Hello and a very warm welcome to the Financial Risk Management course. I am Umar Manzar and I have over 12 years of experience in organizations all over the world. Throughout my career, I have been involved in risk management processes for companies in various sectors spanning from logistics to banking.
I'm currently working as a full-time freelancer and my clients range from startups to large multinational corporations. I help my clients solve complex risk management and strategic questions around strategic planning, resource allocation, profitability maximization, and investment management. I also publish financial content so you can follow me on LinkedIn in case of interest.
In my experience, risk management courses are very complicated and the concepts are difficult to grasp. These courses revolve around quantitative topics and there is less emphasis on the practical considerations of risk management. In this course, we attempt to cover the fundamentals of risk management to provide you with a solid foundation so that you can continue your learning journey.
If you lead an organization or work to support the decision-making process of organizations, you're often faced with deciding what should be done next. That decision is easier to make if you knew what was going to happen in the future. Yet, understanding the future is clouded by an increasingly complex world that seems to be moving faster and faster with an ever-expanding array of options. That is where financial risk management comes in.
Financial risk management is the technique of protecting a company company's economic value by utilizing risk management and mitigation techniques to manage exposures to financial risk, which includes operational, credit, and interest rate risk, among other things. We tend to associate the word risk with negative connotations. Risk, on the other hand, is necessary and inextricably linked to success.
A variation from an expected outcome is a standard deviation of risk. This variation might be expressed in absolute terms or relative to something else, such as market benchmark. While the deviation could be good or bad, most professionals agree that it reflects some degree of desired outcome for your assets.
As a result, in order to earn bigger profits, one must be willing to take on more risk. The basic premise behind risk management is to minimize the chances of unfavorable outcomes and maximize the chances of positive outcomes. If this task leaves your head spinning, you have come to the right place. This course will get you started on understanding financial risk management and can help you and your organization improve decision making. As far as the requirements of this course are concerned, students need to have a basic knowledge of finance and accounting.
Students need to have a basic understanding of corporate management and organization structures. Problem solving skills are absolutely critical, but most importantly, patience to go through the material and a desire to learn will go a long way. This is how the course is structured.
In section one, we will be discussing what risk is and explore statistical and probability concepts in the context of this course. In Section 2, we will delve into risk management and explore risk tolerance and risk budgeting. Section 3 will explore the importance of managing people, processes, technology, and unexpected risks. In Section 4, we will discuss the various types of financial risks, namely credit, foreign exchange, interest rate, and operational risks. Finally, in Section 5, we will discuss various risk measurement metrics.
such as standard deviation, value at risk, and scenario analysis. We will also explore risk transfer and risk shifting techniques. Please remember to make use of the case studies in this course. In these case studies, we will be applying the concepts we have learned. We have a total of nine case studies which will provide you with ample practice.
The supporting files are provided together with this course. Now that we have discussed the course requirements and the course content, it's time to get started. I hope you are as excited as I am as we delve into the world of financial risk management. I look forward to our association in this course. Before we can answer the question, what is risk management, we must first answer the question, what is risk?
This isn't an easy question to answer. Risk is a very hard concept to understand. We must evaluate both the unpredictability of future events and the utility or benefits of those outcomes when defining risk. When someone walks on a frozen lake, they are taking a risk not only because the ice may crack, but also because if it happens, the consequences may be disastrous. In contrast, we would talk about the chance of ice breaking on a lake when no one is trying to cross it on foot.
We would only use the phrase risk if the cracking ice had an impact on someone or something. The term risk is frequently associated with negative or negative outcomes. However, focusing just on the negative aspects of financial risk would be a mistake.
Financial risk management is about maximizing chances for profit as well as minimizing risks. More unpredictability is bad and less randomness is beneficial, all other things being equal. It is undoubtedly appropriate to focus on downside measurements.
This will be covered in more detail later in the course. However, there is a danger of upside as well. Everything else is seldom equal in the world of financial management, and more uncertainty is nearly always associated with a higher possibility for profit.
Upside risk is sometimes referred to as opportunity. Although the two terms are interchangeable, and more risk is compensated by larger expected profits. Firms that properly handle all risks, both on the downside and on the upside, are successful.
Let's take a look at an example. Burger King introduced the Impossible Whopper, plant-based, protein equivalent of a beef burger, to their menu in August 2019. The Impossible Whopper was an instant hit, with sales up 5% year over year in the first quarter. This was Burger King's largest rise since 2015. Burger King took a risk by offering a meatless burger in addition to their popular beef burgers. This was a dangerous decision because original Whopper fans may be hesitant to try it and vegans may be skeptical. Burger King succeeded by introducing Impossible Whopper because they differentiated themselves from the competition by providing a vegan alternative.
The Impossible Whopper is said to resemble a standard Whopper in appearance and taste. They also catered to a whole new group of folks who had never eaten at one of their restaurants previously due to dietary restrictions or preferences. Other chains such as McDonald's in Germany followed suit. Let's discuss another example.
Microsoft made its debut in the gaming world in 2001 with the release of its first well-known system, the Xbox. It was released in November 2001 in North America and March 2002 in Japan. Because Microsoft was a relatively unknown firm in the gaming space, creating a game system was a risky proposition. Nintendo, Sony, and Sega already had a devoted following in the gaming world. Microsoft needed to come up with something new and better in order to compete with Sony and Nintendo.
In 2002, Microsoft also decided to reduce the price of their console from $299 to $199 in order to make it more affordable to more families. The Xbox was an enormous success. Microsoft had an advantage over the already popular PlayStation with Halo, a first-person shooting game with a distinctive PC-like build. They also took the Xbox to various expos early on, which helped the console acquire traction and the addition of a fresh gaming experience added to the excitement.
Risk is a term that encompasses both the uncertainty of events as well as the utility or value of those outcomes. Think of profits as the future outcomes for future enterprises. Because the fundamental goal of financial firms is to maximize profits, the notion that only profits count is quite near the truth.
Other factors like Status, company ranking, and jobs may be important, but they are secondary and are neglected here. This means that risk is very complicated and can't be described with a single number. We need to think about all possible outcomes when talking about risk.
Most of the time, we use summary measures to learn about the distribution because the full distribution is too hard to measure or understand. and we want to make it easier to understand when talking about risk. Defining risk can be tricky. It can be defined in terms of profitability or predictability.
The examples of Burger King and Microsoft depict that the risk that these corporations took were difficult to quantify in terms of expected profitability or predictability, for that matter. Nonetheless, these were significant risks. and these corporations came out on top. This module was all about asking the right questions about risk. As we continue to work our way through the course, we will learn more about the characteristics of risk and start answering those questions.
It's difficult to think about uncertainty and randomness. If risk could be reduced to a single number, life would be a lot easier, but that isn't possible. The illusion of certainty is a human tendency and there is a great temptation to reduce future uncertainty and contingency to a single definitive number.
However, ignoring future unpredictability and relying on a set number to depict the future leads to numerous errors and misconceptions. We will be discussing these numerous errors and misconceptions. in this module. Our world is filled with unpredictability, but human intuition isn't very adept at dealing with probabilities and randomness. Experience and training do not necessarily prepare us to comprehend or deal with ambiguous situations.
Let's take a look at an example. There were once 80 million BlackBerry users worldwide, including former US President Barack Obama, who only stopped using his in 2016. In the mid to late 2000s, BlackBerry Messenger was the dominant form of professional and personal contact, with everyone demanding to know your PIN. The introduction of iPhone spelled trouble for BlackBerry.
Apple began to dominate the mobile market by supporting bring-your-own-device rules and guidelines within companies, whereas BlackBerry ignored touchscreen-based technologies. In 2014, three years after Apple had integrated Siri in all of their devices, there were rumors that BlackBerry was working on a Siri-like voice assistant called BlackBerry Assistant. Because of their inability to innovate, BlackBerry swiftly fell to a market share of 0.2% by early 2016. Kodak suffered a similar fate to Blackberry.
Kodak was a market leader in photographic film during the 20th century, having been founded in 1888. They came up with the Kodak Moment tagline which was used everywhere and they even got a shout out from Pitbull in his hit song, Give Me Everything. Enter digital cameras. Kodak's demise was due to their fear of innovation.
They built the first digital camera in 1975, but abandoned it due to concerns that it would suffocate their photographic film juggernaut. After that, digital seized over, and Kodak's competitors, including Fuji, outlasted the former photo kings. In 2012, Kodak declared bankruptcy, then resurfaced in 2013, substantially smaller and focused on business clients. As you will see from the examples we just discussed, when faced with difficulties of uncertainty and unpredictability, corporations adopt heuristics, which are rules of thumb or shortcuts for addressing complicated problems. Both Blackberry and Kodak stuck to their old ways and had to pay a very steep price.
Let's discuss the three factors that led to their demise. Starting off with the failure to adapt, at its peak, BlackBerry's and Kodak's innovation kept us all on our feet. For instance, the BlackBerry Messenger revolutionized instant messaging and its devices also helped speed up smartphones to what today are effectively portable mini computers but in the end these companies fell victim to their own stubbornness another reasons both companies failed was because they simply did not understand the market trends for example Kodak completely ignored the emergence of digital cameras in the market as such It didn't see the digital camera manufacturers as direct competition.
The marketing team at Kodak tried to convince the managers about the change needed in the company's core principles to achieve success, but Kodak's management committee continued to stick with its outdated idea of relying on film cameras. Even though both BlackBerry and Kodak were immensely successful at one point, these companies failed to experiment and reinvent themselves. For instance, Kodak built their first digital camera in 1975, but they abandoned it rather quickly.
Similarly, BlackBerry was very late to the touchscreen market, as it never thought that phones can also operate without keyboards. Shortcuts of sticking with the predictable and usual ways of working cause consistent errors. These are also known as cognitive biases.
One well-known experiment demonstrates the difficulty of understanding about probability and randomness. You will now be given an opportunity to participate in this experiment as well. The goal of this experiment is to rate the likelihood of assertions regarding someone's employment and hobbies based on background and corrector information.
I will be providing you with a description of Linda, who is 31 years old, single, assertive, and extremely clever. Linda studied philosophy in college, was concerned about discrimination and social justice, and took part in anti-nuclear protests. Can you please rank the likelihood of three different descriptions of Linda's present career and hobbies? In other words, please tell me what is more probable? A.
Linda works as a teller at a bank. B. Linda is a strong supporter of women's rights. Or C. Linda works as a teller at a bank and is involved in the feminist movement. If you chose option C, you are not alone.
In fact, over 80% of participants thought the possibility of a bank cashier and a feminist working together was higher than the probability of a bank teller working alone. In other words, they ranked C, which is both A and B together, above A alone. However, this is a mathematical impossibility.
Whatever Linda's current occupation and interests are, the likelihood that she is both a bank teller and an active feminist, C, that is, A and B combined, cannot be larger than the likelihood that she is only a bank teller. The likelihood of A and B together is never greater than the possibility of A alone. regardless of the details.
Another way to look at this issue is to remember that the whole universe of bank tellers is far greater than the subset of bank tellers who are also active feminists. Therefore, being a bank teller has to be more likely than being an active feminist bank teller. The purpose of this example is to make you understand that it's not uncommon for people to make blunders like this.
Representativeness, availability of instances or scenarios, and adjustment from an anchor are three shortcuts created by Kahneman and Trawerski to help people solve probability problems and deal with uncertainty. As demonstrated in the Lynda example, these heuristics frequently lead to errors or prejudices. These shortcuts and inability to embrace uncertainty also led to the demise of Blackberry and Kodak. Probability is the study of uncertainty and how to make sense of randomness. What should happen?
What should we see? A good example is the analysis of streaks, the chance of a team winning a series of games. This kind of problem is discussed in any basic probability textbook.
Rather than going through complicated probability calculations, we are going to discuss some simple examples to understand the concepts. Let's say that a series of three games is played between soccer clubs. The team that wins two games in a row is crowned as the winner of the series.
As shown in the table, there are four ways a team can win and four ways they can lose. They each have a 50% chance of winning one game, and each individual possibility has a 0.125% chance of happening. Let's look at the first example. A team wins twice in a row and then loses the last game. So the probability of each instance happening is 0.5.
So you multiply 0.5 three times, you get a probability of 0.125. Win total and the loss total after adding all these instances up is at 0.5. The conclusion isn't very surprising. But what if the teams aren't even? In this example, one team has a 40% chance of winning and the other has a 60% chance of losing.
How likely is it that the team that isn't as good still wins the series? In this example, a poor team will have a chance of getting two wins and one loss at 0.096, which is simply 0.4 times 0.4 times 0.6. It turns out that the probability that the team will win the series is 35% or 0.352 to be exact.
When you look at a longer series, the problem gets even more interesting. In baseball, the winner of a World Series is the winner of 4 out of 7 games. If you look at the statistics, the best team in the league wins about 60% of games during a season and the worst team wins about 40%. Pitting a 60% team against a 40% team would be about the same as pitting the top team against the bottom team. How likely would it be that the team with the lower probability would still win?
We just need to write down all the ways that could happen, figure out how likely each one is, and add them all up. There will now be 128 ways to do this instead of 8. To illustrate, I calculated the win and loss probability for the first instance. We repeat the process 128 times and we add up the probabilities of the win and loss scenarios.
The win total comes out to be 0.29 or 29% as opposed to a loss total that comes in at 71% or 0.71. I don't know about you, but to me, A 29% chance that the team that isn't very good will still win the series is surprising. It is also a good example of how probability theory can help us make sense of things.
If we hadn't already done this, we would have thought that the chance of it happening were much lower. This example also illustrates that our intuition is wrong or that our understanding of how we think about things is wrong. Probability theory and analysis helps us to look at our assumptions in a critical way and it also helps us in changing our assumptions so that they are more in line with our experience and reality.
When you look at win-loss situations, it turns out to be very useful and can be used to solve many problems. Coin tossing is the same. The probability of getting a heads or a tails is even at 50%.
The name for a process that has two outcomes. one of which is usually called success and the other failure is a Bernoulli test. When you repeat a Bernoulli test a lot, the number of times it works out is called a binomial distribution. Bernoulli trials and the binomial distribution can be used right away in finance and risk management.
The chances of losing more than 100,000 or even a million in one day are very low. We are often told that this is true. This is what value at risk is all about and I'll show you how to use it later in the course. In the past we used to look at our losses for one day as a Bernoulli trial.
99% chance of success versus 1% chance of failure. In this example the 1% chance of failure being that we will lose a hundred thousand or even a million in one day. If we repeat this process over and over again we will get a binomial distribution. Probability theory can help us figure out how likely it is that we will see one or more days where we lose a lot of money. It is not the goal of this section to go over probability theory in great detail.
Instead, it is to explain what it is and show how it can be used. Probability helps us think about uncertainty and randomness in a way that makes sense. It tells us what we should expect to see if we use a certain model or type of randomness in the world.
For example, it tells us how likely a team is to win a series or how likely it is for a company to have bad financial months. Once we get familiar with thinking along these lines, we can start quantifying a difficult concept such as risk. Please remember that building probabilistic intuition is important and I would say even necessary for anyone who wants to understand and apply the concepts of risk management. Probability theory might start by telling us that there is a one percent chance of a day where we lose more than a hundred thousand dollars it then tells us the chance that in a string of hundred days we will see exactly one or exactly two or exactly three of these days in statistics we start with the actual losses we see over a period of 100 days and then try to figure out what is going on behind the scenes using statistics we essentially try to answer the question is the chance of a loss worse than $100,000 equal to 1% or 2%. In addition, statistics gives us estimates of how confident we should be about the probabilities.
For example, we can figure out if we should be very sure that it's a 1% chance or if we should be a little more sure that it's somewhere between 0.5% and 1.5%. For the technical side of risk measurement, statistics are more important than probability. In risk management, probability is more important than risk itself. It's important to have a good idea of how randomness might affect future results. Without an understanding of how randomness rules our world, it is impossible to understand risk.
Consider the weather tomorrow. What does it mean when we say that there is a 30% chance of rain? This is not a true or false statement about how the world is viewed from today.
Tomorrow is a one-time event. Saying the probability is 30% is a statement about our confidence in the outcome or about the credibility of the evidence we use to predict that it will rain tomorrow. How likely is it that an asteroid hit the dinosaurs and killed them?
We can't apply frequency concepts or the law of large numbers to any of the two examples we have discussed because they won't happen again. Yet we need to apply, commonly do apply, and indeed can sensibly apply probabilistic thinking to these areas. Let's look at another example.
Bruno De Finetti, an Italian mathematician and statistician, used a clever trick to figure out how likely it is for one-off events to happen. If you want to think about something, you can apply the Diffiniti game. It's a thought experiment that looks at an event and how it's like picking balls out of a bag of balls.
The event we are going to discuss is about getting a perfect score on an exam. A friend took an exam and she is 100% sure she got a perfect score on the exam. In the words of Ben Franklin, nothing is certain.
except death and taxes. Exam grades, on the other hand, are notoriously hard for people to predict. Ask your friend to choose between two risk-free bets. If our friend gets a perfect score on their test tomorrow, we'll get $10.
If our friend picks a red ball out of a bag with 100 balls, we'll get $10. Now the bag is full of 99 red balls and there is only one black ball in it. This means there is a 99% chance our friend will pick a red ball.
Draw from the bag rather than wait for your exam score, most people would think. It's almost certain that you'll get the $10 by drawing from the bag. Our friend, who is being reasonable, probably doesn't think you have a better than 99% chance of getting a perfect score.
Assuming our friend chooses to draw a ball from the bag with 99 red balls. We can then pose another choice between the no lose gambles. $10 if the test score is perfect versus $10 if a red ball is drawn from a bag. However, this bag is filled with 80 red and 20 black balls.
If our friend chooses the test score, we know the subjective probability is between 80 to 99%. We can further refine the bounds by posing the choice between $10 for a perfect test score versus $10 for a red ball from a bag with 90 red and 10 black balls. Depending on the answer, the probability is between 90 to 99 percent or 80 to 90 percent.
Such a scheme can be used to find out how likely we think things are. Even if you only think about the game as a thought experiment, it can be very useful. People often change their probabilities when they play this game.
It makes us think more carefully about our probabilities and make them match up with our assessments of other events. People who work as weather forecasters don't change their assessments very often, which is interesting because they have to think a lot about their beliefs or subjective probabilities because of their job. However, successful risk management is all about constantly reassessing events in light of changing circumstances.
Think of successful risk management as constantly reassessing the outcomes if the number of blue and black balls in the Diffiniti bag change. Much of our previous discussion has focused on how randomness and uncertainty can deceive our human intuition. We've seen how simple it is to generate random runs and streaks that appear to be very non-random.
As human beings, we crave control over our surroundings, and we frequently impose the illusion of certainty and control over purely random events. It's all too easy and all too tempting to confuse luck for skill, which can lead to overconfidence in our own abilities. There is a fundamental tension here because confidence in one's abilities is as important in the financial arena as it is in any other area of life.
But please note that overconfidence can also breed complacency and an inability to recognize and adapt to new circumstances. I would like to share Malcolm Gladwell's 2009 essay in which he discusses the importance of psychology, specifically confidence and overconfidence in the finance industry. He focuses on Jimmy Cain and the fall of Bear Stearns in 2008. For those of you who aren't aware, Jimmy Cain was the CEO of Bear Stearns, a famous investment bank that crashed spectacularly and was swallowed by JP Morgan.
Jimmy also lost close to a billion dollars in that debacle. His reputation, 40 years in the making, was in ruins. especially when it came out that during the bear's final critical months, he'd spent an inordinate amount of time on the golf course.
Refer to the article for more information. It's an interesting read. In the article, Gladwell convincingly argues that such confidence is a necessary component of running an investment bank.
If those in charge of the bank do not have such optimism and confidence, why should customers or competitors? Nonetheless, such confidence can also be harmful. Gladwell also discusses our desire to exert control over events. When we desire to feel in control, it distorts our perception of random events. Many will argue that it was Jimmy Cain's desire to feel in control that led him to make huge blunders and essentially lose everything he had worked so hard for.
There was another fascinating experiment conducted in which Yale undergraduates were asked to predict the outcome of 30 random coin tosses. When questioned later, the students acted as if predicting the outcome of a random coin toss was a skill that could be honed with practice. Subjects whose tosses were manipulated to produce early streaks rated themselves as better guessers than other subjects.
despite the fact that all subjects guessed correctly half of the time. This experiment also depicts that overconfidence is a fundamental and difficult problem, especially when we talk about risk management. The situation is exacerbated by the natural human tendency to forget past negative events.
Perhaps this is just a part of the human psyche. It would be difficult to survive if past losses remained painful indefinitely. I'm still on the lookout to identify a foolproof method for avoiding overconfidence. However, Gladwell's final paragraphs are perhaps the most insightful.
At the end of his essay, he contrasts the bridge-playing expertise of Kane and others at Bear Stearns with the open world where one day a calamity can happen that no one had dreamed could happen. Bridge is a game of chance. A repeated game with fixed and unchanging rules to which the law of large numbers can be applied. We may become overconfident as a bridge player for a brief moment, but the repeated game will remind us of the underlying probabilities. The real world, on the other hand, is not a repetitive game, and the truly unexpected does occur from time to time.
Most importantly, Because the unexpected occurs infrequently, we may become overconfident for long periods of time before nature reminds us that the real world is not repetitive. At the risk of becoming philosophical, to me, luck is the randomness of life that can't be changed. Although luck cannot be controlled, it can be managed.
What do I mean when I say luck and risk? The interaction of the uncertainty of future outcomes with the benefits and costs of those outcomes is known as risk. Risk can be investigated and modified.
Luck persists even after learning everything there is to know about possible future outcomes, understanding how current conditions and exposures are likely to alter future outcomes, and adjusting those current conditions to optimally control costs and benefits. Some things are determined by luck and attempting to completely control luck is a fool's errand. Luck should be managed rather than controlled.
When talking about luck and risk, the question is not whether to take risks, which are unavoidable and part of life, but rather how to manage luck and keep the odds on one's side. The focus of this module has been twofold, randomness and luck. are inherent in the world and randomness is frequently difficult to recognize and comprehend.
The success or failure of risk managers, finance departments, and firms is at times determined by randomness and luck, which we must recognize, accept, and manage. In the following modules, we shift gears, focusing on the business side of risk management. The insights and approach to uncertainty discussed in this module must be internalized in order to manage risk appropriately on a day-to-day basis. Welcome to the second section of our course. In this module, we will be discussing the concepts of risk management and risk measurement.
Managing risk is at the core of managing any organization. This is probably one of the most important sentences you will hear in this course. The statement may seem obvious, even trivial, but remember that the risk management department is usually separate from the finance department or the line management.
So what exactly do I mean when I say managing risk is at the core of managing an organization? Words matter. and using the term risk management for a group that does not actually manage anything leads to the notion that managing risk is somehow different from managing other affairs within the firm risk management is the process by which an organization or individual defines the level of risk to be taken measures the level of risk being taken and the process of adjusting both with the goal of maximizing the company's finances or the individual's overall satisfaction. To repeat, managing risk is at the core of managing any organization.
It is too important a responsibility for a firm's managers to delegate. Managing risk is about making the tactical and strategic decisions to control those risks that should be controlled and to exploit those opportunities that can be exploited. Although managing risk does involve those quantitative tools and activities generally covered in a risk management textbook. In reality, risk management is as much the art of managing people, processes, and institutions as it is the science of measuring and quantifying risk. Let's take a look at risk measurement now.
Risk measurement is necessary to support the management of risk. Risk measurement is the specialized task of quantifying and communicating risk. In various sectors and industries, we have seen how risk measurement has justifiably grown into a specialized quantitative discipline.
In many institutions, those focused on risk measurement will be organized into an independent department with reporting lines separate from line managers. Risk measurement has three goals. Let's explore these goals further. Uncovering known risks faced by the portfolio or the firm.
By known risks, I mean risks that can be identified and understood with study and analysis, because these or similar risks have been experienced in the past by this firm or others. Such risks often are not obvious or immediately apparent, possibly because of the size. or diversity of the company but these risks can be uncovered with diligence the second point is making known risks easy to see understand and compare in other words the effective simple and transparent display and reporting of risk value at risk or var for short is a popular tool in this arena but there are other complementary techniques and tools lastly trying to understand and uncover the unknown or unanticipated risks.
Those that may not be easy to understand or anticipate, for example, because the organization or industry has not experienced them before. In my career, I have often come across people and processes that mistakenly assume that risk management is the same as risk measurement. This is certainly incorrect. Across industries, Probably more than any other, risk management must be a central responsibility for line managers from the board and CEO down through individual line managers. Managers within an organization must be, before anything else, risk managers in the true sense of managing the risks that the firm faces.
Extending the focus from the passive measurement and monitoring of risk to the active management of risk also drives one. towards tools to help identify the type and direction of risks and tools to help identify hedges and strategies that alter risk risk management as discussed earlier is the responsibility of managers at all levels of an organization to support the management of risk risk measurement and reporting should be consistent throughout the firm from the most disaggregate level up to the top management level risk measurement at the lowest level should aggregate in a consistent manner to firm wide risk although this risk aggregation is never easy to accomplish a senior manager should be able to view firm wide risk like the layers of an onion the senior manager peels back the layers and looks at increasingly detailed and disaggregated risk A uniform foundation for risk reporting across a firm provides immense benefits that are not available when firm-wide and desk-level risks are treated on a different basis. The distinction between risk management and risk measurement argues for a subtle but important change in focus from the standard risk management approach, a focus on understanding and managing risk in addition to the independent measurement of risk. Unfortunately, the term risk management has been appropriated to describe what should be termed as risk measurement in my experience.
Risk measurement requires specialized expertise and should generally be organized into a department separate from the main risk-taking units within the organization. Managing risk, in contrast, must be treated as a core competence of a firm and of those charged with managing the firm. Appropriating the term risk management in this way can mislead one to think that the risk-taker's responsibility to manage risk is somehow lessened.
diluting their responsibility to make the decisions necessary to effectively manage risk. The standard view posits risk management as a separate discipline and an independent department. I have observed that the risk measurement indeed requires technical skills and should often form a separate department.
Neither risk measurement experts nor line managers should confuse the measurement of risk with the management of risk. To conclude, in this module we discussed the concepts of risk management and risk measurement. Risk measurement tools can only go so far.
They help one to understand current and past exposures, which is a valuable and necessary undertaking but clearly not sufficient for actually managing risk. In contrast, the goal of risk management should be to use the understanding provided by risk measurement to manage future risks. The goal of managing risk with incomplete information is daunting precisely because quantitative risk measurement tools often fail to capture unanticipated events that pose the greatest risk. The art of risk management is not just in responding to anticipated events but in building a culture and organization that can respond to risk and withstand unanticipated events.
See you soon in the next module. Risk management framework flows logically from the definition of risk management that we previously discussed. It is the infrastructure, process, and analytics needed to support effective risk management in an organization.
This process should fully integrate the risk. and return aspects of the enterprise into decisions in support of best achieving its goals within its tolerance for risk risk management is not a one-size-fits-all solution it is integral to the enterprise's goals and needs thus it is best achieved through a custom solution despite customizations every risk management system our framework should address the following key factors risk governance risk identification and measurement risk infrastructure defined policies and processes risk monitoring mitigation and management communications and lastly strategic analysis not surprisingly these factors often overlap in practice let's discuss these factors individually Governance is the top-level system of structures, rights, and obligations by which organizations are directed and controlled. Normally performed at the board level, governance is how goals are defined, authority is granted, and top-level decisions are made. The foundation for risk management in the organization is set at the board level as well.
Risk governance is the top-down process and guidance that directs risk management activities. to align with and support the overall enterprise. A risk management committee is another facet of governance. It provides top decision makers with the forum for regularly considering risk management issues. To achieve the best results for an organization, risk governance should take an enterprise-wide view.
Enterprise risk management is an overarching governance approach applied throughout the organization and consistent with its strategy a guiding post for risk management framework to focus right activities on objectives health and value of the entire organization risk identification and measurement is the main quantitative core of risk management but more than that it must include the qualitative assessment and evaluation of all potential sources of risk and the organization's risk exposures. This ongoing work involves analyzing the environment for relevant risk drivers, which is the common term used for any fundamental underlying factor that results in a risk that is relevant or important to an organization, analyzing the business or portfolio to a certain risk exposures, tracking changes in those risk exposures, and calculating risk metrics to size these risks under various scenarios and stresses. Risks are not limited to what is going on in the markets.
There are many types of risks that can potentially impact a business. The power of technology has allowed for risk management to be more quantitative and timely. Management can measure and monitor risk, run scenarios, conduct statistical analysis, work with more complex models, and examine more dimensions and risk drivers, as well as doing it faster. Technology has made risk infrastructure even more important and beneficial in managing risk.
Risk infrastructure refers to the people and systems required to track risk exposures and perform most of the quantitative risk analysis to allow an assessment of the organization's risk profile. Infrastructure will include risk capture. Risk capture is an important operational process.
by which a risk exposure gets populated in a risk system. We then have a database and a data model, a stress or scenario engine, ability to generate reports, as well as some amount of skilled and empowered personnel resources dedicated to building and executing the risk framework. With increased reliance on technology, more time and effort must be allotted to test data, models and results in order to avoid the ironic outcome of the risk of errors coming from within the risk systems.
Obviously, the scope of risk infrastructure will be related to the resources or potential losses of the organization. Individuals and smaller businesses may rely heavily on an external partner or provider for much of their risk infrastructure and analysis. Policies and processes are the extension of risk governance into both the day-to-day operation and decision-making processes of the organization. There may be limits, requirements, constraints, and guidelines, some quantitative and some procedural, to ensure risky activities are in line with the organization's predetermined risk tolerance and regulatory requirements.
Much of this is just common sense business practice. You need to update and protect data, you need to control cash flows, conduct due diligence, and handle exceptions and escalations, while making checklists to support important decisions. In a good risk framework, processes would naturally evolve to consider risk at all key decision points, such as financial decisions around the company's future. Process of risk monitoring and management is the most obvious facet of a risk framework, but also one of the most difficult.
Actively monitoring and managing risk requires pulling together risk governance, identification and measurement, infrastructure, and policies and procedures to continually review and re-evaluate changing risk exposures and risk drivers. It requires recognizing when risk exposure is not aligned with risk tolerance and then taking action to bring them back into alignment. Communication of critical risk issues must happen continually and across all levels of the organization.
Governance parameters such as risk tolerances and associated constraints must be clearly communicated to and understood by managers. Risk metrics must be reported in a clear and timely manner. Risk issues must be reviewed and discussed as a standard part of decision making.
Changes in exposure must be discussed so that action can be taken as appropriate. There should also be a feedback loop with the governance body so that top-level risk guidance can be validated or updated and communicated back to the rest of the organization. Strategic analysis and integration help turn risk management into an offensive weapon to improve performance.
Good risk management is a key to increasing the value of the overall business. A risk management framework should provide the tools to better understand the how and why of performance and help sort out which activities are adding value and which are not. The feedback from the strategic analysis can be used to improve the risk management framework.
To conclude, in this module we discussed the key factors for creating a robust risk management framework. I encourage you to go back and review the factors to understand the fundamentals of each factor. As mentioned earlier, these factors often overlap in practice but as the framework will serve as an important foundation throughout the course, you need to understand the logic behind each of these factors.
See you soon in the next module. In this module, we will apply our knowledge of the risk management framework that we previously discussed. Let's have a brief look at the risk management framework. It is comprised of seven essential factors, namely governance, infrastructure, monitoring and mitigation, strategic analysis, identification, policies and processes, and communication.
We are now going to apply our knowledge by discussing the circumstances that led to the fall of a real-life company called Enron. The story of Enron Corp. depicts a company that reached dramatic heights only to face a dizzying fall. The fated company's collapse affected thousands of employees and shook Wall Street to its core.
At Enron's peak, its shares were worth $90.75. Just prior to declaring bankruptcy on December 2001, they were trading at $0.26. Enron had $100 billion in revenue and 29,000 employees at the beginning of 2001, and surprisingly, it filed for bankruptcy at the end of the same year. Once the experts started to scrutinize the documents after Enron's demise, it became apparent that Enron engaged in accounting fraud and erroneous reporting. The management of Enron was singled out for poor risk management practices, which made Enron the largest American bankruptcy at the time.
I am also providing an in-depth article titled, Risk Management and Organizational Governance, The Case of Enron, with this course. Please feel free to go through it in case of interest. Enron was formed in 1985, following a merger between Houston National Gas and Omaha-based InterNorth.
Following the merger, Kenneth Lay, who had been the chief executive officer of Houston Natural Gas, became Enron's CEO and chair. Lay quickly rebranded Enron into an energy trader and supplier. Deregulation of the energy markets allowed companies to place bets on future prices, and Enron was poised to take advantage. In 1990, Lay created Enron. Enron Financial Corp and appointed Jeffrey Skilling, whose work as a McKinsey consultant had impressed Lay to head the new corporation.
Skilling joined Enron at an auspicious time. The era's minimal regulatory environment allowed Enron to flourish. There were major red flags at Enron. Let's discuss them individually. One of Skilling's early contributions was to transition Andron's accounting from a traditional historical cost accounting method to a mark-to-market, or MTM for short, accounting method, for which the company received official U.S.
Securities and Exchange Commission approval in 1992. MTM is a measure of a fair value of accounts that can change over time, such as assets and liabilities. It aims to provide a realistic appraisal of an institution's or company's current financial situation, and it is a legitimate and widely used practice. However, in some cases, the method can be manipulated. since MTM is not based on actual cost but on fair value, which is harder to pin down.
Some believe MTM was the beginning of the end for Enron, as it essentially permitted the organization to log estimated profits as actual profits. Secondly, Enron created Enron Online in October 1999. It was an elective trading website that focused on commodities. Enron was the counterparty to every transaction on EOL.
It was either the buyer or the seller. To entice participants and trading partners, Enron offered its reputation, credit and expertise in the energy sector. However, Enron's claims of expertise were often exaggerated. At the time, the company was praised for its expansion and ambitious plans.
and ambitious projects. It was also named America's most innovative company by Fortune for six consecutive years from 1996 to 2001. One of the many unwitting players in the Enron scandal was Blockbuster, the former juggernaut video rental chain. In July 2000, Enron Broadband Services and Blockbuster formed a partnership to enter the burgeoning video on-demand market.
This market was a sensible pick, but Enron started logging expected earnings based on the expected growth of the VOD market, which vastly inflated the numbers. And lastly, the role of Arthur Anderson. In addition to Fasto, a major player in the Enron scandal was Enron's accounting firm, Arthur Anderson, and partner David Duncan, who oversaw Enron's accounts.
As one of the five largest accounting firms in the United States at the time, Anderson had a reputation for high standards and quality risk management. However, despite Enron's poor accounting practices, Arthur Anderson offered its stamp of approval, signing off on the corporate reports for years. By April 2001, many analysts started to question Enron's earnings and transparency.
There was also a big question mark over Arthur Anderson's role. Now on to the question that we need to solve. We need to identify at least three weaknesses in Endron's risk management framework. Let's start off with governance. There were major loopholes in Endron's governance.
The most important reason for this was that managers and Enron prioritized profits over consumer welfare. Identification is another area with major flaws. Enron had taken over some significant projects such as EOL and Blockbuster.
The management should have analyzed the risks across the business by aggregating and disaggregating risk factors across its segments. Enron also had serious issues when it comes to monitoring and mitigation. Instead of choosing an auditor that was professional and independent in its review, they decided to stick with Arthur Anderson.
This also casts a shadow over Arthur Anderson's risk management practices as well. Arthur Anderson was one of the first casualties of Enron's notorious demise. The firm was deeply disgraced as Anderson's accounting license was cancelled.
This was effectively a debt sentence for the firm. Poor risk management practices can have catastrophic implications as we saw in the case of Enron. Therefore, it's essential that companies incorporate robust risk management frameworks and continue to improve their processes to mitigate risk. See you soon in the next module. Risk governance is the foundation for risk management.
As defined earlier, it is the top-down process and guidance that directs risk management activities to align with and support the goals of the overall enterprise. It typically emanates from a board of directors with fiduciary obligations and risk oversights and who prescribe goals and authorities, referring to the definition of risk management Note that risk management is keenly focused on the risk and value of the overall enterprise. In addition to the responsibility for risk oversight, there are two other important areas in which the governing body drives the risk framework. First, it determines the organization's goals, direction, and priorities, which combined serve as a key foundation for enterprise risk management. Recall that enterprise risk management is an overarching governance approach applied across the organization.
that focuses risk activities on the objectives, health, and value of the whole organization. Second, it spells out the risk appetite or tolerance, meaning which risks are acceptable, which risks are to be mitigated, and to what extent, and which risks are unacceptable. Risk governance should also provide a sense of the worst losses that could be tolerated in various scenarios. and management should manage risk accordingly.
These considerations should flow naturally into decisions about risk budgeting to guide implementation of an optimal program that is consistent with that risk tolerance. Risk governance is the impact of the governing body of an organization on the risk management framework. It provides context for and clarity on an organization's value drivers and risk appetite, specifies clear authority to management to execute risk management, and ensures risk oversight to continually determine whether risk management is functioning well and consistent with the organization's value maximization. It is the governing body's job to tie the organizational goals and risk framework together. Thus, risk governance happens within an enterprise context.
Risk governance and risk oversight also entail compliance with regulatory requirements. Risk governance is a difficult and demanding discipline, and if it is going to flourish in an organization, it needs visible commitment from the top. Providing clear guidance with sufficient leeway to execute strategy is often a difficult balance.
Even more challenging is providing for advanced discussion and a clear decision and statement of organizational risk appetite. There is usually substantial discussion about this risk appetite after a crisis, but too often there is very little discussion during periods of normalcy when it would be much more beneficial. Because risk is one of the main strategic tools that management can regulate, it is especially important for governing bodies to openly discuss risk, consider scenarios, understand the impact of negative outcomes on the organization, and make it clear where they are not willing to venture.
Think of risk management as a pilot of a large plane. You, the risk manager, are sitting in a cockpit and are surrounded by numerous tiles with red zones clearly marked for fuel, speed, distance, etc. Much like a plane that comes with these red zones to establish boundaries for safe operation, risk governance bodies should likewise establish hypothetical red zones to ensure the safe operation of their enterprise. Governance that focuses on the entire enterprise will result in risk management that is much less likely to be at odds with the goals of the organization and more likely to enhance long-term value. Likewise, consideration of a full spectrum of risks and not just the most obvious quantitative risks will result in better risk governance.
Appropriate set of risks for an individual must be viewed not in isolation but in consideration of the goals and characteristics of the individual in a holistic view. For example, financial controller of an e-commerce company is trying to identify the different revenue sources for the firm. He identifies revenue sources as advertising, sale of products, membership subscriptions. and content creation.
The company derives 35% of its revenue from advertising, 55% of the revenue comes from sale of products, membership subscription accounts for 5% and content creation accounts for another 5%. What's wrong with this picture? As you can see, 90% of the revenue is coming from only two sources, namely advertising and sale of products.
This represents a significant risk as the company will suffer substantial financial losses if one of these revenue sources performs poorly. The controller can recommend that the company investigate increasing its revenue from membership and content creation. Risk Risk governance extends into management to include ways to ensure that the risk framework of an organization stays consistent with top-level guidance.
One useful approach is to provide a regular forum to discuss the risk framework and key risk issues at the management level. In other words, a risk management committee would be a key element of good risk governance. Its activities could parallel the governance body's risk deliberations, but at an operational level.
as opposed to high-level oversight. In this forum, governance overlaps many of the other aspects of the organization's risk framework. In fact, if done well, it integrates all of them. In the same way, another element of good risk governance is the formal appointment of a responsible executive as chief risk officer. The officer should be responsible for building and implementing the risk framework.
for the enterprise and managing the many activities. In the same manner that risks are inextricably linked with the core business activities, the CRO is likewise a key participant in the strategic decisions of the enterprise. This position is not solely a policing role.
Although the chief executive is responsible for risk as well as other aspects of an enterprise, It makes no more sense for the CEO to perform the role of the CRO than it would be for the CEO to perform the role of the CFO. Many firms now have a CRO in executive management, which had become best practice even in the years prior to the 2008 crisis. Holistic risk management is not possible without a strong risk governance framework. governance framework, we can dissect the risk appetite and identify hypothetical red zones.
It all starts with the senior management forum oversight at the top, followed by a risk management committee and the appointment of a chief risk officer. See you soon in the next module. Risk tolerance discussion and decision within the governing body is perhaps the most critical aspect of good risk governance. Selecting a portfolio of acceptable risk activities that will maximize value and deliver the highest returns possible for the given risk level is at the heart of business strategy. The responsibility of governance is to set the organization's risk appetite not to choose these activities.
Certain risks or levels of risks may be considered acceptable, while others may be considered intolerable, and risks in the middle may be pursued in a risk-limited manner. To put it another way, risk tolerance refers to how willing a company is to accept losses or opportunity costs as a result of failing to fulfill its goals. The right lens through which to approach the risk appetite question is from the standpoint of enterprise risk management. The risk tolerance is based on the integration of two independent analyses, an inside and an outside view.
First, what flaws in an organization would cause it to fail, or at the very least, fail to meet some key objectives? Second, what are the organization's unpredictable forces? What are its risk factors in other words?
With the answer to these two challenging questions in hand, a board may start defining the dimensions and levels of risk it is willing to accept. Before a crisis, this risk tolerance should be publicly established and disclosed, and it will act as a high-level guide for management in its strategic risk selection. Many organizations will do this after a catastrophe, which is preferable. than doing nothing but is similar to purchasing insurance after a loss has occurred. When there appears to be no pressing reason to do so, it is preferable to take care of it.
Similarly, some people may not think about their risk tolerance until after a crisis has occurred, at which point they realize the risk was not worth taking. Let's look at an example. Assume the board of directors of a French car manufacturer is calculating its risk tolerance. From the inside, it is concerned about two things, revenue and liquidity. It finds that a 5 to 10 percent loss in sales is acceptable.
but that a 25% drop would trigger cash flow issues and jeopardize the launch of its new flagship product. It needs 50 million euros in yearly cash flow for key capital expenditures over the next three years as part of this strategy, and it can put nearly none of this cash flow at risk. From the outside, it recognizes that it has no control over three major uncertainties or risks.
drivers change in foreign currency exchange rates no control over interest rate changes and no control over raw material costs rather than assuming a passive role as a risk watcher the board in this scenario formulates its risk tolerance using a top level analysis in this situation it may elect to limit yearly cash flow fluctuation to 20 million euros and revenue exposure to 10% in the event of a global recession. It may also specify other stated restrictions, such as the maximum cash or other risk exposure. This might include placing a cap on the amount of raw materials purchased from one country, other product strategies that management may adopt, may be made riskier as a result of this recommendation.
To eliminate cash flow unpredictability, the company may require more expensive financing solutions. Risk mitigation initiatives, such as a hedging plan, may be driven by governance limits, particularly for the key risk drivers that have been identified as areas of concern. Governance guidance is critical in assisting an organization in determining where risks should be actively pursued and where risks should be mitigated or modified. Strategic goals based on core strengths should be pursued, leading to the company taking risks that will best position the organization for success and value development.
Companies occasionally take chances in areas where they lack competence, jeopardizing their primary value creation as well as their entire organization. In areas where they have no comparative advantage, a well-functioning risk program would restrict or hedge such non-core risks. What factors go into determining a company's risk tolerance? Well, there is no such thing as a formula.
Most significantly, a firm's goals, expertise in specific areas, and strategy will aid a board in determining which risks the company should take and how serious they should be a company's capacity to respond quickly to negative occurrences may allow for a higher risk tolerance the amount of loss a firm can take without jeopardizing its viability should be included into its risk tolerance certain businesses are more vulnerable than others a company's internal compliance requirements should also not be discounted the compliance requirements should also help determine a company's internal risk tolerance because both the boards and investors expectations are usually formed in the context of how a firm is positioned in its industry the competitive environment is important the government and regulatory landscape are also important both in terms of ex-ante requirements for how companies approach risk and in terms of likely exposed reactions in the event of disasters. To determine where a board's zone of comfort is bounded, quantitative investigations like scenario analysis, economic models, and sensitivity to macro risk drivers may be applied. There are other factors that should not influence risk tolerance, but they do in many cases. Board members' personal motives, views, and agendas. firm size whether the market environment appears stable short-term pressures and management compensation all influence risk tolerance in ways that may not be in the best interest of the company Once risk tolerance has been established, the overall risk framework should be designed to measure, manage, and communicate compliance with it, bringing risk exposure in line with the enterprise's risk appetite.
Adequately gauging the risk tolerance factors that we have discussed forms an important part of governance. This type of governance activity not only ensures that the organization survives the worst-case scenario, but it also ensures a strategic trade-off between risk and return in the decision-making process, which enhances prospective returns for the given level of risk and value. It's simple to uncover business methods and investing approaches that appear to provide large profits, but they may come at the expense of putting the company in danger.
Many easier. Less well-reasoned tactics that incur excessive risk in comparison to the firm's risk tolerance would naturally be avoided if a structured risk governance framework with a declared risk tolerance were in place. Instead, it would steer the strategic conversation towards alternate methods that are more likely to provide value while accepting a fair risk within the enterprise's risk tolerance, rather than simply trading ruin for profit. Where risk tolerance ends, risk budgeting begins.
Risk tolerance is concerned with one's appetite for risk and what is and is not acceptable, whereas risk budgeting is concerned with how and why that risk is accepted. Risk budgeting quantifies and allocates tolerable risk based on specified indicators. It also extends and drives the risk tolerance decision implementation. Any company can benefit greatly from risk budgeting.
It is based on the idea that a company has to put together a collection of risk activities that can be grouped together to form a collection of risk characteristics. Understanding the assumptions on which your budget is founded is the ultimate goal of incorporating risk management into budget planning. Here are some strategies to help you reach that conclusion. We start off by identifying primary budget line items.
Risk assessing a whole budget may appear intimidating, but the best approach to tackling the risks of any new process is to break it down into components and focus on the ones that have the greatest potential impact. Thankfully, a budget is already cleanly split down into line items. All that's left now is to perform risk assessments to figure out which elements are the most important.
A risk assessment using consistent scoring criteria can assist you in comparing and prioritizing line items based on which ones will have the most influence on your company's goals. Then look into why the line items are the way they are. Who contributed to these figures?
How did they arrive at these figures? And who is in charge of meeting the goal on time and on budget? Is this figure based on previous performance? Is it the result of new legislation, rules, or operational changes?
You're unlikely to be aware of the assumptions that led to each of the line items you're interested in. Engaging key employees involved with each estimate is the only way to gather the information you require. The next point is around requesting input from key staff on main line items. Let's look at an example. There are two budgets available.
One involves growing a product that your organization has been providing for the past 20 years. The other budget is for a new product for an existing consumer-based segment. The line items for the 20-year-old product or service may be historically accurate, but they may overlook the expansion's intricacies. How much investment is involved? What is the expected success rate?
What about the other budget, which is for the brand new product? In this example, what assumptions were made. Does it really make sense for the company?
What you're looking for here is whether all of the risks have been identified as well as the team's confidence in their assumptions. Having these individuals do risk assessments that ultimately answer questions around product feasibility, investments, and competition is a fantastic method to gain this insight. The third point is around obtaining additional information.
I know it's a cliche, but it couldn't be a more worthwhile undertaking. Let's look at another scenario. Taxes are a big line item in every company's budget. Since the tax bill was recently overhauled, this will likely be a very low confidence line item in most circumstances.
The new tax package is vast, complicated, and not fully understood at this time. The important piece of information is that corporations will see a significant tax relief. The devil, however, is in the details. That is a risky assumption for any corporation to make.
Companies must be aware of how the tax bill will affect them in particular. Engaging subject matter experts, both inside and outside the firm, is the best method to gain more information on any line item. determine the questions you require answers to in order to increase the confidence level of essential line items and locate the people who can provide them.
Now we will discuss how to mitigate risks in budgeting. Once you have gathered all of the data you can on crucial line items, assessed the risks and are as confident in your forecasts as possible, You may continue to enhance the firm budget by implementing mitigation efforts for each of the identified risks. For example, if a line item has a high risk score, you can protect yourself against negative consequences.
Contingency plans can also be put in place well in advance of a risk event. Based on the risk assessment, you may decide that the budget has to be altered to account for the risk-reward trade-off you've discovered. When looking at the line items based on low confidence assumptions, this is very significant.
Overall, identifying and recording the risks associated in budgeting will put everyone at ease. No one wants to be in a position where they have to justify their predictions months later when things have gone wrong. Lastly, continuing to monitor risks and effectiveness of controls. Don't stop after you have completed steps 1 through 4. A budget is a dynamic document that is continually influenced by internal changes, market fluctuations, and even natural disasters.
To guarantee that your budgeting is accurate, set up a system for monitoring changes in the risks you have identified and collecting metrics to demonstrate the effectiveness of the controls you have put in place. There are numerous advantages to trying. risk management to budgeting. Following these five stages will help you create a more accurate projection, be more nimble and sensitive to changes in the months ahead, and improve your relationship with your managers and peers. One of the most important advantages of even the most basic risk budgeting is that it compels risk trade-offs and fosters a culture where risk is considered in all critical decisions.
Assume that the risk budget is insufficient to cover all of a company's activities. Risk budgeting should lead to a strategy of investing where the return per unit of risk is highest, whether explicitly or implicitly. Simply having a risk budget in place pushes decision makers to aim to bring value to the company with every risky move they make.
The risk budgeting paradigm incorporates this factor. into the decision-making process. Previously, we discussed the key concepts of risk tolerance and risk budgeting. Although they would have seemed a little abstract, I can assure you that they have real-life implications in corporations all over the world. Let's go through some examples and evaluate the situations using the concepts we have discussed in the previous modules.
Nick Leeson, a Singapore-based futures trader, lost $1.3 billion, bankrupting the 233-year-old Barings Bank. Leeson had amassed a significant position in Japanese Nikkei 225 stock market worth $7 billion in notional value, and he disguised his losses in a loss account when the Nikkei fell. And that's not all.
He continued to buy the stocks in the hopes of a market recovery. However, Japan was hit by an earthquake in the first two months of 1995, and the Nikkei fell by roughly 15%. Egushi, a New York-based trader for Daiwa Securities Group, lost $1.1 billion over an 11-year period. Egushi, like Leeson, had influence over both the front and back offices, making it easier to hide his losses. Yasuo, a copper dealer located in London, engaged in a series of prohibited speculative trades in order to increase his sections earnings.
However, the trades resulted in a total loss of $2.6 billion over the course of 13 years. Between 1997 and late 2001, currency trader John Rusnak, who worked for a miner subsidiary in Maryland, racked up $691 million in losses. He concealed his losses by faking hedging trades. and opening prime accounts which allowed him to trade through other institutions. Amaranth, a hedge fund which had made big wagers on energy markets, lost 65% of its $9.2 billion assets in just over a week in September 2006. Amaranth's bets were large compared to other hedge funds.
Amaranth had taken on a high amount of risk. We also discovered several parallels with the LTCM hedge fund catastrophe, starting with the fact that both funds took on very risky positions that their capital bases couldn't maintain if financial disasters occurred. Let's apply a risk appetite lens to these examples.
Although a single source of risk can result in significant losses, it is rarely enough to cause a disaster. Several types of dangers must normally interact for such an event to occur. Most critically, it indicates that a lack of sufficient controls is a decisive factor. Although insufficient controls do not cause the real financial loss, they do allow the business to take on more risk than is necessary and give extreme losses enough time to build.
Financial crises do not happen by chance. They show serious deficiencies in management and governance. Separating the numerous trading, compliance and risk management tasks is one technique to improve control structure. In the previous examples, we see that there was a high level of autonomy afforded to the people in question.
For instance, Leeson was in charge of both the front and back offices of Baring Singapore's trading section. This permitted him to take very huge positions and disguise his losses, which was a major component to the disaster. Another key factor was Bering's use of hazy matrix-based organizational charts.
Roles, duties, and supervisory responsibilities were not clearly defined. As a result of the absence of structure, risk budgeting was impossible. Let's review the deficiencies in the risk budgeting process now. On closer observation, it was noticed that the internal controls were either under the direct supervision of the trader or severely weak at all companies. Furthermore, trade was not the primary line of business.
Trading and back office activities were decentralized and put in the hands of specialists who had little contact with the corporate headquarters. This meant that the input was not requested from key staff members. Speaking of Amaranth, the decision to liquidate the fund had negative consequences due to the size of the holdings compared to the depth of the markets, which historical-based risk metrics would have grossly overestimated.
Furthermore, although adopting economically sound tactics, neither LTCM nor Amaranth understood the capacity constraint associated with their respective strategies. Market experts have also stated that basic risk management models to monitor risks and effectiveness of controls may have provided at least some advance notice of the possibility of substantial losses in our examples. Some of the most popular risk measures include variance, standard deviation, value at risk, measure of downside risk, conditional value at risk, and extreme value theory.
The massive financial losses and the painful consequences could have been avoided if the companies utilized some of these risk measures. We will be discussing some of these risk measures later in the course. In my experience, I believe that the main thing keeping companies from using risk measures is their own culture.
This is why governance and appropriate risk management practices are so important. They ensure the appropriate culture is in place, which then enables companies to outline their specific risk tolerances. I talked about the uncertainty, risk, and the theory of probability in the previous module.
Now I switch gears and move from the hard science to soft business management. Because risk management is all about managing risks, which means managing people, processes, data, and projects. We will be covering these topics in this section of the course. While assessing the global risks and opportunities faced by a large logistics company, I realized that it's not just about fancy mathematical techniques. It's about the day-to-day work of running an organization and dealing with the risks it faces.
Managing Risk means making the tactical and strategic decisions needed to control the risks that should be controlled and take advantage of the opportunities that should be taken advantage of. Managing profits and losses or the possibility of losses are inseparable. Any company needs to be able to handle risks well.
The single most important thing that separates successful and long-lasting firms from those that don't do well is their ability to manage risks well. These long-lasting firms balance the organizational goals with the risk appetite. Risk management has always been and still is the job of line managers at successful companies, from the board to the C-suite. Managers have always known that this is their job.
and good managers take this responsibility seriously. Over the past 20 years or so, the only thing that has changed is that better tools have been made to measure and quantify risk. Because of this, line managers now need more technical skills and knowledge than they did before. Good managers have taken advantage of these techniques to better deal with risks and take advantage of new opportunities.
But not all firms and managers have paid the investments in human capital and institutions that are needed to make the new quantitative tools useful for management. But it's important not to put too much weight on the value of quantitative tools. If there is one major complaint about the new risk management model, it is that the industry has put too much emphasis on measuring and not done enough of the old-fashioned work of managing risk.
In addition to quantitative measures, experience and intuition are also needed to manage risk. The quantitative tools are very helpful because they formalize and standardize a process that would otherwise be based on hunches and rules of thumb. However, they can't replace good judgment.
Risk management is about apprenticeship and learning by doing as much as it is about learning from books. It's more than just numbers. It's also about managing people, processes, and projects.
Risks that can be ensured or are a hazard can have an immediate impact on operations. So the first time risk management principles were used, it was to make sure that normal, efficient operations kept going. As risk management has grown, it has become more important to focus on project management and the delivery of programs. that improve business processes.
Processes need to work well enough to get the results that are needed. For example, it doesn't help much to have a software program that works well if it doesn't do all the things that are needed. The most important decisions a business has to make are strategic ones. With better information from risk management, strategic decisions can be made with more confidence.
The strategy that an organization chooses must be able to to get the results that are needed. This kind of plan can be effective. There are many examples of organizations that chose the wrong strategy or didn't do a good job of putting the strategy they chose into action. A lot of these businesses went bankrupt. The goal of strategy should be to make the most of opportunities.
For example, a sports club may realize that it could sell more products to the people who already go there. Some clubs will set up a travel agency for their fans who travel abroad, and they will also offer travel insurance. Also, a new finance subsidiary could run a credit card for the club. After finding these possibilities, the club will need to look at the risks that come with these possible investment opportunities and come up with a good set of projects to put the chosen strategies into action.
Making sure that the risk is taken into account during all of these steps will make it more likely that the right effective strategy will be chosen. Organizations that have good operations and processes but don't have the right strategy as a whole will fail. This will be the case no matter how good the operational and project risk management processes are.
More companies have failed because of bad strategy than because of bad operations. In a field like risk management that is changing quickly, there is a chance that different people will not like the way other people do things. Internal control experts who think that risk management is all about managing uncertainty and making sure that business goals are met shouldn't be against the more traditional way of doing things.
managing insurance risks. There is no point for one group of experts to look down on another group's way of doing things and refuse to use the expertise available in another group. In a field like risk management that is changing quickly, there is a chance that different people will not like the way other people do things.
Internal control experts who think that risk management is all about managing uncertainty and making sure that business goals are met shouldn't be against the more traditional ways of managing risks. There is no point for one group of experts to look down on another group's way of doing things and refusing to use the expertise available in the other group. In any case, there isn't a single risk management style or approach that has all the answers. Clearly.
The different styles that can be used should work together to make an organization stronger. The integrative approach to risk management recognizes that the organization must be able to deal with a certain amount of risk from hazards and must be willing to invest in risk from opportunities. In the context of risk management, insurance is the way to keep the financial cost of losses to a minimum when a risk materializes. Techniques for risk control and loss management will cut down on the expected losses and should keep the overall cost down.
When insurance and risk control are used together, the actual cost of risk losses will go down as well. This will reduce the organization's risk tolerance as it should. The company will then be able to invest in opportunities with more of its risk capacity.
Control management narrows the range of things that could happen when something happens. Control management is based on the tried and tested methods of internal financial control that internal auditors use every day. Think of control management as the internal audit function in organizations.
These functions ensure that checks and balances are in place and the accounting principles are being consistently applied. The main goal is to reduce losses caused by bad control management. and narrow the range of possible outcomes at the same time.
This is what internal control management should bring to an organization's overall approach to risk management. Opportunity management tries to make it more likely and more important for good things to happen. As part of its approach to opportunity management, the company should also look at ways to make more money from a product or service.
An example of opportunity management is the mergers and acquisitions function in organizations. These functions are on the lookout for ways in which the company value can be increased. In this module, we discussed the importance of balancing various perspectives when speaking of risk management. We saw how the organizational goals need to be balanced with the risk appetite. We also spent some time looking at how the technical aspects need to be balanced with the traditional aspects.
In any organization, different people have different perspectives. No one perspective is entirely correct or entirely flawed. These perspectives can be grouped under control management and opportunity management, both of which are essential for managing risks.
Managing people necessitates careful consideration of incentives and remuneration. Although I don't claim to have all of the answers when it comes to personnel or incentive structures, I do want to stress the importance of pay and incentive plan for risk management. Risk management is challenging for financial products and corporations in general, but the principal agent concerns generated by the separation of ownership and management significantly compound the issues for most businesses.
Risk encompasses both the uncertainty of outcomes and the utility of outcomes. As addressed earlier, the distribution of outcomes is objective in the sense that it can be witnessed and agreed upon by everyone, at least conceptually. In contrast, the usefulness of outcomes is subjective and dependent on individual preferences.
The preferences of the ultimate owner or beneficiary are the ones that really matter. Consider an individual CFO making risk judgments on his or her own. Although tough, the problem is fundamentally simple because the individual is making decisions about his own preferences.
Although preferences can be difficult to uncover, in this case, the CFO, who is also a risk manager, is calling all the shots and these choices are the ones that count. Now let's discuss the principal-agent problem. Consider a publicly traded company. The shareholders are now the ultimate beneficiaries.
Typically, shareholders do not operate the company. Instead, they hire expert managers and delegate authority and responsibility for risk management to them. The shareholders' preferences are still relevant when making risk decisions, but the management now makes the majority of the decisions. Shareholders must ensure that decisions reflect the their views but this presents two challenges the first is that the managers may be unaware of the owner's preferences which is a legitimate and possibly difficult issue but not the substance of the issue even if the owner's preferences are understood the second problem will arise the manager's choices will differ from those of the shareholders and the managers and owners interests will not be aligned the owners must devise a contract or pay structure that rewards managers for behaving in accordance with the owner's wishes and punishes them for acting against them. In economic literature, this problem is known as the principal-agent problem.
The essence of the problem is addressing the difficulties that arise when a principal hires an agent to perform some actions. The two parties' interests differ. and there is incomplete and asymmetric information, making it impossible for the principal to monitor the agent's behavior perfectly.
There will be some conflict of interest in almost every employer-employee relationship. The principal's interests will be to have some tasks or actions completed in order to maximize the principal's profit or achieve some other relevant goal. In most cases, The agent has additional interests. To complete the actions, the agent will have to exert effort and behave diligently, both of which are costly to the agent. The principal agent issue can be solved in a world with perfect information, no uncertainty, and costless monitoring.
For example, a contract may be drafted that specifies the required degree of effort or diligence, compensating the agent for the required amount of time. based on the effort expended or the action's observed consequence. The principal's and agent's interests can be perfectly aligned in such a world.
To reiterate, the principal-agent dilemma arises when there is uncertainty, asymmetric information, and costly monitoring, and establishing a contract to match the interests of principal and agent can be difficult. A compensation scheme can't usually be based on the agent's effort since it can only be noticed by the agent or it's too expensive to track. The compensation mechanism will be difficult to base on observable outcomes. First, measuring the effects properly may be difficult or impossible.
Second, the outcome may not reflect the agent's effort due to uncertainty. Rewarding output may reward lazy but lucky agents. while penalizing diligent but unlucky agents to the point that it provides no motivation for the agents to work hard. Furthermore, Compensating employees based on individual performance indicators may undermine incentives for teamwork and lead to free-riding issues.
Risk management often focuses on the challenge of risk measurement and the decisions that emerge from it. Combining the uncertainty of outcomes with the usefulness of outcomes will help us arrive at risk management decisions. An additional degree of confidence in the performance of the company will help us achieve the desired outcomes. complication arises in the real world. We need to ensure that managers or agents really apply the right measures either through ensuring that they have the appropriate incentives or through ongoing monitoring and control.
Fixed versus variable remuneration, deferred compensation and issuance of share ownership with various type and degrees of vesting are all common compensation plans. Designing pay and incentive schemes must be one of the most difficult and unappreciated areas of risk management, but it is also one of the most vital. Designing incentive and compensation plans is tough in both good and bad times.
It is easier to keep people happy during good times since there is more money and status to distribute, but it is more difficult to develop incentives that align the principal's and agent's objectives. On the other hand, it is more difficult to make people happy in poor times. Money and status are frequently in limited supply, and hence it is more difficult to keep good individuals.
It is critical to plan for periods when organization is under stress from both high earnings and low profitability. Risk measurement and monitoring are important. but they are useless unless the managers who have the knowledge also have the incentives to act in accordance with the owner's desires. As I stated in the beginning, I do not have answers to the pay and incentive challenges. However, the subject merits thorough consideration.
Although there is no substitute for monitoring and measuring risk, well-designed incentive schemes can help manage and mitigate risks. If the interests of the managers throughout the business are appropriately aligned, these managers can go from being disasters in the making that require constant monitoring and control to being partners in risk control and management with the principals. To conclude, rigorous considerations of preferences, incentives, remuneration, and principal-agent difficulties illuminates many of the risk management's most difficult issues. Issues that I believe we as professionals have only begun to explore substantively.
Remember that people play the most important role when it comes to risk management. As agents in an organization, they need to be compensated in order to keep the principal's interests at heart. Risk management is fundamental to everything we do.
We assess and manage risk subconsciously with every decision we make, from getting out of bed to going back to sleep. As a result, most of us are already experienced risk managers. However, many people find organizational risk management to be a daunting task.
Risk management in your organization is not and should not be a difficult task. Throughout my career, I have implemented and reviewed successful risk management execution at organizations both large and small. This module will provide you with simple steps you can take to assist your organization in effectively and efficiently assessing and managing processes. This approach is adaptable and applicable to any corporation. It all starts with understanding why corporations take risks.
Understanding an organization's mission and goals is essential for implementing an effective risk management program. These not only explain what the organization wants to achieve, but also why it is willing to take risks to achieve it. These serve as the backdrop and context for an organization to assess and manage risk. Every organization strives to add value.
While it can take many forms, it is a function of risk and reward. Companies must take risks in order to create value. It is frequently stated that the higher the risk, the greater the reward.
This is a false statement. Taking excessive risks on a regular basis will almost certainly result in massive losses. However, risk cannot be eliminated. Organizational risk management is a discipline used to assist an organization in operating at a risk level that allows it to maximize value creation. Risk management in the organizational structure.
An organization is ready to prepare for a risk assessment after it has clearly defined its mission and goals through a risk identification exercise. It is critical at this stage to have a risk management organizational structure that is strong enough to obtain adequate coverage and input from across the organization. The worst case scenario for identifying risks in a large enterprise is for the few people tasked with risk management, internal audit, or compliance to do so without input from the rest of the business. The goal of this exercise is to generate a comprehensive list of risks for the entire organization.
We need to evaluate all the processes and identify all the risks that an organization faces. When personnel from various units and with varying levels of supervisory responsibility are involved, this process becomes highly effective and accurate. Include the possibility of fraud and misconduct as specific areas to consider in this step. For reporting purposes, identified risks are commonly grouped by risk type, such as operational, environmental, strategic, financial, and so on. An entity is ready to conduct a risk assessment once a comprehensive list of risks has been prepared.
These are variously referred to as a company risk assessment or an internal control risk assessment. Organizations may conduct risk assessments in specific areas such as data risk management or IT security. The second step is around creating assessment criteria.
Prior to assessing identified risk, Assessment criteria are developed to ensure that all participants assessing and prioritizing risks are doing so on the same basis. The most common attributes used to assess risks are the likelihood and impact of specific risks. Assuming that each participant could rate a control's likelihood and impact as high, medium, or low, the criteria would specify the ranges that each rating could cover.
For example, The criteria may define a low likelihood rating as the risk is unlikely to occur in the next year, a medium likelihood rating as the risk is likely to occur in the next 6 to 12 months, and a high likelihood rating as the risk is likely to occur in the next 6 months. Ratings would be difficult to interpret across a large number of participants if there was no defined criteria. Another aspect of the assessment criteria that should be defined is whether the risks are to be rated based on inherent or residual risk. Participants would have to assess the risk with the assumption that no controls are in place if there is inherent risk. Using residual risk, the entity would assess the risk that remains after all controls have been implemented.
In my experience, using residual risk is the simplest approach. Participants rate each risk based on the assessment criteria during the risk assessment process. For larger organizations, this may be an iterative process in which a large group of lower or middle level managers assess the risks first and then provide a subset of risks to senior managers or executive leadership for risk assessment. A smaller company's risk assessment may be completed in a single round or workshop with its leadership.
Risk assessments can be carried out in a number of ways, including online surveys, personal interviews, group workshops, and benchmarking. This process yields a risk rating for each risk, which is typically based on the average likelihood and impact. While all risks are prioritized based on their risk rating from the risk assessment, risk prioritization is the process of determining risk management priorities by comparing the level of risk risk to predetermined levels and tolerance thresholds. This is an activity that should be carried out with the executives and board members who have an oversight over the company.
Because of these additional factors, certain controls with lower risk ratings may be prioritized higher than others. Nowadays, almost every organization outsources something. Outsourcing shifts some of the risk to the service provider.
If your company is a service provider, You are still responsible for monitoring your service providers and ensuring the quality of your services to your clients. So how can you be confident in your service provider's control environment and service quality? Well, your service provider can provide you with an SOC or System and Organizational Control Report, which you have to review. It can assist you in identifying risks that a service provider has not addressed.
and the need to implement controls to mitigate those risks within your own environment. The annual risk assessment concludes many organizations' risk management activities. However, this is only the start of risk management.
The assessment provides information on the organization's key processes and top risks, as well as a baseline of risks to consider. when assessing its own internal control environment. A risk assessment, on the other hand, is meaningless unless management acts on that information. During the financial crisis that began in 2008, risk management, or the lack thereof, was scrutinized, questioned, and sometimes blamed for the financial state of banks and other financial institutions.
Risk management was demoted in status and brushed under the rug and at least one institution Lehman Brothers was considered to be the company that ran itself into the ground refusing to look at the truth behind massive profits. Even though there were massive risk management failures at Lehman Brothers, in this module we will be discussing the failures related to people and process management. Lehman Brothers began as a small general store in 1844, founded by German brothers Henry, Emmanuel, and Mayor Lehman.
Farmers paid for their goods and cotton, so the company became involved in the cotton trade. Following Henry's death, the other Lehman Brothers expanded the company's scope to include commodities trading and brokerage services. The company thrived in the decades that followed as the U.S. economy grew into an international powerhouse.
However, Lehman faced numerous challenges over the years. The company survived the railroad bankruptcies, the Great Depression, and two world wars. Despite its ability to withstand previous disasters, the collapse of the U.S. housing market eventually brought Lehman to its knees. as its headlong rush into the subprime mortgage market proved to be a disastrous step.
On September 15, 2008, Lehman Brothers declared bankruptcy. Hundreds of employees, mostly in business suits, exited the bank's offices one by one, carrying boxes. It was a sober reminder that nothing lasts forever, even in the financial and investment world.
Lehman was the fourth largest investment bank in the U.S. at the time of its demise. with 25,000 employees worldwide. The bank became a symbol of the 2007-2008 financial crisis that swept through the financial markets and cost an estimated $10 trillion in lost economic output.
Lehman Brothers is often cited as an example of corporate governance failure, largely due to poor oversight by the board. Richard Fuld, former CEO of Lehman Brothers during his 2008 bankruptcy, continues to disagree with this broad assessment. According to the Wall Street Journal, Fultz said of Lehman's risk management, Regardless of what you heard about Lehman's risk management, we had 27,000 risk managers because they all had a piece of the firm. However, the fact that Lehman's employees owned such a small percentage of the company's stock did not solve its principal agent problem.
Why did Lehman's board of directors fail to effectively oversee the company, allowing it to go bankrupt? The responsibilities included company oversight and advisory. After Lehman Brothers failed, many observers pointed out that it should not have taken on excessive debt, should have diversified its product portfolio, and the board of directors should have closely monitored its strategy and risk management. The fact that Lehman Brothers employees owned a very small percentage of the company does not guarantee that they will act in Lehman's best interests and effectively manage its risks.
In other words, Lehman's excessive risk-taking was a classic example of the agency problem because employees and executives are motivated by performance-based compensation. The board of directors is formed to avoid this problem. However, do directors effectively serve as a safeguard for shareholders interests the agency problem is frequently created by the board itself a large public company such as Lehman has a large number of shareholders and the composition of those shareholders change minute by minute on the stock market it is nearly impossible for shareholders to run the company directly as a result shareholders hire third parties and directors to reduce the agency problem that exists between shareholders and employees.
The question now is, how could the principal-agent problem at Lehman Brothers be resolved? Because the agency problem arises from divergent interests, one way to reduce agency costs is to align an agent's interest with the principal's interest. For example, Requiring directors to own company stock can motivate directors to work in the best interests of the company.
Even though the board at Lehman owned company stock, it was not nearly enough to resolve the principal-agent problem. Note that the directors at any company are monitors and advisors rather than managers. Tying directors' pay to the company's financial success may jeopardize their ability to provide effective oversight. This is what we observed in Lehman's case. The directors preferred immediate financial gains from the company, and they became unwilling to approve risky projects that will harm the company's short-term profits but create long-term value.
The Lehman board also lacked financial expertise and failed to consistently monitor the company. For example, the Finance and Risk Committee met only twice a year, while the Compensation Committee met eight times more frequently than the Audit Committee. Speaking of the composition of the board, Evans was a career officer in the United States Navy, while Berlin was a theatrical producer.
Dina Merrill, an 83-year-old actress, served on Lehman's board of directors until 2006. Furthermore, there were no current CEOs of major public corporations, and former CEOs were long retired. Did this board grasp the complexities and severity of financial markets well enough to weather the storms when the market slowed? Could these independent directors who lacked up-to-date financial expertise represent the best interests of their shareholders? I don't think so. However, by 2003, Lehman Brothers had transformed itself into a real estate hedge fund disguised as an investment bank.
Madeline Antonchich, the chief risk officer got into trouble when she warned the company's CEO, Dick Fuld, that the company was too risky. As the true scope of risky mortgage-backed securities, instead of listening to Antonchich, Dick Fuld fired her in 2007. The company also had a risk assessment criteria on paper, but not in practice. Even though the risk manager was maintaining the likelihood and impact of key risks, the company was not listening to its risk managers.
In fact, they listened to the risk managers when things were going well. But the most important time to listen to your risk manager is when things are going bad. The CFO, Chris O'Meara, took over for Anton Chich.
But Chris did not have any experience in risk management. He was lacking in advising the management on how to prioritize the risks. Lehman also started to suffer huge losses in its real estate portfolio.
But the company continued to keep the same level of exposure. Given its size and prominence in the United States and around the world, Lehman's demise roiled global financial markets for weeks. Lehman had a market value of nearly $46 billion at its peak, which was wiped out in the months preceding its bankruptcy.
Some of the reasons for its decline included the principal agent problem and poor process risk management. subscribe, so you get notified about similar videos we upload. To see the full course that this video came from, click over there.
And click over there to see more videos from Simon Says It.