Introduction

• According to the dictionary risk is a situation involving exposure to danger.
• Risk involves the uncertainty about future returns.
• Opportunity comes with risk. Hence true definition of risk should also include the upside prospects along with the downside dangers.
• However, our risk awareness is not always suited to the modern world. Behavioral science shows that we rely too much on instinct and personal experience, as biases skew our thought processes. For example, even the way we frame risk decisions irrationally influences our willingness to take risk.
• Risk cannot be always automatically linked to size of the possible cost or loss, and the actual risk is variability of the losses, costs or returns.
• Risk management is an old craft but a young science – and an even younger profession.

Risk Management v/s Risk Taking

• There is a logical and instinctive give and take arrangement between risk and return.
• Risk Management is concerned with minimizing the chances of incurring expected losses.
• Risk Taking is assuming risk in order to achieve gains and it can be perceived in an opportunistic way.
• Risk Management and Risk Taking are two sides of the same coin.

Building Blocks

• Ten risk management building blocks can be isolated along the way –
• The risk management process
• Identifying risk: knowns and unknowns
• Expected loss, unexpected loss, and tail loss
• Risk factor breakdown
• Structural change: from tail risk to systemic crisis
• Human agency and conflicts of interest
• Typology of risks and risk interactions
• Risk aggregation
• Balancing risk and reward
• Enterprise risk management (ERM)

• Most risk management disasters are caused by failures in these fundamental building blocks, rather than the failure of some sophisticated technique. Centuries-old financial institutions have been bankrupted because their risk management procedures ignored a certain type of risk, misunderstood connections between risks, or did not follow the classic steps in the risk management process.

Typology Of Risks And Risk Interactions

• Given the variety of business models that firms pursue, corporate risks take many forms. However, most firms face risks that can be categorized within the risk typology given in this chapter. This kind of typology has many uses. It helps organizations drill down into the risk-specific factors within each risk type, map risk management processes to avoid gaps, and hold staff accountable for specific risk domains.
• For market and credit risks, most banks recognize that risk scales alongside reward. They actively pursue risky assets, such as particular credit segments. An increase in operational risks, on the other hand, does not lead to greater reward, so banks avoid these risks when they can. Risk typologies must be flexible because new risks are always emerging. New forms of operational risk are again climbing up the risk manager’s watch list: cyber risk (particularly the risk of hackers stealing and destroying data and compromising systems) and data privacy risk. Furthermore, the risk types interact with one another so that risk flows. During severe crisis, for example, risk can flow from credit risk to liquidity risk to market risk, such as the global financial crisis of 2007–2009. The same can occur within an individual firm: the “fat finger” of an unlucky trader (operational risk) creates a dangerous market position (market risk) and potentially ruins the standing of the firm (reputational risk).

Market Risk

• Market risk is the risk that changes in market prices and rates will negatively affect the value of an investment.

• The market risk can be subdivided into 4 categories.
  1. Equity Price Risk,
  2. Commodity Price Risk,
  3. Foreign Exchange Risk and
  4. Interest Rate Risk.
• Equity risk can be broken into:
  • General Market Risk – Sensitivity of stock or portfolio value to the broad market indices.
  • Specific Risk – Determined by factors unique to the firm.
• Commodity price risk is the volatility of the price of commodities like precious metals, base metals, agricultural commodities, energy products, etc. Since the suppliers are few in the market, commodity prices are more volatile.
• Interest rate riskis the risk that changes in interest rates may affect the market value of an investment. It can be broken into:
  • Trading Risk – General risk of a drop in value.
  • Gap Risk – Risk due to differences in sensitivitiesof assetsand liabilitiesto changes in interest rates.
• Foreign exchange risk arises from open or imperfectly hedged positions in some foreign currency positions, including foreign currency denominated assets and liabilities.
• Market risk can be managed through the relationships between positions. The diversification benefits of a large equity portfolio, for example, form the bedrock of investment risk management.
• However, market risk also arises from these relationships. An equity portfolio designed to track the performance of an equity market benchmark might fail to track it perfectly – a special form of market risk. Likewise, a position intended to balance out, or hedge, another position ormarket price behavior might do so imperfectly – a form of market risk known as basis risk.

Credit Risk

• Credit Risk is the risk of an economic loss from the failure of a counterparty to fulfill its obligations toward the other party under the contract.
• Credit Risk can be decomposed under 4 subtypes –
  • Default Risk – The risk that the debtor will not be capable or willing to meet the obligations, either principal or interest or both on the loan contracted, even after a relief period has been provided.
  • Bankruptcy risk – The risk of holding collateralized assets provided by defaulting party. In case of a bankrupt company, the first priority is given to debtholders, and shareholders can claim after the debtholders have been serviced. The risk is that the liquidation value may not be sufficient to recover the loss.
  • Downgrade risk – The risk that the perceived creditworthiness of the counterparty can deteriorate. Downgrade risk may eventually lead to default risk.
  • Settlement risk – The risk due to the exchange of cash flows when a transaction is settled, and the party which is in a net loss position might refuse to fulfill a part or all of its obligations. This risk is also known as counterparty risk (or Herstatt risk, associated withthe failure of Herstatt Bank in Germany.).
• Credit risk is driven by the probability of default of the counterparty, exposure amount during default, and amount that can be recovered in case of a default. These levers can all be altered by a firm’s approach to risk management through factors such as the quality of its borrowers,the structure of the credit instrument (e.g., collateralization), and controls on exposure.
• The exposure amount is clear with most loans but can be volatile with other kinds of transactions. A derivative transaction may have zero credit risk at the outset because it has no immediate value in the market. However, it can quickly become a major counterparty credit exposure as markets change and the position gains in value.
• Traditionally, the probability of default of an obligor is assessed through identifying and evaluating a selection of key risk factors. For example, corporate credit risk analysis looks at key financial ratios, industry sectors, etc.
• Credit standings of obligors needs to be considered and an appropriate spread is charged to each borrower to compensate for the risk undertaken.

Credit Risk At Portfolio Level

• The risk in whole portfolios of credit risk exposures is driven by obligor concentration as well as the relationship between risk factors. The portfolio will be a lot riskier if:
  • It has a small number of large loans rather than many smaller loans;
  • The returns or default probabilities of the loans are positively correlated (e.g., borrowers are in the same industry or region);
  • The exposure amount, probability of default, and loss given default amounts are positively correlated (e.g., when defaults rise, recovery amounts fall).
• Loan portfolios should not be too much concentrated on particular maturities and time diversification should be done, which will also reduce liquidity risks. Concentration risk should be avoided by diversification over exposures, geographies and industries.
• The state of the economy impacts the risk of the portfolio.
• Risk managers use sophisticated credit portfolio models to uncover risk arising from these combinations of risk factors.

Liquidity Risk

• Liquidity risk is very difficult to quantify.  Liquidity risk is also subdivided into two parts
  • Funding liquidity risk, and
  • Market Liquidity Risk or Trading liquidity risk.
• Funding liquidity risk is the risk that the entity won’t be able to raise cash to roll over its debt, or to meet the requirements of the counterparties and fulfill capital requirements. Funding liquidity risk threatens all kinds of firms. For example, many small and fast-growing firms find it difficult to pay their bills quickly enough while still having sufficient funds to invest for the future.
• Banks have a special form of funding liquidity risk because their business involves creating maturity and funding mismatches. One example of a mismatch is that banks take in short-term deposits and lend the money out for the longer term at a higher rate of interest. Sound asset/liability management (ALM), therefore, lies at the heart of the banking business to help reduce the risk.There are various techniques involved in ALM, including gap and duration analyses.
• Of course, banks sometimes get it wrong, with disastrous consequences. Many of the banks that failed during the 2007-2009 global financial crisis had built up large maturitymismatches and were vulnerable to the wholesale funding market’s perception of their creditworthiness.
• Market liquidity risk, sometimes known as trading liquidity risk, is the risk that a firm will not be able to complete a transaction at the current market price due to the non-availability of a counterparty to trade with. It is the risk of a loss in asset value when markets temporarily seize up. If market participants cannot, or will not, take part in the market, this may force a seller to accept an abnormally low price, or take away the seller’s ability to turn an asset into cash and funding at any price. Market liquidity risk can translate into funding liquidity risk overnight in the case of banking institutions too dependent on raising funds in fragile wholesale markets.
• It can be very difficult to measure market liquidity risk. Measures of market liquidity in a normal market, for example, might look at the number or volume of transactions and at the spread between the bid-ask price. However, these are not necessarily good indicators that a market will remain liquid during a time of crisis.

Operational Risk

• Operational risk is the risk of incurring losses due to operational issues like technology problems, faulty controls, fraud, management failure, human errors, natural and manmade disasters, etc. It can be defined as the “risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.” It includes legal risk, but excludes business, strategic, and reputational risk.  This is a deliberately broad definition, and it includes everything from anti-money laundering risk and cyber risk to risks of terrorist attacks and rogue trading. The outbreaks of rogue trading in the 1990s helped persuade regulators to include operational risk in bank capital calculations.
• Looking beyond the banking industry, we might include many corporate disasters under the operational risk umbrella. These include physical operational mishaps and corporate governance scandals, such as the crisis at energy giant Enron in 2001. The management of operational risk is the primary day-to-day concern for many risk managers outside the financial industry, often through insurance strategies.
• The definition and measurement of operational risk continues to be problematic, however, especially in the financial industry.

Business And Strategic Risk

• Business Risks are the traditional risks of running a business, which centers around the profits of the company, and hence affect the income statement. Business risks lie at the heart of any business and includes all the usual worries of firms, such as customer demand, pricing decisions, supplier negotiations, and managing product innovation. Business risk is affected by factors such as the nature of the firm’s strategy and/or its reputation.
• Strategic risk involves making large, long-term decisions about the firm’s direction, often accompanied by major investments of capital, human resources, and management reputation. It can arise from making poor business decisions, or their faulty executions, from improper resource allocation, or due to lack of adaptability in the changing economic conditions.
• Business and strategic risks consume much of the attention of management in non-financial firms, and they are clearly also a key concern in financial firms. However, it is not obvious how they relate to the other risks that we discuss or fit within each firm’s risk management framework. A sudden fall in customer demand, the failure to launch the right kind of new product, or a misplaced major capital investment can threaten a firm’s survival. Responsibility for these risks lies with the firm’s general management.

Business And Strategic Risk– Examples

• Political Risk
• Talent Management Risk
• Strategy Forecast Risk
• Innovation Risk
• Competitive Risk
• Merger & Acquisition Risk

Reputation Risk

• Reputation risk is the danger that a firm will suffer a sudden fall in its market standing or brand with economic consequences, for example, through losing customers or counterparties. It can be divided into two classes –belief that entity is capable and willing to meet obligationsbelief that the entity is fair and ethical
• Reputation risk usually comes about through a failure in another area of risk management that damages confidence in the firm’s financial soundness or its reputation for fair dealing.  For example, a large failure in credit risk management can lead to rumors about a bank’s financial soundness. Rumors can be fatal in themselves. Investors and depositors may begin to withdraw support in the expectation that others will also withdraw support. Banks need to have plans in place for how they can reassure markets and shore up their reputations. A reputation for fair dealing is also critical. Large firms are expected to behave in certain ways. If a firm misrepresents a product’s risks, it can lose important customers.
• Reputation with regulators is particularly important to financial institutions. A bank that loses the trust of a regulator may find its activities criticized and then curtailed.

The Risk Management Process

The first building block is the classic risk management process

• During this process, the risk manager attempts to identify the risk, analyze the risk, assesses the effects of any risk event, and finally manage the risk.

• The first steps toward risk identification and triage take some classic forms.
  • Brainstorming
  • Structured interviews, questionnaires, and surveys
  • Industry resources
  • Loss data analysis
  • Basic risk triage
  • Hypothetical what-if analysis
  • Front line observation
  • Following the trail
• The identity of the risk can be just as important as its size in determining the appropriate risk management strategy. Across the corporate world, some risks are regarded as natural to a business and others as quite foreign. Manufacturers, for example, often accept and manage the operational risks of complex factory processes but try to avoid or transfer large market or credit risks. Investors often react badly to mishaps concerning risk types they believe are unnatural to a firm (e.g., a loss from a speculative derivatives position held by a non-financial corporation).
• The risk management process culminates in a series of choices that both manage risk and help to define the identity and purpose of the firm.
  • Avoid Risk: There are risks that can be sidestepped by discontinuing the business or pursuing it using a different strategy. For example, selling into certain markets, or off-shoring production, might be avoided to minimize political or foreign exchange risks.
  • Retain Risk: There are risks that can be retained within the firm’s risk appetite. Large risks can be retained through mechanisms such as risk capital allocation, self-insurance, and captive insurance.
  • Mitigate Risk: There are risks that can be mitigated by reducing exposure, frequency, and severity (e.g., improved operational infrastructure can mitigate the frequency of some kinds of operational risk, hedging unwanted foreign currency exposure can mitigate market risk, and receiving collateral against a credit exposure can mitigate the severity of a potential default).
  • Transfer Risk: There are risks that can be transferred to a third party using derivative products, structured products, or by paying a premium (e.g., to an insurer or derivatives provider).
• As the risk taker improves its risk management strategy, it will begin to avoid or mitigate nonessential or value-destroying risk exposures, which in turn will allow it to assume more risk in areas where it can pursue more value-creating opportunities for its stakeholders. Investment in risk management thus allows farmers to grow more food, metals producers to produce more metal, and banks to lend more money. Risk management allows firms to excel.
• In modern economies, risk management is therefore not only about corporate survival. It is critically important to the broader processes of specialization, scaling, efficiency, and wealth creation.
• This explains why risk never really goes away. Risk management success is a platform for greater endeavors. The risk manager is constantly identifying, evaluating, and managing risks to achieve the right balance between creating value and exposing the firm to undue risk. However, identifying and analyzing risk in a fast-changing world remains a major challenge.

Identifying Risk – Knowns And Unknowns

• One of the easiest mistakes to make is to focus on risks that are known and measurable while ignoring those that are unknown or unquantifiable. This figure is the second building block which sets out a fundamental classification of known versus unknown risk.

• In his famous 1921 paper, Knight distinguished between variability that cannot be quantified at all, which he called uncertainty, and “true” risk that can be quantified in terms of statistical science.  Incalculable Knightian uncertainties can be very large and important. Nuclear war is a major threat to the world, but its chances of happening is impossible to estimate.
• Knightian uncertainties can be managed through avoidance and other forms of risk management. For difficult actions to be taken, there has to be agreement that the Knightian uncertainty is plausible and extremely threatening in terms of its severity (if unquantifiable in terms of frequency).
• The boundary between Knightian uncertainty and measurable, statistical risk can be fluid.
• Risk managers take responsibility for all sorts of risk, not just those that can be measured. They must continuously search for “unknown unknowns,” including risks that are hiding in plain sight. They cannot simply ignore Knightian uncertainties. In fact, they sometimes need to make sure their firms avoid or transfer them.
• Knightian uncertainties can be more severe and prevalent than they can be initially suspected.
• However, risk managers must never treat risks that cannot be measured as if they are a known quantity. Uncertainty and ambiguity must be acknowledged because they exist in much greater amounts for some risky activities than for others. Our confidence in a risk measure shapes how the result should be applied in decision-making.
• Identification of correct risks and finding efficient ways to transfer them is a big challenge. Risk Management is a zero-sum game if it involves only risk transfer, where winning parties gain at the expense of losing parties.

The Risk Management Process – Problems and Challenges

• Corporate governance failures lead to market disruptions and financial accounting frauds.
• Models and their role have led to a number of questions with no easy answers.
• Risk management has to be aligned with the overall business strategy.
• Use of complex financial instruments and trading strategies overstate financial position and understate risk.
• Availability, consistency and organization of data management is a major concern.
• Risk management has to ensure implementation of regulatory demands.
• Aggregation of different types of risk is difficult with the bottom-up approach.
• Risk should be distributed among participants who have the willingness and ability to take risk.

Quantitative Risk Metrics

• Value at Risk (VaR) estimates how much a set of investments might lose, in a given time period. For Example: if one-day VaR is $1 million at the 99% confidence level, it means that there is only a 1% probability that the loss will exceed $1 million on any given day. VaR is useful for liquid positions, operating under normal market conditions, and over short period of time.
• Economic capital is the amount of risk capital which is needed to secure survival in a worst-case scenario.
• Expected loss (EL) is the average loss a position taker might expect to incur from a position or portfolio. In theory, some portfolios attract losses that rarely depart far from this average. They might vary, for example, from year to year, but not by too much. In general, EL is a function of 1) the probability of the risk event occurring; 2) the firm’s exposure to the risk event; and 3) the severity of the loss if the risk event occurs. In the case of the credit risk of a loan, these become the borrower’s probability of default (PD); the bank’s exposure at default (EAD); and the severity of loss given default (LGD). Thus, EL is simply: EL = EAD×LGD×PD.

Quantitative Measures

• Scenario analysis is a what-if analysis in which a model’s output is calculated for a number of scenarios. It estimates the expected value of a portfolio after a given period of time, assuming changes in the risk factors which may not be quantified. These scenarios can range from very likely to implausible, but still possible.
• It also predicts what will happen to an investment given natural changes in the economy, allowing investors to be better informed about how these changes will affect them.
• The factors in a scenario analysis can range from interest rates and inflation to unemployment percentages and commodities costs, and these factors would depend on what the investor wants to know.
• Stress testing is a form of scenario analysis to determine the ability of a given entity to deal with an economic crisis. It considers an outcome based on some given stress on the entity

Risk Factor Breakdown And Interactions Between Factors

• It is important for risk analysts to break risk down into discrete risk factors (like PD, LGD, EAD, etc.) and understand how these risk factors might interact over time and under stress to generate losses.  In turn, each primary risk factor is driven by a more fundamental set of risk factors. For example, the probability of default by a firm may be driven by its strength or weakness in terms of key financial indicators, industry sector, management quality, etc.
• A key question concerns how granular each risk factor analysis should be. Ideally, risk managers would like to understand every significant risk factor and analyze each factor’s importance and dynamics through the data available. To score the risk factor, the risk manager may want to look at its sub-factors. For example, the credit risk variable of management quality may be driven by management’s years of experience. Sometimes the loss data that can be used to isolate and statistically examine the power of each risk variable may be limited in quantity, quality, or descriptive detail. Machine learning and massive cloud-based computational power may prove revolutionary in the identification of discrete risk factors.

Structural Change: From Tail Risk To Systemic Crisis

• Tail risk events might be rare, but a long enough time series of data should reveal evidence of their existence. Where data are scarce, modern risk management can sometimes apply statistical tail risk techniques, utilizing a branch of statistics called Extreme Value Theory (EVT) to help make tails more visible and to extract the most useful information.
• When the structure of a system changes, risk increases. Large loss events may suddenly increase in frequency or size. Risk factors might suddenly move in lockstep. In this case, more historical data won’t help and “once-in-100-year” events might happen once a decade until the structural problem is fixed, or proper risk management processes are adopted.  A change in events does not only affect tail risk – the amounts of EL and unexpected loss might change as well.
• An important recent example was the growth in subprime lending by US banks starting in the early 2000s and its role in the creation of the 2007–2009 global financial crisis. Unusual types of mortgages, such as interest-only mortgages, rose quickly from comprising a small fraction of total loans originated to a substantial share of all new mortgages. At the same time, the proportion of loans that were subprime also increased. Structural change – looking out for it and modeling its future effects-is the fifth building block of risk management.

Human Agency And Conflicts Of Interest

• Unlike natural systems, human systems are run by intelligent participants that can react to change in a self-reflective or even a calculating manner. Those that understand how risk is generated and managed are in the best position to game it. They also often have the least incentive to make the risk transparent: Why would they broadcast the potential for unexpected loss levels or tail risks? This is one reason many financial firms employ three lines of defense:
  • First line: Business line that generates, owns, and manages risk;
  • Second line: Risk managers that specialize in risk management and day-to-day oversight; and
  • Third line: Periodic independent oversight and assurance, such as an internal audit.
• The safeguards do not always work. Risk management systems always have loopholes and become obsolete quickly in the face of industry innovations. In a worrying number of rogue trading cases in the banking industry, the trader had first worked in the middle or back office and thus understood the loopholes in the risk management infrastructure. Sometimes traders and business leaders deliberately undermine the credibility of risk management systems. Understanding the role of human agency, self-interest, and conflict of interest, is the sixthbuilding block of risk management.

Risk Aggregation

• Given the many different types of risk and risk metrics, a key problem in risk management is the challenge of seeing the bigger picture.
• Market risk tends to be the most convenient to quantification and aggregation but controlling this risk factor is challenging. Historically, market risk exposures were largely compared in terms of the notional amount held in each asset (e.g., $20 million of a blue-chip stock). This was never satisfactory. Some stocks and industry sectors were historically more volatile in price than others. Making matters worse, it made no sense to use notional amounts to compare the risks taken by, for example, the US treasury trading desk and a desk dealing in a volatile commodity.
• The emergence of the derivatives markets in the 1970s made it crucial to improve market risk measures. The value and risk of derivatives are driven by factors only slightly related to the notional value of the instrument.  Portfolios of derivatives are often designed so that the individual instruments offset each other’s market risk. It therefore makes no sense to treat the aggregate notional amounts in the portfolio as an indicator of portfolio risk. Options trading specialists developed measures of risk, like delta (sensitivity of option value to a change in the value of the underlying) and theta (the change in option value as the option expirationdate approaches). These “Greeks” are invaluable risk measures on the options trading desk.
• The shortcomings of VaR were exposed more after the global financial crisis of 2007–2009. VaR only looks at the largest loss at a given likelihood threshold; it does not examine the size of losses beyond this threshold. For that reason, it is often said to ignore tail risk (i.e., the effect of very severe but rare events). After the global financial crisis of 2007–2009, various remedies for this were put forward. One of these was expected shortfall (ES), which is a statistical measure designed to quantify the mean risk in the tail of the distribution beyond the cut-off of the VaR measure. Bank regulators have tried to improve the way VaR is calculated, make its calculation across the industry more consistent and reliable, and strengthen the role of supplementary risk measures such as expected shortfall (ES) and worst-case scenario analysis.
• Banks and their regulators also turned to scenario stress testing and reverse stress testing. Scenario analysis and stress testing ignore the problem of measuring the frequency or probability of a rare event. Instead, they focus analytical resources on imagining a reasonably plausible worst-case scenario that may develop in stages over an extended period. The riskmanager develops the scenario-or is handed it by a regulator-and then analyzes theimpact of the event on the institution given its risk exposures and reactive capabilities. Scenario analysis and stress testing can be highly quantitative and involve complex modeling, but the numbers are all focused on assessing severity rather than frequency.  Reverse stress testing starts at the other end. The institution applies its modeling capabilities to work out how bad losses could get, then works backwards to try to understand how those losses were linked to its exposures and activities. How could the institution manage its activities to avoid the worst that might happen?
• The inherent drawbacks of VaR have encouraged risk managers to adopt a broader approach to risk metrics. Aggregate risk measures are useful in their place, but they inevitably fail to capture key dimensions of risk and must be supplemented with other approaches. Understanding risk aggregation and its strengths and weaknesses is the eighth risk management building block.

Balancing Risk And Reward

• In the banking industry, economic or risk capital is the amount of capital the firm requires based on its understanding of its economic risks. It is distinct from regulatory capital, which is calculated based on regulatory rules and methodologies. Economic capital and regulatory capital are sometimes in alignment, but often generate quite different numbers.
• Economic capital provides the firm with a conceptually satisfying way to balance risk and reward. For each activity, firms can compare the revenue and profit they are making from an activity to the amount of economic capital required to support that activity.
• To factor in the cost of risk of both expected and unexpected losses, the bank can apply a classic formula for risk-adjusted return on capital (𝑜𝑟𝑅𝐴𝑅O𝐶):
• Reward can be described in terms of After-Tax Risk-Adjusted Expected Return (adjusted for expected losses), and risk can be described in terms of economic capital. Hence
• For an activity/portfolio to add value to shareholders (and the stock price), RAROC should be higher than the cost of equity capital (i.e., the hurdle rate or minimum return on equity capital required by the shareholders to be fairly compensated for risk).
• There are many variants on the RAROC formula, applied across many different industries and institutions. Their level of sophistication varies but all have the same purpose: to adjust performance for risk. Four day-to-day applications stand out.
  • Business comparison: RAROC allows firms to compare the performance of business lines that require different amounts of economic capital.
  • Investment analysis: A firm typically uses the RAROC formula that uses projected numbers to assess likely returns from future investments (e.g., the decision to offer a new type of credit product).
  • Pricing strategies: The firm can re-examine its pricing strategy for different customer segments and products. For example, it may set prices too low to make risk-adjusted profit in one business segment, while in another it may reduce prices and increase market share.
  • Risk management cost/benefit analysis: RAROC analyses can help a firm compare the dollar cost of risk management (e.g., benefit from risk transfer via insurance)

Enterprise Risk Management (ERM) : More Than Adding Up Risk?

• One challenge to an effective firm-wide risk management process is that at many firms, each business division manages its own exposures independently without considering the risk exposures of other divisions. Financial risk managers have recognized that they must build a broad picture of risk across risk types and business lines: enterprise risk management (ERM), which is the tenth building block of risk management. ERM projects encourage firms to think about enterprise risk using tools such as a clear statement of corporate risk appetite and a more cohesive approach to risk management through global risk committees, and so on.
• Oftentimes, historic ERM efforts have over-focused on the need to express risk as a single number such as economic capital or VaR. Expressing risk as a single number was too simplistic an approach. Perhaps the biggest lesson of the 2008-2009 global financial crisis was that risk cannot be reduced to any single number.
• It is multi-dimensional, so it needs to be approached from many angles, using multiple methodologies.
• It develops and crosses risk types, so even a wide view of risk types – but at only one point in time – may miss the point.
• It demands expert judgment that is combined with application of statistical science.

Digital Risk Management

• According to a survey by McKinsey in 2017, the digital transformation of risk functions in financial institutions is occurring more slowly than the transformation of customer-facing operations. However, big changes are underway, including:
  • Drawing information from a wider set of sources to apply advanced analytics to measure risk, for example, applying big data analytics to credit and operational risks; 
  • Faster and real-time decision-making based on more automated risk processes, for example, automated corporate credit scoring; and
  • Greater productivity, as risk processes are engineered away from paper documents towards automated work flows, for example, for reviews of documentation.
• The survey found that there are big challenges involved with digitizing risk management in the form of legacy infrastructure, limited data, and the need for new digital skills. Data scientists have the critical skill set for digitized risk functions and may soon be in as much demand as “rocket scientist” risk modelers