Beruflich Dokumente
Kultur Dokumente
Introduction
Definition
Example
Remember
Further Reading
Video Lecture
6. Edition 9/2015
© 2015 Frankfurt School of Finance & Management, Sonnemannstr. 9 –
11, 60314 Frankfurt am Main, Germany
All rights reserved. The user acknowledges that the copyright and all
other intellectual property rights in the material contained in this
publication belong to Frankfurt School of Finance & Management
gGmbH. No part of this publication may be reproduced, stored in a
retrieval system or transmitted in any form or by any means, electronic,
mechanical, photocopying, recording or otherwise, without the prior
written permission of the publisher. Violations can lead to civil and
criminal prosecution.
Printed in Germany
Contents
4 Exercises ............................................................... 21
1 What is Risk?
Here we are. I have a stack of expensive books on Risk in Banking on my
desk, have been consulting in risk management for more than ten years, and
I am still having a hard time defining "risk".
Risk truly is one of the most overused and least understood buzzwords of
our time. It is right up there with "process", "design", "system" and "value".
Try it: The guy who gets passed over for the promotion says: "The
Schlenovo laptop weighs 15 kilos and has a 5 inch screen, I do not think
anyone will buy this." The upwardly mobile consultant says: "Let's hold a
workshop on strategic design risk. We need to build a customer-centric
value system right into our core processes."
So, I asked a few regular people what they think risk is: Mostly the response Possibility of Loss
is about the possibility of something bad or negative happening, a loss or an
injury, for example. For sure, risk has an element of uncertainty about future
outcomes. And these future events must be relevant to us, in the sense that
the individual or the organization cares, or should have cared, about the
outcome of the uncertain situation. We may call this relevance "exposure" to
the uncertain outcome. The proverbial bag of rice that may or may not tip
over in China is uncertain, but it is only a risk if we are interested or invested
in the outcome. If I bet a thousand dollars on whether the bag stands or
falls, or if it falls I don't eat for a week, then I am exposed. Now, the
uncertainty about the bag tipping or not has become a risk.
Yet, are these outcomes really objectively uncertain? Or, are we simply Objective Uncertainty?
ignorant of the detailed mechanics of die throwing: trajectory angles, wrist
flick velocity, tablecloth friction coefficients, etc. This is not just a
philosophical question: Our risk model might assume that next week's
EUR/USD exchange rate is the result of a "random walk", while in fact it is
the certain knowable result of a deterministic process, and a nuclear
physicist at a hedge fund has already figured out the formula. Often, random
events in finance feel indeed more like rolling a die - with a metal plate
under the six and a strong magnet under the table - than an honest game of
chance. If you are philosophically inclined, I recommend the discussion of
subjectivist versus objectivist probabilities in the brilliant article by Glyn A.
Holton "Defining Risk", which you will find in the essential reading collection.
If the future loss is certain, it is not a risk. Jumping out of an airplane without
a parachute to certain death is not risky. However, if I jump with a
parachute, the uncertain survival is a risk to myself and my family who are
invested in my earnings capacity. To the reader, the outcome of a sky-diving
adventure by a risk management consultant is revenue neutral, thus not a
risk.
Risk = Volatility Many other alternative definitions of risk exist for different industries or
special analytical applications. In portfolio investment theory, for example,
we view risk in the context of the classic risk/return trade-off. Here, risk is
defined as the uncertain variation of a financial return around an average
expected outcome. Thus the volatility, i.e. the standard deviation of
continuously compounded annual returns, becomes the "risk". We will get to
the math behind this assertion later, when we discuss credit and market
risks. The interesting point to note now is that this volatility definition of risk
includes both positive and negative deviations of outcome. Gains and losses
relative to the average return expectation are both manifestations of risk.
Risk = Expected Loss? In the medical field, a definition used by the Occupational Health & Safety
Advisory Services (OHSAS) defines risk as the product of the probability of a
hazard resulting in an adverse event, times the severity of the event.1 This is
similar to the concept of an "expected loss" which we will use in the
discussion of credit risk. There, we also multiply the probability of a default
with the net amount at stake in the event that a client defaults on a loan. But
we would not call this expected loss "the risk". Rather the opposite, we will
look at the expected loss more like a certainty that must be priced to the
client. The risk is instead in the variation of the actual future loss around this
expected value, most importantly to the upside, of course, towards big stress
losses.
1
"Risk is a combination of the likelihood of an occurrence of a hazardous
event or exposure(s) and the severity of injury or ill health that can be
caused by the event or exposure(s)" (OHSAS 18001:2007).
The ISO Standard 31000 (2009) is widely recognized as the current best
practice consensus in risk management. It was developed in a broad
consultative process and incorporates inter alia the experience and prior
guidance from a diversity of thought leaders on risk management, including:
the Committee of Sponsoring Organizations of the Treadway
Commission (COSO), www.coso.org.
the 1999 (revised 2005) Turnbull Report on corporate internal
control and risk management disclosure in the UK. Nigel Turnbull,
"Internal Control: Guidance for Directors on the Combined Code",
www.icaew.com/en/library/subject-gateways/corporate-
governance/codes-and-reports/turnbull-report.
the Project Management Institute (PMI), www.pmi.org
the Australia and New Zealand Risk Management Standard
AS/NZS4360:2004, www.mwds.com/AS4me_files/AS-NZS%204360
-2004%20Risk%20Management.pdf
Group of Thirty Report, following the derivatives trading disasters of
the early 90s in the US, www.group30.org
Criteria of Control (CoCo) model developed by the Canadian
Institute of Chartered Accountants, www.cica.ca
Sarbanes-Oxley Act (2002) in the US, which places greater
responsibility on the board of directors to understand and monitor an
organization's risk, www.soxlaw.com.
New York Stock Exchange Corporate Governance Rules (2004
update), www.nyse.nyx.com.
Risk & Strategy What is new in the ERM perspective on risk is that ERM is directly related to
"strategy setting". ERM creates value by being embedded in the strategic
planning and execution process. This clearly elevates risk management
from a mere compliance function (checking off legal requirements) towards a
strategic enabler that supports the attainment of the organization's
objectives.
The ERM definition also alludes to the idea of "risk appetite". This is
another key term in the high-level management approach to risk. It implies
that an organization should have a consensus on how much risk it is willing
to take on in the pursuit of its objectives. So, in addition to just defining
"risk", it is clear that we must expand our vocabulary by a few more pieces of
More Terminology high-level risk terminology: What exactly then is risk appetite, risk tolerance,
risk exposure, risk severity and a risk limit? We are sorry to bring up so
many new terms, but if Eskimos have 19 different words for snow, a good
risk manager will need a few extra words for risk as well. Also, let's
remember that we have not even begun to speak about the more specific
guidance and best practices for risk management in financial institutions. So
far, everything we say about risk is universal and applies to a chemical
manufacturing company or to a software development firm just the same.
"Risk tolerance" sounds rather similar, but is generally used with a more
specific meaning that is subordinate to risk appetite. It already begins to
operationalize risk appetite by means of tolerance thresholds or limits.
Risk appetite and its risk tolerance measures always have two dimensions:
one that focuses on the average expected situation and one that considers
extreme outcomes or "worst-case" situations:
The term risk exposure then describes the extent to which an entity is
vulnerable to a certain risk or portfolio of risks. Mylera/Lattimore propose
that risk exposure be defined as a function of the potential impact of a risk
event and its likelihood of occurrence2. This is similar to a definition of risk in
industry and the medical field (see the OHSAS risk definition above) but not
really mainstream, certainly not in financial services. Exposure is more
frequently used like this:
For example, when we speak about the risk arising from transacting in
foreign currencies, the exposure could be measured by an open position as
the gross amount that is exposed to exchange rate risk. However, it is
impossible that the entire amount of the open position would ever be lost.
The possible losses resulting from an open position would be determined by
confronting the gross exposure with an analysis of how much exchange
rates may actually vary over a certain period of time with what level of
probability.
2
Ken Mylera & Joshua Lattimore, How to Create and Use Corporate Risk
Tolerance, p.144. In Fraser & Simkins eds., Enterprise Risk Management.
2010.
Assume that you place a bet on the outcome of flipping a coin. "Heads" you
win one dollar, "tails" you receive nothing. Knowing that both possible
outcomes should have equal probability, you can expect on average to win in
half of the attempts, as long as you play the game often enough. How much
would you be willing to pay to play this game? If you are willing to pay more
than 50 cents per round, you are a risk taker, if you pay exactly 50 cents
you are risk neutral, if you are willing to risk less than 50 cents you are risk-
averse.
3
See ARMAMIS - Accidental Risk Assessment Methodology for Industries
in the Context of the Seveso II Directive: ARAMIS project: the severity
index. Planas, Casal, Delvosalle et al. in Safety & Reliability, Bedford and
van Gelder eds., 2003.
Risk aversion on matters of entity survival is actually a curiosity from a Does entity survival
portfolio investment perspective. Why should an economic entity be so matter?
stuck on its survival that the owners would allow it to become risk averse? In
theory, the entity and its managers and staff don't really matter. Owners are
well diversified and if one of their shareholdings takes the bullet from the
economic Russian roulette, five others will have made a profit. The answer
is, of course, that there are massive costs and inefficiencies associated with
bankruptcy. Bankruptcy destroys careers, drains pension funds and leaves
valuable assets to rot, such that institutional survival does indeed become a
strategic objective in itself, even for diversified shareholders.
This said, we still think it is worthwhile to address this issue of difference in Empire building and
perspective on risk between owners and managers or staff early on. It is diversification are often
important to keep this tension in mind when discussing the governance of inefficient for owners
risk. It can also explain some curious institutional behavior towards risk
which seems poorly aligned with stakeholder interests. So, the point is that
management tends to diversify business and in-source more activities in an
attempt to reduce the volatility of earnings and build an empire under their
control. This risk-aversion is inefficient from the owner's standpoint, because
the earnings are being stabilized at a much lower average (expected) value
as before the risk mitigation. Owners would have been fine with the higher
earnings risk in a pure-play undiversified business, because they have
several other irons in the fire. The take-away lesson here is that risk is never
absolute: what is a severe risk to the manager's career plans or to a
director's bonus may not be an important risk to the organization's overall
objectives, or may not really concern shareholders and vice versa. So,
before we take far-reaching decisions on risk, it is always helpful to pause
and think about exactly whose risks we are managing.
While we are establishing the basic terminology of risk, it is time to define the
term governance or corporate governance, which we have already been
using in various combinations with risk and sometimes as a close proxy for
risk management.
The key words that resonate in the definition of (corporate) governance are
control, accountability, conflicts of interest and decision-making under
uncertainty. Exercising good corporate governance is about achieving the
strategic objectives of an organization, while balancing the interests of
stakeholders and protecting the assets of the organization in a context of
uncertain outcomes. This is largely overlapping with our definition of
(enterprise) risk management, particularly in financial institutions where all
major business variables are uncertain.
Glyn A. Holton, Defining Risk, Financial Analysts Journal, Vol. 60. 2004.
http://riskexpertise.com/papers/risk.pdf.
Internalize
Low High
SEVERITY
Figure 1: Risk Severity / Risk Probability Map and Risk
Management Strategies
Consider the blue box at the intersection of high severity and low High Severity & Low
probability. For an individual, this might be the risk of death or disability Probability
from a traffic accident. To a data center operation, it might be the
simultaneous loss of multiple redundant wide-area network paths that would
cut the center off from all outside communications. The chart suggests to
share or transfer such a risk, rather than just bearing it and hoping for the
best. The classic method for sharing a risk is insurance. Insurance works
best in cases where the risk is rare, but catastrophic if it does materialize.
Since the event is rare, the premium that the individual entity would have to
Low Severity & High Now move to the yellow quadrant, where severity is low but the frequency
Probability of occurrence is high. From an individual's perspective, examples in this
area include minor common illnesses such as a cold or flu and dental
cavities. If one tries to insure such routine health risks in a private un-
subsidized insurance market, it cannot come as a surprise that the annual
premium will be equal to the expected health maintenance cost plus an
administrative handling fee plus a moral hazard surcharge. The moral
hazard arises, because individuals can significantly influence the rate at
which the risk materializes (brush your teeth, eat better, etc.) and will often
neglect precautions because they are insured. Or, they will over-consume
treatment services, just to get their money's worth for their premium. The
high probability / low severity situation, therefore, is treated most efficiently
by managing down the probability as best as possible, while absorbing the
losses that do materialize rather than trying to share or transfer them.
Low Severity & Low Consider the green section that combines low severity and low frequency.
Probability That's clearly a nice problem to have and often should simply be accepted.
Otherwise, the mitigation effort could end up costing more money than could
have been lost, if the risk occurred unmitigated. As an example, many
companies have given up on controlling basic office supplies, like pens and
paper. Such controls should have discouraged staff from over-consuming or
taking supplies home. Take the test: how many of those pens in your
drawers at home have you actually bought yourself? Yet, most companies
have decided it's not worth the effort to stop pen and paper theft. Rather,
you should have your logo printed on the office supplies and let staff
accidentally spread your marketing message in the community.
High Severity & High Finally, let's turn to the killer combination of high severity and high
Probability probability. Imagine a chemical munitions recycling business. Many things
can go wrong and will go wrong frequently, and when they do, people will be
seriously hurt. If possible, an entity should simply stay away from this
activity. If the activity cannot be avoided, the solution would be to transfer it,
i.e. contract it out to another entity. Ideally, that other entity would specialize
in these type of high risk activities and have the technologies and skills to
mitigate the probability and the severity of the risk.
4
Moral hazard is defined as a lack of incentive to guard against risk where
one is protected from its consequences, e.g., by insurance.
Consider an airline that is heavily exposed to the cost of jet fuel. The
management is concerned about the risk that fuel prices might increase
further next year and that this may push the airline into an accounting loss.
So, hedging the fuel price would seem like the proper risk management
strategy. What is the simplest way to hedge a factor input against future
price increases? Exactly, what your grandmother would have done when
she was afraid potatoes might go up: You buy them today and store them.
Now, you have certainty of the price of jet fuel for the next year. Instead of
putting the fuel in the tank, you could also just buy Jet-A fuel futures
contracts and thus fix the price but defer delivery and cash payment.
The hedging strategy superficially removes the fuel price risk, but this is not
a miracle solution, is it? If prices fall next year, the airline will be burning the
most expensive fuel in the industry and will be losing money while
competitors win. It might have been better to use hedging or insurance to
cut off some of the rare but extreme price events that could threaten survival,
but not lock in the entire fuel bill for next year. If you are not hedged and fuel
prices do go up, they will rise for all airlines and you can probably pass most
of the cost increase on to customers.
A better strategy than hedging the fuel cost might be to reduce exposure to Strategic interaction
fuel prices by buying more fuel efficient planes. But if prices fall, the with risk is complex and
investment may not pay off and the competition's old planes are flying more non-linear
cheaply. But then there is the correlation of new planes with a positive
image of safer and more comfortable travel, which might make new planes a
good investment regardless of fuel cost. This shows that strategic
interaction with risks is never simple or linear. We squeeze the risk out of
one end of the balloon just to make it reappear elsewhere. So, we better get
used to it: Risk management is about dealing effectively with
uncertainty and complexity.
The context element in the Risk Management Process sets the stage for the
decision or activity requiring risk management. Risk assessment identifies,
analyzes and evaluates the risks. Risk treatment enhances the probability
of positive outcomes and reduces the incidence of negative outcomes to
within acceptable levels. Monitoring and review keeps close watch over
the risk and the controls implemented to modify the risk. Finally, the process
includes a permanent, ongoing effort at communication and consultation
to ensure that the stakeholders are engaged and contribute to the
management of risks.
Establish Context
Communicate and Consult
Monitor and Review
Risk Assessment
Identify Risks
Strategic Process
Strategic Process
Analyze Risks
Evaluate Risks
Treat Risks
5
Adapted from John Shortreed, "ERM Frameworks", p. 103. In Fraser &
Simkins eds., Enterprise Risk Management. 2010.
A key element, maybe the critical element, that underpins both the core risk
management process as well as the strategic feedback loop around it, is the
management information system. Without efficiently generated, timely,
and systematic data on exposures and materialized losses versus limits,
there cannot be accountability for risk and no organizational learning and
improvement of risk management.
If you compare the various programs, you will notice that we made an effort Where the Frankfurt
to align ours with the theoretical foundations, terminology and quantitative School e-learning
methodologies that are shared by risk management practitioners worldwide. Certificate fits in
All of the industry certifications and academic programs are rigorous,
worthwhile and require hard work to pass the exams. We believe ours is
more reasonably priced, is more approachable for non-traditional students,
offers more support and guidance, and is uniquely focused on financial
services for SMEs and micro-entrepreneurs in an emerging and developing
market context. Other programs seem to suppose that financial services
only exist in perfect worlds where every business is quoted on the stock
exchange, issues bonds and has a rating from S&P; and every retail
customer is formally employed at a major corporation that is quoted on the
stock exchange, has a rating and issues bonds etc.
Other programs are certainly also academically challenging and practically Unique Focus on Risk in
useful for risk management in any financial sector anywhere. But with the Micro & SME Finance
Frankfurt School e-Learning Certificate under your belt, you can walk proudly
among various certified risk managers knowing that you will speak the same
language of risk and master the same theoretical apparatus. However,
where you will leave the others eating your dust is in applying risk
management to the particular circumstances of retail financial services in
emerging and developing markets. For example, in this course you will learn
how to design, calculate, interpret and maintain a statistical micro-enterprise
credit score. And we will do this with a simple statistical plug-in for Excel
without buying an expensive software "solution" and flying in an army of
implementation consultants. It is not that difficult, actually.
So, let's not be too modest, Frankfurt School e-Learning Certificate holders
are at least as smart as the other guys:
The Financial Risk Manager (FRM) and the Energy Risk Professional
certifications are offered by the Global Association of Risk Professionals
(www.garp.org). The FRM exam has two levels. Level 1 covers core areas
of risk management including quantitative analysis, financial markets and
products, and risk modeling. Level 2 focuses on the practical
implementation of risk management techniques used to manage credit,
market and operational risk. This exam also covers current issues in
financial markets.
In order to maintain their FRM and the PRM designations, risk managers
must keep up their membership in the sponsoring organizations and take a
certain minimum of continuing education credits every year.
In many ways what ATTF does follows the model of Frankfurt School's
"Summer Academy" executive workshops in Frankfurt and other global
locations. The Risk Management Competence Center at Frankfurt School's
International Advisory Services also provides technical assistance to many
SME banks and microfinance institutions as they implement modern risk
management programs. In fact, most of the examples and case studies that
we will consider in this e-Learning Certificate are inspired directly by this
practical work in the field.
In short, there are many other good options out there, but you have definitely
come to the right place, if you are looking for international best practice in
risk management in an accessible format and with a very practical, hands-on
twist on inclusive financial services in developing and emerging markets.
Let's get going and dig into the details!