Tuesday, July 8, 2014

What do you mean by risk management? Explain the different aspects of financial risk management.

Risk management, as it is understood today, largely emerged during the early 1990s, but the term ‘risk management’ was used long before this. Since the 1960s, it has been, and frequently still is, used to describe techniques for addressing insurable risks. This form of ‘risk management’ encompasses: risk reduction through safety, quality control and hazard education; alternative risk financing, including self-insurance and captive insurance; and the purchase of traditional insurance products, as suitable.
More recently, derivative dealers have promoted ‘risk management’ as the use of derivatives to hedge or customize market-risk exposures. For this reason, derivative instruments are sometimes called ‘risk management products’. The new ‘risk management’ that evolved during the 1990s is different from either of the earlier forms. It views derivatives as a problem as much as a solution. It focuses on reporting, oversight and segregation of duties within organizations. 
So what is this management? Risk management— or financial risk management, should we want to distinguish it from other uses of the word— can be defined as practices by which a firm optimizes the manner in which it takes financial risk. It includes monitoring of risk taking activities, upholding relevant policies and procedures, and distributing risk-related reports. 
Note that risk management is not about optimizing risk in some sense. That is the province of the board of directors and senior management, perhaps working with more tactical risk takers such as traders or portfolio managers. No, risk management is about optimizing the manner in which risk is taken. Accordingly risk management is not about managing anything. It is really about facilitating. 
A related concept is enterprise risk management, which is the extension of financial risk management, in some sense, to non-financial contingencies. It is a somewhat elusive concept that means different things to different people. Firms have experimented with the concept, combining financial risk management, insurance purchasing, and contingency planning into a single business unit. A challenge has been the culture clash between the worlds of finance and insurance. Few professionals are expert in both.
Organizationally, financial risk management is implemented in different ways. There may be, within the board of directors, a risk committee. Usually, there is some sort of risk oversight committee, comprising senior managers. In practice, various names are given to these two committees. A senior manager, called the head of risk management or chief risk officer (CRO), reports to the risk oversight committee. This head of risk management may oversee a single department called the risk management department. Professionals working within that department, called risk managers, are responsible for facilitating the taking of applicable financial risks— market risks, credit risks and operational risks— by other departments within the firm. In larger organizations, there may be more specialization. The head of risk management might oversee three professionals: a head of market risk management, a head of credit risk management and a head of operational risk management. Each would oversee a respective department. Other arrangements are also possible.
Functionally, there are four aspects of financial risk management. Success depends upon a positive corporate culture, actively observed policies and procedures, effective use of technology, and independence of risk management professionals.

(a) Culture 
It is a fact that an organization will only manage risk if its members want to manage risk. Regulators struggle with this every day. They can force a bank to implement a multi-million dollar value-at-risk system. They can require an insurance company to implement hundreds of pages of procedures. But they cannot force an institution to effectively manage risk. 
It is individuals who decide whether or not they are going to manage organizational risk. Unfortunately, there is a big incentive for them to choose not to. The very sorts of behaviour which reduce organizational risk entail significant personal risk. 
For example: A clerk who blows the whistle on a trader may get the problem resolved, or he may end up without a job. A board member who wishes to expand the use of risk management must stick her neck out. At the risk of appearing alarmist, she must suggest that potentially significant problems are not currently being addressed. A trader— whose compensation depends primarily upon his reputation in the organization— can only manage risk if he first acknowledges that he is capable of making mistakes. An executive who wishes to address the risk of employee fraud may risk alienating his own colleagues. 
Risk management is about rocking the boat, asking questions and challenging the establishment. No one can manage risk if they are not prepared to take risk. While individual initiative is critical, it is corporate culture that facilitates the process. Corporate culture defines what behaviour the members of an organization will condone— and what behaviour they will shun. Corporate culture plays a critical role in risk management because it defines the risks which an individual must personally take if they are going to help manage organizational risks. A positive risk culture is one which promotes individual responsibility and is supportive of risk taking.

Characteristics include: 

Individuals making decisions: Group decision making can be ineffective if no one is personally accountable. When a single person makes a decision— possibly with the help or approval of others— that individual is accountable. His reputation is on the line, so he will carefully analyze the issues before proposing a course of action. 

Questioning: In a positive risk culture, people question everything. Not only does this identify better ways to do things, it also ensures that people understand and appreciate procedures.
Admissions of ignorance: Mark Twain once said, “I was gratified to be able to answer promptly. I said I don’t know.” Admitting that we don’t know entails significant personal risk. A positive risk culture supports such honesty at every level of an organization. No risk culture is perfect. Fortunately, few are beyond repair. The challenge of risk management is to honestly assess an organization’s culture, and then work to improve it. 

(b) Policies and procedures 
When you mention policies and procedures, people are likely to roll their eyes, as thoughts of red tape and bureaucracy flood their minds. This is unfortunate. Used correctly, procedures are a powerful tool of risk management. The purpose of policies and procedures is to empower people. They specify how people can accomplish what needs to be done. It is only when policies and procedures are neglected or abused that they become an impediment.
The success of policies and procedures depends critically upon a positive risk culture. Hundreds of pages of procedures, neatly printed and sitting on a shelf, are useless if no one uses them. However, even a simple set of procedures can make an enormous difference for an organization if people believe in them and take personal responsibility for upholding them. Procedures systematize the process of risk management. Consider market risk limits. These are a form of procedure which systematizes oversight of market risk. They make explicit how much risk is too much risk for any given segment of a portfolio.
Without risk limits, someone would have to track the risks being taken by individual traders and apply their own subjective judgement as to how much is too much. Should they decide to act on their subjective judgement that a trader is taking too much risk, the affected trader may reasonably feel that the decision is arbitrary or unfair— he might ask: “what about the market opportunity I was pursuing or the client whose needs I was trying to meet?” 
Whenever procedures do not exist, there is increased potential for disagreement, misunderstanding and conflict. A lack of procedures increases the personal risk that individuals must take if they are going to manage organizational risk. Accordingly, a lack of procedures tends to promote inaction. Effective procedures, on the other hand, empower people. They lay out specifically what people should do— and what they should not do— in a given situation. By reducing uncertainty— individual risk— they promote action. Examples of procedures include: 

Board procedures: Every board of directors or governing body should operate under a set of procedures which address conflicts of interest, clarify personal responsibility and facilitate the discussion and resolution of difficult or contentious issues. 
Lines of reporting: Everyone in an organization should report to a single person. The line of reporting should be explicit. A worthwhile illustration for this is the Bank of England’s report on the Barings collapse. That report identifies four different people who may have had oversight responsibility for Nick Leeson. 
Trading authority: Whenever an organization engages in a new form of market activity— such as the use of a new form of transaction, a new hedging strategy or proprietary trading— there should first be a formal review and approval process. A streamlined procedure should apply for granting new responsibility to any trader. 

Risk limits: Market and credit risk limits represent procedures for managing risk. There should also be procedures for establishing and reviewing such limits in order to assure that the system of limits remains effective. 
An organization should have formal procedures for changing policies or procedures. Experienced risk managers know that proposals for an informal or hasty change to procedures sometimes indicate an effort to cover up something that existing procedures would otherwise highlight. Also, because procedures become outdated over time, it is easy for organizations to change how they operate without formally recognizing that the change is taking place. Informal practices evolve out of habit, instead of by a deliberate process. Because they may be adopted out of necessity or convenience— without considering how they impact organizational risk— they, too, are a source of risk. Often, periods of change are a time of increased risk for an organization. Procedures for changing policies or procedures are an excellent mechanism that encourages people to recognize changes as they are taking place and formally address the risks that they pose.

(c) Technology 
The primary role technology plays in risk management is risk assessment and communication. Technology is employed to quantify or otherwise summarize risks as they are being taken. It then communicates this information to decision-makers, as appropriate. Technology might include a VAR system or portfolio credit risk system. It can include financial engineering technology for independently marking to market positions. It may include an interactive risk report that is electronically circulated to managers every day. For many institutions, such as banks or securities firms, technology is a critical component of risk management. For other organizations, including some non-financial corporations or pension plans, technology plays a lesser role. 
For institutions which rely heavily on technology, there is always a risk of the cart being placed before the horse, with technology becoming the focus of risk management. If an organization launches a risk management initiative by first allocating money to the project and then issuing a request for proposal, that can be a warning sign. A more staged approach starts off by recognizing that risk management is primarily about people— how they think and how they interact with one another. Technology is just a tool. In the wrong hands, it is worse than useless, but applied appropriately, it can transform an organization.
A good approach to implementing an enterprise risk management initiative is to initially allocate minimal funding for the initiative, but ensure that board members or senior management or other supervisors are involved in the process. Start by planning a risk management strategy that involves no technology at all. This can be an empowering exercise. It focuses participants on the procedural and cultural issues of risk management. Ultimately, it is these which determine the success of an initiative. Once you have decided on a strategy for managing risk, then determine where technology needs to be incorporated or where it can enhance the strategy.

(d) Independence 
For risk management to succeed, risk managers must be independent of risk taking functions within the organization. Holton (2004) defines independence as comprising the following four criteria:
1. Risk managers have reporting lines that are independent from those of risk taking functions.
2. Except at the highest levels, risk takers have no input on the performance reviews, compensation or promotion of risk managers, and conversely.
3. Employees cannot switch from one role to the other. Those hired into risk management stay in risk management; those hired as risk takers stay as risk takers.
4. Risk managers do not take risk on the firm’s behalf. They do not advise on which risks to take. They express no opinions about the desirability of any particular risks.
The first three items are straightforward. The fourth is more subtle— or perhaps, controversial. It speaks to the very heart of what constitutes risk management. Let’s briefly address the first three items and then proceed to the question: what is the role of risk management, anyway? Enron’s experience with risk management is instructive. The firm maintained a risk management function staffed with capable employees. Lines of reporting were reasonably independent in theory, but less so in practice. The group’s mark-to-market valuations were subject to adjustment by management. The group had few career risk managers. Enron maintained a fluid workforce. Employees were constantly on the lookout for their next internal transfer. Those who rotated through risk management were no different. A trader or structurer whose deal a risk manager scrutinized one day might be in a position to offer that risk manager a new position the next. Astute risk managers were careful to not burn bridges. Even worse, risk managers were subject to Enron’s “rank and yank” system of performance review. Under that system, anyone could contribute feedback on anyone, and the consequences of a bad review were draconian. Risk managers who blocked deals could expect to suffer in “rank and yank.” Of the above four criteria for independence, Enron was weak on the first but utterly failed to satisfy the second two. Despite the sophistication of individual employees, risk management at Enron was hollow.
Proceeding now to the fourth criterion for independence, we want to distinguish between risk taking and risk management. Within firms, there are strategic and tactical risk takers. The CEO and other senior managers are strategic risk takers. They formulate a strategy for the firm that entails taking certain risks. They communicate the strategy to tactical risk takers— including traders, structurers, and asset managers— whose job it is to implement that strategy. This is how businesses have operated for hundreds of years, so where do risk managers fit in? While not typically acknowledged, there are two competing models.
According to one model, strategic and tactical risk takers need help taking risk. Under this theory, super risk takers— risk managers— are required to intervene. They identify risks that should be avoided and, in doing so, risks that should be taken. In this manner, risk managers help the less qualified strategic and tactical risk takers do their jobs. 
There is much wrong with this model. First, it is redundant. If strategic or tactical risk takers are not capable of doing their jobs, the answer is not to hire a super risk taker to do it for them. Rather, it is to replace them with strategic and tactical risk takers who are up to the task. Second, it undermines accountability. If a trade turns sour, is the trader at fault, or is the risk manager who failed to block the deal? Third, it leads to conflict. While strategic risk takers will never feel threatened that a super risk taker might usurp their prerogatives, tactical risk takers often do. At some firms, the result has been a cold war between the front and middle offices. 

Finally, risk managers are positioned to be used as scapegoats. With corporate scandals fresh in memory, one can understand why some senior executives may be all too happy ascribing full responsibility for risk taking to a chief risk officer. With this model, risk management can become a device for executives to manage career risk as opposed to a device for managing corporate risk.

The alternative model is that risk managers are facilitators. Strategic and tactical risk takers are responsible for deciding what risks to take. Risk managers facilitate the process by ensuring effective communication between the two groups. They help strategic risk takers communicate through policies, procedures and risk limits. They help tactical risk takers communicate by preparing risk reports that describe the risks they are taking. To avoid the pitfalls of the risk-managers-as-super-risk-takers model, risk managers must have no authority to take risk on the firm’s behalf. They do not advise on risk taking issues because, if their advice is routinely followed, they will become de facto risk takers. To avoid the semblance of giving advice, they express no opinions about the desirability of taking any particular risks. It is one thing for a risk manager to measure risk. It is entirely another for the risk manager to express an opinion that the risk is too large or otherwise not worth taking. With risk managers not expressing opinions, tactical risk takers don’t feel threatened… so there is no cold war. With risk managers not responsible for taking risks, there is little possibility of shifting blame to them when things go wrong.

Risk has two components, namely uncertainty and exposure. If both are not present, there is no risk. There are six types of risk. Credit risk is the risk due to uncertainty in a counterparty’s ability to meet its obligations. Credit analysis is used to describe any process for assessing the credit quality of a counterparty. Legal risk can be a particular problem for institutions that transact business across borders. A firm is exposed to liquidity risk if markets on which it depends are subject to loss of liquidity. Market risk is exposure to the uncertain market value of a portfolio. Most operational risks are managed within the departments in which they arise. Four aspects of financial risk management are positive corporate culture, actively observed policies and procedures, efficient use of technology and independence of risk management professionals.
