
NAME VALENTINE MUNYANYI

REG NUMBER R077321T

PROG HBBS ll BANKING AND FINANCE

COURSE FINANCIAL RISK MANAGEMENT

LECTURER MR JECHECHE

DUE DATE THURSDAY 7 APRIL

QUESTION

DISCUSS THE IMPORTANCE OF RISK AUDIT AND RISK MAPPING IN RISK MANAGEMENT
IN TERMS OF THE ELEMENTS CONTAINED IN THE RISK MAPPING PROCESS. DISCUSS
THIS IN THE CONTEXT OF AN ORGANISATION OF YOUR OWN CHOICE.

INTRODUCTION
Risk, in its broader sense, is the possibility that the outcome of an action or event could bring
up adverse impacts. Such outcomes could either result in a direct loss of earnings / capital or
may result in imposition of constraints on a bank’s ability to meet its business objectives. Such
constraints pose a risk as these could hinder a bank's ability to conduct its ongoing business or
to take benefit of opportunities to enhance its business. Risk Management is a discipline at the
centre of every financial institution and encompasses all the activities that affect its risk profile. It
involves identification, measurement, monitoring and controlling risks to ensure that the
individuals who take or manage risks clearly understand it and that the organization’s risk exposure is
within the limits established by the board of directors. Risk taking decisions should also be in line
with the business strategy and objectives set by the BOD. The expected payoffs compensate for the
risks taken. With proper risk management, risk managers will be in a better position to estimate
sufficient resources needed to mitigate all risks to which the organisation might be exposed. In
light of the process of effective risk management, management should then appreciate the
importance of carrying out a risk audit and risk mapping.

Risk audit is a systematic way of understanding the risks that an organisation faces. Brigham
and Gapenski (1986) simply defined a risk audit as a review by an organisation of all its risks.
They went on to define risk mapping as a tool used to identify, evaluate and prioritize a group of
business risks which could significantly impact a company’s or business unit’s ability to achieve
its goal of maximizing shareholders’ wealth. Risk mapping is an approach to illustrating the risk
associated with an organisation. Because the range and types of risks are many and varied, risk
audit and mapping can be a complicated and involved process. Some organisations, such as
large financial services providers, employ teams of people whose job is to continually monitor
and internally report on. The Risk Assessment Survey is used to identify and measure the
significance and likelihood of business risks that occur within a function or specific process.
Once the business risk is assessed, a risk map is used to plot the significance and likelihood of
the business risk occurring. The map allows you to visualize risks in relation to each other,
gauge their extent, and plan what type of controls should be implemented to mitigate the risks.

1.1.2 Regardless of the sophistication of the measures, banks often distinguish
between expected and unexpected losses. Expected losses are those that the
bank knows with reasonable certainty will occur (e.g., the expected default rate
of corporate loan portfolio or credit card portfolio) and are typically reserved for
in some manner. Unexpected losses are those associated with unforeseen
events (e.g. losses experienced by banks in the aftermath of nuclear tests,
losses due to a sudden downturn in the economy or falling interest rates). Banks
rely on their capital as a buffer to absorb such losses.

1.1.3 Risks are usually defined by the adverse impact on profitability of several
distinct sources of uncertainty. While the types and degree of risks an
organization may be exposed to depend upon a number of factors such as its
size, complexity, business activities, volume etc., it is believed that generally
banks face Credit, Market, Liquidity, Operational, Compliance / legal /
regulatory and reputation risks. Before overarching these risk categories, given
below are some basics about Risk Management and some guiding principles to
manage risks in a banking organization.

Risk Management

1.2.1 Risk Management is a discipline at the core of every financial institution and
encompasses all the activities that affect its risk profile. It involves identification,
measurement, monitoring and controlling risks to ensure that
a) The individuals who take or manage risks clearly understand it.
b) The organization’s Risk exposure is within the limits established by Board
of Directors.
c) Risk taking Decisions are in line with the business strategy and objectives
set by BOD.
d) The expected payoffs compensate for the risks taken
e) Risk taking decisions are explicit and clear.
f) Sufficient capital as a buffer is available to take risk

The identification and assessment of risks to banking stability invariably involve an
understanding of the behaviour of markets to which the banks are exposed.

Portfolio Management is used to select a portfolio of new product development projects to
achieve the following goals:

• Maximize the profitability or value of the portfolio

• Provide balance

• Support the strategy of the enterprise

Portfolio Management is the responsibility of the senior management team of an organization or
business unit. This team, which might be called the Product Committee, meets regularly to
manage the product pipeline and make decisions about the product portfolio. Often, this is the
same group that conducts the stage-gate reviews in the organization.

A logical starting point is to create a product strategy - markets, customers, products, strategy
approach, competitive emphasis, etc. The second step is to understand the budget or resources
available to balance the portfolio against. Third, each project must be assessed for profitability
(rewards), investment requirements (resources), risks, and other appropriate factors.

The weighting of the goals in making decisions about products varies from company to company. But
organizations must balance these goals: risk vs. profitability, new products vs. improvements,
strategy fit vs. reward, market vs. product line, long-term vs. short-term. Several types of
techniques have been used to support the portfolio management process:

• Heuristic models

• Scoring techniques

• Visual or mapping techniques

The earliest Portfolio Management techniques optimized projects' profitability or financial returns
using heuristic or mathematical models. However, this approach paid little attention to balance
or aligning the portfolio to the organization's strategy. Scoring techniques weight and score
criteria to take into account investment requirements, profitability, risk and strategic alignment.
The shortcoming of this approach can be an overemphasis on financial measures and an
inability to optimize the mix of projects. Mapping techniques use graphical presentation to
visualize a portfolio's balance. These are typically presented in the form of a two-dimensional
graph that shows the trade-offs or balance between two factors such as risk vs. profitability,
marketplace fit vs. product line coverage, financial return vs. probability of success, etc.

INTERNAL AND EXTERNAL RISK AUDIT

Risk audit and assessment is a systematic way of understanding the risks that an organisation
faces. Because the range and types of risks are many and varied, risk assessment and audit can
be a complicated and involved process. Some organisations, such as large financial services
providers, employ teams of people whose job it is to continually monitor and internally report on

Risk mapping is an approach to illustrating the risk associated with an organisation,
project or other system in a way which enables you to understand it better: what’s
important, what’s not, and whether the risk picture is comprehensive.

Risk mapping is primarily qualitative and its benefits are:

• to improve your understanding of the risk profile and your ability to communicate about it
• to force you to think through rigorously the nature and impact of the risks that have been
identified
• to improve your risk models by building an intermediate link between the risk register and
the model
• to improve your risk register by basing it on a more transparent and accurate
understanding of the system.

As the chart shows, the risk map can be developed from a risk register developed at

With the progressive deregulation and liberalization of the Indian financial sector, banks are
increasingly exposed to various kinds of risk, both financial and non-financial. Efficiency of
every bank depends on how effectively it is managing the risks and ensuring a competitive
risk adjusted return on capital. For this it is essential to have in place effective risk
management and internal control systems, which are crucial to the conduct of banking
business not only to lead the bank more profitably but also in compliance of prudential
guidelines, for which a professional approach in

A risk based management approach involving risk audit and risk mapping is important
Risk audit
A risk audit is a review by an organization of all its risks.

Risk mapping
Is a technique of risk management that starts with a risk audit and goes on to the development
of a risk management strategy

Risk Assessment Survey and Risk Mapping Tool

WHAT IS THIS TOOL?

Risk Mapping is a tool used to identify, evaluate and prioritize a group of business risks which
could significantly impact a company’s or business unit’s ability to achieve its goal of maximizing
shareholders’ wealth. The Risk Assessment Survey is used to identify and measure the
significance and likelihood of business risks that occur within a function or specific process.
Once the business risk is assessed, a risk map is used to plot the significance and likelihood of
the business risk occurring. The map allows you to visualize risks in relation to each other,
gauge their extent, and plan what type of controls should be implemented to mitigate the risks.

WHAT ARE ITS BENEFITS AND LIMITATIONS?

The survey and risk map link business risk significance and likelihood of occurrence in a clear,
effective manner. Business risks are rated by overall impact on business strategies and thus,
can be addressed accordingly. The survey can be utilized by multiple department managers and
strategists to develop separate risk maps or one collective map.

Using the Arthur Andersen Business Risk Model, several business risks which could
significantly impact a company’s ability to accomplish its business strategies have been
identified. This particular survey is given for purposes of example; ideally, each company should
identify the risks that are most relevant to its business and customize the survey accordingly.

Once the risk survey is prepared, rate each risk with 10 being the most significant (i.e. if this risk
was not prevented or mitigated by proper controls, there could be a major impact on the
company’s ability to accomplish certain of its key strategies) and 1 being the least significant.

Risk management is a central part of any
organisation’s strategic management. It is
the process whereby organisations
methodically address the risks attaching to
their activities with the goal of achieving
sustained benefit within each activity and
across the portfolio of all activities.
The focus of good risk management is the
identification and treatment of these risks.
Its objective is to add maximum
sustainable value to all the activities of the
organisation. It marshals the
understanding of the potential upside and
downside of all those factors which can
affect the organisation. It increases the
probability of success, and reduces both
the probability of failure and the
uncertainty of achieving the organisation’s
overall objectives.
Risk management should be a continuous
and developing process which runs
throughout the organisation’s strategy and
the implementation of that strategy. It
should address methodically all the risks
surrounding the organisation’s activities past,
present and

Risk Assessment is defined by the ISO/IEC
Guide 73 as the overall process of risk
analysis and risk evaluation.

4.1 Risk Identification


Risk identification sets out to identify an
organisation’s exposure to uncertainty. This
requires an intimate knowledge of the
organisation, the market in which it operates,
the legal, social, political and cultural
environment in which it exists, as well as the
development of a sound understanding of its
strategic and operational objectives,
including factors critical to its success and the
threats and opportunities related to the
achievement of these objectives.
Risk identification should be approached
in a methodical way to ensure that all
significant activities within the organisation
have been identified and all the risks
flowing from these activities defined.
All associated volatility related to these
activities should be identified and
categorized

4.3 Risk Estimation


Risk estimation can be quantitative, semi-quantitative
or qualitative in terms of the
probability of occurrence and the possible
consequence.
For example, consequences both in terms
of threats (downside risks) and
opportunities (upside risks) may be high,
medium or low (see table 4.3.1). Probability
may be high, medium or low but requires
different definitions in respect of threats and
opportunities

4.5 Risk Profile


The result of the risk analysis process can
be used to produce a risk profile which
gives a significance rating to each risk and
provides a tool for prioritising risk
treatment efforts. This ranks each identified
risk so as to give a view of the relative
importance.
This process allows the risk to be mapped
to the business area affected, describes the
primary control procedures in place and
indicates areas where the level of risk
control investment might be increased,
decreased or reapportioned.
Accountability helps to ensure that
‘ownership’ of the risk is recognised and
the appropriate management resource
allocated

Risk Evaluation

When the risk analysis process has been
completed, it is necessary to compare the
estimated risks against risk criteria which
the organisation has established. The risk
criteria may include associated costs and
benefits, legal requirements, socioeconomic
and environmental factors,
concerns of stakeholders, etc. Risk
evaluation therefore, is used to make
decisions about the significance of risks to
the organisation and whether each specific
risk should be accepted or treated.

Risk treatment is the process of selecting
and implementing measures to modify the
risk. Risk treatment includes as its major
element, risk control/mitigation, but
extends further to, for example, risk
avoidance, risk transfer, risk financing, etc.
NOTE: In this standard, risk financing
refers to the mechanisms (eg insurance
programmes) for funding the financial
consequences of risk. Risk financing is not
generally considered to be the provision of
funds to meet the cost of implementing risk
treatment (as defined by ISO/IEC Guide
73; see page 17).
Any system of risk treatment should
provide as a minimum:
• effective and efficient operation of the
organisation
• effective internal controls
• compliance with laws and regulations.
The risk analysis process assists the effective
and efficient operation of the organisation
by identifying those risks which require
attention by management. They will need
to prioritise risk control actions in terms of
their potential to benefit the organisation.
Effectiveness of internal control is the
degree to which the risk will either be
eliminated or reduced by the proposed
control measures.
Cost effectiveness of internal control relates
to the cost of implementing the control
compared to the risk reduction benefits
expected.
The proposed controls need to be
measured in terms of potential economic
effect if no action is taken versus the cost
of the proposed action(s) and invariably
require more detailed information and
assumptions than are immediately
available

Effective risk management requires a
reporting and review structure to ensure
that risks are effectively identified and
assessed and that appropriate controls and
responses are in place. Regular audits of
policy and standards compliance should be
carried out and standards performance
reviewed to identify opportunities for
improvement. It should be remembered
that organisations are dynamic and operate
in dynamic environments. Changes in the
organisation and the environment in which
it operates must be identified and
appropriate modifications made to systems.
The monitoring process should provide
assurance that there are appropriate controls in
place for the organisation’s activities and that
the procedures are understood and followed.
Changes in the organisation and the
environment in which it operates must be
identified and appropriate changes made to
systems.
Any monitoring and review process should
also determine whether:
• the measures adopted resulted in what was
intended
• the procedures adopted and information
gathered for undertaking the assessment
were appropriate
• improved knowledge would have helped
to reach better decisions and identify
what lessons could be learned for
future assessments and management of
risks
Firstly, the cost of implementation has to
be established. This has to be calculated
with some accuracy since it quickly
becomes the baseline against which cost
effectiveness is measured. The loss to be
expected if no action is taken must also
be estimated and by comparing the
results, management can decide whether
or not to implement the risk control
measures.
Compliance with laws and regulations is
not an option. An organisation must
understand the applicable laws and must
implement a system of controls to achieve
compliance. There is only occasionally
some flexibility where the cost of reducing
a risk may be totally disproportionate to
that risk.
One method of obtaining financial
protection against the impact of risks is
through risk financing which includes
insurance. However, it should be
recognised that some losses or elements of a
loss will be uninsurable eg the uninsured
costs associated with work-related health,
safety or environmental incidents, which
may include damage to employee morale
and the organisation’s reputation.

Global risk maps are the holy grail of systemic risk monitoring. Defined as unified databases
that provide data on risk exposures of financial institutions and markets, they would allow
supervisors and market participants to monitor the evolution of risks in banks, banking systems
and the broader financial market community. Not only would these risk maps provide data
inputs for financial stability analysis, they would also serve as the starting point and testing
ground for the development of new systemic risk measurement and mitigation

WHAT IS INVOLVED IN RISK AUDIT?


There are four stages in any risk audit (internal
or external): identify, assess, review, and report.
Together, these comprise an audit or review of the
risk management of an organisation.
Identification
Given the range of potential unrealised
losses that an organisation might
face, it would be inexcusable for
management to be ignorant of what
the risks are, so identification of risks is
the first part of any risk audit. Risks come
and go with the changing nature of business
activity, and with the continual change in any
organisation’s environment. New risks emerge
and old ones disappear. Identification is therefore
particularly important for those organisations
existing in turbulent environments. Uncertainty can
come from any of the political, economic, natural,
socio-demographic or technological contexts in
which the organisation operates.
Assessment
Once identified, the next task is to assess the risk.
Each identified risk needs to be measured against
two variables: the probability (or likelihood) of
the risk being realised; and the impact or hazard
(what would happen if the risk was realised).
These two intersecting continua can be used
to create a probability/impact grid on to which
individual risks can theoretically be plotted. I say
‘theoretically’ because it is sometimes not possible
to gain enough information about a risk to gain an
accurate picture of its impact and/or probability.
This assessment strategy is used in many
situations, from share portfolio management
to terrorism prevention, and to understand the
effects of risks on internationalisation strategies. In
anti-terrorism planning, for example, governments
assess certain potential ‘big ticket’ terrorist attacks
as ‘high impact but low probability’ events, and
other attacks as the opposite. If this were an
article on risk management, I would now go
on to discuss the risk strategies of ‘transfer’ (or
share), ‘avoid’, ‘reduce’ and ‘accept’, but instead,
in a risk audit, the auditor goes on to review the
organisation’s responses to each identified and
assessed risk.
Review
At the review stage, the auditor analyses the
controls that the organisation has in the event
of the risk materialising. For example, this
could involve looking at insurance cover where
appropriate, the extent to which the risk portfolio
is diversified, and any other controls appropriate
to the risk. In the case of accepted risks, a review
is undertaken of the effectiveness of planning for
measures such as evacuation, clean-up and so on,
should the unavoidable risk materialise. Review
can represent a substantial task, as the response
to each assessed risk is a part of the review and
there may be many risks to consider.
Report
Finally, a report on the review is produced and
submitted to the principal which, in most cases, is the
Board of the organisation that commissioned the audit.
Management will probably want to know about the extent
of the key risks (those with high probability, high impact,
and especially both high impact and high probability); the
quality of existing assessment; and the effectiveness of
controls currently in place. Clearly, any ineffective controls
will be a key component of the report and they would be the
subject of urgent management attention.
SOCIAL AND ENVIRONMENTAL AUDIT: WHY?
One area of audit activity that has grown in
recent years is that of social and environmental
audit. The social and environmental accounting
‘movement’ began in the mid-1980s, when it was
first coherently argued that there was a moral
case for businesses, in addition to reporting on
their use of shareholders’ funds, to account for
their impact on social and natural environments.
While accounting instruments already existed for
reporting financial performance, there weren’t
any for accounting for non-costable impacts, and
it was this that gave rise to modern social and
environmental accounting.
If, for example, a meat processor buys in
beef and processes it for onward sale (eg as
burgers), then the cost of the beef includes all of
the identifiable costs incurred by the supply chain
up to that point (plus profit margins, of course).
So for beef, those costs will include elements of
farming, land costs, logistical costs, abattoir costs,
and so on. However, the farmer who produced the
beef may have reared the cattle on land bought as
a result of forest clearance. He may have paid a
market price for the land upon which to graze his
cattle, but the initial deforestation has implications
that could not have been factored into the price
he paid for the land. How, for example, could you
attribute a cost to the loss of species habitat or
the loss of greenhouse gas processing capacity?
It is because of the difficulties in allocating the
costs of these externalities that, environmental
activists say, the price of that beef does not reflect
the true – or full – cost, which should include
the cost to the environment. The same would
apply to almost any product of course, not just
beef. In the case of oil and gas, for example, the

Risk is neither bad nor good. It is simply a measure of deviation from the
expected. Risk consequences can be either bad or good:
Bad risk consequences drain resources and interfere with an entity’s
financial stability and ability to fulfill its mission.
Good risk consequences produce better than expected results or unexpected opportunities.

Four general types of risk response strategies:
Avoid – Eliminate the risk producing activity entirely. Can be highly effective for
some types of risk, but may not be practical for important government
functions.
Reduce – Pre-event actions to reduce the frequency and/or severity of losses.
Control – Post-event actions to keep resulting damages to a
minimum.
Transfer – Shift some of the financial burden of a loss to another party.
Risk:

Risk by default has two components: uncertainty and exposure. If both are not present, there is
no risk. Definition of Risk as per Guidelines on Risk Management issued by State Bank of
Pakistan is, "Financial risk in a banking organization is possibility that the outcome of an action
or event could bring up adverse impacts. Such outcomes could either result in a direct loss of
earnings / capital or may result in imposition of constraints on bank's ability to meet its business
objectives. Such constraints pose a risk as these could hinder a bank's ability to conduct its
ongoing business or to take benefit of opportunities to enhance its business."

Types of Risks:

Risk Management is a hot topic in the financial sector especially in the light of the recent losses
of some multinational corporations e.g. collapses of Britain's Barings Bank, WorldCom and also
due to the incident of 9/11. Rapid changes in business condition, restructuring of organizations
to cope with ever increasing competition, development of new products, emerging markets and
increase in cross border transactions along with complexity of transactions have exposed
Financial Institutions to new risk dimensions. Thus the concept of risk has captured a growing
importance in modern financial society.

The Benefits of Risk Management


There are a number of benefits to having a solid risk management process, including:

• Clear ownership and accountability for all risks

• Creation of an environment where risks can be accepted by the business on an informed
basis

• An increased likelihood that the program will be a success, along with the increased
likelihood that the objectives of the organisation will be met

The Risk Management Process


The risk management process I use looks like this:

Once we have determined our Risk Strategy, which simply means we have decided how we are
going to manage risk throughout the duration of the program, we enter a 6-step loop as follows:

• Identify Risk: here we must identify what is the risk, and what is at risk. It could be
timescales, the realisation of a benefit, or the delivery of a capability.

• Allocate Ownership: As the program manager, it is ultimately your responsibility to
manage the risks within the program; however, each risk should be given an owner who
is best positioned to perform mitigating actions on the risk and monitor the risk.

• Evaluate Risk: this simply refers to evaluating and assigning the risk an impact and
probability score.

• Plan Mitigations: In a general sense, every risk has a standard set of mitigations which
can be applied to it. These are commonly referred to as ‘The 4 Ts’:

o Transfer: can the risk be transferred to another party, for example, could an
insurance policy be taken out.

o Tolerate: this is frequently used for risks with very low impact, and is effectively
the do nothing option. Tolerate effectively means the risk is monitored but the
program proceeds without proactive action being taken to address the risk.

o Terminate: this refers to adjusting the program so the risk is no longer applicable
to the program, for example, a project may be removed entirely from the program
so the risk can never now materialise.

o Treat: this is where concrete actions are taken to reduce the probability of the
risk materialising or impact of the risk should it materialise.

• Implement Actions: here concrete actions are given to the risk owner to ensure they are
carried out

• Monitor and Control: all risks and actions which have been created need to be reviewed
regularly, so the risk impact and probability can be updated following any actions which
have been performed to treat th
