Risk management is the process of identifying, prioritising, assessing, analysing mitigating and controlling risk.  Regulatory challenges have been driving risk management in recent years.

Risk management process should involve the appointment of a risk manager who will be responsible and accountable for the design and development of the risk management framework and oversees the implementation of the framework by the business units. The risk manager carries out the ongoing monitoring and reporting to the executive management and the Board explaining the business risks and the effectiveness and efficiency of the risk management practice.  The risk manager recommends changes to the risk appetite or risk tolerance of the company.

Risk management should remain relevant and be adding measurable value to the business.  Components of risks should be expressed in the simplest form possible so that it will not be overcomplicated for others in the business to understand.

Risk identification

The types of risks to which the business is exposed should be identified.  The classification must be relevant to the underlying nature of the business.  It may not be a quick process to consider and identify the risks inherent in a company, but the value of such an exercise should not be underestimated.  The analysis will direct senior management to areas of exposure, and serve as a tool to ensure active tackling of all identified threats to the company.

The following headings should act as prompts for the company but this is not exhaustive, these are just the low hanging fruits:

Credit risk, Market risk, Liquidity risk, Operational risk, Compliance risk, Regulatory risk, Reputation risk, Litigation risk, Outsourcing risk, Technological risk, Fraud and other fiduciary risk, Foreign exchange risk, Concentration risk, key personnel risk, strategy risk, product risk.

Risk Mitigation

Credit Risk.

No credit facility.  Receive your cash before you hand over the assets or receive assets before you hand over your cash. Only deal with counterparties and clients that are regulated or recommended. Credit check counterparties with credit agencies for default. Check rating of counterparties at rating agencies. Cash deposits are held with high ‘A’ rated banks. Loan to be payable early. Loan is secured on quality collateral.  Draft legal agreements to ensure prompt payment and action for delay or non payment. Fees are deducted from client account – set-off /netting rights Daily matching and reconciliation of trades. Segregation of client money Open a position with initial deposit monitor automated real time marked to market position credit profit and debit losses automatically, if outside margin, make margin call for fund injection or reduce exposure, close out position if market movement continues to erode the position. Analyse the current exposure, current replacement cost of the contract by asking “what would it cost to replace the deal in the market, if the counterparty were to default today?”. Analyse the potential exposure likely replacement cost of the contract by  asking “what is an estimate of the maximum likely replacement cost of the contract, if the counterparty defaults in the future?”.

 Market Risk                                                                                                       

Set maximum amount you are prepared to invest in the market. Set stop loss for maximum fall in market you can accept. Set stop loss for maximum rise so as to preserve your profit.

 Liquidity Risk

Overdraft facility Equity financing – easy injection of funds from your investors Cash payable on demand from debtors Predictable inflow and out flow of cash

 Concentration risk

Set concentration limit not more that 25% of total assets in one counterparty

 Operational Risk

Risk database Maintain error register Disaster recovery test/BCP Verification of client identity checks Service level agreement checks Insurance claims promptly made. Staff deputies appointment – no overreliance on one person Training and competence of staff Fraud – 4 eyes, holiday, limits, password, and segregation, preparer of statement is not authoriser. IT system efficiency test Information security Legal risk – review agreements Regulatory risk – interpreter regulations and implement Electronic trading to reduce error

Risk analysis

Once the company has completed a process of risk identification, it is likely that there will be a daunting list of risk issues that are, or should be, addressed by the company. The next stage of the process will be to catalogue the risk that the company faces across the business and examine the likely probability of a particular risk being encountered and the likely impact.  Look at the likelihood of occurrence and the consequences or impact if the event does occur i.e. the frequency and severity. 

Ideally, analysis should be done by event data so as to make it scientific, so that a design model can be created pushing analytic methods to the absolute limit.  Look at the number of losses and the number of complaints and litigations.  If however the company does not have enough historic data to use to measure loss, the analysis would have to be done by applying judgement based on experience and insight of senior management into the business model and operational infrastructure.  This process will require discussion between those who have an interest in the issues.

Risk retention

Effective risk management, if embedded into the company’s strategic and operational processes, provides the framework to overcome uncertainty, to help management determine and agree an acceptable level of risk and opportunity.  The challenge, however, is to determine how much risk the business is prepared to accept.  When certain risks are accepted there then has to be an allocation of capital that will be used to absorb and accommodate the risk. 

An accurate measure of risk would help in determining the amount of capital required so that the company is not overly conservative and there is no overestimation in a situation where balance sheet is thin so there is no over-allocation of capital. In the same token, risk managers must ensure that the capital does not underestimate risk. Regulatory capital requirements may need to be covered between 3 to 5 times to cater for risks.  The company has to consider assess to capital and ability to raise capital from shareholders and the market condition for raising capital.

Risk transfer

The whole concept of insurance is based on risk.  The insurer transfers risk off the company’s balance sheet and on to their balance sheet in return for a payment of a premium.  Professional indemnity insurance, liability insurance, error & omission insurance, fraud & fidelity insurance are useful covers that transfer risk.

It is important to ensure that the insurer is solid with good credit record and that it pays claims promptly and provides quality service.  The company should also ensure that it can survive the period between the making of a claim and receiving settlement. Another way of transfer is the outsourcing of custodian activities to banks so that client assets can be held by those banks.  Guarantee from a parent company also gives financial backing and comfort in the event of financial insolvency and a bail out to protect the reputation of the group as a whole.

Risk control

Having process and procedures in place to ensure that the affairs of the company are managed in an efficient manner with an eye on risk exposures.  Use compliance team to monitor compliance with rules and regulation, internal audit to give assurance of effectiveness of control measures, legal support to properly draft contractual language, product approval process for quality, portfolio risk and performance management, self–assessment process, staff training and development, incentive structure that enables staff to consider how much risk they take to make money. Structuring deals with risk in mind, proactive culture rather than reactive, aligning risk appetite or tolerance to strategy.

Risk avoidance

The company may determine that it would avoid certain strategy or exit certain types of business to avoid the risk involved e.g. not using derivatives.  The risk manager should be able to say ‘no’ to activities that exposes the company to significant risk, explain reasons for saying ‘no’ and obtain acceptance of their position explaining all options that has been considered in reaching that conclusion.

Conclusion

A robust risk management framework with all the necessary data, analytics and tools will enhance the opportunity and capability to grow value linking growth and risk with return and minimising operational surprises and losses.

Related Posts

1. Better Risk Management –- Using Risk Surveys to Identify, Assess and Mitigate Business Risks
2. Integrated Risk Management Software Effectively Simplifies Risk Governance
3. Risk Management – the Essentials of Business