
1.) What is Risk Management?

(according to ISO)

Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the
effect of uncertainty on objectives) followed by coordinated and economical application of resources to
minimize, monitor, and control the probability and/or impact of unfortunate events[1] or to maximize the
realization of opportunities.

Risks can come from uncertainty in financial markets, threats from project failures (at any phase in design,
development, production, or sustainment life-cycles), legal liabilities, credit risk, accidents, natural causes and
disasters as well as deliberate attack from an adversary, or events of uncertain or unpredictable root-cause.
Several risk management standards have been developed including the Project Management Institute,
the National Institute of Standards and Technology, actuarial societies, and ISO standards.[2][3] Methods,
definitions and goals vary widely according to whether the risk management method is in the context of
project management, security, engineering, industrial processes, financial portfolios, actuarial assessments,
or public health and safety.

The strategies to manage threats (uncertainties with negative consequences) typically include transferring
the threat to another party, avoiding the threat, reducing the negative effect or probability of the threat, or
even accepting some or all of the potential or actual consequences of a particular threat, and the opposites for
opportunities (uncertain future states with benefits).

Certain aspects of many of the risk management standards have come under criticism for having no
measurable improvement on risk, whereas the confidence in estimates and decisions seems to increase.[1] For
example, it has been shown that one in six IT projects experience cost overruns of 200% on average, and
schedule overruns of 70%.[4]

2.) Function of Risk Management

Traditionally, a firm’s risk management function ensured that the pure risks of losses were managed
appropriately. The risk manager was charged with the responsibility for specific risks only. Most activities
involved providing adequate insurance and implementing loss-control techniques so that the firm’s
employees and property remained safe. Thus, risk managers sought to reduce the firm’s costs of pure risks
and to initiate safety and disaster management.

Typically, the traditional risk management position has reported to the corporate treasurer. Handling risks
by self-insuring (retaining risks within the firm) and paying claims in-house requires additional personnel
within the risk management function. In a small company or sole proprietorship, the owner usually performs
the risk management function, establishing policy and making decisions. In fact, each of us manages our own
risks, whether we have studied risk management or not. Every time we lock our house or car, check the
wiring system for problems, or pay an insurance premium, we are performing the same functions as a risk
manager. Risk managers use agents or brokers to make smart insurance and risk management decisions
(agents and brokers are discussed in Chapter 7 "Insurance Operations").

The traditional risk manager’s role has evolved, and corporations have begun to embrace enterprise risk
management in which all risks are part of the process: pure, opportunity, and speculative risks. With this
evolution, firms created the new post of chief risk officer (CRO). The role of CROs expanded the traditional
role by integrating the firm’s silos, or separate risks, into a holistic framework. Risks cannot be
segregated—they interact and affect one another.

In addition to insurance and loss control, risk managers or CROs use specialized tools to keep cash flow
in-house, which we will discuss in Chapter 6 "The Insurance Solution and Institutions" and Chapter 7
"Insurance Operations". Captives are separate insurance entities under the corporate structure—mostly for
the exclusive use of the firm itself. CROs oversee the increasing reliance on capital market instruments to
hedge risk. They also address the entire risk map—a visual tool used to consider alternatives of the risk
management tool set—in the realm of nonpure risks. For example, a cereal manufacturer, dependent upon a
steady supply of grain used in production, may decide to enter into fixed-price long-term contractual
arrangements with its suppliers to avoid the risk of price fluctuations. The CRO or the financial risk
managers take responsibility for these trades. They also create the risk management guideline for the firm
that usually includes the following:

• Writing a mission statement for risk management in the organization
• Communicating with every section of the business to promote safe behavior
• Identifying risk management policy and processes
• Pinpointing all risk exposures (what “keeps employees awake at night”)
• Assessing risk management and financing alternatives as well as external conditions in the insurance
markets
• Allocating costs
• Negotiating insurance terms
• Adjusting claims in self-insuring firms
• Keeping accurate records

Writing risk management manuals sets up the process of identification, monitoring, assessment, evaluation,
and adjustments.

In larger organizations, the risk manager or CRO has differing authority depending upon the policy that top
management has adopted. Policy statements generally outline the dimensions of such authority. Risk
managers may be authorized to make decisions in routine matters but restricted to making only
recommendations in others. For example, the risk manager may recommend that the costs of employee
injuries be retained rather than insured, but a final decision of such magnitude would be made by top
management.

3.) Role of Risk Management

The implementation of strong and effective risk management and controls within securities firms promotes
stability throughout the entire financial system. Specifically, internal risk management controls provide four
important functions:

o to protect the firm against market, credit, liquidity, operational, and legal risks;
o to protect the financial industry from systemic risk;
o to protect the firm's customers from large non-market related losses (e.g., firm failure,
misappropriation, fraud, etc.); and
o to protect the firm and its franchise from suffering adversely from reputational risk.

Sound and effective risk management and controls promote both securities firm and industry stability which,
in turn, inspires confidence in the investing public and counterparties. Securities firms have economic and
commercial incentives to employ strong risk management internal control systems. Without such controls, a
firm is vulnerable to risk.

4.) Treatments

Risk treatment involves identifying the range of options for treating risk, assessing those options, preparing
risk treatment plans and implementing them.

The options available for the treatment of risks include:

• Retain/accept the risk - if, after controls are put in place, the remaining risk is deemed acceptable to the
organisation, the risk can be retained. However, plans should be put in place to manage/fund the
consequences of the risk should it occur.

• Reduce the Likelihood of the risk occurring - by preventative maintenance, audit & compliance programs,
supervision, contract conditions, policies & procedures, testing, investment & portfolio management,
training of staff, technical controls and quality assurance programs etc.

• Reduce the Consequences of the risk occurring - through contingency planning, contract conditions,
disaster recovery & business continuity plans, off-site back-up, public relations, emergency procedures
and staff training etc.

• Transfer the risk - this involves another party bearing or sharing some part of the risk by the use of
contracts, insurance, outsourcing, joint ventures or partnerships etc.

• Avoid the risk - decide not to proceed with the activity likely to generate the risk, where this is
practicable.

5.) Specific types of Risk

Systematic Risk - Systematic risk influences a large number of assets. A significant political event,
for example, could affect several of the assets in your portfolio. It is virtually impossible to protect
yourself against this type of risk.

Unsystematic Risk - Unsystematic risk is sometimes referred to as "specific risk". This kind of risk
affects a very small number of assets. An example is news that affects a specific stock such as a
sudden strike by employees. Diversification is the only way to protect yourself from unsystematic
risk. (We will discuss diversification later in this tutorial).

Now that we've determined the fundamental types of risk, let's look at more specific types of risk,
particularly when we talk about stocks and bonds.

Credit or Default Risk - Credit risk is the risk that a company or individual will be unable to pay the
contractual interest or principal on its debt obligations. This type of risk is of particular concern to
investors who hold bonds in their portfolios. Government bonds, especially those issued by the
federal government, have the least amount of default risk and the lowest returns, while corporate
bonds tend to have the highest amount of default risk but also higher interest rates. Bonds with a
lower chance of default are considered to be investment grade, while bonds with higher chances are
considered to be junk bonds. Bond rating services, such as Moody's, allow investors to determine
which bonds are investment-grade, and which bonds are junk. (To read more, see Junk Bonds:
Everything You Need To Know, What Is A Corporate Credit Rating and Corporate Bonds: An
Introduction To Credit Risk.)

Country Risk - Country risk refers to the risk that a country won't be able to honor its financial
commitments. When a country defaults on its obligations, this can harm the performance of all other
financial instruments in that country as well as other countries it has relations with. Country risk
applies to stocks, bonds, mutual funds, options and futures that are issued within a particular
country. This type of risk is most often seen in emerging markets or countries that have a severe
deficit. (For related reading, see What Is An Emerging Market Economy?)

Foreign-Exchange Risk - When investing in foreign countries you must consider the fact that
currency exchange rates can change the price of the asset as well. Foreign-exchange risk applies to all
financial instruments that are in a currency other than your domestic currency. As an example, if you
are a resident of America and invest in some Canadian stock in Canadian dollars, even if the share
value appreciates, you may lose money if the Canadian dollar depreciates in relation to the American
dollar.

Interest Rate Risk - Interest rate risk is the risk that an investment's value will change as a result of
a change in interest rates. This risk affects the value of bonds more directly than stocks. (To learn
more, read How Interest Rates Affect The Stock Market.)

Political Risk - Political risk represents the financial risk that a country's government will suddenly
change its policies. This is a major reason why developing countries lack foreign investment.

Market Risk - This is the most familiar of all risks. Also referred to as volatility, market risk is the
day-to-day fluctuations in a stock's price. Market risk applies mainly to stocks and options. As a
whole, stocks tend to perform well during a bull market and poorly during a bear market - volatility
is not so much a cause but an effect of certain market forces. Volatility is a measure of risk because it
refers to the behavior, or "temperament", of your investment rather than the reason for this
behavior. Because market movement is the reason why people can make money from stocks,
volatility is essential for returns, and the more unstable the investment the more chance there is that
it will experience a dramatic change in either direction.

6.) Process of Risk Management

The Risk Management Process

A typical risk management function includes the steps listed above: identifying risks, assessing them,
forecasting future frequency and severity of losses, mitigating risks, finding risk mitigation solutions,
creating plans, conducting cost-benefit analyses, and implementing programs for loss control and insurance.
For each property risk exposure, for example, the risk manager would adopt the following or similar
processes:

• Finding all properties that are exposed to losses (such as real property like land, buildings, and other
structures; tangible property like furniture and computers; and intangible personal property like
trademarks)
• Evaluating the potential causes of loss that can affect the firm’s property, including natural disasters (such
as windstorms, floods, and earthquakes); accidental causes (such as fires, explosions, and the collapse of
roofs under snow); and many other causes noted in Chapter 1 "The Nature of Risk: Losses and
Opportunities"
• Evaluating property value by different methods, such as book value, market value, reproduction cost, and
replacement cost
• Evaluating the firm’s legal interest in each of the properties—whether each property is owned or leased
• Identifying the actual loss exposure in each property using loss histories (frequency and severity),
accounting records, personal inspections, flow charts, and questionnaires
• Computing the frequency and severity of losses for each of the property risk exposures based on loss data
• Forecasting future losses for each property risk exposure
• Creating a specific risk map for all property risk exposures based on forecasted frequency and severity
• Developing risk management alternative tools (such as loss-control techniques) based upon cost-benefit
analysis or insurance
• Comparing the existing solutions to potential solutions (traditional and nontraditional)—uses of risk
maps
• Communicating the solutions with the whole organization by creating reporting techniques, feedback, and
a path for ongoing execution of the whole process
• The process is very similar to any other business process.

7.) Approaches

The Risk Management Process

A typical risk management function includes the steps listed above: identifying risks, assessing them,
forecasting future frequency and severity of losses, mitigating risks, finding risk mitigation solutions,
creating plans, conducting cost-benefit analyses, and implementing programs for loss control and insurance.
For each property risk exposure, for example, the risk manager would adopt the following or similar
processes:

• Finding all properties that are exposed to losses (such as real property like land, buildings, and other
structures; tangible property like furniture and computers; and intangible personal property like
trademarks)
• Evaluating the potential causes of loss that can affect the firm’s property, including natural disasters (such
as windstorms, floods, and earthquakes); accidental causes (such as fires, explosions, and the collapse of
roofs under snow); and many other causes noted in Chapter 1 "The Nature of Risk: Losses and
Opportunities"
• Evaluating property value by different methods, such as book value, market value, reproduction cost, and
replacement cost
• Evaluating the firm’s legal interest in each of the properties—whether each property is owned or leased
• Identifying the actual loss exposure in each property using loss histories (frequency and severity),
accounting records, personal inspections, flow charts, and questionnaires
• Computing the frequency and severity of losses for each of the property risk exposures based on loss data
• Forecasting future losses for each property risk exposure
• Creating a specific risk map for all property risk exposures based on forecasted frequency and severity
• Developing risk management alternative tools (such as loss-control techniques) based upon cost-benefit
analysis or insurance
• Comparing the existing solutions to potential solutions (traditional and nontraditional)—uses of risk
maps
• Communicating the solutions with the whole organization by creating reporting techniques, feedback, and
a path for ongoing execution of the whole process
• The process is very similar to any other business process.
