LECTURER MR JECHECHE
QUESTION
DISCUSS THE IMPORTANCE OF RISK AUDIT AND RISK MAPPING IN RISK MANAGEMENT
IN TERMS OF THE ELEMENTS CONTAINED IN THE RISK MAPPING PROCESS. DISCUSS
THIS IN THE CONTEXT OF AN ORGANISATION OF YOUR OWN CHOICE.
INTRODUCTION
Risk, in its broader sense, is the possibility that the outcome of an action or event could bring
up adverse impacts. Such outcomes could either result in a direct loss of earnings / capital or
may result in imposition of constraints on a bank's ability to meet its business objectives. Such
constraints pose a risk as these could hinder a bank's ability to conduct its ongoing business or
to take benefit of opportunities to enhance its business. Risk Management is a discipline at the
centre of every financial institution and encompasses all the activities that affect its risk profile. It
involves identification, measurement, monitoring and controlling risks to ensure that the
individuals who take or manage risks clearly understand it and that the organization's risk exposure is
within the limits established by the board of directors. Risk taking decisions should also be in line
with the business strategy and objectives set by the BOD, and the expected payoffs should compensate for the
risks taken. With proper risk management, risk managers will be in a better position to estimate
sufficient resources needed to mitigate all risks which the organisation might be exposed to. In
light of the process of effective risk management, management should then appreciate the
importance of carrying out a risk audit and risk mapping.
Risk audit is a systematic way of understanding the risks that an organisation faces. Brigham
and Gapenski (1986) simply defined a risk audit as a review by an organisation of all its risks.
They went on to define risk mapping as a tool used to identify, evaluate and prioritize a group of
business risks which could significantly impact a company's or business unit's ability to achieve
its goal of maximizing shareholders' wealth. Risk mapping is an approach to illustrating the risk
associated with an organisation. Because the range and types of risks are many and varied, risk
audit and mapping can be a complicated and involving process. Some organisations, such as
large financial services providers, employ teams of people whose job is to continually monitor
and internally report on. The Risk Assessment Survey is used to identify and measure the
significance and likelihood of business risks that occur within a function or specific process.
Once the business risk is assessed, a risk map is used to plot the significance and likelihood of
the business risk occurring. The map allows you to visualize risks in relation to each other,
gauge their extent, and plan what type of controls should be implemented to mitigate the risks.
1.1.2 Regardless of the sophistication of the measures, banks often distinguish
between expected and unexpected losses. Expected losses are those that the
bank knows with reasonable certainty will occur (e.g., the expected default rate
of corporate loan portfolio or credit card portfolio) and are typically reserved for
in some manner. Unexpected losses are those associated with unforeseen
events (e.g. losses experienced by banks in the aftermath of nuclear tests,
losses due to a sudden downturn in the economy or falling interest rates). Banks
rely on their capital as a buffer to absorb such losses.
1.1.3 Risks are usually defined by the adverse impact on profitability of several
distinct sources of uncertainty. While the types and degree of risks an
organization may be exposed to depend upon a number of factors such as its
size, complexity, business activities, volume etc., it is believed that generally the
banks face Credit, Market, Liquidity, Operational, Compliance / legal /
regulatory and reputation risks. Before going through these risk categories, given
below are some basics about Risk Management and some guiding principles to
manage risks in a banking organization.
Risk Management.
1.2.1 Risk Management is a discipline at the core of every financial institution and
encompasses all the activities that affect its risk profile. It involves identification,
measurement, monitoring and controlling risks to ensure that
a) The individuals who take or manage risks clearly understand it.
b) The organization’s Risk exposure is within the limits established by Board
of Directors.
c) Risk taking Decisions are in line with the business strategy and objectives
set by BOD.
d) The expected payoffs compensate for the risks taken
e) Risk taking decisions are explicit and clear.
f) Sufficient capital as a buffer is available to take risk
Provide balance
A logical starting point is to create a product strategy - markets, customers, products, strategy
approach, competitive emphasis, etc. The second step is to understand the budget or resources
available to balance the portfolio against. Third, each project must be assessed for profitability
(rewards), investment requirements (resources), risks, and other appropriate factors.
The weighting of the goals in making decisions about products varies from company to company. But
organizations must balance these goals: risk vs. profitability, new products vs. improvements,
strategy fit vs. reward, market vs. product line, long-term vs. short-term. Several types of
techniques have been used to support the portfolio management process:
Heuristic models
Scoring techniques
The earliest Portfolio Management techniques optimized projects' profitability or financial returns
using heuristic or mathematical models. However, this approach paid little attention to balance
or aligning the portfolio to the organization's strategy. Scoring techniques weight and score
criteria to take into account investment requirements, profitability, risk and strategic alignment.
The shortcoming with this approach can be an overemphasis on financial measures and an
inability to optimize the mix of projects. Mapping techniques use graphical presentation to
visualize a portfolio's balance. These are typically presented in the form of a two-dimensional
graph that shows the trade-offs or balance between two factors such as risks vs. profitability,
marketplace fit vs. product line coverage, financial return vs. probability of success, etc.
INTERNAL AND EXTERNAL RISK AUDIT
Risk audit and assessment is a systematic way of understanding the risks that an organisation
faces. Because the range and types of risks are many and varied, risk assessment and audit can
be a complicated and involved process. Some organisations, such as large financial services
providers, employ teams of people whose job it is to continually monitor and internally report on
Risk mapping is an approach to illustrating the risk associated with an organisation,
project or other system in a way which enables you to understand it better: what's
important, what's not, and whether the risk picture is comprehensive.
Risk mapping is primarily qualitative and its benefits are:
to improve your understanding of the risk profile and your ability to communicate about it
to force you to think through rigorously the nature and impact of the risks that have been identified
to improve your risk models by building an intermediate link between the risk register and the model
to improve your risk register by basing it on a more transparent and accurate understanding of the system.
As the chart shows, the risk map can be developed from a risk register developed at
With the progressive deregulation and liberalization of the Indian financial sector, banks are
increasingly exposed to various kinds of risk, both financial and non-financial. Efficiency of
every bank depends on how effectively it is managing the risks and ensuring a competitive
risk adjusted return on capital. For this it is essential to have in place effective risk
management and internal control systems, which are crucial to the conduct of banking
business not only to lead the bank more profitably but also in compliance with prudential
guidelines, for which a professional approach in
A risk based management approach involving risk audit and risk mapping is important
Risk audit
A risk audit is a review by an organization of all its risks.
Risk mapping
Risk mapping is a technique of risk management that starts with a risk audit and goes on to the
development of a risk management strategy.
Risk Mapping is a tool used to identify, evaluate and prioritize a group of business risks which
could significantly impact a company’s or business unit’s ability to achieve its goal of maximizing
shareholders’ wealth. The Risk Assessment Survey is used to identify and measure the
significance and likelihood of business risks that occur within a function or specific process.
Once the business risk is assessed, a risk map is used to plot the significance and likelihood of
the business risk occurring. The map allows you to visualize risks in relation to each other,
gauge their extent, and plan what type of controls should be implemented to mitigate the risks.
The survey and risk map link business risk significance and likelihood of occurrence in a clear,
effective manner. Business risks are rated by overall impact on business strategies and thus,
can be addressed accordingly. The survey can be utilized by multiple department managers and
strategists to develop separate risk maps or one collective map.
Using the Arthur Andersen Business Risk Model, several business risks which could
significantly impact a company’s ability to accomplish its business strategies have been
identified. This particular survey is given for purposes of example; ideally each company should
identify the risks that are most relevant to their business and customize the survey accordingly.
Once the risk survey is prepared, rate each risk with 10 being the most significant (i.e. if this risk
was not prevented or mitigated by proper controls, there could be a major impact on the
company’s ability to accomplish certain of its key strategies) and 1 being the least significant.
Risk evaluation
Risk is neither bad nor good. It is simply a measure of deviation from the
expected. Risk consequences can be either bad or good:
Bad risk consequences drain resources and interfere with an entity’s
financial stability and ability to fulfill its mission.
Good risk consequences produce better than expected results or unexpected opportunities.
Four general types of risk response strategies:
Avoid–Eliminate the risk producing activity entirely. Can be highly effective for
some types of risk, but may not be practical for important government
functions.
Reduce–Pre-event actions to reduce the frequency and/or severity of losses.
Risk:
Risk by default has two components: uncertainty and exposure. If both are not present, there is
no risk. Definition of Risk as per Guidelines on Risk Management issued by State Bank of
Pakistan is, "Financial risk in a banking organization is possibility that the outcome of an action
or event could bring up adverse impacts. Such outcomes could either result in a direct loss of
earnings / capital or may result in imposition of constraints on bank's ability to meet its business
objectives. Such constraints pose a risk as these could hinder a bank's ability to conduct its
ongoing business or to take benefit of opportunities to enhance its business."
Types of Risks:
Risk Management is a hot topic in the financial sector especially in the light of the recent losses
of some multinational corporations e.g. collapses of Britain's Barings Bank, WorldCom and also
due to the incident of 9/11. Rapid changes in business condition, restructuring of organizations
to cope with ever increasing competition, development of new products, emerging markets and
increase in cross border transactions along with complexity of transactions have exposed
Financial Institutions to new risk dimensions. Thus the concept of risk has captured a growing
importance in modern financial society.
An increased likelihood that the program will be a success, along with the increased
likelihood that the objectives of the organisation will be met
Once we have determined our Risk Strategy, which simply means we have decided how we are
going to manage risk throughout the duration of the program, we enter a 6-step loop as follows:
Identify Risk: here we must identify what is the risk, and what is at risk. It could be
timescales, the realisation of a benefit, or the delivery of a capability.
Evaluate Risk: this simply refers to evaluating and assigning the risk with an impact and
probability score.
Plan Mitigations: In a general sense, every risk has a standard set of mitigations which
can be applied to it. These are commonly referred to as ‘The 4 Ts’:
o Transfer: can the risk be transferred to another party, for example, could an
insurance policy be taken out.
o Tolerate: this is frequently used for risks with very low impact, and is effectively
the do nothing option. Tolerate effectively means the risk is monitored but the
program proceeds without proactive action being taken to address the risk.
o Terminate: this refers to adjusting the program so the risk is no longer applicable
to the program, for example, a project may be removed entirely from the program
so the risk can never now materialise.
o Treat: this is where concrete actions are taken to reduce the probability of the
risk materialising or impact of the risk should it materialise.
Implement Actions: here concrete actions are given to the risk owner to ensure they are
carried out
Monitor and Control: all risks and actions which have been created need to be reviewed
regularly, so the risk impact and probability can be updated following any actions which
have been performed to treat th