverage involves a substantial amount that
could hinder the goals of the organization.

AREAS OF RISK MANAGEMENT

As applied to corporate finance, risk management is the technique for measuring, monitoring, and
controlling the financial or operational risk on a firm’s balance sheet.

The Basel II framework breaks risks into market risk (price risk), credit risk, and operational risk and also
specifies methods of calculating capital requirements for each of these components.

The most commonly encountered areas of risk management include:

1. Enterprise risk management

2. Risk management activities as applied to project management
3. Risk management for megaprojects
4. Risk management of information technology
5. Risk management techniques in petroleum and natural gas
A simplified framework for an Enterprise-wide Risk Management Process follows:

Risk management System Top management’s Involvement

Oversight Activities:

Define goals & objectives, roles & Set management policy, establish
responsibilities, common language, & context, set limits and tolerance etc.
oversight structure

Risk Management Process

Step 1: Assess Risks: Ensure that process captures all

Identify, source, and measure business risks.

Step 2: Develop / Design Action Plans: Ensure that all available tools and
Reduce, Avoid, retain, transfer & exploit methodologies are used

Step 3: Implement action plans Review effectiveness of plans.

Check capabilities

Step 4: Monitor and report risk Review and evaluate regular reports on
management performance performance

Step 5: Continuously improve risk Evaluate recommendations for

management capabilities improvement

RISK MANAGEMENT FRAMEWORK

The Board should oversee that a sound enterprise risk management (ERM) framework is in place to
effectively identify, monitor, assess and manage key business risks. The risk management framework
should guide the Board in identifying units/business lines and enterprise-level risk exposures, as well as
the effectiveness of risk management strategies.

Subject to a corporation’s size, risk profile and complexity of operations, the Board should establish a
separate Board Risk Oversight Committee (BROC) that should be responsible for the oversight of a
company’s Enterprise Risk Management system to ensure its functionality and effectiveness. The BROC
should be composed of at least three members, majority of whom should be independent directors,
including the Chairman. The Chairman should not be the Chairman of the Board or of any other
committee. At least one member of the committee must have relevant thorough knowledge and
experience on risk and risk management. Subject to its size, risk profile and complexity of operations,
the company should have a separate risk management function to identify, assess and monitor key risk
exposure.
STEPS IN THE RISK MANAGEMENT PROCESS

To enhance management’s competence in their oversight role on risk management, the following steps
may be followed:

1. Set up a separate risk management committee chaired by a board member.

2. Ensure that a formal comprehensive risk management system is in place.
3. Assess whether the formal system possesses the necessary elements.
4. Evaluate the effectiveness of the various steps in the assessment of the comprehensive risks
faced by the business firm.
5. Assess if management has developed and implemented the suitable risk management strategies
and evaluate their effectiveness.
6. Evaluate if management has designed and implemented risk management capabilities.
7. Assess management’s efforts to monitor overall company risk management performance and to
improve continuously the firm’s capabilities.
8. See to it that best practices as well as mistakes are shared by all. This involves regular
communication of results and feedbacks to all concerned.
9. Assess regularly the level of sophistication of the firm’s risk management system.
10. Hire experts when needed.