7/28/2019 ERM Final Notes
http://slidepdf.com/reader/full/erm-final-notes 1/41
Unit 1:
Enterprise risk management
Enterprise risk management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a
framework for risk management, which typically involves identifying particular events or circumstances
relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and
magnitude of impact, determining a response strategy, and monitoring progress. By identifying and
proactively addressing risks and opportunities, business enterprises protect and create value for their
stakeholders, including owners, employees, customers, regulators, and society overall. (ERM)
ERM can also be described as a risk-based approach to managing an enterprise, integrating concepts
of internal control, the Sarbanes-Oxley Act, and strategic planning. ERM is evolving to address the needs of
various stakeholders, who want to understand the broad spectrum of risks facing complex organizations to
ensure they are appropriately managed. Regulators and debt rating agencies have increased their scrutiny on
the risk management processes of companies.
Enterprise Risk Management Defined
Enterprise risk management deals with risks and opportunities affecting value creation or preservation
defined as follows:
"Enterprise risk management is a process, effected by an entity's board of directors, management and other
personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may
affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the
achievement of entity objectives."
The definition reflects certain fundamental concepts. Enterprise risk management is:
• A process, ongoing and flowing through an entity
• Effected by people at every level of an organization
• Applied in strategy setting
• Applied across the enterprise, at every level and unit, and includes taking an entity level portfolio view of
risk
• Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its
risk appetite
• Able to provide reasonable assurance to an entity's management and board of directors
• Geared to achievement of objectives in one or more separate but overlapping categories
This definition is purposefully broad. It captures key concepts fundamental to how companies and other
organizations manage risk, providing a basis for application across organizations, industries, and sectors. It
focuses directly on achievement of objectives established by a particular entity and provides a basis for
defining enterprise risk management effectiveness.
Achievement of Objectives
Within the context of an entity's established mission or vision, management establishes strategic objectives,
selects strategy, and sets aligned objectives cascading through the enterprise. This enterprise risk
management framework is geared to achieving an entity's objectives, set forth in four categories:
• Strategic – high-level goals, aligned with and supporting its mission
• Operations – effective and efficient use of its resources
• Reporting – reliability of reporting
• Compliance – compliance with applicable laws and regulations.
This categorization of entity objectives allows a focus on separate aspects of enterprise risk management.
These distinct but overlapping categories – a particular objective can fall into more than one category –
address different entity needs and may be the direct responsibility of different executives. This
categorization also allows distinctions between what can be expected from each category of objectives.
Another category, safeguarding of resources, used by some entities, is also described.
Because objectives relating to reliability of reporting and compliance with laws and regulations are within
the entity's control, enterprise risk management can be expected to provide reasonable assurance of
achieving those objectives. Achievement of strategic objectives and operations objectives, however, is
subject to external events not always within the entity's control; accordingly, for these objectives, enterprise
risk management can provide reasonable assurance that management, and the board in its oversight role, are
made aware, in a timely manner, of the extent to which the entity is moving toward achievement of the objectives.
Components of Enterprise Risk Management
Enterprise risk management consists of eight interrelated components. These are derived from the way
management runs an enterprise and are integrated with the management process. These components are:
• Internal Environment – The internal environment encompasses the tone of an organization, and sets the
basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and
risk appetite, integrity and ethical values, and the environment in which they operate.
• Objective Setting – Objectives must exist before management can identify potential events affecting their
achievement. Enterprise risk management ensures that
management has in place a process to set objectives and that the chosen objectives support and align with
the entity's mission and are consistent with its risk appetite.
• Event Identification – Internal and external events affecting achievement of an entity's objectives must be
identified, distinguishing between risks and opportunities. Opportunities are channeled back to
management's strategy or objective-setting processes.
• Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis for determining how
they should be managed. Risks are assessed on an inherent and a residual basis.
• Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk –
developing a set of actions to align risks with the entity's risk tolerances and risk appetite.
• Control Activities – Policies and procedures are established and implemented to help ensure the risk
responses are effectively carried out.
• Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also
occurs in a broader sense, flowing down, across, and up the entity.
• Monitoring – The entirety of enterprise risk management is monitored and modifications made as
necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or
both.
Enterprise risk management is not strictly a serial process, where one component affects only the next.
It is a multidirectional, iterative process in which almost any component can and does influence another.
as proceeding across the two dimensions of risk type and risk management processes.[1] The risk types and
examples include:
Hazard risk - liability torts, property damage, natural catastrophe
Financial risk - pricing risk, asset risk, currency risk, liquidity risk
Operational risk - customer satisfaction, product failure, integrity, reputational risk
Strategic risks - competition, social trend, capital availability.
The risk management process involves
1. Establishing Context: This includes an understanding of the current conditions in which the
organization operates on an internal, external and risk management context.
2. Identifying Risks: This includes the documentation of the material threats to the organization's
achievement of its objectives and the representation of areas that the organization may exploit for
competitive advantage.
3. Analyzing/Quantifying Risks: This includes the calibration and, if possible, creation of probability
distributions of outcomes for each material risk.
4. Integrating Risks: This includes the aggregation of all risk distributions, reflecting correlations and
portfolio effects, and the formulation of the results in terms of impact on the organization's key
performance metrics.
5. Assessing/Prioritizing Risks: This includes the determination of the contribution of each risk to the
aggregate risk profile, and appropriate prioritization.
6. Treating/Exploiting Risks: This includes the development of strategies for controlling and exploiting
the various risks.
7. Monitoring and Reviewing: This includes the continual measurement and monitoring of the risk
environment and the performance of the risk management strategies.
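Steps 3 to 5 of the process above are the quantitative core: a distribution per risk, aggregation that reflects correlations and portfolio effects, and each risk's contribution to the aggregate. The following is an added worked example (not from the original notes) using a constructed three-risk inventory with assumed correlations; it summarizes each distribution by an expected loss and a standard deviation, aggregates them, and allocates the aggregate back to the risks by Euler allocation.

```python
"""Added worked example (not from the original notes) for steps 3-5 of the
risk management process above: each material risk gets a distribution
summarized by an expected loss and a standard deviation (step 3), the risks
are aggregated with a correlation matrix so portfolio effects appear
(step 4), and each risk's share of the aggregate is computed by Euler
allocation to support prioritization (step 5). All figures are constructed."""
import math

# Constructed sample risk inventory: name -> (expected loss, standard deviation),
# in the same money units (say, millions).
RISKS = {
    "credit": (10.0, 8.0),
    "market": (5.0, 6.0),
    "operational": (3.0, 4.0),
}

# Constructed pairwise correlations; unlisted pairs are treated as uncorrelated.
CORRELATION = {
    ("credit", "market"): 0.5,
    ("credit", "operational"): 0.2,
    ("market", "operational"): 0.1,
}


def rho(a, b, corr=CORRELATION):
    """Correlation between risks a and b (1.0 on the diagonal, symmetric)."""
    if a == b:
        return 1.0
    return corr.get((a, b), corr.get((b, a), 0.0))


def expected_loss(risks=RISKS):
    """Expected aggregate loss: means add regardless of correlation."""
    return sum(mean for mean, _ in risks.values())


def aggregate_std(risks=RISKS, corr=CORRELATION):
    """Step 4: sigma_total = sqrt(sum over i,j of rho_ij * sigma_i * sigma_j)."""
    variance = 0.0
    for a, (_, sig_a) in risks.items():
        for b, (_, sig_b) in risks.items():
            variance += rho(a, b, corr) * sig_a * sig_b
    return math.sqrt(variance)


def diversification_benefit(risks=RISKS, corr=CORRELATION):
    """How much smaller the aggregate sigma is than the plain sum of stand-alone
    sigmas; zero only when every pair is perfectly correlated."""
    return sum(sig for _, sig in risks.values()) - aggregate_std(risks, corr)


def contributions(risks=RISKS, corr=CORRELATION):
    """Step 5: Euler allocation, contribution_i = sigma_i * sum_j rho_ij sigma_j / sigma_total.
    The contributions add up exactly to aggregate_std, so each one is the
    risk's share of the aggregate profile after portfolio effects."""
    total = aggregate_std(risks, corr)
    return {
        a: sig_a * sum(rho(a, b, corr) * sig_b for b, (_, sig_b) in risks.items()) / total
        for a, (_, sig_a) in risks.items()
    }


def prioritized(risks=RISKS, corr=CORRELATION):
    """Risk names ordered by contribution to the aggregate, largest first."""
    contrib = contributions(risks, corr)
    return sorted(contrib, key=contrib.get, reverse=True)


if __name__ == "__main__":
    print(f"expected aggregate loss: {expected_loss():.2f}")
    print(f"aggregate sigma: {aggregate_std():.2f} "
          f"(diversification benefit {diversification_benefit():.2f})")
    for name in prioritized():
        print(f"  {name:12s} contributes {contributions()[name]:.2f}")
```

Raising every correlation to 1.0 makes the aggregate equal the plain sum of the stand-alone figures, which is the "no portfolio effect" case the text's step 4 is meant to avoid overstating.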
The COSO ERM Framework has eight Components and four objectives categories. It is an expansion of
the COSO Internal Control-Integrated Framework published in 1992 and amended in 1994. The eight
components - additional components highlighted - are:
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information and Communication
Monitoring
The four objectives categories - additional components highlighted - are:
Strategy - high-level goals, aligned with and supporting the organization's mission
Operations - effective and efficient use of resources
Financial Reporting - reliability of operational and financial reporting
Compliance - compliance with applicable laws and regulations
Implementing an ERM program
Goals of an ERM program
Organizations by nature manage risks and have a variety of existing departments or functions ("risk
functions") that identify and manage particular risks. However, each risk function varies in capability and
how it coordinates with other risk functions. A central goal and challenge of ERM is improving this
capability and coordination, while integrating the output to provide a unified picture of risk for stakeholders and improving the organization's ability to manage the risks effectively.
Typical risk functions
The primary risk functions in large corporations that may participate in an ERM program typically
include:
Strategic planning - identifies external threats and competitive opportunities, along with strategic
initiatives to address them
Marketing - understands the target customer to ensure product/service alignment with customer
requirements
Compliance & Ethics - monitors compliance with code of conduct and directs fraud investigations
Accounting / Financial compliance - directs the Sarbanes-Oxley Section 302 and 404 assessment, which
identifies financial reporting risks
Law Department - manages litigation and analyzes emerging legal trends that may impact the
organization
Insurance - ensures the proper insurance coverage for the organization
Treasury - ensures cash is sufficient to meet business needs, while managing risk related to commodity
pricing or foreign exchange
Operational Quality Assurance - verifies operational output is within tolerances
Operations management - ensures the business runs day-to-day and that related barriers are surfaced for
resolution
Credit - ensures any credit provided to customers is appropriate to their ability to pay
Customer service - ensures customer complaints are handled promptly and root causes are reported to
operations for resolution
Internal audit - evaluates the effectiveness of each of the above risk functions and recommends
improvements
Common challenges in ERM implementation
Various consulting firms offer suggestions for how to implement an ERM program.[5] Common topics and
challenges include:
Identifying executive sponsors for ERM.
Establishing a common risk language or glossary.
Describing the entity's risk appetite (i.e., risks it will and will not take)
Identifying and describing the risks in a "risk inventory".
Implementing a risk-ranking methodology to prioritize risks within and across functions.
Establishing a risk committee and/or Chief Risk Officer (CRO) to coordinate certain activities of the risk
functions.
Establishing ownership for particular risks and responses.
Demonstrating the cost-benefit of the risk management effort.
Developing action plans to ensure the risks are appropriately managed.
Developing consolidated reporting for various stakeholders.
Monitoring the results of actions taken to mitigate risk.
Ensuring efficient risk coverage by internal auditors, consulting teams, and other evaluating entities.
Developing a technical ERM framework that enables secure participation by 3rd parties and remote
employees.
Current issues in ERM
The risk management processes of U.S. corporations are under increasing regulatory and
private scrutiny. Risk is an essential part of any business. Properly managed, it drives growth and
opportunity. Executives struggle with business pressures that may be partly or completely beyond their
immediate control, such as distressed financial markets; mergers, acquisitions and restructurings; disruptive
technology change; geopolitical instabilities; and the rising price of energy.
1. Sarbanes-Oxley Act requirements
Section 404 of the Sarbanes-Oxley Act of 2002 required U.S. publicly traded corporations to
utilize a control framework in their internal control assessments. Many opted for the COSO Internal
Control Framework, which includes a risk assessment element. In addition, new guidance issued by
the Securities and Exchange Commission (SEC) and PCAOB in 2007 placed increasing scrutiny on top-
down risk assessment and included a specific requirement to perform a fraud risk assessment.[8] Fraud risk
assessments typically involve identifying scenarios of potential (or experienced) fraud, related exposure to
the organization, related controls, and any action taken as a result.
2. NYSE corporate governance rules
The New York Stock Exchange requires the Audit Committees of its listed companies to
"discuss policies with respect to risk assessment and risk management." The related commentary continues
"While it is the job of the CEO and senior management to assess and manage the company's exposure to
risk, the audit committee must discuss guidelines and policies to govern the process by which this is handled.
The audit committee should discuss the company's major financial risk exposures and the steps management
has taken to monitor and control such exposures. The audit committee is not required to be the sole body
responsible for risk assessment and management, but, as stated above, the committee must discuss guidelines
and policies to govern the process by which risk assessment and management is undertaken. Many
companies, particularly financial companies, manage and assess their risk through mechanisms other than the
audit committee. The processes these companies have in place should be reviewed in a general manner by the
audit committee, but they need not be replaced by the audit committee."
ERM and corporate debt ratings
Standard & Poor's (S&P), the debt rating agency, plans to include a series of questions about
risk management in its company evaluation process. This will roll out to financial companies in 2007. The
results of this inquiry are one of the many factors considered in debt rating, which has a corresponding impact
on the interest rates lenders charge companies for loans or bonds. On May 7, 2008, S&P also announced that
it would begin including an ERM assessment in its ratings for non-financial companies starting in 2009, with
initial comments in its reports during Q4 2008.
ISO 31000 : the new International Risk Management Standard
ISO 31000 is an International Standard for Risk Management which was published on 13
November 2009. An accompanying standard, ISO 31010 - Risk Assessment Techniques, soon followed
publication (December 1, 2009) together with the updated Risk Management vocabulary ISO Guide 73.
Companies Increasingly Focusing on ERM
It is clear that companies recognize ERM as a critical management issue. This is demonstrated through the
prominence assigned to ERM within organizations and the resources devoted to building ERM capabilities.
In a 2008 survey by Towers Perrin,[22] at most life insurance companies, responsibility for ERM resides
within the C-suite. Most often, the chief risk officer (CRO) or the chief financial officer (CFO) is in charge
of ERM, and these individuals typically report directly to the chief executive officer. From their vantage
point, the CRO and CFO are able to look across the organization and develop a perspective on the risk
profile of the firm and how that profile matches its risk appetite. They act as drivers to improve skills, tools
and processes for evaluating risks and to weigh various actions to manage those exposures. Companies are
also actively enhancing their ERM tools and capabilities. Three quarters of responding companies said they
have tools for specifically monitoring and managing enterprise-wide risk. These tools are used primarily for
identifying and measuring risk and for management decision making. Respondents also reported that they
have made good progress in building their ERM capabilities in certain areas.
In this study, more than 80% of respondents reported that they currently have adequate or
better controls in place for most major risks. In addition, about 60% currently have a coordinated process for
risk governance and include risk management in decision making to optimize risk adjusted returns.
In another survey conducted in May and June 2008, against the backdrop of the developing financial crisis,
six major findings came to light regarding risk and capital management among insurers worldwide:[23]
Embedding ERM is proving to be a significant challenge
Company size matters
European insurers are better positioned
ERM is influencing important strategic decisions
Economic capital standards are gaining ground
Operational risk remains a weak spot
BASEL:
Basel I is the round of deliberations by central bankers from around the world, and in 1988, the Basel
Committee on Banking Supervision (BCBS) in Basel, Switzerland, published a set of minimum capital
requirements for banks. This is also known as the 1988 Basel Accord, and was enforced by law in
the Group of Ten (G-10) countries in 1992. Basel I is now widely viewed as outmoded. Indeed, the
world has changed as financial conglomerates, financial innovation and risk management have
developed. Therefore, a more comprehensive set of guidelines, known as Basel II, is in the process of
implementation by several countries. New updates, Basel III, were developed in response to
the financial crisis.
Basel I, that is, the 1988 Basel Accord, primarily focused on credit risk. Assets of banks were classified and
grouped in five categories according to credit risk, carrying risk weights of zero (for example home
country sovereign debt), ten, twenty, fifty, and up to one hundred percent (this category has, as an example,
most corporate debt). Banks with international presence are required to hold capital equal to 8% of the risk-
weighted assets. The creation of the credit default swap after the Exxon Valdez incident helped large banks
hedge lending risk and allowed banks to lower their own risk to lessen the burden of these onerous
restrictions.
Since 1988, this framework has been progressively introduced in member countries of the G-10, currently
comprising 13 countries, namely Belgium, Canada, France, Germany, Italy, Japan, Luxembourg, Netherlands,
Spain, Sweden, Switzerland, United Kingdom and the United States of America.
Basel II is the second of the Basel Accords, (now extended and effectively superseded by Basel III), which
are recommendations on banking laws and regulations issued by the Basel Committee on Banking
Supervision.
Basel II, initially published in June 2004, was intended to create an international standard for banking
regulators to control how much capital banks need to put aside to guard against the types of financial and
operational risks banks (and the whole economy) face. One focus was to maintain sufficient consistency of
regulations so that this does not become a source of competitive inequality amongst internationally active
banks. Advocates of Basel II believed that such an international standard could help protect the international
financial system from the types of problems that might arise should a major bank or a series of banks
collapse. In theory, Basel II attempted to accomplish this by setting up risk and capital management
requirements designed to ensure that a bank has adequate capital for the risk the bank exposes itself to
through its lending and investment practices. Generally speaking, these rules mean that the greater risk to
which the bank is exposed, the greater the amount of capital the bank needs to hold to safeguard
its solvency and overall economic stability.
Politically, it was difficult to implement Basel II in the regulatory environment prior to 2008, and progress was
generally slow until that year's major banking crisis caused mostly by credit default swaps, mortgage-backed
security markets and similar derivatives. As Basel III was negotiated, this was top of mind, and
accordingly much more stringent standards were contemplated, and quickly adopted in some key countries
including the USA.
Objective
The final version aims at:
1. Ensuring that capital allocation is more risk sensitive;
2. Enhance disclosure requirements which will allow market participants to assess the capital adequacy
of an institution;
3. Ensuring that credit risk, operational risk and market risk are quantified based on data and formal
techniques;
4. Attempting to align economic and regulatory capital more closely to reduce the scope for regulatory
arbitrage.
The accord in operation
Basel II uses a "three pillars" concept –
(1) Minimum capital requirements (addressing risk),
(2) Supervisory review and
(3) Market discipline.
The Basel I accord dealt with only parts of each of these pillars. For example: with respect to the first Basel
II pillar, only one risk, credit risk, was dealt with in a simple manner, while market risk was an afterthought;
operational risk was not dealt with at all.
The first pillar
The first pillar deals with maintenance of regulatory capital calculated for three major components of risk
that a bank faces: credit risk, operational risk, and market risk. Other risks are not considered fully
quantifiable at this stage.
The credit risk component can be calculated in three different ways of varying degree of sophistication,
namely standardized approach, Foundation IRB, Advanced IRB and General IB2 Restriction. IRB stands for
"Internal Rating-Based Approach".
For operational risk, there are three different approaches – basic indicator approach or BIA, standardized
approach or STA, and the internal measurement approach (an advanced form of which is the advanced
measurement approach or AMA).
For market risk the preferred approach is VaR (value at risk).
As the Basel II recommendations are phased in by the banking industry it will move from standardized
requirements to more refined and specific requirements that have been developed for each risk category by
each individual bank. The upside for banks that do develop their own bespoke risk measurement systems is
that they will be rewarded with potentially lower risk capital requirements. In future there will be closer links
between the concepts of economic and regulatory capital.
The second pillar
The second pillar deals with the regulatory response to the first pillar, giving regulators much improved
'tools' over those available to them under Basel I. It also provides a framework for dealing with all the other
risks a bank may face, such as systemic risk, pension risk, concentration risk, strategic risk, reputational
risk, liquidity risk and legal risk, which the accord combines under the title of residual risk. It gives banks a power to review their risk management system.
It is the Internal Capital Adequacy Assessment Process (ICAAP) that is the result of Pillar II of the Basel II
accords.
The third pillar
This pillar aims to complement the minimum capital requirements and supervisory review process by
developing a set of disclosure requirements which will allow the market participants to gauge the capital
adequacy of an institution.
Market discipline supplements regulation as sharing of information facilitates assessment of the bank by
others, including investors, analysts, customers, other banks, and rating agencies, which leads to good
corporate governance. The aim of Pillar 3 is to allow market discipline to operate by requiring institutions to
disclose details on the scope of application, capital, risk exposures, risk assessment processes, and the
capital adequacy of the institution. It must be consistent with how the senior management, including the
board, assess and manage the risks of the institution.
When market participants have a sufficient understanding of a bank's activities and the controls it has in
place to manage its exposures, they are better able to distinguish between banking organisations so that
they can reward those that manage their risks prudently and penalise those that do not.
These disclosures are required to be made at least twice a year, except qualitative disclosures providing a
summary of the general risk management objectives and policies which can be made annually. Institutions
are also required to create a formal policy on what will be disclosed and controls around them along with the
validation and frequency of these disclosures. In general, the disclosures under Pillar 3 apply to the top consolidated level of the banking group to which the Basel II framework applies.
Basel III (or the Third Basel Accord) is a global regulatory standard on bank capital adequacy, stress
testing and market liquidity risk agreed upon by the members of the Basel Committee on Banking
Supervision in 2010–11, and scheduled to be introduced from 2013 until 2018.[1][2] The third installment of
the Basel Accords (see Basel I, Basel II) was developed in response to the deficiencies in financial
regulation revealed by the late-2000s financial crisis. Basel III strengthens bank capital requirements and
introduces new regulatory requirements on bank liquidity and bank leverage. The OECD estimates that the implementation of Basel III will decrease annual GDP growth by 0.05–0.15%.[3][4] Critics suggest that greater
regulation is responsible for the slow recovery from the late-2000s financial crisis,[5][6] and that the tighter
Basel III requirements may further negatively affect the stability of the financial system by increasing the
incentives of banks to game the regulatory framework.[7]
Basel III will require banks to hold 4.5% of common equity (up from 2% in Basel II) and 6% of Tier I
capital (up from 4% in Basel II) of risk-weighted assets (RWA). Basel III also introduces additional
capital buffers, (i) a mandatory capital conservation buffer of 2.5% and (ii) a discretionary
countercyclical buffer, which allows national regulators to require up to another 2.5% of capital during periods of high credit growth. In addition, Basel III introduces a minimum leverage ratio and two
required liquidity ratios.[8]
The leverage ratio is calculated by dividing Tier 1 capital by the bank's average total consolidated assets;[9]
the banks are expected to maintain the leverage ratio in excess of 3%. The Liquidity Coverage Ratio requires a bank to hold sufficient high-quality liquid assets to cover
its total net cash outflows over 30 days; the Net Stable Funding Ratio requires the available amount of
stable funding to exceed the required amount of stable funding over a one-year period of extended
stress.[10]
THE LIMITS OF THE BASEL II ACCORD
In general, banks do not have to engage in transactions in which the risks cannot be identified and
controlled in an efficient manner. Each risk a credit institution deals with must be identified, supervised,
and its effects limited.
In the 1980s, because of the critical changes in interest rates produced by the inflationary
process and by the energy crises, because of the significant changes in exchange rates after the
abolishment of the Bretton Woods system, and because of the intensification of competition on the financial
services market, instability became a characteristic of the environment in which banks operate.
In this new situation, banks' vulnerability and the number of bankruptcies increased. The Basel I Accord of
1988, which emerged because of the bank insolvencies of the 1980s, led to the banking system's recovery on
account of the minimum capital adequacy. The Accord has also contributed to the international banking
system's stability due to the harmonization of international banks' practices and the elimination of disloyal bank competition. The stipulations of the Basel I Settlement did not have an imperative character;
they were merely given as a guide, but they were adopted by the majority of banks.
As the risks on the international market evolved and affected banks' activity, in 1996 the
Basel I Settlement was amended by incorporating market risk next to credit risk in estimating
capital adequacy. The Basel II Accord adopted in 2004 has a more flexible character, offering credit
institutions the freedom to choose their own methods of risk evaluation, but conserves the key elements of
the Basel I Settlement, namely the minimum of 8% capital adequacy.
The Basel II Settlement has many advantages, like:
- the credit institutions take into consideration the operational risk next to the credit risk and market risk;
- the global risk approach;
- the internal rating systems;
- a market discipline based on the transparency principle and a detailed reporting offering relevant,
credible, opportune, comparable and comprehensible information;
- an increased competence for supervision authorities;
- the creation of a solid bank industry;
- it contributes to the harmonization of bank practices between East and West Europe;
- an equitable bank competition;
- the three pillars represent a whole unit;
- the internal methods of risk evaluation mean that the weighting coefficients with which every risk
asset is evaluated are not the same for the whole banking sector, but are established
individually by each institution, so that the risk is evaluated much more accurately and the situations in which capital requirements are overestimated are eliminated. So the banks will have more money for
giving credits, and they will have to set aside fewer reserves.
The Basel II Convention introduces into the standard approach to credit risk an additional penalty for credits
given to institutions with an inferior rating. So, whereas under the Basel I Accord the minimum requirement was 100%
of the exposure, under Basel II for B- ratings the weighting coefficient is 150%. The exposure classes
and the weighting coefficients for credit risk increase from 4 to 8 categories: 0%, 10%, 20%, 35%, 50%,
75%, 100%, 150%, which allows the credit risk to be detected more accurately based on the nature of the investment
for each bank. The weighting coefficient for each risk depends not only on the class in which the exposure is
placed, but also on the credit quality, determined by the ratings given by external
credit assessment institutions.
The banks that will make the most of the New Accord will be those that invest seriously in risk
management and that know how to choose the right risk management method based on the results of the
analyses made. In other words, the promotion of internal risk management models will be the key to the
banks' success in developing the credit activity and managing the risks.
The implementation of the Basel II Agreement has revealed its limits, such as:
- implementation implies high costs for staff training and IT, especially for countries in Central
and East Europe;
- discrimination between banks (small and large banks);
- fewer loans for countries in the transitional period, especially for banks and companies with low ratings;
- an increase in the degree of bank concentration through mergers and acquisitions between banks in the
system;
- variation of interest rates based on the quality of the credit applicant.
Due to its complexity, the IRB method is very difficult to implement for banks that do not have a
superior level of culture in credit risk management, so the standardized approach appears to be the only
credible option for banks in Central and East Europe. In Romania this process is easier because the whole
banking system is owned by West European banks, which have already passed this test, so they will be able
to facilitate the transition of their subsidiaries to the new capital requirements. In some cases the parent
banks will provide their own internal risk evaluation models.
Unit 3:
The Role of Credit Rating Agencies in the Governance of Financial Markets
Throughout the industrialized world governments play an important role in the regulation of financial market
risk. By protecting investors from fraud and by introducing preventive regulation to reduce the likelihood of
financial crisis, they have contributed to the markets' efficiency and growth. However, the state's role in
financial markets has become more difficult over the last two to three decades. The increasing global
integration of nationally contained financial markets means that a financial crisis can spread more easily
from one national system to another. Furthermore, the high mobility of capital makes the enforcement of
rules more difficult. These problems raise the question as to whether and how the management of risk in
financial markets takes place today.
In recent years credit rating agencies (CRA) have become increasingly important in the management of
financial market risk. CRA are commercial firms that receive payment for publishing an evaluation of the
creditworthiness of their clients. This information is especially useful when borrowing takes place through
the issue of securities, rather than by bank loans, since buyers of securities do not know the issuers as well as
banks usually know their customers. CRA originated in the USA at the turn of the century and concentrated
on rating corporate bonds. Their activities subsequently increased in scope and scale. At present no major
type of security, issuer or geographic area is excluded. CRA now define a truly global benchmark for credit
risk. Published ratings are not only closely observed in the market place. They are significant for regulation
as well. Since the Great Depression the CRA's benchmark has also been used in the regulation of financial
markets. Banks or certain types of other investors, for example, are only allowed to hold lower risk securities
rated 'investment grade'. By referring to the market benchmark for credit risk, regulation remains in touch
with the changing credit risks in the market. As with the use of ratings in the market, their use as a regulatory
benchmark is also spreading globally. Since CRA judgments define a globally uniform benchmark, they are
attractive as a reference for international regulatory standards as well. A good case in point is the recent
proposition by the Bank for International Settlements to use ratings to calculate capital adequacy ratios for
banks.
The increasing prominence of the CRA in risk management in the market place and in
regulation makes them an important element in coping with the risk of globally interconnected financial
markets. The question arising from this observation is: how effective are present rating-based risk
management strategies? Given the rapidly changing nature of financial market risk, how well do rating
agencies adapt to them? To answer this question, the dominant mode of action co-ordination between the
actors involved is to be analyzed. The question guiding the analysis will be whether rating-based risk
management results in greater adaptability associated with networks or whether it will be limited to the trial
and error learning of markets and hierarchies.
Unit 4:
Risk Measurement:
In financial mathematics, a risk measure is used to determine the amount of an asset or set of assets
(traditionally currency) to be kept in reserve. The purpose of this reserve is to make the risks taken
by financial institutions, such as banks and insurance companies, acceptable to the regulator. In recent years
attention has turned towards convex and coherent risk measurement.
Risk Management
The process of identification, analysis and either acceptance or mitigation of uncertainty in
investment decision-making. Essentially, risk management occurs anytime an investor or fund
manager analyzes and attempts to quantify the potential for losses in an investment and then
takes the appropriate action (or inaction) given their investment objectives and risk tolerance.
Inadequate risk management can result in severe consequences for companies as well as
individuals. For example, the recession that began in 2008 was largely caused by the loose
credit risk management of financial firms.
Risk management is a two-step process - determining what risks exist in an
investment and then handling those risks in a way best-suited to your investment objectives.
Risk management occurs everywhere in the financial world. It occurs when an investor buys
low-risk government bonds over more risky corporate debt, when a fund manager hedges
their currency exposure with currency derivatives and when a bank performs a credit check on
an individual before issuing them a personal line of credit.
Principles of risk management
The International Organization for Standardization (ISO) identifies the following principles of risk
management:[4]
Risk management should:
- create value – resources expended to mitigate risk should be less than the consequence of inaction, or (as
in value engineering), the gain should exceed the pain
- be an integral part of organizational processes
- be part of the decision making process
- explicitly address uncertainty and assumptions
- be systematic and structured
- be based on the best available information
- be tailorable
- take human factors into account
- be transparent and inclusive
- be dynamic, iterative and responsive to change
- be capable of continual improvement and enhancement
- be continually or periodically re-assessed
Process
According to the standard ISO 31000 "Risk management – Principles and guidelines on
implementation,"[3] the process of risk management consists of several steps as follows:
1. Establishing the context
This involves:
1. identification of risk in a selected domain of interest
2. planning the remainder of the process
3. mapping out the following:
- the social scope of risk management
- the identity and objectives of stakeholders
- the basis upon which risks will be evaluated, constraints.
4. defining a framework for the activity and an agenda for identification
5. developing an analysis of risks involved in the process
6. mitigation or solution of risks using available technological, human and organizational resources.
2. Identification
After establishing the context, the next step in the process of managing risk is to identify potential risks.
Risks are about events that, when triggered, cause problems. Hence, risk identification can start with the
source of problems, or with the problem itself.
Source analysis - Risk sources may be internal or external to the system that is the target of
risk management.
Examples of risk sources are: stakeholders of a project, employees of a company or the weather over an
airport.
Problem analysis - Risks are related to identified threats. For example: the threat of losing
money, the threat of abuse of confidential information or the threat of human errors, accidents and
casualties. The threats may exist with various entities, most important with shareholders, customers and
legislative bodies such as the government.
When either source or problem is known, the events that a source may trigger or the events that can lead to
a problem can be investigated. For example: stakeholders withdrawing during a project may endanger
funding of the project; confidential information may be stolen by employees even within a closed network;
lightning striking an aircraft during takeoff may make all people on board immediate casualties.
The chosen method of identifying risks may depend on culture, industry practice and compliance. The
identification methods are formed by templates or the development of templates for identifying source,
problem or event. Common risk identification methods are:
Objectives-based risk identification - Organizations and project teams have objectives. Any
event that may endanger achieving an objective partly or completely is identified as risk.
Scenario-based risk identification - In scenario analysis different scenarios are created. The scenarios
may be the alternative ways to achieve an objective, or an analysis of the interaction of forces in, for
example, a market or battle. Any event that triggers an undesired scenario alternative is identified as
risk – see Futures Studies for methodology used by Futurists.
Taxonomy-based risk identification - The taxonomy in taxonomy-based risk identification is a breakdown
of possible risk sources. Based on the taxonomy and knowledge of best practices, a questionnaire is
compiled. The answers to the questions reveal risks.[5]
Common-risk checking - In several industries, lists with known risks are available.
Each risk in the list can be checked for application to a particular situation.[6]
Risk charting [7] - This method combines the above approaches by listing resources at risk, threats to
those resources, modifying factors which may increase or decrease the risk and consequences it is
wished to avoid. Creating a matrix under these headings enables a variety of approaches. One can
begin with resources and consider the threats they are exposed to and the consequences of each.
Alternatively one can start with the threats and examine which resources they would affect, or one can
begin with the consequences and determine which combination of threats and resources would be
involved to bring them about.
3. Assessment
Once risks have been identified, they must then be assessed as to their potential severity of impact
(generally a negative impact, such as damage or loss) and to the probability of occurrence. These quantities
can be either simple to measure, in the case of the value of a lost building, or impossible to know for sure in
the case of the probability of an unlikely event occurring. Therefore, in the assessment process it is critical
to make the best educated decisions in order to properly prioritize the implementation of the risk
management plan.
Even a short-term positive improvement can have long-term negative impacts. Take the "turnpike" example.
A highway is widened to allow more traffic. More traffic capacity leads to greater development in the areas
surrounding the improved traffic capacity. Over time, traffic thereby increases to fill available capacity.
Turnpikes thereby need to be expanded in a seemingly endless cycle. There are many other engineering
examples where expanded capacity (to do any function) is soon filled by increased demand. Since
expansion comes at a cost, the resulting growth could become unsustainable without forecasting and
management.
The fundamental difficulty in risk assessment is determining the rate of occurrence since statistical
information is not available on all kinds of past incidents. Furthermore, evaluating the severity of the
consequences (impact) is often quite difficult for intangible assets. Asset valuation is another question that
needs to be addressed. Thus, best educated opinions and available statistics are the primary sources of
information. Nevertheless, risk assessment should produce such information for the management of the
organization that the primary risks are easy to understand and that the risk management decisions may be
prioritized. Thus, there have been several theories and attempts to quantify risks. Numerous different risk
formulae exist, but perhaps the most widely accepted formula for risk quantification is:
Rate (or probability) of occurrence multiplied by the impact of the event equals risk magnitude
4. Composite Risk Index
The above formula can also be re-written in terms of a Composite Risk Index, as follows:
Composite Risk Index = Impact of Risk event x Probability of Occurrence
The impact of the risk event is commonly assessed on a scale of 1 to 5, where 1 and 5 represent the
minimum and maximum possible impact of an occurrence of a risk (usually in terms of financial losses).
However, the 1 to 5 scale can be arbitrary and need not be on a linear scale.
The probability of occurrence is likewise commonly assessed on a scale from 1 to 5, where 1 represents
a very low probability of the risk event actually occurring while 5 represents a very high probability of
occurrence. This axis may be expressed in either mathematical terms (event occurs once a year, once
in ten years, once in 100 years etc.) or may be expressed in "plain English" – event has occurred here
very often; event has been known to occur here; event has been known to occur in the industry etc.).
Again, the 1 to 5 scale can be arbitrary or non-linear depending on decisions by subject-matter experts.
The Composite Index thus can take values ranging (typically) from 1 through 25, and this range is
usually arbitrarily divided into three sub-ranges. The overall risk assessment is then Low, Medium or
High, depending on the sub-range containing the calculated value of the Composite Index. For instance,
the three sub-ranges could be defined as 1 to 8, 9 to 16 and 17 to 25.
Note that the probability of risk occurrence is difficult to estimate, since the past data on frequencies are
not readily available, as mentioned above. After all, probability does not imply certainty.
Likewise, the impact of the risk is not easy to estimate since it is often difficult to estimate the potential
loss in the event of risk occurrence.
Further, both the above factors can change in magnitude depending on the adequacy of risk avoidance
and prevention measures taken and due to changes in the external business environment. Hence it is
absolutely necessary to periodically re-assess risks and intensify or relax mitigation measures as
necessary. Changes in procedures, technology, schedules, budgets, market conditions, political
environment, or other factors typically require re-assessment of risks.
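The scoring and banding described above, written out as an added worked example that is not part of the notes: impact and probability are each scored 1 to 5, the product is the Composite Risk Index (1 to 25), and the index is binned into Low, Medium or High using the illustrative 1-8, 9-16 and 17-25 sub-ranges from the text. The risk register entries are constructed sample data, and the band cut-points are the policy choice the notes call "arbitrary", so they are kept as a parameter.

```python
"""
Composite Risk Index: impact (1..5) x probability (1..5) -> 1..25,
binned into Low / Medium / High. The sub-ranges 1-8, 9-16, 17-25 are
the illustrative ones from the notes; the register below is constructed.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # both axes run 1..5 as in the notes

# Sub-ranges from the text; a policy choice that subject-matter experts may change.
BANDS = (("Low", 1, 8), ("Medium", 9, 16), ("High", 17, 25))


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int        # 1 = minimal, 5 = maximal (usually financial loss)
    probability: int   # 1 = very unlikely, 5 = very likely


def composite_risk_index(impact, probability):
    """Impact x probability; rejects values outside the 1..5 scales so a
    mistyped score cannot silently produce an out-of-range index."""
    if impact not in SCALE or probability not in SCALE:
        raise ValueError("impact and probability must both be integers 1..5")
    return impact * probability


def rating(index, bands=BANDS):
    """Map an index to the band label whose [lo, hi] range contains it."""
    for label, lo, hi in bands:
        if lo <= index <= hi:
            return label
    raise ValueError(f"index {index} is outside the configured bands")


def prioritize(risks, bands=BANDS):
    """Score every risk and return (name, index, band) tuples, highest index
    first (ties broken by impact), so the treatment plan is worked top-down."""
    scored = [(r, composite_risk_index(r.impact, r.probability)) for r in risks]
    scored.sort(key=lambda t: (-t[1], -t[0].impact, t[0].name))
    return [(r.name, idx, rating(idx, bands)) for r, idx in scored]


# Constructed sample register (not from the notes).
SAMPLE_REGISTER = [
    Risk("ransomware on file servers", impact=5, probability=3),
    Risk("laptop theft", impact=2, probability=4),
    Risk("data centre flood", impact=5, probability=1),
    Risk("phishing credential compromise", impact=4, probability=5),
]

if __name__ == "__main__":
    for name, idx, label in prioritize(SAMPLE_REGISTER):
        print(f"{idx:2d} {label:6s} {name}")
```

Because the scales are ordinal, the product is only a ranking device: a 5 x 1 "data centre flood" and a 1 x 5 event both score 5 and land in the same band even though they call for very different treatments, which is why the notes stress periodic re-assessment by subject-matter experts rather than trusting the number alone.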
5. Risk Options
Risk mitigation measures are usually formulated according to one or more of the following major risk
options, which are:
1. Design a new business process with adequate built-in risk control and containment measures
from the start.
2. Periodically re-assess risks that are accepted in ongoing processes as a normal feature of
business operations and modify mitigation measures.
3. Transfer risks to an external agency (e.g. an insurance company)
4. Avoid risks altogether (e.g. by closing down a particular high-risk business area)
Later research has shown that the financial benefits of risk management are less dependent
on the formula used but are more dependent on the frequency and how risk assessment is performed.
In business it is imperative to be able to present the findings of risk assessments in financial, market, or
schedule terms. Robert Courtney Jr. (IBM, 1970) proposed a formula for presenting risks in financial
terms. The Courtney formula was accepted as the official risk analysis method for the US governmental
agencies. The formula proposes calculation of ALE (annualised loss expectancy) and compares the
expected loss value to the security control implementation costs (cost-benefit analysis).
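The ALE cost-benefit comparison just described, as an added example rather than anything from the notes or from Courtney's paper. It assumes the standard decomposition ALE = SLE x ARO with SLE = asset value x exposure factor (the notes do not spell the formula out), and all money figures are constructed.

```python
"""
Annualised loss expectancy (ALE) and the cost-benefit test: a control is
worth implementing only if the ALE it removes exceeds its annualised cost.
ALE = SLE x ARO and SLE = asset value x exposure factor are assumptions
(the standard form); the figures below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset_value: float      # value at risk, in currency units
    exposure_factor: float  # fraction of the asset lost per incident (0..1)
    aro: float              # annualised rate of occurrence (incidents per year)


def single_loss_expectancy(s):
    """SLE: the loss from one occurrence of the event."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be within 0..1")
    return s.asset_value * s.exposure_factor


def annualised_loss_expectancy(s):
    """ALE = SLE x ARO; an ARO of 0.25 means one incident per four years."""
    if s.aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(s) * s.aro


def control_benefit(before, after, annual_control_cost):
    """Net annual value of a control: ALE reduction minus its annualised cost.
    Positive means the control pays for itself; negative means retain the
    risk or look for a cheaper treatment."""
    reduction = annualised_loss_expectancy(before) - annualised_loss_expectancy(after)
    return reduction - annual_control_cost


def recommend(before, after, annual_control_cost):
    """Return ("implement" | "do not implement", net annual benefit)."""
    net = control_benefit(before, after, annual_control_cost)
    return ("implement" if net > 0 else "do not implement"), net


# Constructed example: a data set valued at 200,000 units, a breach is judged
# to destroy 25% of that value, and such breaches occur about once in 4 years.
BEFORE = Scenario(asset_value=200_000, exposure_factor=0.25, aro=0.25)
# A proposed control halves the frequency and limits the damage to 10%.
AFTER = Scenario(asset_value=200_000, exposure_factor=0.10, aro=0.125)

if __name__ == "__main__":
    print(annualised_loss_expectancy(BEFORE))                   # 12500.0
    print(annualised_loss_expectancy(AFTER))                    # 2500.0
    print(recommend(BEFORE, AFTER, annual_control_cost=6_000))  # ('implement', 4000.0)
    print(recommend(BEFORE, AFTER, annual_control_cost=15_000)) # ('do not implement', -5000.0)
```

The same control is worth buying at 6,000 a year and not at 15,000, which is the whole point of the comparison: the decision depends on the control's cost relative to the expected loss it removes, not on the absolute size of the loss.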
6. Potential risk treatments
Once risks have been identified and assessed, all techniques to manage the risk fall into one or more of
these four major categories:[8]
Avoidance (eliminate, withdraw from or not become involved)
Reduction (optimize – mitigate)
Sharing (transfer – outsource or insure)
Retention (accept and budget)
Ideal use of these strategies may not be possible. Some of them may involve trade-offs that are not
acceptable to the organization or person making the risk management decisions. Another source, from
the US Department of Defense, Defense Acquisition University, calls these categories ACAT,
for Avoid, Control, Accept, or Transfer. This use of the ACAT acronym is reminiscent of another ACAT
(for Acquisition Category) used in US Defense industry procurements, in which Risk Management
figures prominently in decision making and planning.
Risk avoidance
This includes not performing an activity that could carry risk. An example would be not buying
a property or business in order to not take on the legal liability that comes with it. Another would be not
flying in order not to take the risk that the airplane were to be hijacked. Avoidance may seem the answer
to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the
risk may have allowed. Not entering a business to avoid the risk of loss also avoids the possibility of
earning profits. Increasing risk regulation in hospitals has led to avoidance of treating higher risk
conditions, in favour of patients presenting with lower risk.[9]
Hazard prevention
Hazard prevention refers to the prevention of risks in an emergency. The first and most effective stage
of hazard prevention is the elimination of hazards. If this takes too long, is too costly, or is otherwise
impractical, the second stage is mitigation.
Risk reduction
Risk reduction or "optimization" involves reducing the severity of the loss or the likelihood of the loss
from occurring. For example, sprinklers are designed to put out a fire to reduce the risk of loss by fire.
This method may cause a greater loss by water damage and therefore may not be suitable. Halon fire
suppression systems may mitigate that risk, but the cost may be prohibitive as a strategy.
Acknowledging that risks can be positive or negative, optimizing risks means finding a balance between
negative risk and the benefit of the operation or activity; and between risk reduction and effort applied.
By an offshore drilling contractor effectively applying HSE Management in its organization, it can
optimize risk to achieve levels of residual risk that are tolerable.[10]
Modern software development methodologies reduce risk by developing and delivering software
incrementally. Early methodologies suffered from the fact that they only delivered software in the final
phase of development; any problems encountered in earlier phases meant costly rework and often
jeopardized the whole project. By developing in iterations, software projects can limit effort wasted to a
single iteration.
Outsourcing could be an example of risk reduction if the outsourcer can demonstrate higher capability at
managing or reducing risks.[11] For example, a company may outsource only its software development,
the manufacturing of hard goods, or customer support needs to another company, while handling the
business management itself. This way, the company can concentrate more on business development
without having to worry as much about the manufacturing process, managing the development team, or
finding a physical location for a call center.
Risk sharing
Briefly defined as "sharing with another party the burden of loss or the benefit of gain, from a risk, and
the measures to reduce a risk."
The term 'risk transfer' is often used in place of risk sharing in the mistaken belief that you can
transfer a risk to a third party through insurance or outsourcing. In practice, if the insurance company or
contractor goes bankrupt or ends up in court, the original risk is likely to still revert to the first party. As such,
in the terminology of practitioners and scholars alike, the purchase of an insurance contract is often
described as a "transfer of risk." However, technically speaking, the buyer of the contract generally
retains legal responsibility for the losses "transferred", meaning that insurance may be described more
accurately as a post-event compensatory mechanism. For example, a personal injuries insurance policy
does not transfer the risk of a car accident to the insurance company. The risk still lies with the policy
holder namely the person who has been in the accident. The insurance policy simply provides that if an
accident (the event) occurs involving the policy holder then some compensation may be payable to the
policy holder that is commensurate to the suffering/damage.
Some ways of managing risk fall into multiple categories. Risk retention pools are technically retaining
the risk for the group, but spreading it over the whole group involves transfer among individual members
of the group. This is different from traditional insurance, in that no premium is exchanged between
members of the group up front, but instead losses are assessed to all members of the group.
Risk retention
Involves accepting the loss, or benefit of gain, from a risk when it occurs. True self insurance falls in this
category. Risk retention is a viable strategy for small risks where the cost of insuring against the risk
would be greater over time than the total losses sustained. All risks that are not avoided or transferred
are retained by default. This includes risks that are so large or catastrophic that they either cannot be
insured against or the premiums would be infeasible. War is an example since most property and risks
are not insured against war, so the loss attributed by war is retained by the insured. Also any amounts
of potential loss (risk) over the amount insured is retained risk. This may also be acceptable if the
chance of a very large loss is small or if the cost to insure for greater coverage amounts is so great it
would hinder the goals of the organization too much.
7. Create a risk management plan
Select appropriate controls or countermeasures to measure each risk. Risk mitigation needs to be
approved by the appropriate level of management. For instance, a risk concerning the image of the
organization should have top management decision behind it whereas IT management would have the
authority to decide on computer virus risks.
The risk management plan should propose applicable and effective security controls for managing the
risks. For example, an observed high risk of computer viruses could be mitigated by acquiring and
implementing antivirus software. A good risk management plan should contain a schedule for control
implementation and responsible persons for those actions.
According to ISO/IEC 27001, the stage immediately after completion of the risk assessment phase
consists of preparing a Risk Treatment Plan, which should document the decisions about how each of
the identified risks should be handled. Mitigation of risks often means selection of security controls,
which should be documented in a Statement of Applicability, which identifies which particular control
objectives and controls from the standard have been selected, and why.
8. Implementation
Implementation follows all of the planned methods for mitigating the effect of the risks. Purchase
insurance policies for the risks that have been decided to be transferred to an insurer, avoid all risks that
can be avoided without sacrificing the entity's goals, reduce others, and retain the rest.
9. Review and evaluation of the plan
Initial risk management plans will never be perfect. Practice, experience, and actual loss results will
necessitate changes in the plan and contribute information to allow possible different decisions to be
made in dealing with the risks being faced.
Risk analysis results and management plans should be updated periodically. There are two primary
reasons for this:
1. to evaluate whether the previously selected security controls are still applicable and effective
2. to evaluate the possible risk level changes in the business environment. For example,
information risks are a good example of rapidly changing business environment.
Unit 5:
What is Risk Management
Risk management is an important concept that mainly aims at the identification, assessment, and prioritization of
events that may have an adverse impact on the organization. It can be considered a very powerful strategic
tool and has become more prevalent in recent decades due to rapid growth in the industrial sector. Risks can be
uncertainty in financial markets, failure of projects, legal liabilities, credit risk, accidents of natural causes
and disasters, etc. Avoiding the risk, transferring the risk to another party, reducing the impact of the risk are
some strategies to manage risk.
Risk Management Definition
"Risk management is defined as the logical development and carrying out of a plan to deal with potential
losses. The purpose of the risk management programme is to manage an organization's exposure to loss and to
protect its assets." - Mark S. Dorsman
Types of Risk Management
Assessment of the risk, obtaining options for handling the risk, and analyzing the risks in order to determine
the ways in which the same may change are some ways to deal with risk. There are different types of risks
and management must be aware of all the kinds. The risks can be financial risks, process risks, intangible
risks, time risks, human risks, legal risks, and physical risks. Brief notes on various types of risks:
Systemic risk
In finance, systemic risk is the risk of collapse of an entire financial system or entire market, as opposed to
risk associated with any one individual entity, group or component of a system.[1][2] It can be defined as
"financial system instability, potentially catastrophic, caused or exacerbated by idiosyncratic events or
conditions in financial intermediaries".[3] It refers to the risks imposed
by interlinkages and interdependencies in a system or market, where the failure of a single entity or cluster of
entities can cause a cascading failure, which could potentially bankrupt or bring down the entire system or
market.[4] It is also sometimes erroneously referred to as "systematic risk".
Explanation
Systemic risk has been compared to a bank run which has a cascading effect on other banks which are owed
money by the first bank in trouble, causing a cascading failure. As depositors sense the ripple effects of
default, and liquidity concerns cascade through money markets, a panic can spread through a market, with a
sudden flight to quality, creating many sellers but few buyers for illiquid assets. These interlinkages and the
potential "clustering" of bank runs are the issues which policy makers consider when addressing the issue of
protecting a system against systemic risk .[1][5] Governments and market monitoring institutions (such as
the U.S. Securities and Exchange Commission (SEC), and central banks) often try to put policies and rules in
place with the ostensible justification of safeguarding the interests of the market as a whole, claiming that the
trading participants in financial markets are entangled in a web of dependencies arising from their
interlinkage. In simple English, this means that some companies are viewed as too big and too interconnected
to fail. Policy makers frequently claim that they are concerned about protecting the resiliency of the system,
rather than any one individual in that system.
Systemic risk should not be confused with market or price risk as the latter is specific to the item
being bought or sold and the effects of market risk are isolated to the entities dealing in that specific item.
This kind of risk can be mitigated by hedging an investment by entering into a mirror trade.
Insurance is often easy to obtain against "systemic risks" because a party issuing that insurance can
pocket the premiums, issue dividends to shareholders, enter insolvency proceedings if a catastrophic event
ever takes place, and hide behind limited liability. Such insurance, however, is not effective for the insured
entity.
One argument that was used by financial institutions to obtain special advantages in bankruptcy for
derivative contracts was a claim that the market is both critical and fragile. However, evidence
overwhelmingly suggests that such special treatment, justified by arguments about systemic risk, actually
exacerbated systemic risk during the financial crisis and forced the government to bail out derivatives traders.
Systemic risk can also be defined as the likelihood and degree of negative consequences to the larger
body. With respect to federal financial regulation, the systemic risk of a financial institution is the likelihood
and the degree that the institution's activities will negatively affect the larger economy such that unusual and
extreme federal intervention would be required to ameliorate the effects.
Unsystematic Risk
Company or industry specific risk that is inherent in each investment. The amount of unsystematic risk can
be reduced through appropriate diversification.
Also known as "specific risk," "diversifiable risk" or "residual risk."
For example, news that is specific to a small number of stocks, such as a sudden strike by the employees of a
company you have shares in, is considered to be unsystematic risk.
While systematic risk factors affect many firms in an economy, unsystematic risk factors affect either a
single firm or a group of firms. The risk that a firm loses its successful CEO is an example of an
unsystematic risk factor. While the loss can affect the firm's performance substantially, it would have very
little impact on other firms in the economy.
Unsystematic risk is a concept in finance and portfolio theory that refers to the extent to which a
company's stock return is uncorrelated with the return of the overall stock market. This type of risk may be
thought of as industry-specific or company-specific risk. It is the opposite of systematic risk, which is
the risk inherent to an entire market.
It is commonly referred to as specific or idiosyncratic risk, since unsystematic risk affects only a
relatively few firms rather than the overall market. For example, the risk of food poisoning is
unsystematic risk, since it applies only to firms handling human food. Key man risk is also unsystematic,
since few individual companies are likely to suffer a large drop in value if their leaders were to suffer
unexpected incapacitation.
The unsystematic risk inherent in individual stocks is routinely quantified by professional investors using
statistical regression analysis. Like all forms of risk, it is measured as the volatility of returns, with returns
including both stock, or share, price appreciation and dividends.
From the point of view of an investor, all risk is a negative. Some risk is less negative than others, however,
and detracts less from the value of an asset. Unsystematic risk is preferable to systematic risk since its
negative effect can be removed within the context of an overall portfolio. As a result, unsystematic risk is
also known as diversifiable risk.
The concept of unsystematic and systematic risk is very helpful for investors seeking to construct a large,
diversified investment portfolio that mirrors the overall market. If constructed well, that portfolio will closely
track the market. If the market increases in value, the portfolio will also increase in value by the same
percentage. If the overall market decreases in value, the portfolio will also go down.
Adding a stock that is uncorrelated with the overall market to a portfolio will tend to decrease the volatility
of that portfolio's return. To that extent, the portfolio is said to become more efficient.
The unsystematic risk of the individual stock is removed through the diversification inherent in the overall
portfolio.
The investment market does not reward investors for carrying unsystematic risk — it does not allow
investors to be compensated for incurring the specific risk inherent in an individual stock. Competition in the
investment market drives down the price of a stock to a level that eliminates any compensation for this risk.
Efficient investors neutralize the negative impact of unsystematic risk through efficient
portfolio diversification.
What Are Unsystematic and Systematic Risks?
All investments are subject to risk. It is generally believed that investors are rewarded for taking risk.
However, some risk is not rewarded. Investors need to control or eliminate risks for which they are not
rewarded from their investment portfolio. Investment risks can be placed into two broad categories:
unsystematic and systematic risks.
Unsystematic risk (also called diversifiable risk) is risk that is specific to a company. This type of risk could
include dramatic events such as a strike, a natural disaster such as a fire, or something as simple as slumping
sales. Two common sources of unsystematic risk are business risk and financial risk.
Diversification can greatly reduce unsystematic risk from a portfolio. It is unlikely that events such as the
ones listed above would happen in every firm at the same time. Therefore, by diversifying, one can reduce
their risk. There is no reward for taking on unneeded unsystematic risk.
On the other hand, some events can affect all firms at the same time. Events such as inflation, war, and
fluctuating interest rates influence the entire economy, not just a specific firm or industry.
Diversification cannot eliminate the risk of facing these events. Therefore, it is considered un-diversifiable
risk. This type of risk accounts for most of the risk in a well-diversified portfolio. It is called systematic
risk or market risk. However, the expected returns on their investments can reward investors for enduring
systematic risks.
Investors are induced to take risks for potentially higher returns. However, not all risks offer such potential
rewards. The wise investor identifies these risks and eliminates them from his or her portfolio through
Difference between systematic risk and unsystematic risk

Systematic Risk | Unsystematic Risk
This type of risk affects all securities in a market. | This type of risk is unique to a security or a company.
This risk is dependent on political or economic factors. | This risk is independent of political or economic factors.
It is also known as Market Risk. | It is also known as Diversifiable Risk.
It occurs due to imbalance in the political situation or fluctuation in the market etc. | This risk arises from management inefficiency, unsuccessful planning etc.
It can be reduced by holding better portfolios of company's securities. | It can be reduced by holding a large number of securities.
Systematic Risk
Systematic risk is risk associated with market returns. This is risk that can be attributed to broad factors. It is
risk to your investment portfolio that cannot be attributed to the specific risk of individual investments.
Sources of systematic risk could be macroeconomic factors such as inflation, changes in interest rates,
fluctuations in currencies, recessions, wars, etc. Macro factors which influence the direction and volatility of
the entire market would be systematic risk. An individual company cannot control systematic risk.
Systematic risk can be partially mitigated by asset allocation. Owning different asset classes with low
correlation can smooth portfolio volatility because asset classes react differently to macroeconomic factors.
When some asset categories (i.e. domestic equities, international stocks, bonds, cash, etc.) are increasing
others may be falling and vice versa.
I prefer using a tactical asset allocation because I want to adjust my asset allocation target according to
valuations. When mitigating systematic risk within a diversified portfolio, cash may be the most important
and underappreciated asset category.
Unsystematic Risk
Unsystematic risk is company specific or industry specific risk. This is risk attributable or specific to the
individual investment or small group of investments. It is uncorrelated with stock market returns. Other
names used to describe unsystematic risk are specific risk, diversifiable risk, idiosyncratic risk, and residual
risk.
Examples of risk that might be specific to individual companies or industries are business risk, financing
risk, credit risk, product risk, legal risk, liquidity risk, political risk, operational risk, etc. Unsystematic risks
are considered governable by the company or industry.
Investment diversification can nearly eliminate unsystematic risk. If an investor owns just one stock or bond
and something negative happens to that company, the investor suffers great harm. But if an investor owns a
diversified portfolio of 20, 30, or 40 individual investments, the damage done to the portfolio is minimized.
The important concept of unsystematic risk is that it is not correlated to market risk and can be nearly
eliminated by diversification.
Diversifiable risk (also known as unsystematic risk) represents the portion of an asset's risk that is associated
with random causes that can be eliminated through diversification. It is attributable to firm-specific events,
such as strikes, lawsuits, regulatory actions, and loss of a key account. Unsystematic risk is due to factors
specific to an industry or a company like labor unions, product category, research and development, pricing,
marketing strategy etc.
Non-diversifiable risk (also known as systematic risk), by contrast, is the relevant portion of an asset's risk
attributable to market factors that affect all firms, such as war, inflation, international incidents, and political
events. It cannot be eliminated through diversification, and the combination of a security's non-diversifiable
risk and diversifiable risk is called total risk.
In other words, systematic risk is due to risk factors that affect the entire market, such as investment policy
changes, foreign investment policy, changes in taxation clauses, shifts in socio-economic parameters, global
security threats and measures etc. Systematic risk is beyond the control of investors and cannot be mitigated
to a large extent. In contrast, unsystematic risk can be mitigated through portfolio diversification.
It is a risk that can be avoided, and the market does not compensate for taking such risks.
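The diversification argument made above (the unsystematic part of portfolio variance shrinks as more securities are held, while the systematic part remains) can be checked numerically. The Python simulation below is an added example, not part of the original notes; it assumes a single-index model r_i = beta * r_m + e_i with hypothetical parameters (beta 1, market standard deviation 2%, stock-specific standard deviation 5%) and a simulated, not real, return series.

```python
import random
import statistics

# Hypothetical parameters for the illustration (not taken from the notes):
# every stock shares one market factor with beta = 1, the market moves with a
# 2% daily standard deviation, and each stock's own (idiosyncratic) shock has
# a 5% daily standard deviation.
BETA = 1.0
SIGMA_MARKET = 0.02
SIGMA_SPECIFIC = 0.05


def portfolio_returns(n_stocks, n_periods, beta=BETA, sigma_market=SIGMA_MARKET,
                      sigma_specific=SIGMA_SPECIFIC, seed=7):
    """Daily returns of an equally weighted portfolio of n_stocks whose returns
    follow a single-index model r_i = beta * r_m + e_i.

    r_m is the systematic (market) return common to every stock and e_i is the
    unsystematic shock specific to stock i. The data are simulated, not real."""
    rng = random.Random(seed)
    returns = []
    for _ in range(n_periods):
        r_market = rng.gauss(0.0, sigma_market)          # shared by all stocks
        total = 0.0
        for _ in range(n_stocks):
            r_specific = rng.gauss(0.0, sigma_specific)  # unique to this stock
            total += beta * r_market + r_specific
        returns.append(total / n_stocks)                 # equal weights
    return returns


def realised_variance(n_stocks, n_periods=5000, **params):
    """Sample variance of the simulated portfolio return."""
    return statistics.pvariance(portfolio_returns(n_stocks, n_periods, **params))


def model_variance(n_stocks, beta=BETA, sigma_market=SIGMA_MARKET,
                   sigma_specific=SIGMA_SPECIFIC):
    """Variance implied by the single-index model: a systematic floor that
    diversification cannot remove plus a specific term that shrinks as 1/N."""
    systematic = (beta * sigma_market) ** 2
    unsystematic = sigma_specific ** 2 / n_stocks
    return systematic + unsystematic


def systematic_floor(beta=BETA, sigma_market=SIGMA_MARKET):
    """Variance that remains however many stocks are held (market risk)."""
    return (beta * sigma_market) ** 2


def diversification_table(sizes=(1, 5, 20, 40, 200)):
    """Map portfolio size -> (simulated variance, model variance)."""
    return {n: (realised_variance(n), model_variance(n)) for n in sizes}


if __name__ == "__main__":
    floor = systematic_floor()
    print(f"systematic floor (cannot be diversified away): {floor:.6f}")
    for n, (sim, model) in diversification_table().items():
        print(f"{n:4d} stocks: simulated variance {sim:.6f}, model {model:.6f}")
```

Beyond the page's "20, 30, or 40" example, the table shows that even 200 stocks cannot push the variance below the systematic floor, which is the point made about market risk.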
Market risk
Market risk is the risk of losses in positions arising from movements in market prices.[1] Some market risks
include:
Equity risk, the risk that stock or stock index (e.g. Euro Stoxx 50, etc.) prices and/or their implied
volatility will change.
Interest rate risk, the risk that interest rates (e.g. Libor, Euribor, etc.) and/or their implied volatility will
change.
Currency risk, the risk that foreign exchange rates (e.g. EUR/USD, EUR/GBP, etc.) and/or their implied
volatility will change.
Commodity risk, the risk that commodity prices (e.g. corn, copper, crude oil, etc.) and/or their implied
volatility will change.
Economic Risk
The possibility that an economic downturn will negatively impact an investment. For example, launching a
luxury product immediately before or during a recession carries a great deal of economic risk. Economic risk
is closely related to political risk, as government decisions impacting the economy may also affect an
investment. For example, a central bank may raise interest rates or the legislature may raise taxes, and this
may result in economic conditions impacting an investment.
Interest rate risk
Interest rate risk is the risk that interest rates (e.g. Libor, Euribor, etc.) and/or their implied volatility will
change.
Interest rate risk is the risk that arises for bond owners from fluctuating interest rates. How much interest
rate risk a bond has depends on how sensitive its price is to interest rate changes in the market. The
sensitivity depends on two things, the bond's time to maturity, and the coupon rate of the bond.[1]
The risk that an investment's value will change due to a change in the absolute level of interest rates, in
the spread between two rates, in the shape of the yield curve or in any other interest rate relationship.
Such changes usually affect securities inversely and can be reduced by diversifying (investing in fixed-
income securities with different durations) or hedging (e.g. through an interest rate swap).
Interest rate risk affects the value of bonds more directly than stocks, and it is a major risk to all
bondholders. As interest rates rise, bond prices fall and vice versa. The rationale is that as interest rates
increase, the opportunity cost of holding a bond decreases since investors are able to realize greater
yields by switching to other investments that reflect the higher interest rate. For example, a 5% bond is
worth more if interest rates decrease since the bondholder receives a fixed rate of return relative to the
market, which is offering a lower rate of return as a result of the decrease in rates.
Foreign exchange risk
Foreign exchange risk (also known as exchange rate risk or currency risk ) is a financial risk posed by an
exposure to unanticipated changes in the exchange rate between two currencies.[1][2] Investors and
multinational businesses exporting or importing goods and services or making foreign investments
throughout the global economy are faced with an exchange rate risk which can have severe financial
consequences if not managed appropriately.[3][4]
1. The risk of an investment's value changing due to changes in currency exchange rates.
2. The risk that an investor will have to close out a long or short position in a foreign currency at a loss due to
an adverse movement in exchange rates. Also known as "currency risk" or "exchange-rate risk".
This risk usually affects businesses that export and/or import, but it can also affect investors making
international investments. For example, if money must be converted to another currency to make a certain
investment, then any changes in the currency exchange rate will cause that investment's value to either
decrease or increase when the investment is sold and converted back into the original currency.
Credit risk
Credit risk refers to the risk that a borrower will default on any type of debt by failing to make payments
which it is obligated to do.[1] The risk is primarily that of the lender and includes lost principal and interest,
disruption to cash flows, and increased collection costs. The loss may be complete or partial and can arise in
a number of circumstances.[2] For example:
A consumer may fail to make a payment due on a mortgage loan, credit card, line of credit, or other loan
A company is unable to repay amounts secured by a fixed or floating charge over the assets of the
company
A business or consumer does not pay a trade invoice when due
A business does not pay an employee's earned wages when due
A business or government bond issuer does not make a payment on a coupon or principal payment when
due
An insolvent insurance company does not pay a policy obligation
An insolvent bank won't return funds to a depositor
A government grants bankruptcy protection to an insolvent consumer or business
To reduce the lender's credit risk, the lender may perform a credit check on the prospective borrower, may
require the borrower to take out appropriate insurance, such as mortgage insurance or
seek security or guarantees of third parties, besides other possible strategies. In general, the higher the risk,
the higher will be the interest rate that the debtor will be asked to pay on the debt.
Types of credit risk
Credit risk can be classified in the following way:
Credit default risk - The risk of loss arising from a debtor being unlikely to pay its loan obligations in full
or the debtor is more than 90 days past due on any material credit obligation; default risk may impact all
credit-sensitive transactions, including loans, securities and derivatives.
Concentration risk - The risk associated with any single exposure or group of exposures with the
potential to produce large enough losses to threaten a bank's core operations. It may arise in the form of
single name concentration or industry concentration.
Country risk - The risk of loss arising from a sovereign state freezing foreign currency payments
(transfer/conversion risk) or when it defaults on its obligations (sovereign risk).
Liquidity risk
The risk that arises from the difficulty of selling an asset. An investment may sometimes need to
be sold quickly. Unfortunately, an insufficient secondary market may prevent the liquidation or limit
the funds that can be generated from the asset. Some assets are highly liquid and have low liquidity risk
(such as stock of a publicly traded company), while other assets are highly illiquid and have high liquidity
risk (such as a house).
Liquidity is generally defined as the ability of a financial firm to meet its debt obligations without incurring
unacceptably large losses. An example is a firm preferring to repay its outstanding one-month commercial
paper obligations by issuing new commercial paper instead of by selling assets. Thus, "funding liquidity risk"
is the risk that a firm will not be able to meet its current and future cash flow and collateral needs, both
expected and unexpected, without materially affecting its daily operations or overall financial condition.
Financial firms are especially sensitive to funding liquidity risk since debt maturity transformation (for
example, funding longer-term loans or asset purchases with shorter-term deposits or debt obligations) is one
of their key business areas.
In response to this well-known risk, financial firms establish and maintain liquidity management systems to
assess their prospective funding needs and ensure the funds are available at appropriate times. A key element
of these systems is monitoring and assessing the firm's current and future debt obligations and planning for
any unexpected funding needs, regardless of whether they arise from firm-specific factors, such as a drop in
the firm's collateral value, or from systemic (economy-wide) factors. To balance its funding demand, both
expected and unexpected, with available supply, a firm must also incorporate its costs and profitability
targets.
Financial firms can meet their liquidity needs through several sources ranging from existing assets to debt
obligations and equity. The most readily available is operating cash flows arising from interest and principal
payments from existing assets, service fees, and the receipt of funds from various transactions. For example,
active management of the timing and maturity of firms' asset and liability cash flows can enhance liquidity.
In addition, firms may sell assets that are near-term cash equivalents, such as government securities. This is
typically done on a contingency basis to meet unexpected cash needs, and such liquidity reserves must be
actively managed, since the assets must be unencumbered (that is, not pledged as collateral for any other
transaction) and easy to liquidate under potentially adverse market conditions.
Operational risk
An operational risk is defined as a risk incurred by an organisation's internal activities.
Operational risk is the broad discipline focusing on the risks arising from the people, systems and processes
through which a company operates. It can also include other classes of risk, such as fraud, legal risks,
physical or environmental risks.
A widely used definition of operational risk is the one contained in the Basel II [1] regulations. This
definition states that operational risk is the risk of loss resulting from inadequate or failed internal processes,
people and systems, or from external events.
Operational risk management differs from other types of risk, because it is not used to generate profit
(e.g. credit risk is exploited by lending institutions to create profit, market risk is exploited by traders and
fund managers, and insurance risk is exploited by insurers). They all however manage operational risk to
keep losses within their risk appetite - the amount of risk they are prepared to accept in pursuit of their
objectives. What this means in practical terms is that organisations accept that their people, processes and
systems are imperfect, and that losses will arise from errors and ineffective operations. The size of the loss
they are prepared to accept, because the cost of correcting the errors or improving the systems is
disproportionate to the benefit they will receive, determines their appetite for operational risk.
The Basel II Committee defines operational risk as:
"The risk of loss resulting from inadequate or failed internal processes, people and systems or from external
events."
However, the Basel Committee recognizes that operational risk is a term that has a variety of meanings and
therefore, for internal purposes, banks are permitted to adopt their own definitions of operational risk,
provided that the minimum elements in the Committee's definition are included.
Legal Risk
The potential loss that may occur to an investment as a result of insufficient, improperly applied, or simply
unfavorable legal proceedings in the country in which the investment is made. For example, a country may
have inadequate bankruptcy protection or, in an extreme circumstance, the government may be able to
seize property without provocation. On the other hand, legal risk exists even in countries that operate under
the rule of law: a court, for instance, may find against a company in a given lawsuit, creating a precedent for
other companies with similar operations.
Legal risk is also the type of risk that a counterparty is not legally able to enter into a contract. Another
legal risk relates to regulatory risk, i.e., that a transaction could conflict with a regulator's policy or, more
generally, that legislation might change during the life of a financial contract.
A description of the potential for loss arising from the uncertainty of legal proceedings, such as bankruptcy,
and potential legal proceedings.
Regulatory Risk
Exposure to financial loss arising from the probability that regulatory agencies will make changes in
the current rules (or will impose new rules) that will negatively affect the already-
taken trading positions.
The risk that a change in laws and regulations will materially impact a security, business, sector
or market. A change in laws or regulations made by the government or a regulatory body can increase
the costs of operating a business, reduce the attractiveness of investment and/or change the competitive
landscape.
For example, utilities face a significant amount of regulation in the way they operate, including
the quality of infrastructure and the amount that can be charged to customers. For this reason, these
companies face regulatory risk that can arise from events - such as a change in the fees they can charge
- that may make operating the business more difficult.
Another type of regulatory risk would be a change by the government in the amount of margin that
investment accounts are able to have. While this is an unlikely change, if it were to be changed, the
impact on the stock market would be material as this would force investors to either meet the new
margin requirements or sell off their margined positions.
Political risk
The risk that an investment's returns could suffer as a result of political changes or instability in a country.
Instability affecting investment returns could stem from a change in government, legislative bodies, other
foreign policy makers, or military control.
Political risk is also known as "geopolitical risk," and becomes more of a factor as the time horizon of an
investment gets longer.
Political risks are notoriously hard to quantify because there are limited sample sizes or case studies when
discussing an individual nation. Some political risks can be insured against through international agencies or
other government bodies.
The outcome of a political risk could drag down investment returns or even go so far as to remove the ability
to withdraw capital from an investment.
The risk of loss when investing in a given country caused by changes in a country's
political structure or policies, such as tax laws, tariffs, expropriation of assets,
or restriction in repatriation of profits. For example, a company may suffer from such loss in the case of
expropriation or tightened foreign exchange repatriation rules, or from increased credit risk if
the government changes policies to make it difficult for the company to pay creditors.
Political risk is a type of risk faced by investors, corporations, and governments. It is a risk that can be
understood and managed with reasoned foresight and investment.
Broadly, political risk refers to the complications businesses and governments may face as a result of what
are commonly referred to as political decisions, or "any political change that alters the expected outcome
and value of a given economic action by changing the probability of achieving business
objectives".[1] Political risk faced by firms can be defined as "the risk of a strategic, financial, or personnel
loss for a firm because of such nonmarket factors as macroeconomic and social policies (fiscal, monetary,
trade, investment, industrial, income, labour, and developmental), or events related to political instability
(terrorism, riots, coups, civil war, and insurrection)."[2] Portfolio investors may face similar financial losses.
Moreover, governments may face complications in their ability to execute diplomatic, military or other
initiatives as a result of political risk.
A low level of political risk in a given country does not necessarily correspond to a high degree of political
freedom. Indeed, some of the more stable states are also the most authoritarian. Long-term assessments of
political risk must account for the danger that a politically oppressive environment is only stable as long as
top-down control is maintained and citizens prevented from a free exchange of ideas and goods with the
outside world.[3]
Understanding risk partly as probability and partly as impact provides insight into political risk. For a
business, the implication for political risk is that there is a measure of likelihood that political events may
complicate its pursuit of earnings through direct impacts (such as taxes or fees) or indirect impacts (such as
opportunity cost forgone). As a result, political risk is similar to an expected value such that the likelihood of
a political event occurring may reduce the desirability of that investment by reducing its anticipated returns.
There are both macro- and micro-level political risks. Macro-level political risks have similar impacts across
all foreign actors in a given location. While these are included in country risk analysis, it would be incorrect
to equate macro-level political risk analysis with country risk as country risk only looks at national-level
risks and also includes financial and economic risks. Micro-level risks focus on sector, firm, or project
specific risk.
Reputational risk
Reputational risk, often called reputation risk, is a type of risk related to the trustworthiness of a business.
Damage to a firm's reputation can result in lost revenue or destruction of shareholder value, even if the
company is not found guilty of a crime. Reputational risk can be a matter of corporate trust, but serves also
as a tool in crisis prevention.[1]
This type of risk can be informational in nature or even financial. Extreme cases may even lead
to bankruptcy (as in the case of Arthur Andersen). Recent examples of companies include: Toyota, Goldman
Sachs, Oracle Corporation, NatWest and BP. The reputational risk may not always be the company's fault as
per the case of the Tylenol cyanide panic after seven people died in 1982.[2]
Reputational risk
A company's reputation is perhaps its most valuable asset. Reputational risk is the possible loss of the
organisation's reputational capital. Imagine that the company has an account similar to a bank account that
they are either filling up or depleting. Every time the company does something good, its reputational capital
account goes up; every time the company does something bad, or is accused of doing something bad, the
account goes down.
The commercial bank examination, which is a supervisory manual published by the Federal Reserve Board
in the US to provide guidance in bank inspections, defines reputational risk as the potential loss in
reputational capital based on either real or perceived losses in reputational capital. In fact, the manual states
very clearly that a company can lose its reputation whether allegations are true or not.
Some corporations try to understand what the potential risks are to the company's reputation and either
prepare crisis management responses or solutions.
Many of the leading experts in the field of communication and strategy believe that being able to assess and
manage a company's reputational risk is one way to attain a competitive edge, especially in an increasingly
negative global business environment as shown in polls describing people's feelings toward business, such as
the Edelman Trust Barometer.
Example
The pharmaceutical company Merck knew that side effects from the drug Vioxx could lead to heart
problems in some patients. In fact, after the company faced lawsuits related to the complications from taking
this drug, a memo was discovered showing that executives within the company knew about the side effects
and had warned senior managers about the dangers associated with taking Vioxx in some patients.
These warnings were ignored. If the company had understood the risk to its reputation, it would have
understood that in the long term, the money it was making selling the drug was not worth the potential loss in
reputational capital to the organization as a whole.
Project risk
A project risk is an uncertain event that, if it occurs, has a positive or negative effect on the prospects of
achieving project objectives
Three aspects of the definition are especially important:
Uncertain event: something may or may not happen, e.g. somebody becomes ill or the temperature drops
below a certain point making a chemical process impossible.
Positive or negative effect: project risk is not necessarily negative (increased costs, decreased quality etc.);
It can also be positive (new valuable product features due to the use of new technology or opening up a new
market segment due to some project adjustments).
Project objectives: the project goals are at stake if a risk occurs. Severe negative risks can lead to the
cancellation of a project whereas minor risks may slightly increase the completion time of a project.
Strategy risk
Exposure to loss resulting from a strategy that turns out to be defective or inappropriate.
Strategic risk is the risk of losses to the credit organization as a result of mistakes (imperfections) made
in taking the decisions that define the strategy of the Bank's activity and development (strategic management),
and the resulting non-consideration or insufficient consideration of possible threats to the Bank's activity, inadequate
or insufficiently substantiated definition of the prospective business lines where the Bank could gain an advantage over
its competitors, and the absence or incomplete provision of the necessary resources (financial, material and technical,
human) and organizational measures (managerial decisions) that must ensure the achievement of the strategic
objectives of the credit organization.
The major goal of strategic risk management is to maintain the risks taken by the Bank at levels determined
in accordance with its strategic tasks and to ensure safety of assets and capital by minimization of possible
losses.
The Bank uses the following methods of strategic risk management:
business planning;
financial planning;
monitoring of approved plans' implementation;
market analysis;
readjustment of plans.
Demographic factors
Socioeconomic characteristics of a population expressed statistically, such as
age, sex, education level, income level, marital status, occupation, religion, birth rate, death
rate, average size of a family, average age at marriage. A census is a collection of the
demographic factors associated with every member of a population.
Unit 6:
Risk assessment
Risk assessment is the determination of quantitative or qualitative value of risk related to a concrete
situation and a recognized threat (also called hazard). Quantitative risk assessment requires calculations of
two components of risk (R): the magnitude of the potential loss (L), and the probability (p) that the loss will
occur. In all types of engineering of complex systems sophisticated risk assessments are often made
within Safety engineering and Reliability engineering when it concerns threats to life, environment or
machine functioning. The nuclear, aerospace, oil, rail and military industries have a long history of dealing
with risk assessment. Also, medical, hospital, and food industries control risks and perform risk assessments
on a continual basis. Methods for assessment of risk may differ between industries and whether it pertains to
general financial decisions or environmental, ecological, or public health risk assessment.
Value at risk:
In financial mathematics and financial risk management, Value at Risk (VaR) is a widely used measure of the risk of loss on a specific portfolio of financial assets. For a given portfolio, probability level and time horizon, VaR is the threshold value such that the probability that the mark-to-market loss on the portfolio over that horizon exceeds the threshold (assuming normal markets and no trading in the portfolio) equals the given probability level.
For example, if a portfolio of stocks has a one-day 5% VaR of $1 million, there is a 0.05 probability that the portfolio will fall in value by more than $1 million over a one-day period if there is no trading. Informally, a loss of $1 million or more on this portfolio is expected on 1 day out of 20 (because of the 5% probability).
A loss that exceeds the VaR threshold is termed a "VaR break." Thus VaR is financial jargon for a percentile of the predictive probability distribution of the size of a future loss. In other words, given a record of portfolio value over time, the one-day VaR at level α is simply the negative of the α-quantile of the distribution of day-over-day changes in that value (the loss is the negative of the change, so the lower tail of the changes is the upper tail of the losses).
VaR has four main uses in finance:
Risk management,
Financial control,
Financial reporting and
Computing regulatory capital.
VaR is sometimes used in non-financial applications as well.
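The historical-simulation form of VaR described above, as an added worked example (this is not code from the original notes): it computes one-day P&L from a value history, takes the negative α-quantile as VaR, lists the VaR breaks, and runs a rolling out-of-sample back-test to check that breaks occur at roughly the stated frequency (about 1 day in 20 at 5%). The 11-day value series and the seeded random-walk series are constructed for illustration, and all function names are my own.

```python
"""Historical-simulation Value at Risk, VaR breaks and a rolling back-test.

Added example; not code from the original notes. All input series are
constructed (one by hand, one from a fixed-seed random walk) so it runs offline.
"""
import math
import random


def daily_pnl(values):
    """Day-over-day mark-to-market change; a negative entry is a loss."""
    return [later - earlier for earlier, later in zip(values, values[1:])]


def empirical_quantile(sample, q):
    """Lower empirical q-quantile: the smallest observed value with at least
    a fraction q of the sample at or below it (no interpolation)."""
    if not 0.0 < q < 1.0:
        raise ValueError("q must lie strictly between 0 and 1")
    ordered = sorted(sample)
    idx = math.ceil(q * len(ordered)) - 1
    return ordered[max(idx, 0)]


def historical_var(values, alpha=0.05):
    """One-day VaR at probability level alpha from a value history.

    VaR is the loss threshold exceeded with probability alpha: the negative
    of the alpha-quantile of the one-day P&L distribution. A 5% VaR of 5
    means P(one-day loss > 5) = 0.05, i.e. about 1 day in 20.
    """
    return -empirical_quantile(daily_pnl(values), alpha)


def var_breaks(values, var):
    """Indices of P&L days whose realised loss exceeded the VaR threshold."""
    return [i for i, pnl in enumerate(daily_pnl(values)) if -pnl > var]


def backtest(values, window, alpha=0.05):
    """Rolling out-of-sample back-test of the VaR estimate.

    For each day after the first `window` P&L days, VaR is estimated from the
    preceding `window` days only, then that day's realised loss is checked
    against it. Returns (breaks, days_tested); a well-calibrated estimate
    gives breaks close to alpha * days_tested.
    """
    pnl = daily_pnl(values)
    breaks = 0
    for t in range(window, len(pnl)):
        # values[t-window : t+1] holds exactly the `window` P&L days before t
        var = historical_var(values[t - window:t + 1], alpha)
        if -pnl[t] > var:
            breaks += 1
    return breaks, max(len(pnl) - window, 0)


# Constructed 11-day value history (hypothetical figures, e.g. $ millions).
SAMPLE_VALUES = [100, 98, 101, 103, 99, 100, 102, 97, 99, 100, 101]


def synthetic_values(days, start=1_000_000.0, daily_vol=0.01, seed=7):
    """Constructed random-walk value path with Gaussian daily returns
    (fixed seed, so the run is reproducible)."""
    rng = random.Random(seed)
    values = [start]
    for _ in range(days):
        values.append(values[-1] * (1.0 + rng.gauss(0.0, daily_vol)))
    return values


if __name__ == "__main__":
    var5 = historical_var(SAMPLE_VALUES, 0.05)
    var20 = historical_var(SAMPLE_VALUES, 0.2)
    print(f"one-day 5% VaR: {var5}; 20% VaR: {var20}")
    print("days breaking the 20% VaR:", var_breaks(SAMPLE_VALUES, var20))
    breaks, tested = backtest(synthetic_values(500), window=250)
    print(f"back-test: {breaks} breaks in {tested} days "
          f"({breaks / tested:.1%}, expected about 5%)")
```

On the constructed series the 10 daily P&L values sorted ascending are -5, -4, -2, 1, 1, 1, 2, 2, 2, 3, so the 5% VaR is the worst day (5) and the 20% VaR is the second-worst (4); only the day that lost 5 "breaks" the 20% VaR, and nothing breaks the in-sample 5% VaR, which is why the rolling back-test on held-out days is the meaningful check. A break is counted only when the loss strictly exceeds the threshold, matching the text's "exceeds".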
Operational risk management:
Operational Risk Management (ORM) is defined as a continual, cyclic process comprising risk assessment, risk decision making and the implementation of risk controls, resulting in the acceptance, mitigation or avoidance of risk. ORM is the oversight of operational risk, including the risk of loss resulting from inadequate or failed internal processes and systems, human factors, or external events.
Four Principles of ORM
The U.S. Department of Defense summarizes the principles of ORM as follows:
Accept risk when benefits outweigh the cost.
Accept no unnecessary risk.
Anticipate and manage risk by planning.
Make risk decisions at the right level.
Three Levels of ORM
In Depth
In-depth risk management is used before a project is implemented, when there is plenty of time to plan and prepare. Examples of in-depth methods include training, drafting instructions and requirements, and acquiring personal protective equipment.
Deliberate
Deliberate risk management is used at routine periods through the implementation of a project or
process. Examples include quality assurance, on-the-job training, safety briefs, performance reviews,
and safety checks.
Time Critical
Time-critical risk management is used during operational exercises or the execution of tasks. It is defined as the effective use of all available resources by individuals, crews and teams to accomplish the mission or task safely and effectively, applying risk management concepts when time and resources are limited. Examples of tools used include execution checklists and change management. This level requires a high degree of situational awareness.