Corporate risk management
Risk, Uncertainty & Risk management
Course
The probability and the impact of a risk has to be analysed.
Low probability and high impact risk are difficult to manage high chance that we’ll neglect them. If
you work with historical data, there might be not enough data to work with because the risk does not
occur often.
A risk can lead to other risks. Dealing with risk can be complex because they do not arise alone. The
effect can be larger than anticipated.
Uncertainty: Everything in the future, there is a certain element of uncertainty.
A state of not knowing whether a proposition is true or false.
True uncertainty cannot be measured.
Risk: No universal definition
= certain scenario, with a certain consequence and a certain probability.
2 enterprise risk management perspectives (see further as well):
COSO : “risk is the possibility that events will occur and affect the achievement of objectives”
ISO: “the effect of uncertainty on objectives”
Risk measure: mathematical method for computing risk.
Risk measurement: summary number that captures risk which is obtained by applying data to a risk
measure.
Risk measurement is the number you get when applying your risk measure.
4 types of uncertainty: (UNIE)
1. No uncertainty
2. Established uncertainty
= we know the consequences, we know the probabilities risks we can manage well.
3. Imaginable uncertainty
= we know the consequences, but not the probability for example a fire
4. Unimaginable uncertainty
= we don’t know the consequences and we don’t know the probabilities
Overview of major risks: (can also be classified otherwise, eg: firm-specific, industry-specific, ..)
Financial risks:
Interest rate, foreign exchange, credit risk, commodity, liquidity
Non-financial risks:
Operational, regulatory, legal, reputation, political and sovereign, value chain
1
,Financial risks:
Market risk
= Risk of loss due to adverse movement in asset prices
Associated with interest rates, foreign exchange, commodity and equity risk.
Market risk management has evolved significantly.
Example:
devaluation, sudden drops in currency: This will impact the business
Ryanair: oil price changes, they tried to hedge. commodity risk: This impacted their
profit.
Credit risk
o Customers’ or business’ credit risk: credit risk associated with normal business
activities, like trade credit.
o Counterparty credit risk stemming from derivatives:
Otc: over the counter: derivatives can be traded on regulated markets, but the vast
majority are OTC’s: settled directly between trading room of banks and big firms.
Risk that the counterparty could default to a derivatives transaction before
the final settlement (eg default on outstanding swap)
Rapid development in derivatives markets in terms of growth and
complexity has increased credit risk and the need for more advanced risk
management tools.
Liquidity risk
o Funding liquidity risk
= Ability to raise the necessary cash to roll over its debt or meet its obligations
(payments, margins, …).
o Asset liquidity risk
= you want to trade, but is there a counterparty who’s interested?
Risk that transaction cannot be executed with the desired trade size and without
generating a significant price impact.
can lead to losses if the transaction cannot be postponed
Non-financial risk
Operational risk
= The risk of loss resulting from inadequate or failed internal processes, people and systems
or from external events.
Examples include fraud, human error, technological risk (e.g. failing IT systems).
operational risk is difficult to assess: Occurrence is infrequent but consequences could be
severe
Other risks include:
regulatory, legal or contract, reputation, political and sovereign, value chain
Risk management is not a process in isolation: interaction with value chain management needed.
For example switch between suppliers impacts entire value chain.
See CH1 slide 19.
2
,In the beginning: no risk management, it did not fit in the state of mind. People lived according to
God’s will If a risk happened, God wanted it like this.
Evolution: from risk as isolated events to integrated events. Now risks are a part of businesses.
Evolution of Risk management: Traditional to ERM
Traditional risk management:
o Segmented/ silo approach:
starts from segmented approach: looking at risks separately.
o Risk management is disjoint activity with no close link to business activities
o Managing risks one by one
o Risk managment solutions start from silo level
o Reactive, focusing on preventing losses
ERM: enterprise risk management:
o Holistic approach
o Create a risk culture and risk awareness
o Strong portfolio approach (incl. intangibles such as customers, employees, …)
o Firm-wide strategy is starting point for risk management policy
o Proactive, strategic focus (firm value creation via risk management)
Risk concerns should be part of the decision you make. In the past, they took a
decision and then tried to deal with the risk after the decision had been made.
Example: slide 25.
ERM is characterised by 5 dimensions:
1. Risk transparency and insight
Risk identification is a key first step
(identify likelihood of occurrence and possible opportunities)
This phase will help the firm to consolidate and prioritize risks.
Three steps often used:
A heat map,
An exercise to identify the company’s principal risks
a risk reporting system that delivers consistent and insightful information
The output is a risk register
Ensures that risk information is captured in a consistent manner
Simplifies communication within organisation.
See slide 28 +29
2. Risk appetite and strategy
Determine risk capacity first:
= Firm’s ability to withstand risk without unwanted side effects (downgrading,
cancelled key projects, reputation effects, …).
Risk strategy:
= Decide risk level that firm is comfortable with.
If outcome on firm is not acceptable, the risk appetite should be lowered or risk
response strategy should be applied to align risk exposures with risk appetite.
See slide 32
Risk response strategy
3
, o Risk avoidance
eliminate the risk all together.
The cost of removal of the risk should be weighed against the lost
opportunity and how the removal would affect the business objective
E.g. close oil exploration because of political risk.
o Risk mitigation
for instance via diversification
E.g. diversification over supplier in different regions can reduce foreign
exchange risk and supply chain risks.
o Risk transfer
transfer (a part of the) risk to another party.
E.g. hedging, insurance, JV
o Risk acceptance
A firm can accept a risk because it is economic sensible (low impact; high
cost of risk transfer,…) or other strategies are not feasible.
See slide 34 + 35
3. Risk-related business processes and decisions
= Integration of risk management processes in overall information management and decision
system, as well as in performance and incentive compensation schemes.
Integration will allow the organisation to (re-)act quickly.
Strategic and other decisions should be aligned with the firm’s risk appetite and should be
risk transparent.
See case bottom slide 36
4. Risk organization and governance
Board responsibility:
Risk oversight should not only be responsibility of the board’s audit committee but
all directors.
Board should interact with top management
ERM organisation
Should enable an integrated approach to risk management.
5. Risk culture
The norms of behaviour for individuals and groups within a company that determine the
collective willingness to accept or take risk, and the ability to identify, understand, discuss,
and act on the organization’s risk.
the culture in the corporation will define how people will deal with/ look at risks.
Flaws in risk culture: (know 4 terms + one example) (DADA)
Detachment:
“it might happen, but we still have time”
slow response
Avoidance:
beat the system, gaming
Ambiguity:
Poor definition, understanding, communication and tracking of risks
lack of insight, poor communication, ..
Denial:
“head in the sand” approach to recognizing and surfacing risks
Fear of bad news, overconfidence, ..
4
